Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

My Take

 

MY TAKE: What it takes to beat cybercrime in the age of DX and IoT: personal responsibility

By Byron V. Acohido

Back in 2004, when I co-wrote this USA TODAY cover story about spam-spreading botnets, I recall advising my editor to expect cybersecurity to be a headline-grabbing topic for a year or two more, tops.

Related:  A primer on machine-identity exposures

I was wrong. Each year over the past decade-and-a-half, a cause-and-effect pattern has spread more pervasively into the fabric of modern society. Each and every major advance of Internet-centric commerce – from e-tailing and email, to social media and mobile computing, and now on to the Internet of Things – has translated into an exponential expansion of the attack surface available to cybercriminals.

And malicious hackers have taken full advantage – whether they are motivated by criminal profits, backed by nation-state operatives, or simply desirous of bragging rights. Year-in and year-out, criminal innovation has far outpaced the effort on the part of companies and governments to defend their business networks, as well as to preserve the sanctity of our private data.

…more

NEW TECH: Can Project Furnace secure DX — by combining serverless computing and GitOps?

By Byron V. Acohido

Assuring the privacy and security of sensitive data, and then actually monetizing that data, — ethically and efficiently — has turned out to be the defining challenge of digital transformation.

Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace, an all-new open source software development platform.

Related: The need to fold ‘SecOps’ into ‘DevOps’

I had the chance to sit down with Furnace Ignite’s co-founders: John Blamire, chief operating officer, and Danny Waite, chief technology officer,  for a pre-launch briefing.

They walked me through how Project Furnace began as a quest to improve the output of SIEM (security information and event management) systems.

However, beyond improving legacy appproachs to network security, Blamire and Waite explained why they firmly believe Furnace could ultimately accelerate the design and implementation of all smart software — the next generation of apps destined to run everything from our shopping experiences to our driverless cars and our smart homes and cities. Here are takeaways from our meeting:

DX context

Furnace, in essence, seeks to aid and abet digital transformation, or DX, the ongoing digitization of essentially all human endeavors into a machine-readable format that can be automatically acted upon. DX is the wider context, here, in the sense that DX is made possible because of the rise of “datafication” — the processes by which we’ve come to rapaciously collect and store mind-boggling amounts of data from web forms, social media, mobile apps, surveillance cameras, IoT sensors and the like.

In 2016, Waite was assigned the task of coming up with a much better way to extract …more

MY TAKE: Why Satya Nadella is wise to align with privacy advocates on regulating facial recognition

By Byron V. Acohido

We’re just a month and change into the new year, and already there have been two notable developments underscoring the fact that some big privacy and civil liberties questions need to be addressed before continuing the wide-scale deployment of advanced facial recognition systems.

This week civil liberties groups in Europe won the right to challenge the UK’s bulk surveillance activities in the The Grand Chamber of the European Court of Human Rights.

Related: Snowden on unrestrained surveillance

“The surveillance regime the UK government has built seriously undermines our freedom,” Megan Golding, a lawyer speaking for privacy advocates, stated. “Spying on vast numbers of people without suspicion of wrongdoing violates everyone’s right to privacy and can never be lawful.”

That development followed bold remarks made by none other than Microsoft CEO Satya Nadella just a few weeks earlier at the World Economic Forum in Davos, Switzerland.

Nadella expressed deep concern about facial recognition, or FR, being used for intrusive surveillance and said he welcomed any regulation that helps the marketplace “not be a race to the bottom.”

Ubiquitous surveillance

You may not have noticed, but there has been a flurry of breakthroughs in biometric technology, led by some leapfrog advances in facial recognition systems over the past couple of years. Now facial recognition appears to be on the verge of blossoming commercially, with security use-cases paving the way.

Last November,  SureID, a fingerprint services vendor based in Portland, Ore., announced a partnership with Robbie.AI, a Boston-based developer of a facial recognition system designed to be widely deployed on low-end cameras.

The partners aim to combine fingerprint and facial data to more effectively authenticate employees in workplace settings. And their grander vision is to help establish a nationwide biometric database in which a hybrid facial ID/fingerprint can be used for things such as fraud-proofing retail transactions, or, say, taking a self-driving vehicle for a spin.

However, the push back by European privacy advocates and Nadella’s call for regulation highlights the privacy and civil liberties conundrums advanced surveillance technologies poses. It’s a healthy thing that a captain of industry can see this. These are weighty issues …more

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

By Byron V. Acohido

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Related: Massive Marriott breach closes out 2018

Ever wonder where the tens of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, Linked In,  Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches ends up?

