My Take

 

MY TAKE: What the Uber hack tells us about fresh attack vectors created by the rise of DevOps

By Byron V. Acohido

Dissecting the root cause of Uber’s catastrophic data breach is a worthwhile exercise. Diving one level deeper into the scenario that led up to the popular ride-hailing service losing personal data for 50 million passengers and seven million drivers shows us why this particular type of hack is likely to recur many more times in 2018.

Related podcast: Why DevOps and security are destined to intersect

Hackers got deep into Uber’s Amazon Web Services platform. They did this by somehow obtaining, then using, the AWS logon credentials of one of Uber’s software developers, who left those credentials accessible on GitHub. Though we don’t know the nitty-gritty details, security analysts say something like this had to have happened:

While working on an AWS coding task, the Uber developer took some of this code base and uploaded it to GitHub. No security sins to this point. ‘Git’ is a system for controlling the latest version of software programs; GitHub is an online repository where developers upload code for peer reviews and such.

Here’s the wider context: imagine the degree to which Uber, in order to connect riders and drivers, uses software to tie into services hosted by Amazon, Google, Facebook, Twitter, iPhone and Android. Uber is a prime example of an Internet-centric enterprise comprised of a collection of tools and services hosted by myriad partners. Think about how frenetic the software development process must be to keep Uber humming. …more

MY TAKE: Once upon a time, circa 2003-2004, botnets emerged as the engine of cybercrime

By Byron V. Acohido

Betty Carty figured she ought to be in the digital fast lane.

Last Christmas, Carty purchased a Dell desktop computer, then signed up for a Comcast high-speed Internet connection. But her new Windows XP machine crashed frequently and would only plod across the Internet.

(Editor’s note: This 2,200-word article was originally published, Sept. 8, 2004, in print form as a USA TODAY Money section cover story, part of one of a three-part series on the emergence of botnets for systemic criminal use. Botnets are today much larger, stealthier and more sophisticated. They actually pivot off cloud-based services — and they continue to be the engine that drives most forms of Internet-centric hacking.)

Dell was no help. The PC maker insisted — correctly — that Carty’s hardware worked fine.

But in June, Comcast curtailed Carty’s outbound e-mail privileges after pinpointing her PC as a major source of e-mail spam. An intruder had turned Carty’s PC into a “zombie,” spreading as many as 70,000 pieces of e-mail spam a day.

Related article: The care and feeding of botnets in 2017

The soft-spoken Carty, 54, a grandmother of three from southern New Jersey, was flabbergasted. “Someone had broken into my computer,” she says.

Since early 2003, wave after wave of infectious programs have begun to saturate the Internet, causing the number of PCs hijacked by hackers and turned into so-called zombies to soar into the millions — mostly in homes like Carty’s, at small businesses and on college campuses. And, much like zombies of voodoo legend, they mindlessly do the bidding of their masters and help commit crimes online.

Personal computers have never been more powerful — and dangerous. Just as millions of Americans are buying new PCs and signing up for ultrafast Internet connections, cybercrooks are stepping up schemes to take control of their machines — and most consumers don’t have a clue.

“We thought things were bad in 2003, but we’ve seen a sharp uptick in 2004. I’m worried things will get much worse,” says Ed Skoudis, co-founder of consulting firm Intelguardians.

Carty’s PC could have been taken over in myriad ways. She could have been fooled into opening a virus-infected e-mail. She might have innocently surfed to a Web page bristling with contagious code. Or she may have done nothing at all. One of dozens of network worms, voracious, self-replicating programs that pinball around the Web searching for security holes in Windows PCs, may have found one on her new PC. …more

MY TAKE: Why Uber’s flaunting of disclosure laws should ignite security regulations

Think it was a mere coincidence that Uber disclosed its catastrophic data breach late in the afternoon on the Tuesday before Thanksgiving?

Fat chance. Uber’s new CEO Dara Khosrowshahi almost certainly calculated the diminished notoriety to be gained by announcing the hack on the eve of the year’s most distraction-packed, four-day weekend.

Related article: The implications of Deloitte breach on heels of SEC, Equifax hacks

Uber discovered it had been breached 14 months ago, in October 2016. The ride-hailing pioneer has admitted losing personal information for 57 million customers (myself included) and 600,000 drivers.

