Breaching SolarWinds

March 4, 2021

The SolarWinds story continues to delight. I read “Former SolarWinds CEO Blames Intern for Solarwinds123 Password Leak.” That’s a heck of a password if I say so myself. Definitely better than admin or password.

How did the hackers breach a company providing services to thousands of clients? Here are the reasons reported by CNN:

  1. An intern fumbled the ball
  2. Brute force guessing of passwords
  3. Some other outfit created software which SolarWinds used, and that software carried malware.

There is a fourth possibility, and it is the one which seems to be one of the more popular ways to gain access to an organization’s network. What is it? Dumpster diving? Mental telepathy? Trawling through open source code looking for credentials? (That’s a pretty good method by the way.)

Nope.

Just strike up a conversation on a social media site, a Dark Web forum, or an encrypted messaging group and [a] use social engineering to get a user name and password, [b] watch for an employee who is not happy with his or her employer, [c] threaten an employee’s mom or family, [d] phishing, or [e] pay a third party contractor writing code for SolarWinds in a far off land.

The preferred approach of bad actors is usually the easiest, simplest, and most hassle free.

Compromising a careless outfit is easy. Even organizations with buttoned up security are vulnerable.

What’s obvious is that the SolarWinds’ misstep reflects on an organizational approach to operating its business. If the company were a railroad, it is conceivable that the firm would lose freight cars, engines, and the keys to the operations office.

What’s fascinating is that the present and former CEO of SolarWinds threw an intern under the digital bus. Nothing like manning up in my opinion.

Stephen E Arnold, March 4, 2021

About TikTok and Privacy: $92 Million Catch Your Attention

March 4, 2021

I have commented about the superficial understanding shared among some “real” and big time journalists of data collection. What’s the big deal about TikTok? Who cares what kids are doing? Dismissive attitude flipped off these questions because “real” news knows what’s up?

“ByteDance Agrees to US$92 Million Privacy Settlement with US TikTok Users” suggests that ignoring the China-linked TikTok may warrant some scrutiny. The story reports:

The lawsuits claimed the TikTok app “infiltrates its users’ devices and extracts a broad array of private data including biometric data and content that defendants use to track and profile TikTok users for the purpose of, among other things, ad targeting and profit.” The settlement was reached after “an expert-led inside look at TikTok’s source code” and extensive mediation efforts, according to the motion seeking approval of the settlement.

My view is that tracking a user via a range of methods can create a digital fingerprint of a TikTok user. That fingerprint can be matched or cross correlated with other data available to a specialist; for example, information obtained from Oracle. The result is that a user could be identified and tracked across time.

Yep, today’s young person is tomorrow’s thumbtyper in one of the outfits compromised by the SolarWinds’ misstep. What if the TikTok data make it possible to put pressure on a user? What if the user releases access information or other high value data?

TikTok, TikTok, the clock may be ticking quietly away.

Stephen E Arnold, March 4, 2021

Google Gets into Insurance

March 3, 2021

Worrying about the relevance of search results? You probably should. The online ad giant is facing some big problems. And what do giant corporations do when their core business faces competitive, legal, employee, management, and customer pressure?

Give up.

Here’s the answer: Sell insurance.

“Google Rolls Out First of Its Kind Cyber Insurance Program for Cloud Customers” reports:

Google LLC has teamed up with two major insurers to develop a cyber security insurance offering that will provide Google Cloud customers who sign up with coverage against cyber attacks.

Ask an actuary. Is insurance a good business? Listen to the answer… carefully.

The article notes:

The Risk Manager tool is available to Google Cloud customers by request. As for the cyber insurance coverage against data breaches, it will initially be offered to organizations in the U.S.

There are several implications of this deal. But it is early days, and one cannot purchase insurance to cover a ride in a Waymo infused vehicle directly from the GOOG yet.

The thoughts which ran through my mind after reading the news story were:

  1. Is Google cashing in on SolarWinds’ paranoia?
  2. Does selling insurance for cloud services suggest that cloud services are a big fat bad actor target which cannot be adequately protected?
  3. Will Google insure homes, yachts, and health?
  4. Has Google run out of ideas for generating revenue from its home brew and me too technology?

I have no answers, just hunches.

The Google has looked backwards to bottomry contracts shaped in Babylon. When did this insight dawn? Round about 4,000 before common era (that’s AD in thumbtyper speak).

Will Google innovate with stone flaking methods and sell non fungible tokens for these artifacts?

Stephen E Arnold, March 3, 2021

Microsoft: Back in the Security Spotlight

March 3, 2021

What giant software company with a great marketing operation is back in the spotlight? The answer may be Microsoft. I read “real” news from an outfit which is into trust “Chinese Hackers Plundered Inboxes Using Flaws in Microsoft’s Exchange Server Software.”

The write up seems to be taking a slightly less enthusiastic approach to the outstanding software and services provided by the Redmond giant. The company is, as you may know, the outfit which is going to run much of the Department of Defense cloud system. That’s because the cloud is much better than on premises computing devices. The cloud is magical, which I think is a synonym for easier, but that’s just me.

I noted this statement in the trustiness article:

Microsoft’s suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks. Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code — including elements of Exchange, the company’s email and calendaring product.

The paragraph suggests that because the methods used against Microsoft worked for the SolarWinds’ misstep, other bad actors are jumping into the haystack of wild and crazy methods.

My view is that we are likely to see the feedback loop scale to some painful frequencies. Should anyone worry? Nope, those trusted permissions, the fluid code, and the big fat targets like Azure, Exchange, and Office 365 are no big deal. Right, Microsoft. It takes 1,000 engineers to fool the Softies.

Stephen E Arnold, March 3, 2021

Phishing: No Big Gains in 2020

March 3, 2021

In our work for the DarkCyber video news program and the research for our lectures for law enforcement, the people assisting me have reported that phishing is a big deal. The FBI thinks so. Interpol thinks so. And my personal hunch is that some of the outfits hit by ransomware in 2020 think so.

The Proofpoint “State of the Phish” report wishes to provide some good news; to wit:

57 percent of organizations in seven countries revealed they were targets of a successful phishing attack in 2020, which is only a two percent increase over 2019.

Encouraged?

The Tech News World article “Successful Phishers Make Slim Gains in 2020” seems to be optimistic. The write up reports:

the report noted that the number of respondents who told researchers that phishing attacks resulting in data loss increased 13 percent and those leading to credential compromise jumped 11 percent.

Concerning? Not enough to alter the positive spin the editors put on the article title.

If you want to read the original report, navigate to this Proofpoint link. You will have to fill out a form so that the company can keep you informed about phish and other topics.

Stephen E Arnold, March 2, 2021

How Quickly Can Facebook, Google, and Twitter Remove Content? 36 Hours or Less?

March 3, 2021

I read “Social Media Sites Must Remove Content in 36 Hours of Order: Govt in Draft Digital, OTT Platform Rules.” The rules will be imposed by India. According to the article in News 18 India:

The central government has finalized the rules to regulate internet-based businesses and organizations – social media companies, OTT streaming services, and digital news outlets, among others – as it plans to introduce a sea change in legislation to assert more control over powerful Big Tech firms. Under the new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, the government plans to mandate social media companies like Facebook and Twitter to erase contentious content as early as possible, but not later than 36 hours, after a government or legal order.

Pretty clear. India sends an email; the recipient has 36 hours; then the fines begin.

Twitter, headed by a very talented, articulate, and handsome wizard, is allegedly the cause of this decision. Hey, tweet in real time, no problem. Fail to deal with flagged content, big problem.

Sucked into the “go where the money is” process, the inability to move in a sprightly manner could be expensive.

What’s next?

You know those weird motion picture ratings which lured under age limit viewers like roasting burgers in the park on a hot summer day? Ratings, yes. The Indian government wants tags on videos:

While the new rules for social media and other digital platforms will be governed by the IT Ministry, the Information and Broadcasting Ministry will be the governing body for rules concerning streaming platforms. Referring to films and other entertainment, including web-based serials, the draft rules called for a “classification rating” to describe content and advise discretion.

That will allow the Google to demonstrate its ability to do more than create financial hardship for content creators. How long does it take for Google to remove my video interview of Robert David Steele? Answer: About two years. The 36 hour ceiling is obviously going to be no problem for the Googlers.

Like Facebook’s massive victory over Australia, the social media giants will have no difficulty in dealing with another pesky nation state.

Stephen E Arnold, March 3, 2021

Quantum Computing: A Nasty Business

March 3, 2021

In a PhD program, successful candidates push the boundaries of knowledge and change the world for the better. Sometimes. One illustration of this happy outcome is the case of Zak Romaszko at the University of Sussex, who contributed to the school’s ion trap quantum computer project. Romaszko is now working at his professor’s spin-off company Universal Quantum on commercialization of the tech to create large-scale quantum computers. Bravo!

Unfortunately, not all PhD programs are crucibles of such success stories. One in particular appears to be just the opposite, as described in “A Dishonest, Indifferent, and Toxic Culture” posted at the Huixiang Voice. The blog is dedicated to covering the heartbreaking experience of PhD candidate Huixiang Chen, who was studying at the University of Florida’s department of Electrical and Computer Engineering when he took his own life. The note Chen left behind indicated the reason, at least in part, was the pressure put on him by his advisor to go along with a fraudulent peer-review process.

We learn:

“It has been 20 months since the tragedy that a Ph.D. candidate from the University of Florida committed suicide, accusing his advisor of coercing him into academic misconduct. Our latest article dropped a bump into the academic world by exposing the evidence of that academic misconduct. The Nature Index followed up with an in-depth report with comments from scientists and academic organizations worldwide expressing their shock and deep concerns about this scandal that happened at the University of Florida.”

A joint committee of the academic publisher Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers (IEEE) investigated the matter and found substance in the allegations. ACM has imposed a 15-year ban on participation in any ACM Conference or Publication on the offenders, the most severe penalty the organization has ever imposed. The post continues:

“The conclusion finally confirmed two important accusations listed in Huixiang Chen’s suicide note that:
1) The review process for his ISCA-2019 paper was broken, and most of the reviewers of the paper are ‘friends’ of his advisor Dr. Tao Li. The review process became organized and colluded academic fraud:
2) After recognizing that there are severe problems in his ISCA-2019 paper, Huixiang Chen was coerced by his advisor Dr. Tao Li to proceed with a submission despite that Huixiang Chen repeatedly expressed concerns about the correctness of the results reported in work, which led to a strong conscience condemnation and caused the suicide.
“Finally, the paper with academic misconduct got retracted by ACM as Huixiang’s last wish.”

Chen hoped the revelations he left behind would lead to a change in the world; perhaps they will. The problem, though, is much larger than the culture at one university. Peer reviewed publications have become home to punitive behavior, non-reproducible results, and bureaucratic pressure. Perhaps it is time to find another way to review and share academic findings? Google’s AI ethics department may have some thoughts on academic scope and research reviews.

Cynthia Murrell, March 3, 2021

SolarWinds: Microsoft Moves to Closure after Revealing 1000 Bad Actors Got in the Game

March 3, 2021

After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:

“What Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”

So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.
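The policy the quoted researchers describe, no secrets in code with automated checks to enforce it, is the defensive counterpart to the “trawling through open source code looking for credentials” route mentioned in the SolarWinds post above: a credential that never lands in a repository cannot be found there. As an added example (not Microsoft’s tooling and not from the article), here is a minimal pre-commit style scanner in Python, run over a constructed sample source file. The list of credential-like variable names, the entropy threshold, and every sample line are assumptions made for the illustration.

```python
"""Minimal secrets-in-code check (added example, not Microsoft's tooling).

Flags two kinds of lines: a string literal assigned to a credential-like
name, and a long, random-looking literal assigned to any name. Either one
is enough to fail a pre-commit hook or CI job before the commit is made.
"""
import math
import re

# Constructed sample source; the values are made up for this example.
SAMPLE_SOURCE = """\
db_host = "db.internal.example"
password = "solarwinds123"
API_KEY = "AKIAEXAMPLEEXAMPLE01"
token = os.environ["SERVICE_TOKEN"]
secret = "Q7v9xL2pT4mW8nR1sK6jH3bZ5yD0cF"
header_value = "9f3Kq2Lm8Xz1Vb7Nc4Pw6Rt0Ys5Hd2Jg"
"""

# Names that usually hold credentials (assumed list; extend per code base).
SENSITIVE_NAMES = re.compile(
    r"(?i)\b(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)\b"
)
# `name = "literal"` or `name: "literal"` with at least four characters.
ASSIGNED_LITERAL = re.compile(
    r"""(?P<name>[A-Za-z_][\w.-]*)\s*[=:]\s*["'](?P<value>[^"']{4,})["']"""
)
# Reading the value from the environment or a vault is the intended pattern.
SAFE_REFERENCE = re.compile(r"(os\.environ|getenv|vault|\$\{)")


def shannon_entropy(s):
    """Bits of entropy per character; random keys score high, words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Show enough to locate the value in the file, never the whole secret."""
    return value[:3] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_source(text, entropy_threshold=3.5):
    """Return (line_no, reason, name, redacted_value) for each finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SAFE_REFERENCE.search(line):
            continue  # value comes from the environment, not the file
        m = ASSIGNED_LITERAL.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if SENSITIVE_NAMES.search(name):
            findings.append((line_no, "sensitive-name", name, redact(value)))
        elif len(value) >= 20 and shannon_entropy(value) >= entropy_threshold:
            # Hashes and build ids also score high here, so a real hook
            # pairs this rule with an allowlist rather than dropping it.
            findings.append((line_no, "high-entropy", name, redact(value)))
    return findings


def passes_policy(text):
    """True when the text can be committed under a no-secrets-in-code rule."""
    return not scan_source(text)


if __name__ == "__main__":
    for line_no, reason, name, shown in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason} ({name} = {shown})")
    print("policy passed" if passes_policy(SAMPLE_SOURCE) else "policy failed")
```

The scanner reports the redacted value rather than the secret itself, so the hook's own output does not become a second place the credential leaks; the environment-variable line is skipped because that is the pattern the policy wants developers to use instead.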

Cynthia Murrell, March 3, 2021

From Customer Support to the Deceased: The Wonder of Chatbots and Smart Software

March 2, 2021

I know that chatbots lashed to customer support departments deliver prompt, effective, and pleasing results. No, not to you, gentle reader, to the outfit using smart software to reduce the costs of handling these organizations’ most important asset — Customers.

Now chatbots have nosed into a new domain, as described in “Chatbots That Resurrect the Dead: Legal Experts Weigh In on Disturbing Technology.” I learned:

It was recently revealed that in 2017 Microsoft patented a chatbot that, if built, would digitally resurrect the dead. Using AI and machine learning, the proposed chatbot would bring our digital persona back to life for our family and friends to talk to. When pressed on the technology, Microsoft representatives admitted that the chatbot was “disturbing” and that there were currently no plans to put it into production.

The write up offered:

Microsoft’s chatbot would use your electronic messages to create a digital reincarnation in your likeness after you pass away. Such a chatbot would use machine learning to respond to text messages just as you would have when you were alive. If you happen to leave behind rich voice data, that too could be used to create your vocal likeness – someone your relatives could speak with, through a phone or a humanoid robot.

What if a hacker uses the technology to keep a deceased LinkedIn professional alive? Other AI tools could generate reports. A third smart system would issue invoices. What if the bad actors responsible for SolarWinds bring back now departed Microsoft wizards? The possibilities are interesting to contemplate.

Respect for the dead? Sure, among the tech elite. Absolutely.

Stephen E Arnold, March 2, 2021

Funding Terrorism with Information about Wretched Situations

March 2, 2021

People often try to help. I recall talking to a street person in San Francisco in the chocolate chip cookie shop near the Diva Hotel on Geary. The chocolate chip shop is, I believe, long gone. I asked the person which cookies he liked the best. He said, “I buy them every day for my family. I get a dozen or so. I eat one on the BART to Daly and then take the rest to the family.” I asked, “What do you do?” He said, “I beg. It works really well. People are very generous.”

“Funding the Needy or Funding Terror?” reminded me of this little life lesson from the 1980s. What looked like a person who was down on his luck was a hard working exploiter of people’s desire to help others. None of those Berkeley coupons for the beggar in the cookie store. Now the stakes are higher.

The article reports:

Last year, online fundraisers began to appear on behalf of al-Hol residents. Many were seeking to finance escapes, others to pay for food and supplies. (While some donations have likely gone toward terrorism, the campaigns are careful to avoid mentioning violence.) The petitions spread via social networks, including Facebook, Instagram, and Twitter, and often involved PayPal and other payment systems as well as messaging apps, like WhatsApp and Telegram. Before long, intelligence and law enforcement agencies began to monitor them.

The idea is that money flows in and some of it goes to fund activities not included in the video, the email, or the TV commercial.

How do social media platforms police this allegedly fraudulent activity?

Well, that’s a good question.

The write up reports:

The architects of these networks tailor their messages and methods to geography, specific donors and goals, and national laws and platform regulations. Of the Facebook accounts identified by Rest of World that claim links to al-Hol, only some explicitly asked for donations. Others disseminated pictures or news from the camp in different languages, alongside Islamic scripture and memes. A few users fondly reminisced about their time in the caliphate. Facebook disables and deletes accounts that share terrorist propaganda, so ISIS was never explicitly mentioned. Instead, references to the organization were camouflaged by alternative spellings. “I miss the Dawl@,” one said, with a crying emoji, referencing the Arabic word for “state” in ISIS’s full name.

Again. What are social media platforms doing to address this issue?

Outputting words, forming study teams, and hand waving.

Is this a problem? Not if there are cookies at the meeting. No faux street people needed.

Stephen E Arnold, March 2, 2021
