Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: What it takes to beat cybercrime in the age of DX and IoT: personal responsibility

By Byron V. Acohido

Back in 2004, when I co-wrote this USA TODAY cover story about spam-spreading botnets, I recall advising my editor to expect cybersecurity to be a headline-grabbing topic for a year or two more, tops.

Related:  A primer on machine-identity exposures

I was wrong. Each year over the past decade-and-a-half, a cause-and-effect pattern has spread more pervasively into the fabric of modern society. Each and every major advance of Internet-centric commerce – from e-tailing and email, to social media and mobile computing, and now on to the Internet of Things – has translated into an exponential expansion of the attack surface available to cybercriminals.

And malicious hackers have taken full advantage – whether they are motivated by criminal profits, backed by nation-state operatives, or simply desirous of bragging rights. Year-in and year-out, criminal innovation has far outpaced the effort on the part of companies and governments to defend their business networks, as well as to preserve the sanctity of our private data.

Shock-immune public

2018 was no exception. The year closed out with Starwood Properties, parent of the Marriott hotel chain, disclosing it lost personal data for 500 million patrons in a breach that lasted some  four years. Disclosures of huge data breaches no longer shock the public. Over the years, massive data losses have been reported by Equifax, Yahoo, Target, Anthem, Premera Blue Cross, Sony Pictures, Sony PlayStation, Home Depot, Deloitte, JP Morgan Chase, CitiBank and the U.S. Office of Personnel Management, just to name a few.

Meanwhile, we learned last year that stolen data might be the least of our worries. We witnessed Facebook CEO Mark Zuckerberg apologize to Congress for making behavioral data for 87 million Facebook users accessible to British consultancy Cambridge Analytica, which then used this sensitive information to manipulate  U.S. voters into supporting Donald Trump.

Speaking of America’s president, with Trump dominating mainstream news coverage, most folks took little notice of a tectonic shift of the cyber landscape. In 2018, as businesses raced to mix and match cloud-services delivered by the likes of Amazon Web Services, Microsoft Azure and Google Cloud, unforeseen gaps in classic network security systems began to turn up. And sure enough, enterprising cybercriminals wasted no time taking advantage.

Hackers got deep into Uber’s AWS platform. They did this by somehow obtaining, then using the AWS login credentials of one of Uber’s software developers, who left those credentials accessible on GitHub. ‘Git’ is a system for controlling the latest version of software programs; GitHub is an online repository where developers upload code for peer reviews and such.

The wider context? Imagine the degree to which Uber uses software to tie into services hosted by Amazon, Google, Facebook, Twitter, iPhone and Android. Uber is a prime example of an Internet-centric enterprise comprised of a collection of tools and services hosted by myriad partners. Think about how frenetic the software development process must be to keep Uber humming. Imagine all of the fresh attack vectors.

Cutting-edge malware

The direction this is heading is not good. A report from insurance underwriting giant Lloyd’s of London and risk modeling consultancy, Air Worldwide, showed how a three-day outage of the top cloud services providers would cause $15 billion in damage to the U.S. economy. Such a scenario would devastate small- and mid-sized businesses reliant on cloud services.

Meanwhile, after presumably enjoying a restful holiday, the best and brightest malicious hackers are diving into 2019 with renewed verve. A cutting-edge information stealer, dubbed Vidar, is designed to relay stolen data back to a botnet command-and-control server, just as the botnets I wrote about in 2004 did. Vidar, however, can identify browser and computer specifications at a granular level. This makes Vidar capable of stealing cryptocurrencies from digital wallets.

There is also a new type of attack aimed at the hardware level of targeted computers, instead of the software application level. The “Meltdown” and “Spectre” exploits paved the way for so-called “microcode hacks” in early 2018. And as 2019 commences, a new iteration, referred to as “page cache attacks,” presents an insidious new way for attackers to bypass security systems and place phishing windows deep inside of legitimate applications.

Hahad

“This attack class presents a significantly lower complexity barrier than previous hardware-based attacks and can easily be put into practice by threat actors, both nation-state as well as cyber gangs,” says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “There is not much that an end user can currently do to protect themselves against this type of attack, except to not run any software from a shady source, even if it does not raise any antivirus flag.”

