Security Is a Game

November 12, 2020

This article’s headline caught my attention: “Stop Thinking of Cybersecurity As a Problem: Think of It As a Game.” I think I understand. The write up asserts:

The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.

Interesting idea. Numerous cyber security solutions are available. Some organizations have multiple solutions in place. Nevertheless, bad actors continue to have success. If the information in  Risk Based Security 2020 Q3 Report Data Breach QuickView is anywhere close to accurate. The “game” is being won by bad actors: Lots of data was sucked down by cyber criminals in the last nine months.

Fun, right?

Stephen E Arnold, November 12, 2020

Microsoft Security: Time for a Rethink

November 1, 2020

Not long ago, the Wall Street Journal ran this full page ad for a cyber security company named Intrusion:


The ad is interesting because it highlights the failure of cyber security. Evidence of this ineffective defense is revealed in reports from the FBI, Interpol, and independent researchers: Cyber crime, particularly phishing and ransomware, are increasing. There are hundreds of threat neutralizers, smart cyber shields, and a mind boggling array of AI, machine learning, and predictive methods which are not particularly effective.

Microsoft 365 Administrators Fail to Implement Basic Security Like MFA” provides some interesting information about the state of security for a widely used software system developed by Microsoft.

The article reveals that researchers have found that 99 percent of breaches can be “prevented using MFA.” MFA is cyber lingo for multi-factor authentication. A common way to prove that a log on is valid is to use a password. But before the password lets the user into the system, a one time code is sent to a mobile phone. The user enters the code from the phone and the system lets the person access the system. Sounds foolproof.

The write up states:

The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) activated.

Another finding is that:

Microsoft 365 administrators are given excessive control, leading to increased access to sensitive information. 57% of global organizations have Microsoft 365 administrators with excess permissions to access, modify, or share critical data. In addition, 36% of Microsoft 365 administrators are global admins, meaning these administrators can essentially do whatever they want in Microsoft 365. CIS O365 security guidelines suggests limiting the number of global admins to two-four operators maximum per business.

Let’s step back. If the information in the write up is correct, a major security issue is associated with Microsoft’s software. With an increase in breaches, is it time to ask:

Should Microsoft engage in a rethink of its security methods?

We know that third party vendors are not able to stem the tide of cyber crime. A security company would not buy a full page ad in the Wall Street Journal to call attention to failure if it were just marketing fluff. We know that Microsoft admins and Microsoft apps are vulnerable.

Perhaps shifting the burden from the software and cloud vendor to the user is not the optimal approach when one seeks to make security more effective and efficient. The shift is probably more economical for Microsoft; that is, let the customer carry the burden.

Some Microsoft customers may push back and say, “Wrong.” Perhaps regulators will show more interest in security if their newfound energy for taking action against monopolies does not wane? Over to the JEDI knights.

Stephen E Arnold, November 1, 2020

Organizational Security: Many Vendors, Many Breaches

October 30, 2020

I noted a write up with a fraught title: “Breaches Down 51%, Exposed Records Set New Record with 36 Billion So Far.” I interpreted this to mean “fewer security breaches but more data compromised.”

The write up explains the idea this way:

The number of records exposed has increased to a staggering 36 billion. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record,” Risk Based Security reveals.

Okay. How is this possible? The answer:

The report explores numerous factors such as how media coverage may be a factor contributing to the decline in publicly reported breaches. In addition, the increase of ransomware attacks may also have a part to play.

I interpreted this to mean, “Let’s not tell anyone.”

If you want a copy of this RiskBased Security report, navigate to this link. You will have to cough up an email and a name.

Net net: More data breaches and fewer organizations willing to talk about their security lapses. What about vendors of smart cyber security systems? Vendors are willing to talk about the value and performance of their products.

Talk, however, may be less difficult than dealing with security breaches.

Stephen E Arnold, October 30, 2020

Cyber Sins: Part of the Human Condition Permanently

October 24, 2020

Business operations have secrets and maybe sins. Medium explains “The Seven Deadly Sins Of Cybersecurity.” Using the metaphor of the biblical seven deadly sins: greed, gluttony, lust, envy, sloth, wrath, and pride, the article compares social media platforms to the digital manifestation of them. The write up argues that cybersecurity is demonized by seven deadly sins.

What’s a sin?

Covid-19 has made cyber security more important than ever as people are forced to work from their homes. Organizations need cybersecurity to protect their information and the pandemic exposes all weaknesses in organizations’ cybersecurity culture, if any exists. Another sin is believing a layered, complex solution equals a decent security plan. Complexity actually creates more problems, especially when plans involve too much overhead management and talking about “doing something” instead of taking action.

