SHARED INTEL: Ramifications of 86 cities storing citizens’ data in misconfigured AWS S3 buckets

By Byron V. Acohido

The ethical hackers at WizCase recently disclosed another stunning example of sensitive consumer data left out in the open in the public cloud — for one and all to access.

Related: How stolen data gets leveraged in full-stack attacks

This latest high-profile example of security sloppiness was uncovered by a team of white hat hackers led by Ata Hakçil. They found personal documents, collected by over 80 US municipalities, sitting in Amazon Web Services S3 storage buckets left wide open in the public cloud.

This included citizens’ physical addresses, phone numbers, drivers’ licenses, tax documents, and more. There was no need for a password or login credentials to access this information, and the data was not encrypted.

The WizCase team traced this exposure back to a cloud-delivered information management tool — mapsonline.net, supplied by Woburn, Mass.-based PeopleGIS. WizCase reached out to PeopleGIS and the S3 buckets in question have since been secured.

Some 114 Amazon S3 storage buckets used a common naming pattern associated with PeopleGIS; of those, 28 appeared to be properly configured and were not accessible without proper credentials, but 86 were accessible without any password or encryption. The WizCase team outlined three ways this could have happened:

• PeopleGIS created and handed over the buckets to their city customers, and some of them made sure these were properly configured

NEW TECH: How the emailing of verified company logos actually stands to fortify cybersecurity

By Byron V. Acohido

Google’s addition to Gmail of something called Verified Mark Certificates (VMCs) is a very big deal in the arcane world of online marketing.

Related: Dangers of weaponized email

This happened rather quietly as Google announced the official launch of VMCs in a blog post on July 12. Henceforth companies will be able to insert their trademarked logos in Gmail’s avatar slot; many marketers can’t wait to distribute email carrying certified logos to billions of inboxes. They view logoed email as an inexpensive way to boost brand awareness and customer engagement on a global scale.

However, there is a fascinating back story about how Google’s introduction of VMCs – to meet advertising and marketing imperatives — could ultimately foster a profound advance in email security. Over the long term, VMCs, and the underlying Brand Indicators for Message Identification (BIMI) standards, could very well give rise to a bulwark against email spoofing and phishing.

I had a chance to sit down with Dean Coclin, senior director of business development at DigiCert, to get into the weeds of this quirky, potentially profound, security development. DigiCert is a Lehi, Utah-based Certificate Authority (CA) and supplier of Public Key Infrastructure services.

Coclin and I worked through how a huge email security breakthrough could serendipitously arrive as a collateral benefit of VMCs. Here are the main takeaways from our discussion:

NEW TECH: DigiCert Document Signing Manager leverages PKI to advance electronic signatures

By Byron V. Acohido

Most of us, by now, take electronic signatures for granted.

Related: Why PKI will endure as the Internet’s secure core

Popular services, like DocuSign and Adobe Sign, have established themselves as convenient, familiar tools to conduct daily commerce, exclusively online. Yet electronic signatures do have their security limitations. That’s why “wet” signatures, i.e. signing in the presence of a notary, remain a requirement for some transactions involving high dollars or very sensitive records.

Clearly, a more robust approach to verifying identities in the current and future digital landscape would be useful. After all, conducting business transactions strictly online was already on the rise before Covid 19, a trend that only accelerated due to the global pandemic.

And this is why DigiCert recently introduced DigiCert® Document Signing Manager (DSM) – an advanced hosted service designed to increase the level of assurance of the identities of persons signing documents digitally.

I had the chance to learn more about this new tool from Brian Trzupek, DigiCert’s senior vice president of product. DigiCert is best known as a Certificate Authority (CA) and a supplier of services to manage Public Key Infrastructure. And PKI, of course, is the behind-the-scenes authentication and encryption framework on which the Internet is built.

ROUNDTABLE: Kaseya hack exacerbates worrisome supply-chain, ransomware exposures

By Byron V. Acohido

It was bound to happen: a supply-chain compromise, à la SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devastating implications.

Related: The targeting of supply chains

Last Friday, July 2, in a matter of a few minutes, a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs) as their primary tool to remotely manage IT systems on behalf of SMBs.

REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs — for payments of $45,000, payable in Minera. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.

Like SolarWinds and Colonial Pipeline, Miami-based software vendor Kaseya was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a crisis recovery mode, faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.

SHARED INTEL: ‘Credential stuffers’ leverage enduring flaws to prey on video game industry

By Byron V. Acohido

The video game industry saw massive growth in 2020; nothing like a global pandemic to drive people to spend more time than ever gaming.

Related: Credential stuffers exploit Covid 19 pandemic

Now comes a report from Akamai detailing the extent to which cyber criminals preyed on this development. The video game industry withstood nearly 11 billion credential stuffing attacks in 2020, a 224 percent spike over 2019. The attacks were steady and large, taking place at a rate of millions per day, with two days seeing spikes of more than 100 million.

This metric shows how bad actors redoubled their efforts to rip off consumers fixated on spending real money on character enhancements and additional levels. The big takeaway, to me, is how they accomplished this – by refining and advancing credential stuffing.

Credential stuffing is a type of advanced brute force hacking that leverages software automation to insert stolen usernames and passwords into web page forms, at scale, until the attacker gains access to a targeted account.

We know from a Microsoft report how hacking groups backed by Russia, China and Iran have aimed such attacks against hundreds of organizations involved in both the 2020 presidential race and U.S.-European policy debates. And credential stuffing was the methodology used by a Nigerian crime ring

GUEST ESSAY: Why online supply chains remain at risk — and what companies can do about it

By Aanand Krishnan

The Solarwinds hack has brought vendor supply chain attacks — and the lack of readiness from enterprises to tackle such attacks — to the forefront.

Related: Equipping Security Operations Centers (SOCs) for the long haul

Enterprises have long operated in an implicit trust model with their partners. This simply means that they trust, but don’t often verify, that their partners are reputable and stay compliant over time. Given the dynamic nature of websites today and the constantly changing integrations to a site, this implicit trust model no longer suffices.

So what does the average modern website look like? More than 70 percent of the content that loads in an end user’s browser does not come from the website’s server at all. Enterprises are designing client-heavy applications that are executed through JavaScript at runtime, and these browsers are acting as modern-day OSes.

Let’s discuss how the SolarWinds hack relates to a regular website supply chain. Web architecture from the past decade followed a trend where most web applications were server heavy, and enterprises’ data centers handled the bulk of the processing. The web browser was more of a graphical interface or a rendering engine.

Due to optimized speeds and improved computing capacity on client devices, the architecture has evolved over the last few years.

SHARED INTEL: Microsoft discloses how the Nobelium hacking ring engages in routine phishing

By Byron V. Acohido

Microsoft has blunted the ongoing activities of the Nobelium hacking collective, giving us yet another glimpse of the unceasing barrage of hack attempts business networks must withstand on a daily basis.

Related: Reaction to Biden’s cybersecurity executive order

Nobelium is the Russian hacking collective best known for pulling off the milestone SolarWinds supply chain hack last December. That caper required the intricate counterfeiting of software updates sent out automatically by SolarWinds to 18,000 customers. And yet, for all of its sophistication, Nobelium also engages in routine phishing campaigns to get a foothold in targeted organizations. This of course is how they get a toehold to go deeper.

In this case, the attackers leveraged information gleaned from a Microsoft worker’s computing device. In a blog posting, Microsoft disclosed that it “detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers” and that “the actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.”

Microsoft said it notified the targeted 150 organizations, which included “IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.”