
John Hultquist, vice president of intelligence analysis at Google-owned cybersecurity firm Mandiant, likens his job to studying criminal minds through a soda straw. He monitors cyberthreat groups in real time on the dark web, watching what amounts to a free market of criminal innovation ebb and flow.

Groups buy and sell services, and one hot idea — a business model for a crime — can take off quickly when people realize that it works to do damage or to get people to pay. Last year, it was ransomware, as criminal hacking groups figured out how to shut down servers through what’s called distributed denial of service attacks. But 2022, say experts, may have marked an inflection point due to the rapid proliferation of IoT (Internet of Things) devices.

Attacks are evolving from those that shut down computers or stole data, to include those that could more directly wreak havoc on everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, like electrical grids or pipelines, or they can be the specific targets of criminals, as in the case of cars or medical devices that contain software.

“What I wish is that the vulnerabilities of cybersecurity could never negatively affect human life and infrastructure,” says Meredith Schnur, cyber brokerage leader for US & Canada at Marsh & McLennan, which insures large companies against cyberattacks. “Everything else is just business.”

For the past decade, manufacturers, software companies and consumers have been rushing to the promise of Internet of Things devices. Now there are an estimated 17 billion in the world, from printers to garage door openers, each one packed with software (some of it open-source software) that can be easily hacked. In a conversation Dec. 26 with The Financial Times, Mario Greco, the group CEO of giant insurer Zurich Insurance Group, said cyberattacks could pose a larger threat to insurers than pandemics and climate change, if hackers aim to disrupt lives, rather than merely spying or stealing data.

IoT devices are a key entry point for many attacks, according to Microsoft’s Digital Defense Report 2022. “While the security of IT hardware and software has strengthened in recent years, the security of Internet of Things (IoT) … has not kept pace,” according to the report.

A rash of attacks that reached the physical world through the cyber world in the past year shows the rising stakes. Last February, Toyota stopped operations at one of its plants because of a cyberattack. In April, Ukraine’s power grid was targeted. In May, the Port of London was hit with a cyberattack. That followed up on a 2021 that included two major attacks on critical infrastructure in the U.S., taking down energy and food supply operations of Colonial Pipeline and the JBS meatpacking conglomerate.

What many experts are anticipating is the day enterprising criminals or hackers affiliated with a nation-state figure out an easy-to-replicate scheme using IoT devices at scale. A group of criminals, perhaps connected to a foreign government, could figure out how to take control of many things at once – like cars, or medical devices. “We have already seen large-scale attacks using IoT, in the form of IoT botnets. In that case, actors leveraging unpatched vulnerabilities in IoT devices used control of those devices to carry out denial of service attacks against many targets. Those vulnerabilities are found regularly in ubiquitous products that are rarely updated.”

In other words, the possibility already exists. It’s only a question of when a criminal or a nation decides to act in a way that targets the physical world at a large scale. “It’s not always the art of the possible. It’s a market-driven thing,” Hultquist said. “Somebody figures out a scheme that is successful at making money.”

Aside from responding rapidly to attacks, the only answer to the “cat-and-mouse game” is constant innovation, says Shlomo Kramer, an early investor in Palo Alto Networks and currently one of the top cyber security investors worldwide.

There are a handful of companies, new regulatory approaches, a growing focus on cars as a particularly important area, and a new movement within the software engineering world to do a better job of incorporating cybersecurity from the beginning.

Internet of Things has a big update problem

The cybersecurity industry is upping its game. Companies including ForeScout and Phosphorus focus on Internet of Things security, which has a heavy emphasis on constant inventory of “endpoints” – where new devices connect to a network.

But one of the key problems in Internet of Things security is that there isn’t a good process for updating devices with patches, as new vulnerabilities, hacks or attacks are discovered, says Greg Clark, former CEO of Symantec, currently the chairman of Forescout. Many users are accustomed to downloading updates and patches to computers and phones; and even in those cases, a significant number of users don’t bother to do the updates.

The problem is much worse in the IoT: For instance, who bothers to update their garage-door opener? “Not many of the IoT devices have a system to update the code,” says Clark. “It becomes a serious problem to remediate the vulnerabilities in the IoT.”

He said one focus for cybersecurity companies has become putting controls around the devices so they can only do a specific set of things. That way, the devices can’t be weaponized to launch attacks on other networks. “There are a lot of hammers swinging,” Clark said, on products that make the IoT more secure.

