When it Comes to Cybersecurity Practice, Don’t Be Okta.

I have written about Okta for many years, back when they were an upstart single-sign-on security vendor coming of age in the era of cloud access and identity. By way of perspective, back in 2012 (when I wrote that first Network World review and gave them high marks for their product), most of Okta’s competitors offered on-premises servers and the cloud was more of a curiosity than a sure bet. That seems very quaint by today’s standards, when the cloud is a foregone conclusion.

However, you can count me now as one of their detractors. This is why my hed says when it comes to cybersec practice, don’t be Okta.

Let’s look at the timeline over the past couple of years. During 2022 alone, they experienced a phishing attack, another major breach, and had their GitHub source code stolen. Then last year they saw two separate supply chain attacks that affected most of their customers, along with leaked healthcare data on almost five thousand of their employees. And last fall yet another attack on MGM and Caesars resorts was blamed on a flaw in their software. It is almost too hard to keep track, and I can’t guarantee that I got all of them.

Some of these attacks were due to clever social engineering, which is embarrassing for a cybersec company to fall into. Now, all of us can have some sympathy over being so compromised, and I know I have almost fallen for this trick, particularly when it comes in the form of a rando text message that asks how I am doing or something that appears innocent. But still: Don’t Be Okta. Spend less time multitasking, particularly when you are on your phone, and focus on every message, email, and communication that you receive to ensure that you aren’t about to play into some hacker’s hands. Pay attention!

Some of these attacks were due to bugs in how Okta set up their software supply chain, or poor identity provisioning, or a combination of things. Okta’s CSO David Bradbury was interviewed over the weekend and promised to do better, rolling out various security controls in an announcement last week. That’s great, but why has it taken so long?

One weakness that was repeatedly exploited by attackers was Okta’s lack of attention when it came to provisioning admin-level users. They are now making MFA required for all customer admin consoles. They are also requiring passwordless access for all internal employees. It has taken them, what, 15 years and multiple hacks to figure this out? Neither of these things is a heavy lift, yet I still talk to many folks who should know better who have resisted implementing these tools to protect their personal account logins. Don’t Be Okta!

How about better and more transparent breach reporting? Some of those supply chain attacks took months to figure out the depth, nature, and cause — and then for Okta to properly notify its customers. As an example, the September attack was initially estimated to impact one percent of its customers, before being revised to 100%. Oopsie. That doesn’t bode well for having a trusted relationship with your customers. The EU requires breach notification in two days. Was someone asleep or was management at fault for taking its sweet time getting the word out?

Buried in all the good cheery messaging from last week was this little tidbit: “As more features are rolled out in early access mode, the company intends to turn the controls deemed most beneficial on by default.” Ruh-oh. Turn them all on by default, right now! You want security by design?

Bradbury ironically admitted that security has never been a value historically for the company, and claims that almost half of their engineers are now working on security, apart from an actual security team. Just adding bodies isn’t necessarily the right move. Everyone needs to be focused on security, so I ask what are the other half of the devs doing that gives them a pass?

This isn’t the way forward. Don’t Be Okta! Take a closer look at your own security practices, and ensure that you have learned from their mistakes.

Dark Reading: Biometrics Regulation Heats Up, Portending Compliance Headaches

This year might be a boon for biometric privacy legislation. The topic is heating up and lies at the intersection of four trends: increasing artificial intelligence (AI)-based threats, growing biometric usage by businesses, anticipated new state-level privacy legislation, and a new executive order issued by President Biden this week that includes biometric privacy protections.

But things could backfire: A growing thicket of privacy laws regulating biometrics is aimed at protecting consumers amid increasing cloud breaches and AI-created deepfakes. But for businesses that handle biometric data, staying compliant is easier said than done. I explore the issues surrounding implementing and regulating biometrics in a post for Dark Reading today.

CSOonline: How to strengthen your Kubernetes defenses

Kubernetes-focused attacks are on the rise. Here is an overview of the current threats and best practices for securing your clusters. The runaway success of Kubernetes adoption by enterprise software developers has created motivation for attackers to target these installations with specifically designed exploits that leverage its popularity. Attackers have become better at hiding their malware, avoiding the almost trivial security controls, and using common techniques such as privilege escalation and lateral network movement to spread their exploits across enterprise networks. While methods for enforcing Kubernetes security best practices exist, they aren’t universally well known and require specialized knowledge, tools, and tactics that are very different from securing ordinary cloud and virtual machine use cases.

