Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: Knowing these 5 concepts will protect you from illicit cryptocurrency mining

By Byron V. Acohido

The cryptocurrency craze rages on, and one unintended consequence is the dramatic rise of illicit cryptocurrency mining.

It takes computing power to transform digital calculations into crypto cash, whether it be Bitcoin or one of the many other forms of digital currency.

Related podcast: How cryptomining malware is beginning to disrupt cloud services

So, quite naturally, malicious hackers are busying themselves inventing clever ways to leech computing power from unwitting victims — and directing these stolen computing cycles towards lining their pockets with freshly mined crypto cash.

Individual consumers have been the prime victims for more than a year. And now small- and medium-sized businesses (SMBs) are being increasingly targeted — especially companies  rushing to tap into cloud services such as Amazon Web Services, Microsoft Azure and Google Cloud.

To help you unpack all of this, here are five fundamental concepts that will help you understand why you should reduce  your exposure to illicit cryptocurrency mining.

Cryptocurrency basics. Bitcoin gets created by solving an increasingly difficult math problem; the difficulty factor has risen to the point where Bitcoin today can only be mined by special-purpose computers that consume massive amounts of electricity.

However, Monero, Ethereum, Bytecoin and other cryptocurrencies have come along that can still be mined by ordinary computing devices. So naturally, cryptocurrency mining services have cropped up. Coinhive is a notable example. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Why the ‘golden age’ of cyber espionage is upon us

By Byron V. Acohido

Researchers at Cisco’s Talos intelligence unit have now expressed high confidence that the Russian government is behind VPNFilter, a malware strain designed to usurp control of small office and home routers and network access control devices.

If you doubt VPNFilter’s capacity to fuel cyber chaos on a global scale, please peruse the FBI’s recently issued alert about this very nasty piece of leading-edge malware.

Related article: Obsolescence creeping into legacy security systems

VPNFilter is precisely the kind of cyber weaponry nation state-backed military and intelligence operatives routinely deploy to knock down critical infrastructure, interfere with elections and spy on each other.

One of the top analysts on the daily use of malware across the planet is Dr. Kenneth Geers, senior research scientist, at Comodo Cybersecurity. His main duties at Comodo revolve around monitoring and analyzing malware spikes as they unfold on a daily basis, and correlating cyber attacks to global news and political events.

Geers recently walked me through the cyber attack trends and patterns he’s currently monitoring. Bottom line: cyber espionage is on the cusp of a golden age; and the only way to deter this is for the private sector to do a much better job of defending home and business networks.

Why so? Because vulnerable networks supply the communications channels and processing power made so easily accessible to cyber criminals and combatants.

For a full drill down on my fascinating chat with Geers, please listen to the accompanying podcast.  Here are excerpts edited for clarity and length. …more

Will GDPR usher in a new paradigm for how companies treat consumers’ online privacy?

By Byron V. Acohido

Back in 2001, Eric Schmidt, then Google’s CEO, described the search giant’s privacy policy as “getting right up to the creepy line and not crossing it.

Well, Europe has now demarcated the creepy line – and it is well in favor of its individual citizens. The General Data Protection Regulation, or GDPR, elevates the privacy rights of individuals and imposes steep cash penalties for companies that cross the creepy line – now defined in specific detail.

Related article: Zuckerberg’s mea culpa reveals reprehensible privacy practices

Europe’s revised online privacy regulations took effect last Friday. European businesses are bracing for disruption – and U.S. companies won’t be immune to the blowback. There are more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses. All of them, from Google, Facebook and Microsoft, down to mom-and-pop wholesalers and service providers, now must comply with Europe’s new rules for respecting an individual’s online privacy.

The EU is expected to levy GDPR fines totaling more than $6 billion in the next 12 months, an estimate put out by insurance giant Marsh & McLennan. As these penalties get dished out, senior management will become very uncomfortable; they’ll be forced to assume greater responsibility for cybersecurity and privacy, and not just leave it up to the IT department.

