Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

My Take

 

MY TAKE: Surfshark boosts ‘DIY security’ with its rollout of VPN-supplied antivirus protection

By Byron V. Acohido

Surfshark wants to help individual citizens take very direct control of their online privacy and security.

Thus, Surfshark has just become the first VPN provider to launch an antivirus solution as part of its all-in-one security bundle Surfshark One.

Related: Turning humans into malware detectors

This development is part and parcel of rising the trend of VPN providers hustling to deliver innovative “DIY security” services into the hands of individual consumers.

It’s notable that this is happening at a time when Microsoft, Apple and Google are going the opposite direction – by natively embedding more consumer-grade security services into their popular operating systems, like Windows, Mac, IoS and Android. And let’s not forget the longstanding, multi-billion market of antivirus software subscriptions directed at consumers.

The consumer anti-virus vendors have been generating massive subscription revenue for two decades; though this market is mature and in a consolidation phase, it is not going to disappear anytime soon, as suggested by  NortonLifeLock’s $8 billion buyout of Avast.

Last year I agreed to serve a one-year term on Surfshark’s advisory board. I accepted because I appreciated Surfshark’s emphasis on privacy and security — and saw it as a way to learn more about the consumer cybersecurity market.

ROUNDTABLE: Why T-Mobile’s latest huge data breach could fuel attacks directed at mobile devices

By Byron V. Acohido

TMobile has now issued a formal apology and offered free identity theft recovery services to nearly 48 million customers for whom the telecom giant failed to protect their sensitive personal information.

At the start of this week, word got out that hackers claimed to have seized personal data for as many as 100 million T-Mobile  patrons.

Related: Kaseya hack worsens supply chain risk

This stolen booty reportedly included social security numbers, phone numbers, names, home addresses, unique IMEI numbers, and driver’s license information.

Once more, a heavily protected enterprise network has been pillaged by data thieves. Last Watchdog convened a roundtable of cybersecurity experts to discuss the ramifications, which seem all too familiar. Here’s what they had to say, edited for clarity and length:

Allie Mellen, analyst, Forrester

According to the attackers, this was a configuration issue on an access point T-Mobile used for testing. The configuration issue made this access point publicly available on the Internet. This was not a sophisticated attack. T-Mobile left a gate left wide open for attackers – and attackers just had to find the gate.”

T-Mobile is offering two free years of identity protection for affected customers, but ultimately this is pushing the responsibility for the safety of the data onto the user. Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say, ‘This is the best we can do.’

Chris Clements, VP of Solutions Architecture, Cerberus Sentinel

ROUNDTABLE: Kaseya hack exacerbates worrisome supply-chain, ransomware exposures

By Byron V. Acohido

It was bound to happen: a supply-chain compromise, ala SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devasting implications.

Related: The targeting of supply chains

Last Friday, July 2, in a matter of a few minutes,  a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs)  as their primary tool to remotely manage IT systems on behalf of SMBs.

REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs —  for payments of $45,000, payable in Minera. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.

Like SolarWinds and Colonial Pipeline, Miami-based software vendor, Kaseya, was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a  crisis recovery mode faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.

SHARED INTEL: Microsoft discloses how the Nobelium hacking ring engages in routine phishing

By Byron V. Acohido

Microsoft has blunted the ongoing activities of the Nobelium hacking collective, giving us yet another glimpse of the unceasing barrage of hack attempts business networks must withstand on a daily basis.

Related: Reaction to Biden ‘s cybersecurity executive order

Nobelium is the Russian hacking collective best known for pulling off the milestone SolarWinds supply chain hack last December. That caper required the intricate counterfeiting of software updates sent out automatically by SolarWinds to 18,000 customers. And yet, for all of its sophistication, Nobelium also engages in routine phishing campaigns to get a foothold in targeted organizations. This of course is how they get a toehold to go deeper.

In this case, the attackers leveraged information gleaned from a Microsoft worker’s computing device. In a blog posting, Microsoft disclosed that it “detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers” and that “the actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.”

Microsoft said it notified the targeted 150 organizations, which included “IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.”

MY TAKE: A path for SMBs to achieve security maturity: start small controlling privileged accounts

By Byron V. Acohido

The challenge of embracing digital transformation while also quelling the accompanying cyber risks has never been greater for small- and mid-sized businesses.

