Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: Coping with security risks, compliance issues spun up by ‘digital transformation’

By Byron V. Acohido

A core security challenge confronts just about every company today.

Related: Can serverless computing plus GitOps lock down DX?

Companies are being compelled to embrace digital transformation, or DX, if for no other reason than the fear of being left behind as competitors leverage microservices, containers and cloud infrastructure to spin-up software innovation at high velocity.

While the benefits of DX are highly-touted, this shift has also spawned a whole new tier of unprecedented privacy and security challenges. On one hand, threat actors have already begun exploiting fresh attack vectors, borne of this rising complexity, and, on the other, government authorities and industry standards bodies are insisting on compliance with increasingly cumbersome data-handling security rules.

I had an evocative discussion at Black Hat USA 2019 with Andy Byron, president of Lacework, a Mountain View, CA-based start-up that has raised $32 million in venture capital to help companies address these conflicting imperatives. For a full drill down, give a listen to the accompanying podcast. Here are my big takeaways:

Tech stack exposures

Companies today routinely rely on software applications written by far-flung third-party developers busily mixing, matching and reusing modular “microservices” and packaging them inside of software “containers.” This all adds up to faster output by software development teams, which, in turn, has given impetus to the rise of  “serverless” cloud infrastructure.

Two types of organizations are doing this, Byron told me. Established enterprises, dragging along their legacy datacenters, recognize this as the once-and- future path for cost savings, agility and speed to market. Meanwhile, next-gen companies, like Netflix, Uber and Airbnb, are proactively racing down this path,  out of the gate.

“People are taking the development, building and management of applications and moving it into a new phenomenon called containers,” Byron says. “The cloud is kind of dragging this movement along and DevOps and security are center stage, at the moment.”

Shifting requirements

One way to understand the security hazards is to think about the radical changes being imposed on the traditional enterprise technology stack. A tech stack is the collection of software and tools companies cobble together to deploy apps, websites and other digital products. A couple of decades ago, when everything was on the company premises, sitting behind a firewall, security teams at least had a fighting chance to stay on top of things. (more…)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Comment | Read | August 22nd, 2019 | Black Hat Podcasts | For consumers | For technologists | My Take | Podcasts | Privacy | Top Stories

MY TAKE: A primer on how ransomware arose to the become an enduring scourge

By Byron V. Acohido

“All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

This is an excerpt from a chilling ransom note Baltimore IT officials received from hackers who managed to lock up most of the city’s servers in May. The attackers demanded $76,000, paid in Bitcoin, for a decryption key. Baltimore refused to pay – choosing, instead, to absorb an estimated $18 million in recovery costs.

Related:  ‘Cyber Pearl Harbor’ happens every day

Some 15 months earlier, in March 2018, Atlanta was hit by a similar assault, and likewise refused to pay a $51,000 ransom, eating $17 million in damage.

Stunning as these two high-profile attacks were, they do not begin to convey the full scope of what a pervasive and destructive phenomenon ransomware has become – to individuals, to companies of all sizes and, lately, to poorly defended local agencies.

Probing and plundering

Ransomware is highly resilient and flexible. Its core attraction for criminals is that it is about as direct a channel to illicitly-garnered cash as any conman could dream up – few middlemen required.

From a high level, ransomware is essentially an open platform that operates on market principles, around which a thriving ecosystem of suppliers and specialists has taken shape. This has opened the door for newbie purveyors, with modest technical skill, to enter the field, giving these novices easy and cheap access to powerful turnkey tools and services. Meanwhile, the advanced hacking collectives invest in innovation and press forward. The net result is a continuation of proven styles of ransomware attacks, as well as constant probing for vulnerable pockets and plundering along fresh pathways.

According to the FBI, the absolute number of daily ransomware attacks actually dipped slightly last year. However, that’s more a function of hackers targeting individuals less, and companies and governments more. And as highlighted by the assaults on Baltimore and Atlanta, municipalities are among the hottest targets of the moment. A survey of local media reports by Recorded Future tallied 38 ransomware attacks against cities in 2017, rising to 53 attacks in 2018. In the first four months of 2019 alone, some 22 attacks have been disclosed.

…more

Comment | Read | August 15th, 2019 | For consumers | For technologists | Imminent threats | My Take | Top Stories

ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

By Byron V. Acohido

Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next — after admitting to have allowed a gargantuan data breach.

Capital One’s mea culpa coincided with the FBI’s early morning raid of a Seattle residence to arrest Paige Thompson. Authorities charged the 33-year-old former Amazon software engineer with masterminding the hack.

