Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: Why it’s now crucial to preserve PKI, digital certificates as the core of Internet security

By Byron V. Acohido

For decades, the cornerstone of IT security has been Public Key Infrastructure, or PKI, a system that allows you to encrypt and sign data, issuing digital certificates that authenticate the identity of users.

Related: How PKI could secure the Internet of Things

If that sounds too complicated to grasp, take a look at the web address for the home page of this website. Take note of how the URL begins with HTTPS.  The ‘S’ in HTTPS stands for ‘secure.’ Your web browser checked the security certificate for this website, and verified that the certificate was issued by a legitimate certificate authority. That’s PKI in action.

As privacy comes into sharp focus as a priority and challenge for cybersecurity, it’s important to understand this fundamental underlying standard.

Because it functions at the infrastructure level, PKI is not as well known as it should be by senior corporate management, much less the public. However, you can be sure cybercriminals grasp  the nuances about PKI, as they’ve continued to exploit them to invade privacy and steal data.

Here’s the bottom line: PKI is the best we’ve got. As digital transformation accelerates, business leaders and even individual consumers are going to have to familiarize themselves with PKI and proactively participate in preserving it. The good news is that the global cybersecurity community understands how crucial it has become to not just preserve, but also reinforce, PKI. Google, thus far, is leading the way. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Comment | Read | December 9th, 2019 | Best Practices | For consumers | For technologists | Privacy | Steps forward | Top Stories

MY TAKE: How blockchain technology came to seed the next great techno-industrial revolution

By Byron V. Acohido

Some 20 years ago, the founders of Amazon and Google essentially set the course for how the internet would come to dominate the way we live.

Jeff Bezos of Amazon, and Larry Page and Sergey Brin of Google did more than anyone else to actualize digital commerce as we’re experiencing it today – including its dark underbelly of ever-rising threats to privacy and cybersecurity.

Related: Securing identities in a blockchain

Today we may be standing on the brink of the next great upheaval. Blockchain technology in 2019 may prove to be what the internet was in 1999.

Blockchain, also referred to as distributed ledger technology, or DLT,  is much more than just the mechanism behind Bitcoin and cryptocurrency speculation mania. DLT holds the potential to open new horizons of commerce and culture, based on a new paradigm of openness and sharing.

Some believe that this time around there won’t be a handful of tech empresarios grabbing a stranglehold on the richest digital goldmines. Instead, optimists argue, individuals will arise and grab direct control of minute aspects of their digital personas – and companies will be compelled to adapt their business models to a new ethos of sharing for a greater good.

At least that’s one Utopian scenario being widely championed by thought leaders like economist and social theorist Jeremy Rifkin, whose talk, “The Third Industrial Revolution: A Radical New Sharing Economy,” has garnered 3.5 million views on YouTube. And much of the blockchain innovation taking place today is being directed by software prodigies, like Ethereum founder Vitalik Buterin, who value openness and independence above all else.

Public blockchains and private DLTs are in a nascent stage, as stated above, approximately where the internet was in the 1990s. This time around, however, many more complexities are in play – and consensus is forming that blockchain will take us somewhere altogether different from where the internet took us.

“With the Internet, a single company could take a strategic decision and then forge ahead, but that’s not so with DLT,” says Forrester analyst Martha Bennett, whose cautious view of blockchain we’ll hear later. “Blockchains are a team sport. There needs to be major shifts in approach and corporate culture, towards collaboration among competitors, before blockchain-based networks can become the norm.”

That said, here are a few important things everyone should understand about the gelling blockchain revolution. …more

Comment | Read | November 4th, 2019 | For consumers | For technologists | My Take | Privacy | Steps forward | Top Stories

MY TAKE: How ‘credential stuffing’ and ‘account takeovers’ are leveraging Big Data, automation

By Byron V. Acohido

A pair of malicious activities have become a stunning example of digital transformation – unfortunately on the darknet.