Related: How ‘PAM’ improves authentication

SMBs today face a daunting balancing act. To boost productivity, they must leverage cloud infrastructure and participate in agile software development. But this also opens up a sprawling array of fresh security gaps that threat actors are proactively probing and exploiting.

Somehow SMBs must keep pace competitively, while also tamping down the rising risk of suffering a catastrophic network breach.

There’s a glut of innovative security solutions, to be sure, and no shortage of security frameworks designed to help companies mitigate cyber risks. Leading-edge cybersecurity systems in service today apply machine learning in some amazing ways to help large enterprises identify and instantly respond to cyber threats.

However, this is overkill for many, if not most, SMBs. Day in and day out their core security struggle boils down to making it harder for intruders to attain and manipulate remote access. And it doesn’t take enterprise-grade security systems to accomplish this.

I’ve had several discussions about this with Maurice Côté, vice president of business solutions at Devolutions, a Montreal, Canada-based supplier of remote desktop management services. We talked about how Devolutions has been guiding its SMB customers

MY TAKE: Massive data breaches persist as agile software development fosters full-stack hacks

By Byron V. Acohido

Data leaks and data theft are part and parcel of digital commerce, even more so in the era of agile software development.

Related: GraphQL APIs stir new exposures

Many of the high-profile breaches making headlines today are the by-product of hackers pounding away at Application Programming Interfaces (APIs) until they find a crease that gets them into the pathways of the data flowing between an individual user and myriad cloud-based resources.

It’s important to understand the nuances of these full-stack attacks if we’re ever to slow them down. I’ve had a few deep discussions about this with Doug Dooley, chief operating officer at Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API data protection. Here are a few key takeaways:

Targeting low-hanging fruit

Massive data base breaches today generally follow a distinctive pattern: hack into a client -facing application; manipulate an API; follow the data flow to gain access to an overly permissive database or S3 bucket (cloud storage). A classic example of this type of intrusion is the Capital One data breach.

Suspected Capital One hacker Paige Thompson was indicted for her alleged data breach and theft of more than 100 million people including 140,000 social security numbers and 80,000 linked bank accounts. The 33-year-old Amazon Web Services (AWS) software engineer was also accused of stealing cloud computer power on Capital One’s account to “mine” cryptocurrency for her own benefit, a practice known as “cryptojacking.”

Thompson began pounding away on the Capital One’s public-facing applications supposedly protected by their open-source Web Application Firewall (WAF), and succeeded in carrying out a  “Server Side Request Forgery” (SSRF) attack. By successfully hacking the client-facing application, she was then able to relay commands to a legacy AWS metadata service to obtain credentials.

Password and token harvesting is one of the most common techniques in hacking. Using valid credentials, Thompson was able to gain access using APIs … more

MY TAKE: Why monetizing data lakes will require applying ‘attribute-based’ access rules to encryption

By Byron V. Acohido

The amount of data in the world topped an astounding 59 zetabytes in 2020, much of it pooling in data lakes.

Related:  The importance of basic research

We’ve barely scratched the surface of applying artificial intelligence and advanced data analytics to the raw data collecting in these gargantuan cloud-storage structures erected by Amazon, Microsoft and Google. But it’s coming, in the form of driverless cars, climate-restoring infrastructure and next-gen healthcare technology.

In order to get there, one big technical hurdle must be surmounted. A new form of agile cryptography must get established in order to robustly preserve privacy and security as all this raw data gets put to commercial use.

I recently had the chance to discuss this with Kei Karasawa, vice president of strategy, and Fang Wu, consultant, at NTT Research, a Silicon Valley-based think tank which is in the thick of deriving the math formulas that will get us there.

They outlined why something called attribute-based encryption, or ABE, has emerged as the basis for a new form of agile cryptography that we will need in order to kick digital transformation into high gear.

For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Cloud exposures

Data lakes continue to swell because each second of every day, every human, on average, is creating 1.7 megabytes of fresh data. These are the rivulets feeding the data lakes.

A zettabyte equals one trillion gigabytes. Big data just keeps getting bigger. And we humans crunch as much of it as we can by applying machine learning and artificial intelligence to derive cool new digital services. But we’re going to need the help of quantum computers to get to the really amazing stuff, and that hardware is coming.

As we press ahead into our digital future, however, we’ll also need to retool the public-key-infrastructure. PKI is the authentication and encryption framework … more