Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

For technologists

 

MY TAKE: Massive data breaches persist as agile software development fosters full-stack hacks

By Byron V. Acohido

Data leaks and data theft are part and parcel of digital commerce, even more so in the era of agile software development.

Related: GraphQL APIs stir new exposures

Many of the high-profile breaches making headlines today are the by-product of hackers pounding away at Application Programming Interfaces (APIs) until they find a crease that gets them into the pathways of the data flowing between an individual user and myriad cloud-based resources.

It’s important to understand the nuances of these full-stack attacks if we’re ever to slow them down. I’ve had a few deep discussions about this with Doug Dooley, chief operating officer at Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API data protection. Here are a few key takeaways:

Targeting low-hanging fruit

Massive data base breaches today generally follow a distinctive pattern: hack into a client -facing application; manipulate an API; follow the data flow to gain access to an overly permissive database or S3 bucket (cloud storage). A classic example of this type of intrusion is the Capital One data breach.

Suspected Capital One hacker Paige Thompson was indicted for her alleged data breach and theft of more than 100 million people including 140,000 social security numbers and 80,000 linked bank accounts. The 33-year-old Amazon Web Services (AWS) software engineer was also accused of stealing cloud computer power on Capital One’s account to “mine” cryptocurrency for her own benefit, a practice known as “cryptojacking.”

Thompson began pounding away on the Capital One’s public-facing applications supposedly protected by their open-source Web Application Firewall (WAF), and succeeded in carrying out a  “Server Side Request Forgery” (SSRF) attack. By successfully hacking the client-facing application, she was then able to relay commands to a legacy AWS metadata service to obtain credentials.

Password and token harvesting is one of the most common techniques in hacking. Using valid credentials, Thompson was able to gain access using APIs … more

One Comment | Read | June 9th, 2021 | For technologists | My Take | Privacy | Steps forward | Top Stories

GUEST ESSAY: Data poverty is driving the growth of cybercrime – here’s how to reverse the trend

By Robert Panasiuk

Data poverty is real and it’s coming for your user accounts.

Related: Credential stuffing soars due to Covid-19

The current state of data in cybersecurity is a tale of The Haves and The Have-WAY-mores. All tech companies have data, of course, but the only data that’s truly valuable and provides insights—actionable data—isn’t as universal as it should be.

This “data poverty,” or dearth of actionable insights, is a problem for companies across many verticals. Cybersecurity should not be one of them. The sentinels working to prevent the next SolarWinds breach need all the Grade-A data they can get, and fast. Data democratization, on a privacy-compliant basis, is the only way they’ll get it.

The simple truth is that no cybersecurity company can compete with the data stacks of the FAAMG behemoths, which is why cybercrime is seeing a 63 percent boost over the past year.

It’s time to take steps to democratize data and fortunately there are examples of what this looks like in other industries that show how competing security outfits can link arms and still remain competitive.

Why can’t we be friends?

“Coopetition”—competing companies working together and sharing information—is not uncommon across other industries. Casinos trade intel on card counters. E-tailers partner with physical stores to increase their brick-and-mortar presence. Rival software companies exchanging data can involve more red tape, but fundamentally the information they share achieves the same goals: making more money and ensuring their customers receive the best possible service.

Comment | Read | June 7th, 2021 | For technologists | Guest Blog Post | Privacy | Top Stories

MY TAKE: Why monetizing data lakes will require applying ‘attribute-based’ access rules to encryption

By Byron V. Acohido

The amount of data in the world topped an astounding 59 zetabytes in 2020, much of it pooling in data lakes.

Related:  The importance of basic research

We’ve barely scratched the surface of applying artificial intelligence and advanced data analytics to the raw data collecting in these gargantuan cloud-storage structures erected by Amazon, Microsoft and Google. But it’s coming, in the form of driverless cars, climate-restoring infrastructure and next-gen healthcare technology.

In order to get there, one big technical hurdle must be surmounted. A new form of agile cryptography must get established in order to robustly preserve privacy and security as all this raw data gets put to commercial use.

I recently had the chance to discuss this with Kei Karasawa, vice president of strategy, and Fang Wu, consultant, at NTT Research, a Silicon Valley-based think tank which is in the thick of deriving the math formulas that will get us there.

They outlined why something called attribute-based encryption, or ABE, has emerged as the basis for a new form of agile cryptography that we will need in order to kick digital transformation into high gear.

For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Cloud exposures

Data lakes continue to swell because each second of every day, every human, on average, is creating 1.7 megabytes of fresh data. These are the rivulets feeding the data lakes.

A zettabyte equals one trillion gigabytes. Big data just keeps getting bigger. And we humans crunch as much of it as we can by applying machine learning and artificial intelligence to derive cool new digital services. But we’re going to need the help of quantum computers to get to the really amazing stuff, and that hardware is coming.

As we press ahead into our digital future, however, we’ll also need to retool the public-key-infrastructure. PKI is the authentication and encryption framework … more

Comment | Read | June 2nd, 2021 | For consumers | For technologists | My Take | Podcasts | Steps forward | Top Stories

GUEST ESSAY: A full checklist on how to spot pharming attacks — and avoid becoming a victim

By Peter Baltazar

Cybercriminals use various techniques for conducting cyberattacks. One such popular way to infiltrate a system is Pharming. It is an online scam attack quite similar to Phishing.

Related: Credential stuffing explained

The term Pharming is a combination of two words Phishing and Farming. It is a type of social engineering cyberattack in which the website’s traffic is manipulated to steal confidential credentials from the users. Cybercriminals design a fake website, basically the clone of an official one, and use various means to redirect users to the phony webpage when visiting any other legit site.

