Imminent threats


MY TAKE: For better or worse, machine-to-machine code connections now form much of the castle wall

By Byron V. Acohido

Managing permissions is proving to be a huge security blind spot for many companies.

Related: President Biden’s cybersecurity order sets the stage

What’s happening is that businesses are scaling up their adoption of multi-cloud and hybrid-cloud infrastructures. And in doing so, they’re embracing agile software deployments, which requires authentication and access privileges to be dispensed, on the fly, for each human-to-machine and machine-to-machine coding connection.

This frenetic activity brings us cool new digital services, alright. But the flip side is that companies have conceded to a dramatic expansion of their cloud attack surface – and left it wide open to threat actors.

“The explosion in the number of human and non-human identities in the public cloud has become a security risk that businesses simply can’t ignore,” observes Eric Kedrosky, CISO at Sonrai Security.

I’ve had a couple of deep discussions with Kedrosky about this. Based in New York City, Sonrai is a leading innovator in a nascent security discipline referred to as Cloud Infrastructure Entitlement Management (CIEM).

GUEST ESSAY: Here’s what every business should know — and do — about CaaS: crime-as-a-service

By Jack Chapman

It doesn’t matter if you want to learn a new language or figure out how to fix your broken clothes dryer; the tools, tutorials, and templates you need are available online.

Related: Enlisting ‘human sensors’

Unfortunately, with crime-as-a-service, the same is true for people interested in trying their hand at cybercrime. The dark web provides virtually everything potential attackers need to make their move.

Let’s look closely at precisely what crime-as-a-service (CaaS) is, why it’s so dangerous, and how your business can defend itself.

CaaS variants

Experts define CaaS as what happens when sophisticated hackers and criminals work together to create technology, toolkits, and methodologies geared toward carrying out cyberattacks. CaaS is happening with increasing regularity. For example, an Illinois man recently faced conviction for running a website that allowed users to buy subscriptions to launch distributed denial of service (DDoS) attacks against computer networks.

Q&A: All-powerful developers begin steering to the promise land of automated security

By Byron V. Acohido

Software developers have become the masters of the digital universe.

Related: GraphQL APIs pose new risks

Companies in the throes of digital transformation are in hot pursuit of agile software and this has elevated developers to the top of the food chain in computing.

There is an argument to be made that agility-minded developers, in fact, are in a terrific position to champion the rearchitecting of enterprise security that’s sure to play out over the next few years — much more so than methodical, status-quo-minded security engineers.

With Black Hat USA 2021 reconvening in Las Vegas this week, I had a deep discussion about this with Himanshu Dwivedi, founder and chief executive officer, and Doug Dooley, chief operating officer, of Data Theorem, a Palo Alto, CA-based supplier of a SaaS security platform to help companies secure their APIs and modern applications.

For a full drill down on this evocative discussion, please view the accompanying video. Here are the highlights, edited for clarity and length:

LW: Bad actors today are seeking out APIs that they can manipulate, and then they follow the data flow to a weakly protected asset. Can you frame how we got here?

Dwivedi: So 20 years ago, as a hacker, I’d go see where a company registered its IP. I’d do an ARIN Whois look-up. I’d profile their network and build an attack tree. Fast forward 20 years and everything is in the cloud. Everything is in Amazon Web Services, Google Cloud Platform or Microsoft Azure and I can’t tell where anything is hosted based solely on IP registration.

So as a hacker today, I’m no longer looking for a cross-site scripting issue of some website since I can only attack one person at a time with that. I’m looking at the client, which could be an IoT device, or a mobile app or a single page web app (SPA) or it could be an … more

SHARED INTEL: Ramifications of 86 cities storing citizens’ data in misconfigured AWS S3 buckets

By Byron V. Acohido

The ethical hackers at WizCase recently disclosed another stunning example of sensitive consumer data left out in the open in the public cloud — for one and all to access.

Related: How stolen data gets leveraged in full-stack attacks

This latest high-profile example of security sloppiness was uncovered by a team of white hat hackers led by Ata Hakçil. They found personal documents, collected by over 80 US municipalities, sitting in Amazon Web Services S3 storage buckets left wide open in the public cloud.

