Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: What the Uber hack tells us about fresh attack vectors created by the rise of DevOps

By Byron V. Acohido

Dissecting the root cause of Uber’s catastrophic data breach is a worthwhile exercise. Diving one level deeper into the scenario that led up to the popular ride-hailing service losing personal data for 50 million passengers and seven million drivers shows us why this particular type of hack is likely to recur many more times in 2018.

Related podcast: Why DevOps and security are destined to intersect

Hackers got deep into Uber’s Amazon Web Services platform. They did this by somehow obtaining, then using the AWS logon credentials of one of Uber’s software developers, who left those credentials accessible on GitHub. Though we don’t know nitty gritty details, security analysts say something like this had to have happened:

While working on an AWS coding task, the Uber developer took some of this code base and uploaded it to GitHub.  No security sins to this point. ‘Git’ is a system for controlling the latest version of software programs; GitHub is an online repository where developers upload code for peer reviews and such.

Here’s the wider context: imagine the degree to which Uber, in order to connect riders and drivers, uses software to tie into services hosted by Amazon, Google, Facebook, Twitter, iPhone and Android. Uber is a prime example of an Internet-centric enterprise comprised of a collection of tools and services hosted by myriad partners. Think about how frenetic the software development process must be too keep Uber humming. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

PODCAST: The case for rethinking security — starting with smarter management of privileged access logons

By Byron V. Acohido

Two cybersecurity trend lines have moved unremittingly up the same curve over the past two decades — and that’s not a good thing.

Year-in and year-out, organizations have steadily increased spending to defend their networks — and they continue to do so, with no end in sight. Research firm MarketsandMarkets estimates that the global cybersecurity market size will grow from $137.85 billion in 2017 to $231.94 billion by 2022, a compound annual growth rate of 11.0%.

Related podcast: Much stronger security can come from simple ‘Identity Access Management’ improvements

At the same time, the damage and disruption caused by malicious hackers has also continued to rise, with no end in sight. One recent measure of this comes from a survey of senior officials at 120 large enterprises, conducted by research firm Forrester and sponsored by Centrify, a leading supplier of identity and access management (IAM) technologies.

 

C-level executives disclosed to Forrester that two thirds of their companies had been breached multiple times –  a startling five times on average over the past two years. What’s more, respondents indicated these break-ins occurred evenly all across the network, at endpoints, servers, data bases and in software-as-a-service systems. …more

VIDEO: Law enforcement’s view of cyber criminals — and what it takes to stop them

By Alan Zeichick

Law enforcement officials play a vital role tracking down and neutralizing cyber criminals. Theirs is a complex, often thankless, mission. Here are some insights shared by two current, and one former,  high-level officials from U.S. law enforcement, who spoke at the NetEvents Global Press & Analyst Summit, in San Jose, Calif., in late September.

Based in San Francisco, M.K. Palmore is a senior manager for the Federal Bureau of Investigation’s Cyber Branch. As an FBI Security Risk Management Executive, Palmore leads teams that help identify threat actors, define attribution and carry out arrests.

Related article: Ransomware requires effective risk-management

Palmore says financially-motivated threat actors account for much of the current level of malicious cyber activity. Nation-state sponsored hackers, ideologically-motivated hacktivists, and insider intruders also are causing significant damage and disruption.

Palmore

“We’re talking about a global landscape, and the barrier to entry for most financially-motivated cyber-threat actors is extremely low,” Palmore says. “In terms of who is on the other end of the keyboard, we’re typically talking about mostly male threat actors,  between the ages of, say, 14 and 32 years

Dr. Ronald Layton is Deputy Assistant Director of the U.S. Secret Service. Layton observes that the technological sophistication and capabilities of threat actors has increased. “The toolsets that you see today that are widely available would have been highly classified 20 years ago,” Layton says. “Sophistication has gone up exponentially.”

The rapid escalation of ransomware is a telling marker, Layton says; ransomware rose  from the 22nd most popular crime-ware application in 2014, to number five in 2017.

Says Layton: “In 2014, the bad guys would say, ‘I’m going to encrypt your file unless you pay me X amount of dollars in Bitcoin.’ End-users got smarter, and just said, ‘Well, I’m going to back my systems up.’  Now ransomware concentrates on partial or full hard-disk encryption, so backup doesn’t help as much. Sophistication by the threat actors has gone up, and the ability to more quickly adjust, on both sides, quite frankly, has gone up.”

Beyond cyber extortion, cyber criminals have steadily advanced supply chains and cooperative partnerships, organizing and executing cyber attacks of all types.

Layton

Ten years ago, crime groups tended to work in isolation, Layton says. Today “they all know each other,” he says. “They are collaborative and they all use Russian as a communications modality to talk to one another in an encrypted fashion. That’s what’s different, and that represents a challenge for all of us.”

With cyber attacks steadily intensifying, organizations of all sizes and in all business sectors generally must do a much better job embracing best policies and practices. …more

MY TAKE: Once upon a time, circa 2003-2004, botnets emerged as the engine of cybercrime

By Byron V. Acohido

Betty Carty figured she ought to be in the digital fast lane.

Last Christmas, Carty purchased a Dell desktop computer, then signed up for a Comcast high-speed Internet connection. But her new Windows XP machine crashed frequently and would only plod across the Internet.

