Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 
Byron Acohido · Why achieving iO -- 'indistinguishability obfuscation' -- is so crucial

STEPS FORWARD: Math geniuses strive to make a pivotal advance — by obfuscating software code

By Byron V. Acohido

Most of time we take for granted the degree to which fundamental components of civilization are steeped in mathematics.

Everything from science and engineering to poetry and music rely on numeric calculations. Albert Einstein once observed that “pure mathematics is, in its way, the poetry of logical ideas.”

Related: How Multi Party Computation is disrupting encryption

An accomplished violinist, Einstein, no doubt, appreciated the symmetry of his metaphor. He was keenly aware of how an expressive Haydn symphony applied math principles in a musical context in much the same way has he did in deriving breakthrough physics theorems.

Math once more is being conjured to help civilization make a great leap forward. Digital technology, like music, is all about math. We’ve come a long way leveraging algorithms to deliver an amazing array of digital services over the past 30 years; yet so much more is possible.

Math is the linchpin to innovations that can dramatically improve the lives of billions of people, perhaps even save the planet. However, a quintessential math conundrum, is, for the moment, holding these anticipated advancements in check. The math community refers to this bottleneck as “indistinguishability obfuscation,” or iO.

Our top math geniuses point to iO as a cornerstone needed to unleash the full potential of artificially intelligent (AI) programs running across highly complex and dynamic cloud platforms, soon to be powered by quantum computers. Simply put, iO must be achieved in order to preserve privacy and security while tapping into the next generation of IT infrastructure.

I recently had the chance to discuss iO with Dr. Tatsuaki Okamoto, director of NTT Research’s Cryptography and Information Security (CIS) Lab, and Dr. Amit Sahai, professor of computer science at UCLA Samueli School of Engineering and director of UCLA Center for Encrypted Functionalities (CEF). NTT Research sponsored research led by Sahai that recently resulted in a achieving an important iO milestone. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Comment | Read | November 16th, 2020 | For consumers | For technologists | Podcasts | Privacy | Steps forward | Top Stories

SHARED INTEL: Coming soon — ‘passwordless authentication’ as a de facto security practice

By Byron V. Acohido

As a tradeoff for enjoying our digital lives, we’ve learned to live with password overload and even tolerate two-factor authentication.

But now, at long last, we’re on the brink of eliminating passwords altogether, once and for all.

Related:  CEOs quit Tweeting to protect their companies

A confluence of technical and social developments points to username-and-password logons becoming obsolete over the next few years. What’s more, this shift could very well kick into high gear as part of the solidifying of post Covid-19 business practices and online habits.

I had a chance to discuss this seminal transition with George Avetisov, co-founder and chief executive officer of HYPR, a Manhattan-based supplier of advanced authentication technologies. For a full drill down on our eye-opening conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

Password tradeoffs 

Passwords have always been a big pain. They must be convoluted to be any good, which means they’re difficult to remember, especially since the average person has to juggle passwords to access dozens of online accounts. From a business perspective, managing and resetting passwords chews up scarce resources, and yet even with the best possible maintenance passwords are trivial to hack.

For most of the Internet era, we’ve learned to live with these tradeoffs. However, in the last couple of years the harm wrought by the abuse of passwords has spiked exponentially. The reason: credential stuffing. This is a type of advanced, brute-force hacking that leverages automation.

By deploying botnets pre-loaded with stolen data, credential stuffing gangs are able to insert stolen usernames and passwords into web page forms, at scale, until they gain access to a valuable account. Credential stuffing has enabled criminal hacking rings to turbo-charge their malware spreading and account hijacking campaigns. And when Covid-19 hit, these attackers opportunistically pivoted to plundering Covid-19 relief funds at an ungodly scale.

Comment | Read | November 11th, 2020 | Best Practices | For consumers | For technologists | My Take | Podcasts | Steps forward | Top Stories

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

By Byron V. Acohido

The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Melon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.

Related: Companies sustain damage from IoT attacks

That was back in 1982. Since then, IoT devices have become widely and deeply integrated into our homes, businesses, utilities and transportations systems. This has brought us many benefits. And yet our pervasive deployment of IoT systems has also vastly expanded the cyber attack surface of business networks, especially in just the past few years.

And now Covid-19 is having a multiplier effect on these rising IoT exposures. Nine months into the global pandemic an ominous dynamic is playing out.

Remote work and remote schooling have spiked our reliance on IoT systems to a scale no one could have predicted; and much of this sudden, dramatic increase is probably going to be permanent. In response, threat actors are hustling to take full advantage.

