Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

My Take

 

Q&A: Here’s why securing mobile apps is an essential key to tempering political division

By Byron V. Acohido

Finally, Facebook and Twitter muzzled Donald Trump, preventing him from using his favorite online bully pulpits to spread disinformation. It only took Trump inciting a failed coup d’état that cost five lives.

Related: How a Russian social media app is radicalizing disaffected youth

The action taken by Facebook and Twitter last week was a stark reminder of how digital tools and services can be manipulated by badly motivated parties in insidious ways.

The risks and exposures intrinsic to our favorite digital tools and services runs very deep, indeed. This is something that we’re going to have to address. As the presidential election unfolded in the fall, for example, there were revelations about how mobile apps used by political candidates were rife with security flaws that played right into the hands of propagandists and conspiracy theorists.

Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API exposures, took a close look at the gaping vulnerabilities in mobile app used by the Biden and Trump campaigns, respectively, and came up with a scoring system to rate the security-level of each camp’s main mobile app to reach voters.

On Android, the Official Trump 2020 App ranked nearly three times as secure as the Vote Joe App, for a simplistic reason: the Trump app used the most recent version of Android OS. Newer versions of Android provided more security and privacy benefits.

That said, neither the Biden nor the Trump apps enforced Android’s Verify Apps feature, which scans for potentially harmful Apps on the device. If the Verify Apps feature is turned off, any apps side-loaded onto the user’s device do not get scanned for malware, Doug Dooley, Data Theorem’s chief operating officer, told me.

MY TAKE: How Russia is leveraging insecure mobile apps to radicalize disaffected males

By Byron V. Acohido

How did we get to this level of disinformation? How did we, the citizens of the United States of America, become so intensely divided?

It’s tempting to place the lion’s share of the blame on feckless political leaders and facile news media outlets. However, that’s just the surface manifestation of what’s going on.

Related: Let’s not call it ‘fake news’ any more.

Another behind-the-scenes component — one that is not getting the mainstream attention it deserves — has been cyber warfare. Russian hacking groups have set out to systematically erode Western democratic institutions — and they’ve been quite successful at it. There’s plenty of evidence illustrating how Russia has methodically stepped-up cyber attacks aimed at achieving strategic geopolitical advantage over rivals in North America and Europe.

I’m not often surprised by cybersecurity news developments these days. Yet, one recent disclosure floored me. A popular meme site, called iFunny, has emerged as a haven for disaffected teen-aged boys who are enthralled with white supremacy. iFunny is a Russian company; it was launched in 2011 and has been downloaded to iOS and Android phones an estimated 10 million times.

In the weeks leading up to the 2020 U.S. presidential election, investigators at Pixalate, a Palo Alto, Calif.-based supplier of fraud management technology, documented how iFunny distributed data-stealing malware and, in doing so, actually targeted smartphone users in the key swing states of Pennsylvania, Michigan and Wisconsin. The public is unlikely to ever learn who ordered this campaign, and what they did — or intend to do, going forward — with this particular trove of stolen data.

Advertising practices

Even so, this shared intelligence from Pixalate is instructive. It vividly illustrates how threat actors have gravitated to hacking vulnerable mobile apps. The state of mobile app security is poor. Insecure mobile apps represent a huge and growing attack vector. Mobile apps are being pushed out of development more rapidly than ever, … more

SHARED INTEL: Coming soon — ‘passwordless authentication’ as a de facto security practice

By Byron V. Acohido

As a tradeoff for enjoying our digital lives, we’ve learned to live with password overload and even tolerate two-factor authentication.

But now, at long last, we’re on the brink of eliminating passwords altogether, once and for all.

Related:  CEOs quit Tweeting to protect their companies

A confluence of technical and social developments points to username-and-password logons becoming obsolete over the next few years. What’s more, this shift could very well kick into high gear as part of the solidifying of post Covid-19 business practices and online habits.

I had a chance to discuss this seminal transition with George Avetisov, co-founder and chief executive officer of HYPR, a Manhattan-based supplier of advanced authentication technologies. For a full drill down on our eye-opening conversation, please give a listen to the accompanying podcast. Here are a few big takeaways.

Password tradeoffs 

Passwords have always been a big pain. They must be convoluted to be any good, which means they’re difficult to remember, especially since the average person has to juggle passwords to access dozens of online accounts. From a business perspective, managing and resetting passwords chews up scarce resources, and yet even with the best possible maintenance passwords are trivial to hack.

For most of the Internet era, we’ve learned to live with these tradeoffs. However, in the last couple of years the harm wrought by the abuse of passwords has spiked exponentially. The reason: credential stuffing. This is a type of advanced, brute-force hacking that leverages automation.

By deploying botnets pre-loaded with stolen data, credential stuffing gangs are able to insert stolen usernames and passwords into web page forms, at scale, until they gain access to a valuable account. Credential stuffing has enabled criminal hacking rings to turbo-charge their malware spreading and account hijacking campaigns. And when Covid-19 hit, these attackers opportunistically pivoted to plundering Covid-19 relief funds at an ungodly scale.

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

By Byron V. Acohido

The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Melon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.