(Editor’s note: This 2,200 word article was originally published, Sept. 8, 2004,  in print form as a USA TODAY Money section cover story, part of one of a three part series on the emergence of botnets for systemic criminal use. Botnets are today much larger, stealthier and more sophisticated. They actually pivot off cloud-based services — and they continue to be the engine that drives most forms of Internet-centric hacking.)

Dell was no help. The PC maker insisted — correctly — that Carty’s hardware worked fine.

But in June, Comcast curtailed Carty’s outbound e-mail privileges after pinpointing her PC as a major source of e-mail spam. An intruder had turned Carty’s PC into a “zombie,” spreading as many as 70,000 pieces of e-mail spam a day.

Related article: The care and feeding of botnets in 2017

The soft-spoken Carty, 54, a grandmother of three from southern New Jersey, was flabbergasted. “Someone had broken into my computer,” she says.

Since early 2003, wave after wave of infectious programs have begun to saturate the Internet, causing the number of PCs hijacked by hackers and turned into so-called zombies to soar into the millions — mostly in homes like Carty’s, at small businesses and on college campuses. And, much like zombies of voodoo legend, they mindlessly do the bidding of their masters and help commit crimes online.

Personal computers have never been more powerful — and dangerous. Just as millions of Americans are buying new PCs and signing up for ultrafast Internet connections, cybercrooks are stepping up schemes to take control of their machines — and most consumers don’t have a clue.

“We thought things were bad in 2003, but we’ve seen a sharp uptick in 2004. I’m worried things will get much worse,” says Ed Skoudis, co-founder of consulting firm Intelguardians

Carty’s PC could have been taken over in myriad ways. She could have been fooled into opening a virus-infected e-mail. She might have innocently surfed to a Web page bristling with contagious code. Or she may have done nothing at all. One of dozens of network worms, voracious, self-replicating programs that pinball around the Web searching for security holes in Windows PCs, may have found one on her new PC. …more

GUEST ESSAY: What ‘Fight Club’ taught me about protecting my online personas

By Thomas Yohannan

Dissociative identity disorder, AKA multiple personality disorder, is a human condition by which the victim’s personality becomes fragmented into two or more distinctive states.

DID has long been a rich topic for Hollywood screen writers. The movie Fight Club, in which Edward Norton and Brad Pitt portray polar opposite personalities of the main protagonist, is a classic example.

Related podcast: Phil Lieberman calls for resetting the C-suite mindset

DID sufferers subvert themselves in self-contained sets of memories, behaviors, attitudes, even perceived age. This is done so that the victim can insulate certain fragile areas of his or her psyche, and thus is able to function with a sense of security in otherwise threatening environments, psychologically speaking.

It may not be a bad idea …more

MY TAKE: Why Uber’s flaunting of disclosure laws should ignite security regulations

Think it was a mere coincidence that Uber disclosed its catastrophic data breach late in the afternoon on the Tuesday before Thanksgiving?

Fat chance. Uber’s new CEO Dara Khosrowshahi almost certainly calculated the diminished notoriety to be gained by announcing the hack on the eve of the year’s most distraction-packed, four-day weekend.

Related article: The implications of Deloitte breach on heels of SEC, Equifax hacks

Uber discovered it had been breached 14 months ago, in October 2016. The ride-hailing pioneer has admitted losing personal information for 57 million customers (myself included) and 600,000 drivers.

(UPDATE. 6 am, Nov. 29, 2107. Uber has clarified that it lost personal information for about 50 million passengers and 7 million divers, some 600,000 U.S. drivers. That includes losing the driver’s license numbers for all 7 million drivers. On that basis, Washington Attorney General Bob Ferguson has filed a multimillion-dollar lawsuit against Uber. Under Washington’s data loss disclosure law, companies must notify victims of any loss of driver’s license numbers. “Washington law is clear, when a data breach puts people at risk, businesses must inform them,” Ferguson said, in announcing what he billed as a multimillion-dollar lawsuit. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”)

A lot of water has gone under the bridge in 14 months. Uber officials could not have missed the fireworks surrounding high-profile breach disclosures by Equifax, the U.S. Security and Exchange Commission, Deloitte, Yahoo, fast food chain Sonic and international law firm Appleby.

As those organizations bit the bullet, Uber took these steps behind closed doors:

•Paid the hackers $100,000 to delete the data and stay silent about the theft

•Head-hunted, recruited and hired a new CEO, namely Khaosrowshahi

•Tossed its chief security officer, Joe Sullivan, and his deputy, under the bus …more

GUEST ESSAY: The top 4 cybersecurity certificates every IT staffer should have

By Victoria Zambito

Assuredly, it is a very positive development that more companies are looking to boost the security expertise of their in-house IT teams. This is being manifested by flow of IT professionals seeking out and participating in security-related certificate programs.

Numerous third-party organizations offer these educational tracks; a select few garner great respect within the field. Here’s the cream of the crop:

CompTIA A+ Certification

The CompTIA A+ Certification provides essential foundational knowledge for IT professionals. It covers basic enterprise hardware and software deployment, management techniques and cloud computing. Approximately 1 million IT professionals hold the highly coveted IT CompTIA A+ certification.

Certified Ethical Hacker (CEH v9) – EC-Council
The Certified Ethical Hacker Certification demonstrates an IT professional has an understanding of how to …more