Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

GUEST ESSAY: A primer on the degrees of privacy tech companies assign to your digital footprints

By Sanjay Mehta

In recent years, brands have started butting up against the line between convenience and privacy.  Shoppers love the convenience of personalized experiences that their data powers, but then horror stories such as the Cambridge Analytica scandal make people skeptical about how much information companies should be collecting and sharing.

Related: Apple battles Facebook over consumer privacy

Fundamentally this comes down to the underlying user identity, what data it contains, who generates that data, and where it resides.

Here we’ll discuss the implications to the third-party tracking and data which has been most impacted by recent privacy regulations and protocols. First it is important to understand the different degrees of data privacy.

Degrees of privacy

Customers share their information either explicitly through forms and transactions, or implicitly through their behaviors such as searches and clickstreams. Data explicitly provided by the user is considered “zero-party” data.

In ecommerce, this commonly comes in the form of a registration, a review, or a purchase. This is used for communication, personalization and (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Comment | Read | October 13th, 2021 | For consumers | For technologists | Guest Blog Post | Privacy | Top Stories

SHARED INTEL: Reviving ‘observability’ as a means to deeply monitor complex modern networks

By Byron V. Acohido

An array of promising security trends is in motion.

New frameworks, like SASE, CWPP and CSPM, seek to weave security more robustly into the highly dynamic, intensely complex architecture of modern business networks.

Related: 5 Top SIEM myths

And a slew of new application security technologies designed specifically to infuse security deeply into specific software components – as new coding is being developed and even after it gets deployed and begins running in live use.

Now comes another security initiative worth noting. A broad push is underway to retool an old-school software monitoring technique, called observability, and bring it to bear on modern business networks. I had the chance to sit down with George Gerchow, chief security officer at Sumo Logic, to get into the weeds on this.

Based in Redwood City, Calif., Sumo Logic supplies advanced cloud monitoring services and is in the thick of this drive to adapt classic observability to the convoluted needs of company networks, today and going forward. For a drill down on this lively discussion, please give the accompanying podcast a listen. Here are the main takeaways:

One Comment | Read | September 20th, 2021 | Best Practices | For consumers | For technologists | Podcasts | Top Stories

GUEST ESSAY: Why it’s worrisome that China has integrated Huawei switches into telecoms worldwide

By Sarina Krantzler

In the previous discussion, China’s 14th Five-Year Plan was summarized to capture relevant aspects of dual circulation, the Digital Silk Road (DSR), and the Belt Road Initiative (BRI) that aim to advance China as an economic, technological, and foreign policy powerhouse.

Related: Part 1. China’s 5 year digital plans

Both of those initiatives are well-funded, thoughtful, and strategic in their attempts to spread influence and widespread dependency on Chinese products.

The first blog concluded with a strong message of encouragement for the U.S. to evolve its own creative cybersecurity strategy leveraging strategic goals with economics and public policy to create a sustainable, secure cyber system consistent with Western ethical standards, our free market philosophy, and our democratic traditions.

The FCC’s Rip and Replace Model was introduced, by title only, to provide a glimpse into how the U.S. should, and is beginning to, take action to counteract intrusive Chinese technology within our critical infrastructure. To understand our options in this fight, however, we first need to understand who we’re up against.

Huawei Technologies, or Huawei for short, is a Chinese telecommunications firm that has been fed tens of billions of dollars in financial assistance by the Chinese government on a scale of subsidization that dwarfs the next closest competitors’ monetary receipt. To fuel their rise to the top of the global telecommunications landscape, Huawei had access to as much as $75 billion in state support as it grew from a little-known vendor of phone switches to the world’s largest telecom equipment company (Wall Street Journal).

Subsidies aside, since 1998, Huawei has received an estimated $16 billion in loans, export credits, and other forms of financing from Chinese banks for the firms’ operations and customers.

As referenced in the previous blog, Brazil was originally firmly in opposition of adopting Huawei technology into their infrastructure until the country became desperate amidst the COVID-19 pandemic.

