Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

For consumers

 

SHARED INTEL: Mobile apps are riddled with security flaws, many of which go unremediated

By Byron V. Acohido

The convergence of DevOps and SecOps is steadily gaining traction in the global marketplace. Some fresh evidence of this encouraging trend comes to us by way of shared intelligence from WhiteHat Security.

Related: The tie between DevOps and SecOps.

Organizations that are all-in leveraging microservices to speed-up application development, on the DevOps side of the house, have begun acknowledging the importance of incorporating SecOps along the way. The most forward-thinking among them are increasingly checking for vulnerabilities in new apps – and finding them, big time.

That’s one of the key revelations in the 2019 WhiteHat Application Security Statistics Report, which I’d place in the category of reports that bear close scrutiny because it is based on the actual in-the-field experiences of WhiteHat’s global customer base. Also, WhiteHat has been generating this report annually since 2006.

Based on 17 million application security scans carried out in 2018, WhiteHat found a 20% increase in vulnerabilities found in the applications that organizations tested for security flaws.

What’s more, based on WhiteHat’s partner, NowSecure’s insight, some 70% of mobile apps were found to leak sensitive data.

The fact that more companies are participating in the hunt for security flaws in new apps is a good thing. However, WhiteHat also found many app vulnerabilities are, today, going unaddressed. Remediation rates actually fell in 2018, as compared to 2017. At the moment, the effort required to secure existing and new apps appears to be overwhelming already short-staffed security teams.

The Dawn of DevSecOps

This field report tells us that, yes, SecOps is gaining traction, with more and more security teams beginning to contribute to the delivery of secure apps. However, many security teams lack the skills, and/or have not yet won corporate backing to bring in the engineering support needed to mitigate the vulnerabilities.

These applications flaws were always there, mind you – WhiteHat found that more than one-third of all application security risks are inherited rather than written – but now they are being flushed out as DevOps and SecOps merge into DevSecOps.

The more progressive security teams are, indeed, tackling remediation. For those teams, the benefits associated with paying a bit of attention to security, up front, have sunk in. Not only can they take pride in contributing to a better experience for end users, they’re also reducing the headaches that go along with having to patch vulnerabilities that turn up, post production. …more

MY TAKE: Six-figure GDPR privacy fines reinforce business case for advanced SIEM, UEBA tools

By Byron V. Acohido

Europe came down hard this summer on British Airways and Marriott for failing to safeguard their customers’ personal data.

The EU slammed the UK airline with a $230 million fine, and then hammered the US hotel chain with a $125 million penalty – the first major fines under the EU’s toughened General Data Protection Regulation, which took effect May 25, 2018.

Related: Will GDPR usher in new age of privacy?

It’s no wonder security analysts toiling in security operations centers (SOCs) are depressed. There’s a widening security skills shortage, the complexity of company networks is going through the roof, cyber attacks continue to intensify and now regulators are breathing down their necks.

More than half of the 554 IT and security pros recently polled by the Ponemon Institute consider their SOCs to be ineffectual and some 66% indicated they are considering quitting their jobs.

I had an evocative discussion about this with Sam Humphries, senior product marketing manager for Exabeam. We spoke at Black Hat USA 2019. Exabeam, which sponsored the Ponemon study, is a San Mateo, Calif.-based supplier of advanced security management systems.

Fortunately, there is a cottage industry of cybersecurity vendors, Exabeam among them, engaged in proactively advancing ways for SOC analysts to extract more timely and actionable threat intelligence from their security information and event management (SIEM) and user and entity behavior (UEBA) systems. For a full drill down on our meeting, give a listen to the accompanying podcast. A few key takeaways:

Sticks & carrots

Poor security practices at British Airways resulted in hackers pilfering credit card information, names, addresses, travel booking details and logins for some 500,000 airline customers. Marriott, meanwhile, failed to notice a breach that persisted for four years, exposing some 339 million customer records, of which about 30 million belonged to European residents.

Under GDPR, Europe has the authority to fine organizations up to 4 percent of their annual global revenue if they violate any European citizen’s privacy rights, for example, by failing to secure their personal data. What’s more, organizations that run afoul of the GDPR’s new data loss reporting requirements could face additional fines up to 2 percent of annual global revenue. …more

NEW TECH: ICS zero-day flaws uncovered by Nozomi Networks’ analysis of anomalous behaviors

By Byron V. Acohido

Andrea Carcano’s journey to co-founding a security company in the vanguard of defending critical infrastructure began at a tender age.

Related: Why the Golden Age of cyber spying is here

Carcano hacked a computer screen at age 14, and that got him intrigued by software controls. He went on to earn a masters degree in cybersecurity, during which time he won a scholarship from the European Commission to craft a proof of concept attack against an industrial control system (ICS.)