(UPDATE. 6 am, Nov. 29, 2017. Uber has clarified that it lost personal information for about 50 million passengers and 7 million drivers, including some 600,000 U.S. drivers. That includes losing the driver’s license numbers for all 7 million drivers. On that basis, Washington Attorney General Bob Ferguson has filed a multimillion-dollar lawsuit against Uber. Under Washington’s data loss disclosure law, companies must notify victims of any loss of driver’s license numbers. “Washington law is clear, when a data breach puts people at risk, businesses must inform them,” Ferguson said, in announcing what he billed as a multimillion-dollar lawsuit. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”)

A lot of water has gone under the bridge in 14 months. Uber officials could not have missed the fireworks surrounding high-profile breach disclosures by Equifax, the U.S. Securities and Exchange Commission, Deloitte, Yahoo, fast food chain Sonic and international law firm Appleby.

As those organizations bit the bullet, Uber took these steps behind closed doors:

• Paid the hackers $100,000 to delete the data and stay silent about the theft

• Head-hunted, recruited and hired a new CEO, namely Khosrowshahi

• Tossed its chief security officer, Joe Sullivan, and his deputy, under the bus …more

MY TAKE: How I came to cover two great ‘beats’ in my journalism career

By Byron V. Acohido

I’ve had the great good fortune to spend most of my career as a “beat reporter” covering two astounding beats.

The articles you see here on LastWatchdog are the work of my second great beat, which I’ve been immersed in since approximately 2004: cybersecurity. Or to put a finer point on it, I live and breathe developments having to do with the for-profit leveraging of the Internet, by both good guys and bad guys.

A journalist couldn’t ask for a richer topic. Cybersecurity affects how we live, work and play. Cybersecurity, at this moment, underpins the profound shifts in culture, economics, politics and national security we are all experiencing.

Related: University of San Diego lists LastWatchdog as top cybersecurity blog for 2017

Related: VPNMentor includes LastWatchdog as Top 20 security blog

I’ve won my fair share of recognition for my work as a journalist. This can be attributed mainly to practicing the craft professionally since 1977, and being blessed to work alongside iconic mentors and inspiring colleagues. I reached the pinnacle of my profession covering my first great beat, aviation safety, for the Seattle Times. I was awarded the 1997 Pulitzer Prize for Beat Reporting for my coverage of a deadly design flaw incorporated into the rudder actuator of Boeing 737 jetliners.

That said, two recent acknowledgements of the work I’m doing here at The LastWatchdog on Privacy & Security are top of mind at this moment. I’d like to thank the University of San Diego for naming LW as one of the top cybersecurity blogs of 2017. And my gratitude also goes out to vpnmentor.com for placing LW on its list of Top 20 online security blogs of 2017. …more

MY TAKE: The way forward, despite overwhelming cyber threats

By Byron V. Acohido

NEW YORK CITY – The Cyber Connect 2017 cybersecurity summit just wrapped up at the beautiful Grand Hyatt, located adjacent to Grand Central Station here in the Big Apple. I got the chance to be on the other side of the interview, sitting down with John Furrier and David Vellante, co-hosts of The Cube. We did it live; here’s the recorded stream.

MY TAKE: How Russia’s election meddling relates to industrial control hacks

By Byron V. Acohido

While America’s attention has been riveted on stunning disclosures of how Russia meddled in the U.S. presidential elections, the significance of a parallel, equally important development may have gotten lost. Don’t look now folks, but the world’s superpowers are steadily marshaling forces to engage in an all-out cyber war.

History may yet prove that Russia’s manipulation of elections in America and elsewhere is, in fact, connected to the steady escalation of attacks on industrial control systems. And it’s not just Russia. Evidence has surfaced that China, USA, Israel and North Korea have also been maneuvering to take full advantage of the profoundly vulnerable state of so-called “OT” systems.

Quick context here: Gartner a few years ago coined the buzzphrase “operational technology,…more

MY TAKE: The death of BYOD; how mobile security has impacted enterprise security

By Byron V. Acohido

Just five years ago, BYOD – Bring Your Own Device – was a rising security concern attracting an inordinate amount of attention.

Fast forward to today and BYOD has faded as a buzzword. However, employees’ use of mobile devices and web apps remains as big a security concern as ever.

Related article: Converting logs into actionable intel

Companies and government agencies are addressing this exposure by taking advantage of technical innovations and by embracing practices that might surprise you.

I had the chance to visit with Gregg Smith, CEO of Silent Circle, at Black Hat 2017 in Las Vegas. Co-founded by a former Navy SEAL and a couple of …more