Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

MY TAKE: Why the next web-delivered ad you encounter could invisibly infect your smartphone

By Byron V. Acohido

Google, Facebook and Amazon have gotten filthy rich doing one thing extremely well: fixating on every move each one of us makes when we use our Internet-connected computing devices.

Related: Protecting web gateways

The tech titans have swelled into multi-billion dollar behemoths by myopically focusing on delivering targeted online advertising, in support of online retailing. This has largely shaped the digital lives we’ve come to lead.

Turns out all of this online profiling has a dark side. Cybercriminals have begun escalating their efforts to bend the legitimate online advertising and retailing fulfillment ecosystem to their whims.

This development is unfolding largely off the radar screen of the website publishers who depend on this ecosystem, says Chris Olson, CEO of the Media Trust, a 15-year-old website security vendor, based in McLean, VA that is on the front lines of mitigating this seething threat.

Meanwhile, billions of consumers who participate in this ecosystem each minute of every day remain blissfully ignorant of how they are increasingly being placed in harm’s way, simply doing routine online activities, Olson told Last Watchdog.

Losing control of risk

Like most other pressing cybersecurity challenges today, the problem is rooted in digital transformation. Specifically, to make their digital operations ever more flexible and agile, enterprises have grown ever more reliant on third-party software developers. …more

GUEST ESSAY: Repelling social engineering attacks requires shoring up the weakest link: humans

By Cynthia Lopez

The problem with social engineering attacks is that they capitalize on the weakest link on any computer or network system: You! Avoiding social engineering attacks requires you to understand what they are and how they work.

Related: Why diversity needs to be part of security training

Social engineering takes advantage of human psychology to attack using deception and manipulation. Hackers know that humans are:

•Easily distracted. They usually don’t check links that they click on in an e-mail if it’s from somebody they trust. It could be an e-mail that looks like it came from their bank, from an online service they use, or even their boss.

Once they see that level of trust, they may unknowingly hand over their passwords or vital company information because they did not bother to verify the link – or sender – before clicking. For instance, an e-mail may come from paypa1.com instead of paypal.com (the number 1 in place of the letter l).

•Forgetful. Other social engineering attacks do not come via e-mail, but from plain stealing. Many people check their work e-mails and other office-related stuff from their phones. Often, they just save their password. If that device is left in a taxi or other public place, whoever picks up that phone is just a few taps away from learning your company’s secrets. …more

MY TAKE: Identity ‘access’ and ‘governance’ tech converge to meet data protection challenges

By Byron V. Acohido

As companies make more extensive use of evermore capable – and complex — digital systems, what has remained constant is the innumerable paths left wide open for threat actors to waltz through.

Related: Applying ‘zero trust’ to managed security services.

So why hasn’t the corporate sector been more effective at locking down access for users? It’s not for lack of trying. I recently discussed this with Chris Curcio, vice-president of channel sales at Optimal IdM, a Tampa, Fla.-based supplier of identity access management (IAM) systems, which recently announced a partnership with Omada, a Copenhagen-based provider of identity governance administration (IGA) solutions.

Curcio walked me through how identity management technologies evolved over the past two decades. He pointed out how they’ve gone through a series of consolidations, including one unfolding right now. I found this historical overview to be quite instructive. It shed light on how we got to this era of companies struggling to secure highly complex networks, housed on-premises and in overlapping public and private clouds, while at the same time striving to optimize the productivity of employees and – increasingly — third-party suppliers and contractors.

Fortunately, the identity management space has attracted and inspired some of the best and brightest tech security innovators and entrepreneurs. And the encouraging news is that the best of them have, once again, begun to seek out alliances in an effort to elevate baseline protections. Here are takeaways from our fascinating discussion:

Access pain points

As this century began, and companies began assembling the early iterations of modern business networks, there was a big need for employees to log into company email systems and business applications. So along came a group of startups supplying “single sign-on” capability – a way for a user to access multiple applications with one set of credentials.

A separate set of startups soon cropped up specifically to handle the provisioning of log on accounts that gave access to multiple systems, and also the de-provisioning of those accounts when a user left the company. It wasn’t too long before the single sign-on suppliers and the provisioning vendors began to merge; most of the leaders were acquired by tech giants like Oracle, IBM, Cisco, CA Enterprises and Sun Microsystems.

Not long afterwards, in about the 2010 time frame, IAM vendors first arrived on the scene, including Optimal IdM, Centrify, Okta and CyberArk, followed by many others. These vendors all spun out of the emergence of a new set of protocols, referred to as federated standards, designed to manage and map user identities across multiple systems. The IAM vendors took single sign-on to the next level, adding multi-factor authentication and other functionalities. …more

MY TAKE: Here’s why the Internet Society’s new Privacy Code of Conduct deserves wide adoption

By Byron V. Acohido

When Facebook founder Mark Zuckerberg infamously declared that privacy “is no longer a social norm” in 2010, he was merely parroting a corporate imperative that Google had long since established. That same year, then-Google CEO Eric Schmidt publicly admitted that Google’s privacy policy was to “get right up to the creepy line and not cross it.”