Shared burden

Vidar and microcode hacking are two grains of sand on the beachhead of 2019 cyber threats. Conjuring a full summary of cyber exposures would be daunting. Clearly, there’s no turning the clock back on our Internet-centric digital lives. It is going to be a long while before the Pandora’s box of technical and societal problems we’ve opened gets resolved.

The good news is that an unparalleled acceleration of research has commenced in next-gen network architectures, including distributed databases, advanced encryption, datafication and artificial intelligence. What’s more, key industry standards-setting bodies and government regulators are well aware of what’s at stake. And they’ve begun a plodding march toward consensus standards and protocols.

But it will take some years to sort this all out. For the foreseeable future, the burden lies on each individual – each consumer, each employee, each company owner, each senior exec, each board director — to stay informed and to practice wise security and privacy habits.

I’ll do my part to keep the discussion going. Talk soon.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(This column originally appeared on  Avast Blog.)

 

(more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Comment | Read | February 15th, 2019 | My Take | Top Stories

PODCAST: US cyber foes take cue from government shutdown; rise in malware deployment under way

By Byron V. Acohido

One profound consequence of Donald Trump’s shutdown of the federal government, now in day 33, is what a boon it is to US cyber adversaries. And moving forward, the long run ramifications are likely to be dire, indeed.

Related: Welcome to the ‘golden age’ of cyber espionage

With skeleton IT crews manning government networks, America’s adversaries — China, Russia, North Korea, Iran and others in Eastern Europe and the Middle East —  have seized the opportunity to dramatically step up both development and deployment of sophisticated cyberweapons targeting at federal systems, says Jeremy Samide, CEO of Stealthcare, supplier of a threat intelligence platform that tracks and predicts attack patterns.

For a full drill down on the stunning intelligence Samide shared with Last Watchdog, please listen to the accompanying podcast. In a nutshell, Trump’s government shutdown has lit a fire under nation-state backed cyber spies to accelerate the development and deployment of high-end cyberweapons designed to be slipped deep inside of hacked networks and stealthily exfiltrate sensitive data and/or remain at the ready to cripple control systems.

This spike in activity has been very methodical, Samide told Last Watchdog. Operatives are stepping up probes of vulnerable access points on the assumption that no one is guarding the playground, Samide says.  At the same time, they are also accelerating development of the latest iterations of weaponry of the class of Eternal Blue, the NSA’s top-shelf cyberweapon that was stolen, leaked and subsequently used to launch the highly invasive WannaCry and NotPetya worms.

The longer the Trump government shut down continues, the more time US cyber adversaries will have to design and deploy heavily-cloaked malware —  and embed this digital weaponry far and wide in federal business networks and in critical infrastructure systems, Samide says.

What’s more, the longer the government closure continues, the more likely it is that key IT staffers with cybersecuritiy experience will choose to move to the private sector where there is an acute skills shortage. …more

14 Comments | Read | January 23rd, 2019 | For consumers | For technologists | My Take | Podcasts | Top Stories

MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

By Byron V. Acohido

I have a Yahoo email account, I’ve shopped at Home Depot and Target, my father was in the military and had a security clearance, which included a dossier on his family, archived at the U.S. Office of Personnel Management, I’ve had insurance coverage from Premera Blue Cross and I’ve stayed at the Marriott Marquis in San Francisco.

Related: Uber hack shows DevOps risk

The common demonitor: All of those organizations have now disclosed massive data breaches over a span of the past five years.

On Friday, Starwood Properties, which merged with Marriott in 2016, disclosed as many as 500 million people who made reservations at their hotels may have had their personal information accessed in a breach that lasted as long as four years.

The Starwood hack appears to come in second in scale only to the 2013 Yahoo breach, which affected as many as 3 billion accounts, while a subsequent Yahoo breach also hit 500 million accounts.

The breach is rightly attracting attention of regulators in Europe and the United States. Marriott shares fell nearly 6 percent to $114.67 in Friday afternoon trading. Here’s a roundup of reaction from cybersecurity thought leaders: …more

Comment | Read | December 3rd, 2018 | For consumers | For technologists | My Take | Top Stories

NEW TECH: Can Project Furnace secure DX — by combining serverless computing and GitOps?