Related: Cyber risks spinning out of IoT

Credential stuffing and account takeovers – which take full advantage of Big Data, high-velocity software, and automation – inundated the internet in massive surges in 2018 and the first half of 2019, according to multiple reports.

Credential stuffing is one of the simplest cybercriminal exploits, a favorite among hackers. Using this technique, the criminal collects your leaked credentials (usually stolen in a data breach) and then applies them to a host of other accounts, hoping they unlock more. If you’re like the majority of users out there, you reuse credentials. Hackers count on it.

A new breed of credential stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. The sophistication level of these cyberthreats is increasing, and there’s an ominous consensus gelling in the cybersecurity community that the worst is yet to come.

“We’ve observed significant growth in credential stuffing and account takeovers for several years. It’s hard to see a short-term change that would slow attempts by attackers,” Patrick Sullivan, Akamai’s senior director of security strategy, told me. “Significant changes to authentication models may be required to alter the growth trajectory of these attacks.” …more

Comment | Read | October 16th, 2019 | For consumers | For technologists | Imminent threats | My Take | Top Stories

MY TAKE: What everyone should know about the promise and pitfalls of the Internet of Things

By Byron V. Acohido

The city of Portland, Ore. has set out to fully leverage the Internet of Things and emerge as a model “smart” city.

Related: Coming soon – driverless cars

Portland recently shelled out $1 million to launch its Traffic Sensor Safety Project, which tracks cyclists as they traverse the Rose City’s innumerable bike paths. That’s just step one of a grand plan to closely study – and proactively manage – traffic behaviors of cyclists, vehicles, pedestrians and joggers. This is all in pursuit of the high-minded goal of eliminating all accidents that result in death or serious injury.

Portland is shooting high, and it is by no means alone. Companies in utilities, transportation and manufacturing sectors are moving forward with the …more

Comment | Read | September 19th, 2019 | For consumers | For technologists | My Take | New Tech | Privacy | Top Stories

MY TAKE: A primer on how ransomware arose to the become an enduring scourge

By Byron V. Acohido

“All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

This is an excerpt from a chilling ransom note Baltimore IT officials received from hackers who managed to lock up most of the city’s servers in May. The attackers demanded $76,000, paid in Bitcoin, for a decryption key. Baltimore refused to pay – choosing, instead, to absorb an estimated $18 million in recovery costs.

Related:  ‘Cyber Pearl Harbor’ happens every day

Some 15 months earlier, in March 2018, Atlanta was hit by a similar assault, and likewise refused to pay a $51,000 ransom, eating $17 million in damage.

Stunning as these two high-profile attacks were, they do not begin to convey the full scope of what a pervasive and destructive phenomenon ransomware has become – to individuals, to companies of all sizes and, lately, to poorly defended local agencies.

Probing and plundering

Ransomware is highly resilient and flexible. Its core attraction for criminals is that it is about as direct a channel to illicitly-garnered cash as any conman could dream up – few middlemen required.

From a high level, ransomware is essentially an open platform that operates on market principles, around which a thriving ecosystem of suppliers and specialists has taken shape. This has opened the door for newbie purveyors, with modest technical skill, to enter the field, giving these novices easy and cheap access to powerful turnkey tools and services. Meanwhile, the advanced hacking collectives invest in innovation and press forward. The net result is a continuation of proven styles of ransomware attacks, as well as constant probing for vulnerable pockets and plundering along fresh pathways.

According to the FBI, the absolute number of daily ransomware attacks actually dipped slightly last year. However, that’s more a function of hackers targeting individuals less, and companies and governments more. And as highlighted by the assaults on Baltimore and Atlanta, municipalities are among the hottest targets of the moment. A survey of local media reports by Recorded Future tallied 38 ransomware attacks against cities in 2017, rising to 53 attacks in 2018. In the first four months of 2019 alone, some 22 attacks have been disclosed.