2 Comments | Read | September 8th, 2021 | For consumers | For technologists | Guest Blog Post | Top Stories

ROUNDTABLE: Why T-Mobile’s latest huge data breach could fuel attacks directed at mobile devices

By Byron V. Acohido

TMobile has now issued a formal apology and offered free identity theft recovery services to nearly 48 million customers for whom the telecom giant failed to protect their sensitive personal information.

At the start of this week, word got out that hackers claimed to have seized personal data for as many as 100 million T-Mobile  patrons.

Related: Kaseya hack worsens supply chain risk

This stolen booty reportedly included social security numbers, phone numbers, names, home addresses, unique IMEI numbers, and driver’s license information.

Once more, a heavily protected enterprise network has been pillaged by data thieves. Last Watchdog convened a roundtable of cybersecurity experts to discuss the ramifications, which seem all too familiar. Here’s what they had to say, edited for clarity and length:

Allie Mellen, analyst, Forrester

According to the attackers, this was a configuration issue on an access point T-Mobile used for testing. The configuration issue made this access point publicly available on the Internet. This was not a sophisticated attack. T-Mobile left a gate left wide open for attackers – and attackers just had to find the gate.”

T-Mobile is offering two free years of identity protection for affected customers, but ultimately this is pushing the responsibility for the safety of the data onto the user. Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say, ‘This is the best we can do.’

Chris Clements, VP of Solutions Architecture, Cerberus Sentinel

One Comment | Read | August 19th, 2021 | For consumers | For technologists | My Take | Top Stories

Author Q&A: In modern cyberwarfare ‘information security’ is one in the same with ‘national security’

By Byron V. Acohido

What exactly constitutes cyberwarfare?

The answer is not easy to pin down. On one hand, one could argue that cyber criminals are waging an increasingly debilitating economic war on consumers and businesses in the form of account hijacking, fraud, and extortion. Meanwhile, nation-states — the superpowers and second-tier nations alike — are hotly pursuing strategic advantage by stealing intellectual property, hacking into industrial controls, and dispersing political propaganda at an unheard-of scale.

Related: Experts react to Biden’s cybersecurity executive order

Now comes a book by John Arquilla, titled Bitskrieg: The New Challenge of Cyberwarfare, that lays out who’s doing what, and why, in terms of malicious use of digital resources connected over the Internet. Arquilla is a distinguished professor of defense analysis at the United States Naval Postgraduate School. He coined the term ‘cyberwar,’ along with David Ronfeldt, over 20 years ago and is a leading expert on the threats posed by cyber technologies to national security.

Bitskrieg gives substance to, and connects the dots between, a couple of assertions that have become axiomatic:

•Military might no longer has primacy. It used to be the biggest, loudest weapons prevailed and prosperous nations waged military campaigns to achieve physically measurable gains. Today, tactical cyber strikes can come from a variety of operatives – and they may have mixed motives, only one of which happens to be helping a nation-state achieve a geo-political objective.

•Information is weaponizable. This is truer today than ever before. Arquilla references nuanced milestones from World War II to make this point – and get you thinking. For instance, he points out how John Steinbeck used a work of fiction to help stir the resistance movement across Europe.

Steinbeck’s imaginative novel, The Moon is Down, evocatively portrayed how ordinary Norwegians took extraordinary measures to disrupt Nazi occupation. This reference got me thinking about how Donald Trump used social media to stir the Jan. 6 insurrection in … more

3 Comments | Read | August 16th, 2021 | Book Excerpts | For consumers | For technologists | Privacy | Q & A | Steps forward | Top Stories

Black Hat insights: How to shift security-by-design to the right, instead of left, with SBOM, deep audits

By Byron V. Acohido

There is a well-established business practice referred to as bill of materials, or BOM, that is a big reason why we can trust that a can of soup isn’t toxic or that the jetliner we’re about to board won’t fail catastrophically

Related: Experts react to Biden cybersecurity executive order

A bill of materials is a complete list of the components used to manufacture a product. The software industry has something called SBOM: software bill of materials. However, SBOMs are rudimentary when compared to the BOMs associated with manufacturing just about everything else we expect to be safe and secure: food, buildings, medical equipment, medicines and transportation vehicles.

