Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Podcasts

 

PODCAST: US cyber foes take cue from government shutdown; rise in malware deployment under way

By Byron V. Acohido

One profound consequence of Donald Trump’s shutdown of the federal government, now in day 33, is what a boon it is to US cyber adversaries. And moving forward, the long run ramifications are likely to be dire, indeed.

Related: Welcome to the ‘golden age’ of cyber espionage

With skeleton IT crews manning government networks, America’s adversaries — China, Russia, North Korea, Iran and others in Eastern Europe and the Middle East —  have seized the opportunity to dramatically step up both development and deployment of sophisticated cyberweapons targeting at federal systems, says Jeremy Samide, CEO of Stealthcare, supplier of a threat intelligence platform that tracks and predicts attack patterns.

For a full drill down on the stunning intelligence Samide shared with Last Watchdog, please listen to the accompanying podcast. In a nutshell, Trump’s government shutdown has lit a fire under nation-state backed cyber spies to accelerate the development and deployment of high-end cyberweapons designed to be slipped deep inside of hacked networks and stealthily exfiltrate sensitive data and/or remain at the ready to cripple control systems.

This spike in activity has been very methodical, Samide told Last Watchdog. Operatives are stepping up probes of vulnerable access points on the assumption that no one is guarding the playground, Samide says.  At the same time, they are also accelerating development of the latest iterations of weaponry of the class of Eternal Blue, the NSA’s top-shelf cyberweapon that was stolen, leaked and subsequently used to launch the highly invasive WannaCry and NotPetya worms.

The longer the Trump government shut down continues, the more time US cyber adversaries will have to design and deploy heavily-cloaked malware —  and embed this digital weaponry far and wide in federal business networks and in critical infrastructure systems, Samide says.

What’s more, the longer the government closure continues, the more likely it is that key IT staffers with cybersecuritiy experience will choose to move to the private sector where there is an acute skills shortage. …more

MY TAKE: Why security innovations paving the way for driverless cars will make IoT much safer

By Byron V. Acohido

Intelligent computing systems have been insinuating themselves into our homes and public gathering places for a while now.

But smart homes, smart workplaces and smart shopping malls are just the warm-up act. Get ready for smart ground transportation.

Related: Michigan’s Cyber Range hubs help narrow talent gap

Driverless autos, trucks and military transport vehicles are on a fast track for wide deployment in the next five years. The good news is that there is some very deep, behind-the-scenes research and development work being done to make driverless vehicles safe and secure enough for public acceptance.

I’m encouraged that this work should produce a halo effect on other smart systems, ultimately making less-critical Internet of Things systems much more secure, as well.

These sentiments settled in upon returning from my recent visit to Detroit, Ann Arbor and Grand Rapids. I was part of a group of journalists escorted on a tour of cybersecurity programs and facilities hosted by the Michigan Economic Development Corp., aka the MEDC.

One of our stops was at a freshly-erected skunk works for auto software research set up in a low-slung warehouse – previously a country western bar – in rural Sparta, on the outskirts of Grand Rapids. The warehouse today is home to Grimm, an Arlington, VA – based cyber research firm that specializes in embedded systems security, and whose claim to fame is doing proprietary projects for U.S. military and intelligence agencies.

Deep testing

Grimm received a $216,000 MEDC grant to set up shop in Sparta and direct its expertise towards discovering security flaws in autonomous vehicle systems under development by Detroit’s big car makers. …more

GUEST ESSAY: Pentagon’s security flaws highlighted in GAO audit — and recent data breach

By Sherban Naum

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks.

Related: Why carpet bombing email campaigns endure

And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas. By extension these developments are yet another reminder of why constantly monitoring and proactively defending business networks must be a prime directive at all large organizations, public and private.

A U.S.  Government Accountability Office audit last week found that the defense department is playing catch up when it comes to securing weapons systems from cyberattacks.  At an earlier Senate hearing,  GAO auditors described how DoD has failed to adequately address numerous warnings about how the rising use of automation and connectivity in weapons systems also tend to result in a fresh tier of critical vulnerabilities.

And then last Friday, as if to serve as a reminder that even routine security best practices may  not be getting the emphasis they deserve, the Pentagon disclosed how attackers manipulated the account of a third-party vendor to access DoD travel records.

The result: personal information and credit card data of at least 30,000 U.S. military and civilian personnel were compromised.  Don’t be surprised if the number of victims climbs higher, as we learned from the 2015 hack of 21.5 million personnel records from the U.S. Office of Personnel Management.

Supply chain gaps

The hacking of DoD travel records raises an important nuance. Five years after hackers broke into Target via its HVAC vendor, it remains as crucial as ever to stay on top of trust decisions about who can gain access to a supply chain, and under what criteria.

Naum

One has to assume that DoD specified certain security controls at the time the contract was awarded to the travel services vendor. …more

MY TAKE: Cyber attacks on industrial controls, operational technology have only just begun

By Byron V. Acohido

“May you live in interesting times.” The old Chinese proverb–some consider it a blessing and others a curse–certainly describes the modern-day cyber landscape.

Related: 7 attacks that put us at the brink of cyber war

In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’ business and industrial sectors, using more and more sophisticated weaponry to do so.

