You may have heard the term “script kiddies”, which usually refers to adults who hack into business networks. However, lately there has been a significant rise in cybercrime attacks from actual school-age children. A new report from the UK’s National Crime Agency has found the average age for DDoS hackers has dropped to 15, with some students being as young as nine years old. The issue is that DDoS attacks are easy enough for even a kid to carry out.
In the arsenal of cybersecurity defenses is the series of exercises that go by the name of red team/blue team simulated attack. These simulations are purposely designed to closely mimic actual real-world conditions. For example, one of the red team members would take on the role of an employee clicking on a phishing link that deposits malware on the network. The defending team members must then find this malware before it spreads across their network and infects web servers and other applications. To make things more realistic, the simulation replays real network traffic to obscure the attacks, just like in the real world.
In this piece for CSOonline, I discuss the difference between the various colored designations, why you would want to conduct these exercises, and some recommended steps to take to pull this off.
Linode has published an excellent series of red team exercises that is worth looking at.
The often-exploited Remote Desktop Protocol (RDP) is once again in the news. This time, it has a new attack vector that was discovered by researchers and subsequently patched earlier this month by Microsoft. Given that all versions of Windows for the past 10 years – for both desktop and server – need to be patched, you should put this on your priority list, especially since this new problem can be easily exploited. In my latest post for Avast’s blog, I describe what this new challenge is about and ways that you can minimize any potential exploits.
The Verge has put together a solid collection of articles on how to deal with the not-so-new realities of working from home. They had me write a piece on how to share your work files, and you can read it here. The days when we were all connected to the same shared drive or local network folder are now quaint memories. Sharing files today takes some careful planning, particularly if you want to do so as securely as possible.
In my article, I cover the various methods that are available, from sharing a file attached to an email or instant message to using public cloud services like Dropbox to using Google Workspace and Microsoft OneDrive. But the best solution is a group of business-related cloud services that I summarize in this chart.
| Vendor | Monthly pricing | Max. file upload | Free trial period | Application integration |
|---|---|---|---|---|
| Egnyte | $20/user | 100 GB | 15 days | Extensive |
| SecureDocs | $250 for unlimited users | Unlimited | 14 days | Limited |
| ShareFile/Citrix | $50 for unlimited users | 100 GB | 30 days | Extensive |
| SugarSync | $55 for 3 users | 300 GB for web clients | 30 days | Limited |
One of the biggest threats facing both large and small businesses alike goes by the moniker credential stuffing. In these attacks, the bad guys count on our reuse of passwords across two or more logins, and once they find a user name/password that works, they try to use that information to break into our other accounts. Akamai, in its latest State of the Internet report, says that it has seen over 193 billion credential stuffing attacks in 2020. These attacks can cost billions of dollars annually, when adding up the cost of remediating the problem, handling all the user calls for password resets, and changing other operations. The office of New York Attorney General Letitia James has found thousands of posts containing login credentials that had been tested in credential stuffing attacks. In order to combat credential stuffing attacks, James’ office recently released a business guide.
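The signature of a credential stuffing run described above is one source address trying a stolen username/password list against many different accounts in a short time, with the occasional success marking a reused password. The following detector is an added example written for this page, not code from the article, Akamai, or the Attorney General’s guide; the log format, the field names, the threshold of four distinct usernames in a five-minute window, and the sample lines (addresses from the RFC 5737 documentation ranges) are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (invented for this example).
# 203.0.113.7 walks a stolen credential list across six different accounts in
# seconds and gets one hit; 198.51.100.4 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2021-01-10T08:00:01Z auth FAIL user=alice src=203.0.113.7
2021-01-10T08:00:02Z auth FAIL user=bob src=203.0.113.7
2021-01-10T08:00:03Z auth FAIL user=carol src=203.0.113.7
2021-01-10T08:00:04Z auth FAIL user=dave src=203.0.113.7
2021-01-10T08:00:05Z auth OK user=erin src=203.0.113.7
2021-01-10T08:00:06Z auth FAIL user=frank src=203.0.113.7
2021-01-10T08:01:00Z auth FAIL user=grace src=198.51.100.4
2021-01-10T08:01:09Z auth OK user=grace src=198.51.100.4
"""

# Hypothetical line layout: ISO timestamp, "auth", result, user=..., src=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=4):
    """Flag source addresses whose failed logins span many distinct usernames
    inside a sliding time window. A successful login from such a source, while
    the window is still hot, is reported as a likely reused (stuffed) password.
    Returns {src: {"distinct_users": peak, "likely_compromised": [users]}}."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        recent_failures = deque()  # (timestamp, username) of FAILs inside the window
        peak_distinct = 0
        compromised = set()
        for e in evs:
            # Drop failures that have aged out of the window.
            while recent_failures and e["ts"] - recent_failures[0][0] > window:
                recent_failures.popleft()
            if e["result"] == "FAIL":
                recent_failures.append((e["ts"], e["user"]))
            distinct = len({u for _, u in recent_failures})
            peak_distinct = max(peak_distinct, distinct)
            # A success from a source that just failed across many accounts is
            # the stuffing hit: the password for this user is probably reused.
            if e["result"] == "OK" and distinct >= min_distinct_users:
                compromised.add(e["user"])
        if peak_distinct >= min_distinct_users:
            findings[src] = {
                "distinct_users": peak_distinct,
                "likely_compromised": sorted(compromised),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} distinct accounts tried; "
              f"force password reset for {info['likely_compromised']}")
```

The threshold keys on distinct usernames rather than raw failure counts, which is what separates stuffing from one person fumbling their own password, and the flagged successes are the accounts to force a reset on, the remediation step whose cost the paragraph describes.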
Edward Snowden and Pulitzer Prize-winning journalists Glenn Greenwald and Chris Hedges have recently come together in a video conference call moderated by Amy Goodman of Democracy Now. In the video, the group talks about the past eight years of privacy problems and other significant events. After Snowden leaked documents from the NSA and left its employment in 2013, he has been living in Moscow and has since been charged with violating the Espionage Act. I review the discussion in this blog post for Avast and explore his history, the state of affairs around Julian Assange’s self-imposed exile in London, and the relationship between governments and individual privacy in light of the NSA’s mass surveillance that was revealed by Snowden.
A years-long research effort between computer scientists at Stony Brook University and private industry researchers has found more than 1,000 new and more sophisticated phishing automation toolkits across the globe. What’s interesting about this effort is that these tools can help subvert the multi-factor authentication (MFA) of just about any website using two key techniques: man-in-the-middle (MITM) attacks and reverse web proxies. In my blog post for Avast, I talk about how the attack works, how these tools were found in the wild, and what you can do about them to keep using MFA to protect your own logins.
The US Cyberspace Solarium Commission’s latest report, entitled Countering Disinformation in the US, is the latest analysis to come from this two-year-old bipartisan Congressional think tank. The report, which was released earlier this month, takes a closer look at the way disinformation is spread across digital networks and proposes a series of policy actions to slow its spread using a layered defense.
Whether or not the US Congress will take up these recommendations is hard to say. Certainly, the current hyper-partisan split won’t make it easier. You can see the move away from bipartisan bill sponsorship as documented by the report in the graph above. You can read more in my post for Avast here.
Earlier this month, security researchers uncovered a series of major vulnerabilities in the Log4j Java software that is used in tens of thousands of web applications. The code is widely used across consumer and enterprise systems, in everything from Minecraft, Steam, and iCloud to Fortinet and Red Hat systems. One analyst estimates millions of endpoints could be at risk.
There are at least four major Log4j vulnerabilities. What is clear is that as an application developer, you have a lot of work to do to find, fix, and prevent Log4j issues in the near term, and a few things to worry about in the longer term.
I am back on Shaun St. Hill’s Tech and Main podcast, this time talking about the benefits and frustrations of using passwordless technologies. There are some signs of hope, particularly with new tools that don’t require you to type in one-time codes but can recognize your smartphone’s intrinsic hardware to help authenticate you. Of course, this means you need a smartphone for every employee.