This data gets collected and circulated in data bases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by  anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the injection of surreptitiously obtained usernames and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords. …more

MY TAKE: ‘Bashe’ attack theorizes a $200 billion ransomware raid using NSA-class cyber weapons

By Byron V. Acohido

A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe.

Related: U.S. cyber foes exploit government shutdown

The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real life WannaCry and NotPetya ransomware worms that plagued thousands of organizations in 2017.

The exercise was commissioned by Lloyd’s of London, the Cambridge Centre for Risk Studies and the Nanyang Technological University in Singapore, among others. In their construct, the fictional cyber ring behind Bashe leverages lessons learned from missteps made in WannaCry and NotPetya, with the aim of making Bashe “the most infectious malware of all time.”

It should not be forgotten that WannaCry and NotPetya made use of some of the  69 cyber weapons stolen from the NSA and released publicly by a group known as Shadow Brokers. These weapons were designed by NSA software engineers to take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

EternalBlue pedigree

Keep in mind, globe-spanning ransomware worms are just one of endless ways the NSA weapons, often referred to as “EternalBlue,” could be leveraged. While the Lloyd’s study focuses on the ransomware scenario, it’s reasonable to believe threat actors of every stripe are developing other ways to utilize EternalBlue-class cyber weaponry.

This creates a responsibility for every organization to consider this report and assess what damage control might entail, says Darin Pendergraft, vice president of product marketing at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data. …more

MY TAKE: 3 privacy and security habits each individual has a responsibility to embrace

By Byron V. Acohido

Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear?

Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized by malicious parties.

Related: Long run damage of 35-day government shutdown

Why we’re in the ‘Golden Age’ of cyber espionageThe fact is cyber criminals are expert at refining and carrying out phishing, malvertising and other tried-and-true ruses that gain them access to a targeted victim’s Internet-connected computing device. And the malware that subsequently gets installed continues to get more stealthy and capable with each advancing iteration.

This has become an engrained pattern in our modern digital world. A vivid illustration comes from Palo Alto Networks’ Unit 42 forensics team. Researchers recently flushed out a new variety of the Xbash family of malware tuned to seek out administrators’ rights and take control of Linux servers. This variant of Xbash is equipped to quietly uninstall any one of five popular types of cloud security protection and monitoring products used on such servers.

Targeting one device

The end game for this particular hacking ring is to install crypto currency mining routines on compromised Linux servers. But the larger point is that Xbash is just one of dozens of malware families circulating far and wide across the Internet. Xbash gets rolling by infecting one device, which then serves as the launch pad for deeper hacking forays limited only by the attacker’s initiative.

To be sure, it’s not as if the good guys aren’t also innovating. Worldwide spending on information security products and services rose to $114 billion in 2018, up from $102 billion in 2017, an increase of 12.4 percent, according to tech consultancy Gartner. …more

PODCAST: US cyber foes take cue from government shutdown; rise in malware deployment under way

By Byron V. Acohido

One profound consequence of Donald Trump’s shutdown of the federal government, now in day 33, is what a boon it is to US cyber adversaries. And moving forward, the long run ramifications are likely to be dire, indeed.

Related: Welcome to the ‘golden age’ of cyber espionage

With skeleton IT crews manning government networks, America’s adversaries — China, Russia, North Korea, Iran and others in Eastern Europe and the Middle East —  have seized the opportunity to dramatically step up both development and deployment of sophisticated cyberweapons targeting at federal systems, says Jeremy Samide, CEO of Stealthcare, supplier of a threat intelligence platform that tracks and predicts attack patterns.

For a full drill down on the stunning intelligence Samide shared with Last Watchdog, please listen to the accompanying podcast. In a nutshell, Trump’s government shutdown has lit a fire under nation-state backed cyber spies to accelerate the development and deployment of high-end cyberweapons designed to be slipped deep inside of hacked networks and stealthily exfiltrate sensitive data and/or remain at the ready to cripple control systems.

This spike in activity has been very methodical, Samide told Last Watchdog. Operatives are stepping up probes of vulnerable access points on the assumption that no one is guarding the playground, Samide says.  At the same time, they are also accelerating development of the latest iterations of weaponry of the class of Eternal Blue, the NSA’s top-shelf cyberweapon that was stolen, leaked and subsequently used to launch the highly invasive WannaCry and NotPetya worms.

The longer the Trump government shut down continues, the more time US cyber adversaries will have to design and deploy heavily-cloaked malware —  and embed this digital weaponry far and wide in federal business networks and in critical infrastructure systems, Samide says.

What’s more, the longer the government closure continues, the more likely it is that key IT staffers with cybersecuritiy experience will choose to move to the private sector where there is an acute skills shortage. …more