Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Black Hat Podcasts

 

SHARED INTEL: How ‘memory attacks’ and ‘firmware spoilage’ circumvent perimeter defenses

By Byron V. Acohido

What does Chinese tech giant Huawei have in common with the precocious kid next door who knows how to hack his favorite video game?

Related: Ransomware remains a scourge

The former has been accused of placing hidden backdoors in the firmware of equipment distributed to smaller telecom companies all across the U.S. The latter knows how to carry out a  DLL injection hack — to cheat the game score. These happen to represent two prime examples of cyber attack vectors that continue to get largely overlooked by traditional cybersecurity defenses.

Tech consultancy IDC tells us that global spending on security hardware, software and services is on course to top $103 billion in 2019, up 9.4 percent from 2018. Much of that will be spent on subscriptions for legacy systems designed to defend network perimeters or detect and deter malicious traffic circulating in network logs.

However, the threat actors on the leading edge are innovating at deeper layers. One security vendor that happens to focus on this activity is Virsec, a San Jose-based supplier of advanced application security and memory protection technologies. I had the chance to visit with Willy Leichter, Virsec’s vice president of marketing, at Black Hat 2019.

“There are multiple vectors, lots of different ways people can inject code directly into an application,” Leichter told me. “And now we’re hearing about new threats, throughout the whole supply chain, where there might be malware deeply embedded at the firmware level, or at the processor level,  that can provide ways to get into the applications, and get into the data.”

For a full drill down of our discussion, give a listen to the accompanying podcast. Here are a few key takeways:

Firmware exposures

Firmware is the coding built into computing devices and components that carry out the low-level input/output tasks necessary to enable software applications to run. Firmware is on everything from hard drives, motherboards and routers … more

BEST PRACTICES: Resurgence of encrypted thumb drives shows value of offline backups — in the field

By Byron V. Acohido

Encrypted flash drives, essentially secure storage on a stick, are a proven technology that has been readily available for at least 15 years. A few years back, it seemed like they would fade into obsolescence, swept aside by the wave of streaming services and cloud storage.

Related: Can Europe’s GDPR restore data privacy?

And yet today there is a resurgence in demand for encrypted flash drives. What’s happened is this: Digital transformation has raced forward promoting high-velocity software innovation, with only a nod to security. This trend has opened up vast new tiers of attack vectors – and threat actors are taking full advantage.

Security-conscious companies – the ones who are proactively responding, not just to threat actors having a field day, but also to the specter of paying steep fines for violating today’s stricter data privacy regulations – are paying much closer attention to sensitive data circulating out in the field, as well they should.

Highly secure portable drives make perfect sense in  numerous work scenarios; encrypted flash drives, specifically, are part of a global hardware encryption market on track to climb to $296.4 billion by 2020, up 55% as compared to 2015, according to Allied Market Research.

NEW TECH: Silverfort deploys ‘multi-factor authentication’ to lock down ‘machine identities’

By Byron V. Acohido

From the start, two-factor authentication, or 2FA, established itself as a simple, effective way to verify identities with more certainty.

Related: A primer on IoT security risks

The big hitch with 2FA, and what it evolved into – multi-factor authentication, or MFA – has always been balancing user convenience and security. That seminal tension still exists today even as the global cybersecurity community is moving to extend MFA as a key security component in much more complex digital systems spinning out of digital transformation.

One leading innovator in this space is Tel Aviv-based Silverfort. I’ve had a number of conversations with company co-founder and CEO Hed Kovetz over the past couple of years, and I had the chance to meet with him again at Black Hat 2019.

One thing I learned from Kovetz this time was that secure authentication seems destined to play a major role, going forward in verifying, not just human identities, but also machine identities. In terms of baking in security at a fundamental level of future systems, that’s very significant. For a drill down on why that’s so, give a listen to our full discussion in the accompanying podcast. Here are the key takeaways:

A machine’s world

Machines are taking over. A machine, in this context, is any piece of hardware or software that can accept and execute instructions. This includes the beefy servers humming along in vast data centers and providing the infrastructure for cloud services.

And it also include software: the modular “microservices” written by third-party developers; the software “containers” inside of which these microservices get mixed and matched; and the billions of APIs that enable two disparate machines to exchange data. In this realm, the identity of each and every machine must be verified, or chaos would rule.

Machine identities are verified by digital certificates that leverage the public key infrastructure (PKImore

SHARED INTEL: APIs hook up new web and mobile apps — and break attack vectors wide open

By Byron V. Acohido

If your daily screen time is split between a laptop browser and a smartphone, you may have noticed that a few browser web pages are beginning to match the slickness of their mobile apps.

Related: The case for a microservices firewall

Netflix and Airbnb are prime examples of companies moving to single-page applications, or SPAs, in order to make their browser webpages as responsive as their mobile apps.

The slickest SPAs leverage something called GraphQL, which is a leading edge way to build and query application programing interfaces, or APIs. If you ask the builders of these SPAs, they will tell you that the scale and simplicity of retrieving lots of data with GraphQL is superior to a standard RESTful API. And that brings us to cybersecurity.

APIs are being created in batches on a daily basis by the Fortune 500 and any company that is creating mobile and web applications. APIs are the conduits for moving data to-and-fro in our digitally transformed world. And each new API is a pathway to the valuable sets of data fueling each new application.

Trouble is that at this moment no one is keeping very good track of the explosion of APIs. Meanwhile, the rising use of SPA and GraphQL underscores how API growth is shifting into a higher gear. This means the attack surface available to cyber criminals looking to make money off of someone else’s data is, yet again, expanding.

