Google: So Darned Useful to Good and Bad Actors

June 25, 2021

Never underestimate hackers’ adaptability and opportunism. E Hacking News reports, “Threat Actors Use Google Drives and Docs to Host Novel Phishing Attacks.” For the first time, security firm Avanan has found, attackers are able to bypass link scanners and other security protections and use Google’s standard document tools to deliver malicious, credential-stealing links. Previously, bad actors have had to lure their victims to a legitimate website in order to exploit its security flaws. Now they can do so right from users’ inboxes. The article cites a recent report from Trend Micro as well as the research from Avanan:

“According to researchers, once the hacker publishes the lure, ‘Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.’ The hackers then use the phishing lure to get the victim to ‘Click here to download the document.’ Once the victim clicks, the page redirects to the actual malicious phishing website through a web page designed to mimic the Google Login portal. Friedrich said Avanan researchers also spotted this same attack method used to spoof a DocuSign phishing email. In this case, the ‘View Document’ button was a published Google Docs link that actually was a fake DocuSign login page that would transmit the entered password to an attacker-controlled server via a ‘Log in’ button.”

Stolen login credentials are the most effective way to infiltrate any organization, and with a little social engineering hackers can attract many of them with this approach. It is a good reminder that educated users who do not fall for phishing schemes provide the best protection against such attackers. Alternatively, just download some interesting apps from the Google Play Store.

Cynthia Murrell, June 25, 2021

DarkCyber for June 15, 2021, Now Available

June 15, 2021

DarkCyber is a video news program issued every two weeks. The June 15, 2021, show includes five stories:

  • Pentest tools you can download and use today for free
  • A free report that explains Britain’s cyber weaknesses
  • Additional information about the E2EE revolution
  • Another tip for finding flexible developers and programmers who will do exactly what you want done
  • The FireScout, a drone with a 100 mile range and the ability to drop sonobuoys and other devices, perform surveillance, and remain aloft for up to 10 hours.

The DarkCyber video news program contains information presented in Stephen E Arnold’s lectures to law enforcement and intelligence professionals. His most recent lecture was the New Dark Web. He presented his most recent research findings to a group of more than 100 cyber fraud investigators working in Connecticut for a variety of LE and related organizations. The

The June 15, 2021, DarkCyber video program is available from Mr. Arnold’s blog splash page and can be viewed on YouTube. One important note: The video program does not contain advertisements or sponsored content. We know that’s unusual today, but the DarkCyber team prefers to operate without an invisible hand on the controls or an invisible foot on the team’s neck.

Kenny Toth, June 15, 2021

Chronic Cyber Insecurity

June 11, 2021

NPR has shared the transcript of an All Things Considered interview with former NSA general counsel Glenn Gerstell in, “USAID Hack: Former NSA Official Calls U.S. Cyber Insecurity a ‘Chronic Disease.’” The exchange is not reassuring. Host Michel Martin begins with the recent news of another breach, announced by Microsoft late last month. Once again the perpetrators appear to be Russian operatives, probably the same ones that were behind the SolarWinds attack. Not that Putin will admit as much when he is confronted, as he will likely be, by President Biden at their upcoming meeting in Geneva. We note this exchange:

“MARTIN: Why do you think these attacks keep happening despite the sanctions that the Biden administration has already imposed, you know, on Russia? And do you think the government’s doing enough to protect itself against these threats and also us, the public?

“GERSTELL: Well, your question is really the key one. And I think the lesson we learn from this is that this in some ways, our cyber insecurity in this regard, is a chronic disease for which we don’t have a single cure. It’s not an illness for which there’s a particular drug that we could take to get rid of it. So unfortunately, however, we’re at the beginning end of this chronic condition. This is going to get worse before it gets better. It will ultimately get better. But in the meantime, we have sophisticated attackers, nation states and criminals who can co-opt legitimate servers and companies and computers and softwares. And this proves, unfortunately, that our current scheme of deterrents simply isn’t working.”

What will work is the multi-billion dollar question. Martin wonders whether there are any plans to regulate cryptocurrency. Gerstell allows that is a step that might be taken, but it would do little to disrupt either spying or the sowing of chaos generated by these types of attacks. It could, however, curtail the sort of ransomware attack that recently shut down a pipeline on the East Coast and had some fools pumping gasoline into plastic bags and other unwise receptacles. That would be something, we suppose.

Cynthia Murrell, June 11, 2021

SolarWinds: In the News

June 2, 2021

Here’s the good news in “SolarWinds Hackers Are Back with a New Mass Campaign, Microsoft Says.” Microsoft and other firms are taking actions to cope with the SolarWinds’ misstep. That’s the gaffe which compromised who knows how many servers, caught the news cycle, and left the real time cyber security threat detection systems enjoying a McDo burger with crow.

I circled this positive statement:

“Microsoft security researchers assess that the Nobelium’s spear-phishing operations are recurring and have increased in frequency and scope,” the MSTC post concluded. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”

The good news is the word “evolving.” That means that whatever the cyber security wizards are doing is having some impact.

However, the bulk of the write up makes clear that the bad actors (Russian again) are recycling known methods and exploiting certain “characteristics” of what sure seem to be Microsoft-related engineering.

There are some clues about who at Microsoft is tracking this stubbed toe; for example, a vice president of customer security and trust. (I like that word “trust.”)