Related: Mark Zuckerberg’s intolerable business model.

We now know, of course, they weren’t kidding. Facebook’s pivotal role in the Cambridge Analytica scandal and Google getting fined $57 million last week by the French for violating Europe’s privacy rules are just two of myriad examples demonstrating how the American tech titans live by those credos.

But what if companies chose to respect an individual’s right to privacy, especially when he or she goes online? What if consumers could use search engines, patronize social media, peruse news and entertainment sites and use other internet-enabled services without abdicating all of their rights? What if companies stopped treating consumers as wellsprings of behavioral data – data to be voraciously mined and then sold to the highest bidder?

With Jan. 28 earmarked as Data Privacy Day —  an annual international privacy awareness campaign — these are reasonable questions to ask. These are ponderings that have been debated by captains of industry, government regulators, and consumer advocates in Europe and North America for the past decade and a half. …more

MY TAKE: What it takes to beat cybercrime in the age of DX and IoT: personal responsibility

By Byron V. Acohido

Back in 2004, when I co-wrote this USA TODAY cover story about spam-spreading botnets, I recall advising my editor to expect cybersecurity to be a headline-grabbing topic for a year or two more, tops.

Related:  A primer on machine-identity exposures

I was wrong. Each year over the past decade-and-a-half, a cause-and-effect pattern has spread more pervasively into the fabric of modern society. Each and every major advance of Internet-centric commerce – from e-tailing and email, to social media and mobile computing, and now on to the Internet of Things – has translated into an exponential expansion of the attack surface available to cybercriminals.

And malicious hackers have taken full advantage – whether they are motivated by criminal profits, backed by nation-state operatives, or simply desirous of bragging rights. Year-in and year-out, criminal innovation has far outpaced the effort on the part of companies and governments to defend their business networks, as well as to preserve the sanctity of our private data.

…more

NEW TECH: Can Project Furnace secure DX — by combining serverless computing and GitOps?

By Byron V. Acohido

Assuring the privacy and security of sensitive data, and then actually monetizing that data, — ethically and efficiently — has turned out to be the defining challenge of digital transformation.

Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace, an all-new open source software development platform.

Related: The need to fold ‘SecOps’ into ‘DevOps’

I had the chance to sit down with Furnace Ignite’s co-founders: John Blamire, chief operating officer, and Danny Waite, chief technology officer,  for a pre-launch briefing.

They walked me through how Project Furnace began as a quest to improve the output of SIEM (security information and event management) systems.

However, beyond improving legacy appproachs to network security, Blamire and Waite explained why they firmly believe Furnace could ultimately accelerate the design and implementation of all smart software — the next generation of apps destined to run everything from our shopping experiences to our driverless cars and our smart homes and cities. Here are takeaways from our meeting:

DX context

Furnace, in essence, seeks to aid and abet digital transformation, or DX, the ongoing digitization of essentially all human endeavors into a machine-readable format that can be automatically acted upon. DX is the wider context, here, in the sense that DX is made possible because of the rise of “datafication” — the processes by which we’ve come to rapaciously collect and store mind-boggling amounts of data from web forms, social media, mobile apps, surveillance cameras, IoT sensors and the like.

In 2016, Waite was assigned the task of coming up with a much better way to extract …more

GUEST ESSAY: Australia’s move compelling VPNs to cooperate with law enforcement is all wrong

By Bogdan Patru

The moment we’ve all feared has finally come to pass. When government agencies and international intelligence groups pooled together resources to gather user data, the VPN’s encryption seemed like the light at the end of the tunnel.

Related: California enacts pioneering privacy law

However, it looks like things are starting to break apart now that Australia has passed the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018”. On the 6th of December 2018, a law that is a direct attack on internet users’ privacy was agreed to by both the House of Representatives and the Senate.

The amendment forces all companies, even VPN providers, to collect and give away confidential user data if the police demand it. All telecoms companies will have to build tools in order to bypass their own encryption.

If suspicions appear that a crime has been or will be committed by one of their users, the law enforcement agencies are in their right to demand access to user messages and private data.

This Orwellian Thought Police is to be the judge, jury, and executioner in a digital world that shelters our personal lives and secrets. All the things we’d like to keep hidden from others. You know, this revolutionary idea called “privacy” Anyone?

Tech companies all over the world are unsure how this can be achieved without installing backdoors into their own security systems. These vulnerabilities are just like a stack of powder kegs ready to blow up at any moment. This is because anyone with knowledge of their existence could theoretically use those security holes to gain access to the user data. …more