Related: Hackers direct botnets to manipulate business logic

Thompson is accused of pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That includes social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Just a few days before Capital One’s disclosure,  Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach that compromised sensitive information of more than 145 million American consumers. Also very recently,  the Federal Trade Commission slammed Facebook with a record $5 billion fine for losing control over massive troves of personal data and mishandling its communications with users.

Sure enough, it didn’t take long (less than 24 hours) for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit  against Capital One for its failure to protect sensitive customer data. Many more lawsuits, as well as federal probes and Congressional hearings, are sure to follow.

Oh, and let’s not forget how Equifax summarily canned five top execs, including Equifax CEO Richard Smith, in the aftermath of its big breach. Not even doing this YouTube video apology was enough to save Smith his job.  It’s going to be interesting to see who Capital One’s board of directors designates to throw under the bus on this one.

Larger lessons

Arguably the most fascinating twist to the Capital One caper is the FBI’s rather quick arrest of Paige Thompson. Arrests in network breaches are rare, indeed. For instance, we know a lot of details about the Equifax breach, thanks to a GAO investigation and report. But no suspects have ever been publicly named.

What’s more, the usual suspects in high-profile breaches – i.e. professional Russian, Eastern European, Chinese and North Korean hacking collectives – appear to be out of the loop with respect to this particular caper. The Capital One breach, it seems to me, vividly highlights the depth and breadth of the Internet underground. Anyone with technical aptitude, diligence and a lack of scruples, such as an out-of-work IT staffer, can engage in criminal activity at a fairly high level. …more

2 Comments | Read | August 1st, 2019 | Best Practices | For consumers | For technologists | Privacy | Top Stories

NEW TECH: A couple of tools that deserve wide use — to preserve the integrity of U.S. elections

By Byron V. Acohido

As the presidential debate season ramps up, the specter of nation-state sponsored hackers wreaking havoc, once more, with U.S. elections, looms all too large.

It’s easy to get discouraged by developments such as  Sen. McConnell recently blocking a bi-partisan bill to fund better election security, as well as the disclosure that his wife, Transportation Security Elaine Chao, has accepted money from voting machine lobbyists.

Related: Why not train employees as phishing cops?

That’s why I was so encouraged to learn about two new tools that empower individual candidates – and local election officials – to take proactive steps to make election tampering much more difficult to successfully pull off. In the current geo-political environment, every forthright step can make a huge difference.

First, there’s a tool called the Rapid Cyber Risk Scorecard. NormShield, the Vienna, VA-based, cybersecurity firm that supplies this service, recently ran scores for all of the 26 declared presidential candidates —  and found the average cyber risk score to be B+.

What this tells me is that the presidential candidates, at least, actually appear to be heeding lessons learned from the hacking John Podesta’s email account – and all of the havoc Russia was able to foment in our 2016 elections. NormShield found that all of the 2020 presidential hopefuls, thus far,  are making sure their campaigns are current on software patching, as well as Domain Name System (DNS) security; and several are doing much more.

My takeaway: other candidates can use this scorecard, which runs assessments of 10 cyber risk categories, as a starting point to harden their campaigns.

Another such service that can do a ton of good was announced last week by Global Cyber Alliance (GCA), in partnership with Craig Newmark Philanthropies and the Center for Internet Security. It’s a free cybersecurity toolkit for elections that gives local election authorities actionable guidance on how to mitigate the most common risks to trustworthy elections.

…more

One Comment | Read | July 1st, 2019 | New Tech | Steps forward | Top Stories

GUEST ESSAY: The ethical considerations of personal privacy viewed as a human right

By Dean Chester

It ought to be clear to everyone that personal privacy should be a human right and not a commodity to be bought and sold.

Alas, we can’t take it for granted: data breaches put us under fire constantly, revealing everything about us from logs and passwords to medical data.

The recent Suprema data breach, for example, exposed such sensitive data as fingerprints, facial recognition, and clearance level information of as many as 28 million employees worldwide. This number is so high that it’s difficult to even imagine the consequences of it.

Luckily for us, there are ways to protect our private info, at least to some extent. But there seems to be an underlying problem in these possibilities.

The question of ethics

Yes, what we should ask is how ethical it is to even charge for upholding one’s privacy? It is true that there are cheap VPN services and even free ones. Isn’t it great to be able to hide your traffic by encrypting it for free?

But as it always is the case with free services, those that aren’t paid make you their product by limiting your speed and traffic, showing you ads, and – what a surprise – selling your private data to third parties.

