Top Stories
MY TAKE: How ‘credential stuffing’ is being deployed to influence elections, steal Covid-19 relief

By Byron V. Acohido

What do wildfires and credential stuffing have in common?

Related: Automated attacks leverage big data

For several years now, both have flared up and caused harm at the fringes of population centers and our digital economy. And, now, in 2020, both have escalated to catastrophic proportions.

Just after Labor Day, dried out trees and shrubs combined with high winds to erupt into massive wildfires that swiftly engulfed rural towns and even suburban areas of California, Oregon, Washington and several other states. Millions of acres of land got consumed, hundreds of thousands of people were evacuated and dozens lost their lives.

Meanwhile, all year long and continuing through the fall, opportunistic cybercriminals have launched wave after wave of automated credential stuffing campaigns. These bad actors are wreaking havoc in two arenas: Stealing Covid-19 relief payments on a massive scale as well as meddling, once again, in the election of a U.S. president.

The wildfires eventually subsided with calmer, damper meteorological conditions. However, massive surges of credential stuffing have persisted, fueled by a seemingly endless supply of already stolen, or easy-to-steal, personal information along with the wide availability of sophisticated hacking tools.

MY TAKE: Lessons learned from the summer of script kiddies hacking Twitter, TikTok

By Byron V. Acohido

Graham Ivan Clark, Onel de Guzman and Michael Calce. These three names will go down in the history of internet commerce, right alongside Jack Dorsey, Mark Zuckerberg and Jeff Bezos.

Related: How ‘Zero Trust’ is compatible with agile computing

We’re all familiar with the high-profile entrepreneurs who gave us the tools and services that underpin our digital economy. However, Clark, de Guzman and Calce are equally notable as leading members of the Hall of Fame of script kiddies – youngsters who precociously shed light on how these same tools and services are riddled with profound privacy and security flaws.

The trouble is Clark, 17, of Tampa, Florida, is teaching us much the same lessons in the summer of 2020 that de Guzman and Calce did in the spring of 2000. De Guzman authored the I Love You email virus that circled the globe infecting millions of PCs; Calce, aka Mafiaboy, released the Melissa Internet worm that knocked offline Amazon, CNN, eBay and Yahoo.

Judging from the success of script kiddies, the tech giants apparently have not learned very much about security in 20 years. Clark was arrested in late July and charged with masterminding the hijacking of the Twitter accounts of A-list celebrities, and then Tweeting from those accounts to pull off a Bitcoin scam. His caper is worrisome on two counts. First it shows how resistant companies continue to be with respect to embracing very doable cyber hygiene practices – measures that would prevent these sorts of hacks. And second, it reminds us how much capacity to wreak havoc truly malicious parties — not just script kiddies – possess. This is chilling considering the times we’re in. On the cusp of electing a U.S. president, with the world struggling to recover from a global pandemic, there are nuanced lessons we can learn from the Twitter Bitcoin hack. Here’s what all consumers and companies should heed going forward.

NEW TECH: Trend Micro flattens cyber risks — from software development to deployment

By Byron V. Acohido

Long before this awful pandemic hit us, cloud migration had attained strong momentum in the corporate sector. As Covid19 rages on, thousands of large to mid-sized enterprises are now slamming pedal to the metal on projects to switch over to cloud-based IT infrastructure.

A typical example is a Seattle-based computer appliance supplier that had less than 10 percent of its 5,000 employees set up to work remotely prior to the pandemic. Seattle reported the first Covid19 fatality in the U.S., and Washington was among the first states to issue shelter at home orders. Overnight, this supplier was forced to make the switch to 90 percent of its employees working from home.

As jarring as this abrupt shift to remote work has been for countless companies, government agencies and educational institutions, it has conversely been a huge boon for cyber criminals. The Internet from its inception has presented a wide open attack vector to threat actors. Covid19 has upgraded the Internet — from the criminals’ point of view — to a picture-perfect environment for phishing, scamming and deep network intrusions. Thus the urgency for organizations to put all excuses aside and embrace stricter cyber hygiene practices could not be any higher.

It’s a very good thing that the cybersecurity industry has been innovating apace, as well. Cybersecurity technology is far more advanced today than it was five years ago, or even two years ago.

NEW TECH: A better way to secure agile software — integrate app scanning, pen testing into WAF

By Byron V. Acohido

The amazing array of digital services we so blithely access on our smartphones wouldn’t exist without agile software development.

Related: ‘Business logic’ hacks on the rise

Consider that we began this century relying on the legacy “waterfall” software development process. This method required a linear plan, moving in one direction, that culminated in a beta deliverable by a hard and fast deadline. To set this deadline required a long, often tortured planning cycle. And this invariably led to the delivery of a bug-ridden version 1.0, if not outright project failure.

By contrast, the agile approach, aka DevOps, thrives on uncertainty. DevOps expects changes as part of being responsive to end users. Agile software development is all about failing fast — discovering flaws quickly and making changes on the fly. Agile has given us Netflix, Twitter, Uber, TikTok and much more.