In this post for CSO, I examine the threat landscape, what exploits security vendors are detecting, and ways that enterprises can better harden their Kubernetes installations and defend themselves.

Book review: Micah Lee’s Hacks Leaks and Revelations

There has been a lot written about data leaks and the information contained therein, but few books that tell you how to do it yourself. That is the subject of Hacks, Leaks and Revelations that was recently published.

This is a unique, interesting and informative book, written by Micah Lee, who is the director of information security for The Intercept and has written numerous stories about leaked data over the years, including a dozen articles on some of the contents of the Snowden NSA files. What is unique is that Lee will teach you the skills and techniques that he used to investigate these datasets, and readers can follow along and do their own analysis with this data and others such as emails from the far-right group Oath Keepers. There are also materials leaked from the Heritage Foundation, and chat logs from the Russian ransomware group Conti. This is a book for budding data journalists, as well as for infosec specialists who are trying to harden their data infrastructure and prevent future leaks from happening.

Many of these databases can be found on DDoSecrets, the organization that arose from the ashes of WikiLeaks and where Lee is an adviser.

Lee’s book is also unique in that he starts off his journey with ways that readers can protect their own privacy, and that of potential data sources, as well as ways to verify that the data is authentic, something that even many experienced journalists might want to brush up on. “Because so much of source protection is beyond your control, it’s important to focus on the handful of things that aren’t.” This includes deleting records of interviews, any cloud-based data or local browsing history for example. “You don’t want to end up being a pawn in someone else’s information warfare,” he cautions. He spends time explaining what not to publish or how to redact the data, using his own experience with some very sensitive sources.

One of the interesting facts that I never spent much time thinking about before reading Lee’s book is that while it is illegal to break into a website and steal data, it is perfectly legal for anyone to make a copy of that data once it has been made public and do their own investigation.

Another reason to read Lee’s book is that there is so much practical how-to information, explained in simple step-by-step terms that even computer neophytes can quickly put into practice. Each chapter has a series of exercises, split out by operating system, with directions. A good part of the book dives into the command line interface of Windows, Mac and Linux, and how to harness the power of these built-in tools.

Along the way you’ll learn Python scripting to automate the various analytical tasks and use some of the custom tools that he and his colleagues have made freely available. Automation — and the resulting data visualization — are both key, because the alternative is a very tedious line-by-line examination of the data. He uses the example of searching the BlueLeaks data for “antifa” (this is a collection of data from various law enforcement websites that document misconduct), making things very real. He also covers other tools such as Signal, an encrypted messaging app, and BitTorrent, and offers advice on using disk encryption tools and password managers. Lee explains how they work and how he used them in his own data explorations.

One chapter goes into details about how to read other people’s email, which is a popular activity with stolen data.

The book ends with a series of case studies taken from his own reporting, showing how he conducted his investigations, what code he wrote and what he discovered. The cases include leaks from neo-Nazi chat logs, the anti-vax misinformation group America’s Frontline Doctors and videos leaked from the social media site Parler that were used during one of Trump’s impeachment trials. Do you detect a common thread here? These case studies show how hard data analysis is, but they also walk you through Lee’s processes and tools to illustrate its power as well.

Lee’s book is really the syllabus for a graduate-level course in data journalism, and should be a handy reference for beginners and more experienced readers. If you are a software developer, most of his advice and examples will be familiar. But if you are an ordinary computer user, you can quickly gain a lot of knowledge and see how one tool works with another to build an investigation. As Lee says, “I hope you’ll use your skills to discover and publish secret revelations, and to make a positive impact on the world while you’re at it.”

SiliconANGLE: Here are the major security threats and trends for 2024 – and how to deal with them

What a year 2023 was for cybersecurity!

It was a year the world became obsessed with generative artificial intelligence — and a year that brought new breaches with old exploits, a year that brought significant consolidation in the security tools marketplace, and a year when passkeys finally took hold, at least for consumers.