This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond. This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.

However, this will require a concerted, proactive effort by the business community —  enterprises and small- and mid-sized businesses alike. Individual citizens, consumers and workers have a big role to play as well. Each one of us will have to cooperate and make sacrifices. A lot is at stake. Here’s what all companies and individuals should fully grasp about our IoT systems under attack, post Covid-19.

Comment | Read | November 9th, 2020 | For consumers | For technologists | My Take | Privacy | Top Stories

NEW TECH: A better way to secure agile software — integrate app scanning, pen testing into WAF

By Byron V. Acohido

The amazing array of digital services we so blithely access on our smartphones wouldn’t exist without agile software development.

Related: ‘Business logic’ hacks on the rise

Consider that we began this century relying on the legacy “waterfall” software development process. This method required a linear plan, moving in one direction, that culminated in a beta deliverable by a hard and fast deadline. To set this deadline required a long, often tortured planning cycle. And this invariably led to the delivery of a bug-ridden version 1.0, if not outright project failure.

By contrast, the agile approach, aka DevOps, thrives on uncertainty. DevOps expects changes as part of being responsive to end users. Agile software development is all about failing fast — discovering flaws quickly and making changes on the fly. Agile has given us Netflix, Twitter, Uber, TikTok and much more.

Of course the flip side is that all of this speed and agility has opened up endless fresh attack vectors – particularly at the web application layer of digital commerce. “The heart of any business is its applications,” says Venky Sundar, founder and chief marketing officer of Indusface. “And application-level attacks have come to represent the easiest target available to hackers.”

Based in Bengalura, India, Indusface helps its customers defend their applications with a portfolio of services that work in concert with its flagship web application firewall (WAF,) a technology that has been around for about 15 years. WAFs have become a table stakes; any company with a public-facing website should by now have a WAF. Fundamentally, WAFs monitor all of the  HTTP traffic hitting a company’s web servers and block known malicious traffic, such as the threats listed in the OWASP Top 10 application level attacks

A few of the big-name vendors in the WAF space include Imperva, Cloudflare, Akamai and Barracuda and even Amazon Web Services offers a WAF. Indusface has differentiated itself by … more

Comment | Read | August 17th, 2020 | For technologists | Imminent threats | New Tech | Podcasts | Top Stories

SHARED INTEL: How ransomware evolved from consumer trickery to deep enterprise hacks

By David Balaban

Ransomware is undoubtedly one of the most unnerving phenomena in the cyber threat landscape. Numerous strains of this destructive code have been the front-page news in global computer security chronicles for almost a decade now, with jaw-dropping ups and dramatic downs accompanying its progress.

Related: What local government can do to repel ransomware

Ransomware came into existence in 1989 as a primitive program dubbed the AIDS Trojan that was spreading via 5.25-inch diskettes. This debut was followed by the emergence of several marginal blackmail threats in the mid-2000s that never gained significant traction among online criminals. The epidemic went truly mainstream with the release of CryptoLocker back in 2013, and it has since transformed into a major dark web economy spawning the likes of Sodinokibi, Ryuk, and Maze lineages that are targeting the enterprise on a huge scale in 2020.

Although most people think of ransomware as a dodgy application that encrypts data and holds it for ransom, the concept is much more heterogeneous than that. It additionally spans mild-impact screen lockers, data wipers disguised as something else, infections that overwrite the master boot record (MBR), and most recently, nasties that enhance the attack logic with data theft.

The above-mentioned AIDS Trojan hailing from the distant pre-Internet era was the progenitor of the trend, but its real-world impact was close to zero. The Archiveus Trojan from 2006 was the first one to use RSA cipher, but it was reminiscent of a proof of concept and used a static 30-digit decryption password that was shortly cracked. None of these early threats went pro. In this timeline, I will instead focus on the strains that became the driving force of the ransomware evolution.

FBI spoofs

2012 – 2013. During this period, the ransomware ecosystem was dominated by Trojans that locked the screen or web browser with fake alerts impersonating law enforcement agencies. These warnings would state that the victim committed a … more

5 Comments | Read | June 21st, 2020 | For technologists | Guest Blog Post | Top Stories

NEW TECH: Cequence Security’s new ‘API Sentinel’ helps identify, mitigate API exposures

By Byron V. Acohido

Application Programming Interfaces – APIs. Without them digital transformation would never have gotten off the ground.

Related: Defending botnet-driven business logic hacks

APIs made possible the astounding cloud, mobile and IoT services we have today. This happened, at a fundamental level, by freeing up software developers to innovate on the fly. APIs have exploded in enterprise use over the past several years.

