Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

For technologists

 

SHARED INTEL: Coming soon — ‘passwordless authentication’ as a de facto security practice

By Byron V. Acohido

As a tradeoff for enjoying our digital lives, we’ve learned to live with password overload and even tolerate two-factor authentication.

But now, at long last, we’re on the brink of eliminating passwords altogether, once and for all.

Related:  CEOs quit Tweeting to protect their companies

A confluence of technical and social developments points to username-and-password logons becoming obsolete over the next few years. What’s more, this shift could very well kick into high gear as part of the solidifying of post Covid-19 business practices and online habits.

I had a chance to discuss this seminal transition with George Avetisov, co-founder and chief executive officer of HYPR, a Manhattan-based supplier of advanced authentication technologies. For a full drill down on our eye-opening conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

Password tradeoffs 

Passwords have always been a big pain. They must be convoluted to be any good, which means they’re difficult to remember, especially since the average person has to juggle passwords to access dozens of online accounts. From a business perspective, managing and resetting passwords chews up scarce resources, and yet even with the best possible maintenance passwords are trivial to hack.

For most of the Internet era, we’ve learned to live with these tradeoffs. However, in the last couple of years the harm wrought by the abuse of passwords has spiked exponentially. The reason: credential stuffing. This is a type of advanced, brute-force hacking that leverages automation.

By deploying botnets pre-loaded with stolen data, credential stuffing gangs are able to insert stolen usernames and passwords into web page forms, at scale, until they gain access to a valuable account. Credential stuffing has enabled criminal hacking rings to turbo-charge their malware spreading and account hijacking campaigns. And when Covid-19 hit, these attackers opportunistically pivoted to plundering Covid-19 relief funds at an ungodly scale.

2 Comments | Read | November 11th, 2020 | Best Practices | For consumers | For technologists | My Take | Podcasts | Steps forward | Top Stories

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

By Byron V. Acohido

The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Melon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.

Related: Companies sustain damage from IoT attacks

That was back in 1982. Since then, IoT devices have become widely and deeply integrated into our homes, businesses, utilities and transportations systems. This has brought us many benefits. And yet our pervasive deployment of IoT systems has also vastly expanded the cyber attack surface of business networks, especially in just the past few years.

And now Covid-19 is having a multiplier effect on these rising IoT exposures. Nine months into the global pandemic an ominous dynamic is playing out.

Remote work and remote schooling have spiked our reliance on IoT systems to a scale no one could have predicted; and much of this sudden, dramatic increase is probably going to be permanent. In response, threat actors are hustling to take full advantage.

This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond. This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.

However, this will require a concerted, proactive effort by the business community —  enterprises and small- and mid-sized businesses alike. Individual citizens, consumers and workers have a big role to play as well. Each one of us will have to cooperate and make sacrifices. A lot is at stake. Here’s what all companies and individuals should fully grasp about our IoT systems under attack, post Covid-19.

One Comment | Read | November 9th, 2020 | For consumers | For technologists | My Take | Privacy | Top Stories

GUEST ESSAY: ‘CyberXchange’ presents a much-needed platform for cybersecurity purchases

By Armistead Whitney

There is no shortage of innovative cybersecurity tools and services that can help companies do a much better job of defending their networks.

Related: Welcome to the CyberXchange Marketplace

In the U.S. alone, in fact, there are more than 5,000 cybersecurity vendors. For organizations looking to improve their security posture, this is causing confusion and vendor fatigue, especially for companies that don’t have a full time Chief Information Security Officer.

The vendors are well-intentioned. They are responding to a trend of companies moving to meet rising compliance requirements, such as PCI-DSS and GDPR. Senior management is now  focused on embracing well-vetted best practices such as those outlined in FFIEC and SOC 2, and many more. According to a recent study by PwC, 91% of all companies are following cybersecurity frameworks, like these, as they build and implement their cybersecurity programs.

All of this activity has put a strain on how companies buy and sell cybersecurity solutions. Consider that PCI-DSS alone has over 250 complex requirements that include things like endpoint protection, password management, anti-virus, border security, data recovery and awareness training.

Traditional channels for choosing the right security solutions are proving to be increasingly ineffective. This includes searching through hundreds of companies on Google, attending trade shows and conferences (not possible today with COVID), or dealing with constant cold calls and cold emails from security company sales reps.

One Comment | Read | October 19th, 2020 | For technologists | Guest Blog Post | Steps forward

MY TAKE: How ‘credential stuffing’ is being deployed to influence elections, steal Covid-19 relief

By Byron V. Acohido

What do wildfires and credential stuffing have in common?

Related: Automated attacks leverage big data

For several years now, both have flared up and caused harm at the fringes of population centers and our digital economy. And, now, in 2020, both have escalated to catastrophic proportions.

Just after Labor Day, dried out trees and shrubs combined with high winds to erupt into massive wildfires that swiftly engulfed rural towns and even suburban areas of California, Oregon, Washington and several other states. Millions of acres of land got consumed, hundreds of thousands of people were evacuated and dozens lost their lives.

Meanwhile, all year long and continuing through the fall, opportunistic cybercriminals have launched wave after wave of automated credential stuffing campaigns. These bad actors are wreaking havoc in two arenas: Stealing Covid-19 relief payments on a massive scale as well as meddling, once again, in the election of a U.S. president.