Medical devices, which are seen as particularly important and particularly vulnerable, are one focus. Last month, Palo Alto Networks announced a new product aimed at medical device makers.

IoT device makers are not regulated enough

Because the challenges are new, and cut across industries, the U.S. guidelines and regulations remain patchwork. That has left a lot of IoT cybersecurity up to consumers and companies across sectors, rather than the many manufacturers making IoT devices.

“I’m hopeful there will be some new standards, and newer regulations that will force the vendors to do more,” says Randy Trzeciak, director of the science information and security policy & management program at Carnegie Mellon University. “There should be a national discussion around insuring device security, and where the manufacturer needs to take some ownership and responsibility.”

Clark said CISA and the National Institute of Standards and Technology are working together, issuing guidelines for the thousands of manufacturers that make IoT devices covering such things as ensuring that IoT devices identify themselves to networks as they are added to them. In 2020, the U.S. Congress turned the guidelines into a law, but only for companies that supply the U.S. government with IoT devices. A spokesman for the National Institute of Standards and Technology says this is the only national law the agency knows of. Some state-specific and industry-specific laws also exist: For instance, data in medical devices would be covered by HIPAA, and the National Highway Traffic Safety Administration has some jurisdiction over cars.

Some investors and executives cautiously welcome the increasing involvement of regulators. “It’s simply too complex,” Kramer said. “There’s not enough qualified and experienced security people.”

How cars are being targeted

As more criminal hackers aim attacks at the physical sphere, cars are a target. That includes theft, with attackers exploiting the keyless entry systems, but also attacks on sensitive information now being stored in cars, such as maps and credit card data.

Led by the European Union, countries around the world are rapidly adopting cybersecurity regulations for cars, with the EU’s coming into effect in July of last year.

The transition to electric vehicles has created an opportunity for regulators to get ahead of the criminals. As the new technology lowered the barriers to entry, more car companies entered the market. In turn, that has created an opportunity for regulators to work with industry groups that want to protect their home-grown industries.

The concerns about cars are nothing new. In one landmark experiment in 2015, two hackers attacked a Jeep Cherokee. “They shut down the engine on the highway – the brakes didn’t respond. This is not a pleasant situation,” said David Barzilai, CEO of a six-year-old Israeli company called Karamba Security, which helps car companies make their IoT devices more secure.

Barzilai says that in the past 12 months, there were dozens of attacks, both by serious criminal gangs and teenagers. “When we started six years ago, the attacks were by states, mostly China,” he says. “Within the last 12 months, there’s a democratization” in car attacks, he said, pointing to the case in January 2022 of the teen who figured out how to access the control systems of a few dozen Teslas at once.

Connected cars usually have SIM cards that hackers can attack via cellular networks, he said. “All cars of the same vehicle model use the same software,” he said. “Once hackers identify a vulnerability, and a way to exploit it remotely, they can replicate the attack on other vehicles.”

Cybersecurity grew as an industry mostly as an after-the-fact attempt to fix software and hardware that was long since on the market, as criminals and foreign governments discovered vulnerabilities in the systems that they could exploit. One study by IBM’s Systems Sciences Institute found it costs six times more to fix a cybersecurity vulnerability while software is being implemented than when it is under development. The IoT is still relatively new as an industry, giving security-minded developers a chance to get ahead of the cat-and-mouse game, says Trzeciak, and there’s a growing movement of researchers and developers working on this, including Carnegie Mellon’s Software Engineering Institute’s DevSecOps initiative, which aims to add security into earlier phases of software development. That process-based innovation could make all kinds of software, including that in cars and medical devices, more secure — and therefore, the devices safer.


Google’s cloud outpaces rivals in third quarter as AI battle heats up


With Wall Street laser focused on cloud computing this week, Google outpaced its rivals in growth, a key sign for investors that the internet company is gaining traction in artificial intelligence.

Google’s cloud business, which includes infrastructure as well as software subscriptions, grew 35% year over year in the third quarter to $11.35 billion, accelerating from 29% in the prior period.

Amazon Web Services, which remains the market leader, grew 19% to $27.45 billion, meaning it’s more than twice the size of Google Cloud but expanding about half as quickly. Second-place Microsoft said revenue from Azure and other cloud services grew 33% from a year earlier.