However, API deployments have scaled so high and so fast that many companies don’t know how many APIs they have, which types they’re using and how susceptible their APIs might be to being compromised.

Cequence Security, a Sunnyvale, Calif.-based application security vendor, today is launching a new solution, called API Sentinel, designed to help companies jump in and start proactively mitigating API risks, without necessarily having to slow down their innovation steam engine. I had the chance to discuss this with Matt Keil, Cequence’s director of product marketing. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways from our conversation:

API 101

Digital transformation took off when companies discovered that instead of developing monolithic applications that were updated annually – at best – they could tap into the skill and creativity of their developers. This was possible because APIs – the conduits that enable two software applications to exchange information – are open and decentralized, exactly like the Internet.

Comment | Read | June 17th, 2020 | For technologists | New Tech | Podcasts | Steps forward | Top Stories

Q&A: NIST’s new ‘Enterprise Risk Management’ guidelines push cyber risks to board level

By Byron V. Acohido

Enterprise risk management (ERM) is a comparatively new corporate discipline. The basic notion is that in today’s complex operating environment, it is important for businesses to proactively identify operational hazards and have a plan in place to account for them.

Related: Poll shows senior execs get cybersecurity

A hazard is anything that can interfere with a company meeting its objectives; it could be something physical, such as a fire, a theft or a natural disaster; or it could  be an abstract risk, such as a lawsuit or a regulatory fine.

As part of its role promoting cybersecurity best practices, the National Institute of Standards and Technology (NIST) has stepped forward to make sure complex and expanding cybersecurity exposures become part and parcel of evolving ERM frameworks.

NIST has been getting positive feedback to draft guidelines it issued in late March which essentially serves as a roadmap for enterprises to account for complex cybersecurity exposures when implementing ERM strategies. The guidelines — NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) – are specifically aimed at fostering the integration of cybersecurity risk management best practices and ERM frameworks.

The Internet Security Alliance (ISA) is a trade association and think tank whose members include prominent corporations in a wide cross section of industries. In February, ISA, in partnership with the National Association of Corporate Directors (NACD), published the 2020 edition of their Cyber-Risk Oversight Handbook for Corporate Boards.

ISA President Larry Clinton noted how well the trade groups’ handbook meshes with NIST’s new guidelines. “The NIST filing does an excellent job linking many of the principles directors have articulated as necessary for effective cybersecurity,” he says. “The NISTIR, like the NACD-ISA handbook, urges enterprises to utilize the modern models that are being developed to help organizations appropriately balance economic growth and cyber risk.”

I had the chance to drill down on this with … more

Comment | Read | June 1st, 2020 | Best Practices | For technologists | Q & A | Top Stories

SHARED INTEL: New book on cyber warfare foreshadows attacks on elections, remote workers

By Byron V. Acohido

It’s difficult to convey the scope and scale of cyber attacks that take place on a daily basis, much less connect the dots between them.

Related: The Golden Age of cyber spying

A new book by Dr. Chase Cunningham —  Cyber Warfare – Truth, Tactics, and Strategies —   accomplishes this in a compelling, accessible way. Cunningham has the boots-on-the-ground experience and storytelling chops to pull this off. As a  cybersecurity principal analyst at Forrester,  he advises enterprise clients on how to stay in front of the latest iterations of cyber attacks coming at them from all quarters.

Cunningham’s 19 years as a US Navy chief spent in cyber forensic and cyber analytic operations included manning security controls at the NSA, CIA and FBI. He holds a PhD and MS in computer science from Colorado Technical University and a BS from American Military University focused on counter-terrorism operations in cyberspace.

Cunningham sets the table in Cyber Warfare by relating detailed anecdotes that together paint the bigger picture. Learning about how hackers were able to intercept drone feed video from CIA observation drones during the war in Iraq, for instance, tells us a lot about how tenuous sophisticated surveillance technology really can be, out in the Internet wild.

And Cunningham delves into some fascinating, informative nuance about industrial systems attacks in the wake of Stuxnet. He also adds historical and forward-looking context to the theft and criminal deployment of the Eternal Blue hacking tools, which were stolen from the NSA, and which have been used to cause so much havoc, vis-à-vis WannaCry and NotPetya. What’s more, he comprehensively lays out why ransomware and deep fake campaigns are likely to endure, posing a big threat to organizations in all sectors for the foreseeable future.

