Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

My Take

 

ROUNDTABLE: Targeting the supply-chain: SolarWinds, then Mimecast and now UScellular

By Byron V. Acohido

It’s only February — and 2021 already is rapidly shaping into the year of supply-chain hacks.

Related: The quickening of cyber warfare

The latest twist: mobile network operator UScellular on Jan. 21 disclosed how cybercriminals broke into its Customer Relationship Management (CRM) platform as a gateway to compromise the cell phones of an undisclosed number of the telecom giant’s customers.

This bad news from UScellular follows similarly troubling disclosures from networking software supplier SolarWinds and from email security vendor Mimecast.

The SolarWinds hack came to light in mid-December and has since become a red hot topic in the global cybersecurity community.

Video: What all companies need to know about the SolarWinds hack

Meanwhile, Mimecast followed its Jan. 12 disclosure of a digital certificate compromise with a Jan. 26 posting confirming that the compromise was at the hands of the same nation-state threat group behind the SolarWinds hack and subsequent attacks on various technology companies and federal government agencies.

And now UScellular admits that it detected its network breach on Jan. 6, some two days after the attackers gained unauthorized access. The intruders got in by tricking UScellular retail store employees into downloading malicious software on store computers.

MY TAKE: With disinformation running rampant, embedding ethics into AI has become vital

By Byron V. Acohido

Plato once sagely observed, “A good decision is based on knowledge and not on numbers.” 

Related: How a Russian social media site radicalized U.S. youth

That advice resonates today, even as we deepen our reliance on number crunching — in the form of the unceasing machine learning algorithms whirring away in the background of our lives, setting in motion many of the routine decisions each of us make daily.

However, as Plato seemingly foresaw, the underlying algorithms we’ve come to rely on are only as good as the human knowledge they spring from. And sometimes the knowledge transfer from humans to math formulas falls well short.

Last  August, an attempt by the UK government to use machine learning to conjure and dispense final exam grades to quarantined high-schoolers proved to be a disastrous failure. Instead of keeping things operable in the midst of a global pandemic, the UK officials ended up exposing the deep systemic bias of the UK’s education systems, in a glaring way. 

Then, in November, the algorithms pollsters invoked to predict the outcome of the 2020 U.S. presidential election proved drastically wrong — again, even after the pollsters had poured their knowledge into improving their predictive algorithms after the 2016 elections.  

Q&A: Here’s why securing mobile apps is an essential key to tempering political division

By Byron V. Acohido

Finally, Facebook and Twitter muzzled Donald Trump, preventing him from using his favorite online bully pulpits to spread disinformation. It only took Trump inciting a failed coup d’état that cost five lives.

Related: How a Russian social media app is radicalizing disaffected youth

The action taken by Facebook and Twitter last week was a stark reminder of how digital tools and services can be manipulated by badly motivated parties in insidious ways.

The risks and exposures intrinsic to our favorite digital tools and services runs very deep, indeed. This is something that we’re going to have to address. As the presidential election unfolded in the fall, for example, there were revelations about how mobile apps used by political candidates were rife with security flaws that played right into the hands of propagandists and conspiracy theorists.

Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API exposures, took a close look at the gaping vulnerabilities in mobile app used by the Biden and Trump campaigns, respectively, and came up with a scoring system to rate the security-level of each camp’s main mobile app to reach voters.

On Android, the Official Trump 2020 App ranked nearly three times as secure as the Vote Joe App, for a simplistic reason: the Trump app used the most recent version of Android OS. Newer versions of Android provided more security and privacy benefits.

That said, neither the Biden nor the Trump apps enforced Android’s Verify Apps feature, which scans for potentially harmful Apps on the device. If the Verify Apps feature is turned off, any apps side-loaded onto the user’s device do not get scanned for malware, Doug Dooley, Data Theorem’s chief operating officer, told me.

MY TAKE: How Russia is leveraging insecure mobile apps to radicalize disaffected males

By Byron V. Acohido

How did we get to this level of disinformation? How did we, the citizens of the United States of America, become so intensely divided?

It’s tempting to place the lion’s share of the blame on feckless political leaders and facile news media outlets. However, that’s just the surface manifestation of what’s going on.

Related: Let’s not call it ‘fake news’ any more.

Another behind-the-scenes component — one that is not getting the mainstream attention it deserves — has been cyber warfare. Russian hacking groups have set out to systematically erode Western democratic institutions — and they’ve been quite successful at it. There’s plenty of evidence illustrating how Russia has methodically stepped-up cyber attacks aimed at achieving strategic geopolitical advantage over rivals in North America and Europe.

I’m not often surprised by cybersecurity news developments these days. Yet, one recent disclosure floored me. A popular meme site, called iFunny, has emerged as a haven for disaffected teen-aged boys who are enthralled with white supremacy. iFunny is a Russian company; it was launched in 2011 and has been downloaded to iOS and Android phones an estimated 10 million times.