Related: Companies sustain damage from IoT attacks

That was back in 1982. Since then, IoT devices have become widely and deeply integrated into our homes, businesses, utilities and transportations systems. This has brought us many benefits. And yet our pervasive deployment of IoT systems has also vastly expanded the cyber attack surface of business networks, especially in just the past few years.

And now Covid-19 is having a multiplier effect on these rising IoT exposures. Nine months into the global pandemic an ominous dynamic is playing out.

Remote work and remote schooling have spiked our reliance on IoT systems to a scale no one could have predicted; and much of this sudden, dramatic increase is probably going to be permanent. In response, threat actors are hustling to take full advantage.

This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond. This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.

However, this will require a concerted, proactive effort by the business community —  enterprises and small- and mid-sized businesses alike. Individual citizens, consumers and workers have a big role to play as well. Each one of us will have to cooperate and make sacrifices. A lot is at stake. Here’s what all companies and individuals should fully grasp about our IoT systems under attack, post Covid-19.

MY TAKE: How ‘credential stuffing’ is being deployed to influence elections, steal Covid-19 relief

By Byron V. Acohido

What do wildfires and credential stuffing have in common?

Related: Automated attacks leverage big data

For several years now, both have flared up and caused harm at the fringes of population centers and our digital economy. And, now, in 2020, both have escalated to catastrophic proportions.

Just after Labor Day, dried out trees and shrubs combined with high winds to erupt into massive wildfires that swiftly engulfed rural towns and even suburban areas of California, Oregon, Washington and several other states. Millions of acres of land got consumed, hundreds of thousands of people were evacuated and dozens lost their lives.

Meanwhile, all year long and continuing through the fall, opportunistic cybercriminals have launched wave after wave of automated credential stuffing campaigns. These bad actors are wreaking havoc in two arenas: Stealing Covid-19 relief payments on a massive scale as well as meddling, once again, in the election of a U.S. president.

The wildfires eventually subsided with calmer, damper meteorological conditions. However, massive surges of credential stuffing have persisted, fueled by a seemingly endless supply of already stolen, or easy-to-steal, personal information along with the wide availability of sophisticated hacking tools.

MY TAKE: Lessons learned from the summer of script kiddies hacking Twitter, TikTok

By Byron V. Acohido

Graham Ivan Clark, Onel de Guzman and Michael Calce. These three names will go down in the history of internet commerce, right alongside Jack Dorsey, Mark Zuckerberg and Jeff Bezos.

Related: How ‘Zero Trust’ is compatible with agile computing

We’re all familiar with the high-profile entrepreneurs who gave us the tools and services that underpin our digital economy. However, Clark, de Guzman and Calce are equally notable as leading members of the Hall of Fame of script kiddies – youngsters who precociously shed light on the how these same tools and services are riddled with profound privacy and security flaws.

The trouble is Clark, 17, of Tampa, Florida, is teaching us much the same lessons in the summer of 2020 that de Guzman and Calce did in the spring of 2000. De Guzman authored the I Love You email virus that circled the globe infecting millions of PCs; Calce, aka Mafiaboy, released the Melissa Internet worm that knocked offline Amazon, CNN, eBay and Yahoo.

Judging from the success of script kiddies, the tech giants apparently have not learned very much about security in 20 years. Clark was arrested in late July and charged with masterminding the hijacking of the Twitter accounts of A-list celebrities, and then Tweeting from those accounts to pull off a Bitcoin scam. His caper is worrisome on two counts. First it shows how resistant companies continue to be with respect to embracing very doable cyber hygiene practices – measures that would prevent these sorts of hacks. And second, it reminds us how much capacity to wreak havoc truly malicious parties — not just script kiddies – possess. This is chilling considering the times we’re in. On the cusp of electing a U.S. president, with the world struggling to recover from a global pandemic, there are nuanced lessons we can learn from the Twitter Bitcoin hack. Here’s what all consumers and companies should heed going forward.

MY TAKE: Even Google CEO Sundar Pichai agrees that it is imperative to embed ethics into AI

By Byron V. Acohido

It took a global pandemic and the death of George Floyd to put deep-seated social inequities, especially systemic racism, front and center for intense public debate.

Related: Will ‘blockchain’ lead to more equitable wealth distribution?

We may or may not be on the cusp of a redressing social injustice by reordering our legacy political and economic systems. Only time will tell. Either way, a singular piece of technology – artificial intelligence (AI) — is destined to profoundly influence which way we go from here.

This is not just my casual observation. Those in power fully recognize how AI can be leveraged to preserve status-quo political and economic systems, with all of its built-in flaws, more or less intact.

Conversely, consumer advocates and diversity experts can see how AI could be utilized to redistribute political power more equitably, and in doing so, recalibrate society – including blunting systemic racism.

In late January, as COVID-19 was beginning to spread, the most powerful people on the planet flew to Davos, Switzerland to attend the 50th annual World Economic Forum. AI was prominent on their agenda. These heads of state and captains of industry even coined a buzz phrase, “stakeholder capitalism,” to acknowledge the need to take into account the interests of the economically disadvantaged and politically powerless citizens of the world as they bull ahead with commercial and political uses of AI.“AI is one of the most profound things we’re working on as humanity,” Sundar Pichai, CEO of Alphabet, Google’s parent holding company, told Bloomberg News in Davos. “It’s more profound than fire or electricity.”