Imminent threats

 

MY TAKE: How the lack of API security translates into ‘digital transformation’ security holes

By Byron V. Acohido

If you’re not familiar with how Facebook, Twitter and YouTube make it so easy for you and me to access cool content they’ve collected and stored behind their respective firewalls, then you might think “API” is a trendy type of beer.

In fact, API stands for Application Programming Interface, the indispensable technology that makes it possible for software applications to exchange data across the Internet.

Related: Cross-site scripting threat heats up

APIs have been a cornerstone of our digital economy from the start. Without them, social media and software-as-a-service, as we’ve come to know them, wouldn’t exist. And today APIs are empowering companies to speed up complex software development projects – as part of digital transformation.

In short, APIs have emerged and endured as the linchpin of social media, cloud services and mobile computing; and they will remain pivotal as the Internet of Things expands.

However, just like every other tech breakthrough that rose rapidly to ubiquitous use, APIs have a gaping downside: intrinsic lack of security. I recently had a chance to discuss the vulnerable state of APIs with Tim Arvanites, co-founder and chief technology officer of AAPI, a security startup which helps companies lock down their APIs. For a drill down on our conversation, please listen to the accompanying podcast. Here are a few big picture takeaways: …more

How ‘digital transformation’ gave birth to a new breed of criminal: ‘machine-identity thieves’

By Byron V. Acohido

There’s a new breed of identity thief at work plundering consumers and companies.

However, these fraudsters don’t really care about snatching up your credentials or mine. By now, your personal information and mine has been hacked multiple times and is readily on sale in the Dark Web. This has long been true of the vast majority of Americans.

Related article: 7 hacks signaling a coming global cyber war

The identities most sought after by cyber criminals today are those associated with machines. This is because the digital wizardry driving modern society relies heavily on machine-to-machine communications. And guess what? No one is really watching authentication and privileged access with respect to those machines very closely.

It’s my belief that every consumer and every company will very soon come to realize that a new breed of criminal – machine-identity thieves – will soon become all-powerful, and not in a good way. Here’s why:

Fresh attack surface

If you haven’t heard, we are undergoing “digital transformation.” Digital advances are coming at us fast and furious. Consumers have become accustomed to conveniently accessing clever services delivered by a sprawling matrix of machines, and not just traditional computer servers.

The machines enabling digital transformation include virtual instances of computers created and maintained in the Internet cloud, as well as myriad instances of software “microservices” and “containers” that come and go as part of the dynamic processes that make all of this happen.

Each machine must continually communicate with countless other machines. And as the number of machines has skyrocketed, so has the volume of machine identities. From a criminal’s perspective, each machine represents an opportunity to slip into the mix and take control. And each machine identity represents a key to get in the door.

Machine-identity capers

The creation of this vast new attack surface isn’t just theoretical. It’s tangible and threat actors are on the move. “Hackers are stealing machine identities, and using them in attacks, and it’s happening more and more,” says Jeff Hudson, CEO of security supplier Venafi. …more

Q&A: Here’s why it has become vital for companies to deter ‘machine-identity thieves’

By Byron V. Acohido

We’re undergoing digital transformation, ladies and gentlemen. And we’re in a nascent phase where clever advances are blossoming even as unprecedented data breaches arise in parallel.

The latest example of this dichotomy comes from Timehop, a service that enables social media users to plug into their past. On Sunday, Timehop shared details about how a hacker got into their network, conducted several reconnaissance forays, and then moved swiftly on July 4th to pilfer personal information for 21 million Timehop users, including their social media “access tokens.”

Related article: How DevOps contributed to the Uber hack

Much like the recent hacks of Uber and Tesla, the Timehop caper revolved around the attackers manipulating admin credentials and maneuvering extensively through Timehop’s cloud environment.

I recently had a fascinating conversation with Jeff Hudson, CEO of Venafi, about why we are currently in a situation where criminally motivated actors are proving to be every bit as innovative as legitimate businesses, when it comes to leveraging cloud services, and developing breakthrough uses of mobile computing and the Internet of things.

Venafi is a leading supplier of machine identity protection; it helps companies secure authentication and privileged access to key components of critical systems. As such, Hudson argues persuasively that the root of the matter comes down to the need for organizations to keep a much closer account of access logons and encryption keys. And they must do this, not just for human users, but especially for machine-to-machine communications.

For a drill down on our conversation, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: Can you frame what’s going on with identities when it comes to digital transformation? …more

MY TAKE: Knowing these 5 concepts will protect you from illicit cryptocurrency mining

By Byron V. Acohido

The cryptocurrency craze rages on, and one unintended consequence is the dramatic rise of illicit cryptocurrency mining.

It takes computing power to transform digital calculations into crypto cash, whether it be Bitcoin or one of the many other forms of digital currency.

Related podcast: How cryptomining malware is beginning to disrupt cloud services

So, quite naturally, malicious hackers are busying themselves inventing clever ways to leech computing power from unwitting victims — and directing these stolen computing cycles towards lining their pockets with freshly mined crypto cash.