Credential abuse is also a deadly sin. One commits credential abuse in the over reliance of simple passwords. People love simple passwords, because they are easy to remember and they hate complex credential systems because they are annoying. It might be better to find an alternative solution:

“So what solutions should you start exploring? Identity & Access Management, Privileged Access Management (PAM), Just-In-Time/Just-Enough Administration, Role-based access controls, Multi-Factor Authentication, and more. What about Single Sign-On? Federated Identity management? everyone must adhere to secure credential management without exception…In climbing, free-soloing might be the epitome of cool, but when you fall, you’ll wish you had a belay.”

The article advises to be aware that you cannot treat all of your information the same way. The example the article uses is treating a mobile number differently than a credit card number. It is important to be aware of how any information posted online could be potentially harmful.

Then an ultimate sin is not paying attention to blind spots:

“Many threats “hide in plain sight” and we don’t have the time, energy, and resources to look for them, let alone know where to start.This problem is due to complexity, a lack of resources, and too many gaps and overlaps.”

The key to absolving this sin is discovering the blind spots, then developing solutions.

Sin, however, is part of the human condition. Bad actors sense opportunities and exploit them. Cyber crime continues to thrive and become more pervasive.

Whitney Grace, October 24, 2020

One More Reason to Love Microsoft Windows 10 Updates: Malware

October 23, 2020

The pushing of updates reflects two things. First, the generally low quality of software. Second, a crazed desire to lock in customers. Microsoft seems to be working hard to deliver on both counts. However, there is more to love about the silent, unwanted Windows update processes, a topic not covered in Microsoft’s free report about its loss of 250 million items of customer data. Curious? You can download the report at this link.

This Nasty Malware Has Disguised Itself As a Windows 10 Update”, if accurate, suggests there are other issues with the JEDI warriors’ online systems. We learned:

Emotet, the malware campaign that has been causing havoc for computer systems all over the world, has reappeared with a new approach to infecting devices. An email attachment claiming to be from Windows Update and instructing users to upgrade Microsoft Word is now being used to lure unsuspecting victims into downloading the malicious software. The malware works by first sending spam emails that contain either a Word document attachment or a download link. Victims will then be prompted to ‘Enable Content’ to allow macros to run on their device, which will install the Emotet Trojan.

Seems like phishing to us. Are there steps Microsoft could take to minimize risks to their millions of long suffering customers? Sure, but it may not be a priority. JEDI, you know. Beating off Amazon and Google, you know.

The reports about security are nice. But maybe something more than a free marketing document is needed if the “nasty malware” story is on the money? You know?

Stephen E Arnold, October 23, 2020

Twitter for Verification: The Crypto Approach

October 21, 2020

New York State’s Twitter Investigation Report explores the cybersecurity “incident” at Twitter and its implications for election security. If you don’t have a copy, you can view the document at this url. The main point of the document struck me as this statement from the document:

Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the Hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account.

With the Department of Financial Services’ report in mind, I found the information in “.Crypto Domain Owners Can Now Be Verified With Twitter Accounts for Safer Payments” interesting. Twitter and “safer” are not words I would associate. The write up reports:

Blockchain startup Unstoppable Domains and oracle network Chainlink have launched a new feature allowing individuals or entities with blockchain domains to authenticate themselves using their Twitter accounts. The feature is powered by Chainlink oracles, which connect each .crypto address from Unstoppable Domains to a public Twitter username. The firms said the Twitter authentication could help stem crimes in cryptocurrency payments such as phishing hacks.

In one of our Twitter tests, we created an account in the name of a now deceased pet. Tweets were happily disseminated automatically by the dog. Who knew that the dead dog’s Twitter account can reduce phishing attacks?

Twitter: Secure enough to deliver authentication? The company’s approach to business does not give me confidence in the firm’s systems and methods.

Stephen E Arnold, October 21, 2020

DarkCyber for October 20, 2020, Now Available

October 20, 2020

The October 20, 2020 DarkCyber video news program covers five stories. First, secure messaging apps have some vulnerabilities. These can be exploited, according to researchers in Europe. Second, QuinetiQ’s most recent cyber report provides some eye-opening information about exploit techniques and methods. Third, a free phishing tool is available on GitHub. With it, a bad actor can automate phishing attacks. Fourth, mobile phones can be remotely activated to work like spy cameras and audio transmitters. The final story explains that swarms of drones can be controlled from a mobile phone and a new crawling drone can deliver bio-weapons in a stealthy manner. DarkCyber is produced by Stephen E Arnold, author of CyberOSINT and the Dark Web Notebook. You can view the 11 minute program at this link. (The miniature centipede-like drone is a marvel.)

Kenny Toth, October 20, 2020

Dark Web Sites Losing Out to Encrypted Chat Apps?

