Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Imminent threats

 

SHARED INTEL: What can be done — today — to keep quantum computing from killing encryption

By Byron V. Acohido

There’s little doubt that the shift to quantum computing  will open new horizons of digital commerce. But it’s also plain as day that the mainstreaming of quantum processing power will profoundly exacerbate cybersecurity exposures.

Related: The ‘post quantum crytpo’ race is on

This isn’t coming as any surprise to IT department heads. In fact, there’s widespread recognition in corporate circles that the planning to address fresh cyber risks associated with quantum computing should have commenced long ago.

That’s the upshot of a survey of 400 large organizations across critical infrastructure industries in the U.S., Germany and Japan. The study, sponsored by DigiCert, Inc., a Lehi,Utah-based supplier of digital certificates, found 71 percent of global organizations already see the emergence of quantum processing power as a material security threat.

Their trepidation is focused on the potential undermining of a core security component of classical computing systems: encryption. In a nutshell, when quantum processing power becomes widely available – whether that be three years or 10 years from now — threat actors will gain the ability to decrypt everything companies have been protecting with classical encryption.

To its credit, the global cybersecurity community is not asleep on this. A major public-private effort is underway to revamp classical cryptography, and ultimately replace it with something called post-quantum-cryptography, or PQC. DigiCert happens to be in the thick of this effort; I recently had a wide-ranging discussion about this with Tim Hollebeek, DigiCert’s industry and standards technical strategist. …more

SHARED INTEL: APIs hook up new web and mobile apps — and break attack vectors wide open

By Byron V. Acohido

If your daily screen time is split between a laptop browser and a smartphone, you may have noticed that a few browser web pages are beginning to match the slickness of their mobile apps.

Related: The case for a microservices firewall

Netflix and Airbnb are prime examples of companies moving to single-page applications, or SPAs, in order to make their browser webpages as responsive as their mobile apps.

The slickest SPAs leverage something called GraphQL, which is a leading edge way to build and query application programing interfaces, or APIs. If you ask the builders of these SPAs, they will tell you that the scale and simplicity of retrieving lots of data with GraphQL is superior to a standard RESTful API. And that brings us to cybersecurity.

APIs are being created in batches on a daily basis by the Fortune 500 and any company that is creating mobile and web applications. APIs are the conduits for moving data to-and-fro in our digitally transformed world. And each new API is a pathway to the valuable sets of data fueling each new application.

Trouble is that at this moment no one is keeping very good track of the explosion of APIs. Meanwhile, the rising use of SPA and GraphQL underscores how API growth is shifting into a higher gear. This means the attack surface available to cyber criminals looking to make money off of someone else’s data is, yet again, expanding.

I had a chance to discuss this with Doug Dooley, COO of Data Theorem, a Silicon Valley-based application security startup helping companies deal with these growing API exposures. For a full drill down, give a listen to the accompanying podcast. Here are a few key takeaways:

Cool new experiences

Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud supply computer processing and data storage as a utility. DevOps has decentralized the creation and delivery of  smart applications that can mine humongous data sets to create cool new user experiences.

Microservices are little snippets of modular code of which smart apps are made of. Written by far-flung third-party developers, microservices get mixed and matched and reused inside of software containers. And each instance of a microservice connecting to another microservice, or to a container, is carried out by an API.

In short, APIs are multiplying fast and creating the automated highways of data. The growth of APIs on the public Internet grew faster in 2019 than in previous years, according to ProgrammableWeb.  And this doesn’t account for all the private APIs business built and use. The services on that smartphone you’re holding makes use of hundreds of unique APIs.  …more

MY TAKE: How ‘credential stuffing’ and ‘account takeovers’ are leveraging Big Data, automation

By Byron V. Acohido

A pair of malicious activities have become a stunning example of digital transformation – unfortunately on the darknet.

Related: Cyber risks spinning out of IoT

Credential stuffing and account takeovers – which take full advantage of Big Data, high-velocity software, and automation – inundated the internet in massive surges in 2018 and the first half of 2019, according to multiple reports.

Credential stuffing is one of the simplest cybercriminal exploits, a favorite among hackers. Using this technique, the criminal collects your leaked credentials (usually stolen in a data breach) and then applies them to a host of other accounts, hoping they unlock more. If you’re like the majority of users out there, you reuse credentials. Hackers count on it.