With the bulls-eye on a country’s financial Achilles heel, state-sponsored attackers are sowing chaos, disruption and fear. And the risks are multiplying as more digital devices become connected in insufficiently secured environments.

Monitoring and management of many existing industrial control systems’ (ICS) embedded devices, like pumps, valves and turbines, are ancient in technological terms. And until recently, security surrounding operational technology (OT) – the networks that run production operations – have been siloed, or air-gapped, from information technology (IT) operations, which work in the corporate space. Isolating OT operations from public networks like the internet had once been considered best practice.

Dismantling the silos

But Gartner and others now recommend merging OT and IT security. Convergence of the two in the industrial internet of things (IIoT) makes for better communication and access to online data and processes, but it also flings the door wide open for nefarious activity by cyber criminals. Espionage scenarios that once were the basis of movies and novels now have become real-life exploits.

I talked to Phil Neray, vice president of industrial security at CyberX, a company founded in 2013 that operates a platform for real-time security of the industrial internet.

Read on to learn what Neray has to say about industrial security, then hear a more in-depth discussion on the subject on the accompanying podcast:

As organizations digitize their operations and add more sensors and other devices to the production environment, …more

MY TAKE: The many ways social media is leveraged to spread malware, manipulate elections

By Byron V. Acohido

Remember how we communicated and formed our world views before Facebook, Twitter, Instagram, Reddit, CNN and Fox News?

We met for lunch, spoke on the phone and wrote letters. We got informed, factually, by trusted, honorable sources. Remember Walter Cronkite?

Today we’re bombarded by cable news and social media. And Uncle Walt has been replaced by our ‘friend circles.’

This is well-understood by those with malicious intent and hacking capabilities. And this is why they’ve adopted social media as the go-to platform for spreading malware and propaganda.

Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, has been studying this development closely. I spoke with Hahad at Black Hat USA 2018. Give a listen to our full conversation on the accompanying podcast. Here are a few takeaways:

Faked social media

It’s human nature to trust people a little more who are in your circle of friends. We’re wired to relax our judgment and click more quickly on items sent by someone we’re familiar with, be it an image, a document, a video clip or a webpage link.

It goes further than that, Hahad argues. He contends that a lot of us tend to more quickly believe the information shared by our circle of friends, and that we often fail to verify and think critically. And this is exactly what Hahad and his team of security analysts observed during the 2016 elections.

“The most publicly visible aspect is swaying voter opinion on certain questions,” he explains. “That has been happening through the fake accounts we know of, through a lot of the fake websites that have been specifically put up to promote certain views, and some of that was to mostly sway discourse.”

The second aspect was less publicized, but it is a technique regularly used in the past to compromise users and businesses. The bad actors went phishing to gain access to candidates’ inner circles, …more

Q&A: Reddit breach shows use of ‘SMS 2FA’ won’t stop privileged access pillaging

By Byron V. Acohido

The recent hack of social media giant Reddit underscores the reality that all too many organizations — even high-visibility ones that ought to know better —  are failing to adequately lock down their privileged accounts.

Related: 6 best practices for cloud computing

An excerpt from Reddit’s mea culpa says it all:  “On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

It’s safe to assume that Reddit has poured a small fortune into security, including requiring employees to use SMS-delivered one-time passcodes in order to access sensitive company assets.

But here’s the rub: Reddit overlooked the fact that SMS 2FA systems are useful only up to a point. It turns out they can be subverted with just a modicum of effort. SIM card hijacking, for instance, is a scam in which a threat actor persuades the phone company to divert data to a new address. And then there’s SS7 hacking, which leverages known flaws in the global SMS infrastructure to intercept data in transit — including passcodes.

In fact, SMS attacks are being refined and improved daily. This is because they are useful in targeting big companies. This summer alone, in the wake of the Reddit hack, British mobile phone retailer Carphone Warehouse, ticketing giant Ticketmaster, telecom company T-Mobile and British Airways disclosed huge data compromises of similar scale and methodology. …more

MY TAKE: Here’s why we need ‘SecOps’ to help secure ‘Cloud Native’ companiess

By Byron V. Acohido

For many start-ups, DevOps has proven to be a magical formula for increasing business velocity. Speed and agility is the name of the game — especially for Software as a Service (SaaS) companies.

Related: How DevOps enabled the hacking of Uber

DevOps is a process designed to foster intensive collaboration between software developers and the IT operations team, two disciplines that traditionally have functioned as isolated silos with the technology department.

It’s rise in popularity has helped drive a new trend for start-ups to go “Cloud Native,” erecting their entire infrastructure, from the ground up, leveraging cloud services like Amazon Web Services, Microsoft Azure and Google Cloud.

Security burden

Though DevOps-centric organizations can gain altitude quickly, they also tend to generate fresh security vulnerabilities at a rapid clip, as well. Poor configuration of cloud services can translate into gaping vulnerabilities—and low hanging fruit for hackers, the recent Tesla hack being a prime example. In that caper,  a core API was left open allowing them to exploit it and begin using Tesla’s servers to mine cryptocurrency. Rising API exposures are another big security concern, by the way.

Because Amazon, Microsoft and Google provide cloud resources under a “shared responsibility” security model, a large burden rests with the user to be aware of, and mitigate latent security weaknesses.

In fact, it’s much more accurate for organizations tapping into cloud services and utilizing DevOps to think of cloud security as a functioning under …more