Insider Threat Quantified: Whom Does One Trust?
August 15, 2021
Whom does one trust? Not too many is my answer.
“Workers Increasingly Steal company Data during Turnover Tsunami” contains some interesting data; for example:
there were about 65m attempts made by staff to exfiltrate source code from their corporate network in the three months to the end of June, up from about 20m in each of the previous three quarters.
The paywalled article includes some quotes from experts and underscores the fraying social fabric among workers and employers.
Phishing is a security problem. But the insider threat may be another, possibly more challenging, issue to resolve.
Stephen E Arnold, August 20, 2021
More Ad-Citement: Juicing Video Piracy
August 13, 2021
I read “Pirated-Entertainment Sites Are Making Billions From Ads.” My immediate reaction: “What? Bastions of ad integrity helping out video pirates? Impossible?”
According to the pay walled write up, the flagships of integrity seem to be unfurling the jib to speed toward this type of revenue. I learned something I did not know and which may be semi-accurate:
Websites and apps featuring pirated movies and TV shows make about $1.3 billion from advertising each year, including from major companies like Amazon.com Inc., according to a study.
The write up noted:
The piracy operations are also a key source of malware, and some ads placed on the sites contain links that hackers use to steal personal information or conduct ransomware attacks…
Some of these video services provide links to interesting online gambling sites as well.
This quote, attributed to the founder of White Bullet (an anti piracy outfit) is thought provoking:
Failure to choose tools that assess piracy risk in real-time means advertisers fund criminals – and it’s a billion-dollar problem,” said Peter Szyszko, CEO and Founder of White Bullet, in an email. “At best, this is negligent. At worst, this is deliberate funding of IP crime.
Just one question: Aren’t filters available to block this type of activity in the ad systems of estimable firms?
Apparently that’s just too darned difficult.
Stephen E Arnold, August 13, 2021
DarkCyber for August 10, 2021 Now Available
August 10, 2021
The DarkCyber video for August 10, 2021 is now available at this link. The program includes a snapshot of NSO Group’s content marketing campaign, information about inherently insecure software, fine dining at the Central Intelligence Agency, and a sure fire way to phish with quite tasty bait. The drone story explains an autonomous drone. Just give it a goal and the drone figures out what to do. No human input required. Best of all, a swarm of drones can interact with other drones in the swarm to reach a decision about how to achieve an objective. DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search. The DarkCyber videos are issued every two weeks and are available at www.arnoldit.com/wordpress as well as Youtube.
Kenny Toth, August 10, 2021
Exploit Checklist for Bad Actors
July 28, 2021
I found this post my MIT Research (oops, sorry, I meant MITRE Research. The information in “2021 CWE Top 25 Most Dangerous Software Weaknesses” is fascinating. It provides hot links to details in a public facing encyclopedia called Common Weakness Enumeration. The link is to additional information about the Out-of-Bounds Write” weak point. The Top 25 is a helpful reference for good actors as well as bad actors. The MITRE team provides this preface to the list:
The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses. To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.
Popular weaknesses, the equivalent of a 1960s AM radio station’s “Fast Mover Tunes” are:
- CWE-276 (Incorrect Default Permissions): from #41 to #19
- CWE-306 (Missing Authentication for Critical Function): from #24 to #11
- CWE-502 (Deserialization of Untrusted Data): from #21 to #13
- CWE-862 (Missing Authorization): from #25 to #18
- CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25
New entries are:
- CWE-276 (Incorrect Default Permissions): from #41 to #19
- CWE-918 (Server-Side Request Forgery (SSRF)): from #27 to #24
- CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25
A few minutes spent with this list can be instructive. The write up includes a list of weaknesses which one might want to know about.
Net net: Who will find this list more inspirational: Marketing oriented cyber threat vendors or bad actors working under the protection of nation states hostile to US interests?
Stephen E Arnold, July 28, 2021
Cyber Security: Cyber Security Vendors May Have Missed a Scenario
July 21, 2021
I read a somewhat routine write up called “Work from Home Fueling Cyberattacks, Says Global Financial Watchdog.” The word watchdog scares me away. In the post SolarWinds’ era, where were those watchdogs? Come to think about it, “Where were the super smart, predictive threat intelligence systems?” I suppose even watchdogs have to catch some ZZZZs.
The article contained, in my opinion, a comment of exceptional perspicacity. Here it is:
“Most cyber frameworks did not envisage a scenario of near-universal remote working and the exploitation of such a situation by cyber threat actors,” the FSB said in a report to G20 ministers and central banks.
This is not napping. Nope. Missing a scenario makes it clear that cyber security vendors did not think through what would happen if their systems had to deal with off site working at scale. As a result, the systems probably are a-okay when monitoring a tire dealer’s computer system in Akron, Ohio. But in the work from home environment, the threat system was napping. I envision an ever vigilant junk yard dog with flashy icons on its spiked collar. Unfortunately the junk yard dog is chained to a rusting 1975 CJ7 and not on the prowl in the junk yard proper.
Net net: The defense mechanism keeps that old Jeep secure but the bad actors can haul off whatever auto parts of interest. There may be a couple of overlooked catalytic converters amidst the wreckage.
Stephen E Arnold, July 21, 2021
Cyber Crime and Crypto Currency: There Is a Link? Really?
July 15, 2021
I read a remarkable report from the diary of Captain Obvious. The entry was “Quick Take: How Cryptocurrency Turbocharged the Cybercrime Racket.” I was stunned to learn that paying for contraband, stolen videos, and Crime as a Service was helped out with allegedly anonymous digital payments “turbocharged the cybercrime racket.”
The write up reports:
Bitcoin and other cryptocurrencies, along with the exchanges where they can be traded anonymously, have emerged as key tools for the cyber extortionists.