Comment | Read | April 27th, 2020 | Book Excerpts | For consumers | For technologists | Steps forward | Top Stories

STEPS FORWARD: How the Middle East led the U.S. to implement smarter mobile security rules

By Byron V. Acohido

We’ve come to rely on our smartphones to live out our digital lives, both professionally and personally.

When it comes to securing mobile computing devices, the big challenge businesses have long grappled with is how to protect company assets while at the same time respecting an individual’s privacy.

Reacting to the BYOD craze, mobile security frameworks have veered from one partially effective approach to the next over the past decade. However, I recently learned about how federal regulators in several nations are rallying around a reinvigorated approach to mobile security: containerization. Containerizing data is a methodology that could anchor mobile security, in a very robust way, for the long haul.

Interestingly, leadership for this push came from federal regulators in, of all places, the Middle East.  In May 2017, the Saudi Arabian Monetary Authority (SAMA) implemented its Cyber Security Framework mandating prescriptive measures, including a requirement to containerize data in all computing formats. A few months later the United Arab Emirates stood up its National Electronic Security Authority (NESA) which proceeded to do much the same thing.

Earlier this year, US regulators essentially followed the Middle East’s lead by rolling out sweeping new rules — referred to as Cybersecurity Maturity Model Certification (CMMC)  — which require use of data containerization along much the same lines as Saudi Arabia and the UAE mandated some three years ago. The implementation of CMMC represents a big change from past U.S. federal data handling rules for contractors, for which compliance was by-and-large voluntary.

Comment | Read | April 13th, 2020 | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories

BEST PRACTICES: Mock attacks help local agencies, schools prepare for targeted cyber scams

By Byron V. Acohido

Cyber criminals who specialize in plundering local governments and school districts are in their heyday.

Related: How ransomware became a scourge

Ransomware attacks and email fraud have spiked to record levels across the U.S. in each of the past three years, and a disproportionate number of the hardest hit organizations were local public agencies.

Lucy Security, a security training company based in Zug, Switzerland that works with many smaller public entities, has been in the thick of this onslaught. The company’s software is used to run public servants and corporate employees through mock cyberattack training sessions. There’s an obvious reason smaller public entities have become a favorite target of cybercriminals: most are run on shoestring budgets and corners tend to get cut in IT security, along with everything else operationally.

I had a chance to discuss this with Lucy Security Inc. CEO Colin Bastable at RSA 2020. Another factor I never thought about, until meeting with Bastable, is that public servants typically possess a can-do work ethic. This can make them particularly susceptible to social engineering trickery, the trigger for online extortion and fraud campaigns, Bastable told me.

For a drill down on my full interview with Bastable, give the accompanying podcast a listen. Here are the key takeaways:

Simple, lucrative fraud

What happened in the state of Texas earlier last January is a microcosm of intensifying pressure all local agencies face from motivated hackers and scammers.

Fraudsters did enough online intelligence gathering on the Manor Independent School District, in Manor, Texas, to figure out which vendors were in line to receive large bank transfers as part of the school district spending the proceeds of a large school bond. They also studied the employees who handled the transactions.

One Comment | Read | April 6th, 2020 | Best Practices | For consumers | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories

GUEST ESSAY: ‘CyberXchange’ presents a much-needed platform for cybersecurity purchases

By Armistead Whitney

There is no shortage of innovative cybersecurity tools and services that can help companies do a much better job of defending their networks.

Related: Welcome to the CyberXchange Marketplace

In the U.S. alone, in fact, there are more than 5,000 cybersecurity vendors. For organizations looking to improve their security posture, this is causing confusion and vendor fatigue, especially for companies that don’t have a full time Chief Information Security Officer.

The vendors are well-intentioned. They are responding to a trend of companies moving to meet rising compliance requirements, such as PCI-DSS and GDPR. Senior management is now  focused on embracing well-vetted best practices such as those outlined in FFIEC and SOC 2, and many more. According to a recent study by PwC, 91% of all companies are following cybersecurity frameworks, like these, as they build and implement their cybersecurity programs.

All of this activity has put a strain on how companies buy and sell cybersecurity solutions. Consider that PCI-DSS alone has over 250 complex requirements that include things like endpoint protection, password management, anti-virus, border security, data recovery and awareness training.

Traditional channels for choosing the right security solutions are proving to be increasingly ineffective. This includes searching through hundreds of companies on Google, attending trade shows and conferences (not possible today with COVID), or dealing with constant cold calls and cold emails from security company sales reps.

Comment | Read | October 19th, 2020 | For technologists | Guest Blog Post | Steps forward

MY TAKE: How ‘credential stuffing’ is being deployed to influence elections, steal Covid-19 relief

By Byron V. Acohido

What do wildfires and credential stuffing have in common?