…more

One Comment | Read | August 15th, 2019 | For consumers | For technologists | Imminent threats | My Take | Top Stories

ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

By Byron V. Acohido

Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next — after admitting to have allowed a gargantuan data breach.

Capital One’s mea culpa coincided with the FBI’s early morning raid of a Seattle residence to arrest Paige Thompson. Authorities charged the 33-year-old former Amazon software engineer with masterminding the hack.

Related: Hackers direct botnets to manipulate business logic

Thompson is accused of pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That includes social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Just a few days before Capital One’s disclosure,  Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach that compromised sensitive information of more than 145 million American consumers. Also very recently,  the Federal Trade Commission slammed Facebook with a record $5 billion fine for losing control over massive troves of personal data and mishandling its communications with users.

Sure enough, it didn’t take long (less than 24 hours) for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit  against Capital One for its failure to protect sensitive customer data. Many more lawsuits, as well as federal probes and Congressional hearings, are sure to follow.

Oh, and let’s not forget how Equifax summarily canned five top execs, including Equifax CEO Richard Smith, in the aftermath of its big breach. Not even doing this YouTube video apology was enough to save Smith his job.  It’s going to be interesting to see who Capital One’s board of directors designates to throw under the bus on this one.

Larger lessons

Arguably the most fascinating twist to the Capital One caper is the FBI’s rather quick arrest of Paige Thompson. Arrests in network breaches are rare, indeed. For instance, we know a lot of details about the Equifax breach, thanks to a GAO investigation and report. But no suspects have ever been publicly named.

What’s more, the usual suspects in high-profile breaches – i.e. professional Russian, Eastern European, Chinese and North Korean hacking collectives – appear to be out of the loop with respect to this particular caper. The Capital One breach, it seems to me, vividly highlights the depth and breadth of the Internet underground. Anyone with technical aptitude, diligence and a lack of scruples, such as an out-of-work IT staffer, can engage in criminal activity at a fairly high level. …more

2 Comments | Read | August 1st, 2019 | Best Practices | For consumers | For technologists | Privacy | Top Stories

NEW TECH: A couple of tools that deserve wide use — to preserve the integrity of U.S. elections

By Byron V. Acohido

As the presidential debate season ramps up, the specter of nation-state sponsored hackers wreaking havoc, once more, with U.S. elections, looms all too large.

It’s easy to get discouraged by developments such as  Sen. McConnell recently blocking a bi-partisan bill to fund better election security, as well as the disclosure that his wife, Transportation Security Elaine Chao, has accepted money from voting machine lobbyists.

Related: Why not train employees as phishing cops?

That’s why I was so encouraged to learn about two new tools that empower individual candidates – and local election officials – to take proactive steps to make election tampering much more difficult to successfully pull off. In the current geo-political environment, every forthright step can make a huge difference.

First, there’s a tool called the Rapid Cyber Risk Scorecard. NormShield, the Vienna, VA-based, cybersecurity firm that supplies this service, recently ran scores for all of the 26 declared presidential candidates —  and found the average cyber risk score to be B+.

What this tells me is that the presidential candidates, at least, actually appear to be heeding lessons learned from the hacking John Podesta’s email account – and all of the havoc Russia was able to foment in our 2016 elections. NormShield found that all of the 2020 presidential hopefuls, thus far,  are making sure their campaigns are current on software patching, as well as Domain Name System (DNS) security; and several are doing much more.

My takeaway: other candidates can use this scorecard, which runs assessments of 10 cyber risk categories, as a starting point to harden their campaigns.

Another such service that can do a ton of good was announced last week by Global Cyber Alliance (GCA), in partnership with Craig Newmark Philanthropies and the Center for Internet Security. It’s a free cybersecurity toolkit for elections that gives local election authorities actionable guidance on how to mitigate the most common risks to trustworthy elections.