The article then explains how to use cryptocurrency for cyber crime, explains why bad actors love money flows which sidestep traditional financial institutions, an estimate of the amount of money stolen using cryptocurrency, a comment about how bad actors obtained payment in the pre-bitcoin days, a comment about tracing digital currency transactions, some law enforcement successes, and what steps might address this issue.
Who knew? Maybe the more than 60 vendors engaged in cyber security, the dozens of vendors monitoring obfuscated forums, and savvy bad actors who jumped at the opportunity cryptocurrency created for mixers.
It is outstanding that the Seattle Times, home of the security giant Microsoft, has revealed this startling connection between obfuscated, instant monetary transactions designed to avoid regulatory requirements of outfits like major US banks.
Pulitzer time? Absolutely. Next the hard hitting news team will report on the sun rising each morning in Seattle.
Stephen E Arnold, July
DarkCyber for July 13, 2021, Now Available
July 13, 2021
DarkCyber is a twice-a-month video news program about the Dark Web, lesser known Internet services, and cyber crime. You can view the program at this link or use the viewer on the Beyond Search splash page. The DarkCyber for July 13, 2021, discusses the new US GAO report on facial recognition. Plus a 2019 report, with numerous FR vendors and accuracy tests, provides data not in the 2021 report. Also, in this program are stories about: [a] what cohort (age group) is most susceptible to online scams, [b] Amazon eCommerce vulnerabilities, and [c] a report about the US Navy’s autonomous mid-air refueling drone. DarkCyber is produced by Stephen E Arnold.
Kenny Toth, July 13, 2021
Tor Compromised?
July 9, 2021
I read “Tor Encryption Can Allegedly Be Accessed by the NSA, Says Security Expert.” I was stunned. I thought that the layers of encryption, the triple hop through relays, and the hope that everything worked as planned was bulletproof. And who funded Tor in the first place? What’s the status of the not-for-profit foundation today? Why were some European entities excited about cross correlating date and time stamps, IP addresses, and other bits of metadata? I don’t have answers to these questions, nor does the write up.
The article presents this information:
A security expert by the name of Robert Graham, however, has outlined his reasons for actually believing that the NSA might not even need tricks and paltry exploits in order for them to gain access to Tor, according to a blog post on Erratasec. Why? The security expert notes that this is because they might already have the keys to the kingdom. If they don’t, then they might be able to, according to arsTechnica.
Let me see if I can follow the source of this interesting assertion. TechTimes (the outfit publishing the “Tor Encryption Can” story cited above) quotes a security expert. There was a source called Erratasec. Then there was a story on ars Technica.
Now I think that Tor software and the onion method have security upsides and downsides. I also know that what humans create, other humans can figure out. I think the point of the write up is that anyone who uses Tor should embrace the current version.
Can NSA or any other intelligence entity figure out who is doing what, when, and why? My view is that deobfuscation methods are advancing. The fact that bad actors are shifting from old-school Dark Web sites to other channels speaks volumes. Bad actors have been shifting to messaging services which feature end-to-end encryption (E2EE) and do not require a particularly hard-to-complete registration process. But this shift from the “old” Dark Web to the “new” Dark Web began several years ago. Bad actors have been aware that other secure communications options were Job One for years. My thought is that this story in interesting, just not focused on what is actually further consumerizing criminal behavior. The action has shifted, and the US may not be the leader in making sense of the new types of communications traffic.
Stephen E Arnold, July 9, 2021
DarkCyber for June 29, 2021, Now Available: Operation Trojan Shield Provides an Important Lesson
June 29, 2021
DarkCyber 13 discusses the Operation Trojan Shield sting. You can view the video at this link. The focus is on three facets of the interesting international takedowns not receiving much attention. The wrap up of the program is a lesson which should be applied to other interesting mobile device applications. If you are wondering how useful access to app data and its metadata are, you may find this 11 minute video thought provoking. DarkCyber is a production of Stephen E Arnold, a semi-retired consultant who dodges thumbtypers, marketers, and jargon lovers. Remember: No ads and no sponsors. (No, we don’t understand either but he pays our modest team like clockwork.)
Kenny Toth, June 29, 2021
Another Friday, More Microsoft Security Misstep Disclosures
June 28, 2021
I think Microsoft believes no one works on Friday. I learned in “Microsoft Warns of Continued Attacks by the Nobelium Hacking Group” that SolarWinds is the gift that keeps on giving. Microsoft appears to have mentioned that another group allegedly working for Mr. Putin has been exploiting Microsoft software and systems. Will a “new” Windows 11 and registering via a Microsoft email cure this slight issue? Sure it will, but I am anticipating Microsoft marketing jabber.
The write up states:
The Microsoft Threat Intelligence Center said it’s been tracking recent activity from Nobelium, a Russia-based hacking group best known for the SolarWinds cyber attack of December 2020, and that the group managed to use information gleaned from a Microsoft worker’s device in attacks. Microsoft said it “detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers” and that “the actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.” The affected customers were notified of the breach.
The applause sign is illuminated.
I spotted this remarkable statement in the write up as well:
It’s possible that successful attacks went unnoticed, but for now it seems Nobelium’s efforts have been ineffective.
Wait, please. There is more. Navigate to “Microsoft Admits to Signing Rootkit Malware in Supply-Chain Fiasco.” This smoothly executed maneuver from the Windows 11 crowd prompted the write up to state:
Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.
This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.
The write up concludes:
This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.
Amazing. The reason cyber crime is in gold rush mode is due to Microsoft in my opinion. The high tech wizards in Redmond can do rounded corners. Security? Good question.
Stephen E Arnold, June 28, 2021
-
- Subscribe to Beyond Search
Feature archive
News archive
-
