Professor Alex Stamos, the director of the Stanford Internet Observatory, began Collision 2021 with a question and answer session on developments in cybersecurity.
Alex Stamos is a cybersecurity expert, business leader and entrepreneur. He’s working to improve the security and safety of the internet through his teaching and research at Stanford University. Before joining Stanford, Alex served as the chief security officer of Facebook and Yahoo.
Private hacking groups
Sophisticated private hacking groups formed in recent years because key hackers learned they can earn tens of millions of dollars with ransomware and other attacks. The groups started as side gigs. They quickly realized that the number of hacking opportunities has exploded far beyond large companies and government departments. Every organization is now a hacking target.
Current and former employees of Russian and Chinese government-sponsored hacking organizations founded most of these private hacking organizations. That’s how these groups acquired the same advanced hacking skills that government-sponsored hacking organizations accumulated over the past decade.
Private hacking groups are forcing us all to improve our cybersecurity.
The SolarWinds hack is the primary product of Russian state-sponsored espionage that began years ago. The Russians inserted brilliantly designed, custom-built malware into the software package build process. SolarWinds distribution provided the Russians with about 18,000 targets that are all large corporations and government agencies.
Unfortunately, we don’t have enough qualified security personnel to fix the problems caused by this Russian hack. It will take quite a while to identify and remove all the malware that the Russians installed. No one should think that the discovery of the SolarWinds hack means it’s almost history.
Security of IoT devices
Many IoT devices are easy targets for hacking. Consumers should quit buying IoT crap. Too many IoT devices will never be patched because they can’t be patched or their owners are not managing them at all.
Many enterprises are starting to insist on security features in the IoT devices they buy. Unfortunately, consumers are not paying attention to the security of their IoT devices. As a result of this divergence of attention, IoT devices will remain easy hacking targets for many years to come.
Managing our personal security risks
We all need to quit reusing passwords for multiple accounts. Reused passwords are an invitation to identity theft. To achieve this goal, we all need to use a password manager.
We should all implement OpenDNS, NextDNS or any of their competitors in our homes to raise the level of security.
Secure login certification
We can’t tell how well or poorly any company is managing our login credentials. Apple and Google are moving toward federated login identities. I hope that in the future, we will identify ourselves strongly to one or two identity providers. Our chosen provider will then certify who we are to all other participating organizations.
Face ID offers the considerable advantage that nothing leaves our personal devices. There’s nothing for hackers to steal. Impersonation is almost impossible.
Non-fungible token (NFT)
I’m amazed that some people are paying millions of dollars for these tokens. NFTs are a scam. There is no legal framework around NFTs that regulates how they work and how transactions are protected. There’s no blockchain involved to protect the parties. Sellers may be violating securities laws because the issuers of NFTs are not selling something of value.