I had a chance to discuss this with Doug Dooley, COO of Data Theorem, a Silicon Valley-based application security startup helping companies deal with these growing API exposures. For a full drill down, give a listen to the accompanying podcast. Here are a few key takeaways:

Cool new experiences

Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud supply computer processing and data storage as a utility. DevOps has decentralized the creation and delivery … more

SHARING INTEL: Why full ‘digital transformation’ requires locking down ‘machine identities’

By Byron V. Acohido

Digital commerce has come to revolve around two types of identities: human and machine.

Great effort has gone into protecting the former, and yet human identities continue to get widely abused by cyber criminals. By comparison, scant effort has gone into securing the latter. This is so in spite of the fact that machine identities are exploding in numbers and have come to saturate digital transformation.

Related: IoT exposures explained

I’ve conversed several times with Jeff Hudson about this. Hudson is CEO of Salt Lake City, UT-based Venafi, a leading provider of machine identity protection solutions. Each time I’ve come away with a better grasp of how machine identities have come to play such a pivotal role in the IT systems taking us forward – and yet how vulnerable they remain to attack in the current environment.

We had a chance to meet again at Black Hat 2019. For a full drill down of our wide-ranging discussion please give a listen to the accompanying podcast. Here are a few key takeaways:

Machines on the march

Cloud computing and DevOps have given rise to a whirlwind of new types of machines. A machine, in this context, refers to any piece of hardware or software that can accept and execute instructions. The hardware servers humming along in vast data centers are, indeed, machines.

And so are the modular “microservices” written by far-flung third-party developers, who specialize in mixing, matching and reusing microservices assembled inside of software “containers,” which are another type of machine. APIs, the interface coding that allows two different machines to exchange data – for instance, an IoT device and a command server — are machines as well. This is how cool new digital services are getting spun up at high velocity.

NEW TECH: ‘Passwordless authentication’ takes us closer to eliminating passwords as the weak link

By Byron V. Acohido

If there ever was such a thing as a cybersecurity silver bullet it would do one thing really well: eliminate passwords.

Threat actors have proven to be endlessly clever at abusing and misusing passwords. Compromised logins continue to facilitate cyber attacks at all levels, from phishing ruses to credential stuffing to enabling hackers to probe deep inside of a breached network.

Related: The Internet of Things is just getting started

The technology to get rid of passwords is readily available; advances in hardware token and biometric authenticators continue apace. So what’s stopping us from getting rid of passwords altogether?

The hitch, of course, is that password-enabled account logins are too deeply engrained in legacy network infrastructure. For most large enterprises, it would be much too costly and too disruptive to jettison the use of passwords entirely.

That said, we may very well be in the early adopter phase of weaving leading-edge “password-less authentication” solutions into pliant areas of legacy networks. I recently had the chance to drill down on this trend with Trusona, a 3-year-old Scottsdale, AZ company that is pioneering a password-less multi-factor authentication platform.

I interviewed Sharon Vardi, Trusona’s chief marketing officer, about what the path forward looks like, in terms of someday eliminating passwords from digital commerce. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways.

History lesson

A couple of thousand years ago, Roman troops used passwords to decipher friend from foe as they patrolled the empire. In 1960, an MIT computer scientist named Fernando Corbató introduced the use of passwords in a mainframe computing project, not really to lock any intruders out. Corbató sought a simple way to let his colleagues store private files on multiple terminals – and passwords fit the bill.

As computers shrank in size, and then pervaded into our homes and everyday workplaces, passwords stuck around. Username and password logins emerged as … more

SHARED INTEL: How NTA/NDR systems get to ‘ground truth’ of cyber attacks, unauthorized traffic

By Byron V. Acohido

The digital footprints of U.S. consumers’ have long been up for grabs. No one stops the tech giants, media conglomerates and online advertisers from intensively monetizing consumers’ online behaviors, largely without meaningful disclosure.

Related: The state of ransomware

Who knew that much the same thing routinely happens to enterprises? A recent report by network detection and response vendor ExtraHop details how third-party security and analytics tools routinely “phone home” in order to exfiltrate network behavior data back to their home base, without explicitly asking permission.

It’s tempting to chalk this up to competitive frenzy – a simple case of third-party suppliers seeking whatever edge they can get away with. But there is a larger lesson here. ExtraHop’s finding vividly shows how, as digital transformation ramps up, companies really have no clue what moves back and forth, nor in and out, of their networks on a daily basis.

In one case, ExtraHop tracked a made-in-China surveillance cam sending UDP traffic logs, every 30 minutes, to a known malicious IP address with ties to China. It appears the cam in question was unwittingly set up by an employee for personal security reasons.

In another case, a device management tool was deployed in a hospital and used the WiFi network to insure data privacy, as it provisioned connected devices. But ExtraHop noticed that the tool also opening encrypted connections to vendor-owned cloud storage, a major HIPAA violation.

Getting to ground truth

I had a chance to discuss the wider implication of these findings with Raja Mukerji, co-founder and chief customer officer at ExtraHop. We met at Black Hat 2019. Mukerji and fellow co-founder Jesse Rothstein, ExtraHop’s chief technology officer, were colleagues at Seattle-based network switching systems supplier F5 Networks.

Launched in Seattle in 2007, ExtraHop set out to help companies gain an actionable understanding of their IT environments. Since then it has raised $61.6 million in VC backing, grown to … more