Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

BEST PRACTICES: How to protect yourself from the enduring scourge of malvertising

By Byron V. Acohido

Malvertising is rearing its ugly head – yet again. Malicious online ads have surged and retreated in cycles since the earliest days of the Internet. Remember when infectious banner ads and viral toolbars cluttered early browsers?

Related: Web application exposures redouble

Historically, with each iteration of malicious ads, the online advertising industry, led by Google, has fought back, and kept this scourge at a publicly acceptable level.

However, malvertising has never been as dynamic, stealthy and persistent as it is today. Here’s what you should know about this enduring online threat:

Gaming the ecosystem

Malvertising has become enmeshed in the highly dynamic online advertising, shopping and banking ecosystem we’ve come to rely on. It has accomplished this by leveraging the openness of the browsers on our go-to computing devices, namely our smartphones and PCs.

Malvertising code often circulates in tiny iframes, the HTML element that enables objects to appear on a webpage without changing the page. This bad code comes and goes, circulating to even well-known, high-traffic websites as part of the flow of web ads being placed dynamically by the online advertising networks, of which Google is the largest.

Malvertisers game this ecosystem in several ways. There are endless ways for them to hack into websites and ad networks directly. Doors and windows are left wide open in the software applications being rapidly developed to support a swelling army of third-party contractors who supply shopping cart services, data management platforms, retargeting enablement systems, and the like.

“The bad guys are insinuating their malicious code as part of the code that renders on the victim’s device during fulfillment,” says Chris Olson, CEO of the Media Trust, a McLean, VA-based website security vendor. “If you visit a large retail website, you may encounter 100 or 150 third party companies that get access to your computing device. For the most part, no one is really thinking about the security of all of these third-party apps. It’s only lightly monitored.”

Another gambit favored by threat actors is to set up shop as an independent ad network, and then patiently behave as a model citizen in order to gain trust. Once good-standing is achieved, the attacker begins to slip malicious ads into the daily flow of the ecosystem.

(more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Comment | Read | March 22nd, 2019 | My Take | Top Stories

MY TAKE: What the Ethiopian 737 Max 8 crash should tell us about the safety of ‘smart’ jetliners

By Byron V. Acohido

When news broke about the crash of a Ethiopian Airlines Boeing 737, the first question that popped into my head was whether an older 737 model, still using the flawed rudder actuator, might have been involved.

Related: Historical context of the rudder flaws on older model 737s

Of course it was actually the newest iteration of the 737, the Max 8. I’m no longer covering aviation. But having chronicled the saga of the 737 flawed rudder design, which Boeing ultimately replaced, here is what I’m wondering:

•I wonder if this will turn out to be yet another in a long …more

Comment | Read | March 12th, 2019 | My Take | Top Stories

MY TAKE: Memory hacking arises as a go-to tactic to carry out deep, persistent incursions

By Byron V. Acohido

A common thread runs through the cyber attacks that continue to defeat the best layered defenses money can buy.

Related: We’re in the midst of ‘cyber Pearl Harbor’

Peel back the layers of just about any sophisticated, multi-staged network breach and you’ll invariably find memory hacking at the core. In fact, memory attacks have quietly emerged as a powerful and versatile new class of hacking technique that threat actors in the vanguard are utilizing to subvert conventional IT security systems.

In a sense, memory attacks are a reflection of what has been left out of the $216 billion companies spent over the past two years on security products and services. That’s Gartner’s estimate of global spending on cybersecurity in 2017 and 2018. Memory hacking is being carried out across paths that have been left comparatively wide open to threat actors who are happy to take full advantage of the rather fragile framework of processes that execute deep inside the kernel of computer operating systems.

Last Watchdog recently sat down with Satya Gupta, founder and CTO of Virsec, a San Jose-based supplier of advanced data protection systems. Virsec is a leading innovator of memory protection technologies. Gupta put memory attacks in context of the complexity that has overtaken modern business networks. Here’s what I took away from our discussion:

Transient hacks

Memory hacking has become a go-to technique used both by common cybercriminals, as well as nation-state backed hacking specialists. Threat actors are crafting memory attacks designed to help them gain footholds, move laterally and achieve persistence deep inside well-defended enterprise networks.

Microsoft, supplier of the Windows operating system used ubiquitously in enterprise networks, recently disclosed that fully 70% of all security bugs pivot off what the software giant refers to as “memory safety issues.”

These are issues that are coming into play in all other major OSs, as well as at the processing chip level of computer hardware.