This included citizens’ physical addresses, phone numbers, drivers’ licenses, tax documents, and more. There was no need for a password or login credentials to access this information, and the data was not encrypted.

The WizCase team traced this exposure back to a cloud-delivered information management tool — mapsonline.net, supplied by Woburn, Mass.-based PeopleGIS. WizCase reached out to PeopleGIS and the S3 buckets in question have since been secured.

Some 114 Amazon S3 storage buckets used a common naming pattern associated with PeopleGIS; of those, 28 appeared to be properly configured and were not accessible without proper credentials, but 86 were accessible without any password or encryption. The WizCase team outlined three ways this could have happened:

• PeopleGIS created and handed over the buckets to their city customers, and some of them made sure these were properly configured

ROUNDTABLE: Kaseya hack exacerbates worrisome supply-chain, ransomware exposures

By Byron V. Acohido

It was bound to happen: a supply-chain compromise, à la SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devastating implications.

Related: The targeting of supply chains

Last Friday, July 2, in a matter of a few minutes, a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs) as their primary tool to remotely manage IT systems on behalf of SMBs.

REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs — for payments of $45,000, payable in Monero. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.

Like SolarWinds and Colonial Pipeline, Miami-based software vendor Kaseya was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a crisis recovery mode, faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.

Q&A: ‘Credential stuffers’ leverage enduring flaws to prey on video game industry

By Byron V. Acohido

The video game industry saw massive growth in 2020; nothing like a global pandemic to drive people to spend more time than ever gaming.

Related: Credential stuffers exploit Covid-19 pandemic

Now comes a report from Akamai detailing the extent to which cyber criminals preyed on this development. The video game industry withstood nearly 11 billion credential stuffing attacks in 2020, a 224 percent spike over 2019. The attacks were steady and large, taking place at a rate of millions per day, with two days seeing spikes of more than 100 million.

This metric shows how bad actors redoubled their efforts to rip off consumers fixated on spending real money on character enhancements and additional levels. The big takeaway, to me, is how they accomplished this – by refining and advancing credential stuffing.

Credential stuffing is a type of advanced brute force hacking that leverages software automation to insert stolen usernames and passwords into web page forms, at scale, until the attacker gains access to a targeted account.

We know from a Microsoft report how hacking groups backed by Russia, China and Iran have aimed such attacks against hundreds of organizations involved in both the 2020 presidential race and U.S.-European policy debates. And credential stuffing was the methodology used by a Nigerian crime ring

Q&A: Akamai reports web attack traffic spiked 62 percent in 2020 — all sectors hit hard

By Byron V. Acohido

Some instructive fresh intelligence about how cyber attacks continue to saturate the Internet comes to us from Akamai Technologies.

Related: DHS launches 60-day cybersecurity sprints

Akamai, which happens to be the Hawaiian word for “smart,” recently released its annual State of the Internet security report. As a leading global content delivery network (CDN), Akamai has a bird’s-eye view of what is coursing through cyberspace moment by moment. In 2020, it saw 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations — an increase of more than 45 percent year-over-year in that sector.

Meanwhile, threat actors’ siege on web applications surged 62 percent in 2020 vs. 2019: Akamai observed nearly 6.3 billion web app attacks last year, with more than 736 million targeting financial services.

The majority were SQL Injection (SQLi) attacks, which made up 68 percent of all web app attacks in 2020; Local File Inclusion (LFI) attacks came in second at 22 percent. However, in the financial services industry, LFI attacks were the number one web application attack type in 2020 at 52 percent, with SQLi at 33 percent and Cross-Site Scripting at 9 percent.

I had the chance to visit with the estimable Steve Ragan, the Akamai analyst who put together this report. I’ve known Ragan for a long time and greatly respect his work. He’s excellent at putting himself in the shoes of the threat actors. Here are excerpts of our discussion, edited for clarity and length.

Q: The scale of ‘attacks’ in 2020 is astronomical: 6.3 billion web attacks globally; 736 million in the financial services sector. Can you break this down, and put it into a useful context? For instance, what constitutes a single web attack?

A: You’re right. It is astronomical. For Akamai, a single alert is an attack, and a group of attacks could be called a campaign. In 2020, we observed a healthy mix of both attacks and … more