By Byron V. Acohido

Assuring the privacy and security of sensitive data, and then actually monetizing that data, — ethically and efficiently — has turned out to be the defining challenge of digital transformation.

Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace, an all-new open source software development platform.

Related: The need to fold ‘SecOps’ into ‘DevOps’

I had the chance to sit down with Furnace Ignite’s co-founders: John Blamire, chief operating officer, and Danny Waite, chief technology officer,  for a pre-launch briefing.

They walked me through how Project Furnace began as a quest to improve the output of SIEM (security information and event management) systems.

However, beyond improving legacy appproachs to network security, Blamire and Waite explained why they firmly believe Furnace could ultimately accelerate the design and implementation of all smart software — the next generation of apps destined to run everything from our shopping experiences to our driverless cars and our smart homes and cities. Here are takeaways from our meeting:

DX context

Furnace, in essence, seeks to aid and abet digital transformation, or DX, the ongoing digitization of essentially all human endeavors into a machine-readable format that can be automatically acted upon. DX is the wider context, here, in the sense that DX is made possible because of the rise of “datafication” — the processes by which we’ve come to rapaciously collect and store mind-boggling amounts of data from web forms, social media, mobile apps, surveillance cameras, IoT sensors and the like.

In 2016, Waite was assigned the task of coming up with a much better way to extract …more

Comment | Read | February 12th, 2019 | For technologists | My Take | Steps forward | Top Stories

GUEST ESSAY: Australia’s move compelling VPNs to cooperate with law enforcement is all wrong

By Bogdan Patru

The moment we’ve all feared has finally come to pass. When government agencies and international intelligence groups pooled together resources to gather user data, the VPN’s encryption seemed like the light at the end of the tunnel.

Related: California enacts pioneering privacy law

However, it looks like things are starting to break apart now that Australia has passed the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018”. On the 6th of December 2018, a law that is a direct attack on internet users’ privacy was agreed to by both the House of Representatives and the Senate.

The amendment forces all companies, even VPN providers, to collect and give away confidential user data if the police demand it. All telecoms companies will have to build tools in order to bypass their own encryption.

If suspicions appear that a crime has been or will be committed by one of their users, the law enforcement agencies are in their right to demand access to user messages and private data.

This Orwellian Thought Police is to be the judge, jury, and executioner in a digital world that shelters our personal lives and secrets. All the things we’d like to keep hidden from others. You know, this revolutionary idea called “privacy” Anyone?

Tech companies all over the world are unsure how this can be achieved without installing backdoors into their own security systems. These vulnerabilities are just like a stack of powder kegs ready to blow up at any moment. This is because anyone with knowledge of their existence could theoretically use those security holes to gain access to the user data. …more

Comment | Read | February 11th, 2019 | For consumers | For technologists | Guest Blog Post | Privacy | Top Stories

MY TAKE: Why Satya Nadella is wise to align with privacy advocates on regulating facial recognition

By Byron V. Acohido

We’re just a month and change into the new year, and already there have been two notable developments underscoring the fact that some big privacy and civil liberties questions need to be addressed before continuing the wide-scale deployment of advanced facial recognition systems.

This week civil liberties groups in Europe won the right to challenge the UK’s bulk surveillance activities in the The Grand Chamber of the European Court of Human Rights.

Related: Snowden on unrestrained surveillance

“The surveillance regime the UK government has built seriously undermines our freedom,” Megan Golding, a lawyer speaking for privacy advocates, stated. “Spying on vast numbers of people without suspicion of wrongdoing violates everyone’s right to privacy and can never be lawful.”

That development followed bold remarks made by none other than Microsoft CEO Satya Nadella just a few weeks earlier at the World Economic Forum in Davos, Switzerland.

Nadella expressed deep concern about facial recognition, or FR, being used for intrusive surveillance and said he welcomed any regulation that helps the marketplace “not be a race to the bottom.”

Ubiquitous surveillance

You may not have noticed, but there has been a flurry of breakthroughs in biometric technology, led by some leapfrog advances in facial recognition systems over the past couple of years. Now facial recognition appears to be on the verge of blossoming commercially, with security use-cases paving the way.

Last November,  SureID, a fingerprint services vendor based in Portland, Ore., announced a partnership with Robbie.AI, a Boston-based developer of a facial recognition system designed to be widely deployed on low-end cameras.