The wildfires eventually subsided with calmer, damper meteorological conditions. However, massive surges of credential stuffing have persisted, fueled by a seemingly endless supply of already stolen, or easy-to-steal, personal information along with the wide availability of sophisticated hacking tools.

Comment | Read | September 23rd, 2020 | For consumers | For technologists | Imminent threats | My Take | Top Stories

MY TAKE: Lessons learned from the summer of script kiddies hacking Twitter, TikTok

By Byron V. Acohido

Graham Ivan Clark, Onel de Guzman and Michael Calce. These three names will go down in the history of internet commerce, right alongside Jack Dorsey, Mark Zuckerberg and Jeff Bezos.

Related: How ‘Zero Trust’ is compatible with agile computing

We’re all familiar with the high-profile entrepreneurs who gave us the tools and services that underpin our digital economy. However, Clark, de Guzman and Calce are equally notable as leading members of the Hall of Fame of script kiddies – youngsters who precociously shed light on the how these same tools and services are riddled with profound privacy and security flaws.

The trouble is Clark, 17, of Tampa, Florida, is teaching us much the same lessons in the summer of 2020 that de Guzman and Calce did in the spring of 2000. De Guzman authored the I Love You email virus that circled the globe infecting millions of PCs; Calce, aka Mafiaboy, released the Melissa Internet worm that knocked offline Amazon, CNN, eBay and Yahoo.

Judging from the success of script kiddies, the tech giants apparently have not learned very much about security in 20 years. Clark was arrested in late July and charged with masterminding the hijacking of the Twitter accounts of A-list celebrities, and then Tweeting from those accounts to pull off a Bitcoin scam. His caper is worrisome on two counts. First it shows how resistant companies continue to be with respect to embracing very doable cyber hygiene practices – measures that would prevent these sorts of hacks. And second, it reminds us how much capacity to wreak havoc truly malicious parties — not just script kiddies – possess. This is chilling considering the times we’re in. On the cusp of electing a U.S. president, with the world struggling to recover from a global pandemic, there are nuanced lessons we can learn from the Twitter Bitcoin hack. Here’s what all consumers and companies should heed going forward.

Comment | Read | September 1st, 2020 | For consumers | For technologists | Imminent threats | My Take | Privacy | Top Stories

NEW TECH: Trend Micro flattens cyber risks — from software development to deployment

By Byron V. Acohido

Long before this awful pandemic hit us, cloud migration had attained strong momentum in the corporate sector. As Covid19 rages on, thousands of large to mid-sized enterprises are now slamming pedal to the metal on projects to switch over to cloud-based IT infrastructure.

A typical example is a Seattle-based computer appliance supplier that had less than 10 percent of its 5,000 employees set up to work remotely prior to the pandemic. Seattle reported the first Covid19 fatality in the U.S., and Washington was among the first states to issue shelter at home orders. Overnight, this supplier was forced to make the switch to 90 percent of its employees working from home.

As jarring as this abrupt shift to remote work has been for countless companies, government agencies and educational institutions, it has conversely been a huge boon for cyber criminals. The Internet from its inception has presented a wide open attack vector to threat actors. Covid19 has upgraded the Internet — from the criminals’ point of view — to a picture-perfect environment for phishing, scamming and deep network intrusions. Thus the urgency for organizations to put all excuses aside and embrace stricter cyber hygiene practices could not be any higher.

It’s a very good thing that the cybersecurity industry has been innovating apace, as well. Cybersecurity technology is far more advanced today than it was five years ago, or even two years ago.

Comment | Read | August 25th, 2020 | For technologists | New Tech | Podcasts | Privacy | Steps forward | Top Stories

NEW TECH: A better way to secure agile software — integrate app scanning, pen testing into WAF

By Byron V. Acohido

The amazing array of digital services we so blithely access on our smartphones wouldn’t exist without agile software development.

Related: ‘Business logic’ hacks on the rise

Consider that we began this century relying on the legacy “waterfall” software development process. This method required a linear plan, moving in one direction, that culminated in a beta deliverable by a hard and fast deadline. To set this deadline required a long, often tortured planning cycle. And this invariably led to the delivery of a bug-ridden version 1.0, if not outright project failure.

By contrast, the agile approach, aka DevOps, thrives on uncertainty. DevOps expects changes as part of being responsive to end users. Agile software development is all about failing fast — discovering flaws quickly and making changes on the fly. Agile has given us Netflix, Twitter, Uber, TikTok and much more.

Of course the flip side is that all of this speed and agility has opened up endless fresh attack vectors – particularly at the web application layer of digital commerce. “The heart of any business is its applications,” says Venky Sundar, founder and chief marketing officer of Indusface. “And application-level attacks have come to represent the easiest target available to hackers.”

Based in Bengalura, India, Indusface helps its customers defend their applications with a portfolio of services that work in concert with its flagship web application firewall (WAF,) a technology that has been around for about 15 years. WAFs have become a table stakes; any company with a public-facing website should by now have a WAF. Fundamentally, WAFs monitor all of the  HTTP traffic hitting a company’s web servers and block known malicious traffic, such as the threats listed in the OWASP Top 10 application level attacks

A few of the big-name vendors in the WAF space include Imperva, Cloudflare, Akamai and Barracuda and even Amazon Web Services offers a WAF. Indusface has differentiated itself by … more

One Comment | Read | August 17th, 2020 | For technologists | Imminent threats | New Tech | Podcasts | Top Stories

« Newer Articles
Older Articles »