For instance, major vulnerability was discovered lurking in the GNU C Library, or GLIBC, an open source component that runs deep inside of Linux operating systems used widely in enterprise settings. GLIBC keeps common code in one place, thus making it easier for multiple programs to connect to the company network and to the Internet. Turns out it was possible for a threat actor to flood GLIBC with data, take control of it, and then use it as a launch point for stealing passwords, spying on users and attempting to usurp control of other computers. …more

Comment | Read | March 4th, 2019 | For technologists | My Take | Steps forward | Top Stories

Web application exposures continue to bedevil companies as digital transformation accelerates

By Byron V. Acohido

As sure as the sun will rise in the morning, hackers will poke and prod at the web applications companies rely on – and find fresh weaknesses they can exploit.

Related: Cyber spies feast on government shutdown

Companies are scaling up their use of web apps as they strive to integrate digital technology into every aspect of daily business operation. As this ‘digital transformation’ of commerce accelerates, the attack surface available to threat actors likewise is expanding.

I had a lively discussion recently with a couple of experts from WhiteHat Security. The San Jose, CA-based security vendor has been helping companies protect their web applications since the company was founded in 2001 by world-renowned ethical hacker Jeremiah Grossman, who also happens to be a black belt in Brazilian Jiu-Jitsu, as well as a native of my home state, Hawaii.

I spoke with WhiteHat Security researchers Bryan Becker and Mark Rogan at RSA 2019. They supplied clarifying context as to why web application vulnerabilities continue bedevil companies of all sizes and in all sectors. For a full drill down, give a listen to the accompanying podcast. Key takeaways:

Myriad vault doors

Thanks to digital transformation, the attack surface available to threat actors, via web interfaces, is larger than many companies realize – and this exposure continues to steadily expand.

“Moving to the cloud, terms like agile development and container-based infrastructure — all of these are different ways to break a large process down into many smaller components which is easier for a management team and a development team to manage and to update quicker,” said Becker.

But what happens is that instead of having one giant application, you end up with a hundred mini applications, and in the long run, that means it is harder to monitor for vulnerabilities in the code. …more

Comment | Read | March 21st, 2019 | For technologists | My Take | Podcasts | Top Stories

GUEST ESSAY: Why there’s no such thing as anonymity it this digital age

By Goddy Ray

Unless you decide to go Henry David Thoreau and shun civilization altogether, you can’t — and won’t — stop generating data, which sooner or later can be traced back to you.

Related: The Facebook factor

A few weeks back I interviewed a white hat hacker. After the interview, I told him that his examples gave me paranoia. He laughed and responded, “There’s no such thing as anonymous data; it all depends on how determined the other party is.”

App developers, credit card, telecommunication companies, and others use the term “anonymous data” because it sells. But anonymous data really doesn’t exist anymore

Every step online is recorded and stored – our interactions with devices, geolocation, voter registration, time stamps, etc. Machine learning (ML) is currently the leading technique to re-identify any data. Specifically-designed algorithms make pattern-recognition much faster and more efficient. Sometimes the accuracy of identifying is 90% and more.

De-anonymization

Actually, 63% of the population can be identified just by the combination of their gender, date of birth, and zip code.

“Anonymous” or “aggregated” large datasets are often released publicly. As a result, the development of de-anonymization tools is becoming increasingly more advanced. Here are a  few unexpected examples of supposedly anonymous data reversal: …more

One Comment | Read | March 21st, 2019 | Guest Blog Post | Privacy | Top Stories

MY TAKE: Get ready to future-proof cybersecurity; the race is on to deliver ‘post-quantum crypto’

By Byron V. Acohido

Y2Q. Years-to-quantum. We’re 10 to 15 years from the arrival of quantum computers capable of solving complex problems far beyond the capacity of classical computers to solve.

PQC. Post-quantum-cryptography. Right now, the race is on to revamp classical encryption in preparation for the coming of quantum computers. Our smart homes, smart workplaces and smart transportation systems must be able to withstand the threat of quantum computers.

Put another way, future-proofing encryption is crucial to avoiding chaos. Imagine waiting for a quantum computer or two to wreak havoc before companies commence a mad scramble to strengthen encryption that protects sensitive systems and data, the longer we wait, the bigger the threat gets.

Related: The case for ‘zero-trust’

The tech security community gets this. One recent report estimates that the nascent market for PQC technology will climb from around $200 million today to $3.8 billion by 2028 as the quantum threat takes center stage.

I had the chance to visit at RSA 2019 with Avesta Hojjati, head of research and development at DigiCert. The world’s leading provider of digital certificates is working alongside other leading companies, including Microsoft Research and ISARA, to gain endorsement from the National Institute of Standards for breakthrough PQC algorithms, including Microsoft’s “Picnic” and ISARA’s qTESLA.

Hojjati outlined the challenge of perfecting an algorithm that can make classical computers resistant to quantum hacking — without requiring enterprises to rip-and-replace their classical encryption infrastructure. For a full drill down of our discussion, give a listen to the accompanying podcast. Below are excerpts edited for clarity and length.