The partners aim to combine fingerprint and facial data to more effectively authenticate employees in workplace settings. And their grander vision is to help establish a nationwide biometric database in which a hybrid facial ID/fingerprint can be used for things such as fraud-proofing retail transactions, or, say, taking a self-driving vehicle for a spin.

However, the push back by European privacy advocates and Nadella’s call for regulation highlights the privacy and civil liberties conundrums advanced surveillance technologies poses. It’s a healthy thing that a captain of industry can see this. These are weighty issues …more

Comment | Read | February 6th, 2019 | For consumers | For technologists | My Take | Privacy

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

By Byron V. Acohido

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Related: Massive Marriott breach closes out 2018

Ever wonder where the tens of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, Linked In,  Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches ends up?

This data gets collected and circulated in data bases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by  anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the injection of surreptitiously obtained usernames and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords. …more

Comment | Read | February 1st, 2019 | For consumers | For technologists | Imminent threats | My Take | Top Stories

MY TAKE: ‘Bashe’ attack theorizes a $200 billion ransomware raid using NSA-class cyber weapons

By Byron V. Acohido

A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe.

Related: U.S. cyber foes exploit government shutdown

The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real life WannaCry and NotPetya ransomware worms that plagued thousands of organizations in 2017.

The exercise was commissioned by Lloyd’s of London, the Cambridge Centre for Risk Studies and the Nanyang Technological University in Singapore, among others. In their construct, the fictional cyber ring behind Bashe leverages lessons learned from missteps made in WannaCry and NotPetya, with the aim of making Bashe “the most infectious malware of all time.”

It should not be forgotten that WannaCry and NotPetya made use of some of the  69 cyber weapons stolen from the NSA and released publicly by a group known as Shadow Brokers. These weapons were designed by NSA software engineers to take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

EternalBlue pedigree

Keep in mind, globe-spanning ransomware worms are just one of endless ways the NSA weapons, often referred to as “EternalBlue,” could be leveraged. While the Lloyd’s study focuses on the ransomware scenario, it’s reasonable to believe threat actors of every stripe are developing other ways to utilize EternalBlue-class cyber weaponry.

This creates a responsibility for every organization to consider this report and assess what damage control might entail, says Darin Pendergraft, vice president of product marketing at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data. …more

Comment | Read | January 31st, 2019 | For consumers | For technologists | Imminent threats | My Take | Top Stories

NEW TECH: This free tool can help gauge, manage third-party cyber risk; it’s called ‘VRMMM’

By Byron V. Acohido

Late last year, Atrium Health disclosed it lost sensitive data for some 2.65 million patients when hackers gained unauthorized access to databases operated by a third-party billing vendor.

Turn the corner into 2019 and we find Citigroup, CapitalOne, Wells Fargo and HSBC Life Insurance among a host of firms hitting the crisis button after  their customers’ records turned up on a database of some 24 million financial and banking documents found parked on an Internet-accessible server — without so much as password protection. The culprit: lax practices of a third-party data and analytics contractor.

Related: Atrium Health breach highlights third-party risks

One might assume top-tier financial services firms and healthcare vendors would have solved third-party cyber exposures by now. But the truth of the matter is, companies of all sizes and in all sectors remain acutely vulnerable to attack vectors laid open by third-party contractors. And this continues to include enterprises that have poured a king’s ransom into hardening their first-party security posture.

What’s happening is that supply chains are becoming more intricate and far-flung the deeper we move into digital transformation and the Internet of Things. And opportunistic threat actors are proving adept as ever at sniffing out the weak-link third parties in any digital ecosystem.

Mike Jordan, senior director of the Shared Assessments Program, a Santa Fe, NM-based  intel-sharing and training consortium focused on third-party risks, points out that at least one of the banks that had data exposed in this latest huge data leak wasn’t even a customer of the allegedly culpable contractor.

“Hacked subcontractors or downstream service providers can harm companies that have no business relationship with each other,” Jordan told Last Watchdog. “Individuals can even be affected by parties with whom they have no explicit relationships, such as credit bureaus and data brokers.” …more

Comment | Read | January 30th, 2019 | For technologists | Top Stories

Older Articles »