Related: Automated attacks leverage big data

For several years now, both have flared up and caused harm at the fringes of population centers and our digital economy. And, now, in 2020, both have escalated to catastrophic proportions.

Just after Labor Day, dried out trees and shrubs combined with high winds to erupt into massive wildfires that swiftly engulfed rural towns and even suburban areas of California, Oregon, Washington and several other states. Millions of acres of land got consumed, hundreds of thousands of people were evacuated and dozens lost their lives.

Meanwhile, all year long and continuing through the fall, opportunistic cybercriminals have launched wave after wave of automated credential stuffing campaigns. These bad actors are wreaking havoc in two arenas: Stealing Covid-19 relief payments on a massive scale as well as meddling, once again, in the election of a U.S. president.

The wildfires eventually subsided with calmer, damper meteorological conditions. However, massive surges of credential stuffing have persisted, fueled by a seemingly endless supply of already stolen, or easy-to-steal, personal information along with the wide availability of sophisticated hacking tools.

Comment | Read | September 23rd, 2020 | For consumers | For technologists | Imminent threats | My Take | Top Stories

MY TAKE: Lessons learned from the summer of script kiddies hacking Twitter, TikTok

By Byron V. Acohido

Graham Ivan Clark, Onel de Guzman and Michael Calce. These three names will go down in the history of internet commerce, right alongside Jack Dorsey, Mark Zuckerberg and Jeff Bezos.

Related: How ‘Zero Trust’ is compatible with agile computing

We’re all familiar with the high-profile entrepreneurs who gave us the tools and services that underpin our digital economy. However, Clark, de Guzman and Calce are equally notable as leading members of the Hall of Fame of script kiddies – youngsters who precociously shed light on the how these same tools and services are riddled with profound privacy and security flaws.

The trouble is Clark, 17, of Tampa, Florida, is teaching us much the same lessons in the summer of 2020 that de Guzman and Calce did in the spring of 2000. De Guzman authored the I Love You email virus that circled the globe infecting millions of PCs; Calce, aka Mafiaboy, released the Melissa Internet worm that knocked offline Amazon, CNN, eBay and Yahoo.

Judging from the success of script kiddies, the tech giants apparently have not learned very much about security in 20 years. Clark was arrested in late July and charged with masterminding the hijacking of the Twitter accounts of A-list celebrities, and then Tweeting from those accounts to pull off a Bitcoin scam. His caper is worrisome on two counts. First it shows how resistant companies continue to be with respect to embracing very doable cyber hygiene practices – measures that would prevent these sorts of hacks. And second, it reminds us how much capacity to wreak havoc truly malicious parties — not just script kiddies – possess. This is chilling considering the times we’re in. On the cusp of electing a U.S. president, with the world struggling to recover from a global pandemic, there are nuanced lessons we can learn from the Twitter Bitcoin hack. Here’s what all consumers and companies should heed going forward.

Comment | Read | September 1st, 2020 | For consumers | For technologists | Imminent threats | My Take | Privacy | Top Stories

NEW TECH: Trend Micro flattens cyber risks — from software development to deployment

By Byron V. Acohido

Long before this awful pandemic hit us, cloud migration had attained strong momentum in the corporate sector. As Covid19 rages on, thousands of large to mid-sized enterprises are now slamming pedal to the metal on projects to switch over to cloud-based IT infrastructure.

A typical example is a Seattle-based computer appliance supplier that had less than 10 percent of its 5,000 employees set up to work remotely prior to the pandemic. Seattle reported the first Covid19 fatality in the U.S., and Washington was among the first states to issue shelter at home orders. Overnight, this supplier was forced to make the switch to 90 percent of its employees working from home.

As jarring as this abrupt shift to remote work has been for countless companies, government agencies and educational institutions, it has conversely been a huge boon for cyber criminals. The Internet from its inception has presented a wide open attack vector to threat actors. Covid19 has upgraded the Internet — from the criminals’ point of view — to a picture-perfect environment for phishing, scamming and deep network intrusions. Thus the urgency for organizations to put all excuses aside and embrace stricter cyber hygiene practices could not be any higher.

It’s a very good thing that the cybersecurity industry has been innovating apace, as well. Cybersecurity technology is far more advanced today than it was five years ago, or even two years ago.

Comment | Read | August 25th, 2020 | For technologists | New Tech | Podcasts | Privacy | Steps forward | Top Stories

Older Articles »