Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

For consumers

 

NEW TECH: ‘Passwordless authentication’ takes us closer to eliminating passwords as the weak link

By Byron V. Acohido

If there ever was such a thing as a cybersecurity silver bullet it would do one thing really well: eliminate passwords.

Threat actors have proven to be endlessly clever at abusing and misusing passwords. Compromised logins continue to facilitate cyber attacks at all levels, from phishing ruses to credential stuffing to enabling hackers to probe deep inside of a breached network.

Related: The Internet of Things is just getting started

The technology to get rid of passwords is readily available; advances in hardware token and biometric authenticators continue apace. So what’s stopping us from getting rid of passwords altogether?

The hitch, of course, is that password-enabled account logins are too deeply engrained in legacy network infrastructure. For most large enterprises, it would be much too costly and too disruptive to jettison the use of passwords entirely.

That said, we may very well be in the early adopter phase of weaving leading-edge “password-less authentication” solutions into pliant areas of legacy networks. I recently had the chance to drill down on this trend with Trusona, a 3-year-old Scottsdale, AZ company that is pioneering a password-less multi-factor authentication platform.

I interviewed Sharon Vardi, Trusona’s chief marketing officer, about what the path forward looks like, in terms of someday eliminating passwords from digital commerce. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways.

History lesson

A couple of thousand years ago, Roman troops used passwords to decipher friend from foe as they patrolled the empire. In 1960, an MIT computer scientist named Fernando Corbató introduced the use of passwords in a mainframe computing project, not really to lock any intruders out. Corbató sought a simple way to let his colleagues store private files on multiple terminals – and passwords fit the bill.

As computers shrank in size, and then pervaded into our homes and everyday workplaces, passwords stuck around. Username and password logins emerged as the go-to way to control access to network servers, business applications and Internet-delivered consumer services. Passwords may have been very effective securing Roman roads. But they quickly proved to be a very brittle cybersecurity mechanism. …more

MY TAKE: Local government can do more to repel ransomware, dilute disinformation campaigns

By Byron V. Acohido

Local government agencies remain acutely exposed to being hacked. That’s long been true. However, at this moment in history, two particularly worrisome types of cyber attacks are cycling up and hitting local government entities hard: ransomware sieges and election tampering.

Related: Free tools that can help protect elections

I had a deep discussion about this with Todd Weller, chief strategy officer at Bandura Cyber. We spoke at Black Hat USA 2019. Bandura Cyber is a 6-year-old supplier of  threat intelligence gateway technologies. It helps organizations of all sizes but has a solution that is well suited to enable more resource constrained SMBs, tap into the myriad threat feeds being collected by a wide variety of entities and extract actionable intelligence.

Weller observed that local governments are under pressure to more proactively detect and deter threat actors, which means they must figure out how to redirect a bigger chunk of limited resources toward mitigating cyber threats. Current attack trends add urgency, and catching up on doing basic security best practices isn’t enough. For a drill down on my interview with Weller, give a listen to the accompanying podcast. Here are key takeaways:

Ransomware run

We’ve recently learned just how easy it is for ransomware purveyors to either extract huge extortion payments from local agencies, or worse, cause tens of millions of dollars of damage.

Baltimore city officials declined to pay $76,000 for a ransomware decryption key – and the city ended up absorbing an estimated $18 million in recovery costs. Atlanta refused to pay a $51,000 ransom, and ate $17 million in damage.

Meanwhile, officials from Riviera Beach, Fla., population 35,000, saw fit to cough up a $600,000 payment, and Lake City, Fla., population 12,046, paid $460,000, respectively, for ransomware decryption keys. In each case, after weeks of having city services disrupted, and facing pressure from constituents, city leaders viewed paying a six-figure ransom as the least painful, quickest resolution. …more

MY TAKE: What everyone should know about the promise and pitfalls of the Internet of Things

By Byron V. Acohido

The city of Portland, Ore. has set out to fully leverage the Internet of Things and emerge as a model “smart” city.

