Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

For technologists

 

NEW TECH: Can Project Furnace secure DX — by combining serverless computing and GitOps?

By Byron V. Acohido

Assuring the privacy and security of sensitive data, and then actually monetizing that data, — ethically and efficiently — has turned out to be the defining challenge of digital transformation.

Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace, an all-new open source software development platform.

Related: The need to fold ‘SecOps’ into ‘DevOps’

I had the chance to sit down with Furnace Ignite’s co-founders: John Blamire, chief operating officer, and Danny Waite, chief technology officer,  for a pre-launch briefing.

They walked me through how Project Furnace began as a quest to improve the output of SIEM (security information and event management) systems.

However, beyond improving legacy appproachs to network security, Blamire and Waite explained why they firmly believe Furnace could ultimately accelerate the design and implementation of all smart software — the next generation of apps destined to run everything from our shopping experiences to our driverless cars and our smart homes and cities. Here are takeaways from our meeting:

DX context

Furnace, in essence, seeks to aid and abet digital transformation, or DX, the ongoing digitization of essentially all human endeavors into a machine-readable format that can be automatically acted upon. DX is the wider context, here, in the sense that DX is made possible because of the rise of “datafication” — the processes by which we’ve come to rapaciously collect and store mind-boggling amounts of data from web forms, social media, mobile apps, surveillance cameras, IoT sensors and the like.

In 2016, Waite was assigned the task of coming up with a much better way to extract …more

GUEST ESSAY: Australia’s move compelling VPNs to cooperate with law enforcement is all wrong

By Bogdan Patru

The moment we’ve all feared has finally come to pass. When government agencies and international intelligence groups pooled together resources to gather user data, the VPN’s encryption seemed like the light at the end of the tunnel.

Related: California enacts pioneering privacy law

However, it looks like things are starting to break apart now that Australia has passed the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018”. On the 6th of December 2018, a law that is a direct attack on internet users’ privacy was agreed to by both the House of Representatives and the Senate.

The amendment forces all companies, even VPN providers, to collect and give away confidential user data if the police demand it. All telecoms companies will have to build tools in order to bypass their own encryption.

If suspicions appear that a crime has been or will be committed by one of their users, the law enforcement agencies are in their right to demand access to user messages and private data.

This Orwellian Thought Police is to be the judge, jury, and executioner in a digital world that shelters our personal lives and secrets. All the things we’d like to keep hidden from others. You know, this revolutionary idea called “privacy” Anyone?

Tech companies all over the world are unsure how this can be achieved without installing backdoors into their own security systems. These vulnerabilities are just like a stack of powder kegs ready to blow up at any moment. This is because anyone with knowledge of their existence could theoretically use those security holes to gain access to the user data. …more

MY TAKE: Why Satya Nadella is wise to align with privacy advocates on regulating facial recognition

By Byron V. Acohido

We’re just a month and change into the new year, and already there have been two notable developments underscoring the fact that some big privacy and civil liberties questions need to be addressed before continuing the wide-scale deployment of advanced facial recognition systems.

This week civil liberties groups in Europe won the right to challenge the UK’s bulk surveillance activities in the The Grand Chamber of the European Court of Human Rights.

Related: Snowden on unrestrained surveillance

“The surveillance regime the UK government has built seriously undermines our freedom,” Megan Golding, a lawyer speaking for privacy advocates, stated. “Spying on vast numbers of people without suspicion of wrongdoing violates everyone’s right to privacy and can never be lawful.”

That development followed bold remarks made by none other than Microsoft CEO Satya Nadella just a few weeks earlier at the World Economic Forum in Davos, Switzerland.

Nadella expressed deep concern about facial recognition, or FR, being used for intrusive surveillance and said he welcomed any regulation that helps the marketplace “not be a race to the bottom.”

Ubiquitous surveillance

You may not have noticed, but there has been a flurry of breakthroughs in biometric technology, led by some leapfrog advances in facial recognition systems over the past couple of years. Now facial recognition appears to be on the verge of blossoming commercially, with security use-cases paving the way.

Last November,  SureID, a fingerprint services vendor based in Portland, Ore., announced a partnership with Robbie.AI, a Boston-based developer of a facial recognition system designed to be widely deployed on low-end cameras.

The partners aim to combine fingerprint and facial data to more effectively authenticate employees in workplace settings. And their grander vision is to help establish a nationwide biometric database in which a hybrid facial ID/fingerprint can be used for things such as fraud-proofing retail transactions, or, say, taking a self-driving vehicle for a spin.

However, the push back by European privacy advocates and Nadella’s call for regulation highlights the privacy and civil liberties conundrums advanced surveillance technologies poses. It’s a healthy thing that a captain of industry can see this. These are weighty issues …more

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

By Byron V. Acohido

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Related: Massive Marriott breach closes out 2018

Ever wonder where the tens of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, Linked In,  Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches ends up?