An effort to bring SBOMs up to par is gaining steam and getting a lot of attention at Black Hat USA 2021 this week in Las Vegas. President Biden’s cybersecurity executive order, issued in May, includes a detailed SBOM requirement for all software delivered to the federal government.

ReversingLabs, a Cambridge, MA-based software vendor that helps companies conduct deep analysis of new apps just before they go out the door, is in the thick of this development. I had the chance to visit with its co-founder and chief software architect Tomislav Pericin. For a full drill down on our discussion please give the accompanying podcast a listen. Here are the big takeaways:

Gordian Knot challenge

The software industry is fully cognizant of the core value of a bill of materials and has been striving for a number of years to adapt it to software development.

One Comment | Read | August 5th, 2021 | Black Hat Podcasts | For consumers | For technologists | Podcasts | Steps forward | Top Stories

Q&A: All-powerful developers begin steering to the promise land of automated security

By Byron V. Acohido

Software developers have become the masters of the digital universe.

Related: GraphQL APIs pose new risks

Companies in the throes of digital transformation are in hot pursuit of agile software and this has elevated developers to the top of the food chain in computing.

There is an argument to be made that agility-minded developers, in fact, are in a terrific position to champion the rearchitecting of Enterprise security that’s sure to play out over the next few years — much more so than methodical, status-quo-minded security engineers.

With Black Hat USA 2021 reconvening in Las Vegas this week, I had a deep discussion about this with Himanshu Dwivedi, founder and chief executive officer, and Doug Dooley, chief operating officer, of Data Theorem, a Palo Alto, CA-based supplier of a SaaS security platform to help companies secure their APIs and modern applications.

For a full drill down on this evocative conversation discussion please view the accompanying video. Here are the highlights, edited for clarity and length:

LW:  Bad actors today are seeking out APIs that they can manipulate, and then they follow the data flow to a weakly protected asset. Can you frame how we got here?

Dwivedi: So 20 years ago, as a hacker, I’d go see where a company registered its IP. I’d do an ARIN Whois look-up. I’d profile their network and build an attack tree. Fast forward 20 years and everything is in the cloud. Everything is in Amazon Web Services, Google Cloud Platform or Microsoft Azure and I can’t tell where anything is hosted based solely on IP registration.

So as a hacker today, I’m no longer looking for a cross-site scripting issue of some website since I can only attack one person at a time with that. I’m looking at the client, which could be an IoT device, or a mobile app or a single page web app (SPA) or it could be an … more

Comment | Read | August 3rd, 2021 | Black Hat Podcasts | For consumers | For technologists | Imminent threats | Q & A | Top Stories | Videos

NEW TECH: How the emailing of verified company logos actually stands to fortify cybersecurity

By Byron V. Acohido

Google’s addition to Gmail of something called Verified Mark Certificates (VMCs) is a very big deal in the arcane world of online marketing.

Related: Dangers of weaponized email

This happened rather quietly as Google announced the official launch of VMCs in a blog post on July 12. Henceforth companies will be able to insert their trademarked logos in Gmail’s avatar slot; many marketers can’t wait to distribute email carrying certified logos to billions of inboxes. They view logoed email as an inexpensive way to boost brand awareness and customer engagement on a global scale.

However, there is a fascinating back story about how Google’s introduction of VMCs – to meet advertising and marketing imperatives — could ultimately foster a profound advance in email security. Over the long term, VMCs, and the underlying Brand Indicators for Message Identification (BIMI) standards, could very well give rise to a bulwark against email spoofing and phishing.

I had a chance to sit down with Dean Coclin, senior director of business development at DigiCert, to get into the weeds of this quirky, potentially profound, security development. DigiCert is a Lehi, Utah-based Certificate Authority (CA) and supplier of Public Key Infrastructure services.