Related: Coming soon – driverless cars

Portland recently shelled out $1 million to launch its Traffic Sensor Safety Project, which tracks cyclists as they traverse the Rose City’s innumerable bike paths. That’s just step one of a grand plan to closely study – and proactively manage – traffic behaviors of cyclists, vehicles, pedestrians and joggers. This is all in pursuit of the high-minded goal of eliminating all accidents that result in death or serious injury.

Portland is shooting high, and it is by no means alone. Companies in utilities, transportation and manufacturing sectors are moving forward with the …more

SHARED INTEL: Mobile apps are riddled with security flaws, many of which go unremediated

By Byron V. Acohido

The convergence of DevOps and SecOps is steadily gaining traction in the global marketplace. Some fresh evidence of this encouraging trend comes to us by way of shared intelligence from WhiteHat Security.

Related: The tie between DevOps and SecOps.

Organizations that are all-in leveraging microservices to speed-up application development, on the DevOps side of the house, have begun acknowledging the importance of incorporating SecOps along the way. The most forward-thinking among them are increasingly checking for vulnerabilities in new apps – and finding them, big time.

That’s one of the key revelations in the 2019 WhiteHat Application Security Statistics Report, which I’d place in the category of reports that bear close scrutiny because it is based on the actual in-the-field experiences of WhiteHat’s global customer base. Also, WhiteHat has been generating this report annually since 2006.

Based on 17 million application security scans carried out in 2018, WhiteHat found a 20% increase in vulnerabilities found in the applications that organizations tested for security flaws.

What’s more, based on WhiteHat’s partner, NowSecure’s insight, some 70% of mobile apps were found to leak sensitive data.

The fact that more companies are participating in the hunt for security flaws in new apps is a good thing. However, WhiteHat also found many app vulnerabilities are, today, going unaddressed. Remediation rates actually fell in 2018, as compared to 2017. At the moment, the effort required to secure existing and new apps appears to be overwhelming already short-staffed security teams.

The Dawn of DevSecOps

This field report tells us that, yes, SecOps is gaining traction, with more and more security teams beginning to contribute to the delivery of secure apps. However, many security teams lack the skills, and/or have not yet won corporate backing to bring in the engineering support needed to mitigate the vulnerabilities.

These applications flaws were always there, mind you – WhiteHat found that more than one-third of all application security risks are inherited rather than written – but now they are being flushed out as DevOps and SecOps merge into DevSecOps.

The more progressive security teams are, indeed, tackling remediation. For those teams, the benefits associated with paying a bit of attention to security, up front, have sunk in. Not only can they take pride in contributing to a better experience for end users, they’re also reducing the headaches that go along with having to patch vulnerabilities that turn up, post production. …more

MY TAKE: Six-figure GDPR privacy fines reinforce business case for advanced SIEM, UEBA tools

By Byron V. Acohido

Europe came down hard this summer on British Airways and Marriott for failing to safeguard their customers’ personal data.

The EU slammed the UK airline with a $230 million fine, and then hammered the US hotel chain with a $125 million penalty – the first major fines under the EU’s toughened General Data Protection Regulation, which took effect May 25, 2018.

Related: Will GDPR usher in new age of privacy?

It’s no wonder security analysts toiling in security operations centers (SOCs) are depressed. There’s a widening security skills shortage, the complexity of company networks is going through the roof, cyber attacks continue to intensify and now regulators are breathing down their necks.

More than half of the 554 IT and security pros recently polled by the Ponemon Institute consider their SOCs to be ineffectual and some 66% indicated they are considering quitting their jobs.

I had an evocative discussion about this with Sam Humphries, senior product marketing manager for Exabeam. We spoke at Black Hat USA 2019. Exabeam, which sponsored the Ponemon study, is a San Mateo, Calif.-based supplier of advanced security management systems.

Fortunately, there is a cottage industry of cybersecurity vendors, Exabeam among them, engaged in proactively advancing ways for SOC analysts to extract more timely and actionable threat intelligence from their security information and event management (SIEM) and user and entity behavior (UEBA) systems. For a full drill down on our meeting, give a listen to the accompanying podcast. A few key takeaways:

Sticks & carrots

Poor security practices at British Airways resulted in hackers pilfering credit card information, names, addresses, travel booking details and logins for some 500,000 airline customers. Marriott, meanwhile, failed to notice a breach that persisted for four years, exposing some 339 million customer records, of which about 30 million belonged to European residents.

Under GDPR, Europe has the authority to fine organizations up to 4 percent of their annual global revenue if they violate any European citizen’s privacy rights, for example, by failing to secure their personal data. What’s more, organizations that run afoul of the GDPR’s new data loss reporting requirements could face additional fines up to 2 percent of annual global revenue. …more

NEW TECH: ICS zero-day flaws uncovered by Nozomi Networks’ analysis of anomalous behaviors

By Byron V. Acohido

Andrea Carcano’s journey to co-founding a security company in the vanguard of defending critical infrastructure began at a tender age.

Related: Why the Golden Age of cyber spying is here

Carcano hacked a computer screen at age 14, and that got him intrigued by software controls. He went on to earn a masters degree in cybersecurity, during which time he won a scholarship from the European Commission to craft a proof of concept attack against an industrial control system (ICS.)

“I said at the time, ‘OK, this is cool, someone is paying me to develop malware,” Carcano told me. “So I decided to keep going. I saw a huge gap, and I got really passionate about this topic. I started on my PhD, and at the very beginning focused on the offensive side. But I quickly moved to the defensive side and spent all of my academic career focused on how to protect critical infrastructure.”

PhD in hand, Carcano spent three years in the field helping a large oil-and-gas company tighten ICS security for operations in different corners of the world. In 2013, he co-founded Nozomi Networks aiming to deliver a more holistic and efficient way to defend industrial controls of all types.

I had the chance to visit with Carcano at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. Here’s what I came away with:

Ready-made attack tools

Vulnerability research and outright attacks on industrial controls has shifted dramatically over the past 10 to 15 years ago. When Carcano first began working in the field, only a handful of the top nation-states were actively involved in sponsoring this type of activity, and they tried to do it  as quietly as possible.

Today, for a variety of reasons having to do with geo-political affairs and the evolving cyber underground, things are much different. The state-sponsored hacking groups are still in business. But they are part of a thriving cottage industry that has arisen around finding, selling and testing fresh ICS vulnerabilities. And not just of power plants and utilities, but also in the firmware and software that run manufacturing plants of all types and sizes, Carcano told me. …more

GUEST ESSAY: The ethical considerations of personal privacy viewed as a human right

By Dean Chester

It ought to be clear to everyone that personal privacy should be a human right and not a commodity to be bought and sold.

Alas, we can’t take it for granted: data breaches put us under fire constantly, revealing everything about us from logs and passwords to medical data.

The recent Suprema data breach, for example, exposed such sensitive data as fingerprints, facial recognition, and clearance level information of as many as 28 million employees worldwide. This number is so high that it’s difficult to even imagine the consequences of it.

Luckily for us, there are ways to protect our private info, at least to some extent. But there seems to be an underlying problem in these possibilities.

The question of ethics

Yes, what we should ask is how ethical it is to even charge for upholding one’s privacy? It is true that there are cheap VPN services and even free ones. Isn’t it great to be able to hide your traffic by encrypting it for free?

But as it always is the case with free services, those that aren’t paid make you their product by limiting your speed and traffic, showing you ads, and – what a surprise – selling your private data to third parties.

Inexpensive services may not seek to profit off of you, but the question of ethics still stands. Is a right you have to pay for a right or is it a privilege?

It may be argued that it costs money to keep a virtual private network going, and it’s a good argument. This article, however, is not meant to be a jab at honest VPN providers. Obviously, what they do is logical and they can’t be blamed for it. There’s a market for the services they provide and they try to keep the fees low.

It is the situation creating this market that is unhealthy. And as long as it doesn’t change, we can’t take our privacy online as a fundamental right.

Free privacy… or is it?

Another popular solution to the lack of privacy on the Web today is Tor. At first glance, it seems to be a perfect one: it’s free and maintained by the sheer dedication of thousands of volunteers all around the globe. Sure, it may be slow, but that only adds certain grassroots charm to the whole affair.

The second glance brings disillusionment. Tor may be free to use but it’s not free to keep going and the funds have to come from somewhere. And they do – from the American government, as they always have. …more