Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Privacy

 

STEPS FORWARD: Math geniuses strive to make a pivotal advance — by obfuscating software code

By Byron V. Acohido

Most of time we take for granted the degree to which fundamental components of civilization are steeped in mathematics.

Everything from science and engineering to poetry and music rely on numeric calculations. Albert Einstein once observed that “pure mathematics is, in its way, the poetry of logical ideas.”

Related: How Multi Party Computation is disrupting encryption

An accomplished violinist, Einstein, no doubt, appreciated the symmetry of his metaphor. He was keenly aware of how an expressive Haydn symphony applied math principles in a musical context in much the same way has he did in deriving breakthrough physics theorems.

Math once more is being conjured to help civilization make a great leap forward. Digital technology, like music, is all about math. We’ve come a long way leveraging algorithms to deliver an amazing array of digital services over the past 30 years; yet so much more is possible.

Math is the linchpin to innovations that can dramatically improve the lives of billions of people, perhaps even save the planet. However, a quintessential math conundrum, is, for the moment, holding these anticipated advancements in check. The math community refers to this bottleneck as “indistinguishability obfuscation,” or iO.

Our top math geniuses point to iO as a cornerstone needed to unleash the full potential of artificially intelligent (AI) programs running across highly complex and dynamic cloud platforms, soon to be powered by quantum computers. Simply put, iO must be achieved in order to preserve privacy and security while tapping into the next generation of IT infrastructure.

I recently had the chance to discuss iO with Dr. Tatsuaki Okamoto, director of NTT Research’s Cryptography and Information Security (CIS) Lab, and Dr. Amit Sahai, professor of computer science at UCLA Samueli School of Engineering and director of UCLA Center for Encrypted Functionalities (CEF). NTT Research sponsored research led by Sahai that recently resulted in a achieving an important iO milestone.

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

By Byron V. Acohido

The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Melon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.

Related: Companies sustain damage from IoT attacks

That was back in 1982. Since then, IoT devices have become widely and deeply integrated into our homes, businesses, utilities and transportations systems. This has brought us many benefits. And yet our pervasive deployment of IoT systems has also vastly expanded the cyber attack surface of business networks, especially in just the past few years.

And now Covid-19 is having a multiplier effect on these rising IoT exposures. Nine months into the global pandemic an ominous dynamic is playing out.

Remote work and remote schooling have spiked our reliance on IoT systems to a scale no one could have predicted; and much of this sudden, dramatic increase is probably going to be permanent. In response, threat actors are hustling to take full advantage.

This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond. This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.

However, this will require a concerted, proactive effort by the business community —  enterprises and small- and mid-sized businesses alike. Individual citizens, consumers and workers have a big role to play as well. Each one of us will have to cooperate and make sacrifices. A lot is at stake. Here’s what all companies and individuals should fully grasp about our IoT systems under attack, post Covid-19.

MY TAKE: Lessons learned from the summer of script kiddies hacking Twitter, TikTok

By Byron V. Acohido

Graham Ivan Clark, Onel de Guzman and Michael Calce. These three names will go down in the history of internet commerce, right alongside Jack Dorsey, Mark Zuckerberg and Jeff Bezos.

Related: How ‘Zero Trust’ is compatible with agile computing

We’re all familiar with the high-profile entrepreneurs who gave us the tools and services that underpin our digital economy. However, Clark, de Guzman and Calce are equally notable as leading members of the Hall of Fame of script kiddies – youngsters who precociously shed light on the how these same tools and services are riddled with profound privacy and security flaws.

The trouble is Clark, 17, of Tampa, Florida, is teaching us much the same lessons in the summer of 2020 that de Guzman and Calce did in the spring of 2000. De Guzman authored the I Love You email virus that circled the globe infecting millions of PCs; Calce, aka Mafiaboy, released the Melissa Internet worm that knocked offline Amazon, CNN, eBay and Yahoo.

Judging from the success of script kiddies, the tech giants apparently have not learned very much about security in 20 years. Clark was arrested in late July and charged with masterminding the hijacking of the Twitter accounts of A-list celebrities, and then Tweeting from those accounts to pull off a Bitcoin scam. His caper is worrisome on two counts. First it shows how resistant companies continue to be with respect to embracing very doable cyber hygiene practices – measures that would prevent these sorts of hacks. And second, it reminds us how much capacity to wreak havoc truly malicious parties — not just script kiddies – possess. This is chilling considering the times we’re in. On the cusp of electing a U.S. president, with the world struggling to recover from a global pandemic, there are nuanced lessons we can learn from the Twitter Bitcoin hack. Here’s what all consumers and companies should heed going forward.

NEW TECH: Trend Micro flattens cyber risks — from software development to deployment

By Byron V. Acohido

Long before this awful pandemic hit us, cloud migration had attained strong momentum in the corporate sector. As Covid19 rages on, thousands of large to mid-sized enterprises are now slamming pedal to the metal on projects to switch over to cloud-based IT infrastructure.

A typical example is a Seattle-based computer appliance supplier that had less than 10 percent of its 5,000 employees set up to work remotely prior to the pandemic. Seattle reported the first Covid19 fatality in the U.S., and Washington was among the first states to issue shelter at home orders. Overnight, this supplier was forced to make the switch to 90 percent of its employees working from home.

