Cybersecurity Giant Vendor Fail Is Official: No Easy Fix

March 15, 2021

The marketing claims were hot air, it seems. The New York Times reports “White House Weighs New Cybersecurity Approach after Failure to Detect Hacks.” Let me be clear. Organizations spending money for advanced, artificially intelligent, and proactive methods for dealing with cyber attacks face some difficult circumstances. First, the cash is gone. Second, the fix is neither quick nor easy. Third, boards of directors and those with oversight will ask difficult questions to which there are no reassuring answers; for example, “What information has been lost exactly?”

The answer: “No one knows.”

The NYT states:

… The hacks were detected long after they had begun not by any government agency but by private computer security firms.

Let’s be clear. The SolarWinds’ misstep was detected because a single human chased down an anomaly related to allowing access to a single mobile phone.

Several observations are warranted:

  1. Cybersecurity vendors have been peddling systems which don’t work
  2. Companies are licensing these systems and assuming that their data are protected. The assumption is flawed and reflects poorly on the managers making these decisions.
  3. The lack of information about the inherent flaws in the Microsoft software build and updating processes, the mechanisms for generating “on the fly” builds of open source enabled code, and the indifference of developers to verifying that library code is free from malicious manipulation underscores systemic failures.

Remediating the issue will take more than BrightTALK security videos, more than conference presentations filled with buzzwords and glittering generalities, and more than irresponsible executives chasing big paydays.

The failure in technical education coupled with the disastrous erosion of responsible engineering practices has created “intrusions.”

Yes, intrusions and other impacts as well.

Stephen E Arnold, March 15, 2021

Insider Threat Info

March 15, 2021

Few people want to talk about trust within an organization. Even fewer bring up blackmail, outright dumbness, or selling secrets for cash. These topics do require discussion. Where organizations are at this moment is in a very tough spot.

Cyber security vendors will email white papers, give Zoom pitches, and accept money for licenses to software which managed to miss the antics of the SolarWinds’ bad actors for — what was it — six months, a year, maybe almost two years. Yeah.

Executives will turn cyber security over to a team, a new hire, a consultant or two (McKinsey & Co. has some specialists awaiting your call), and one or more information technology employees. Did I leave anyone out? Oh, right, senior management. Well, those men and women are above the fray because security….

The trade publications will comment, quote, explain, and create nifty diagrams. I use a couple of these in my cyber crime lectures. They add color, but not much information. Oh, well, arts and crafts are important.

The allegedly responsible parties dodge those digital balls flung by fast twitch bad actors.

Articles like “What Are Insider Threats in Cyber Security” are, therefore, helpful. In a few hundred words an outfit called News Patrolling offered some helpful information. For example, I found this passage on point:

the human factor is often the most difficult to control and predict when it comes to data security and protection.

The write up provides a run down of insider threat “types”; for example, the turncloak, the pawn, and the collusionist. Some are left out like those I identified; for instance, the dumb ones. The catalog of insider attack types is acceptable, but some types are omitted; for example, people who sell data in an encrypted Telegram group or the person who throws away high value trash unwittingly or as a new age brush drop.

Nevertheless, this is a useful write up to discuss with colleagues. Maybe the conversation should be held in a Starbuck’s in Silicon Valley. Loud talking is okay.

Stephen E Arnold, March 15, 2021

The Google: Disrupting Education in the Covid Era

March 15, 2021

I thought the Covid thing disrupted education. As a result, Google’s video conferencing system failed to seize an opportunity. Even poor, confused Microsoft put some effort into Teams. Sure, Teams is not the most secure or easy to use video conferencing service, but it has more features than Google has chat apps and ad options. Google also watched the Middle Kingdom’s favorite video service “zoom” right into a great big lead. Arguably, Google’s video conferencing tool should have hooked into the Chromebook, which is in the hands of some students. But what’s happened? Zoom, zoom, zoom.

I read this crisp headline: “Inside Google’s Plan to Disrupt the College Degree (Exclusive). Get a First Look at Google’s New Certificate Programs and a New Feature of Google Search Designed to Help Job Seekers Everywhere.”

Wow. The write up is an enthusiastic extension of Google Gibru-ish. Here’s why:

  1. Two candidates. One is a PhD from Princeton with a degree in computer science. The other is a minority certificate graduate. Both compete for the same job. Which candidate gets the job?
  2. One candidate, either Timnit Gebru or Margaret Mitchell. Both complete a Google certification program. Will these individuals get a fair shake and maybe get hired?
  3. Many female candidates from India. Some are funded by Google’s grant to improve opportunities for Indian females. How many will get Google jobs? [a] 80 to 99 percent, [b] 60 to 79 percent, [c] fewer than 60 percent? (I am assuming this grant and certificate thing are more than a tax deduction or hand waving.)

High school science club management decisions are fascinating to me.

Got your answers? I have mine.

For the PhD versus the certificate holder, the answer is it depends. A PhD with non Googley notions about ethical AI is likely to be driving an Uber. The certificate holder with the right mental orientation gets to play Foosball and do Googley things.

For the Gebru – Mitchell question, my answer is neither. Female, non-Googley, and already Xooglers. Find your future elsewhere is what I intuit.

And the females in India. Hard to say. The country is far away. The $20 million or so is too little. The cultural friction within the still existing castes is too strong. Maybe a couple is my guess.

In short, Google can try to disrupt education. But Covid has disrupted education. Another outfit has zoomed into chinks in the Google carapace. So marketing it is. It may work. Google is indeed Google.

Stephen E Arnold, March 15, 2021

Watching the Future of Talend

March 15, 2021

I read “Talend Sells to Private Equity Firm Thoma Bravo in $2.4 Billion Deal.” I find this interesting. Talend is a software company providing extract, transform, and load services and analytics. Data remain the problem for many thumbtypers fresh from Amazon or Google certification classes. The idea is to suck in data legally from different sources. These data are often in odd ball formats or malformed because another digital mechanic missed a bolt or added a bit of finery. Some people love MarkLogic innovations in XML; others, not so enamored of the tweaks.

What does Thoma Bravo bring to the table for a publicly traded company with a number of competitors?

I can think of two benefits:

The first is MBA think. Thoma Bravo is skilled in the methods for making a company more efficient. It is a good idea to internalize the definition of “efficiency” as the word is used at McKinsey & Co.

The second is acquisition think. From my point of view, the idea is to identify interesting companies which provide additional functionality around the core Talend business. Then Thoma Bravo assists the Talend management to bring these companies into the mothership, train sales professionals, and close deals.

No problem exists with this game plan. One can identify some indicators to monitor; for example:

  • Executive turnover
  • Realigning expenditures; possibly taking money from security and allocating the funds to sales and marketing
  • Targeting specific market segments with special bundles of enhanced Talend software and business methods.

For more information about Talend as it exists in March 2021, navigate to this link.

Oh, one final comment. Thoma Bravo was involved in making SolarWinds the business success it became.

Stephen E Arnold, March 15, 2021

Search Engines: Bias, Filters, and Selective Indexing

March 15, 2021

I read “It’s Not Just a Social Media Problem: How Search Engines Spread Misinformation.” The write up begins with a Venn diagram. My hunch is that quite a few people interested in search engines will struggle with the visual. Then there is the concept that typing in a search term returns results that are like loaded dice in a Manhattan craps game in Union Square.

The reasons, according to the write up, that search engines fall off the rails are:

  • Relevance feedback or the Google-borrowed CLEVER method from IBM Almaden’s patent
  • Fake stories which are picked up, indexed, and displayed as value infused.

The write up points out that people cannot differentiate between accurate, useful, or “factual” results and crazy information.

Okay, here’s my partial list of why Web search engines return flawed results:

  1. Stop words. Control the stop words and you control the info people can find
  2. Stored queries. Type what you want but get the results already bundled and ready to display.
  3. Selective spidering. The idea is that any index is a partial representation of the possible content. Instruct spiders to skip Web sites with information about peanut butter, and, bingo, no peanut butter information
  4. Spidering depth. Is the bad stuff deep in a Web site? Just limit the crawl to fewer links?
  5. Spider within a span. Is a marginal Web site linking to sites with info you want killed? Don’t follow links off a domain.
  6. Delete the past. Who looks at historical info? A better question, “What advertiser will pay to appear on old content?” Kill the backfile. Web indexes are not archives no matter what thumbtypers believe.

There are other methods available as well; for example, objectionable info can be placed in near line storage so that results from questionable sources display with enough latency to cause the curious user to click away.
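To make the crawl and index controls in the list above concrete, here is an added simulation (my own example, not code from the original post or from any search engine) that runs a breadth-first crawl over a small constructed link graph and shows how a skip list, a depth limit, a same-domain-only span rule, and a stop word list each change what becomes findable. The site graph, page texts, and URLs are invented for the illustration.

```python
"""Simulated crawl and index over a constructed link graph.

Demonstrates four of the controls discussed above: selective spidering
(skip list), spidering depth, spidering within a span (same domain only),
and stop words. All URLs and page texts below are constructed examples.
"""
from collections import deque
from urllib.parse import urlparse

# Constructed site graph: url -> (page text, outgoing links). Not real pages.
SITE = {
    "https://news.example/": ("home page", ["https://news.example/a", "https://recipes.example/"]),
    "https://news.example/a": ("story about the election", ["https://news.example/a/deep"]),
    "https://news.example/a/deep": ("archived 2012 election story", []),
    "https://recipes.example/": ("recipe index", ["https://recipes.example/peanut-butter"]),
    "https://recipes.example/peanut-butter": ("peanut butter cookies", []),
}


def crawl(start, max_depth=None, same_domain_only=False, skip_terms=()):
    """Breadth-first crawl from `start`; returns the set of URLs that get indexed.

    max_depth:        stop following links beyond this many hops from `start`.
    same_domain_only: do not follow links that leave the start domain (span rule).
    skip_terms:       a page mentioning any of these is neither indexed nor
                      followed, so everything reachable only through it vanishes.
    """
    start_host = urlparse(start).netloc
    seen = {start}
    queue = deque([(start, 0)])
    indexed = set()
    while queue:
        url, depth = queue.popleft()
        text, links = SITE.get(url, ("", []))
        if any(term in text for term in skip_terms):
            continue  # selective spidering: drop the page and its subtree
        indexed.add(url)
        if max_depth is not None and depth >= max_depth:
            continue  # spidering depth: do not go deeper than allowed
        for link in links:
            if same_domain_only and urlparse(link).netloc != start_host:
                continue  # span control: never leave the start domain
            if link not in seen:
                seen.add(link)
                queue.append((link, depth + 1))
    return indexed


def build_index(urls, stop_words=()):
    """Inverted index over the crawled pages' text, minus stop words.

    A word on the stop list never becomes searchable, so whoever controls
    the list controls which pages a query for that word can surface.
    """
    index = {}
    for url in urls:
        for word in SITE[url][0].split():
            if word in stop_words:
                continue
            index.setdefault(word, set()).add(url)
    return index


def search(index, word):
    """Return the sorted list of URLs whose text contained `word` at index time."""
    return sorted(index.get(word, set()))


if __name__ == "__main__":
    everything = crawl("https://news.example/")
    print("full crawl:", len(everything), "pages")
    print("depth 1:", sorted(crawl("https://news.example/", max_depth=1)))
    print("same domain:", sorted(crawl("https://news.example/", same_domain_only=True)))
    print("skip peanut:", sorted(crawl("https://news.example/", skip_terms=("peanut",))))
    print("election, no stop words:", search(build_index(everything), "election"))
    print("election as stop word:", search(build_index(everything, stop_words=("election",)), "election"))
```

Each control removes pages for a different reason, yet the searcher sees the same thing in every case: a result list with no indication that anything was left out, which is the point the list above makes.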

To sum up, some discussions of Web search are not complete or accurate.

Stephen E Arnold, March 15, 2021

Microsoft Exchange After Action: Adulting or Covering Up?

March 12, 2021

I read “Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on GitHub.” The allegedly accurate “real” news report states:

On Wednesday, independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers that combined two of those vulnerabilities. Essentially, he published code that could be used to hack Microsoft customers, exploiting a bug used by Chinese government hackers—on an open-source platform owned by Microsoft.

What happened?

Microsoft took down the hacking tool. “GitHub took down it,” the researcher told Motherboard in an email. “They just send [sic] me an email.” On Thursday, a GitHub spokesperson confirmed to Motherboard that the company removed the code due to the potential damage it could cause.

Interesting.

Two questions crossed my mind:

  1. Is Microsoft showing more management responsibility with regard to the data posted on GitHub? Editorial control is often useful, particularly when the outputting mechanism provides a wealth of information and code. Some of these items can be used to create issues. Microsoft purchased GitHub and may now be forced to take a more adult view of the service.
  2. Is Microsoft covering up the flaws in its core processes? After reading Microsoft’s explanations of the Solarwinds’ misstep, the injection of marketing spin and intriguing rhetoric about responsibility open the door to a bit of Home Depoting; that is, paint, wood panel, and a bit of carpet make an ageing condo look better.

Worth watching both the breaches which are concerning and the GitHub service which can cause some individuals’ brows to furrow.

Stephen E Arnold, March 12, 2021

Microsoft: Stunned by Its Own Insecure Petard?

March 12, 2021

I read “10 Key Microsoft Ignite Takeaways for CIOs.” Marketing fluff except for one wild and crazy statement. Here’s the passage I found amusing:

By midyear, enterprises will also be able to control in which datacenter Microsoft stores documents shared through Teams, group by group or even for individual users, making it more useful in some regulated industries or where there are concerns about the security of data. These controls will mirror those available for Exchange and SharePoint. There will also be an option to make end-to-end-encrypted one-to-one voice or video calls, that CIOs can enable on a per-employee basis, and to limit meeting attendance only to invited participants. A future update could see the addition of end-to-end encrypted meetings, too. For companies that are centralizing their investment in such collaboration, McQuire said, “Security is arguably the number one selection criterion.”

Assume this number one selection criterion is on the money. What’s the Microsoft security posture with SolarWinds and the Exchange breaches?

That petard packs quite a wallop, and it is not from marketing hoohah. There’s nothing like a marketing oriented conference to blow smoke to obfuscate the incredible security issues Microsoft has created. But conferences and marketing talk are easier than remediating the security problems.

Stephen E Arnold, March 12, 2021

T-Mobile: Privacy Is a Tough Business

March 12, 2021

Just a bit of mobile phone experience this morning. T Mobile (the magenta or pink outfit) notified me I could opt out of its forthcoming “sell your data” initiative. I dutifully clicked on the link to something which appeared in an SMS as t-mo.com/privacy12. Surprise. The page rendered with a notice that it was a new domain. I fiddled around and was able to locate the page via the search box on T-mobile.com. I filled in the data, including a very long Google ad tracker number. I clicked the submit button and nothing happened. I spotted an email address which was “privacy@tmobile.com.” Guess what? The email bounced. I called 611, the number for customer service. I was told that T Mobile would call me back in 30 minutes. Guess what? No call within the time window.

Privacy is a tough business, and it is one which amuses the marketers and thumbtypers who work with developers to create dark patterns for paying customers. Nice work.

Nifty move. Well, the company is magenta or pink. It is dark, however. Very dark and quite sad.

Stephen E Arnold, March 11, 2021, 4:35 pm US Eastern

Quantum Computing: The Solution to SolarWinds and Microsoft Security Gaps

March 12, 2021

I am an optimist. I have been waking up with the idea that life is good and my work might make the world a slightly better place. However, I don’t put much trust in unicorns (nifty horses with a long pointy horn or the Silicon Valley type), fairies, or magical mermaids. When new technology comes along, I view the explanations of the technology’s wonders with skepticism. Mobile phones are interesting, but the phone has been around for a while. Shrinking chips make it possible to convert the “phone” into a general purpose thumbtyping machine. Nifty, but still a phone on steroids.

I thought about the human tendency to grasp for silver bullets. This characteristic runs through Jacques Ellul’s book The Technology Bluff. Its decades-old explanations and analyses are either unknown or ignored by many informed individuals. My hunch is that the Murdoch-owned Wall Street Journal assumes that its writers are responsible for understanding certain topics.

I read “Effective Cybersecurity Needs Quantum Computing.” Perhaps I should send a copy of Dr. Ellul’s book? But why? It’s not like the hippy dippy books included in the Murdoch book reviews. Dr. Ellul likes interesting words; for example, Mancipium. Does Mr. Murdoch’s oldest son know the meaning of the word? He should; he lives in a mancipium-infused environment.

The essay asserts that a new and essentially unworkable technology will deal with the current cybersecurity challenges. How many years will be required to convert baby step lab experiments into a scalable solution to the business methods employed at outfits like SolarWinds and Microsoft? One, maybe five, or a more realistic 25 years?

The problems caused by flawed, short cut riddled, and uninformed approaches to coding, building, deploying, and updating enterprise software are here-and-now puzzles. For a point of reference, the White House sounded an alarm that a really big problem exists and poses threats today.

Sure, let’s kick back and wait for the entities of nifty technology to deliver solutions. IBM, Google, and other firms are beavering away on the unicornesque quantum computing. That’s fine, but to convert expensive, complex research and development projects into a solution for the vulnerability of that email you sent a few minutes ago is just off the wall. Sure, there may be a tooth fairy or a wizard with a magic wand, but that’s not going to be the fix quantum computing allegedly will deliver.

The WSJ essay states:

The extraordinary sensitivity of qubits reveals interference instantly and unfailingly. They would alert us when hackers read, copy or corrupt transmitted files.

Sure, if someone pays attention. I want to point out that exactly zero of the cybersecurity systems monitoring the SolarWinds’ misstep sounded an alarm. Hooking these systems into a quantum system will result in what, another two to five years of development. Walking by today’s quantum computers and waving an iPhone close to a component can create some excitement. Why? Yep, sensitivity. But why worry about trivial details.

The Murdocher does admit that quantum computers are years away, but there is zero value in kicking today’s security disasters down the road like a discarded can of Pabst Blue Ribbon beer. Funding is fine. Conflating the current radiation poisoning of digital systems with quantum computing is like waiting for an Uber or Lyft driver to come by in a chariot pulled by a unicorn.

Stephen E Arnold, March 12, 2021

Apple: Yep, the Secure System

March 12, 2021

One of the best things about Apple products is their resistance to viruses and malware. However, when a bad actor sinks their coding fangs into the Mac OS and figures out how to corrupt the software, cyber security professionals pay attention. Ars Technica reports that, “New Malware Found On 30,000 Macs Has Security Pros Stumped.”

The downloaded malware has yet to do anything nefarious other than ping a control server to check for new commands. Security experts believe that there could be an ultimate end action, but it has not happened yet. The malware also has a self-destruction capability; usually that action is reserved for stealth software. It also runs on the new M1 chip and uses the macOS Installer JavaScript API for commands. Red Canary researchers call the new malware “Silver Sparrow.”
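The one behaviour the paragraph above attributes to Silver Sparrow, a periodic check-in with a control server for commands, is exactly what a defender can look for in egress logs even before any payload arrives: machine-scheduled contacts have suspiciously regular gaps. The following is an added example of that kind of beaconing check, written for this page; it is not Red Canary’s or Malwarebytes’ detection logic, and the log lines, hostnames, and thresholds are constructed for the illustration.

```python
"""Beaconing check over constructed outbound-connection log lines.

Flags (host, destination) pairs whose contact timestamps are spaced with
near-constant gaps, the signature of a scheduled check-in for commands.
The log, hostnames, and thresholds are all constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log: "<epoch seconds> <host> <destination>" per line.
# The first destination is contacted every 60 s; the second at human-ish random times.
LOG = """\
1000 mac-01 updates.example.net
1060 mac-01 updates.example.net
1120 mac-01 updates.example.net
1180 mac-01 updates.example.net
1240 mac-01 updates.example.net
1005 mac-01 cdn.example.com
1017 mac-01 cdn.example.com
1130 mac-01 cdn.example.com
1400 mac-01 cdn.example.com
1412 mac-01 cdn.example.com
"""


def parse(log):
    """Group contact timestamps by (host, destination)."""
    groups = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        groups[(host, dest)].append(int(ts))
    return groups


def gap_stats(timestamps):
    """Return (mean gap, coefficient of variation) for consecutive contacts,
    or None when there are too few contacts to judge regularity.
    A coefficient of variation near 0 means machine-regular timing."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(log, min_contacts=5, max_cv=0.1):
    """List (host, destination, mean_gap_seconds) for pairs whose check-ins are
    frequent enough and regular enough to look scheduled rather than human."""
    hits = []
    for (host, dest), ts in parse(log).items():
        if len(ts) < min_contacts:
            continue
        stats = gap_stats(ts)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            hits.append((host, dest, round(mean_gap)))
    return hits


if __name__ == "__main__":
    for host, dest, gap in find_beacons(LOG):
        print(f"{host} contacts {dest} about every {gap}s: possible check-in beacon")
```

Real implants often add jitter to their schedule, so in practice the coefficient-of-variation threshold is tuned against a baseline of known-good update traffic (which also beacons) and the destination is checked against an allow list before anyone is paged.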

Developers are skeptical about Silver Sparrow’s end purpose, but are impressed that it broke through Apple’s legendary defenses:

“An Apple spokesperson provided a comment on the condition they not be named and the comment not be quoted. The statement said that after finding the malware, Apple revoked the developer certificates. Apple also noted there’s no evidence of a malicious payload being delivered. Last, the company said it provides a variety of hardware and software protections and software updates and that the Mac App Store is the safest venue to obtain macOS software.

Among the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, with the latter group finding Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That’s a significant achievement.”

Apple thankfully caught the malware before any damage was done, but it proves that Macs are not invincible and dedicated hackers can penetrate the OS. Will Apple start peddling virus protection software and add an exorbitant price tag?

Whitney Grace, March 12, 2021