Individual consumers have been the prime victims for more than a year. And now small- and medium-sized businesses (SMBs) are being increasingly targeted — especially companies rushing to tap into cloud services such as Amazon Web Services, Microsoft Azure and Google Cloud.

To help you unpack all of this, here are five fundamental concepts that will help you understand why you should reduce your exposure to illicit cryptocurrency mining.

• Cryptocurrency basics. Bitcoin gets created by solving an increasingly difficult math problem; the difficulty factor has risen to the point where Bitcoin today can only be mined by special-purpose computers that consume massive amounts of electricity.

However, Monero, Ethereum, Bytecoin and other cryptocurrencies have come along that can still be mined by ordinary computing devices. So naturally, cryptocurrency mining services have cropped up. Coinhive is a notable example. …more

Will cryptocurrency mining soon saturate AWS, Microsoft Azure and Google Cloud?

By Byron V. Acohido

Don’t look now but cryptojacking may be about to metastasize into the scourge of cloud services.

Cryptojacking, as defined by the Federal Trade Commission, is the use of JavaScript code to capture cryptocurrencies in users’ browsers without asking permission. There’s a temptation to dismiss it as a mere nuisance; companies deep into ‘digital transformation,’ in particular, might be lulled into this sort of apathy.

Related: Why cryptojacking is more insidious than ransomware

On its face, the damage caused by cryptojacking may appear to be mostly limited to consumers and website publishers who are getting their computing resources diverted to mining fresh units of Monero, Ethereum and Bytecoin on behalf of leeching attackers.

However, closer inspection reveals how cryptojacking morphed out of the ransomware plague of 2015 and 2016. What’s more, by connecting a few dots, it becomes clear a recent surge of cryptojacking could signal a steep rise in a similar form of illicit cryptocurrency mining — one that could materially disrupt cloud services, namely Amazon Web Services, Microsoft Azure and Google Cloud.

I arrived at these conclusions after a riveting discussion with Juniper Networks’ cybersecurity strategist Nick Bilogorskiy, one of the top analysts tracking emerging cyber threats. For a drill down on our discussion, please listen to the accompanying podcast. Here are excerpts edited for clarity and length: …more

Why big companies ignore SAP security patches — and how that could bite them, big time

By Byron V. Acohido

Threat actors in the hunt for vulnerable targets often look first to ubiquitous platforms. It makes perfect sense for them to do so.

Related article: Triaging open-source exposures

Finding a coding or design flaw on Windows OS can point the way to unauthorized access to a treasure trove of company networks that use Windows. The same holds true for probing widely used open source protocols, as occurred when Heartbleed and Shellshock came to light.

There is yet another widely-used business platform that malicious hackers have turned their attention to. It is SAP’s enterprise resource planning (ERP) applications.

SAP serves as the digital plumbing for dozens of multinationals; it is deeply embedded in 87 percent of the top 2000 global companies, enabling and integrating ERP functions, such as sales, production, human resources and finance, as well as other core systems.

SAP is no different than any other complex software. Vulnerability researchers, ranging from penetration testers to threat actors, continually seek out fresh security flaws which SAP subsequently issues patches for. The trouble has been that SAP patches can be troublesome to implement, and so very often get postponed.

In 2016 the U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued three separate security alerts warning SAP customers to install security patches, including one issued six years earlier that had gone widely ignored.

Many large enterprises have been lagging in SAP patches. This exposure is pervasive. And it is only a matter of time before threat actors pull off a high-profile data breach. …more

Mobile security advances to stopping device exploits — not just detecting malicious apps

By Byron V. Acohido

The most profound threat to corporate networks isn’t the latest, greatest malware. It’s carbon-based life forms.

Humans tend to be gullible and impatient. With our affiliations and preferences put in play by search engines and social media, we’re perfect patsies for social engineering. And because we are slaves to convenience, we have a propensity for taking shortcuts when it comes to designing, configuring and using digital systems.

Related article: Is your mobile device spying on you?

This hasn’t worked terribly well for defending modern business networks from cyberattacks. And now we are on the verge of making matters dramatically worse as smartphones and IoT devices proliferate.

I recently had a chance to discuss this state of affairs with J.T. Keating, vice president of product strategy at Zimperium, a Dallas-based supplier of mobile device security systems. Launched in 2010 by a Samsung consultant who saw the handwriting on the wall, Zimperium has grown to 140 employees and attracted $60 million in venture capital from Warburg Pincus, SoftBank, Samsung, Telstra and Sierra Ventures.

The company is seeking to frame and address mobile security much differently than the traditional approach to endpoint security. “When you have billions of mobile devices that aren’t well protected, and the users are primarily responsible for controlling them, it makes for very ripe targeting,” Keating told me.

For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: What’s most worrisome about mobile security?

Keating: If you’re a consumer, you should really care about malicious apps. The vast majority of the mobile malware we see is designed for fraud. A perfect example of one going around right now is called Bankbot. A user will …more