Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Imminent threats

 

MY TAKE: How ‘credential stuffing’ is being deployed to influence elections, steal Covid-19 relief

By Byron V. Acohido

What do wildfires and credential stuffing have in common?

Related: Automated attacks leverage big data

For several years now, both have flared up and caused harm at the fringes of population centers and our digital economy. And, now, in 2020, both have escalated to catastrophic proportions.

Just after Labor Day, dried out trees and shrubs combined with high winds to erupt into massive wildfires that swiftly engulfed rural towns and even suburban areas of California, Oregon, Washington and several other states. Millions of acres of land got consumed, hundreds of thousands of people were evacuated and dozens lost their lives.

Meanwhile, all year long and continuing through the fall, opportunistic cybercriminals have launched wave after wave of automated credential stuffing campaigns. These bad actors are wreaking havoc in two arenas: Stealing Covid-19 relief payments on a massive scale as well as meddling, once again, in the election of a U.S. president.

The wildfires eventually subsided with calmer, damper meteorological conditions. However, massive surges of credential stuffing have persisted, fueled by a seemingly endless supply of already stolen, or easy-to-steal, personal information along with the wide availability of sophisticated hacking tools.

MY TAKE: Lessons learned from the summer of script kiddies hacking Twitter, TikTok

By Byron V. Acohido

Graham Ivan Clark, Onel de Guzman and Michael Calce. These three names will go down in the history of internet commerce, right alongside Jack Dorsey, Mark Zuckerberg and Jeff Bezos.

Related: How ‘Zero Trust’ is compatible with agile computing

We’re all familiar with the high-profile entrepreneurs who gave us the tools and services that underpin our digital economy. However, Clark, de Guzman and Calce are equally notable as leading members of the Hall of Fame of script kiddies – youngsters who precociously shed light on the how these same tools and services are riddled with profound privacy and security flaws.

The trouble is Clark, 17, of Tampa, Florida, is teaching us much the same lessons in the summer of 2020 that de Guzman and Calce did in the spring of 2000. De Guzman authored the I Love You email virus that circled the globe infecting millions of PCs; Calce, aka Mafiaboy, released the Melissa Internet worm that knocked offline Amazon, CNN, eBay and Yahoo.

Judging from the success of script kiddies, the tech giants apparently have not learned very much about security in 20 years. Clark was arrested in late July and charged with masterminding the hijacking of the Twitter accounts of A-list celebrities, and then Tweeting from those accounts to pull off a Bitcoin scam. His caper is worrisome on two counts. First it shows how resistant companies continue to be with respect to embracing very doable cyber hygiene practices – measures that would prevent these sorts of hacks. And second, it reminds us how much capacity to wreak havoc truly malicious parties — not just script kiddies – possess. This is chilling considering the times we’re in. On the cusp of electing a U.S. president, with the world struggling to recover from a global pandemic, there are nuanced lessons we can learn from the Twitter Bitcoin hack. Here’s what all consumers and companies should heed going forward.

NEW TECH: A better way to secure agile software — integrate app scanning, pen testing into WAF

By Byron V. Acohido

The amazing array of digital services we so blithely access on our smartphones wouldn’t exist without agile software development.

Related: ‘Business logic’ hacks on the rise

Consider that we began this century relying on the legacy “waterfall” software development process. This method required a linear plan, moving in one direction, that culminated in a beta deliverable by a hard and fast deadline. To set this deadline required a long, often tortured planning cycle. And this invariably led to the delivery of a bug-ridden version 1.0, if not outright project failure.

By contrast, the agile approach, aka DevOps, thrives on uncertainty. DevOps expects changes as part of being responsive to end users. Agile software development is all about failing fast — discovering flaws quickly and making changes on the fly. Agile has given us Netflix, Twitter, Uber, TikTok and much more.

Of course the flip side is that all of this speed and agility has opened up endless fresh attack vectors – particularly at the web application layer of digital commerce. “The heart of any business is its applications,” says Venky Sundar, founder and chief marketing officer of Indusface. “And application-level attacks have come to represent the easiest target available to hackers.”

Based in Bengalura, India, Indusface helps its customers defend their applications with a portfolio of services that work in concert with its flagship web application firewall (WAF,) a technology that has been around for about 15 years. WAFs have become a table stakes; any company with a public-facing website should by now have a WAF. Fundamentally, WAFs monitor all of the  HTTP traffic hitting a company’s web servers and block known malicious traffic, such as the threats listed in the OWASP Top 10 application level attacks

A few of the big-name vendors in the WAF space include Imperva, Cloudflare, Akamai and Barracuda and even Amazon Web Services offers a WAF. Indusface has differentiated itself by … more

Q&A: Sophos poll shows how attackers are taking advantage of cloud migration to wreak havoc

By Byron V. Acohido

Cloud migration, obviously, is here to stay.

Related: Threat actors add ‘human touch’ to hacks

To be sure, enterprises continue to rely heavily on their legacy, on-premises datacenters. But there’s no doubt that the exodus to a much greater dependency on hybrid cloud and multi-cloud resources – Infrastructure-as-a-Service (IaaS) and Platforms-as-a-Service (PaaS) – is in full swing.

Now comes an extensive global survey from Sophos, a leader in next generation cybersecurity, that vividly illustrates how cybercriminals are taking full advantage. For its State of Cloud Security 2020 survey, Sophos commissioned the polling of some 3,500 IT managers across 26 countries in Europe, the Americas, Asia Pacific, the Middle East, and Africa. The respondents were from organizations that currently host data and workloads in the public cloud.