Five of the six trillion-dollar tech companies reported results this week, with AI chipmaker Nvidia as the outlier. Amazon, Alphabet and Microsoft always report around the same time, giving investors a snapshot of how the cloud wars are playing out.

“While Alphabet has often been criticized as a Johnny-one-note for its dependence on digital advertising, the rapid growth of Google Cloud has begun to diversify the company’s revenue,” analysts at Argus Research, who recommend buying the stock, wrote in a report on Oct. 31.

For a long time, cloud was a money sink for Google, but that’s no longer the case.

Google reported a 17% cloud operating margin in the third quarter, after first turning a profit last year. It was “a real beat to expectations there,” Melissa Otto, head of technology, media and telecommunications sector research at Visible Alpha, said on CNBC this week. She said she isn’t sure if the company can sustain that level of profitability.

The opposite story has been true at Amazon, which has long counted on AWS for the bulk of total profit.

AWS’ operating margin for the third quarter was 38%, which analysts at Bernstein described as a “whopping” number. Executives have been careful with hiring and have discontinued less popular AWS services. Also, at the beginning of 2024, Amazon extended the useful life of its servers from five years to six, a change that boosted the operating margin by 200 basis points, or 2 percentage points.

Microsoft this week started giving investors more accurate readings of its Azure public cloud. When the company reported Azure revenue growth in the past, the number would include sales of mobility and security services and Power BI data analytics software. Microsoft, which is the lead investor in ChatGPT creator OpenAI, is getting a hefty boost from AI services.

“Demand continues to be higher than our available capacity,” Amy Hood, Microsoft’s finance chief, said on the company’s earnings call.

While Azure growth in the current quarter will moderate a bit, Hood said it should pick up in the first half of 2025 “as our capital investments create an increase in available AI capacity to serve more of the growing demand.”

Amazon is seeing a similar dynamic.

“I think pretty much everyone today has less capacity than they have demand for, and it’s really primarily chips that are the area where companies could use more supply,” Amazon CEO Andy Jassy said on his company’s earnings call.

To help ease the burden, Amazon relies to a degree on its own processors, in addition to Nvidia’s graphics processing units (GPUs). Jassy said clients are showing interest in Trainium 2, the company’s second-generation chip for training models.

“We’ve gone back to our manufacturing partners multiple times to produce much more than we’d originally planned,” he said.

Google is now on the sixth generation of its own custom tensor processing units for AI. CEO Sundar Pichai told analysts that he’d been spending time with the TPU team.

“I couldn’t be more excited at the forward-looking roadmap, but all of it allows us to both plan ahead in the future and really drive an optimized architecture for it,” he said.

Microsoft introduced its own AI chip in the cloud, Maia, a year ago. The company has started to use Maia chips to power its own services, but it hasn’t yet made it available for customers to rent out, a spokesperson said.

Analysts at DA Davidson said in a note this week that they don’t see this as a battle Microsoft can win going up against Amazon and Google. They have a neutral rating on Microsoft.

Oracle, which generally ranks fourth among U.S. cloud infrastructure companies, is expected to report quarterly results in December. In its last report, Oracle said cloud infrastructure revenue jumped 45% to $2.2 billion, up from 42% growth in the prior quarter.

Oracle recently partnered with its three bigger cloud rivals to make its databases available on their services, a move that Chairman Larry Ellison said on the last earnings call “will turbocharge the growth of our database business for years to come.”


Nvidia to join Dow Jones Industrial Average, replacing rival chipmaker Intel


Nvidia is replacing rival chipmaker Intel in the Dow Jones Industrial Average, a shakeup to the blue-chip index that reflects the boom in artificial intelligence and a major shift in the semiconductor industry.

Intel shares were down 1% in extended trading on Friday. Nvidia shares rose 1%.

The switch will take place on Nov. 8. Also, Sherwin Williams will replace Dow Inc. in the index, S&P Dow Jones said in a statement.

Nvidia shares have climbed over 170% so far in 2024 after jumping roughly 240% last year, as investors have rushed to get a piece of the AI chipmaker. Nvidia’s market cap has swelled to $3.3 trillion, second only to Apple among publicly traded companies.