Inexpensive services may not seek to profit off of you, but the question of ethics still stands. Is a right you have to pay for a right or is it a privilege?

It may be argued that it costs money to keep a virtual private network going, and it’s a good argument. This article, however, is not meant to be a jab at honest VPN providers. Obviously, what they do is logical and they can’t be blamed for it. There’s a market for the services they provide and they try to keep the fees low.

It is the situation creating this market that is unhealthy. And as long as it doesn’t change, we can’t take our privacy online as a fundamental right.

Free privacy… or is it?

Another popular solution to the lack of privacy on the Web today is Tor. At first glance, it seems to be a perfect one: it’s free and maintained by the sheer dedication of thousands of volunteers all around the globe. Sure, it may be slow, but that only adds certain grassroots charm to the whole affair.

The second glance brings disillusionment. Tor may be free to use but it’s not free to keep going and the funds have to come from somewhere. And they do – from the American government, as they always have. …more

Comment | Read | August 22nd, 2019 | For consumers | For technologists | Guest Blog Post | Top Stories

MY TAKE: Here’s how ‘bulletproof proxies’ help criminals put compromised IoT devices to work

By Byron V. Acohido

Between Q1 2019 and Q2 2019, malicious communications emanating from residential IP addresses in the U.S. – namely smart refrigerators, garage doors, home routers and the like – nearly quadrupled for the retail and financial services sectors.

Related: How botnets gave Trump 6 million faked followers

To put it plainly, this represented a spike in cyber attacks bouncing through ordinary Internet-connected devices humming away in homes across America. These attacks were carried out by cyber criminals leveraging an insidious new attack tool: bulletproof proxies.

What were they up to? IoT devices are proving to be an integral element for cyber criminals to launch automated attack campaigns to manipulate social media likes, create fake accounts, take over existing accounts, execute credential stuffing, content scraping, click fraud and carry out other cyber villainy.

This stunning intel comes in a study from Cequence Security, a Sunnyvale, CA-based vendor focused on helping companies defend against such attacks. These findings have huge implications, not just highlighting what a huge drain botnets have become to our Internet-centric economy, but also underscoring how botnets have become a disruptive force in political discourse, globally.

I had a deep discussion about this with Cequence’s Will Glazier, head of research, and Matt Keil, director of product marketing, at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. My big takeaways:

Bulletproof weaponry

Back in 2007, a noted fellow journalist, Brian Krebs, exposed how the Russian Business Network had pioneered something called “bulletproof hosting.” RBN provided web hosting services to one-and-all, and then looked the other way as spammers, fraudsters and even child pornography distributors did their thing, operating their botnets with impunity.

Just the other day, Krebs broke another story about what he’s calling “bulletproof residential VPN services.” And Cequence has done deep analysis on “bulletproof proxies” — the latest, greatest iteration of bulletproof hosting. Instead of building out and hosting a server farm that can be isolated and potentially shut down by law enforcement, bulletproof proxy providers today assemble millions of globally distributed IP addresses and make those available to one-and-all.

Crucially, the availability of an endless supply of IP addresses reinforces the viability of botnets. (A bot is a computing nodule, and a botnet is a network of nodules under control of the botnet master.) The fact that botnet nodules today increasingly spin out of residential IP addresses is significant for two reasons: …more

Comment | Read | August 21st, 2019 | Black Hat Podcasts | For consumers | For technologists | Imminent threats | Podcasts | Privacy | Top Stories

SHARED INTEL: Malware-ridden counterfeit phones place consumers, companies in harm’s way

By Byron V. Acohido

A faked Rolex or Prada handbag is easy enough to acquire on the street in certain cities, and you can certainly hunt one down online.

Now add high-end counterfeit smartphones to the list of luxury consumer items that are being aggressively marketed to bargain-hungry consumers.

Related: Most companies ignorant about rising mobile attacks

While it might be tempting to dismiss the potential revenue lost by Apple, Samsung, HTC and other suppliers of authentic phones, this counterfeit wave is particularly worrisome. The faked phones flooding  the market today are slicker than ever. And, increasingly, they come riddled with some of the most  invasive types of malware.

This is putting consumers and companies in harm’s way through yet another attack vector – one which gives professional hacking collectives another means to compromise online accounts and break into company networks.

“These devices are not safe to do anything on, and they impact everything they touch,” says Ronan Cremin, chief technology officer at Afilias Technologies, a Dublin-based tech vendor that has a unique view of mobile device usage patterns.

