Privacy

MY TAKE: Coping with security risks, compliance issues spun up by ‘digital transformation’

By Byron V. Acohido

A core security challenge confronts just about every company today.

Related: Can serverless computing plus GitOps lock down DX?

Companies are being compelled to embrace digital transformation, or DX, if for no other reason than the fear of being left behind as competitors leverage microservices, containers and cloud infrastructure to spin up software innovation at high velocity.

While the benefits of DX are highly-touted, this shift has also spawned a whole new tier of unprecedented privacy and security challenges. On one hand, threat actors have already begun exploiting fresh attack vectors, borne of this rising complexity, and, on the other, government authorities and industry standards bodies are insisting on compliance with increasingly cumbersome data-handling security rules.

I had an evocative discussion at Black Hat USA 2019 with Andy Byron, president of Lacework, a Mountain View, CA-based start-up that has raised $32 million in venture capital to help companies address these conflicting imperatives. For a full drill down, give a listen to the accompanying podcast. Here are my big takeaways:

Tech stack exposures

Companies today routinely rely on software applications written by far-flung third-party developers busily mixing, matching and reusing modular “microservices” and packaging them inside of software “containers.” This all adds up to faster output by software development teams, which, in turn, has given impetus to the rise of “serverless” cloud infrastructure.

Two types of organizations are doing this, Byron told me. Established enterprises, dragging along their legacy datacenters, recognize this as the once-and-future path for cost savings, agility and speed to market. Meanwhile, next-gen companies, like Netflix, Uber and Airbnb, are proactively racing down this path, out of the gate.

“People are taking the development, building and management of applications and moving it into a new phenomenon called containers,” Byron says. “The cloud is kind of dragging this movement along and DevOps and security are center stage, at the moment.”

Shifting requirements

One way to understand the security hazards is to think about the radical changes being imposed on the traditional enterprise technology stack. A tech stack is the collection of software and tools companies cobble together to deploy apps, websites and other digital products. A couple of decades ago, when everything was on the company premises, sitting behind a firewall, security teams at least had a fighting chance to stay on top of things. …more

MY TAKE: Here’s how ‘bulletproof proxies’ help criminals put compromised IoT devices to work

By Byron V. Acohido

Between Q1 2019 and Q2 2019, malicious communications emanating from residential IP addresses in the U.S. – namely smart refrigerators, garage doors, home routers and the like – nearly quadrupled for the retail and financial services sectors.

Related: How botnets gave Trump 6 million faked followers

To put it plainly, this represented a spike in cyber attacks bouncing through ordinary Internet-connected devices humming away in homes across America. These attacks were carried out by cyber criminals leveraging an insidious new attack tool: bulletproof proxies.

What were they up to? IoT devices are proving to be an integral element for cyber criminals to launch automated attack campaigns to manipulate social media likes, create fake accounts, take over existing accounts, execute credential stuffing, content scraping, click fraud and carry out other cyber villainy.

This stunning intel comes in a study from Cequence Security, a Sunnyvale, CA-based vendor focused on helping companies defend against such attacks. These findings have huge implications, not just highlighting what a huge drain botnets have become to our Internet-centric economy, but also underscoring how botnets have become a disruptive force in political discourse, globally.

I had a deep discussion about this with Cequence’s Will Glazier, head of research, and Matt Keil, director of product marketing, at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. My big takeaways:

Bulletproof weaponry

Back in 2007, a noted fellow journalist, Brian Krebs, exposed how the Russian Business Network had pioneered something called “bulletproof hosting.” RBN provided web hosting services to one-and-all, and then looked the other way as spammers, fraudsters and even child pornography distributors did their thing, operating their botnets with impunity.

Just the other day, Krebs broke another story about what he’s calling “bulletproof residential VPN services.” And Cequence has done deep analysis on “bulletproof proxies” — the latest, greatest iteration of bulletproof hosting. Instead of building out and hosting a server farm that can be isolated and potentially shut down by law enforcement, bulletproof proxy providers today assemble millions of globally distributed IP addresses and make those available to one-and-all.

