Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Top Stories

 

MY TAKE: What it takes to beat cybercrime in the age of DX and IoT: personal responsibility

By Byron V. Acohido

Back in 2004, when I co-wrote this USA TODAY cover story about spam-spreading botnets, I recall advising my editor to expect cybersecurity to be a headline-grabbing topic for a year or two more, tops.

Related:  A primer on machine-identity exposures

I was wrong. Each year over the past decade-and-a-half, a cause-and-effect pattern has spread more pervasively into the fabric of modern society. Each and every major advance of Internet-centric commerce – from e-tailing and email, to social media and mobile computing, and now on to the Internet of Things – has translated into an exponential expansion of the attack surface available to cybercriminals.

And malicious hackers have taken full advantage – whether they are motivated by criminal profits, backed by nation-state operatives, or simply desirous of bragging rights. Year-in and year-out, criminal innovation has far outpaced the effort on the part of companies and governments to defend their business networks, as well as to preserve the sanctity of our private data.

…more

Comment | Read | February 15th, 2019 | My Take | Top Stories

NEW TECH: Can Project Furnace secure DX — by combining serverless computing and GitOps?

By Byron V. Acohido

Assuring the privacy and security of sensitive data, and then actually monetizing that data, — ethically and efficiently — has turned out to be the defining challenge of digital transformation.

Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace, an all-new open source software development platform.

Related: The need to fold ‘SecOps’ into ‘DevOps’

I had the chance to sit down with Furnace Ignite’s co-founders: John Blamire, chief operating officer, and Danny Waite, chief technology officer,  for a pre-launch briefing.

They walked me through how Project Furnace began as a quest to improve the output of SIEM (security information and event management) systems.

However, beyond improving legacy appproachs to network security, Blamire and Waite explained why they firmly believe Furnace could ultimately accelerate the design and implementation of all smart software — the next generation of apps destined to run everything from our shopping experiences to our driverless cars and our smart homes and cities. Here are takeaways from our meeting:

DX context

Furnace, in essence, seeks to aid and abet digital transformation, or DX, the ongoing digitization of essentially all human endeavors into a machine-readable format that can be automatically acted upon. DX is the wider context, here, in the sense that DX is made possible because of the rise of “datafication” — the processes by which we’ve come to rapaciously collect and store mind-boggling amounts of data from web forms, social media, mobile apps, surveillance cameras, IoT sensors and the like.

In 2016, Waite was assigned the task of coming up with a much better way to extract …more

Comment | Read | February 12th, 2019 | For technologists | My Take | Steps forward | Top Stories

GUEST ESSAY: Australia’s move compelling VPNs to cooperate with law enforcement is all wrong

By Bogdan Patru

The moment we’ve all feared has finally come to pass. When government agencies and international intelligence groups pooled together resources to gather user data, the VPN’s encryption seemed like the light at the end of the tunnel.

Related: California enacts pioneering privacy law

However, it looks like things are starting to break apart now that Australia has passed the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018”. On the 6th of December 2018, a law that is a direct attack on internet users’ privacy was agreed to by both the House of Representatives and the Senate.

The amendment forces all companies, even VPN providers, to collect and give away confidential user data if the police demand it. All telecoms companies will have to build tools in order to bypass their own encryption.

If suspicions appear that a crime has been or will be committed by one of their users, the law enforcement agencies are in their right to demand access to user messages and private data.

This Orwellian Thought Police is to be the judge, jury, and executioner in a digital world that shelters our personal lives and secrets. All the things we’d like to keep hidden from others. You know, this revolutionary idea called “privacy” Anyone?

Tech companies all over the world are unsure how this can be achieved without installing backdoors into their own security systems. These vulnerabilities are just like a stack of powder kegs ready to blow up at any moment. This is because anyone with knowledge of their existence could theoretically use those security holes to gain access to the user data. …more

Comment | Read | February 11th, 2019 | For consumers | For technologists | Guest Blog Post | Privacy | Top Stories

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

By Byron V. Acohido

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Related: Massive Marriott breach closes out 2018

Ever wonder where the tens of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, Linked In,  Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches ends up?

This data gets collected and circulated in data bases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by  anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the injection of surreptitiously obtained usernames and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords. …more

Comment | Read | February 1st, 2019 | For consumers | For technologists | Imminent threats | My Take | Top Stories

MY TAKE: ‘Bashe’ attack theorizes a $200 billion ransomware raid using NSA-class cyber weapons

By Byron V. Acohido

A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe.