I visited with Cremin at Black Hat USA 2019. For a full drill down of our discussion, give a listen to the accompanying podcast.  My takeaways:

Cutting corners

Knock-off smartphones are a much bigger problem than most folks realize. An estimated 180 million counterfeit mobile phones are sold globally each year, representing a potential loss of $50 billion to device manufacturers, according to a study by the EU’s Intellectual Property Office.

Such phones have been around for a few ears, and the latest iterations are getting nearly impossible to distinguish from the genuine article, Cremin told me. Packaging is spot on: all expected accessories, including headphones, chargers, cables and user guides are typically included. Outwardly, the look-and-fell is amazing: fit and finish and the user interface are indistinguishable from the genuine article. The big clue that it’s a fake is the asking price, which is typically a tenth or less of what you’d expect to pay.

Ah, but on the inside, that is where all the corners get cut. A favorite sleigh-of-hand is to display bogus specs for the make, model, RAM, storage and CPU core. Under the covers, the main components typically will be several generations old. …more

Comment | Read | August 20th, 2019 | For consumers | For technologists | Imminent threats | Podcasts | Top Stories

MY TAKE: Can embedding security deep inside mobile apps point the way to securing IoT?

By Byron V. Acohido

The full blossoming of the Internet of Things is on the near horizon – or is it?

Enterprises across the planet are revving up their IoT business models, and yet there is a sense of foreboding about a rising wave of IoT-related security exposures.

Related: The security and privacy implications of driverless vehicles

Some 25 percent of 700 organizations surveyed in five nations reported IoT security-related losses of at least $34 million in the last two years, according to the 2018 State of IoT Security study sponsored  by certificate authority DigiCert.

Similarly, software security company Irdeto polled 220 security decision makers in the healthcare, transportation and manufacturing sectors and found 80 percent experienced a cyberattack on their IoT devices in the past 12 months, sustaining, on average, $330,000 in losses.

Cyber criminals know a good thing when they see it. IoT systems introduce added layers of network complexity, which translates into an enlarged attack surface. Threat actors gleefully recognize that IoT is being implemented off of an already huge and poorly defended attack surface: legacy networks.

Clearly, IoT won’t begin to approach full fruition until and unless a few deep-seated security weaknesses get adequated addressed. I had the chance at  Black Hat USA 2019 to discuss this with Mark Hearn and Catherine Chambers, of Irdeto, a 50-year-old software security and media technology company based in Amsterdam.

Irdeto recently introduced a new service—Trusted Software – aimed at developers of mobile apps. The service enables app developers to conveniently embed top-shelf security into the source code of their new mobile apps, as a final step, just before distribution to user.

…more

Comment | Read | August 19th, 2019 | For technologists | My Take | Steps forward | Top Stories

NEW TECH: Trend Micro inserts ‘X’ factor into ‘EDR’ – endpoint detection and response

By Byron V. Acohido

With all the talk of escalating cyber warfare, the spread of counterfeit smartphones and new forms of self-replicating malware, I came away from Black Hat USA 2019 (my 15th) marveling, once more, at the panache of modern cyber criminals.

Related: Lessons learned from Capital One breach

Yet, I also had the chance to speak one-on-one with dozens of security vendors who are innovating like crazy to improve security. And I came away, once again, much encouraged. I met with Kevin Simzer, for instance, Trend Micro’s chief operating officer.

Trend Micro is among the top five endpoint security vendors who’ve been in the battle since the earliest iterations of antivirus software, more than three decades ago. The company has evolved far beyond those days. They came to Las Vegas prepared to push detection and response beyond the endpoint.

While endpoint detection and response (EDR) is one of the most significant advancements made by endpoint security vendors in the past six years, enterprises need more. Companies have silos of security data that need the same type of visibility that EDR brings to the end point.

Enter Trend Micro’s new answer to the change of much needed visibility and threat alert overload. I came away from my interview with Simzer with a strong sense that they have a very  comprehensive managed detection and response offering, and that even more innovation from Trend and others is assured, going forward.

For a full drill down, give a listen to the accompanying podcast. Here are my big takeaways:

Prevention vs. detection

In 2013, Gartner analyst Anton Chuvakin coined “EDR” to classify an emerging set of tools designed to go beyond signature-based antivirus software which was designed primarily to identify specific malicious binary files. Instead, EDR tools were tuned to recognize anomalous activities on endpoints, then trigger alerts that warranted further investigations. …more

Comment | Read | August 14th, 2019 | For technologists | New Tech | Podcasts | Steps forward | Top Stories

Older Articles »