LW: What makes quantum computing so different than what we have today? …more

Comment | Read | March 20th, 2019 | My Take | Podcasts | Q & A | Top Stories

NEW TECH: Exabeam retools SIEMs; applies credit card fraud detection tactics to network logs

By Byron V. Acohido

Security information and event management, or SIEM, could yet turn out to be the cornerstone technology for securing enterprise networks as digital transformation unfolds.

Related: How NSA cyber weapon could be used for a $200 billion ransomware caper

Exabeam is a bold upstart in the SIEM space. The path this San Mateo, CA-based vendor is trodding tells us a lot about the unfolding renaissance of SIEMs – and where it could take digital commerce.

Launched in 2013 by Nir Polak, a former top exec at web application firewall vendor Imperva, Exabeam in just half a decade has raised an eye-popping $115 million in venture capital, grown to almost 350 employees and reaped over 100 percent revenue growth in each of the last three years.

I had the chance to visit with Trevor Daughney, Exabeam’s vice president of product marketing at RSA 2019. He explained how Exabeam has taken some of the same data analytics techniques that banks have long used to staunch credit card fraud and applied them to filtering network data logs. For a full drill down on our conversation, please listen to the accompanying podcast. Here are a few takeaways:

Very Big Data

The earliest SIEMs cropped up around 2005 or so. Led by the likes of Splunk, LogRhythm, IBM and Exabeam, the global SIEM market is expected to grow to over $5 billion annually in 2022.

Related: Autonomous vehicles are driving IoT security innovation

Fundamentally, SIEMs collect event log data from internet traffic, as well as corporate hardware and software assets. The starting idea was for a security analyst to then sift meaningful security intelligence from a massive volume of potential security events and keep intruders out. Yet, SIEMs never quite lived up to their initial promise.

And now, Big Data is about to become Very Big Data. Consider that 90 percent of the data that exists in the world today was generated in just the past couple of years. That includes everything moving across the internet: email, texting, online searches, social media posts, entertainment streaming, global finance, scientific research and cyber warfare. And on the horizon loom a full blown Internet of Things (IoT) and 5G networks, which will drive data generation to new heights. …more

Comment | Read | March 19th, 2019 | For technologists | My Take | Podcasts | Steps forward | Top Stories

BEST PRACTICES: 6 physical security measures every company needs

By Mike James

It has never been more important to invest in proper security for your business. Laws surrounding the personal data of individuals such as the General Data Protection Regulation (GDPR) put the onus on companies to ensure that both digital and physical copies of data are secure at all times.

Related: Shrinking to human attack vector

Gaining access to your property can provide criminals with the ability not only to steal physical items from your premises, but also to potentially infect computers with malware or access data through your IT infrastructure. Here are six physical security measures that you can put in place to help keep your company secure.

Access controls

Clearly your business needs to have some method of access control …more

Comment | Read | March 19th, 2019 | Guest Blog Post | Steps forward

NEW TECH: SyncDog vanquishes BYOD risk by isolating company assets on a secure mobile app

By Byron V. Acohido

The conundrum companies face with the Bring Your Own Device phenomenon really has not changed much since iPhones and Androids first captured our hearts, minds and souls a decade ago.

Related: Malvertising threat lurks in all browsers

People demand the latest, greatest mobile devices, both to be productive and to stay connected to their personal lives. But big organizations move methodically and in general struggle mightily when it comes to balancing productivity and security. This has led the BYOD dilemma cycling afresh, with each advance of the technology, which is what it’s doing right now.

SyncDog, a Reston, VA-based startup, has jumped into the mobile security space to help companies get a firmer grip on their BYOD exposures. I had the chance to sit down with SynCDog’s founder and CEO, Jonas Gyllensvaan, along with its Chief Revenue Officer, Brian Egenrieder, at RSA 2019.

They dissected the historical context, and conveyed some fresh insights about the societal drivers that make the BYOD such a mercurial operational challenge. A full drill down is worth a listen, and is  accessible via the accompanying podcast. Here are a few key takeaways:

Alphabet soup

When the initial wave of employee-owned iPhones, Androids and Blackberries began turning up in workplace settings, companies reacted by turning to MDM (mobile device management) service providers to handle the inventorying and provisioning of these new endpoints. MDM enabled administrators to oversee smartphones much like desktop PCs.

Soon, the MDMs added password protection and remote wiping capabilities to enable security staff to remotely “brick” a company device gone missing: destroy all apps and files, including any personal data. That was fine – until employees revolted. …more

Comment | Read | March 18th, 2019 | Podcasts | Steps forward | Top Stories

Older Articles »