“I said at the time, ‘OK, this is cool, someone is paying me to develop malware,” Carcano told me. “So I decided to keep going. I saw a huge gap, and I got really passionate about this topic. I started on my PhD, and at the very beginning focused on the offensive side. But I quickly moved to the defensive side and spent all of my academic career focused on how to protect critical infrastructure.”

PhD in hand, Carcano spent three years in the field helping a large oil-and-gas company tighten ICS security for operations in different corners of the world. In 2013, he co-founded Nozomi Networks aiming to deliver a more holistic and efficient way to defend industrial controls of all types.

I had the chance to visit with Carcano at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. Here’s what I came away with:

Ready-made attack tools

Vulnerability research and outright attacks on industrial controls has shifted dramatically over the past 10 to 15 years ago. When Carcano first began working in the field, only a handful of the top nation-states were actively involved in sponsoring this type of activity, and they tried to do it  as quietly as possible.

Today, for a variety of reasons having to do with geo-political affairs and the evolving cyber underground, things are much different. The state-sponsored hacking groups are still in business. But they are part of a thriving cottage industry that has arisen around finding, selling and testing fresh ICS vulnerabilities. And not just of power plants and utilities, but also in the firmware and software that run manufacturing plants of all types and sizes, Carcano told me. …more

GUEST ESSAY: The ethical considerations of personal privacy viewed as a human right

By Dean Chester

It ought to be clear to everyone that personal privacy should be a human right and not a commodity to be bought and sold.

Alas, we can’t take it for granted: data breaches put us under fire constantly, revealing everything about us from logs and passwords to medical data.

The recent Suprema data breach, for example, exposed such sensitive data as fingerprints, facial recognition, and clearance level information of as many as 28 million employees worldwide. This number is so high that it’s difficult to even imagine the consequences of it.

Luckily for us, there are ways to protect our private info, at least to some extent. But there seems to be an underlying problem in these possibilities.

The question of ethics

Yes, what we should ask is how ethical it is to even charge for upholding one’s privacy? It is true that there are cheap VPN services and even free ones. Isn’t it great to be able to hide your traffic by encrypting it for free?

But as it always is the case with free services, those that aren’t paid make you their product by limiting your speed and traffic, showing you ads, and – what a surprise – selling your private data to third parties.

Inexpensive services may not seek to profit off of you, but the question of ethics still stands. Is a right you have to pay for a right or is it a privilege?

It may be argued that it costs money to keep a virtual private network going, and it’s a good argument. This article, however, is not meant to be a jab at honest VPN providers. Obviously, what they do is logical and they can’t be blamed for it. There’s a market for the services they provide and they try to keep the fees low.

It is the situation creating this market that is unhealthy. And as long as it doesn’t change, we can’t take our privacy online as a fundamental right.

Free privacy… or is it?

Another popular solution to the lack of privacy on the Web today is Tor. At first glance, it seems to be a perfect one: it’s free and maintained by the sheer dedication of thousands of volunteers all around the globe. Sure, it may be slow, but that only adds certain grassroots charm to the whole affair.

The second glance brings disillusionment. Tor may be free to use but it’s not free to keep going and the funds have to come from somewhere. And they do – from the American government, as they always have. …more

MY TAKE: Here’s how ‘bulletproof proxies’ help criminals put compromised IoT devices to work

By Byron V. Acohido

Between Q1 2019 and Q2 2019, malicious communications emanating from residential IP addresses in the U.S. – namely smart refrigerators, garage doors, home routers and the like – nearly quadrupled for the retail and financial services sectors.

Related: How botnets gave Trump 6 million faked followers

To put it plainly, this represented a spike in cyber attacks bouncing through ordinary Internet-connected devices humming away in homes across America. These attacks were carried out by cyber criminals leveraging an insidious new attack tool: bulletproof proxies.

What were they up to? IoT devices are proving to be an integral element for cyber criminals to launch automated attack campaigns to manipulate social media likes, create fake accounts, take over existing accounts, execute credential stuffing, content scraping, click fraud and carry out other cyber villainy.

This stunning intel comes in a study from Cequence Security, a Sunnyvale, CA-based vendor focused on helping companies defend against such attacks. These findings have huge implications, not just highlighting what a huge drain botnets have become to our Internet-centric economy, but also underscoring how botnets have become a disruptive force in political discourse, globally.

I had a deep discussion about this with Cequence’s Will Glazier, head of research, and Matt Keil, director of product marketing, at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. My big takeaways:

Bulletproof weaponry

Back in 2007, a noted fellow journalist, Brian Krebs, exposed how the Russian Business Network had pioneered something called “bulletproof hosting.” RBN provided web hosting services to one-and-all, and then looked the other way as spammers, fraudsters and even child pornography distributors did their thing, operating their botnets with impunity.