Of course the flip side is that all of this speed and agility has opened up endless fresh attack vectors – particularly at the web application layer of digital commerce. “The heart of any business is its applications,” says Venky Sundar, founder and chief marketing officer of Indusface. “And application-level attacks have come to represent the easiest target available to hackers.”

Based in Bengaluru, India, Indusface helps its customers defend their applications with a portfolio of services that work in concert with its flagship web application firewall (WAF), a technology that has been around for about 15 years. WAFs have become table stakes; any company with a public-facing website should by now have a WAF. Fundamentally, WAFs monitor all of the HTTP traffic hitting a company’s web servers and block known malicious traffic, such as the threats listed in the OWASP Top 10 application-level attacks.

A few of the big-name vendors in the WAF space include Imperva, Cloudflare, Akamai and Barracuda, and even Amazon Web Services offers a WAF. Indusface has differentiated itself by …

MY TAKE: Even Google CEO Sundar Pichai agrees that it is imperative to embed ethics into AI

By Byron V. Acohido

It took a global pandemic and the death of George Floyd to put deep-seated social inequities, especially systemic racism, front and center for intense public debate.

Related: Will ‘blockchain’ lead to more equitable wealth distribution?

We may or may not be on the cusp of redressing social injustice by reordering our legacy political and economic systems. Only time will tell. Either way, a singular piece of technology – artificial intelligence (AI) — is destined to profoundly influence which way we go from here.

This is not just my casual observation. Those in power fully recognize how AI can be leveraged to preserve status-quo political and economic systems, with all of its built-in flaws, more or less intact.

Conversely, consumer advocates and diversity experts can see how AI could be utilized to redistribute political power more equitably, and in doing so, recalibrate society – including blunting systemic racism.

In late January, as COVID-19 was beginning to spread, the most powerful people on the planet flew to Davos, Switzerland to attend the 50th annual World Economic Forum. AI was prominent on their agenda. These heads of state and captains of industry even coined a buzz phrase, “stakeholder capitalism,” to acknowledge the need to take into account the interests of the economically disadvantaged and politically powerless citizens of the world as they bull ahead with commercial and political uses of AI.

“AI is one of the most profound things we’re working on as humanity,” Sundar Pichai, CEO of Alphabet, Google’s parent holding company, told Bloomberg News in Davos. “It’s more profound than fire or electricity.”

Q&A: Sophos poll shows how attackers are taking advantage of cloud migration to wreak havoc

By Byron V. Acohido

Cloud migration, obviously, is here to stay.

Related: Threat actors add ‘human touch’ to hacks

To be sure, enterprises continue to rely heavily on their legacy, on-premises datacenters. But there’s no doubt that the exodus to a much greater dependency on hybrid cloud and multi-cloud resources – Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) – is in full swing.

Now comes an extensive global survey from Sophos, a leader in next generation cybersecurity, that vividly illustrates how cybercriminals are taking full advantage. For its State of Cloud Security 2020 survey, Sophos commissioned the polling of some 3,500 IT managers across 26 countries in Europe, the Americas, Asia Pacific, the Middle East, and Africa. The respondents were from organizations that currently host data and workloads in the public cloud.

Sophos found that fully 70% of organizations experienced a public cloud security incident in the last year. Furthermore, 50% encountered ransomware and other malware; 29% reported incidents of data getting exposed; 25% had accounts compromised; and 17% dealt with incidents of crypto-jacking. The poll also showed that organizations running multi-cloud environments were 50% more likely to suffer a cloud security incident than those running a single cloud.

Those findings were eye-opening, yes. But they were not at all surprising. Digital commerce from day one has revolved around companies bulling forward to take full advantage of the wondrous decentralized, anonymous characteristics of the Internet, which began as a military-academic experiment.

ROUNDTABLE: What’s next, now that we know V.I.P Twitter users can so easily be spoofed?

By Byron V. Acohido

Judging from the criminals’ meager pay day, the high-profile hack of Twitter, disclosed last week, was nothing much.

Related: Study shows disinformation runs rampant on Twitter

The hackers insinuated their way deep into Twitter’s internal system. They were able to get into a position from which they could access some 350 million Twitter accounts, including numerous accounts of the rich and famous.

They then hijacked control of the accounts of Barack Obama, Jeff Bezos, Elon Musk, Bill Gates, Joe Biden, Mike Bloomberg and Kanye West, among others. Next they used the accounts — posing as the celebrities — to pitch Bitcoin variants of the classic Nigerian Prince-type of grift. The con game ran for a little over an hour before Twitter shut it down – and the criminals hauled in only $118,000.

However, because of how Twitter has become a tool to manipulate social discourse, spread disinformation and even influence presidential elections, this hack could yet have a much more devastating long-run impact. Last Watchdog gathered observations from a roundtable of cybersecurity thought leaders. Here’s what concerns them, going forward: