STE WILLIAMS

Brit hacker hired by Liberian telco to nobble rival now behind bars

A Surrey man has been jailed for 32 months after admitting to launching distributed denial-of-service (DDoS) attacks against an African telco.

Daniel Kaye, 30, of Egham, told the Blackfriars Crown Court that back in 2016 he took a monthly salary from Liberian company Cellcom to carry out a sustained DDoS against their rival telco Lonestar. According to the National Crime Agency, at its peak Kaye’s attack was so heavy that it disabled internet access for most of the country.

Living in Cyprus at the time, Kaye built himself a Mirai botnet pieced together using hijacked Dahua security cameras and infected devices “rented” from other hackers. He then accepted the monthly retainer from Cellcom and proceeded to run the attack in the latter half of 2016.

When the attacks finally subsided, Lonestar said it suffered tens of millions of dollars in lost business and had to directly pay $600,000 to fully ameliorate the effects of the DDoS attack.

That botnet, referred to as “#14” by researchers, was among the largest on the internet, and at one point was said to have accounted for more than half of all Mirai infections on the planet.

Kaye was arrested in February of 2017 and pled guilty last month to counts of creating and using a botnet and possessing criminal property. In between, he also got a free trip to Germany, where he was tried for a separate 2016 DDoS on Deutsche Telekom (he would get a suspended sentence for that one). Kaye was also said to be tied to DDoS attacks against Lloyd’s, Barclays, and Halifax banks in the UK.

Though much of the Mirai #14 botnet Kaye used was said to have been machines rented from other hackers, prosecutors described the 30-year-old as a “highly skilled and capable hacker-for-hire” in announcing the two years and eight months prison term this month.

“Kaye was a talented and sophisticated cyber criminal who created one of the world’s largest networks of compromised computers which he then made available to other cyber criminals with no consideration as to the damage it would cause,” said Russell Tyner from the UK Crown Prosecution Service (CPS).

“The CPS and the NCA together with the authorities in Germany and Cyprus worked closely together in order to bring him to justice.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/14/liberian_hackerforhire_case/

Facebooker swatted, Kaspersky snares an NSA thief, NASA server exposed, and more

Roundup This week we saw a Huawei official cuffed (again), telcos caught selling tracking data (again) and Microsoft patching dozens of bugs (again).

Here are a few other notable security happenings.

Chaturbate rubbed raw by card cache bug

Adult webcam service Chaturbate has plugged a security hole that left some of its customers a little, er, exposed.

Researcher Imran Paray (via HackerOne) found that the Chaturbate website had been collecting and storing users’ payment card details in the browser cache.

This meant that a person who had access to the machine could pull up their card number and details as plain text – a handy extra for burglars and thieves. This is bad enough on a regular site, but even more embarrassing as it happens through a service most users are accessing in a more… discreet… manner.

“This endpoint is allowing the credit card details to be stored in clear text into the browser caches,” Paray explained.

Chaturbate was able to patch the bug with no indication that any user accounts had been exposed. For his work, Paray was given a $300 bounty payout.
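As an added example (not code from the original roundup, from Paray, or from Chaturbate), this is the check a defender would run against their own billing endpoint: a response counts as a finding only when a browser is permitted to store it and its body carries a Luhn-valid card number. The cache rule is a simplified reading of RFC 7234 and the sample JSON body and headers are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// browserMayStore reports whether a browser is permitted to write this
// response to its HTTP cache. Simplified reading of RFC 7234 (assumption):
// only "no-store" forbids storage; "no-cache", "private" and "max-age=0"
// still let the bytes reach disk and merely govern when they may be reused.
func browserMayStore(h http.Header) bool {
	for _, directive := range strings.Split(h.Get("Cache-Control"), ",") {
		if strings.EqualFold(strings.TrimSpace(directive), "no-store") {
			return false
		}
	}
	return true
}

// luhnValid applies the Luhn checksum that every payment card number passes.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// panLike matches 13 to 19 digits optionally separated by spaces or dashes.
var panLike = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// findPANs returns the Luhn-valid card-number candidates in a response body.
// Luhn is a checksum, not proof: long order or account numbers can collide,
// so treat hits as leads to verify rather than confirmed card data.
func findPANs(body string) []string {
	var pans []string
	clean := strings.NewReplacer(" ", "", "-", "")
	for _, m := range panLike.FindAllString(body, -1) {
		if digits := clean.Replace(m); luhnValid(digits) {
			pans = append(pans, digits)
		}
	}
	return pans
}

// cachesCardData is the check itself: a response is a finding when a browser
// may store it AND its body carries something that looks like a card number.
func cachesCardData(h http.Header, body string) (bool, []string) {
	pans := findPANs(body)
	return browserMayStore(h) && len(pans) > 0, pans
}

func main() {
	// Constructed sample: the JSON a billing endpoint might return.
	body := `{"card":"4111 1111 1111 1111","exp":"12/21","last4":"1111"}`

	// Weak: nothing tells the browser not to keep the response on disk.
	weak := http.Header{}
	weak.Set("Content-Type", "application/json")

	// Fixed: the same endpoint with the one directive that prevents storage.
	fixed := http.Header{}
	fixed.Set("Content-Type", "application/json")
	fixed.Set("Cache-Control", "no-store")

	for name, h := range map[string]http.Header{"weak": weak, "fixed": fixed} {
		leaks, pans := cachesCardData(h, body)
		fmt.Printf("%-5s cacheable=%v finding=%v pans=%v\n", name, browserMayStore(h), leaks, pans)
	}
}
```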

Facebook exec swatted in Palo Alto

An unnamed Facebook executive was the victim of a swatting call earlier this week in Palo Alto.

The local Palo Alto Daily Post reports that police received a call on Wednesday night from someone claiming to be the unnamed cybersecurity exec. The person on the line claimed to have shot his wife and set up explosives around the house.

This prompted police to respond with multiple vehicles, surround the house, and briefly handcuff the man while the home was searched. The whole thing was eventually found to be a “prank” and everyone went on their way.

For anyone who still thinks swatting people is harmless fun we’d like to point out that a California man is facing 20 years in prison after a swatting call he made resulted in the shooting death of a Kansas man.

Researcher siphons PlayStation Vita boot ROM with ‘voltage glitch’ trick

A low-level electrical engineering trick has allowed a researcher to slurp the contents of the highly-protected boot ROM of the PS Vita.

Yifan Lu showed how (PDF) voltage glitching, a technique where the current to individual gates is modified to change their behavior, could be used to inject faults into the custom SoC the hand-held gaming platform uses.

From there, Lu was able to manipulate the chip into giving up the contents of its boot ROM, allowing access to memory that had been protected from prying eyes.

While not the fastest or easiest way to crack a console, the process is very interesting from an academic perspective and the paper is well worth a read.

NSA catches data thief with help from *checks notes* Kaspersky Lab

The contractor who took home and hoarded 20 years’ worth of American intelligence documents and files was nabbed with the help of Russia-based Kaspersky Lab.

This according to a report from Politico, who said that Harold Martin was only cuffed in 2016 after the Russian security lab reported to the NSA that the former contractor had been sending them cryptic messages regarding his unauthorized collection of intelligence files.

Martin would be arrested in 2016 and charged a year later with stealing confidential government documents and software for a period of more than 20 years. In early 2018, he said he intended to plead guilty to a single charge.

Kaspersky, meanwhile, would become persona non grata with the US government thanks to allegations the company operated as a back door for the Kremlin in a separate NSA data leak incident, a claim Kaspersky has long denied and for which there is no public evidence.

Perhaps these latest revelations will help the security vendor get back in Uncle Sam’s good graces.

TCL phones found to contain shady software bundles

Chinese phone manufacturer TCL, whose clients include Blackberry and Alcatel, has been found bundling phones with a malicious weather application.

This according to Upstream Systems’ Secure-D team, who uncovered a number of Alcatel phones in Brazil exhibiting suspicious behavior.

“Over July and August 2018, through Secure-D, we observed a higher than usual number of transaction attempts in Brazil and Malaysia coming from a series of Alcatel Android smartphones (Pixi 4 and A3 Max models),” Upstream said.

“Those suspicious requests were initiated by the same application named com.tct.weather in both Brazil and Malaysia.”

What they eventually found was that an app bundled on the phone, com.tct.weather, was not only spying on users and transmitting logs to China, but also using the phones to carry out click fraud and ad-injection attacks.

Aside from the bundled devices, the bogus weather app was also being offered on the Android Play Store and had racked up millions of installs. Since the report, Google has pulled the app from the store.

“Overall, whether pre-installed on Alcatel devices or downloaded from Google’s official Play Store, the application com.tct.weather has generated over 27m transaction attempts across 7 markets,” Upstream said.

“Had they not been blocked by Secure-D these transactions would have translated into $1.5m unwanted charges to users’ airtime.”

Don’t panic, but Russia might be able to kill the US power grid

Or at least a sizable portion of it.

This according to a report from the Wall Street Journal, which cited government sources in reporting that a number of private contractors had been breached by Russian-backed hackers who then worked their way up the supply chain until they were in position to cripple parts of the power grid.

The report is yet another reminder of the big problem in securing critical infrastructure in the US: For every large carrier with a sizable security team, there are dozens of poorly-equipped subcontractors who know little about data security.

XTerm JavaScript component patches up remote code bug

It’s the three letters no developer wants to hear in connection to their product: RCE.

A remote code execution flaw was spotted in XTerm, a JavaScript component that lets developers create terminals within browser windows. In this case, said Google Security researcher Felix Wilhelm (one of the group credited with discovery), an exploit would have allowed the attacker to escape the terminal and cause further mayhem on the vulnerable machine.

Anyone using XTerm for their sites will want to use this script from Wilhelm to check if their version needs to be updated to patch up the bug.

Jira, we have had a problem

A bunch of internal NASA data, things like employee names and IDs, internal emails, and project details, were recently found to be exposed, and it will come as no surprise that the culprit was Atlassian’s much-loathed Jira system.

Bug-hunter Avinash Jain found that a NASA Jira server had been improperly configured to allow “everyone” access, a setting that not only adds everyone within the organization but also those outside.

“I found that Jira instance used by NASA had a misconfigured setting where any anonymous user can access the user picker functionality (described as above) and pulls out the complete list of every NASA user’s username and email address,” Jain explained.

Additionally, the server would let an anonymous user access filters that could then be used to group users based on what projects they were working on. So someone who accessed the server anonymously could see a NASA employee’s name, email address, and what specific projects they were involved in. You can see why this would be an extremely useful tool to anyone wanting to infiltrate the US space agency.

Fortunately, the bug was privately reported and fixed back in June. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/12/security_roundup/

Ep. 014 – Rickrolls, Acrobat and zombie hands [PODCAST]

In this episode, the Naked Security Podcast investigates the ethics of remote rickrolling, whether Acrobat is the new Flash, and how to fool biometrics with a zombie hand.

With Anna Brading, Paul Ducklin, Mark Stockley and Matthew Boddy.

If you enjoy the podcast, please share it with other people interested in cybersecurity, and give us a vote on iTunes and other podcasting directories.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3iHH_IWYR7U/

AT&T, Sprint, Verizon, T-Mobile US pledge, again, to not sell your location to shady geezers. Sorry, we don’t believe them

US cellphone networks have promised – again – that they will stop selling records of their subscribers’ whereabouts to anyone willing to cough up cash.

In a statement on Thursday, AT&T said: “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services – even those with clear consumer benefits,” adding: “We are immediately eliminating the remaining services and will be done in March.”

That same March deadline was referenced by T-Mobile US’s CEO John Legere who had promised last June to end the sale of subscribers’ private location data. Legere tweeted this week: “T-Mobile is completely ending location aggregator work. We’re doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised.”

Getting deja vu

That sounds a bit rich to some lawmakers, however, who extracted what appeared to be identical promises seven months ago. Back then, Senator Ron Wyden (D-OR) discovered that a company called Securus Technologies was selling people’s location data to the cops, and insisted that America’s telecoms watchdog the FCC investigate.

Wyden also wrote to the four major US cellular telcos – AT&T, Verizon, T-Mobile and Sprint – asking them to carry out an audit of which third parties had access to user location data, and ensure that they had people’s consent before sharing such personally identifiable information.

As a result of those efforts, the network operators at the time pledged to put an end to the practice. Verizon sent a letter [PDF] saying it had “conducted a comprehensive review” of its “location aggregator program” and as a result would kill the agreements it had with the two companies in the program, LocationSmart and Zumigo.

Verizon claimed that location data was only sold if subscribers had explicitly agreed to it, and that the sale of such information was only allowed “under specific conditions” which include fraud detection “or customer identification among others.”

The other operators put out similar statements. “AT&T has no reason to believe that there are other instances of unauthorized access to AT&T customer location data,” the communications giant said. “Nonetheless, we are reviewing these issues carefully to ensure the proper handling of all AT&T customer information.”

And T-Mobile US’s Legere told Senator Wyden to his face that he would end the practice of selling location data through third parties.

That was then. Now…

But, just as we warned at the time, it was all weasel words. Fast forward to this month, and journalist Joe Cox was able to pay a bounty hunter $300 to have someone’s T-Mobile US phone number tracked and located – through the exact same location reselling system that had previously been exposed.

In this case it wasn’t Securus but a company called Microbilt. However, the details were identical: it was an approved third party that purchased subscribers’ location records from a carrier, and through a chain of organizations, sold that private location data to pretty much anyone willing to pay it: from car salespeople, stalkers, and property managers to criminals, bounty hunters, and private investigators, potentially.

Subscribers are not informed that their location data has been provided to a third party, and it is highly debatable that they have given their explicit permission to be tracked – despite what the cell networks claim – in large part because there is no way for users to tell their mobile operators to not sell their location data.

Following the revelation this month that nothing has changed, Senator Wyden has again called for an FCC investigation, and again argued for a privacy law that would protect US citizens from having their personal data sold without their permission. Wyden has found another supporter in the form of Senator Kamala Harris (D-CA).

Groundhog Day

Cue another round of promises from the mobile networks. Having been accused of lying to Senator Wyden, T-Mobile US boss Legere embarked on some history revision.

Back in June, Legere made the seemingly unambiguous promise that he had “personally evaluated this issue and have pledged that T-Mobile will not sell customer location data to shady middlemen.”

After repeat questions on what that actually meant, a few days later T-Mobile US clarified that it was “winding down our location aggregation agreements.” Yet seven months later, it seems that “winding down” still hadn’t started.

Following this week’s outcry, Legere repeated the same argument as months earlier, and claimed that his telco was “doing it the right way to avoid impacting consumers.” He claimed to have promised to end the whole thing in March, though we have been unable to find any reference to March 2019 back in June 2018.

Meanwhile, Sprint, which is being gobbled up by T-Mobile US, gave a vague promise to not “knowingly share personally identifiable geo-location information” unless lawfully compelled by the cops or Feds. Verizon, which appears to have been the only network carrier to have mostly pulled the plug on location data sales, said it is still shutting down what’s left of its whereabouts-reselling operation: four location-sharing deals with roadside assistance companies, which now face the chop. Once those agreements are over, Verizon won’t sell any location data, and will only share people’s whereabouts to roadside assistance organizations with subscribers’ permission, it is claimed.

As things stand, despite what appears, again, to be unambiguous promises to end location data selling, there is nothing to stop mobile telcos from simply coming up with a different name or spin for their location-peddling services, and firing it all up again.

While there is money to be made and no law preventing it, it is a virtual certainty that AT&T and others will figure out a way to profit from selling their customers’ private data. Last time around, FCC boss Ajit Pai refused to investigate the matter, and while there has been no response from Pai on the renewed calls for an investigation, thanks to the partial US government shutdown, it is a virtual certainty that he will continue his pro-telco agenda and stay away from the issue.

Meanwhile, pressure grows in Congress to introduce a privacy law – an American version of Europe’s GDPR – especially in the light of abuses by Facebook and others. But that process is very far from certain given that many of the companies that benefit most from selling user data are also some of the most powerful and generous lobbyists in Washington DC. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/11/us_carriers_location_data/

*taps on glass* Hellooo, IRS? Anyone in? Anyone guarding taxpayers’ data from crooks? Hellooo?

With the partial US government shutdown showing no signs of letting up any time soon, senators are pressing treasury and tax officials on cybersecurity.

Ron Wyden (D-OR), the ranking member on the Senate’s Committee on Finance, on Friday wrote to Treasury Secretary Steve Mnuchin and IRS Commissioner Charles Rettig asking for a report detailing how the US tax authority plans to deal with the shutdown and, in particular, what they are doing to prevent personal information and tax refunds from falling into the wrong hands.

Of special concern to the Senator was the prospect of taxpayer identity theft, a crime in which a crook uses stolen information, such as names and social security numbers, to file fake tax returns on behalf of a victim, pocketing the refunds in the process.

Stopping tax ID fraud has been a major priority for the IRS in recent months, but with employees either furloughed or facing the prospect of having to work sans paycheck, the committee is worried fraudsters and hackers will take advantage of reduced staffing levels to target IRS databases.

“Is there increased risk of taxpayer ID theft if IRS tries to maintain normal operations during a shutdown?” asked Wyden in his letter [PDF].

“For example, if IRS is working with a skeleton staff as a result of the shutdown, is there an elevated risk that cyber criminals filing fraudulent returns with stolen taxpayer identities will be able to steal taxpayers’ refunds? Will IRS be able to detect, let alone thwart, these fraudulent attempts?”

The letter also notes a number of taxpayers stand to fall through the cracks of bureaucracy without a fully staffed IRS, and could be left unable to pay back taxes or handle audits. Without communication from the IRS, those people could be more likely to fall victim to scammers or predatory tax accountants.

“How will the IRS alleviate the concerns of taxpayers who have responded to collection and audit notices but, due to the shutdown, not received any notification from the IRS?” Wyden asked.

“Further, how will the IRS adjust the deadlines imposed on taxpayers for responding to collection and audit notices, to ensure taxpayers are not penalized only because the shutdown is preventing the IRS from processing their responses?”

And because this is America in 2019, Wyden would not let the letter wrap up without issuing a shot at the Trump administration for its handling of the shutdown so far.

“I certainly appreciate that IRS and Treasury are scrambling to develop a contingency plan that may help millions of Americans to eventually receive their tax refunds,” the Senator writes.

“However, I would be remiss if I did not point out one obvious fact – that this entire tax filing season fiasco, putting so many millions of American taxpayers at financial risk, could have been avoided had the President kept the government open by simply signing the bipartisan continuing resolution that the Senate passed by voice vote, without a single Senator objecting, at the end of last year.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/12/senate_quizzes_irs/

Government Shutdown Brings Certificate Lapse Woes

Among the problems: TLS certificates are expiring and websites are becoming inaccessible.

The partial shutdown of the federal government is having an impact in ways both anticipated and not. One that probably falls under the latter is expiring TLS certificates that leave some .gov websites marked as “unsafe” or completely inaccessible from most browsers.

Websites from NASA, the Department of Justice, and the Court of Appeals are among those using one of the 80 certificates that have not been renewed since the beginning of the shutdown.

“The government shutdown has left a mark on the digital world. Several government websites now greet users with a ‘CERT_DATE_INVALID’ warning in place of the website itself. At best, this isn’t a good look for the departments concerned. At worst, the thousands of Americans who rely on these websites are left cut off from the services they need,” says Martin Thorpe, enterprise architect for Venafi.
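As an added example (not code from the original article or from Venafi), this is the expiry check a certificate monitor applies to each leaf certificate it pulls from a TLS handshake, which is how a lapse like the ones above is caught before browsers start refusing the site. The certificates here are self-signed test data generated in code so it runs offline, and the 14-day warning window is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is the verdict for one certificate at a given point in time.
type CertStatus string

const (
	StatusOK       CertStatus = "ok"
	StatusExpiring CertStatus = "expiring-soon"
	StatusExpired  CertStatus = "expired"
	StatusNotYet   CertStatus = "not-yet-valid"
)

// Classify compares a certificate's validity window against now and returns
// the verdict plus whole days left until NotAfter (negative once expired).
// warn is how far ahead of expiry a renewal should already have happened.
func Classify(cert *x509.Certificate, now time.Time, warn time.Duration) (CertStatus, int) {
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	switch {
	case now.Before(cert.NotBefore):
		return StatusNotYet, days
	case !now.Before(cert.NotAfter):
		return StatusExpired, days
	case cert.NotAfter.Sub(now) <= warn:
		return StatusExpiring, days
	default:
		return StatusOK, days
	}
}

// selfSigned mints a throwaway self-signed certificate with the given
// validity window. Constructed test data: it stands in for the leaf
// certificate a monitor would pull from a live TLS handshake.
func selfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Fixed "now" so the output is reproducible; a real monitor uses time.Now().
	now := time.Date(2019, 1, 12, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	windows := []struct {
		host                string
		notBefore, notAfter time.Time
	}{
		{"lapsed.example.gov", now.Add(-395 * day), now.Add(-5 * day)},   // already expired
		{"renew-me.example.gov", now.Add(-355 * day), now.Add(10 * day)}, // inside the warning window
		{"fine.example.gov", now.Add(-30 * day), now.Add(335 * day)},     // plenty of time left
	}
	for _, w := range windows {
		cert, err := selfSigned(w.host, w.notBefore, w.notAfter)
		if err != nil {
			panic(err)
		}
		status, days := Classify(cert, now, 14*day)
		fmt.Printf("%-22s %-14s %4d days\n", w.host, status, days)
	}
}
```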

Some experts say the issue goes beyond mere Web page inaccessibility. “I think the biggest risk is far beyond expired SSL certificates. How many critical governmental systems are currently unmaintained, outdated, and thus vulnerable?” asks High-Tech Bridge CEO Ilia Kolochenko. “It seems to be a great opportunity for nation-state hacking groups to exploit US momentary weakness to steal or alter extremely sensitive information.”

Franklyn Jones, CMO at Cequence Security, agrees with Kolochenko and points to specific risks in the moment. “It creates a great opportunity for bad actors to launch automated bot attacks, testing previously stolen credentials to gain access to private accounts on government sites,” he explains.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities-and-threats/government-shutdown-brings-certificate-lapse-woes/d/d-id/1333641?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Kudos to the Unsung Rock Stars of Security

It is great to have heroes, but the real security heroes are the men and women who keep the bad guys out while fighting their own organizations at the same time.

People love to hear me describe the espionage simulations that I perform, putting together teams of former Special Forces and intelligence officers and targeting organizations, in what many might call penetration tests and social engineering. Still, I bristle when anyone calls me a hacker.

True, I admit that I love performing human elicitation and black bag operations, and it is always a rush to get the access to “steal” $1 million or its equivalent. Yet the “gotcha” games can get old, and while the results may be incredible, they are frequently useless.

I consider myself a security professional, and my goal is to leave a company more secure than I found it. Consequently, I’ve learned that finding flaws in security programs is only useful when you can identify practical countermeasures that can actually be implemented. Otherwise, you’re essentially just highlighting that a company can be easily compromised, which is, at best, a footnote in a security presentation.

Even when a problem is seemingly simple to fix, it is usually not that easy. I am sick of hearing “social engineers” perform tests where they get employees to divulge passwords, and then proclaim that the solution is to tell employees not to divulge their passwords. Likewise, people performing technical penetration tests frequently find unpatched systems and recommend patching the systems. Any qualified CISO already knows these issues likely exist in their environment, and that they should address them. But it is grossly naive to believe that it is that simple to just do it.

Addressing the password problem requires a comprehensive solution of technology, process, and awareness, which requires proper funding, resources, planning, execution, and it still won’t be perfect. Social engineering, when performed with proper statistical distributions, can potentially tell you the scope of the problem, but it is far from a useful solution. While patching systems appears to be straightforward, it is an incredibly complicated matter to first find all of the systems that exist, determine their architectures and versions, get administrator access, ensure that licensing exists to update systems, determine if there are any incompatibilities with patches, get the required permissions to have outages, acquire the systems, software, and/or personnel to roll out the patches, etc.

Then consider that these are just two projects among countless others that a CISO has to address, and especially prioritize, with each potential project expending their organizational reputation, and all involving buy-in from other parties.

On multiple occasions, I performed penetration tests that were able to grab the attention of Fortune 50 CEOs by demonstrating the substantial business value that could be lost due to poor security, and providing actionable recommendations. In response, the CEOs increased the security budgets by more than $10 million and increased staffing to begin to address the problems. For my team and me, it was fun and easy. Periodically, we are brought back to advise and further assess how well the improvements are progressing. However, finding damaging flaws in the security posture of a Fortune 50 company is too easy for highly skilled attackers, like those on my team. The people with the really hard jobs are those responsible for fixing the problems.

The general public, and even the security industry, seems to idolize the “hackers” and people who can compromise security of organizations with ease. They are frequently referred to as the “Rock Stars of Security.” Some of these people have incredible skills at what they do. However, the “Rock Stars” we should be revering are those working on internal security teams, who know all too well that real security involves infinitely more than telling people “don’t give away your passwords” or “patch your systems.” They frequently experience failures of one form or another but somehow manage to effectively mitigate losses and keep major organizations up and running.

It is great to have heroes, but the world needs to realize that the real heroes of security are those with the really hard jobs, which means those who are constantly trying to keep the bad guys out while fighting their own organizations more than the hackers. Unfortunately, we rarely know their names, how hard they’re working, or acknowledge them for the heroes that they are.

Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security.

Article source: https://www.darkreading.com/vulnerabilities---threats/kudos-to-the-unsung-rock-stars-of-security/a/d-id/1333611?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Who Takes Responsibility for Cyberattacks in the Cloud?

A new CSA report addresses the issue of breach responsibility as more organizations move ERP application data to the cloud.

When cloud data is breached, who is responsible? A new Cloud Security Alliance (CSA) report poses the question at a time when companies are moving enterprise resource planning (ERP) application data to the cloud and expect cloud-focused cyberattacks to increase in 2019.

The study, “Enterprise Resource Planning (ERP) Applications and Cloud Adoption,” was conducted by CSA and sponsored by Onapsis. Researchers polled 199 managers, C-level executives, and staff from businesses in the Americas (49%), APAC (26%), and EMEA (25%).

They found 69% of organizations plan to migrate their data for popular ERP applications to the cloud and use major cloud infrastructure-as-a-service providers. Nearly 90% of respondents say the applications they plan on migrating to the cloud are business-critical. Respondents in the Americas (73%) and APAC (73%) were most likely to report migrating business-critical applications to the cloud compared with those in EMEA, where regulations like GDPR interfere with enterprise plans for tech investments, cloud services, and third-party policies.

The biggest benefit of moving to the cloud, respondents say, is scalability of new technologies (65%). Their next given reason is lower cost of ownership (61%), followed by security patching and updating from the provider (49%). Obstacles to cloud adoption, they say, include moving sensitive data (65%), security (59%), and compliance challenges (54%).

On a positive note, companies are taking steps to protect cloud-based ERP applications with identity and access controls (68%), firewalls (63%), and vulnerability assessment (62%).

But attackers’ capabilities are evolving alongside businesses’ security moves. More than half of survey respondents expect security incidents in the cloud to increase over the coming year.

Their thoughts prompt questions about who is accountable for cyberattacks in the cloud. Sixty percent of participants say they believe cloud services providers are responsible for breaches, but 77% say it’s the organization’s responsibility to secure their ERP applications. Third parties hold the least amount of accountability and responsibility for cloud breaches, the data shows.

“The cloud computing ecosystem is maturing rapidly and business-critical applications, such as ERP solutions, are being moved to cloud environments,” said John Yeoh, director of research, Americas, for the Cloud Security Alliance, in a statement. “With this shift, organizations are starting to explore the question of whether a cloud environment might alleviate traditional challenges that business-critical applications normally face.”

Regardless of their cloud providers, businesses planning a migration must implement security from the start and in phases throughout the project. Onapsis studies have found that implementing security in each phase of the migration could save businesses more than five times their implementation costs, said Juan Pablo Perez-Etchegoyen, Onapsis CTO.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/who-takes-responsibility-for-cyberattacks-in-the-cloud/d/d-id/1333637?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

6 Serverless and Containerization Trends CISOs Should Track

Security leaders must stay on top of a fast-moving world of cloud deployment options.

Cloud deployments are not only growing in complexity, but they are far more integral to the delivery of business-critical technology – so much so that they make the early cybersecurity challenges of software-as-a-service (SaaS) apps seem quaint in comparison. As developers, testers, and operations staff speed along with continuous integration/continuous delivery (CI/CD) efforts, the use of containers and serverless technology is skyrocketing, bringing plenty of new security issues with it.

“Serverless computing, often called ‘function as a service,’ will create massive security headaches in 2019, especially when it comes to identifying and protecting assets,” predicts Bob Huber, chief security officer at Tenable. “While serverless computing is a great way to reduce the burden of infrastructure management on developers, it also creates a lack of ownership and visibility into environments.”

The same goes for containers and container orchestration and automation tools like Kubernetes, Amazon ECS, and Docker Swarm. And while some people have previously debated whether serverless technology would overtake the momentum of containerization, the truth is they’re actually complementary, says Rani Osnat, vice president of product marketing at Aqua Security.

“It’s not even a two-horse race. There’s a whole range of deployment modalities that include serverless functions, serverless containers – for example, AWS Fargate and Azure Container Instances – containers, various hybrids like AWS Firecracker, or sandboxing technologies like Google gVisor and Kata Containers,” Osnat says. “We will see increasingly composite architectures that blend these mechanisms to optimize performance, scale, and cost.”

With such rapid adoption and fast-changing technology, CISOs will need to stay on top of these trends to effectively manage the new risks they’ll increasingly bring in the coming year.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/6-serverless-and-containerization-trends-cisos-should-track/d/d-id/1333636?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple