 

Q&A: Reddit breach shows use of ‘SMS 2FA’ won’t stop privileged access pillaging

The recent hack of social media giant Reddit underscores the reality that all too many organizations — even high-visibility ones that ought to know better — are failing to adequately lock down their privileged accounts.

Related: 6 best practices for cloud computing

An excerpt from Reddit’s mea culpa says it all:  “On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

It’s safe to assume that Reddit has poured a small fortune into security, including requiring employees to use SMS-delivered one-time passcodes in order to access sensitive company assets.

But here’s the rub: Reddit overlooked the fact that SMS 2FA is useful only up to a point, because the passcode travels over a carrier network the defender does not control, and it can be subverted with a modicum of effort. SIM swapping, for instance, is a scam in which a threat actor persuades the victim’s phone company to move the victim’s number onto a SIM card the attacker holds; from then on every call and text, passcodes included, lands on the attacker’s handset. And then there’s SS7 hacking, which leverages known flaws in the signaling protocol that carriers use to route calls and texts between networks to intercept messages in transit, including passcodes. Neither attack requires touching the victim’s handset or the target company’s systems, which is why a code generated on a device in the user’s hand, such as an authenticator app or a hardware security key, is the stronger second factor.

SMS interception techniques keep being refined because they pay off against high-value targets. This summer alone, in the wake of the Reddit hack, British mobile phone retailer Carphone Warehouse, ticketing giant Ticketmaster, telecom company T-Mobile and British Airways disclosed large data compromises. (more…)


MY TAKE: The back story on the convergence, continuing evolution of endpoint security

By Byron V. Acohido

No one in cybersecurity refers to “antivirus” protection any more. The technology that corrals malicious software circulating through desktop PCs, laptops and mobile devices has evolved into a multi-layered security technology referred to as ‘endpoint security.’

This designation change unfolded a few years back. It was a reflection of attackers moving to take full advantage of the fresh attack vectors cropping up as companies retooled their legacy networks – comprised of ‘on-premises’ servers and clients – to operate in the expanding world of cloud services, mobile devices and the Internet of Things.

Having covered Symantec, McAfee, Trend Micro, Sophos, Kaspersky, et al. since the nascent days of the antivirus market, I find it fascinating that the top dozen or so antivirus players have all managed to remain in the game. What’s more, they’ve all successfully grown into multi-layered full-service endpoint security suppliers.

I visited with Joe Sykora, vice president of worldwide channel development for Bitdefender, at Black Hat USA 2018, and asked him to put the remarkable staying power of endpoint security in context. In 1990, Florin and Mariuca Talpes parlayed a $300 stake borrowed from a relative into a company which would become Bitdefender in 2001. Founded in Bucharest, the company of 1,600 employees is in the thick of reshaping endpoint security.

For a drill down on my discussion with Sykora, please listen to the accompanying podcast. Here are a few big takeaways: …more

MY TAKE: Here’s why we need ‘SecOps’ to help secure ‘Cloud Native’ companies

By Byron V. Acohido

For many start-ups, DevOps has proven to be a magical formula for increasing business velocity. Speed and agility are the name of the game — especially for Software as a Service (SaaS) companies.

Related: How DevOps enabled the hacking of Uber

DevOps is a process designed to foster intensive collaboration between software developers and the IT operations team, two disciplines that traditionally have functioned as isolated silos within the technology department.

Its rise in popularity has helped drive a new trend for start-ups to go “Cloud Native,” erecting their entire infrastructure, from the ground up, on cloud services like Amazon Web Services, Microsoft Azure and Google Cloud.

Security burden

Though DevOps-centric organizations can gain altitude quickly, they also tend to generate fresh security vulnerabilities at a rapid clip. Poor configuration of cloud services can translate into gaping vulnerabilities—and low hanging fruit for hackers, the recent Tesla hack being a prime example. In that caper, a core API was left open, allowing attackers to exploit it and begin using Tesla’s servers to mine cryptocurrency. Rising API exposures are another big security concern, by the way.

Because Amazon, Microsoft and Google provide cloud resources under a “shared responsibility” security model, a large burden rests with the user to be aware of, and mitigate latent security weaknesses.
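What the user’s half of shared responsibility looks like in practice is mostly finding the misconfigurations before an attacker does. As an added example (not from the article or from any vendor it mentions), here is a small linter that scans resource policies written in the AWS IAM policy-document format and flags Allow statements that anyone on the internet can use: a wildcard principal with no condition that narrows the caller. The two policy documents are constructed for illustration, the account and VPC identifiers in them are placeholders, and the list of “narrowing” condition keys is a deliberate simplification rather than AWS’s own definition of a public policy.

```python
# Constructed sample policies in the AWS IAM policy-document format. They are
# illustrative only; the ARNs, account ID and VPC ID are placeholders.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",                     # the weak setting: anyone
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports",
                         "arn:aws:s3:::example-reports/*"],
        }
    ],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReaderRoleFromVpc",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},
        }
    ],
}

# Global condition keys that genuinely restrict who (or from where) a statement
# can be used. A Condition that only sets e.g. aws:SecureTransport does not make
# a wildcard principal any less public. Assumed list, not an AWS definition.
NARROWING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalorgid",
    "aws:principalarn", "aws:principalaccount", "aws:sourceaccount", "aws:sourcearn",
}


def _principals(principal) -> list:
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]})."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def _narrows_caller(condition: dict) -> bool:
    """True if any condition key limits the caller's identity or network origin."""
    for operator_block in condition.values():
        for key in operator_block:
            if key.lower() in NARROWING_KEYS:
                return True
    return False


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements usable by anyone on the internet."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is legal too
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        if "*" not in _principals(stmt["Principal"]):
            continue
        if _narrows_caller(stmt.get("Condition", {})):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", public_statements(doc) or "no public statements")
```

The same shape of check, run continuously against every account in a pipeline, is the difference between discovering an open endpoint in a review and discovering it when the cloud bill spikes.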

In fact, it’s much more accurate for organizations tapping into cloud services and utilizing DevOps to think of cloud security as a functioning under …more

MY TAKE: The no. 1 reason ransomware attacks persist: companies overlook ‘unstructured data’

By Byron V. Acohido

All too many companies lack a full appreciation of how vital it has become to proactively manage and keep secure “unstructured data.”

One reason for the enduring waves of ransomware is that unstructured data is easy for hackers to locate and simple for them to encrypt.

Related video: Why it’s high time to protect unstructured data

Ironically, many victimized companies are paying hefty ransoms to decrypt unstructured data that may not be all that sensitive or mission critical.

I talked with Jonathan Sander, Chief Technology Officer with STEALTHbits Technologies, about this at Black Hat USA 2018.

The New Jersey-based software company is focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. For a drill down on our conversation about unstructured data exposures please listen to the accompanying podcast. A few takeaways:

Outside a database

Structured data can be human- or machine-generated, and is easily searchable information usually stored in a database, including names, Social Security numbers, phone numbers, ZIP codes.

Unstructured data (also human- or machine-generated) is basically everything else. Typical unstructured data includes a long list of files—emails, Word docs, social media, text files, job applications, text messages, digital photos, audio and visual files, spreadsheets, presentations, digital surveillance, traffic and weather data, and more. In a typical day, individuals and businesses create and share a tidal wave of this information.

The main difference between the two is organization and analysis. Most of the unstructured data generated in the course of conducting digital commerce doesn’t get stored in a database or any other formal management system.

For structured data, users can run simple analysis tools, such as content searches, to find what they need. But with no orderly internal framework, unstructured data defies data mining tools. Most human communication is via unstructured data; it’s messy and doesn’t fit into analytical algorithms.

Ransomware target

There is a mountain of unstructured data compared to a molehill of its structured counterpart. Gartner analysts estimate that over 80 percent of enterprise data is unstructured …more

Q&A: The troubling implications of normalizing encryption backdoors — for government use

By Byron V. Acohido

Should law enforcement and military officials have access to a digital backdoor enabling them to bypass any and all types of encryption that exist today?

We know how Vladimir Putin, Xi Jinping and Kim Jong-un would answer: “Of course!”

Related: Nation-state hacks suggest cyber war is underway

The disturbing thing is that in North America and Europe more and more arguments are being raised in support of creating and maintaining encryption backdoors for government use. Advocates claim such access is needed to strengthen national security and hinder terrorism.

But now a contingent of technology industry leaders has begun pushing back. These technologists are in full agreement with privacy and civil rights advocates who argue that this is a terrible idea.

They assert that the risk of encryption backdoors ultimately being used by criminals, or worse than that, by a dictator to support a totalitarian regime, far outweighs any incremental security benefits. I had an invigorating discussion with Jeff Hudson, CEO of Venafi, about this at Black Hat USA 2018.

Venafi is a leading provider of machine identity protection. Machine-to-machine connections must be authenticated before systems grant access, so this technology is where the rubber meets the road with respect to this debate. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: What’s wrong with granting governments the ability to break encryption?

Venafi: It has been established over a long period of time that the minute you put a backdoor in, and you think it’s secure, it almost immediately will fall into the wrong hands. Because it’s there, the bad guys will get to it. This makes backdoors the worst possible things for security.

The government wants to be able to surveil network traffic, and they want backdoors so they can see everything. If they can see all the traffic all the time, they can just sit back and surveil everything. …more

MY TAKE: Poorly protected local government networks cast shadow on midterm elections

By Byron V. Acohido

In March 2018, the city of Atlanta fell victim to a ransomware attack that shut down its computer network. City agencies were unable to collect payment. Police departments had to handwrite reports. Years of data disappeared.

Related: Political propaganda escalates in U.S.

The attack also brought cybersecurity to the local level. It’s easy to think of it as a problem the federal government must address or something that enterprises deal with, but cybersecurity has to be addressed closer to home, as well.

I spoke to A.N. Ananth, CEO of EventTracker, a Netsurion company, about this at Black Hat USA 2018. His company supplies a co-managed SIEM service to mid-sized and large enterprises, including local government agencies.

EventTracker has a bird’s eye view; its unified security information and event management (SIEM) platform includes behavior analytics, threat detection and response, honeynet deception, intrusion detection and vulnerability assessment, all of which are coupled with its SOC for a co-managed solution. For a drill down on our discussion, give the accompanying podcast a listen. Here are key takeaways:

Local risks

Security of local and state government agencies takes on a higher level of urgency as we get closer to the midterm elections.

“State and local governments are not immune to the digital transformation so their dependence on IT is as high as it’s ever been,” says Ananth. “Consequently, the security of these kinds of systems has become paramount.”

If all politics are local, elections are even more so. According to the National Conference of State Legislatures, security for elections is in the hands of local election administrators, overseen by the state’s chief election official, but protection has been lacking.

During 2016, 39 states were hacked. At least one state saw an attempt to delete voter rolls; …more

MY TAKE: Here’s how diversity can strengthen cybersecurity — at many levels

By Byron V. Acohido

Of the many cybersecurity executives I’ve interviewed, Keenan Skelly’s career path may be the most distinctive. Skelly started out as a U.S. Army Explosive Ordnance Disposal (EOD) Technician. “I was on the EOD team that was actually assigned to the White House during 9/11, so I got to see our national response framework from a very high level,” she says.

Today, Skelly is Vice President of Global Partnerships and Security Evangelist at Circadence®, a distinctive security vendor, in its own right.

Related: How ‘gamification’ makes training stick

Circadence got started in the 1990s as a publisher of one of the earliest massively multiplayer online games. It adapted its gaming systems to help the U.S. military carry out training exercises for real life cyber warfare. That led to a transition into what it is today: a leading supplier of immersive “gamification” training modules designed to keep cyber protection teams in government, military, and corporate entities on their toes.

I met with Skelly at Black Hat USA 2018 and we had a thoughtful discussion about a couple of prominent cybersecurity training issues: bringing diversity into AI systems and closing the cybersecurity skills gap. For a drill down, please listen to the accompanying podcast. Here are key takeaways:

Diversifying AI

Discussions are underway in the technology sector about how Artificial Intelligence could someday eliminate bias in the workplace, and thus engender a more meritocratic workplace.

“We’re starting to see Artificial Intelligence and machine learning in just about every space and every tool,” Skelly observes.

Diversity in emerging AI-infused security systems – or, more specifically, the lack of it – is a rising concern. Here’s why: The experts with the knowledge to tweak the algorithms for automated detection systems, at this moment, comprise a very narrow talent pool. The concern is that this could constrain the development of broadly effective security-focused AI.

“The problem is that if you don’t have a diverse group of people training the Artificial Intelligence, …more

MY TAKE: Can Hollywood’s highly effective ‘source-code’ security tools help make IoT safe?

By Byron V. Acohido

Over the past couple of decades, some amazing advances in locking down software code have quietly unfolded in, of all places, Hollywood.

Related: HBO hack spurs cyber insurance market

Makes sense, though. Digital media and entertainment giants like Netflix, Amazon, Hulu, HBO, ESPN, Sony, and Disney are obsessive about protecting their turf. These Tinsel Town powerhouses retain armies of investigators and lawyers engaged in a never-ending war to keep piracy and subscription fraud in check.

And over the years they’ve also financed security breakthroughs – at the source-code level. These breakthroughs have not received much mainstream attention, but they have proven wickedly effective at tracking digital assets and preserving digital rights.

I recently had the chance to meet with Mark Hearn and John O’Connor, of Irdeto, a 50-year-old software security and media technology company based in Amsterdam that has been a leading supplier of source code tracking and fingerprinting systems for big media companies.

We met at Black Hat USA 2018, where Hearn and O’Connor came bearing a message about how these technologies, so heavily relied on by Hollywood, could play a starring role in shoring up the foundational layers of digital transformation — at the source code level.

For a drill down on our discussion please listen to the accompanying podcast. Here are the big takeaways:

Making it too expensive

Irdeto’s suite of products helps set-top box manufacturers protect high-value content; its technology also is used by live sports broadcasters to deter hackers from siphoning off pay-for-view sporting events.

Irdeto’s Cloakware technology is a key component in these technologies. …more