Sophos found that fully 70% of organizations experienced a public cloud security incident in the last year. Furthermore, 50% encountered ransomware and other malware; 29% reported incidents of data getting exposed; 25% had accounts compromised; and 17% dealt with incidents of crypto-jacking. The poll also showed that organizations running multi-cloud environments were 50% more likely to suffer a cloud security incident than those running a single cloud.

Those findings were eye-opening, yes. But they were not at all surprising. Digital commerce from day one has revolved around companies bulling forward to take full advantage of wondrous decentralized, anonymous characteristics of the Internet, which began a military-academic experiment.

SHARED INTEL: Study shows mismanagement of ‘machine identities’ triggers $52 billion in losses

By Byron V. Acohido

In one sense, digital transformation is all about machines.

Related: Authenticating IoT devices

Physical machines, like driverless vehicles and smart buildings; but, even more so, virtual machines. I’m referring to the snippets of “microservice” coding placed inside of modular software “containers” that get mixed and matched in “storage buckets,” and then processed in  “serverless computers” residing in the Internet cloud.

These virtual machines – which happen to be mushrooming in number — underly the physical machines. This all adds up to high-speed, agile innovation. But the flip side is that fresh software vulnerabilities are getting spun up, as well. Machines control the flow of all types of sensitive data. As a result, the way in which they connect and authorize communication makes them a primary security risk for organizations. And, cyber criminals, no surprise, are taking full advantage.

Now comes a study from Boston-based consultancy Air Worldwide that puts some hard numbers on the degree to which threat actors are plundering virtual machines. The report, titled The Economic Impact of Machine Identity Breaches, was commissioned by Salt Lake City, UT-based security vendor Venafi.

According to the study, poor management of machine identities leads directly to an estimated $52 billion to $72 billion in losses annually. What’s more, large enterprises, i.e. those with $2 billion or more in annual revenue, are getting hit twice as hard as smaller organizations, when it comes to cyber attacks that exploit anemic protections for machine identities.

I had a chance to visit once again with Jeff Hudson, Venafi’s outspoken CEO at RSA 2020. We had a lively discussion about the backdrop of the study, and its going-forward implications. For a full drill down, please give the accompanying podcast a listen. Here are excerpts, edited for clarity and length:

SHARED INTEL: How attacks on web, mobile apps are being fueled by rising API vulnerabilities

By Byron V. Acohido

Application programming interface. API. It’s the glue holding digital transformation together.

Related: A primer on ‘credential stuffing’

APIs are the conduits for moving data to-and-fro in our digitally transformed world. APIs are literally everywhere in the digital landscape, and more are being created every minute. APIs connect the coding that enables the creation and implementation of new applications.

However, APIs also manifest as a wide open, steadily expanding attack vector. Many organizations caught up in the frenzy of digital transformation don’t fully appreciate the gaping exposures APIs have come to represent.

I had the chance to discuss this with Matt Keil, director of product marketing at Cequence Security, a Sunnyvale, Calif.-based application security vendor that’s in the thick of helping businesses mitigate web application exposures. We spoke at RSA 2020. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways:

Romance scams

Like many modern companies, Zoosk, the popular San Francisco-based dating site, rests on infrastructure that’s predominantly cloud-based. Zoosk’s core service is delivered via a mobile app that has 20 different registration and/or login pages – all are API driven.

Thus, it was well worth it for a hacking group to study Zoosk’s IT stack to reconnoiter its weak points.  Here’s how Keil breaks down what happened:

MY TAKE: Iran’s cyber retaliation for Soleimani assassination continues to ramp up

By Byron V. Acohido

Less than 48 hours after the killing of Iran’s General Qasem Soleimani, the U.S. Department of Homeland Security issued a bulletin calling out Iran’s “robust cyber program,” and cautioning everyone to be prepared for Iran to “conduct operations in the United States.”

Related: Cyber warfare enters Golden Age

In fact, strategic cyber operations essentially pitting Russia and Iran against the U.S. and Saudi Arabia have been steadily escalating for at least the past decade, with notable spikes in activity throughout the course of 2019.

The Soleimani assassination simply added kerosene to those long-flickering flames. Since the killing, there has been a marked increase in probing for vulnerable servers – focused on industrial control systems in facilities in both the Middle East and North America. This escalation of reconnaissance is being closely monitored by the global cybersecurity and intelligence communities. Jeremy Samide, CEO of Stealthcare, a Cleveland-based cyberthreats intelligence gathering consultancy, is in the midst of it.

Samide and other experts say what’s coming next is very likely to be a series of varied attacks as combatants on all sides leverage footholds gained from ongoing intelligence gathering and malware planting. Evidence of this gelling scenario are called out in a recent report from Dragos, a Maryland-based supplier of industrial controls security systems, and also in a technical report issued earlier this month by Saudi Arabia’s National Cyber Security Center.

“This isn’t something that’s going to happen overnight,” Samide told me. “Iran’s response will be long and drawn out. There will very likely be a number of smaller and medium-sized attacks, culminating in a larger attack that will be highly coordinated and strike at just the right time. And it might not be Iran directly retaliating alone. It could involve multiple state actors, adversarial to the West, joining forces to co-ordinate an attack, or even multiple attacks.”

There has been plenty of news coverage of certain high-profile Iranian and Russian cyberattacks; … more