…more

One Comment | Read | July 1st, 2019 | New Tech | Steps forward | Top Stories

GUEST ESSAY: Cyber insurance 101 — for any business operating in today’s digital environment

By Cynthia Lopez Olson

Cyberattacks are becoming more prevalent, and their effects are becoming more disastrous. To help mitigate the risk of financial losses, more companies are turning to cyber insurance.

Related: Bots attack business logic

Cyber insurance, like other forms of business insurance, is a way for companies to transfer some of numerous potential liability hits associated specifically with IT infrastructure and IT activities.

These risks are normally not covered by a general liability policy, which includes coverage only for injuries and property damage. In general, cyber insurance covers things like:

•Legal fees and expenses to deal with a cybersecurity incident

•Regular security audit

•Post-attack public relations

•Breach notifications

•Credit monitoring

•Expenses involved in investigating the attack

•Bounties for cyber criminals

In short, cyber insurance covers many of the expenses that you’d typically face in the wake of cybersecurity event. …more

Comment | Read | January 20th, 2020 | Best Practices | For consumers | For technologists | Guest Blog Post | Privacy | Steps forward

MY TAKE: Why we should all now focus on restoring stability to US-Iran relations

By Byron V. Acohido

As tensions escalate between the U.S. and Iran it’s vital not to lose sight of how we arrived at this point.

Related: We’re in the golden age of cyber spying

Mainstream news outlets are hyper focused on the events of the past six days. A Dec. 27 rocket attack on a military base in northern Iraq killed an American contractor and a number of service members. Protesters attacked the US embassy in Baghdad. President Trump then retaliated by ordering a drone strike that killed a top Iranian military leader,  Gen. Qasem Soleimani.

The open assassination of a top Middle East official has ignited a social media frenzy about how we very well may be on the brink of World War III. I very much hope cooler heads prevail.

Iran accord scuttled

A starting point for cooling things off would be for news pundits — as well as anyone who considers himself or herself a social media influencer, i.e, someone who fosters community discussions — to recall the hostile shove Trump gave Iran last May.

That’s when Trump scuttled the 2015 Iran nuclear deal – which was the result of 10 years of negotiation between Iran and the United Nations Security Council. The 2015 Iran accord, agreed to by President Obama, set limits on Iran’s nuclear programs in exchange for the lifting of nuclear-related sanctions.

For his own reasons, Trump declared the 2015 Iran accord the “worst deal ever,” and has spent the past several months proactively escalating tensions with Iran, for instance, by unilaterally imposing multiple rounds of fresh sanctions.

This, of course, pushed Iran into a corner, and, no surprise, Iran has pushed back. It’s important to keep in mind that Iran, as well as Europe and the U.S., were meeting the terms of the 2015 nuclear deal, prior to Trump scuttling the deal. …more

Comment | Read | January 3rd, 2020 | For consumers | For technologists | Imminent threats | My Take

GUEST ESSAY: When cyber risks rise in 2020, as they surely will, don’t overlook physical security

By Vidya Muthukrishnan

Physical security is the protection of personnel and IT infrastructure (such as hardware, software, and data) from physical actions and events that could cause severe damage to an organization. This includes protection from natural disasters, theft, vandalism, and terrorism.

Related: Good to know about IoT

Physical security is often a second thought when it comes to information security. Despite this, physical security must be implemented correctly to prevent attackers from gaining physical access and taking whatever they desire.

This could include expensive hardware, or access to sensitive user and/or enterprise security information. All the encryption, firewalls, cryptography, SCADA systems, and other IT security measures would be useless if that were to occur.

Traditional examples of physical security include junction boxes, feeder pillars, and CCTV security cameras. But the challenges of implementing physical security are much more problematic than they were previously. Laptops, USB drives, and smartphones can all store sensitive data that can be stolen or lost. Organizations have the daunting task of trying to safeguard data and equipment that may contain sensitive information about users. …more

Comment | Read | December 31st, 2019 | Best Practices | For technologists | Guest Blog Post

GUEST ESSAY: Addressing DNS, domain names and Certificates to improve security postures

By Vincent D’Angelo

In 2019, we’ve seen a surge in domain name service (DNS) hijacking attempts and have relayed warnings from the U.S. Cybersecurity and Infrastructure Agency, U.K.’s Cybersecurity Centre, ICANN, and other notable security experts. Although, the topic has gained popularity amongst CIOs and CISOs, most companies are still overlooking important security blind spots when it comes to securing their digital assets outside the enterprise firewalls—domains, DNS, digital certificates.

