Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Imminent threats

 

Black Hat insights: All-powerful developers begin steering to the promise land of automated security

By Byron V. Acohido

Software developers have become the masters of the digital universe.

Related: GraphQL APIs pose new risks

Companies in the throes of digital transformation are in hot pursuit of agile software and this has elevated developers to the top of the food chain in computing.

There is an argument to be made that agility-minded developers, in fact, are in a terrific position to champion the rearchitecting of Enterprise security that’s sure to play out over the next few years — much more so than methodical, status-quo-minded security engineers.

With Black Hat USA 2021 reconvening in Las Vegas this week, I had a deep discussion about this with Himanshu Dwivedi, founder and chief executive officer, and Doug Dooley, chief operating officer, of Data Theorem, a Palo Alto, CA-based supplier of a SaaS security platform to help companies secure their APIs and modern applications.

For a full drill down on this evocative conversation discussion please view the accompanying video. Here are the highlights, edited for clarity and length:

LW:  Bad actors today are seeking out APIs that they can manipulate, and then they follow the data flow to a weakly protected asset. Can you frame how we got here?

Dwivedi: So 20 years ago, as a hacker, I’d go see where a company registered its IP. I’d do an ARIN Whois look-up. I’d profile their network and build an attack tree. Fast forward 20 years and everything is in the cloud. Everything is in Amazon Web Services, Google Cloud Platform or Microsoft Azure and I can’t tell where anything is hosted based solely on IP registration.

So as a hacker today, I’m no longer looking for a cross-site scripting issue of some website since I can only attack one person at a time with that. I’m looking at the client, which could be an IoT device, or a mobile app or a single page web app (SPA) or it could be an … more

Comment | Read | August 3rd, 2021 | Black Hat Podcasts | For consumers | For technologists | Imminent threats | Top Stories | Videos

SHARED INTEL: Ramifications of 86 cities storing citizens’ data in misconfigured AWS S3 buckets

By Byron V. Acohido

The ethical hackers at WizCase recently disclosed another stunning example of sensitive consumer data left out in the open in the public cloud —  for one and all to access.

Related: How stolen data gets leveraged in full-stack attacks

This latest high-profile example of security sloppiness was uncovered by a team of white hat hackers led by Ata Hakçil. They found personal documents, collected by over 80 US municipalities, sitting in Amazon Web Services S3 storage buckets left wide open in the public cloud.

This included citizens’ physical addresses, phone numbers, drivers’ licenses, tax documents, and more.  There was no need for a password or login credentials to access this information, and the data was not encrypted.

The WizCase team traced this exposure  back to a cloud-delivered information management tool — mapsonline.net, supplied by Woburn, Mass.-based PeopleGIS.  WizCase reached out to PeopleGIS and the S3 buckets in question have since been secured.

Some 114 Amazon S3 storage buckets used a common naming pattern associated with  PeopleGIS; of those 28 appeared to be properly configured, and were not accessible without proper credentials; but 86 were accessible without any password nor encryption. The WizCase team outlined three ways this could have happened:

•PeopleGIS created and handed over the buckets to their city customers, and some of them made sure these were properly configured

Comment | Read | July 27th, 2021 | For consumers | For technologists | Imminent threats | Privacy | Top Stories

ROUNDTABLE: Kaseya hack exacerbates worrisome supply-chain, ransomware exposures

By Byron V. Acohido

It was bound to happen: a supply-chain compromise, ala SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devasting implications.

Related: The targeting of supply chains

Last Friday, July 2, in a matter of a few minutes,  a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs)  as their primary tool to remotely manage IT systems on behalf of SMBs.

REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs —  for payments of $45,000, payable in Minera. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.

Like SolarWinds and Colonial Pipeline, Miami-based software vendor, Kaseya, was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a  crisis recovery mode faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.

Comment | Read | July 8th, 2021 | For technologists | Imminent threats | My Take | Privacy | Top Stories

SHARED INTEL: ‘Credential stuffers’ leverage enduring flaws to prey on video game industry

By Byron V Acohido

The video game industry saw massive growth in 2020; nothing like a global pandemic to drive  people to spend more time than ever gaming.

Related: Credential stuffers exploit Covid 19 pandemic

Now comes a report from Akamai detailing the extent to which cyber criminals preyed on this development. The video game industry withstood nearly 11 billion credential stuffing attacks in 2020, a 224 percent spike over 2019. The attacks were steady and large, taking place at a rate of millions per day, with two days seeing spikes of more than 100 million.

This metric shows how bad actors redoubled their efforts to rip off consumers fixated on spending  real money on character enhancements and additional levels. The big takeaway, to me, is how they accomplished  this – by refining and advancing credential stuffing.

Credential stuffing is a type of advanced brute force hacking that leverages software automation to insert stolen usernames and passwords into web page forms, at scale, until the attacker gains access to a targeted account.

We know from a Microsoft report how hacking groups backed by Russia, China and Iran have aimed such attacks against hundreds of organizations involved in both the 2020 presidential race and U.S.-European policy debates. And credential stuffing was the methodology used by a Nigerian crime ring

Comment | Read | July 7th, 2021 | For consumers | For technologists | Imminent threats | Privacy | Top Stories

SHARED INTEL: Akamai reports web attack traffic spiked 62 percent in 2020 — all sectors hit hard

By Byron V. Acohido

Some instructive fresh intelligence about how cyber attacks continue to saturate the Internet comes to us from Akamai Technologies.