A new breed of credential stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. The sophistication level of these cyberthreats is increasing, and there’s an ominous consensus gelling in the cybersecurity community that the worst is yet to come.

“We’ve observed significant growth in credential stuffing and account takeovers for several years. It’s hard to see a short-term change that would slow attempts by attackers,” Patrick Sullivan, Akamai’s senior director of security strategy, told me. “Significant changes to authentication models may be required to alter the growth trajectory of these attacks.” …more

SHARED INTEL: Mobile apps are riddled with security flaws, many of which go unremediated

By Byron V. Acohido

The convergence of DevOps and SecOps is steadily gaining traction in the global marketplace. Some fresh evidence of this encouraging trend comes to us by way of shared intelligence from WhiteHat Security.

Related: The tie between DevOps and SecOps.

Organizations that are all-in leveraging microservices to speed-up application development, on the DevOps side of the house, have begun acknowledging the importance of incorporating SecOps along the way. The most forward-thinking among them are increasingly checking for vulnerabilities in new apps – and finding them, big time.

That’s one of the key revelations in the 2019 WhiteHat Application Security Statistics Report, which I’d place in the category of reports that bear close scrutiny because it is based on the actual in-the-field experiences of WhiteHat’s global customer base. Also, WhiteHat has been generating this report annually since 2006.

Based on 17 million application security scans carried out in 2018, WhiteHat found a 20% increase in vulnerabilities found in the applications that organizations tested for security flaws.

What’s more, based on WhiteHat’s partner, NowSecure’s insight, some 70% of mobile apps were found to leak sensitive data.

The fact that more companies are participating in the hunt for security flaws in new apps is a good thing. However, WhiteHat also found many app vulnerabilities are, today, going unaddressed. Remediation rates actually fell in 2018, as compared to 2017. At the moment, the effort required to secure existing and new apps appears to be overwhelming already short-staffed security teams.

The Dawn of DevSecOps

This field report tells us that, yes, SecOps is gaining traction, with more and more security teams beginning to contribute to the delivery of secure apps. However, many security teams lack the skills, and/or have not yet won corporate backing to bring in the engineering support needed to mitigate the vulnerabilities.

These applications flaws were always there, mind you – WhiteHat found that more than one-third of all application security risks are inherited rather than written – but now they are being flushed out as DevOps and SecOps merge into DevSecOps.

The more progressive security teams are, indeed, tackling remediation. For those teams, the benefits associated with paying a bit of attention to security, up front, have sunk in. Not only can they take pride in contributing to a better experience for end users, they’re also reducing the headaches that go along with having to patch vulnerabilities that turn up, post production. …more

NEW TECH: ICS zero-day flaws uncovered by Nozomi Networks’ analysis of anomalous behaviors

By Byron V. Acohido

Andrea Carcano’s journey to co-founding a security company in the vanguard of defending critical infrastructure began at a tender age.

Related: Why the Golden Age of cyber spying is here

Carcano hacked a computer screen at age 14, and that got him intrigued by software controls. He went on to earn a masters degree in cybersecurity, during which time he won a scholarship from the European Commission to craft a proof of concept attack against an industrial control system (ICS.)

“I said at the time, ‘OK, this is cool, someone is paying me to develop malware,” Carcano told me. “So I decided to keep going. I saw a huge gap, and I got really passionate about this topic. I started on my PhD, and at the very beginning focused on the offensive side. But I quickly moved to the defensive side and spent all of my academic career focused on how to protect critical infrastructure.”

PhD in hand, Carcano spent three years in the field helping a large oil-and-gas company tighten ICS security for operations in different corners of the world. In 2013, he co-founded Nozomi Networks aiming to deliver a more holistic and efficient way to defend industrial controls of all types.

I had the chance to visit with Carcano at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. Here’s what I came away with:

Ready-made attack tools

Vulnerability research and outright attacks on industrial controls has shifted dramatically over the past 10 to 15 years ago. When Carcano first began working in the field, only a handful of the top nation-states were actively involved in sponsoring this type of activity, and they tried to do it  as quietly as possible.