As jarring as this abrupt shift to remote work has been for countless companies, government agencies and educational institutions, it has conversely been a huge boon for cyber criminals. The Internet from its inception has presented a wide open attack vector to threat actors. Covid19 has upgraded the Internet — from the criminals’ point of view — to a picture-perfect environment for phishing, scamming and deep network intrusions. Thus the urgency for organizations to put all excuses aside and embrace stricter cyber hygiene practices could not be any higher.

It’s a very good thing that the cybersecurity industry has been innovating apace, as well. Cybersecurity technology is far more advanced today than it was five years ago, or even two years ago.

Q&A: Sophos poll shows how attackers are taking advantage of cloud migration to wreak havoc

By Byron V. Acohido

Cloud migration, obviously, is here to stay.

Related: Threat actors add ‘human touch’ to hacks

To be sure, enterprises continue to rely heavily on their legacy, on-premises datacenters. But there’s no doubt that the exodus to a much greater dependency on hybrid cloud and multi-cloud resources – Infrastructure-as-a-Service (IaaS) and Platforms-as-a-Service (PaaS) – is in full swing.

Now comes an extensive global survey from Sophos, a leader in next generation cybersecurity, that vividly illustrates how cybercriminals are taking full advantage. For its State of Cloud Security 2020 survey, Sophos commissioned the polling of some 3,500 IT managers across 26 countries in Europe, the Americas, Asia Pacific, the Middle East, and Africa. The respondents were from organizations that currently host data and workloads in the public cloud.

Sophos found that fully 70% of organizations experienced a public cloud security incident in the last year. Furthermore, 50% encountered ransomware and other malware; 29% reported incidents of data getting exposed; 25% had accounts compromised; and 17% dealt with incidents of crypto-jacking. The poll also showed that organizations running multi-cloud environments were 50% more likely to suffer a cloud security incident than those running a single cloud.

Those findings were eye-opening, yes. But they were not at all surprising. Digital commerce from day one has revolved around companies bulling forward to take full advantage of wondrous decentralized, anonymous characteristics of the Internet, which began a military-academic experiment.

MY TAKE: Remote classes, mobile computing heighten need for a security culture in K-12 schools

By Byron V. Acohido

Parents have long held a special duty to protect their school-aged children from bad actors on the Internet.

Related: Mock attacks help schools defend themselves

Now COVID-19 has dramatically and permanently expanded that parental responsibility, as well as extended it to ill-prepared school officials in K-12 campuses all across the nation. The prospect of remotely-taught lessons remaining widespread for some time to come has profound privacy and cybersecurity implications, going forward.

Overnight, those in charge must learn how to operate all of our elementary, junior high and high schools as if they were digital-native startups. Students, parents and teachers at each K-12 facility, henceforth, need to be treated as the equivalent of remote workers given to using a wide variety of personally-owned computing devices and their favorite cloud services subscriptions. And it must be assumed that many of them are likely ignorant of good cyber hygiene practices.

School district officials will have to adapt and embrace a bold, new paradigm – and they’ll have to do it fast. The stakes are very high. Organized hacking groups will be quick to single out — and plunder — the laggards. Here’s what all parents and school officials need to spend the summer thinking about and planning for:

Zoom-bombing lessons

“Zoom-bombing” entered our lexicon soon after schools began their first attempts at using the suddenly indispensable video conferencing tool to conduct classes online. Attackers quickly figured how to slip obscenities and even pornographic videos into live classes.

This was an early indicator of how far most schools have to go in adopting an appropriate security posture. No one enforced the use of passwords, nor insisted on strict teacher control of those lessons. To Zoom’s credit, password protection and a “waiting room” feature,

MY TAKE: Technologists, privacy advocates point to flaws in the Apple-Google COVID-19 tracing app

By Byron V. Acohido

If the devastating health and economic ramifications weren’t enough, individual privacy is also in the throes of being profoundly and permanently disrupted by the coronavirus pandemic. The tech giants are partnering on a tool for public good, but critics worry it will ultimately get used for predatory surveillance.

Related: Europe levies big fines for data privacy missteps

Apple and Google are partnering up to bring technology to bear on COVID-19 contact tracing efforts. The tech giants are laudably putting aside any competitive urgings to co-develop a solution that combines mobile operating system, Bluetooth and GPS technologies to help us all get past the burgeoning health crisis.

However, in an apparent effort to live down Google’s abjectly poor track record respecting consumer privacy, the Apple-Google partnership is treading lightly to avoid anything that might hint at an undue invasion of individual privacy. In doing so, their proposed solution has a number of glaring technical and privacy-protection shortcomings, according to several technologists I spoke with.  In fact, the Apple-Google project has exacerbated a privacy controversy that flared up in Europe in the early stages, one that has more recently been picking up steam in the U.S., as well. Here’s how technologists and privacy experts see things stacking up:

Bluetooth-based tracing

Infected persons will be able to use their iPhones or Android devices to make their status known to a central server, which then correlates an anonymized identifier of the infected person to anonymized IDs of non-infected persons who happen to be in close proximity. The server then alerts the non-infected persons to self-immunize.