Related: DHS launches 60-day cybersecurity sprints

Akamai, which happens to be the Hawaiian word for “smart,” recently released its annual State of the Internet security report. As a leading global content delivery network (CDN), Akamai has a birdseye view of what is coursing through cyber space moment-by-moment. In 2020, it saw 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations — an increase of more than 45 percent year-over-year in that sector.

Meanwhile, threat actors’ siege on web applications surged 62 percent in 2020 vs.  2019: Akamai observed nearly 6.3 billion web app attacks last year, with more than 736 million targeting financial services.

The majority were SQL Injection (SQLi) attacks, which made up 68 percent of all web app attacks in 2020; Local File Inclusion (LFI) attacks came in second at 22 percent. However, in the financial services industry, LFI attacks were the number one web application attack type in 2020 at 52 percent, with SQLi at 33 percent and Cross-Site Scripting at 9 percent.

I had the chance to visit with the estimable Steve Ragan, the Akamai analyst who put together this report. I’ve known Ragan for a long time and greatly respect his work. He’s excellent at putting himself in the shoes of the threat actors. Here are excerpts of our discussion, edited for clarity and length.

Q: The scale of ‘attacks’ in 2020 is astronomical: 6.3 billion web attacks globally; 736 million in the financial services sector. Can you break this down, and put it into a useful context? For instance, what constitutes a single web attack?

A: You’re right. It is astronomical. For Akamai, a single alert is an attack, and a group of attacks could be called a campaign. In 2020, we observed a healthy mix of both attacks and … more

Comment | Read | May 24th, 2021 | For technologists | Imminent threats | Top Stories

ROUNDTABLE: Experts react to President Biden’s exec order in the aftermath of Colonial Pipeline hack

By Byron V. Acohido

As wake up calls go, the Colonial Pipeline ransomware hack was piercing.

Related: DHS embarks on 60-day cybersecurity sprints

The attackers shut down the largest fuel pipeline in the U.S., compelling Colonial to pay them 75 bitcoins, worth a cool $5 million.

This very high-profile caper is part of an extended surge of ransomware attacks, which  quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, and is expected to rise 20 percent to 40 percent this year,  according to insurance giant Aon.

Ransomware is surging at at time when the global supply chain is being corrupted from inside out, as so vividly illustrated by the SolarWinds supply chain debacle.

In response, President Biden last week issued an executive order requiring more rigorous cybersecurity practices for federal agencies and contractors that develop software for the federal government. Last Watchdog asked a roundtable of cybersecurity industry experts for their reaction. Here’s what they said, responses edited for clarity and length:

Chenxi Wang, founder & general partner, Rain Capital

The new executive order is a swift response from the administration. It’s refreshing to see a government executive order that understands technology trends such as “zero trust”, is able to delineate “Operational Technology (OT)” from “information technology (IT,)” and can talk intelligently about supply chain risks.

While some of the measures stipulated in the order are considered table stakes like multi-factor authentication, the fact that the order exists will help to raise the collective security posture of products and services. It will not be sufficient to defend against sophisticated adversaries, but it will help organizations on the lower end of the capability spectrum to improve their cyber posture and defense.

Keatron Evans, principal security researcher, Infosec Institute

President Biden’s order was drafted with heavy involvement from actual cybersecurity experts, and this is encouraging. Requiring federal agencies to produce an actionable plan to implement Zero Trust Architecture is … more

Comment | Read | May 19th, 2021 | For consumers | For technologists | Imminent threats | My Take | Privacy | Top Stories

RSAC insights: Sophos report dissects how improved tools, tactics stop ransomware attack

By Byron V. Acohido

A new report from Sophos dissects how hackers spent two weeks roaming far-and-wide through the modern network of a large enterprise getting into a prime position to carry out what could’ve been a devasting ransomware attack.

Related: DHS embarks on 60-day cybersecurity sprints

This detailed intelligence about a ProxyLogon-enabled attack highlights how criminal intruders are blending automation and human programming skills to great effect. However, in this case, at least, they were detected and purged before hitting paydirt, demonstrating something that doesn’t get discussed often enough.

Enterprises actually have access to plenty of robust security technology, as well as proven tactics and procedures, to detect and defuse even leading-edge, multi-layered attacks. It’s clear to me that cybersecurity technical innovation and supporting frameworks, which includes wider threat intelligence sharing, are taking hold and making a material difference, albeit incrementally.

I had a lively discussion with Dan Schiappa, Sophos’ chief product officer, about this. For a drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Exploit surge

ProxyLogon refers to the critical vulnerability discovered in Microsoft Exchange mail servers early this year. Criminal hacking rings have been hammering away at this latest of a long line of zero-day flaws discovered in a globally distributed system. The pattern is all too familiar: they marshal their hacking infrastructure to take advantage of the window of time when there is a maximum number of vulnerable systems just begging to be hacked.

Comment | Read | May 12th, 2021 | For technologists | Imminent threats | My Take | Privacy | RSA Podcasts | Steps forward | Top Stories

Older Articles »