A10 Networks: What is network security and who suffers DDoS attacks?

Network security starts with a well-protected network: keeping intruders out, continuously scanning for potential breaches and malware, and flagging attempted compromises. One of the fastest-growing threats is a very specific type of attack, the distributed denial of service (DDoS) attack. These attacks are aimed at your internet-facing servers, including web and database servers, and are designed to flood them with junk traffic so that they can’t respond to legitimate users’ requests. They are very easy to mount and, without the right tools, very hard to stop.

This post was part of the A10Networks glossary and can be found here.

Avast blog: Using AI as an offensive cyber weapon

The rise of offensive AI

AI is a double-edged sword. It has enabled software tools that automate tasks such as prediction, information retrieval, and media synthesis, which have been used to improve various cyber defensive measures. However, AI has also been used by attackers to improve their malicious campaigns. For example, AI can be used to poison ML models by tampering with their training datasets, or to steal login credentials (think AI-assisted keylogging). I recently spent some time at a newly created Offensive AI Research Lab run by Dr. Yisroel Mirsky. The lab is part of one of the research efforts at Ben Gurion University in Beersheva, Israel. Mirsky is part of a team that published a report entitled “The Threat of Offensive AI to Organizations”. The Offensive AI Research Lab’s report and survey show the broad range of activities (both negative and positive) that are made possible through offensive AI.

You can read my latest post for Avast’s blog here.

Is this the beginning of the end of Twitter?

It isn’t a rhetorical question. We are certainly witnessing a unique moment in social media history and in the evolution or devolution of Twitter. I am gathering my thoughts for an interesting presentation that I have at the end of the week at a local high school entrepreneurship class.

For more than six years, I have been a guest lecturer at a class called Spark that meets at a local disused shopping mall. The topic of these lectures is how to use social media, and in particular Twitter, to promote your new business. I offer some of the spectacular Twitter fails (remember Jonathan Schwartz’s resignation as CEO of Sun? Remember Sun?) and lessons learned by adults that can apply to the young business-owners-to-be. The students are fascinating as they try to imitate the now iconic Shark Tank pitches. They are largely self-funded, low-budget operations, but what they lack in venture funding they more than make up for with tremendous passion and insight into their nascent businesses.

This year there were two different sections of students, a nod towards the growing popularity of student business owners. My first lecture was about a month ago, and I basically used the same set of slides that I have had, updated through the years as we made the transition from presidents using Blackberries to presidents using their own social media networks. That was the before times. We knew Elon was up to something, we just didn’t know the deets.

Now we do. And so far the Bird is not faring well. Thousands of layoffs. Whipsawing technical requirements that literally change by the hour. Troll Tweeting by your CEO is not a way to set corporate (or national) policy. In my Spark classes over the years I have been consistent that the students should avoid any mention of sex, politics and religion. The new Twitter CEO has adopted the opposite stand. I don’t think things are going to end well.

Remember Orkut, Friendster, SixDegrees or Myspace? They have all come and gone over the past 25 years. Twitter may soon enter that realm. I feel as though I am witnessing the breakup of my first marriage, or the collapse of the British Monarchy, and the less I say about either of them the better.

Twitter has evolved from being the world’s town square and the global media assignment editor to the place for shaming. Those blue checkmarks that seemed so valuable back in 2012 or so have turned into Troll-a-rama. Someone impersonating Eli Lilly’s account brought the stock price down the next day. And as if that wasn’t enough, a reporter for the Washington Post was able to obtain two fake accounts within minutes, impersonating a comedian and a US Senator (with prior permission from both).

Many of my tech journo colleagues have begun the migration to Mastodon. You can find me here. I am still Tweeting too, but leery of what will happen. It is interesting to set out to learn another social media network. Hindsight is great: I am glad that I didn’t invest much time in Google+.

While I was preparing the new presentation for my Spark class, I also watched the 2021 documentary 15 Minutes of Shame, which was co-produced by Monica Lewinsky. It was well done, and shows us how public shaming has evolved since her Clinton intern days. I think Twitter’s new model is more the town dump than the town square.

My session should be interesting. You can view my new slides here on Slideshare.

Qualys annual user conference live blogging

Qualys’ annual security conference returned to a live-only event this week at the Venetian Hotel in Las Vegas, and the keynote addresses started things off on a very practical note… about selling coconuts, toasters, and carbon monoxide detectors. The first two keynotes featured speeches from Shark Tank celebrity businessman and CEO of Cyderes Robert Herjavec, and from Qualys’ President and CEO Sumedh Thakar. Both spoke on the same theme of qualifying and quantifying digital cyber risks.

I am doing near-real-time blogging of their show, and this was the first of a series of posts.

The second post was a recap of the first day’s events, and included highlights from some of their customers and product team as they took a deeper dive into TotalCloud.

The third post profiled the special launch of the Qualys Threat Research Unit, showing some of its research and how it compiles threat intel and works with various industry bodies to share this data.

The next post highlights some of Qualys’ customers who came to the event to tell stories about how their companies have benefitted from its products.

My final post recaps the second day of the conference sessions and some of the more interesting aspects of various Qualys products.

How Red Cross volunteer Dianne Tattitch helped with the Florida floods of Hurricane Ian

One of the fun volunteer jobs that I have is talking to American Red Cross volunteers about the wonderful work they do to help others in need. I recently wrote this post for the local chapter’s blog about the efforts of Dianne Tattitch (who works in IT for Mastercard) and what she did for those impacted by Hurricane Ian in Florida. Here she is helping with her guest’s laundry needs.


Avast blog: CISA recommendations on providing phishing-resistant authentication

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently published a fact sheet on implementing phishing-resistant multi-factor authentication (MFA). The publication is a response to a growing number of cyberattacks that get around weaker MFA methods. “Not all forms of MFA are equally secure. Some forms are vulnerable to phishing, push bombing attacks, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, or SIM swap attacks,” the agency writes. The strongest protection is to use FIDO/WebAuthn authenticators (hardware security keys or built-in platform authenticators) as your MFA method, which CISA calls the “gold standard”; PKI-based MFA such as smart cards is the other phishing-resistant option it lists. What makes these phishing-resistant is that the credential is bound to the site’s origin, so a look-alike phishing page cannot obtain a login response that works on the real site.

You can read more at my latest blog post for Avast here.
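To show where that origin binding actually gets enforced, here is an added example (my illustration, not CISA’s or Avast’s code, and not a complete WebAuthn library) of the relying-party checks on a WebAuthn assertion. The origin login.example.com, the RP ID, and the phishing domain evil-phish.net are assumed for the demo. The browser, not the web page, writes the origin field into clientDataJSON, and the authenticator signs over it, so a relay proxy on another origin cannot produce an assertion that passes these checks; the signature verification that follows them is noted but omitted, since it needs a crypto library.

```python
"""Relying-party checks that make a WebAuthn/FIDO2 assertion phishing-resistant.

Added illustration, not CISA's or Avast's code. Before verifying the signature,
the relying party (RP) must confirm that the clientDataJSON the authenticator
signed over names the RP's own origin and the challenge the RP issued, and that
authenticatorData carries SHA-256(rpId). Values below are assumed for the demo.
"""
import base64
import hashlib
import json
import os
from typing import Tuple

EXPECTED_ORIGIN = "https://login.example.com"   # assumed RP origin
EXPECTED_RP_ID = "login.example.com"            # assumed RP ID


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, sign_count: int, user_present: bool = True) -> bytes:
    """Minimal 37-byte authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    flags = 0x01 if user_present else 0x00          # bit 0 = UP (user present)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> str:
    """What the browser serialises (base64url) for the authenticator to sign over."""
    payload = {"type": ceremony, "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN,
                     expected_rp_id: str = EXPECTED_RP_ID) -> Tuple[bool, str]:
    """Return (ok, reason). Omitted: the signature over auth_data || SHA-256(clientDataJSON)
    checked with the credential's stored public key, which comes after these checks."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:                               # covers binascii.Error and JSONDecodeError
        return False, "clientDataJSON not decodable"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != expected_origin:   # the phishing-resistance check
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Genuine login passes; the same challenge relayed via a phishing origin, or a
    stale challenge replayed, is rejected before any signature is even examined."""
    challenge = os.urandom(32)
    auth_data = make_authenticator_data(EXPECTED_RP_ID, sign_count=7)
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    phished = make_client_data("https://login.example.com.evil-phish.net", challenge)  # assumed attacker origin
    return {
        "genuine": verify_assertion(genuine, auth_data, challenge)[0],
        "phished": verify_assertion(phished, auth_data, challenge)[0],
        "replayed": verify_assertion(genuine, auth_data, os.urandom(32))[0],
    }


if __name__ == "__main__":
    print(demo())
```

In practice the phishing page never gets this far: the browser refuses to invoke a credential whose RP ID is not a registrable suffix of the page’s own origin, which is why a TOTP code or a push approval can be relayed through a proxy but a FIDO assertion cannot.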

Once again an Enactus judge

Once again I had an opportunity to judge several collegiate entrepreneurial efforts as part of the Enactus 2022 world cup competition. I was a virtual judge at last year’s competition and wrote about my experience then. This time around I was working with four teams, each of which had rather innovative ways to make and sell cattle feed. Now, such a mundane topic you wouldn’t think much of, and you would be wrong. I didn’t get to judge the ultimate winner, a team from Egypt. But I was impressed with the Tunisian team from the Higher Institute of Computer Science of El Manar. You can see their Enactus Report document here. What was impressive about the Tunisian students was how focused they were on solving several problems with their venture. First, they wanted to eliminate the use of imported corn and soy feedstocks that were very expensive for the ultimate feed product. They wanted to make use of by-products of human food production that could go into animal feeds, and to increase the nutritional value of the feed to provide better health and muscle production. Their project generated a net income of US$25,000 with 40 farmers using the feed, which was a third cheaper than the existing commercial feed and produced entirely from Tunisian sources. They have plans to expand their project to neighboring countries next year.


Book Review: Dead and Gondola

A bookstore in a small Colorado ski town is at the center of a murder. The sisters who own the store imagine themselves as amateur sleuths, and you meet many of the townsfolk, all of whom have secrets to keep and interesting lives that unfold over the course of the following days. The characters are all charming in their own special ways, and there are a lot of classic drawing-room murder mystery setups as one or another comes under suspicion. If you are a fan of bookstores or ski towns, you will appreciate the setting even more.

The book is available on AMZ here.

Avast blog: The latest challenges to Section 230 reach the Supreme Court

The 2015 murder of the 23-year-old American student Nohemi Gonzalez is about to take center stage in a case that has made its way to the US Supreme Court. She was one of 129 people killed in Paris by a group of ISIS terrorists. Her estate and family members sued Google, claiming that a series of YouTube videos posted by ISIS were the cause of the attack (and her death), and seek damages under the Anti-Terrorism Act.

At the heart of the resulting Gonzalez v. Google case lies Section 230 of the Communications Decency Act of 1996. This section has been routinely vilified by various political groups, who claim that the protections under this section against civil suits should be struck down. For my latest blog for Avast, I summarize the various issues that are facing the court and implications for online communications.

The arguments are transcribed here.


Microsoft breached in September, thanks to a public Azure storage container

Last month, researchers discovered that someone at Microsoft misconfigured one of their Azure Blob Storage containers. The container allowed anonymous public access, which exposed its contents to anyone who found the URL. It contained sensitive data from a high-profile cloud provider covering 65,000 companies in 111 countries and private data of 548,000 users. Microsoft was notified by the researchers and reconfigured the container to make it private within several hours. “Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers,” posted Microsoft on their blog.

Another security researcher suggested that the data was a SQL server backup that was mistakenly placed on this open storage container.

The leak was dubbed BlueBleed and the original researchers published a search tool that anyone can use to find whether information from a domain is part of this leak. The key word in that last sentence is “anyone” and if you read the Microsoft blog you can see that they aren’t happy about the way the tool is set up, because anyone can search across any domain to find out whether any unprotected assets were part of this breach.

Certainly, having private data in public containers (those that allow anonymous reads with no authentication at all, let alone a second factor) continues to be a big problem. Chris Vickery has made his career discovering many of them, and this post from several years ago cited the more infamous (at least at that moment in time) of Amazon S3’s “leaky buckets.” All of the cloud storage vendors make it relatively easy to create a new storage container that anyone can access. But don’t blame them: it is just basic human nature to forget to lock the door properly.

How can you prevent this from happening?

First, ensure that your sensitive data is well protected, with proper and strong MFA for everyone who can reach it. For Azure storage in particular, the fix for this class of leak is not a stronger password but turning off anonymous access entirely: disable public blob access at the storage-account level so that no individual container in it can be made public, and keep the account’s network default action at Deny. Microsoft has various recommendations for securing Azure Blobs and using its various cloud and endpoint security tools.

Avoid promiscuous provisioning. A case in point is Twitter: according to Mudge’s whistleblower testimony, thousands of its employees, roughly half its workforce and all its engineers, work directly on Twitter’s live product and have full access rights to interact with actual user data. Okta found a similar situation in its breach analysis earlier this year, and has since moved to limit access by its tech support engineers. What is needed is to reduce these over-privileged accounts, and to limit who has access to your data. If a developer is testing code outside of a production system, ensure that the data is protected. Audit your accounts to find out who has what access, and to spot configuration errors. One research report found that in 2020, two-thirds of the threats cited by respondents were caused by cloud platform configuration errors.
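The two preceding recommendations, locking down blob storage and auditing for configuration errors, come down to a few properties you can check mechanically. The following is an added example of mine (not Microsoft’s code or any Azure tooling) that flags storage accounts and containers open to anonymous access. It runs over JSON shaped the way I understand the Azure CLI reports it (`az storage account list` for accounts, `az storage container list --account-name NAME --auth-mode login` for containers); the two accounts and their containers are constructed for the illustration.

```python
"""Flag Azure storage accounts and blob containers that allow anonymous access.

Added example; not Microsoft's code or tooling. Input is JSON shaped like the
Azure CLI output of `az storage account list` and, per account,
`az storage container list --account-name NAME --auth-mode login`.
The records below are constructed for the illustration.
"""
import json

# Constructed sample of two storage accounts (only the fields used here are shown).
ACCOUNTS_JSON = """[
  {"name": "prodlogs01", "resourceGroup": "rg-prod",
   "allowBlobPublicAccess": false, "minimumTlsVersion": "TLS1_2",
   "networkRuleSet": {"defaultAction": "Deny"}},
  {"name": "devscratch", "resourceGroup": "rg-dev",
   "allowBlobPublicAccess": true, "minimumTlsVersion": "TLS1_0",
   "networkRuleSet": {"defaultAction": "Allow"}}
]"""

# Constructed sample of the containers in each account.
CONTAINERS_JSON = {
    "prodlogs01": '[{"name": "audit", "properties": {"publicAccess": null}}]',
    "devscratch": """[
      {"name": "sqlbackups",   "properties": {"publicAccess": "container"}},
      {"name": "ci-artifacts", "properties": {"publicAccess": "blob"}},
      {"name": "private",      "properties": {"publicAccess": null}}
    ]""",
}


def audit_storage(accounts, containers_by_account):
    """Return (account, container, severity, message) tuples.
    container is None for account-level findings."""
    findings = []
    for acct in accounts:
        name, rg = acct["name"], acct.get("resourceGroup", "?")
        # Account-level switch: once false, no container in the account can be made
        # public, so enforce this rather than relying on per-container hygiene.
        if acct.get("allowBlobPublicAccess") is not False:
            findings.append((name, None, "HIGH",
                             "public blob access not disabled; run: az storage account update "
                             "-n %s -g %s --allow-blob-public-access false" % (name, rg)))
        if (acct.get("networkRuleSet") or {}).get("defaultAction") != "Deny":
            findings.append((name, None, "MEDIUM",
                             "network default action is Allow; restrict to selected "
                             "networks or private endpoints"))
        if acct.get("minimumTlsVersion") != "TLS1_2":
            findings.append((name, None, "LOW",
                             "minimum TLS version is %s; require TLS1_2"
                             % acct.get("minimumTlsVersion")))
        for container in containers_by_account.get(name, []):
            level = (container.get("properties") or {}).get("publicAccess")
            # "blob" = anonymous read by URL; "container" = anonymous listing as well.
            if level:
                findings.append((name, container["name"], "HIGH",
                                 "container is anonymously readable (publicAccess=%s)" % level))
    return findings


def run_audit():
    """Parse the constructed samples and audit them."""
    accounts = json.loads(ACCOUNTS_JSON)
    containers = {n: json.loads(j) for n, j in CONTAINERS_JSON.items()}
    return audit_storage(accounts, containers)


if __name__ == "__main__":
    for acct, container, severity, message in run_audit():
        target = acct + ("/" + container if container else "")
        print("%-6s %s: %s" % (severity, target, message))
```

The BlueBleed case was exactly the `sqlbackups`-style finding: a backup dropped into a container whose access level nobody had checked. Running the account-level check across every subscription, and failing a deployment pipeline on any HIGH finding, catches that before a researcher does.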

Ensure that your key IT suppliers have updated contact information to communicate with you. Microsoft relied on a “if you haven’t heard from us, assume you aren’t part of the breach” system — that is not as good as telling everyone what happened. Messages can also get lost or sent to dead mailboxes.

Offboard employees properly and thoroughly. When someone leaves your company, ensure that all of their accounts have been revoked. Many IT managers readily admit that their Active Directories are outdated (that link cites a Microsoft statistic that 10% of the accounts in these directories are inactive) and that they don’t have sufficient resources to maintain them, even for the simple question of who is presently employed by the company, let alone who has the correct access rights.
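Finding those inactive accounts is a query, not a project. Here is an added example of mine (not Microsoft’s tooling) that flags enabled accounts nobody has used in 90 days, working on records of the kind an LDAP export or `Get-ADUser -Properties lastLogonTimestamp,userAccountControl,whenCreated` returns; the five accounts are constructed for the illustration, with a fixed reference date so the results are reproducible. The one caveat a practitioner needs: lastLogonTimestamp is a Windows FILETIME and is only replicated between domain controllers when it is more than 14 days out of date, so it is useless for “who logged in this week” but fine for a 90-day threshold.

```python
"""Find enabled Active Directory accounts that have gone stale.

Added example, not Microsoft's tooling. Records are shaped as an LDAP export or
Get-ADUser would return them; the five below are constructed for the illustration.
lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC) replicated only
when it is more than 14 days stale, so the threshold must be well above 14 days.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002                 # userAccountControl bit set on disabled accounts
REPLICATION_SLACK_DAYS = 14             # lastLogonTimestamp may lag real logons by this much
NOW = datetime(2022, 11, 15, tzinfo=timezone.utc)   # fixed reference date for the demo


def filetime_to_datetime(ft):
    """FILETIME integer -> aware datetime; 0 or None means the account never logged on."""
    if not ft:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME integer (integer arithmetic, no float rounding)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))


# Constructed sample: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
ACCOUNTS = [
    {"sAMAccountName": "jdoe",        "userAccountControl": 512, "lastLogonTimestamp": _days_ago(3),   "whenCreated": NOW - timedelta(days=900)},
    {"sAMAccountName": "contractor7", "userAccountControl": 512, "lastLogonTimestamp": _days_ago(180), "whenCreated": NOW - timedelta(days=700)},
    {"sAMAccountName": "svc-backup",  "userAccountControl": 512, "lastLogonTimestamp": 0,              "whenCreated": NOW - timedelta(days=400)},
    {"sAMAccountName": "mlee",        "userAccountControl": 514, "lastLogonTimestamp": _days_ago(200), "whenCreated": NOW - timedelta(days=1200)},
    {"sAMAccountName": "newhire",     "userAccountControl": 512, "lastLogonTimestamp": 0,              "whenCreated": NOW - timedelta(days=5)},
]


def find_stale_accounts(accounts, now=NOW, threshold_days=90):
    """Return (sAMAccountName, reason) for enabled accounts unused for threshold_days.
    Disabled accounts are skipped (already offboarded); never-used accounts are judged
    by creation date so a five-day-old new hire is not flagged."""
    if threshold_days <= REPLICATION_SLACK_DAYS:
        raise ValueError("threshold must exceed lastLogonTimestamp replication slack")
    threshold = timedelta(days=threshold_days)
    stale = []
    for acct in accounts:
        if acct["userAccountControl"] & ACCOUNTDISABLE:
            continue
        last = filetime_to_datetime(acct.get("lastLogonTimestamp"))
        if last is None:
            age = now - acct["whenCreated"]
            if age > threshold:
                stale.append((acct["sAMAccountName"],
                              "never logged on, created %d days ago" % age.days))
        elif now - last > threshold:
            stale.append((acct["sAMAccountName"],
                          "last logon %d days ago (up to %d days replication lag)"
                          % ((now - last).days, REPLICATION_SLACK_DAYS)))
    return stale


if __name__ == "__main__":
    for name, reason in find_stale_accounts(ACCOUNTS):
        print("%-12s %s" % (name, reason))
```

On a live domain the equivalent one-liner is `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly`, but the point of doing it in code is to diff the output against HR’s current-employee list and to feed the result into a ticket rather than a spreadsheet.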