Today, for a variety of reasons having to do with geo-political affairs and the evolving cyber underground, things are much different. The state-sponsored hacking groups are still in business. But they are part of a thriving cottage industry that has arisen around finding, selling and testing fresh ICS vulnerabilities. And not just of power plants and utilities, but also in the firmware and software that run manufacturing plants of all types and sizes, Carcano told me. …more

MY TAKE: Here’s how ‘bulletproof proxies’ help criminals put compromised IoT devices to work

By Byron V. Acohido

Between Q1 2019 and Q2 2019, malicious communications emanating from residential IP addresses in the U.S. – namely smart refrigerators, garage doors, home routers and the like – nearly quadrupled for the retail and financial services sectors.

Related: How botnets gave Trump 6 million faked followers

To put it plainly, this represented a spike in cyber attacks bouncing through ordinary Internet-connected devices humming away in homes across America. These attacks were carried out by cyber criminals leveraging an insidious new attack tool: bulletproof proxies.

What were they up to? IoT devices are proving to be an integral element for cyber criminals to launch automated attack campaigns to manipulate social media likes, create fake accounts, take over existing accounts, execute credential stuffing, content scraping, click fraud and carry out other cyber villainy.

This stunning intel comes in a study from Cequence Security, a Sunnyvale, CA-based vendor focused on helping companies defend against such attacks. These findings have huge implications, not just highlighting what a huge drain botnets have become to our Internet-centric economy, but also underscoring how botnets have become a disruptive force in political discourse, globally.

I had a deep discussion about this with Cequence’s Will Glazier, head of research, and Matt Keil, director of product marketing, at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. My big takeaways:

Bulletproof weaponry

Back in 2007, a noted fellow journalist, Brian Krebs, exposed how the Russian Business Network had pioneered something called “bulletproof hosting.” RBN provided web hosting services to one-and-all, and then looked the other way as spammers, fraudsters and even child pornography distributors did their thing, operating their botnets with impunity.

Just the other day, Krebs broke another story about what he’s calling “bulletproof residential VPN services.” And Cequence has done deep analysis on “bulletproof proxies” — the latest, greatest iteration of bulletproof hosting. Instead of building out and hosting a server farm that can be isolated and potentially shut down by law enforcement, bulletproof proxy providers today assemble millions of globally distributed IP addresses and make those available to one-and-all.

Crucially, the availability of an endless supply of IP addresses reinforces the viability of botnets. (A bot is a computing nodule, and a botnet is a network of nodules under control of the botnet master.) The fact that botnet nodules today increasingly spin out of residential IP addresses is significant for two reasons: …more

SHARED INTEL: Malware-ridden counterfeit phones place consumers, companies in harm’s way

By Byron V. Acohido

A faked Rolex or Prada handbag is easy enough to acquire on the street in certain cities, and you can certainly hunt one down online.

Now add high-end counterfeit smartphones to the list of luxury consumer items that are being aggressively marketed to bargain-hungry consumers.

Related: Most companies ignorant about rising mobile attacks

While it might be tempting to dismiss the potential revenue lost by Apple, Samsung, HTC and other suppliers of authentic phones, this counterfeit wave is particularly worrisome. The faked phones flooding  the market today are slicker than ever. And, increasingly, they come riddled with some of the most  invasive types of malware.

This is putting consumers and companies in harm’s way through yet another attack vector – one which gives professional hacking collectives another means to compromise online accounts and break into company networks.

“These devices are not safe to do anything on, and they impact everything they touch,” says Ronan Cremin, chief technology officer at Afilias Technologies, a Dublin-based tech vendor that has a unique view of mobile device usage patterns.

I visited with Cremin at Black Hat USA 2019. For a full drill down of our discussion, give a listen to the accompanying podcast.  My takeaways:

Cutting corners

Knock-off smartphones are a much bigger problem than most folks realize. An estimated 180 million counterfeit mobile phones are sold globally each year, representing a potential loss of $50 billion to device manufacturers, according to a study by the EU’s Intellectual Property Office.

Such phones have been around for a few ears, and the latest iterations are getting nearly impossible to distinguish from the genuine article, Cremin told me. Packaging is spot on: all expected accessories, including headphones, chargers, cables and user guides are typically included. Outwardly, the look-and-fell is amazing: fit and finish and the user interface are indistinguishable from the genuine article. The big clue that it’s a fake is the asking price, which is typically a tenth or less of what you’d expect to pay.

Ah, but on the inside, that is where all the corners get cut. A favorite sleigh-of-hand is to display bogus specs for the make, model, RAM, storage and CPU core. Under the covers, the main components typically will be several generations old. …more