This is all unfolding as companies globally are racing to embrace digital transformation – the leveraging of cloud services, mobile computing and the Internet of Things to boost innovation and profitability. In such a heady business environment, a regulatory hammer was necessary to give companies pause to consider the deeper implications of poorly defending their networks and taking a cavalier attitude toward sensitive personal data. …more

GUEST ESSAY: Here’s why Tesla has been sabotaged twice in two years — lax network security

By Igor Baikalov

The disclosure earlier this week that Tesla CEO Elon Musk reportedly informed all of his employees about a rogue worker conducting “extensive and damaging sabotage” to the company’s operations very much deserves the news coverage it has gotten.

Related: The ‘golden age’ of cyber spying is upon us

Musk reportedly sent out an internal email describing how an unnamed insider allegedly made unspecified code changes to the company’s manufacturing systems. The news agency Reuters, which viewed a copy of Musk’s email, quotes it as saying: “The full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad . . . His stated motivation is that he wanted a promotion that he did not receive.”

For now the company is investigating the matter, focused on determining if the employee acted alone, or with co-conspirators.

Baikalov

For a cutting-edge company like Tesla, its security practices seem to be pretty lax, especially in light of previous suspicions of sabotage two years hence. In 2016, the company sued a former oil-services executive for impersonating Musk while crafting an email message sent to former Tesla CFO Jason Wheeler. The lawsuit describes how that email was part of an oil-industry effort to undermine the company’s push for energy-efficient transportation.

Fast forward to this week. Based on the limited information available, the alleged saboteur was able to accomplish a series of pretty advanced steps to access and inflict damage on the company jewels. This included:

•Hijacking other employees’ accounts to gain access to sensitive systems and data.

•Modifying production code affecting manufacturing operations.

•Exfiltrating highly sensitive data to external third parties.

Each one of these steps should be sounding alarms in a well-protected environment, as these are the most watched insider activities, and their concentration around a single person would be a huge risk booster. …more

Will cryptocurrency mining soon saturate AWS, Microsoft Azure and Google Cloud?

By Byron V. Acohido

Don’t look now but cryptojacking may be about to metastasize into the scourge of cloud services.

Cryptojacking, as defined by the Federal Trade Commission, is the use of JavaScript code to capture cryptocurrencies in users’ browsers without asking permission. There’s a temptation to dismiss it as a mere nuisance; companies deep into ‘digital transformation,’ in particular,  might be lulled into this sort of apathy.

Related: Why cryptojacking is more insidious than ransomware

On the face, the damage caused by cryptojacking may appear to be mostly limited to consumers and website publishers who are getting their computing resources diverted to mining fresh units of Monero, Ethereum and Bytecoin on behalf of leeching attackers.

However, closer inspection reveals how cryptojacking morphed out of the ransomware plague of 2015 and 2016. What’s more, by connecting a few dots, it becomes clear a recent surge of cryptojacking could signal a steep rise in a similar form of illicit cryptocurrency mining — one that could materially disrupt cloud services, namely Amazon Web Services, Microsoft Azure and Google Cloud.

I arrived at these conclusions after a riveting discussion with Juniper Networks’ cybersecurity strategist Nick Bilogorskiy, one of the top analysts tracking emerging cyber threats. For a drill down on our discussion, please listen to the accompanying podcast. Here are excerpts edited for clarity and length: …more

VASCO rebrands as OneSpan, makes acquisition, to support emerging mobile banking services

By Byron V. Acohido

Bank patrons in their 20s and 30s, who grew up blanketed with digital screens, have little interest in visiting a brick-and-mortar branch, nor interacting with a flesh-and-blood teller.

This truism is pushing banks into unchartered territory. They are scrambling to invent and deliver a fresh portfolio of mobile banking services that appeal to millennials.

Related articles: Hackers revamp tactics, target mobile wallets

This, of course, is a tall task. Convenience must be delicately balanced against security. Rising regulatory and anti-fraud requirements add to the difficulty factor. However, the economic opportunity is considerable. So banks are all in.

The recent series of strategic moves made by VASCO Data Security underscore this seismic shift in banking services. Chicago-based VASCO has been around since 1991 and has more than 600 employees.