Crucially, the availability of an endless supply of IP addresses reinforces the viability of botnets. (A bot is a computing nodule, and a botnet is a network of nodules under control of the botnet master.) The fact that botnet nodules today increasingly spin out of residential IP addresses is significant for two reasons: …more

ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

By Byron V. Acohido

Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next — after admitting to have allowed a gargantuan data breach.

Capital One’s mea culpa coincided with the FBI’s early morning raid of a Seattle residence to arrest Paige Thompson. Authorities charged the 33-year-old former Amazon software engineer with masterminding the hack.

Related: Hackers direct botnets to manipulate business logic

Thompson is accused of pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That includes social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Just a few days before Capital One’s disclosure, Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach that compromised sensitive information of more than 145 million American consumers. Also very recently, the Federal Trade Commission slammed Facebook with a record $5 billion fine for losing control over massive troves of personal data and mishandling its communications with users.

Sure enough, it didn’t take long (less than 24 hours) for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit against Capital One for its failure to protect sensitive customer data. Many more lawsuits, as well as federal probes and Congressional hearings, are sure to follow.

Oh, and let’s not forget how Equifax summarily canned five top execs, including Equifax CEO Richard Smith, in the aftermath of its big breach. Not even doing this YouTube video apology was enough to save Smith his job. It’s going to be interesting to see who Capital One’s board of directors designates to throw under the bus on this one.

Larger lessons

Arguably the most fascinating twist to the Capital One caper is the FBI’s rather quick arrest of Paige Thompson. Arrests in network breaches are rare, indeed. For instance, we know a lot of details about the Equifax breach, thanks to a GAO investigation and report. But no suspects have ever been publicly named.

What’s more, the usual suspects in high-profile breaches – i.e. professional Russian, Eastern European, Chinese and North Korean hacking collectives – appear to be out of the loop with respect to this particular caper. The Capital One breach, it seems to me, vividly highlights the depth and breadth of the Internet underground. Anyone with technical aptitude, diligence and a lack of scruples, such as an out-of-work IT staffer, can engage in criminal activity at a fairly high level. …more

MY TAKE: How state-backed cyber ops have placed the world in a constant-state ‘Cyber Pearl Harbor’

By Byron V. Acohido

Cyber espionage turned a corner this spring when Israeli fighter jets eradicated a building in the Gaza Strip believed to house Hamas cyber operatives carrying out attacks on Israel’s digital systems.

Related: The Golden Age of cyber spying is upon us.

That May 10th air strike by the Israel Defense Force marked the first use of military force in direct retaliation for cyber spying. This development underscores that we’re in the midst of a new age of cyber espionage.

This comes as no surprise to anyone in the military or intelligence communities. State-sponsored cyber operations have been an integral part of global affairs for decades. And, in fact, cyber ops tradecraft has advanced in sophistication in lock step with our deepening reliance on the commercial Internet.

Here are a few things everyone should know about the current state of government-backed cyber ops.

Russia’s tradecraft

A lot of dots have been connected recently with respect to Russia’s cyber spying, initially thanks to Barack Obama’s leveling of sanctions on Russia for interfering in the 2016 U.S. presidential elections. Among more than two dozen Russians named as co-conspirators by the Obama sanctions were a pair of notorious cyber robbers, Evgeniy Bogachev of Russia and Alexsey Belan of Latvia.

At the time, both were well-known to the FBI as profit-motivated cyber thieves of the highest skill level. Bogachev led a band of criminals that used the Gameover Zeus banking Trojan to steal more than $100 million from banks and businesses worldwide. Then somewhere along the way, Bogachev commenced moonlighting as a cyber spy for the Russian government.

The Obama sanctions helped security analysts and the FBI piece together how Bogachev, around 2010, began running unusual searches on well-placed PCs he controlled, via Gameover Zeus infections. Bogachev’s searches explicitly sought out intelligence of direct strategic benefit to Russia – just prior to Russia making adversarial moves in the Republic of Georgia, the Ukraine and Turkey, respectively.