Companies including Microsoft, Meta, Google and Amazon are purchasing Nvidia’s graphics processing units (GPUs), such as the H100, in massive quantities to build clusters of computers for their AI work. Nvidia’s revenue has more than doubled in each of the past five quarters, and has at least tripled in three of them. The company has signaled that demand for its next-generation AI GPU called Blackwell is “insane.”

With the addition of Nvidia, four of the six trillion-dollar tech companies are now in the index. The two not in the Dow are Alphabet and Meta.

While Nvidia has been soaring, Intel has been slumping. Long the dominant maker of PC chips, Intel has lost market share to Advanced Micro Devices and has made very little headway in AI. Intel shares have fallen by more than half this year as the company struggles with manufacturing challenges and new competition for its central processors.

Intel said in a filing this week that the board’s audit and finance committee approved cost and capital reduction activities, including lowering head count by 16,500 employees and reducing its real estate footprint. The job cuts were originally announced in August.

The Dow contains 30 components and is weighted by the share price of the individual stocks instead of total market value. Nvidia put itself in better position to join the index in May, when the company announced a 10-for-1 stock split. While doing nothing to its market cap, the move slashed the price of each share by 90%, allowing the company to become a part of the Dow without having too heavy a weighting.

The switch is the first change to the index since February, when Amazon replaced Walgreens Boots Alliance. Over the years, the Dow has been playing catchup in gaining exposure to the largest technology companies. The stocks in the index are chosen by a committee from S&P Dow Jones Indices.


Super Micro’s 44% plunge this week wipes out stock’s gains for the year


Super Micro investors continued to rush the exits on Friday, pushing the stock down another 9% and bringing this week’s selloff to 44%, after the data center company lost its second auditor in less than two years.

The company’s shares fell as low as $26.23, wiping out all of the gains for 2024. Shares had peaked at $118.81 in March, at which point they were up more than fourfold for the year. Earlier that month, S&P Dow Jones added the stock to the S&P 500, and Wall Street was rallying around the company’s growth, driven by sales of servers packed with Nvidia’s artificial intelligence processors.

Super Micro’s spectacular collapse since March has wiped out roughly $55 billion in market cap and left the company at risk of being delisted from the Nasdaq. On Wednesday, as the stock was in the midst of its second-worst day ever, Super Micro said it will provide a “business update” regarding its latest quarter on Tuesday, which is Election Day in the U.S.

The company’s recent challenges date back to August, when Super Micro said it would not file its annual report on time with the SEC. Noted short seller Hindenburg Research then disclosed a short position in the company and wrote in a report that it identified “fresh evidence of accounting manipulation.” The Wall Street Journal later reported that the Department of Justice was in the early stages of a probe into the company.

Super Micro disclosed on Wednesday that Ernst & Young had resigned as its accounting firm just 17 months after taking over from Deloitte & Touche. The auditor said it was “unwilling to be associated with the financial statements prepared by management.”

A Super Micro spokesperson told CNBC that the company “disagrees with E&Y’s decision to resign, and we are working diligently to select new auditors.” Super Micro does not expect matters raised by Ernst & Young to “result in any restatements of its quarterly financial results for the fiscal year ended June 30, 2024, or for prior fiscal years,” the representative said.

Analysts at Argus Research on Thursday downgraded the stock in the intermediate term to a hold, citing the Hindenburg note, reports of the Justice Department investigation and the departure of Super Micro’s accounting firm, which the analysts called a “serious matter.” Argus’ fears go beyond accounting irregularities, with the firm suggesting that the company may be doing business with problematic entities.

“The DoJ’s concerns, in our view, may be mainly about related-party transactions and about SMCI products ending up in the hands of sanctioned Russian companies,” the analysts wrote.

In September, the month after announcing its filing delay, Super Micro said it had received a notification from the Nasdaq indicating that its late status meant the company wasn’t in compliance with the exchange’s listing rules. Super Micro said the Nasdaq’s rules allowed the company 60 days to file its report or submit a plan to regain compliance. Based on that timeframe, the deadline would be mid-November.

Though Super Micro hasn’t filed financials with the SEC since May, the company said in an August earnings presentation that revenue more than doubled for a third straight quarter. Analysts expect that, for the fiscal first quarter ended September, revenue jumped more than 200% to $6.45 billion, according to LSEG. That’s up from $2.1 billion a year earlier and $1.9 billion in the same fiscal quarter of 2023.
