Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Privacy

 

ROUNDTABLE: Kaseya hack exacerbates worrisome supply-chain, ransomware exposures

By Byron V. Acohido

It was bound to happen: a supply-chain compromise, ala SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devasting implications.

Related: The targeting of supply chains

Last Friday, July 2, in a matter of a few minutes,  a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs)  as their primary tool to remotely manage IT systems on behalf of SMBs.

REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs —  for payments of $45,000, payable in Minera. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.

Like SolarWinds and Colonial Pipeline, Miami-based software vendor, Kaseya, was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a  crisis recovery mode faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.

SHARED INTEL: ‘Credential stuffers’ leverage enduring flaws to prey on video game industry

By Byron V Acohido

The video game industry saw massive growth in 2020; nothing like a global pandemic to drive  people to spend more time than ever gaming.

Related: Credential stuffers exploit Covid 19 pandemic

Now comes a report from Akamai detailing the extent to which cyber criminals preyed on this development. The video game industry withstood nearly 11 billion credential stuffing attacks in 2020, a 224 percent spike over 2019. The attacks were steady and large, taking place at a rate of millions per day, with two days seeing spikes of more than 100 million.

This metric shows how bad actors redoubled their efforts to rip off consumers fixated on spending  real money on character enhancements and additional levels. The big takeaway, to me, is how they accomplished  this – by refining and advancing credential stuffing.

Credential stuffing is a type of advanced brute force hacking that leverages software automation to insert stolen usernames and passwords into web page forms, at scale, until the attacker gains access to a targeted account.

We know from a Microsoft report how hacking groups backed by Russia, China and Iran have aimed such attacks against hundreds of organizations involved in both the 2020 presidential race and U.S.-European policy debates. And credential stuffing was the methodology used by a Nigerian crime ring

GUEST ESSAY: Why online supply chains remain at risk — and what companies can do about it

By Aanand Krishnan

The Solarwinds hack has brought vendor supply chain attacks — and the lack of readiness from enterprises to tackle such attacks — to the forefront.

Related: Equipping Security Operations Centers (SOCs) for the long haul

Enterprises have long operated in an implicit trust model with their partners. This simply means that they trust, but don’t often verify, that their partners are reputable and stay compliant over time. Given the dynamic nature of websites today and the constantly changing integrations to a site, this implicit trust model no longer suffices.

So what does the average modern website look like? More than 70 percent of the content that loads on an end user’s browser does not come from the website’s server at all. Enterprises are designing client heavy applications that are executed through JavaScript at runtime, and these browsers are acting as modern day OSes.

Let’s discuss how the SolarWinds hack relates to a regular website supply chain. Web architecture from the past decade followed a trend where most web applications were server heavy, and enterprises’ data centers handled the bulk of the processing. The web browser was more of a graphical interface or a rendering engine.

Due to optimized speeds and improved computing capacity on client devices, the architecture has evolved over the last few years.

MY TAKE: Massive data breaches persist as agile software development fosters full-stack hacks

By Byron V. Acohido

Data leaks and data theft are part and parcel of digital commerce, even more so in the era of agile software development.

Related: GraphQL APIs stir new exposures

Many of the high-profile breaches making headlines today are the by-product of hackers pounding away at Application Programming Interfaces (APIs) until they find a crease that gets them into the pathways of the data flowing between an individual user and myriad cloud-based resources.

It’s important to understand the nuances of these full-stack attacks if we’re ever to slow them down. I’ve had a few deep discussions about this with Doug Dooley, chief operating officer at Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API data protection. Here are a few key takeaways:

Targeting low-hanging fruit

Massive data base breaches today generally follow a distinctive pattern: hack into a client -facing application; manipulate an API; follow the data flow to gain access to an overly permissive database or S3 bucket (cloud storage). A classic example of this type of intrusion is the Capital One data breach.

Suspected Capital One hacker Paige Thompson was indicted for her alleged data breach and theft of more than 100 million people including 140,000 social security numbers and 80,000 linked bank accounts. The 33-year-old Amazon Web Services (AWS) software engineer was also accused of stealing cloud computer power on Capital One’s account to “mine” cryptocurrency for her own benefit, a practice known as “cryptojacking.”

Thompson began pounding away on the Capital One’s public-facing applications supposedly protected by their open-source Web Application Firewall (WAF), and succeeded in carrying out a  “Server Side Request Forgery” (SSRF) attack. By successfully hacking the client-facing application, she was then able to relay commands to a legacy AWS metadata service to obtain credentials.