Related: U.S. cyber foes exploit government shutdown

The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real life WannaCry and NotPetya ransomware worms that plagued thousands of organizations in 2017.

The exercise was commissioned by Lloyd’s of London, the Cambridge Centre for Risk Studies and the Nanyang Technological University in Singapore, among others. In their construct, the fictional cyber ring behind Bashe leverages lessons learned from missteps made in WannaCry and NotPetya, with the aim of making Bashe “the most infectious malware of all time.”

It should not be forgotten that WannaCry and NotPetya made use of some of the  69 cyber weapons stolen from the NSA and released publicly by a group known as Shadow Brokers. These weapons were designed by NSA software engineers to take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

EternalBlue pedigree

Keep in mind, globe-spanning ransomware worms are just one of endless ways the NSA weapons, often referred to as “EternalBlue,” could be leveraged. While the Lloyd’s study focuses on the ransomware scenario, it’s reasonable to believe threat actors of every stripe are developing other ways to utilize EternalBlue-class cyber weaponry.

This creates a responsibility for every organization to consider this report and assess what damage control might entail, says Darin Pendergraft, vice president of product marketing at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data. …more

Comment | Read | January 31st, 2019 | For consumers | For technologists | Imminent threats | My Take | Top Stories

NEW TECH: This free tool can help gauge, manage third-party cyber risk; it’s called ‘VRMMM’

By Byron V. Acohido

Late last year, Atrium Health disclosed it lost sensitive data for some 2.65 million patients when hackers gained unauthorized access to databases operated by a third-party billing vendor.

Turn the corner into 2019 and we find Citigroup, CapitalOne, Wells Fargo and HSBC Life Insurance among a host of firms hitting the crisis button after  their customers’ records turned up on a database of some 24 million financial and banking documents found parked on an Internet-accessible server — without so much as password protection. The culprit: lax practices of a third-party data and analytics contractor.

Related: Atrium Health breach highlights third-party risks

One might assume top-tier financial services firms and healthcare vendors would have solved third-party cyber exposures by now. But the truth of the matter is, companies of all sizes and in all sectors remain acutely vulnerable to attack vectors laid open by third-party contractors. And this continues to include enterprises that have poured a king’s ransom into hardening their first-party security posture.

What’s happening is that supply chains are becoming more intricate and far-flung the deeper we move into digital transformation and the Internet of Things. And opportunistic threat actors are proving adept as ever at sniffing out the weak-link third parties in any digital ecosystem.

Mike Jordan, senior director of the Shared Assessments Program, a Santa Fe, NM-based  intel-sharing and training consortium focused on third-party risks, points out that at least one of the banks that had data exposed in this latest huge data leak wasn’t even a customer of the allegedly culpable contractor.

“Hacked subcontractors or downstream service providers can harm companies that have no business relationship with each other,” Jordan told Last Watchdog. “Individuals can even be affected by parties with whom they have no explicit relationships, such as credit bureaus and data brokers.” …more

Comment | Read | January 30th, 2019 | For technologists | Top Stories

MY TAKE: 3 privacy and security habits each individual has a responsibility to embrace

By Byron V. Acohido

Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear?

Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized by malicious parties.

Related: Long run damage of 35-day government shutdown

Why we’re in the ‘Golden Age’ of cyber espionageThe fact is cyber criminals are expert at refining and carrying out phishing, malvertising and other tried-and-true ruses that gain them access to a targeted victim’s Internet-connected computing device. And the malware that subsequently gets installed continues to get more stealthy and capable with each advancing iteration.

This has become an engrained pattern in our modern digital world. A vivid illustration comes from Palo Alto Networks’ Unit 42 forensics team. Researchers recently flushed out a new variety of the Xbash family of malware tuned to seek out administrators’ rights and take control of Linux servers. This variant of Xbash is equipped to quietly uninstall any one of five popular types of cloud security protection and monitoring products used on such servers.

Targeting one device

The end game for this particular hacking ring is to install crypto currency mining routines on compromised Linux servers. But the larger point is that Xbash is just one of dozens of malware families circulating far and wide across the Internet. Xbash gets rolling by infecting one device, which then serves as the launch pad for deeper hacking forays limited only by the attacker’s initiative.

To be sure, it’s not as if the good guys aren’t also innovating. Worldwide spending on information security products and services rose to $114 billion in 2018, up from $102 billion in 2017, an increase of 12.4 percent, according to tech consultancy Gartner. …more

One Comment | Read | January 28th, 2019 | For consumers | For technologists | My Take | Privacy | Top Stories

Older Articles »