Tips for Phishers

August 31, 2021

I spotted “AI Analysis Unveils the Most Effective Email Subject Lines for the Holidays.” My hunch is that a “real” news professional wanted to provide helpful tips to those who engage in email marketing. The write up includes “tips” from professional email marketers. Here’s one example:

email subject lines that are direct or evoke curiosity or friendliness are the most likely to get opened

Gee, I wonder what other group of email marketers might benefit from such advice?

What about phishers? These are the bad actors who seek to compromise a user’s or an organization’s security via malicious email. With some cyber security solutions relying on rules, database look up, or the human recipient for blocking phishing attempts, the write up is likely to be quite useful. Just in time for the holidays: AI-derived tips for getting someone to open an email. Super thinking!

What bad actor can resist taking this advice?

Including empathy in your messages for your customers helps you make them feel that you are on their side.

Helpful, right?

Stephen E Arnold, August 31, 2021

Why Big Tech Is Winning: The UK Admission

August 31, 2021

I read “UK’s FCA Say It Is Not Capable of Supervising Crypto Exchange Binance.” This is a paywalled story, and I am not sure how much attention it will get. As Spotify is learning from locking up the estimable Joe Rogan, paywalls make sense to a tiny slice of one’s potential audience.

The story is an explanation about government helplessness when it comes to fintech or financial technology. The FCA acronym means Financial Conduct Authority. Think about London. Think about the wizards who cooked up some nifty digital currency methods at assorted UK universities less than one hour from the Pickle. Think about a government agency with near instant access to the wonks at the National Crime Agency, the quiet ones at Canary Wharf, and the interesting folks in Cheltenham. Now consider this passage from the write up:

… the Financial Conduct Authority said that Binance’s UK affiliate had “failed to” respond to some of its basic queries, making it impossible to oversee the sprawling group, which has no fixed headquarters and offers services around the world. The admission underscores the scale of the challenge facing authorities in tackling potential risks to consumers buying frequently unregulated products through nimble crypto currency businesses, which can often circumvent national bans by giving users access to facilities based overseas.

Hello? Rural Kentucky calling, is anyone at work?

Let’s step back. I need to make one assumption; that is, government entities have authority and power. What this write up makes clear is that when it comes to technology, the tech outfits have the authority and the power.

Not good in my opinion for the “consumer” and maybe for some competitors. Definitely not good for enforcement authorities.

Who finds sun shining through the clouds after reading this Financial Times story? I would wager that tech centric outfits are thinking about a day or more at the beach. No worries. And look. Here comes Snoop Dogg handing out free beer. What a day!

Stephen E Arnold, August 31, 2021

Big Tech Vows, Warrants, Commits, Guarantees, and Assures to Make Security Way Way Way Better

August 26, 2021

I had to laugh. I read some of the write ups explaining the pledges of big tech to the White House about security. The US is at or near the bottom when it comes to security. America plays offense. The defense thing is not what George Washington would do.

Here’s a representative write up: “Google, Microsoft Plan to Spend Billions on Cybersecurity after Meeting with Biden.” This triggered a chuckle and a snort:

IBM CEO Arvind Krishna told CNBC ahead of the meeting and outside the White House on Wednesday that cybersecurity is “the issue of the decade.” He said he hoped to see more coordination between the public and private sectors coming out of the meeting and said IBM would do its part to help skill workers in the space.

Why are adversaries of the US running exfiltration, ransomware, and intellectual property theft operations?

Let me count the ways:

  1. Systems from outfits like Apple and Microsoft can be compromised because security is an add on, an afterthought, or a function implemented to protect revenues
  2. Senior managers in many US firms are clueless about security and assume that their employees won’t create problems by selling access, clicking on scammer emails, or working from home on projects funded by bad actors
  3. Customers pay little or no attention to security, often ignoring or working around security safeguards when they exist. Hey, security distracts those folks from scrolling through Facebook or clicking on TikTok videos.

There are other reasons as well; for example, how about the steady flow of one off security gaps discovered by independent researchers? Where are the high end threat intelligence services? If a single person can find a big, gaping security hole, why are the hundreds of smart cyber security systems NOT finding this type of flaw? Oh, right. Well, gee. A zero day by 1,000 evil techies in China or Moldova is the answer. Sorry, not a good answer.

There is a cyber security crisis in America. Yes, Windows may be the giant piece of cheese for the digital rats. Why hack US systems? That’s where there are lots of tasty cheese.

Is there a fix that billions “invested” over five years can buy?

Nope.

Pipe dreams, empty words, and sheepish acquiescence to a fact that bad actors around the world find enervating.

More stringent action is needed from this day. That’s not happening in my opinion. Who created the cyber security problem? Oh, right, the outfits promising not to do it again. Quick action after decades of hand waving. And government regulations, certification, and verification that cyber security systems actually work? Wow, that’s real work. Let’s have a meeting to discuss a statement of work and get some trusted consulting firm on this pronto.

I have tears in my eyes and not from laughing. Nothing funny here.

Stephen E Arnold, August 26, 2021

DarkCyber for August 24, 2021, Now Available

August 24, 2021

The program for August 24, 2021, is now available at this link. This program, number 17 in the 2021 series, contains five stories. These are:

The NSO Group matter has produced some interesting knock on effects.

The consequences of NSO Group’s activities include criticism from the United Nations and Edward Snowden, a whistle blower and resident of Moscow. The Taliban’s takeover of Afghanistan was remarkable.

The core technology for the antagonists is discussed. You will learn about the musician Tankz and his method for making illegal credit card fraud accessible to young people in the UK and elsewhere. In addition to alleged financial crime, Tankz sings about Pyrex whipping. Ask your children what this is and then decide if you need to take action.

The program includes another reminder that one can find anti-security actors on the Regular Web and the Dark Web. The challenge is to make sure you do not become the victim of a scam.

The US government created an interesting report about nuclear war. It is not clear how long this document will remain available from a public Web server. You can check the link in the DarkCyber video for yourself. Tip: The document explains how the US may select a target for a nuclear strike.

The final story reports that the drone called Avenger has a new capability: Autonomous decision capability enabled by track and follow electronics. No human operator needed when a target is identified.

DarkCyber is produced by Stephen E Arnold and the DarkCyber research team. New programs appear every two weeks unless one of the video distribution services decides to remove the content derived from open sources of information. Tankz and a fellow traveler named DankDex, purveyor of the Fraud Bible, appear to post without pushback.

Kenny Toth, August 24, 2021

Apple: Change Is a Constant in the Digital Orchard

August 18, 2021

Do you remember how plans would come together at the last minute when you were in high school? Once the gaggle met up, plans would change again. I do. Who knew what was going on? When my parents asked me, “Where are you going?” I answered directly: “I don’t know yet.”

Apple sparked a moment of déjà vu for me when I read “Apple Alters Planned New System for Detecting Child Sex Abuse Images over Privacy Concerns.” The write up explained that the high school science club members have allowed events to shape their plans.

Even more interesting is what the new course of action will be; to wit:

The tech giant has said the system will now only hunt for images that have been flagged by clearinghouses in multiple countries.

How’s this going to work? Mode, median, mean, row vector value smoothing, other? The write up states:

Apple had declined to say how many matched images on a phone or a computer it would take before the operating system notifies them for a human review and possible reporting to authorities.

Being infused with the teen aged high school science club approach to decision making, some give the impression of being confused or disassociated from the less intelligent herd.

I have some questions about how these “clearinghouses in multiple countries” will become part of the Apple method. But as interested as I am in who gets to provide inputs, I am more interested in those thresholds and algorithms.

I don’t have to worry; one of the Apple science club managers apparently believes that the core of the system will return 99 percent or greater accuracy.

That’s pretty accurate because that’s six sigma territory for digital content in digital content land. Amazing.

But that’s the teen spirit which made high school science club decisions about what to do to prank the administrators so much fun. What happens if one chows down on too many digital apples? Oh, oh.

Stephen E Arnold, August 18, 2021

Insider Threat Quantified: Whom Does One Trust?

August 15, 2021

Whom does one trust? Not too many is my answer.

“Workers Increasingly Steal Company Data during Turnover Tsunami” contains some interesting data; for example:

there were about 65m attempts made by staff to exfiltrate source code from their corporate network in the three months to the end of June, up from about 20m in each of the previous three quarters.

The paywalled article includes some quotes from experts and underscores the fraying social fabric among workers and employers.

Phishing is a security problem. But the insider threat may be another, possibly more challenging, issue to resolve.

Stephen E Arnold, August 20, 2021

More Ad-Citement: Juicing Video Piracy

August 13, 2021

I read “Pirated-Entertainment Sites Are Making Billions From Ads.” My immediate reaction: “What? Bastions of ad integrity helping out video pirates? Impossible?”

According to the paywalled write up, the flagships of integrity seem to be unfurling the jib to speed toward this type of revenue. I learned something I did not know and which may be semi-accurate:

Websites and apps featuring pirated movies and TV shows make about $1.3 billion from advertising each year, including from major companies like Amazon.com Inc., according to a study.

The write up noted:

The piracy operations are also a key source of malware, and some ads placed on the sites contain links that hackers use to steal personal information or conduct ransomware attacks…

Some of these video services provide links to interesting online gambling sites as well.

This quote, attributed to the founder of White Bullet (an anti piracy outfit) is thought provoking:

“Failure to choose tools that assess piracy risk in real-time means advertisers fund criminals – and it’s a billion-dollar problem,” said Peter Szyszko, CEO and Founder of White Bullet, in an email. “At best, this is negligent. At worst, this is deliberate funding of IP crime.”

Just one question: Aren’t filters available to block this type of activity in the ad systems of estimable firms?

Apparently that’s just too darned difficult.

Stephen E Arnold, August 13, 2021

DarkCyber for August 10, 2021 Now Available

August 10, 2021

The DarkCyber video for August 10, 2021 is now available at this link. The program includes a snapshot of NSO Group’s content marketing campaign, information about inherently insecure software, fine dining at the Central Intelligence Agency, and a sure fire way to phish with quite tasty bait. The drone story explains an autonomous drone. Just give it a goal and the drone figures out what to do. No human input required. Best of all, a swarm of drones can interact with other drones in the swarm to reach a decision about how to achieve an objective. DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search. The DarkCyber videos are issued every two weeks and are available at www.arnoldit.com/wordpress as well as Youtube.

Kenny Toth, August 10, 2021

Exploit Checklist for Bad Actors

July 28, 2021

I found this post from MIT Research (oops, sorry, I meant MITRE Research). The information in “2021 CWE Top 25 Most Dangerous Software Weaknesses” is fascinating. It provides hot links to details in a public facing encyclopedia called Common Weakness Enumeration; the link for the number one entry, for example, leads to additional information about the “Out-of-Bounds Write” weak point. The Top 25 is a helpful reference for good actors as well as bad actors. The MITRE team provides this preface to the list:

The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses. To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.

Weaknesses climbing the chart, the equivalent of a 1960s AM radio station’s “Fast Mover Tunes,” are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-306 (Missing Authentication for Critical Function): from #24 to #11
  • CWE-502 (Deserialization of Untrusted Data): from #21 to #13
  • CWE-862 (Missing Authorization): from #25 to #18
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

New entries are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-918 (Server-Side Request Forgery (SSRF)): from #27 to #24
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

A few minutes spent with this list can be instructive. The write up includes a list of weaknesses which one might want to know about.
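One entry on the movers list above, CWE-502 (Deserialization of Untrusted Data), is easy to misjudge because nothing on the list explains why it is a takeover bug rather than a data-integrity bug. The following is an added example, not code from MITRE or from the write up: it constructs a pickle payload whose reconstruction calls an attacker-chosen function (the harmless `str.upper` here, so the demo is safe to run; `os.system` pickles exactly the same way), shows that `pickle.loads` executes it, and then shows the allow-list `Unpickler.find_class` pattern that refuses it. The `SAFE_GLOBALS` allow list is an assumption for the demo; a real application would list only the types it actually stores.

```python
"""CWE-502 demonstrated: pickle.loads on untrusted bytes is code execution.

Added example (not from MITRE or the cited write up). The payload below is
constructed for the demo; the callable it smuggles in is str.upper so that
running it is harmless. Swap in os.system and the hardened path still refuses it.
"""
import io
import pickle


class AttackerObject:
    """Object whose pickle form instructs the loader to call a function."""

    def __reduce__(self):
        # pickle records (callable, args); the loader calls callable(*args).
        # Nothing about AttackerObject itself is stored, only the callable.
        return (str.upper, ("attacker chosen callable ran",))


def build_untrusted_payload() -> bytes:
    """Bytes an attacker would send; contains no class of ours, just a call."""
    return pickle.dumps(AttackerObject())


def vulnerable_load(data: bytes):
    """CWE-502: attacker-controlled bytes decide which callable runs."""
    return pickle.loads(data)


# Assumed allow list for the demo: the only globals the loader may resolve.
# Anything else, including builtins.getattr used to reach str.upper, is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allow list."""

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def hardened_load(data: bytes):
    """Deserialise with the allow-list unpickler; raises on forbidden globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def hardened_load_or_none(data: bytes):
    """Convenience wrapper: None instead of an exception for rejected input."""
    try:
        return hardened_load(data)
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    payload = build_untrusted_payload()
    print("vulnerable:", vulnerable_load(payload))          # the smuggled call ran
    print("hardened:", hardened_load_or_none(payload))       # None: refused
    print("benign data:", hardened_load(pickle.dumps({"a": [1, 2]})))
```

The allow-list approach works only if every type in the list is itself safe to construct from attacker-chosen arguments; it does not make pickle a safe wire format. Where the data is plain values, a schema-checked `json.loads` removes the class of bug entirely.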

Net net: Who will find this list more inspirational: Marketing oriented cyber threat vendors or bad actors working under the protection of nation states hostile to US interests?

Stephen E Arnold, July 28, 2021

Cyber Security: Cyber Security Vendors May Have Missed a Scenario

July 21, 2021

I read a somewhat routine write up called “Work from Home Fueling Cyberattacks, Says Global Financial Watchdog.” The word watchdog scares me away. In the post SolarWinds’ era, where were those watchdogs? Come to think about it, “Where were the super smart, predictive threat intelligence systems?” I suppose even watchdogs have to catch some ZZZZs.

The article contained, in my opinion, a comment of exceptional perspicacity. Here it is:

“Most cyber frameworks did not envisage a scenario of near-universal remote working and the exploitation of such a situation by cyber threat actors,” the FSB said in a report to G20 ministers and central banks.

This is not napping. Nope. Missing a scenario makes it clear that cyber security vendors did not think through what would happen if their systems had to deal with off site working at scale. As a result, the systems probably are a-okay when monitoring a tire dealer’s computer system in Akron, Ohio. But in the work from home environment, the threat system was napping. I envision an ever vigilant junk yard dog with flashy icons on its spiked collar. Unfortunately the junk yard dog is chained to a rusting 1975 CJ7 and not on the prowl in the junk yard proper.

Net net: The defense mechanism keeps that old Jeep secure but the bad actors can haul off whatever auto parts of interest. There may be a couple of overlooked catalytic converters amidst the wreckage.

Stephen E Arnold, July 21, 2021