VASCO long ago established itself as a leading supplier of authentication technology to 2,000 banks worldwide. Yet on one day last month the company:

•Changed its name to OneSpan

•Launched its new Trusted Identity platform

•Announced the $55 million acquisition of Dealflo, a U.K.-based supplier of automated identity verification and digital account onboarding technologies.

Just prior to this strategic repositioning, I met with Will LaSala, the company’s security evangelist, at RSA Conference 2018. We had a lively conversation about the advanced attacks threat actors are currently directing at banks.   …more

Why big companies ignore SAP security patches — and how that could bite them, big time

By Byron V. Acohido

Threat actors in the hunt for vulnerable targets often look first to ubiquitous platforms. It makes perfect sense for them to do so.

Related article: Triaging open-source exposures

Finding a coding or design flaw on Windows OS can point the way to unauthorized to access to a treasure trove of company networks that use Windows. The same holds true for probing widely used open source protocols, as occurred when Heartbleed and Shellshock came to light.

There is yet another widely-used business platform that malicious hackers have turned their attention to. It is SAP’s enterprise resource planning (ERP) applications.

SAP serves as the digital plumbing for dozens of multinationals; it is deeply embedded in 87 percent of the top 2000 global companies, enabling and integrating ERP functions, such as sales, production, human resources and finance, as well as other core systems.

SAP is no different than any other complex software. Vulnerability researchers, ranging from penetration testers to threat actors, continually seek out fresh security flaws which SAP subsequently issues patches for. The trouble has been that SAP patches can be troublesome to implement, and so very often get postponed.

In 2016 the U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued three separate security alerts warning SAP customers to install security patches, including one issued six years earlier that had gone widely ignored.

Many large enterprises have been lagging in SAP patches. This exposure is pervasive. And it is only a matter of time before threat actors pull off a high-profile data breach. …more

GUEST ESSAY: 3 key ingredients to stress-free compliance with data handling regulations

By Izak Bovee

The variety of laws and regulations governing how organizations manage and share sensitive information can look like a bowl of alphabet soup: HIPAA, GDPR, SOX, PCI and GLBA. A multinational conglomerate, government contractor, or public university must comply with ten or more, which makes demonstrating regulatory compliance seem like a daunting, even impossible, undertaking. But there are a manageable number of precautions you can take to secure customer data that will tick the boxes for many different regulations.

Organizations that have control of their information have an easier time demonstrating compliance with regulations. Passing a compliance audit boils down to proving to auditors that your organization has implemented three fundamental things:  adequate data security, …more

Mobile security advances to stopping device exploits — not just detecting malicious apps

By Byron V. Acohido

The most profound threat to corporate networks isn’t the latest, greatest malware. It’s carbon-based life forms.

Humans tend to be gullible and impatient. With our affiliations and preferences put in play by search engines and social media, we’re perfect patsies for social engineering. And because we are slaves to convenience, we have a propensity for taking shortcuts when it comes to designing, configuring and using digital systems.

Related article: Is your mobile device spying on you?

This hasn’t worked terribly well for defending modern business networks from cyberattacks. And now we are on the verge of making matters dramatically worse as smartphones and IoT  devices proliferate.

I recently had a chance to discuss this state of affairs with J.T. Keating, vice president of product strategy at Zimperium, a Dallas-based supplier of mobile device security systems. Launched in 2010 by a Samsung consultant who saw the handwriting on the wall, Zimperium has grown to 140 employees and attracted $60 million in venture capital from Warburg Pincus, SoftBank, Samsung, Telstra and Sierra Ventures.

The company is seeking to frame and address mobile security much differently than the traditional approach to endpoint security. “When you have billions of mobile devices that aren’t well protected, and the users are primarily responsible for controlling them, it makes for very ripe targeting,” Keating told me.

For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: What’s most worrisome about mobile security?

Keating: If you’re a consumer, you should really care about malicious apps. The vast majority of the mobile malware we see is designed for fraud. A perfect example of one going around right now is called Bankbot. A user will …more