A10 Networks: What is network security and who suffers DDoS attacks?

Network security starts with having a well-protected network. This means keeping intruders out, and continuously scanning for potential breaches, malware and flagging those attempted compromises. One of the biggest threats increasing in popularity is a very specific type of attack called distributed denial of service (DDoS) attacks. These attacks are targeted at your internet servers, including web and database servers, and are designed to flood random traffic so that the servers can’t respond to legitimate users’ queries. They are very easy to mount, and without the right tools, very hard to prevent.

This post was part of the A10Networks glossary and can be found here.

Avast blog: Using AI as an offensive cyber weapon

The rise of offensive AIAI is a double-edged sword. It has enabled the creation of software tools that have helped to automate tasks such as prediction, information retrieval, and media synthesis, which have been used to improve various cyber defensive measures. However, AI has also been used by attackers to improve their malicious campaigns. For example, AI can be used to poison ML models and thus target their datasets and steal login credentials (think keylogging, for example). I recently spent some time at a newly created Offensive AI Research Lab run by Dr. Yisroel Mirsky. The lab is part of one of the research efforts at the Ben Gurion University in Beersheva, Israel. Mirsky is part of a team that published a report entitled “The Threat of Offensive AI to Organizations”. The Offensive AI Research Lab’s report and survey show the broad range of activities (both negative and positive) that are made possible through offensive AI.

You can read my latest post for Avast’s blog here.

Qualys annual user conference live blogging

Qualys’ annual security conference returned to a live-only event this week at the Venetian Hotel in Las Vegas, and the keynote addresses started things off on a very practical note… about selling coconuts, toasters, and carbon monoxide detectors. The first two keynotes featured speeches from both Shark Tank celebrity businessman and CEO of Cyderes, Robert Herjavec, and Qualys’ President and CEO, Sumedh Thakar. Both spoke around the similar theme of qualifying and quantifying digital cyber risks.

I am doing near-time blogging of their show, and this was the first of a series of posts.

The second post was a recap of the first day’s events, and included highlights from some of their customers and product team as they took a deeper dive into TotalCloud.

The third post profiled the special launch of the Qualys Threat Research Unit, showing some of its research and how it compiles threat intel and works with various industry bodies to share this data.

The next post highlights some of Qualys’ customers who came to the event to tell some of their stories about how their companies have benefitted from their products.

My final post recaps the second day of the conference sessions and some of the more interesting aspects of various Qualys products.

Avast blog: CISA recommendations on providing phishing-resistant authentication

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently published a fact sheet on implementing phishing-resistant multi-factor authentication (MFA). The publication is in response to a growing number of cyberattacks that leverage poor MFA methods. “Not all forms of MFA are equally secure. Some forms are vulnerable to phishing, push bombing attacks, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, or SIM swap attacks,” the agency writes. The strongest form of phishing protection is to employ FIDO2 or WebAuthn-based tokens as your MFA method, what CISA calls the “gold standard.”

You can read more at my latest blog post for Avast here.

Avast blog: The latest challenges to Section 230 reach the Supreme Court

The 2015 murder of the 23-year ago American student Nohemi Gonzalez is about to take center stage in a case that has made its way to the US Supreme Court. The woman was one of 129 people killed in Paris by a group of ISIS terrorists. Her estate and family members sued Google, claiming that a series of YouTube videos posted by ISIS are the cause of the attack (and her death), and requests damages as part of the Anti-Terrorism Act.

At the heart of the resulting Gonzalez v. Google case lies Section 230 of the Communications Decency Act of 1996. This section has been routinely vilified by various political groups, who claim that the protections under this section against civil suits should be struck down. For my latest blog for Avast, I summarize the various issues that are facing the court and implications for online communications.

The arguments are transcribed here.


Microsoft breached in September, thanks to a public Azure storage container

Last month, researchers discovered that someone at Microsoft misconfigured one of their Azure Blob Storage containers. The container had public access, which could have resulted in a data breach. It contained sensitive data from a high-profile cloud provider with 65,000 companies,111 countries and private data of 548,000 users. Microsoft was notified by the researchers and  reconfigured the bucket to make it private within several hours. “Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers,” posted Microsoft on their blog.

Another security researcher suggested that the data was a SQL server backup that was mistakenly placed on this open storage container.