Primarily the Pharming attack is planned to gain sensitive data like login credentials, personally identifiable information (PII), social security numbers, bank details, and more. The attackers can also use it for installing malware programs on the victim’s system.

Pharming vs phishing

Though Pharming and Phishing share almost similar goals, the approach to conduct Pharming is entirely different from Phishing. Unlike Phishing, Pharming is more focused on sabotaging the system rather than manipulating the victims. However, we will later know how Phishing plays a vital role in conducting Pharming.

The Pharming attacks are carried out by modifying the settings on the victim’s system or compromising the DNS server. Manipulating the Domain Name Service (DNS) protocol and rerouting the victim from its intended web address to the fake web address can be done in the following two ways:

•Changing the Local Host file. In this method of manipulating DNS, the attackers infiltrate the victim’s device and change the local host file. A local host file is a directory of IP addresses. The modified local host file would redirect users to the fake website whenever they try to open the legit site the next time. The phony website is designed similar to the one victims intended to visit so that the users are not alarmed.

To modify the local host file, the attacker primarily uses the Phishing technique so … more

Comment | Read | June 1st, 2021 | Best Practices | For consumers | For technologists | Guest Blog Post | Top Stories

ROUNDTABLE: Experts react to DHS assigning TSA to keep track of cyber attacks on pipelines

By Byron V. Acohido

The same federal agency that makes you take your shoes off and examines your belongings before boarding a flight will begin monitoring cyber incidents at pipeline companies.

Related: DHS begins 60-day cybersecurity sprints

The Department of Homeland Security on Thursday issued a directive requiring all pipeline companies to report cyber incidents to DHS’s Transportation Security Administration (TSA.)

This, of course, follows a devastating ransomware attack that resulted in a shutdown of Colonial Pipeline.

It can be argued that this is one small step toward the true level of federal oversight needed to protect critical infrastructure in modern times. I covered the aviation industry in the 1980s and 1990s when safety regulations proved their value by compelling aircraft manufacturers and air carriers to comply with certain standards, at a time when aircraft fleets were aging and new fly-by-wire technology introduced complex risks.

We’re a long way from having regulatory frameworks for data privacy and network security needed for critical infrastructure — akin to what we have to keep aviation and ground transportation safe and secure. However, the trajectory of ransomware attacks, supply chain corruption, denial of service attacks and cyber espionage is undeniable.

It seems clear we’re going to need more regulations to help guide the private sector into doing the right things. The discussion is just getting started, as you can see by this roundtable of comments from industry experts:

Edgard Capdevielle, CEO, Nozomi Networks

Most critical infrastructure sectors don’t have mandatory cyber standards, and until now that included oil and gas. The requirement for mandatory breach reporting will help shine a light on the extent of the problem in this sector.  Cybersecurity is a team sport.

Comment | Read | May 28th, 2021 | Best Practices | For consumers | For technologists | Steps forward | Top Stories

GUEST ESSAY: ‘World password day’ reminds us to embrace password security best practices

By Chad Cragle

We celebrated World Password Day on May 6, 2021.

Related: Credential stuffing fuels account takeovers

Did you know that this unconventional celebration got its start in 2013, and that it’s now an official holiday on the annual calendar? Every year, the first Thursday in May serves as a reminder for us to take control of our personal password strategies.

Passwords are now an expected and typical part of our data-driven online lives. In today’s digital culture, it’s not unusual to need a password for everything—from accessing your smartphone, to signing into your remote workspace, to checking your bank statements, and more. We’ve all grown used to entering passwords dozens of times per day, and because of this, we often take passwords for granted and forget how crucial they are.

With that in mind, what steps can you take to ensure that your personal data is protected at all times? As a data-driven, security-focused company, we’ve rounded up our top tips inspired by World Password Day to help you improve your password game.

Password overhaul

We know… just the mere thought of coming up with (and remembering) yet another new password is daunting. The average person has about 100 different passwords for the various tools, apps, websites, and online services they use on a regular basis. With so many passwords to keep track of, those familiar “Update Password” prompts tend to get bothersome.

But, unfortunately, we live in a world of constant hacking attempts and security breaches. While changing passwords may be inconvenient at times, following this password best practice can help prevent the following data catastrophes:

Comment | Read | May 26th, 2021 | Best Practices | For consumers | For technologists | Privacy | Steps forward | Top Stories

Last Watchdog podcast: Unwrapping ‘resilience’ guidance discussed at RSA Conference 2021

By Byron V. Acohido

Resilience was the theme of RSA Conference 2021 which took place virtually last week.

Related: Web attacks spike 62 percent in 2020

I’ve been covering this cybersecurity gathering since 2004 and each year cybersecurity materially advances. By the same token, the difficulties of defending modern IT systems has redoubled as organizations try to balance security and productivity.

The outside pressures are indeed as daunting as ever. Migration to cloud infrastructure is accelerating; reliance on wide-open, modular software development is deepening; and the shortage of skilled security analysts is wider than ever. Meanwhile, deep, damaging network breaches persist, affecting companies of all sizes and in all industries.

I visited with Bruce Snell and Setu Kulkarni from NTT Security to discuss this.

Snell is vice president of security strategy; his resume includes a stint as McAfee’s cybersecurity and privacy director.

And Kulkarni joined NTT Security last fall as vice president of corporate strategy, coming over with NTT’s acquisition of WhiteHat Security, where he was VP, Corporate Strategy & Business Development (Editor’s note: an earlier version misstated this title.) For a lively debrief of RSA Conference 2021, please give the accompanying podcast a listen.

 

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

 

Comment | Read | May 25th, 2021 | Best Practices | For technologists | RSA Podcasts | Steps forward | Top Stories

Older Articles »