Imminent threats
GUEST ESSAY: Supply chain vulnerabilities play out in latest Pentagon personnel records breach

By Michael Magrath

It is disheartening, but not at all surprising, that hackers continue to pull off successful breaches of well-defended U.S. government strategic systems.

Related podcast: Cyber attacks on critical systems have only just begun

On Friday, Oct. 12, the Pentagon disclosed that intruders breached Defense Department travel records and compromised the personal information and credit card data of U.S. military and civilian personnel.

The Associated Press, quoting a U.S. official familiar with the matter, reported that the breach could have happened months ago, but was only recently discovered. At this juncture, as many as 30,000 federal employees are known to have been victimized, but that number may grow as the investigation continues.

The Pentagon has since issued a statement conceding that a department cyber team informed leaders about the breach on Oct. 4. Pentagon spokesman Lt. Col. Joseph Buccino now says that DoD continues to gather information on the size and scope of the hack, and is attempting to identify the culprits.

It does appear that this is another example of attacks successfully penetrating a weak supply chain link, underscoring the importance of addressing third-party risks.

Third-party risk

Buccino disclosed that authorities are examining a “breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel. …more

MY TAKE: The no. 1 reason ransomware attacks persist: companies overlook ‘unstructured data’

By Byron V. Acohido

All too many companies lack a full appreciation of how vital it has become to proactively manage and keep secure “unstructured data.”

One reason for the enduring waves of ransomware is that unstructured data is easy for hackers to locate and simple for them to encrypt.

Related video: Why it’s high time to protect unstructured data

Ironically, many victimized companies are paying hefty ransoms to decrypt unstructured data that may not be all that sensitive or mission critical.

I talked with Jonathan Sander, Chief Technology Officer with STEALTHbits Technologies, about this at Black Hat USA 2018.

The New Jersey-based software company is focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. For a drill down on our conversation about unstructured data exposures please listen to the accompanying podcast. A few takeaways:

Outside a database

Structured data can be human- or machine-generated, and is easily searchable information usually stored in a database, including names, Social Security numbers, phone numbers, ZIP codes.

Unstructured data (also human- or machine-generated) is basically everything else. Typical unstructured data includes a long list of files—emails, Word docs, social media, text files, job applications, text messages, digital photos, audio and visual files, spreadsheets, presentations, digital surveillance, traffic and weather data, and more. In a typical day, individuals and businesses create and share a tidal wave of this information.

The main difference between the two is organization and analysis. Most of the unstructured data generated in the course of conducting digital commerce doesn’t get stored in a database or any other formal management system.

For structured data, users can run simple analysis tools, i.e., content searches, to find what they need. But with no orderly internal framework, unstructured data defies data mining tools. Most human communication is via unstructured data; it’s messy and doesn’t fit into analytical algorithms.

Ransomware target

There is a mountain of unstructured data compared to a molehill of its structured counterpart. Gartner analysts estimate that over 80 percent of enterprise data is unstructured …more

MY TAKE: Here’s how anyone with $20 can hire an IoT botnet to blast out a week-long DDoS attack

By Byron V. Acohido

Distributed denial of service (DDoS) attacks continue to erupt all across the Internet showing not the faintest hint of leveling off, much less declining, any time soon.

Related video: How DDoS attacks leverage the Internet’s DNA

To the contrary, DDoS attacks appear to be scaling up and getting more sophisticated in lock step with digital transformation; DDoS attacks today are larger, more varied and come at the targeted website from so many more vectors than ever before.

This is borne out by Akamai Technologies’ Summer 2018 Internet Security/Web Attack Report.

Akamai, which optimizes the delivery of content for large enterprises, measured a 16 percent increase in the number of DDoS attacks recorded since last year.

That increase included far and away the largest DDoS attack ever recorded, when the popular code-sharing website GitHub got inundated by an astounding 1.35 terabytes per second of nuisance traffic. The attackers responsible for the GitHub attack very cleverly leveraged something called memcached database servers.

They accessed these otherwise obscure servers — which make up part of the Internet’s open infrastructure — and used them to massively amplify traffic directed at GitHub — to deafening levels.

Of course, we’ve not seen the last of these types of innovative, brute-force attacks. But that’s not all. DDoS attacks are evolving to become more diverse. A nascent cottage industry is starting to gel around DDoS botnets-for-hire, comprised of millions of compromised IoT devices. …more

MY TAKE: How the lack of API security translates into ‘digital transformation’ security holes

By Byron V. Acohido

If you’re not familiar with how Facebook, Twitter and YouTube make it so easy for you and me to easily access cool content they’ve collected and stored behind their respective firewalls, then you might think “API” is a trendy type of beer.

In fact, API stands for Application Programming Interface, the indispensable technology that makes it possible for software applications to exchange data across the Internet.

Related: Cross-site scripting threat heats up

APIs have been a cornerstone of our digital economy from the start. Without them, social media and software-as-a-service, as we’ve come to know them, wouldn’t exist. And today APIs are empowering companies to speed up complex software development projects – as part of digital transformation.