This data gets collected and circulated in data bases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by  anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the injection of surreptitiously obtained usernames and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords. …more

MY TAKE: ‘Bashe’ attack theorizes a $200 billion ransomware raid using NSA-class cyber weapons

By Byron V. Acohido

A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe.

Related: U.S. cyber foes exploit government shutdown

The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real life WannaCry and NotPetya ransomware worms that plagued thousands of organizations in 2017.

The exercise was commissioned by Lloyd’s of London, the Cambridge Centre for Risk Studies and the Nanyang Technological University in Singapore, among others. In their construct, the fictional cyber ring behind Bashe leverages lessons learned from missteps made in WannaCry and NotPetya, with the aim of making Bashe “the most infectious malware of all time.”

It should not be forgotten that WannaCry and NotPetya made use of some of the  69 cyber weapons stolen from the NSA and released publicly by a group known as Shadow Brokers. These weapons were designed by NSA software engineers to take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

EternalBlue pedigree

Keep in mind, globe-spanning ransomware worms are just one of endless ways the NSA weapons, often referred to as “EternalBlue,” could be leveraged. While the Lloyd’s study focuses on the ransomware scenario, it’s reasonable to believe threat actors of every stripe are developing other ways to utilize EternalBlue-class cyber weaponry.

This creates a responsibility for every organization to consider this report and assess what damage control might entail, says Darin Pendergraft, vice president of product marketing at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data. …more

NEW TECH: This free tool can help gauge, manage third-party cyber risk; it’s called ‘VRMMM’

By Byron V. Acohido

Late last year, Atrium Health disclosed it lost sensitive data for some 2.65 million patients when hackers gained unauthorized access to databases operated by a third-party billing vendor.

Turn the corner into 2019 and we find Citigroup, CapitalOne, Wells Fargo and HSBC Life Insurance among a host of firms hitting the crisis button after  their customers’ records turned up on a database of some 24 million financial and banking documents found parked on an Internet-accessible server — without so much as password protection. The culprit: lax practices of a third-party data and analytics contractor.

Related: Atrium Health breach highlights third-party risks

One might assume top-tier financial services firms and healthcare vendors would have solved third-party cyber exposures by now. But the truth of the matter is, companies of all sizes and in all sectors remain acutely vulnerable to attack vectors laid open by third-party contractors. And this continues to include enterprises that have poured a king’s ransom into hardening their first-party security posture.

What’s happening is that supply chains are becoming more intricate and far-flung the deeper we move into digital transformation and the Internet of Things. And opportunistic threat actors are proving adept as ever at sniffing out the weak-link third parties in any digital ecosystem.

Mike Jordan, senior director of the Shared Assessments Program, a Santa Fe, NM-based  intel-sharing and training consortium focused on third-party risks, points out that at least one of the banks that had data exposed in this latest huge data leak wasn’t even a customer of the allegedly culpable contractor.

“Hacked subcontractors or downstream service providers can harm companies that have no business relationship with each other,” Jordan told Last Watchdog. “Individuals can even be affected by parties with whom they have no explicit relationships, such as credit bureaus and data brokers.” …more

MY TAKE: 3 privacy and security habits each individual has a responsibility to embrace

By Byron V. Acohido

Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear?

Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized by malicious parties.

Related: Long run damage of 35-day government shutdown

Why we’re in the ‘Golden Age’ of cyber espionageThe fact is cyber criminals are expert at refining and carrying out phishing, malvertising and other tried-and-true ruses that gain them access to a targeted victim’s Internet-connected computing device. And the malware that subsequently gets installed continues to get more stealthy and capable with each advancing iteration.

This has become an engrained pattern in our modern digital world. A vivid illustration comes from Palo Alto Networks’ Unit 42 forensics team. Researchers recently flushed out a new variety of the Xbash family of malware tuned to seek out administrators’ rights and take control of Linux servers. This variant of Xbash is equipped to quietly uninstall any one of five popular types of cloud security protection and monitoring products used on such servers.

Targeting one device

The end game for this particular hacking ring is to install crypto currency mining routines on compromised Linux servers. But the larger point is that Xbash is just one of dozens of malware families circulating far and wide across the Internet. Xbash gets rolling by infecting one device, which then serves as the launch pad for deeper hacking forays limited only by the attacker’s initiative.

To be sure, it’s not as if the good guys aren’t also innovating. Worldwide spending on information security products and services rose to $114 billion in 2018, up from $102 billion in 2017, an increase of 12.4 percent, according to tech consultancy Gartner. …more