Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: Technologists, privacy advocates point to flaws in the Apple-Google COVID-19 tracing app

By Byron V. Acohido

If the devastating health and economic ramifications weren’t enough, individual privacy is also in the throes of being profoundly and permanently disrupted by the coronavirus pandemic. The tech giants are partnering on a tool for public good, but critics worry it will ultimately get used for predatory surveillance.

Related: Europe levies big fines for data privacy missteps

Apple and Google are partnering up to bring technology to bear on COVID-19 contact tracing efforts. The tech giants are laudably putting aside any competitive urgings to co-develop a solution that combines mobile operating system, Bluetooth and GPS technologies to help us all get past the burgeoning health crisis.

However, in an apparent effort to live down Google’s abjectly poor track record respecting consumer privacy, the Apple-Google partnership is treading lightly to avoid anything that might hint at an undue invasion of individual privacy. In doing so, their proposed solution has a number of glaring technical and privacy-protection shortcomings, according to several technologists I spoke with.  In fact, the Apple-Google project has exacerbated a privacy controversy that flared up in Europe in the early stages, one that has more recently been picking up steam in the U.S., as well. Here’s how technologists and privacy experts see things stacking up:

Bluetooth-based tracing

Infected persons will be able to use their iPhones or Android devices to make their status known to a central server, which then correlates an anonymized identifier of the infected person to anonymized IDs of non-infected persons who happen to be in close proximity. The server then alerts the non-infected persons to self-immunize.

NEW TECH: Silverfort helps companies carry out smarter human and machine authentications

By Byron V. Acohido

Doing authentication well is vital for any company in the throes of digital transformation.

Digital commerce would fly apart if businesses could not reliably affirm the identities of all humans and all machines, that is, computing instances, that are constantly connecting to each other across the Internet.

Related: Locking down ‘machine identities’

At the moment, companies are being confronted with a two-pronged friction challenge, when it comes to authentication. On the one hand, they’re encountering crippling friction when attempting to migrate legacy, on-premises systems to the cloud. And on the other hand, there’s no authentication to speak of  – when there needs to be some — when it comes to machine-to-machine connections happening on the fly to make digital processes possible.

I had an enlightening discussion about this with Dana Tamir, vice president of market strategy for Silverfort, a Tel Aviv-based supplier of agentless multi-factor authentication technology. We spoke at RSA 2020. For a full drill down of the interview, please listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW: Can you frame the authentication challenge companies face today?

Tamir: One of the biggest changes taking place is that there are many more remote users, many more employees bringing their own devices, and many more cloud resources are being used. This has basically dissolved the network perimeter. You can’t assume trust within the perimeter  because the perimeter doesn’t exist anymore.

And yet we know that threats exist everywhere, within our own environments, and out in the cloud. So that changes the way security needs to be applied, and how we authenticate our users. We now need to authenticate users everywhere, not only when they enter the network.

LW: What obstacles are companies running into with cloud migration?

GUEST ESSAY: What everyone should know about the pros and cons of online fingerprinting

By Ebbe Kernel

When it was first introduced, device fingerprinting – or online fingerprinting in general – was meant to create a safer, more responsible internet. The idea was that by fingerprinting devices used to connect to the internet we could achieve better accountability.

Related: Why Satya Nadella calls for regulation of facial recognition systems

The concept itself is still very much relevant today. Fingerprinting is considered a necessary practice to fight challenges such as fake accounts and the misuse of internet services. However, online fingerprinting is also being used to track users. Now, fingerprinting is a tool in the marketer’s toolbox. Has it failed in its initial mission?

If you are not familiar with the concept of online fingerprinting, the principles behind it are very simple. More about it can be found on Smartproxy. Whenever you access a web server, details about your IP address, your browser information, your device information, and other information are recorded in logs. Logged online activities are easier to trace so service providers can perform the necessary security check if one is required.

Fingerprinting makes it difficult for irresponsible parties to create fake accounts or social media pages. Service providers can recognize signs of fake accounts from similarities in their fingerprints, allowing further action to be taken against those accounts. In the era of bots and fake news, fingerprinting is supposed to work seamlessly.

The Electronic Frontier Foundation (EFF) recently revealed just how many details are leaked and stored when you access a web server. The number

of details that are recorded is simply staggering, with information such as your approximate location, the referrer site, and whether you have Do Not Track activated being leaked.

MY TAKE: COVID-19 cements the leadership role CISOs must take to secure company networks

By Byron V. Acohido

Chief Information Security Officers were already on the hot seat well before the COVID-19 global pandemic hit, and they are even more so today.

Related: Why U.S. cybersecurity policy needs to match societal values

CISOs must preserve and protect their companies in a fast-changing business environment at a time when their organizations are under heavy bombardment. They must rally the troops to proactively engage, day-to-day, in the intricate and absolutely vital mission of preserving the security of IT assets, without stifling innovation. And they must succeed on executive row, with middle management and amongst the troops in the operational trenches.