Meanwhile, details of Alexsey Belan’s Russian-backed escapades came to light in March 2017 when the FBI indicted Belan and three co-conspirators in connection with hacking Yahoo to pilfer more than 500 million email addresses and gain deep access to more than 30 million Yahoo accounts.

The Obama sanctions ultimately linked both Bogachev and Belan to the hack of the Democratic National Committee and several other organizations at the center of the 2016 U.S. presidential elections. The pair were not the first private-sector cybercriminals recruited to serve as Russian assets, and very likely won’t be the last, said Bryson Bort, CEO of security company SCYTHE, a supplier of attack simulation systems.

“Russia explicitly recruits folks already engaged in criminal activities, and once recruited, they are contracted and connected to military organizations for direction and oversight,” Bort told me. “Those activities have criminal end-goals of corporate espionage and theft, but to be clear, they are government-directed.”

Both Bogachev and Belan remain on the FBI’s most wanted cybercriminals list: Bogachev with a $3 million bounty and Belan with a $100,000 bounty. The assumption is that they both reside in Russia under the protection of the Russian government.

“We have not effectively deterred Russia, as a nation, from executing these operations,” Bort said. “So we can expect them to continue to recruit criminal hackers, grow their capabilities, and continue to use them.”

China’s tradecraft

It’s fully expected that Russia’s cyber spying will continue to revolve around spreading propaganda and influencing elections, as well as maneuvering for footholds, in critical infrastructure and financial systems, in order to put Russia into an improved position from which to manipulate global politics of the moment.

By contrast China takes a long view, as explicitly outlined in its Made in China 2025 manifesto. China has been taking methodical steps to transform itself from the source of low-end manufactured goods to the premier supplier of high-end products and services.

…more

MY TAKE: Let’s not lose sight of why Iran is pushing back with military, cyber strikes

By Byron V. Acohido

It is not often that I hear details about the cyber ops capabilities of the USA or UK discussed at the cybersecurity conferences I attend.

Related: We’re in the golden age of cyber spying

Despite the hush-hush nature of Western cyber ops, it is axiomatic in technology and intelligence circles that the USA and UK possess deep hacking and digital spying expertise – capabilities which we regularly deploy to optimize our respective positions in global affairs.

Last week, President Trump took an unheard of step: he flexed American cyber ops muscle out in the open. An offensive cyber strike by the U.S. reportedly knocked out computing systems controlling Iranian rocket and missile launchers, thus arresting global attention for several news cycles.

“The digital strike against Iran is a great example of using USCYBERCOM as a special ops force, clearly projecting US power by going deep behind enemy lines to knock out the adversary’s intelligence and command-and-control apparatus,” observes Phil Neray, VP of Industrial Cybersecurity for CyberX, a Boston-based supplier of IoT and industrial control system security technologies.

Some context is in order. Trump’s cyber strike against Iran is the latest development in tensions that began in May 2018, when Trump scuttled the 2015 Iran nuclear deal – which was the result of 10 years of negotiation between Iran and the United Nations Security Council. The 2015 Iran accord, agreed to by President Obama, set limits on Iran’s nuclear programs in exchange for the lifting of nuclear-related sanctions.

For his own reasons, Trump declared the 2015 Iran accord the “worst deal ever,” and has spent the past year steadily escalating tensions with Iran, for instance, by unilaterally imposing multiple rounds of fresh sanctions.

Iran pushes back

This, of course, has pushed Iran into a corner, and forced Iran to push back. It’s important to keep in mind that Iran, as well as Europe and the U.S., were meeting the terms of the 2015 nuclear deal, prior to Trump scuttling the deal. Let’s not forget that a hard-won stability was in place, prior to Trump choosing to stir the pot.