October 14, 2020

With several Dark Web marketplaces falling to either law enforcement successes or to their own administrators’ “exit scams,” it was predicted vendors and buyers of illegal goods would shift to another alternative, one that promises end-to-end encryption. However, Bank Info Security explains “Why Encrypted Chat Apps Aren’t Replacing Darknet Markets.” To be sure, some criminals do use these apps, but they have been running into some disadvantages. Writer Mathew J. Schwartz specifies:

“One is the challenge of finding – or marketing – goods and services being provided via chat apps. Fear about the reliability of legitimate platforms – and of the risk of getting sold out – is another factor. ‘By trusting a legitimate third-party application’s encryption and anonymity policies, threat actors are placing their trust in non-criminals,’ the ‘Photon Research Team’ at digital risk protection firm Digital Shadows tells me. Criminals typically prefer to avoid such situations. … Chat platforms’ smaller scale can also be an unwelcome limitation for criminals because fewer customers means lower profits for sellers or chat-channel administrators. ‘Most instant messaging platforms tend to be smaller in terms of number of participants and also geographically focused or limited by language – limiting the reach,’ Raveed Laeb and Victoria Kivilevich, respectively product manager and threat intelligence analyst at Israeli cyber threat intelligence monitoring firm Kela, tell me. ‘Another limit is that many chat channels focus on one subject – meaning that one channel features drugs, another one offers enrolls and so on. Thus, it lowers potential profits for the channel’s admins,’ they say.”

It is true, legitimate encrypted apps have plenty of incentive to cooperate with the authorities. So why not build an alternative by criminals for criminals? Some have tried that, with networks like BlackBox, Phantom Secure, and EncroChat, all of which were summarily busted by law enforcement. There are likely more out there, but they may suffer the same fate.

In the end, it seems many dark-market vendors are sticking with the marketplaces. It makes sense in our view—we see the two avenues as complements to one another, anyway. Meanwhile, though, certain marketplaces are abandoning some of their traditional sellers: We’re told illegal drugs are being banned at these sites in favor of digitally transmittable products like malware, stolen databases, login credentials, and other cybercrime tools and services. There is the absence of complications caused by physical packages, but these products also exist in a grey area in many jurisdictions. (We note no mention is made of other items of high concern, like child pornography or weapons.) Schwartz supposes admins believe ceasing to market illegal drugs will make their sites smaller targets. Perhaps?

Cynthia Murrell, October 14, 2020

eBay: Sprinting Forward to Fight Online Sneaker Fraud

October 13, 2020

EBay Launches Sneaker Authentication Service to Combat Counterfeit Sales” caught one of the DarkCyber research team’s attention. When I read the forwarded email about this Verge article, I wondered why the title wasn’t “Ebay Sprints Forward with a Sneaker Authentication Service.” I then realized that eBay has been in business for 25 years and product fraud has been around at least that long on the service. One of my friends who used to work in a British security service worked as an adviser to eBay. I recall that he mentioned that eBay online crime was a “stunner.” I assumed he meant that the amount of online crime was enough to startle an experienced investigator.

According to the Silicon Valley “real” news write up:

Collectible sneakers are big business.

I recall instances of robbery and murder for a pair of gym shoes. Yeah, that is a “real” news factoid. Murder amps up the perceived value of this particular apparel sector.

Here’s how the quarter century old digital market will deal with fake gym shoes:

As with its previously-announced watch authentication service, eBay has partnered with a third-party company, Sneaker Con, to authenticate items. When a sale is made, the buyer ships the sneakers to an “authentication facility” where they’re inspected to make sure they match the listing’s title, description, and images. If they pass the inspection, an eBay tag is attached to them, and they’re sent on to the buyer. The same process covers returns, to stop unscrupulous buyers from trying to return fake sneakers to legitimate sellers.

Sprinting to the future or stepping up slowly? DarkCyber thinks eBay is doing the speed walking associated with 75 year olds. Interpretation: Move slowly. Maybe “Ebay Limps Forward with a Sneaker Authentication Service.”

Stephen E Arnold, October 13, 2020

Domains Seized: What Companies Assisted the US Government?

October 13, 2020

The Straits Times’s article “US Seizes Iran Propaganda Websites” reported:

The US has seized 92 web domains used by Iran, including four which purported to be genuine English language news sites…Four of them, with the domain names “”, “”, “”, and “”, were “operated by or on behalf” of Iran’s Islamic Revolutionary Guard Corps to influence United States domestic and foreign policy…

The article included an interesting factoid; to wit:

The sites were identified first with intelligence from Google and then also with help from Twitter and Facebook…


Stephen E Arnold, October 13, 2020

Next Page »

  • Archives

  • Recent Posts

  • Meta