That’s a very tall order, made all the more challenging by a global health crisis that has slowed the global economy to a crawl, with no end yet in sight. One new challenge CISOs’ suddenly face is how to lock down web conferencing tools, like Zoom, Skype and Webex, without gutting their usefulness.

Cyber criminals have discovered Zoom logons, in particular, to be useful for carrying out credential stuffing campaigns to probe for deeper access inside of breached networks. Thanks to the sudden rise in use of Zoom and other video conferencing systems by an expanding work-from-home workforce, their logons are begin targeted by threat actors; underground forums today are bristling with databases holding hundreds of thousands of recycled Zoom logon credentials.

I had the chance to discuss this state of affairs with Vishal Salvi, CISO of Infosys. In its 2020 fiscal year, ending March 31, Infosys reported revenue of $12.8 billion, with $7.8 billion coming from North America, $3.1 billion from Europe, $333 million from India and $1.5 billion internationally

MY TAKE: COVID-19’s silver lining could turn out to be more rapid, wide adoption of cyber hygiene

By Byron V. Acohido

Long before COVID-19, some notable behind-the-scenes forces were in motion to elevate cybersecurity to a much higher level.

Related: How the Middle East has advanced mobile security regulations

Over the past couple of decades, meaningful initiatives to improve online privacy and security, for both companies and consumers, incrementally gained traction in the tech sector and among key regulatory agencies across Europe, the Middle East and North America. These developments would have, over the next decade or so, steadily and materially reduced society’s general exposure to cybercrime and online privacy abuses.

Then COVID-19 came along and obliterated societal norms and standard business practices. A sweeping overhaul of the status quo – foreshadowed by the sudden and acute shift to a predominantly work-from-home workforce – lies ahead.

One thing is certain, as this global reset plays out, cyber criminals will seize upon fresh opportunities to breach company and home networks, and to steal, defraud and disrupt, which they’ve already commenced doing.

Yet there are a few threads of a silver lining I’d like to point out. It is possible, if not probable, that we are about to witness an accelerated rate of adoption of cyber hygiene best practices, as well as more intensive use of leading-edge security tools and services. And this positive upswing could be reinforced by stricter adherence to, not just the letter, but the spirit of data security laws already on the books in several nations.

There is an urgency in the air to do the right thing. Several key variables happen to be tilting in an advantageous direction. Here’s a primer about how cyber hygiene best practices – and supporting security tools and services – could gain significant steam in the months ahead, thanks to COVID-19.

BEST PRACTICES: How testing for known memory vulnerabilities can strengthen DevSecOps

By Byron V. Acohido

DevOps wrought Uber and Netflix. In the very near future DevOps will help make driverless vehicles commonplace.

Related: What’s driving  ‘memory attacks’

Yet a funny thing has happened as DevOps – the philosophy of designing, prototyping, testing and delivering new software as fast as possible – has taken center stage. Software vulnerabilities have gone through the roof.

Over a five year period the number technical software vulnerabilities reported to the National Institute of Standards and Technology’s National Vulnerability Database  (NVD) more than tripled – from 5,191 in  2013 to a record 16,556 in 2018.

Total vulnerabilities reported in the NVD dropped a bit in 2019, down to 12,174 total flaws. Some credit for that decline surely goes to the DevSecOps movement that has come into its own in the past two to three years.

DevSecOps proponents are pushing for security-by-design practices to get woven into the highly agile DevOps engineering culture. Still, 12,000-plus fresh software vulnerabilities is a lot, folks. And that’s not counting the latent vulnerabilities getting overlooked in this fast-paced environment – flaws sure to be discovered and exploited down the line by opportunistic threat actors.

San Jose-based application security vendor, Virsec, is seeking to tilt the balance a bit more to the side of good.

NEW TECH: CASBs continue evolving to help CISOs address multiplying ‘cloud-mobile’ risks

By Byron V. Acohido

It can be argued that we live in a cloud-mobile business environment.

Related: The ‘shared responsibility’ burden

Most organizations are all caught up, to one degree or another, in migrating to hybrid cloud networks. And startups today typically launch with cloud-native IT infrastructure.

Mobile comes into play everywhere. Employees, contractors, suppliers and customers consume and contribute from remote locations via their smartphones. And the first tools many of them grab for daily is a cloud-hosted productivity suite: Office 365 or G Suite.

The cloud-mobile environment is here to stay, and it will only get more deeply engrained going forward. This sets up an unprecedented security challenge that companies of all sizes, and in all sectors, must deal with. Cloud Access Security Brokers (CASBs), referred to as “caz-bees,” are well-positioned to help companies navigate this shifting landscape.

I had the chance to discuss this with Salah Nassar, vice president of marketing at CipherCloud, a leading San Jose, CA-based CASB vendor. We met at RSA 2020 and had a lively discussion about how today’s cloud-mobile environment enables network users to bypass traditional security controls creating gaping exposures, at this point, going largely unaddressed.