Coclin and I worked through how a huge email security breakthrough could serendipitously arrive as a collateral benefit of VMCs. Here are the main takeaways from our discussion:

One Comment | Read | July 26th, 2021 | Best Practices | For consumers | For technologists | New Tech | Privacy | Steps forward | Top Stories

ROUNDTABLE: Kaseya hack exacerbates worrisome supply-chain, ransomware exposures

By Byron V. Acohido

It was bound to happen: a supply-chain compromise, ala SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devasting implications.

Related: The targeting of supply chains

Last Friday, July 2, in a matter of a few minutes,  a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs)  as their primary tool to remotely manage IT systems on behalf of SMBs.

REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs —  for payments of $45,000, payable in Minera. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.

Like SolarWinds and Colonial Pipeline, Miami-based software vendor, Kaseya, was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a  crisis recovery mode faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.

Comment | Read | July 8th, 2021 | For technologists | Imminent threats | My Take | Privacy | Top Stories

MY TAKE: Why monetizing data lakes will require applying ‘attribute-based’ access rules to encryption

By Byron V. Acohido

The amount of data in the world topped an astounding 59 zetabytes in 2020, much of it pooling in data lakes.

Related:  The importance of basic research

We’ve barely scratched the surface of applying artificial intelligence and advanced data analytics to the raw data collecting in these gargantuan cloud-storage structures erected by Amazon, Microsoft and Google. But it’s coming, in the form of driverless cars, climate-restoring infrastructure and next-gen healthcare technology.

In order to get there, one big technical hurdle must be surmounted. A new form of agile cryptography must get established in order to robustly preserve privacy and security as all this raw data gets put to commercial use.

I recently had the chance to discuss this with Kei Karasawa, vice president of strategy, and Fang Wu, consultant, at NTT Research, a Silicon Valley-based think tank which is in the thick of deriving the math formulas that will get us there.

They outlined why something called attribute-based encryption, or ABE, has emerged as the basis for a new form of agile cryptography that we will need in order to kick digital transformation into high gear.

For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Cloud exposures

Data lakes continue to swell because each second of every day, every human, on average, is creating 1.7 megabytes of fresh data. These are the rivulets feeding the data lakes.

A zettabyte equals one trillion gigabytes. Big data just keeps getting bigger. And we humans crunch as much of it as we can by applying machine learning and artificial intelligence to derive cool new digital services. But we’re going to need the help of quantum computers to get to the really amazing stuff, and that hardware is coming.

As we press ahead into our digital future, however, we’ll also need to retool the public-key-infrastructure. PKI is the authentication and encryption framework … more

Comment | Read | June 2nd, 2021 | For consumers | For technologists | My Take | Podcasts | Steps forward | Top Stories

GUEST ESSAY: ‘Cybersecurity specialist’ tops list of work-from-home IT jobs that need filling

By Scott Orr

Even before the COVID-19 pandemic turned many office workers into work-from-home (WFH) experts, the trend toward working without having to commute was clear.

Related: Mock attacks help SMBs harden defenses

As internet bandwidth has become more available, with homes having access to gigabit download speeds, a whole new world of career paths has opened for those who want to control their work hours and conditions. Maybe you want better pay, to be home near your kids or you just like the idea of avoiding the daily drive to an office. Whatever the reason, you can likely find work online.

One of the hottest fields right now on the WFH radar is the information technology (IT) sector. But you’ll first need to learn the specifics to get to work. Fortunately, there are online classes you can take to get that knowledge – and best of all, you can take them for free.  Let’s look at what’s available and how you might jumpstart a new career.

Most IT jobs require you to have some sort of experience before you can start charging enough to make them viable as full-time employment. And some are more like a side hustle or temp job.

Having said that, here are some examples of IT careers you can learn online through free courses:

Security specialist

The more we do online, the more criminals want to take advantage of us. That makes fighting cybercrime a definite growth industry. A wide range of companies, in just about every field, are adding computer security specialists. In fact, these jobs are expected to increase a whopping 31% by 2029. This job involves planning and implementing security measures for large and small companies that rely on computer networks. You will need to develop the ability to anticipate techniques used in future cyberattacks so they can be prevented.

One Comment | Read | March 29th, 2021 | For consumers | For technologists | Guest Blog Post | Top Stories

MY TAKE: Apple users show strong support for Tim Cook’s privacy war against Mark Zuckerberger

By Byron V. Acohido

Like a couple of WWE arch rivals, Apple’s Tim Cook and Facebook’s Mark Zuckerberg have squared off against each other in a donnybrook over consumer privacy.

Cook initially body slammed Zuckerberg — when Apple issued new privacy policies aimed at giving U.S. consumers a smidgen more control over their personal data while online.

Related: Raising kids who care about their privacy

Zuckerberg then dropped kicked Cook by taking out full-page newspaper ads painting Apple’s social responsibility flexing as bad for business; he then hammered Cook with a pop-up ad campaign designed to undermine Apple’s new privacy policies.

But wait. Here’s Cook rising from the mat to bash Z-Man at the Brussels’ International Privacy Day, labeling his tormentor as an obsessive exploiter who ought to be stopped from so greedily exploiting consumers’ digital footprints for his personal gain.

This colorful chapter in the history of technology and society isn’t just breezing by unnoticed. A recent survey of some 2,000 U.S. iPhone and iPad users, conducted by SellCell.com, a phone and tech trade-in website, shows American consumers are tuned in and beginning to recognize what’s at stake.

Fully 72 percent of those polled by SellCell said they were aware of new privacy changes in recent Apple software updates, not just in a cursory manner, but with a high level of understanding; some 42 percent said they understood the privacy improvements extremely well or at least very well, while 21 percent said they understood them moderately well.

Another telling finding: some 65 percent of respondents indicated they were extremely or very concerned about websites and mobile apps that proactively track their online behaviors, while only 14 percent said they were not at all concerned.

Comment | Read | March 8th, 2021 | Best Practices | For consumers | For technologists | My Take | Privacy | Top Stories

GUEST ESSAY: How SPDX helps reconcile interdependencies of open, proprietary software

By Kate Stewart

Software today is built on a combination of open source and proprietary software packages.  Developers can reuse and build on the packages created by others, which results in the rapid creation of new capabilities and technologies.

Related: How SBOM factors into DevSecOps

This reuse creates dependencies, all of which don’t necessarily stay updated at the same pace. The accurate and authenticated identification of all the relevant software package dependencies is key to preventing software supply chain attacks.

Agreeing on a standard way of cataloging summary information about the packages and their dependencies is necessary for multiple tools to interact efficiently and keep up with the rapid pace of reuse.

History of SPDX

We started the Software Package Data Exchange® (SPDX®) project in 2010. The project had the simple goal of sharing summary information about a software package between the creator and consumer. At that time, to comply with the licenses in open source, you had to find them in the source code.

This resulted in hours of issuing grep commands or working with commercial source scanning tools, and once you had the details, you didn’t have a good way of sharing them.

Comment | Read | October 11th, 2021 | For technologists | Guest Blog Post | Steps forward | Top Stories

GUEST ESSAY: What it will take to train the next generation of cybersecurity analysts

By Gary S. Mullen

It is no secret that there is, and has been for some time, a shortage of trained cyber security professionals in corporate IT Security teams.  The Wharton School of the University of Pennsylvania observed that “nowhere is the workforce-skills gap more pronounced than in cybersecurity.”

Related: Deploying ‘human’ sensors’

According to data gathered by CyberSeek under a Commerce Department grant, there are currently nearly 465,000 unfilled cyber jobs across the US alone.  This shortage is significantly impacting corporate America, and it is particularly dire across federal, state and local governments.

The cyber security talent crunch has been a growing issue for many years now.  According to the 2019/2020 Official Annual Cyber Security Jobs Report sponsored by the Herjavec Group, the number of open cyber security positions has grown 350 percent from 2013 to 2021.  Cybersecurity Ventures predicts that there will be 3.5 million unfilled cyber security jobs globally by 2021.

Unfortunately, getting the hands-on experience needed to become a cyber security analyst is out of reach of many today.  In 95% of the hiring decisions being made for open positions, employers are looking for that hands on experience.

According to MIT Technology Review, fewer than one in four candidates applying for cyber security positions are qualified.

Comment | Read | October 4th, 2021 | Best Practices | For consumers | For technologists | Guest Blog Post | Top Stories

GUEST ESSAY: A breakdown of Google’s revisions to streamline its ‘reCAPTCHA’ bot filter

By Emma Yulini

Most of us internet users are obviously familiar with CAPTCHAs: a challenge or test that is designed to filter out bots (automated programs) and only allow legitimate human users in.

Related: How bots fuel ‘business logic’ hacking

The basic principle behind CAPTCHA is fairly simple: the test must be as difficult as possible (if not impossible) to solve by these bots, but at the same time it must be easy enough for human users not to hurt user experience.

This principle is precisely where all sorts of troubles surrounding CAPTCHAs come in. Today’s bots are really advanced, and advanced AIs are now pretty reliable in solving CAPTCHAs. So, we have to make the CAPTCHAs more difficult, but at the same time we all know how CAPTCHA challenges can be really annoying, and we’ll simply bounce from a site featuring even more difficult CAPTCHA.

This is why Google invented the invisible reCAPTCHA and other newer versions of reCAPTCHA.

reCAPTCHA

What actually is reCAPTCHA? Simply put, there are many different companies offering CAPTCHA solutions at the moment, and reCAPTCHA is Google’s brand of CAPTCHA solution.

Comment | Read | September 30th, 2021 | For consumers | Guest Blog Post

GUEST ESSAY – Notable events in hacking history that helped transform cybersecurity assessment

By April Miller

Assessing the risks involved in using the latest technology is something our culture had to adopt in the early days of the computer. New technologies come with risks — there’s no denying that.

Related: How Russia uses mobile apps to radicalize U.S. youth

To minimize their impact, implementing preventive security measures into these advanced systems is crucial. Businesses across all industries can function adequately without worrying about would-be hackers with malicious intent when they secure their networks.

Phishing scams, malware, ransomware and data breaches are just some of the examples of cyberthreats that can devastate business operations and the protection of consumer information.

Here are five notable historical events that influenced cybersecurity assessment and transformed it into what it is today:

The Battle of Midway (1942)

After the devastating blow of Pearl Harbor, U.S. military officials hired data analysts to crack the Japanese secret code known as JN-25.

Comment | Read | September 27th, 2021 | For consumers | For technologists | Guest Blog Post | Top Stories

Q&A: Surfshark boosts ‘DIY security’ with its rollout of VPN-supplied antivirus protection

By Byron V. Acohido

Surfshark wants to help individual citizens take very direct control of their online privacy and security.

Thus, Surfshark has just become the first VPN provider to launch an antivirus solution as part of its all-in-one security bundle Surfshark One.

Related: Turning humans into malware detectors

This development is part and parcel of rising the trend of VPN providers hustling to deliver innovative “DIY security” services into the hands of individual consumers.

It’s notable that this is happening at a time when Microsoft, Apple and Google are going the opposite direction – by natively embedding more consumer-grade security services into their popular operating systems, like Windows, Mac, IoS and Android. And let’s not forget the longstanding, multi-billion market of antivirus software subscriptions directed at consumers.

The consumer anti-virus vendors have been generating massive subscription revenue for two decades; though this market is mature and in a consolidation phase, it is not going to disappear anytime soon, as suggested by  NortonLifeLock’s $8 billion buyout of Avast.

Last year I agreed to serve a one-year term on Surfshark’s advisory board. I accepted because I appreciated Surfshark’s emphasis on privacy and security — and saw it as a way to learn more about the consumer cybersecurity market.

Comment | Read | September 13th, 2021 | For consumers | My Take | Q & A | Steps forward | Top Stories

Older Articles »