In the weeks leading up to the 2020 U.S. presidential election, investigators at Pixalate, a Palo Alto, Calif.-based supplier of fraud management technology, documented how iFunny distributed data-stealing malware and, in doing so, actually targeted smartphone users in the key swing states of Pennsylvania, Michigan and Wisconsin. The public is unlikely to ever learn who ordered this campaign, and what they did — or intend to do, going forward — with this particular trove of stolen data.

Advertising practices

Even so, this shared intelligence from Pixalate is instructive. It vividly illustrates how threat actors have gravitated to hacking vulnerable mobile apps. The state of mobile app security is poor. Insecure mobile apps represent a huge and growing attack vector. Mobile apps are being pushed out of development more rapidly than ever, … more

SHARED INTEL: Coming soon — ‘passwordless authentication’ as a de facto security practice

By Byron V. Acohido

As a tradeoff for enjoying our digital lives, we’ve learned to live with password overload and even tolerate two-factor authentication.

But now, at long last, we’re on the brink of eliminating passwords altogether, once and for all.

Related:  CEOs quit Tweeting to protect their companies

A confluence of technical and social developments points to username-and-password logons becoming obsolete over the next few years. What’s more, this shift could very well kick into high gear as part of the solidifying of post Covid-19 business practices and online habits.

I had a chance to discuss this seminal transition with George Avetisov, co-founder and chief executive officer of HYPR, a Manhattan-based supplier of advanced authentication technologies. For a full drill down on our eye-opening conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

Password tradeoffs 

Passwords have always been a big pain. They must be convoluted to be any good, which means they’re difficult to remember, especially since the average person has to juggle passwords to access dozens of online accounts. From a business perspective, managing and resetting passwords chews up scarce resources, and yet even with the best possible maintenance passwords are trivial to hack.

For most of the Internet era, we’ve learned to live with these tradeoffs. However, in the last couple of years the harm wrought by the abuse of passwords has spiked exponentially. The reason: credential stuffing. This is a type of advanced, brute-force hacking that leverages automation.

By deploying botnets pre-loaded with stolen data, credential stuffing gangs are able to insert stolen usernames and passwords into web page forms, at scale, until they gain access to a valuable account. Credential stuffing has enabled criminal hacking rings to turbo-charge their malware spreading and account hijacking campaigns. And when Covid-19 hit, these attackers opportunistically pivoted to plundering Covid-19 relief funds at an ungodly scale.

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

By Byron V. Acohido

The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Melon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.

Related: Companies sustain damage from IoT attacks

That was back in 1982. Since then, IoT devices have become widely and deeply integrated into our homes, businesses, utilities and transportations systems. This has brought us many benefits. And yet our pervasive deployment of IoT systems has also vastly expanded the cyber attack surface of business networks, especially in just the past few years.

And now Covid-19 is having a multiplier effect on these rising IoT exposures. Nine months into the global pandemic an ominous dynamic is playing out.

Remote work and remote schooling have spiked our reliance on IoT systems to a scale no one could have predicted; and much of this sudden, dramatic increase is probably going to be permanent. In response, threat actors are hustling to take full advantage.

This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond. This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.

However, this will require a concerted, proactive effort by the business community —  enterprises and small- and mid-sized businesses alike. Individual citizens, consumers and workers have a big role to play as well. Each one of us will have to cooperate and make sacrifices. A lot is at stake. Here’s what all companies and individuals should fully grasp about our IoT systems under attack, post Covid-19.

MY TAKE: How ‘credential stuffing’ is being deployed to influence elections, steal Covid-19 relief

By Byron V. Acohido

What do wildfires and credential stuffing have in common?

Related: Automated attacks leverage big data

For several years now, both have flared up and caused harm at the fringes of population centers and our digital economy. And, now, in 2020, both have escalated to catastrophic proportions.

Just after Labor Day, dried out trees and shrubs combined with high winds to erupt into massive wildfires that swiftly engulfed rural towns and even suburban areas of California, Oregon, Washington and several other states. Millions of acres of land got consumed, hundreds of thousands of people were evacuated and dozens lost their lives.

Meanwhile, all year long and continuing through the fall, opportunistic cybercriminals have launched wave after wave of automated credential stuffing campaigns. These bad actors are wreaking havoc in two arenas: Stealing Covid-19 relief payments on a massive scale as well as meddling, once again, in the election of a U.S. president.

The wildfires eventually subsided with calmer, damper meteorological conditions. However, massive surges of credential stuffing have persisted, fueled by a seemingly endless supply of already stolen, or easy-to-steal, personal information along with the wide availability of sophisticated hacking tools.