Are businesses better secured than before? Hardly. Attackers have continued to get more sophisticated, hiding in plain sight and using sneakier ways to penetrate enterprise networks. Ransomware is still a thing, and criminals are getting clever at using multiple tactics to extort funds from their victims.

In this story for SiliconANGLE, I’ve collected some of the more notable predictions for 2024, and offer my own recommendations for best security practices.

This week in SiliconANGLE

Here are the ones from the first part of the week.

  1. I did a video interview for a sponsored virtual event for TheCube here, talking about ransomware, air gapped networks, and other reasons to secure your data.
  2. An analysis of Infrastructure As Code — where it comes from, why it is important, and why it can be both blessing and trouble for IT and devs.
  3. An analysis of everyone’s least favorite hacking group, Lazarus of North Korea, and how they are changing tactics and using Telegram as a command channel, and scooping up millions of dollar-equivalents.
  4. This week, Ukraine’s largest telecom carrier got hit with a massive cyberattack. They are gradually bringing things back online, including the ordinary (like people’s cell phones and banks’ ATMs) and the war-related stuff used to target the people most likely to have originated the attack (you know who they are).
  5. A new report from Cloudflare shows their growth in internet traffic along with other interesting stuff such as outages and the percentage of those poor souls who are still using ancient TLS versions.
  6. Another report that examines the past year or so of various cyber attacks and other assorted breaches from a very well respected source at MIT.

This week in SiliconANGLE

Here are this week’s stories in SiliconANGLE. My most interesting story is about one man’s effort to improve the power grid in Ukraine, thanks to a very clever collection of Cisco networking gear that provides backups when the GPS systems are jammed by the Russians.

This week in SiliconANGLE

Here are four stories that I wrote this week.

This week in SiliconANGLE

Happy holidays! Here are my stories for the week:

  • The group behind LockBit ransomware is now exploiting the Citrix Bleed vulnerability, which made big news last month and still puts thousands of devices around the world at risk. US and Australian cybersec officials released a security advisory this week that provides the details, and my article follows up with what is going on with this very dangerous and prolific ransomware operation.
  • The group behind the Phobos ransomware is also stepping up its game.
  • I examine a series of recent cloud security reports, some surveys of IT managers and some taken from actual network telemetry of customers and public sources, to show a not very rosy picture of the situation. Secondary issues such as security alerts take too much time to resolve, and risky behaviors fester without any real accountability to prevent or change.

The latest ransomware ploy

Say your company has just been attacked by a ransomware gang, and they are demanding payment or they will do various criminal acts. So whom do you call first?

  1. The corporate security manager, to lock down your network and begin the process of figuring out how they got in, what damage they have caused, and what your company needs to do to get back to normal operations,
  2. The chief legal officer, to activate law enforcement solutions,
  3. Your insurance agent, to find out the specifics of your cybersecurity policy and to begin the claims process
  4. The chief compliance officer, to begin the process of letting the various regulatory authorities know that a breach has occurred.

Ideally, you should make all of these calls in quick succession. But a situation involving a finserv firm’s ransom attack earlier this month has brought about a new wrinkle in what is now called the multipoint extortion games. This term refers to ransomware gangs using more than just encrypting your data as a way to motivate a company to pay up. Now they file a complaint with the SEC.

Say what? You mean that the folks who caused the breach are now letting the feds know? How is this possible? Read this story by Ionut Ilascu in Bleeping Computer for the deets. They have the victim on the record that they were breached, and information from the ransomware group seems to match up with a complaint that was filed with the SEC at about the same time. So how annoyed was the ransomware gang that they decided on this course of action? The victim says they have contained the attack. The one trouble? Apparently the breach notification law that requires the mandatory disclosure doesn’t come into effect until next month. Someone needs to provide legal assistance to the bad guys and at least let them know their rights. (JK)

But seriously, if you have a corporate culture that prevents breach disclosure to your customers — at a minimum — now is the time to fix that and become more transparent, before you lose your customers along with the data that the ransomware folks supposedly grabbed.

This week on SiliconANGLE, I covered major security announcements adding AI features to the product lines of Microsoft, Palo Alto Networks, and Wiz. All are claiming — incorrectly — to be the first to do so.