The leak was dubbed BlueBleed and the original researchers published a search tool that anyone can use to find whether information from a domain is part of this leak. The key word in that last sentence is “anyone” and if you read the Microsoft blog you can see that they aren’t happy about the way the tool is set up, because anyone can search across any domain to find out whether any unprotected assets were part of this breach.

Certainly, having private data in public containers — those that have no password protection, let alone using any multiple authentication factors — continues to be a big problem. Chris Vickery has made his career discovering many of them, and this post from several years ago cited the more infamous (at least at that moment in time) of Amazon S3’s “leaky buckets.” All of the cloud storage vendors make it relatively easy to create a new storage container that anyone can access. But don’t blame them — it is just basic human nature to forget to lock the door properly.

How can you prevent this from happening?

First, ensure that your sensitive data is well-protected, with proper and strong MFA. Microsoft has various recommendations for securing Azure Blobs and using their various cloud and endpoint security tools.

Avoid promiscuous provisioning. A case in point is Twitter, which (according to Mudge’s testimony) stated that thousands of their employees — accounting for roughly half its workforce, and all its engineers — work directly on Twitter’s live product and have full access rights to interact with actual user data. Okta realized a similar situation in its breach analysis earlier this year, and has since moved to limit access by its tech support engineers. What is needed is to reduce these over-privileged accounts, and to limit who has access to your data. If a developer is testing code outside of a production system, ensure that the data is protected. Audit your accounts to find out who has what access, and to spot configuration errors. One research report found that in 2020, two-thirds of the threats cited by respondents were caused by cloud platform configuration errors.

Ensure that your key IT suppliers have updated contact information to communicate with you. Microsoft relied on a “if you haven’t heard from us, assume you aren’t part of the breach” system — that is not as good as telling everyone what happened. Messages can also get lost or sent to dead mailboxes.

Offboard employees properly and thoroughly. When someone leaves your company, ensure that all of their accounts have been revoked. Many IT managers readily admit that their Active Directories are outdated (that link brings you to the stat of 10% of accounts in these directories are inactive according to Microsoft) and don’t have sufficient resources to maintain, even for the simple situation of who is presently employed by their companies, let alone who has the correct access rights.

Avast blog: The IRS warns smishing attacks are on the rise

In a new blog for Avast, I report on a new study from the IRS which shows that smishing attacks — phishing using SMS text alerts– is on the rise. My wife and I have seen numerous messages that typically are phony package delivery acknowledgements on packages that we never ordered, or offers to send us money out of the blue.

The IRS said the attacks have increased exponentially, especially texts that appear to be coming from the taxing agency. It’s important to note that no matter who you are or your particular tax situation, the IRS never communicates with anyone in this fashion, or by email either. “It is phishing on an industrial scale,” said IRS commissioner Chuck Rettig.

Avast blog: Cryptojacking is back in the news – and it’s increasing

In my latest blog for Avast, I discuss the current state of affairs regarding cryptojacking — malware which takes root on your computers and generates crypto currency “mining” and creation. How it is detected and prevented. It has lots of current appeal to criminals because it continues to provide low risks for the rewards and profits generated: typically, the profit margin is about two percent of the computing costs for the resulting coins mined.

CSOonline: Secure web browsers for the enterprise compared

The web browser has long been the security sinkhole of enterprise infrastructure. While email is often cited as the most common entry point, malware often enters via the browser and is more difficult to prevent. Phishing, drive-by attacks, ransomware, SQL injections, man-in-the-middle, and other exploits all take advantage of the browser’s creaky user interface and huge attack surface, and the gullibility of most end users.

Enter the secure browser, which is available in a variety of configurations (as shown above) that can help IT managers get a better handle on stopping attackers from getting a foothold inside our networks.

I looked at four browsers in a variety of configurations in my latest review for CSOonline:

Avast blog: Beware of SEO poisoning

Holy SEO Poisoning Attack Example: SolarMarker Malware - Blog | Menlo  Security

Getting infected with malware isn’t just clicking on an errant file, but it usually occurs because an entire ecosystem is created by attackers to fool you into actually doing the click. This is the very technique behind something called SEO poisoning, in which seemingly innocent searches can tempt you with malware-infested links. The malware chain begins by an attacker generating loads of fake web content that are intended to “borrow” or piggyback on the reputation of a legitimate website. The fakes contain the malware and manage to get search results to appear higher on internet search engines. In this post for Avast’s blog, I describe the practice and offer some tips on how to steer clear of this problem.