Today, Iran is scrambling for support from whatever quarter it can get it. Its moves, wise or unwise, are quite clearly calculated to compel European nations to weigh in on its behalf. However, many of Iran’s chess moves have also translated into fodder for Trump to stir animosity against Iran. …more

BEST PRACTICES: The case for ‘adaptive MFA’ in our perimeter-less digital environment

By Byron V. Acohido

One of the catch phrases I overheard at RSA 2019 that jumped out at me was this: “The internet is the new corporate network.”

Related: ‘Machine identities’ now readily available in the Dark Net

Think about how far we’ve come since 1999, when the Y2K scare alarmed many, until today, with hybrid cloud networks the norm. There’s no question the benefits of accelerating digital transformation are astounding.

Yet the flip side is that legacy security approaches never envisioned perimeter-less computing. The result, not surprisingly, has been a demonstrative lag in transitioning to security systems that strike the right balance between protection and productivity.

Take authentication, for example. Threat actors are taking great advantage of the lag in upgrading authentication. The good news is that innovation to close the gap is taking place. Tel Aviv-based security vendor Silverfort is playing in this space, and has found good success pioneering a new approach for securing authentication in the perimeterless world.

Founded in 2016 by cryptography experts from the Israeli Intelligence Corps’ elite 8200 cyber unit, Silverfort is backed by leading investors in cybersecurity technologies.

I had the chance to catch up with Dana Tamir, Silverfort’s vice president of market strategy, at RSA 2019. For a full drill down of the interview, please listen to the accompanying podcast. Here are the key takeaways:

Eroding effectiveness

Compromised credentials continue to be the cause of many of today’s data breaches. The use of multi-factor authentication, or MFA, can help protect credentials, but even those solutions have lost much of their effectiveness. The problem is that most MFA solutions are designed for specific systems, rather than today’s more dynamic environments. Traditional MFA may have hit its limitations due to dissolving perimeters.

In the past, Tamir explained, you had a solid perimeter around your network, with one entry point and you added the MFA to that single entry for the extra layer of protection. But that single-entry perimeter doesn’t exist today. We don’t even have a real perimeter anymore. …more

Q&A: Here’s why Android users must remain vigilant about malicious apps, more so than ever

By Byron V. Acohido

Android users – and I’m one – are well-advised to be constantly vigilant about the types of cyberthreats directed, at any given time, at the world’s most popular mobile device operating system.

Related: Vanquishing BYOD risks

Attacks won’t relent anytime soon, and awareness will help you avoid becoming a victim. It’s well worth it to stay abreast of news about defensive actions Google is forced to take to protect Android users. Just recently, for instance, the search giant removed 50 malicious apps, installed 30 million times, from the official Google Play Store, including fitness, photo-editing, and gaming apps.

And earlier this year, three popular “selfie beauty apps” – Pro Selfie Beauty Camera, Selfie Beauty Camera Pro and Pretty Beauty Camera 2019 – accessible in Google Play Store were revealed to actually be tools to spread adware and spyware. Each app had at least 500,000 installs, with Pretty Beauty Camera 2019 logging over 1 million installs, mainly by Android users in India.

Instructive details about both of these malicious campaigns come from malware analysts working on apklab.io, which officially launched in February. Apklab.io is Avast’s mobile threat intelligence platform designed to share intelligence gathered by analyzing samples collected from 145 million Android mobile devices in use worldwide.

I had the chance to sit down with Nikolaos Chrysaidos (pictured), head of mobile threat intelligence and security at Avast, to drill down on the wider context of the helpful findings apklab.io has begun delivering. Here are excerpts of our discussion, edited for clarity and length:

Acohido: What was distinctive about the 50 malicious Android apps your analysts recently discovered?

Chrysaidos: The installations ranged from 5,000 to 5 million installs, and included adware that persistently displayed full screen ads, and in some cases, tried to convince the user to install further apps. The adware applications were linked together by the use of third-party Android libraries, which bypass the background service restrictions present in newer Android versions.

The bypassing itself is not explicitly forbidden on Play Store. However, our analysts were able to detect it because apps using these libraries waste the user’s battery and make the device slower. In this instance, the libraries kept displaying more and more ads, which does violate the Google Play Store rules. …more