Password and token harvesting is one of the most common techniques in hacking. Using valid credentials, Thompson was able to gain access using APIs … more

GUEST ESSAY: Data poverty is driving the growth of cybercrime – here’s how to reverse the trend

By Robert Panasiuk

Data poverty is real and it’s coming for your user accounts.

Related: Credential stuffing soars due to Covid-19

The current state of data in cybersecurity is a tale of The Haves and The Have-WAY-mores. All tech companies have data, of course, but the only data that’s truly valuable and provides insights—actionable data—isn’t as universal as it should be.

This “data poverty,” or dearth of actionable insights, is a problem for companies across many verticals. Cybersecurity should not be one of them. The sentinels working to prevent the next SolarWinds breach need all the Grade-A data they can get, and fast. Data democratization, on a privacy-compliant basis, is the only way they’ll get it.

The simple truth is that no cybersecurity company can compete with the data stacks of the FAAMG behemoths, which is why cybercrime is seeing a 63 percent boost over the past year.

It’s time to take steps to democratize data and fortunately there are examples of what this looks like in other industries that show how competing security outfits can link arms and still remain competitive.

Why can’t we be friends?

“Coopetition”—competing companies working together and sharing information—is not uncommon across other industries. Casinos trade intel on card counters. E-tailers partner with physical stores to increase their brick-and-mortar presence. Rival software companies exchanging data can involve more red tape, but fundamentally the information they share achieves the same goals: making more money and ensuring their customers receive the best possible service.

GUEST ESSAY: ‘World password day’ reminds us to embrace password security best practices

By Chad Cragle

We celebrated World Password Day on May 6, 2021.

Related: Credential stuffing fuels account takeovers

Did you know that this unconventional celebration got its start in 2013, and that it’s now an official holiday on the annual calendar? Every year, the first Thursday in May serves as a reminder for us to take control of our personal password strategies.

Passwords are now an expected and typical part of our data-driven online lives. In today’s digital culture, it’s not unusual to need a password for everything—from accessing your smartphone, to signing into your remote workspace, to checking your bank statements, and more. We’ve all grown used to entering passwords dozens of times per day, and because of this, we often take passwords for granted and forget how crucial they are.

With that in mind, what steps can you take to ensure that your personal data is protected at all times? As a data-driven, security-focused company, we’ve rounded up our top tips inspired by World Password Day to help you improve your password game.

Password overhaul

We know… just the mere thought of coming up with (and remembering) yet another new password is daunting. The average person has about 100 different passwords for the various tools, apps, websites, and online services they use on a regular basis. With so many passwords to keep track of, those familiar “Update Password” prompts tend to get bothersome.

But, unfortunately, we live in a world of constant hacking attempts and security breaches. While changing passwords may be inconvenient at times, following this password best practice can help prevent the following data catastrophes:

ROUNDTABLE: Experts react to President Biden’s exec order in the aftermath of Colonial Pipeline hack

By Byron V. Acohido

As wake up calls go, the Colonial Pipeline ransomware hack was piercing.

Related: DHS embarks on 60-day cybersecurity sprints

The attackers shut down the largest fuel pipeline in the U.S., compelling Colonial to pay them 75 bitcoins, worth a cool $5 million.

This very high-profile caper is part of an extended surge of ransomware attacks, which  quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, and is expected to rise 20 percent to 40 percent this year,  according to insurance giant Aon.

Ransomware is surging at at time when the global supply chain is being corrupted from inside out, as so vividly illustrated by the SolarWinds supply chain debacle.

In response, President Biden last week issued an executive order requiring more rigorous cybersecurity practices for federal agencies and contractors that develop software for the federal government. Last Watchdog asked a roundtable of cybersecurity industry experts for their reaction. Here’s what they said, responses edited for clarity and length:

Chenxi Wang, founder & general partner, Rain Capital

The new executive order is a swift response from the administration. It’s refreshing to see a government executive order that understands technology trends such as “zero trust”, is able to delineate “Operational Technology (OT)” from “information technology (IT,)” and can talk intelligently about supply chain risks.

While some of the measures stipulated in the order are considered table stakes like multi-factor authentication, the fact that the order exists will help to raise the collective security posture of products and services. It will not be sufficient to defend against sophisticated adversaries, but it will help organizations on the lower end of the capability spectrum to improve their cyber posture and defense.

Keatron Evans, principal security researcher, Infosec Institute

President Biden’s order was drafted with heavy involvement from actual cybersecurity experts, and this is encouraging. Requiring federal agencies to produce an actionable plan to implement Zero Trust Architecture is … more