D’Angelo

In fact, most organizations, regardless of geographic location or industry, are exposed to these risks. Our most recent Domain Name Security report featuring insights from the defense, media, and financial sectors illustrates the risk trends.

•Do you know who your domain name registrar is (the domain name management company that holds the keys to the kingdom)?

•What do you know about your domain name registrar’s controls, security, policies and processes?

I like to think of this topic like the electricity that powers our homes. Everyone expects their lights to work, but then, what happens when the power goes out? In the enterprise environment, domain names, DNS, and certificates are the lifeline to any internet-based application including websites, email, apps, virtual private networks (VPNs), voice over IP (VoIP) and more. …more

Comment | Read | December 6th, 2019 | For technologists | Guest Blog Post | Top Stories

Last Watchdog’s IoT and ‘zero trust’ coverage win MVP awards from Information Management Today

By Byron V. Acohido

I’m privileged to share news that two Last Watchdog articles were recognized in the 2019 Information Management Today MVP Awards. My primer on the going forward privacy and security implications of IoT — What Everyone Should Know About the Promise and Pitfalls of the Internet of Things — won second place in the contest’s IoT Security category.

In addition, my coverage of how the zero trust authentication movement is improving privacy and security at a fundamental level — Early Adopters Find Smart ‘Zero Trust’ Access Improves Security Without Stifling Innovation — won third place in the contest’s Hardware and Software Security category. I’ve been paying close attention to privacy and cybersecurity since 2004, first as a technology reporter …more

Comment | Read | December 5th, 2019 | For consumers | For technologists | My Take | Privacy | Top Stories

SHARED INTEL: How ‘memory attacks’ and ‘firmware spoilage’ circumvent perimeter defenses

By Byron V. Acohido

What does Chinese tech giant Huawei have in common with the precocious kid next door who knows how to hack his favorite video game?

Related: Ransomware remains a scourge

The former has been accused of placing hidden backdoors in the firmware of equipment distributed to smaller telecom companies all across the U.S. The latter knows how to carry out a  DLL injection hack — to cheat the game score. These happen to represent two prime examples of cyber attack vectors that continue to get largely overlooked by traditional cybersecurity defenses.

Tech consultancy IDC tells us that global spending on security hardware, software and services is on course to top $103 billion in 2019, up 9.4 percent from 2018. Much of that will be spent on subscriptions for legacy systems designed to defend network perimeters or detect and deter malicious traffic circulating in network logs.

However, the threat actors on the leading edge are innovating at deeper layers. One security vendor that happens to focus on this activity is Virsec, a San Jose-based supplier of advanced application security and memory protection technologies. I had the chance to visit with Willy Leichter, Virsec’s vice president of marketing, at Black Hat 2019.

“There are multiple vectors, lots of different ways people can inject code directly into an application,” Leichter told me. “And now we’re hearing about new threats, throughout the whole supply chain, where there might be malware deeply embedded at the firmware level, or at the processor level,  that can provide ways to get into the applications, and get into the data.”

For a full drill down of our discussion, give a listen to the accompanying podcast. Here are a few key takeways:

Firmware exposures

Firmware is the coding built into computing devices and components that carry out the low-level input/output tasks necessary to enable software applications to run. Firmware is on everything from hard drives, motherboards and routers to office printers and smart medical devices. …more

Comment | Read | November 20th, 2019 | Black Hat Podcasts | For technologists | Podcasts | Privacy | Top Stories

Older Articles »