Just the other day, Krebs broke another story about what he’s calling “bulletproof residential VPN services.” And Cequence has done deep analysis on “bulletproof proxies” — the latest, greatest iteration of bulletproof hosting. Instead of building out and hosting a server farm that can be isolated and potentially shut down by law enforcement, bulletproof proxy providers today assemble millions of globally distributed IP addresses and make those available to one-and-all.

Crucially, the availability of an endless supply of IP addresses reinforces the viability of botnets. (A bot is a computing nodule, and a botnet is a network of nodules under control of the botnet master.) The fact that botnet nodules today increasingly spin out of residential IP addresses is significant for two reasons: …more

SHARED INTEL: Malware-ridden counterfeit phones place consumers, companies in harm’s way

By Byron V. Acohido

A faked Rolex or Prada handbag is easy enough to acquire on the street in certain cities, and you can certainly hunt one down online.

Now add high-end counterfeit smartphones to the list of luxury consumer items that are being aggressively marketed to bargain-hungry consumers.

Related: Most companies ignorant about rising mobile attacks

While it might be tempting to dismiss the potential revenue lost by Apple, Samsung, HTC and other suppliers of authentic phones, this counterfeit wave is particularly worrisome. The faked phones flooding  the market today are slicker than ever. And, increasingly, they come riddled with some of the most  invasive types of malware.

This is putting consumers and companies in harm’s way through yet another attack vector – one which gives professional hacking collectives another means to compromise online accounts and break into company networks.

“These devices are not safe to do anything on, and they impact everything they touch,” says Ronan Cremin, chief technology officer at Afilias Technologies, a Dublin-based tech vendor that has a unique view of mobile device usage patterns.

I visited with Cremin at Black Hat USA 2019. For a full drill down of our discussion, give a listen to the accompanying podcast.  My takeaways:

Cutting corners

Knock-off smartphones are a much bigger problem than most folks realize. An estimated 180 million counterfeit mobile phones are sold globally each year, representing a potential loss of $50 billion to device manufacturers, according to a study by the EU’s Intellectual Property Office.

Such phones have been around for a few ears, and the latest iterations are getting nearly impossible to distinguish from the genuine article, Cremin told me. Packaging is spot on: all expected accessories, including headphones, chargers, cables and user guides are typically included. Outwardly, the look-and-fell is amazing: fit and finish and the user interface are indistinguishable from the genuine article. The big clue that it’s a fake is the asking price, which is typically a tenth or less of what you’d expect to pay.

Ah, but on the inside, that is where all the corners get cut. A favorite sleigh-of-hand is to display bogus specs for the make, model, RAM, storage and CPU core. Under the covers, the main components typically will be several generations old. …more

MY TAKE: A primer on how ransomware arose to the become an enduring scourge

By Byron V. Acohido

“All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

This is an excerpt from a chilling ransom note Baltimore IT officials received from hackers who managed to lock up most of the city’s servers in May. The attackers demanded $76,000, paid in Bitcoin, for a decryption key. Baltimore refused to pay – choosing, instead, to absorb an estimated $18 million in recovery costs.

Related:  ‘Cyber Pearl Harbor’ happens every day

Some 15 months earlier, in March 2018, Atlanta was hit by a similar assault, and likewise refused to pay a $51,000 ransom, eating $17 million in damage.

Stunning as these two high-profile attacks were, they do not begin to convey the full scope of what a pervasive and destructive phenomenon ransomware has become – to individuals, to companies of all sizes and, lately, to poorly defended local agencies.

Probing and plundering

Ransomware is highly resilient and flexible. Its core attraction for criminals is that it is about as direct a channel to illicitly-garnered cash as any conman could dream up – few middlemen required.

From a high level, ransomware is essentially an open platform that operates on market principles, around which a thriving ecosystem of suppliers and specialists has taken shape. This has opened the door for newbie purveyors, with modest technical skill, to enter the field, giving these novices easy and cheap access to powerful turnkey tools and services. Meanwhile, the advanced hacking collectives invest in innovation and press forward. The net result is a continuation of proven styles of ransomware attacks, as well as constant probing for vulnerable pockets and plundering along fresh pathways.

According to the FBI, the absolute number of daily ransomware attacks actually dipped slightly last year. However, that’s more a function of hackers targeting individuals less, and companies and governments more. And as highlighted by the assaults on Baltimore and Atlanta, municipalities are among the hottest targets of the moment. A survey of local media reports by Recorded Future tallied 38 ransomware attacks against cities in 2017, rising to 53 attacks in 2018. In the first four months of 2019 alone, some 22 attacks have been disclosed.

…more