In short, APIs have emerged and endured as the linchpin of social media, cloud services and mobile computing; and they will remain pivotal as the Internet of Things expands.

However, just like every other tech breakthrough that rose rapidly to ubiquitous use, APIs have a gaping downside: an intrinsic lack of security. I recently had a chance to discuss the vulnerable state of APIs with Tim Arvanites, co-founder and chief technology officer of AAPI, a security startup which helps companies lock down their APIs. For a drill down on our conversation, please listen to the accompanying podcast. Here are a few big picture takeaways: …more

How ‘digital transformation’ gave birth to a new breed of criminal: ‘machine-identity thieves’

By Byron V. Acohido

There’s a new breed of identity thief at work plundering consumers and companies.

However, these fraudsters don’t really care about snatching up your credentials or mine. By now, your personal information and mine has been hacked multiple times and is readily on sale in the Dark Web. This has long been true of the vast majority of Americans.

Related article: 7 hacks signaling a coming global cyber war

The identities most sought after by cyber criminals today are those associated with machines. This is because the digital wizardry driving modern society relies heavily on machine-to-machine communications. And guess what? No one is really watching authentication and privileged access for those machines very closely.

It’s my belief that every consumer and every company will very soon come to realize that a new breed of criminal – machine-identity thieves – will soon become all-powerful, and not in a good way. Here’s why:

Fresh attack surface

If you haven’t heard, we are undergoing “digital transformation.” Digital advances are coming at us fast and furious. Consumers have grown accustomed to conveniently accessing clever services delivered by a sprawling matrix of machines, and not just traditional computer servers.

The machines enabling digital transformation include virtual instances of computers created and maintained in the Internet cloud, as well as myriad instances of software “microservices” and “containers” that come and go as part of the dynamic processes that make all of this happen.

Each machine must continually communicate with countless other machines. And as the number of machines has skyrocketed, so has the volume of machine identities. From a criminal’s perspective, each machine represents an opportunity to slip into the mix and take control. And each machine identity represents a key to get in the door.

Machine-identity capers

The creation of this vast new attack surface isn’t just theoretical. It’s tangible and threat actors are on the move. “Hackers are stealing machine identities, and using them in attacks, and it’s happening more and more,” says Jeff Hudson, CEO of security supplier Venafi. …more

Q&A: Here’s why it has become vital for companies to deter ‘machine-identity thieves’

By Byron V. Acohido

We’re undergoing digital transformation, ladies and gentlemen. And we’re in a nascent phase where clever advances are blossoming even as unprecedented data breaches arise in parallel.

The latest example of this dichotomy comes from Timehop, a service that enables social media users to plug into their past. On Sunday, Timehop shared details about how a hacker got into their network, conducted several reconnaissance forays, and then moved swiftly on July 4th to pilfer personal information for 21 million Timehop users, including their social media “access tokens.”

Related article: How DevOps contributed to the Uber hack

Much like the recent hacks of Uber and Tesla, the Timehop caper revolved around the attackers manipulating admin credentials and maneuvering extensively through Timehop’s cloud environment.

I recently had a fascinating conversation with Jeff Hudson, CEO of Venafi, about why we are currently in a situation where criminally motivated actors are proving to be every bit as innovative as legitimate businesses, when it comes to leveraging cloud services, and developing breakthrough uses of mobile computing and the Internet of things.

Venafi is a leading supplier of machine identity protection; it helps companies secure authentication and privileged access to key components of critical systems. As such, Hudson argues persuasively that the root of the matter comes down to the need for organizations to keep a much closer account of access logons and encryption keys. And they must do this, not just for human users, but especially for machine-to-machine communications.

For a drill down on our conversation, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: Can you frame what’s going on with identities when it comes to digital transformation? …more

MY TAKE: Knowing these 5 concepts will protect you from illicit cryptocurrency mining

By Byron V. Acohido

The cryptocurrency craze rages on, and one unintended consequence is the dramatic rise of illicit cryptocurrency mining.

It takes computing power to transform digital calculations into crypto cash, whether it be Bitcoin or one of the many other forms of digital currency.

Related podcast: How cryptomining malware is beginning to disrupt cloud services

So, quite naturally, malicious hackers are busying themselves inventing clever ways to leech computing power from unwitting victims — and directing these stolen computing cycles towards lining their pockets with freshly mined crypto cash.

Individual consumers have been the prime victims for more than a year. And now small- and medium-sized businesses (SMBs) are being increasingly targeted — especially companies rushing to tap into cloud services such as Amazon Web Services, Microsoft Azure and Google Cloud.

To help you unpack all of this, here are five fundamental concepts that will help you understand why you should reduce your exposure to illicit cryptocurrency mining.

• Cryptocurrency basics. Bitcoin gets created by solving an increasingly difficult math problem; the difficulty factor has risen to the point where Bitcoin today can only be mined by special-purpose computers that consume massive amounts of electricity.

However, Monero, Ethereum, Bytecoin and other cryptocurrencies have come along that can still be mined by ordinary computing devices. So naturally, cryptocurrency mining services have cropped up. Coinhive is a notable example. …more