Several observations:

  1. Phishing
  2. Surfing on Microsoft-like methods; for example, hidden DLLs, which are usually really fun
  3. A reactive approach.

What’s my takeaway from the explanation of the security stubbed toe: No solution. Bad actors are on the offensive and vendors and users have to sit back and wait for the next really-no-big-deal breach. Minimization of an “issue” and explaining how someone else spilled the milk will be news again. I think the perpetual motion machine has been discovered in terms of security.

Stephen E Arnold, June 2, 2021

DarkCyber for June 1, 2021, Now Available

June 1, 2021

DarkCyber is a video news program about the Dark Web, cyber crime, and lesser known Internet services. This edition’s story line up includes a bad actor promoting on the regular Internet, a look at Europol’s business process analysis for industrialized cyber crime, a University of Washington research project for a do-it-yourself IMSI sniffer, two free reports about phishing, the go-to method for compromising users’ computer security, and a look at the Gaza, a new drone designed to strike at those who would wrongfully act toward certain groups. DarkCyber is produced by Stephen E Arnold with assistance from the DarkCyber research team. The programs appear twice each month. The videos are available on YouTube. You can view the video via the player on the Beyond Search blog or at https://youtu.be/f1ym19l2Y0I. No ads, no vendor supported posts, nothing but Mr. Arnold commenting on important news stories. How is this possible? No one who thumb types knows.

Kenny Toth, June 1, 2021

Surveillance: Looking Forward

May 28, 2021

I read “The Future of Communication Surveillance: Moving Beyond Lexicons.” The article explains that word lists and indexing are not enough. (There’s no mention of non-text objects and icons with specific meanings upon which bad actors agree before including them in a text message.)

I noted this passage:

Advanced technology such as artificial intelligence (AI), machine learning (ML) and pre-trained models can better detect misconduct and pinpoint the types of risk that a business cares about. AI and ML should work alongside metadata filtering and lexicon alerting to remove irrelevant data and classify communications.

This sounds like cheerleading. The Snowden dump of classified material makes clear that smart software was on the radar of the individuals creating the information released to journalists. Subsequent announcements from policeware and intelware vendors have included references to artificial intelligence and its progeny as a routine component. It’s been years since the assertions in the Snowden documents became known and yet shipping cyber security solutions are not delivering.

The article includes this statement about AI:

Automatically learn over time by taking input from the team’s review of prior alerts

And what about this one? AI can

Adapt quickly to changing language to identify phrases you didn’t know you needed to look for

What the SolarWinds’ misstep revealed was:

  1. None of the smart cyber security systems noticed the incursion
  2. None of the smart real time monitoring systems detected repeated code changes and downstream malware within the compromised system
  3. None of the threat alert services sent a warning to users of compromised systems.

Yet we get this write up about the future of surveillance?

Incredible and disconnected from the real life performance of cyber security vendors’ systems.

Stephen E Arnold, May 28, 2021

Telegram Appeals to Diverse Constituencies

February 25, 2021

Setting aside heated conflicts between US political parties, the recent coup attempt happened because of the mass spread of conspiracy theories propagated by social media. Social media platforms, including YouTube, Facebook, Twitter, and Instagram, were used to communicate right wing extremist misinformation. In the past, it was difficult for bad acting extremists to pool their “knowledge” and meet like-minded individuals, but the Internet fixed that.

Many social media platforms kicked right wing extremists off their platforms in the crackdowns that followed the coup attempt. According to Vox’s article, “Why Right-Wing Extremists’ New Favorite Platform Is So Dangerous,” the bad actors already found another tool to communicate. Telegram is a Dubai-based platform and only 2% of its users were US-based until the coup attempt. Now Telegram boasts 25 million new US users. Why do bad actors love Telegram?

“Telegram is currently the most downloaded app in the Google Play Store, having unseated Signal for the top spot in the United States. Telegram’s specific combination of features, however, make it especially popular among American right-wing extremists, who have joined the platform in droves after being kicked off of Twitter, Facebook, and Parler. The latter is another extremist favorite and was recently kicked off the internet, though it’s now back in a very limited form.”

Telegram has three components: private and public channels that only a limited number of people can follow, groups where up to 200,000 can communicate, and Secret Chats, one-on-one encrypted conversations.

Some bad actors can reach larger groups to spread misinformation and they can do so anonymously. Telegram does not monitor its content, but after it has been used to incite violence its developers did crack down on some of the channels. Telegram is popular for another reason: It is a reasonably reliable app.

Since Telegram is not US-based it does not need to comply with the country’s standards, but we have heard that the company has a relationship with Mr. Putin’s telecommunications agency. Other countries may find it slightly more challenging to monitor.

Whitney Grace, February 25, 2021

DarkCyber for February 23, 2021 Is Now Available

February 23, 2021

DarkCyber, Series 3, Number 4 includes five stories. The first summarizes the value of an electronic game’s software. Think millions. The second explains that Lokinet is now operating under the brand Oxen. The idea is that the secure services’ offerings are “beefier.” The third story provides an example of how smaller cyber security startups can make valuable contributions in the post-SolarWinds’ era. The fourth story highlights a story about the US government’s getting close to an important security implementation, only to lose track of the mission. And the final story provides some drone dope about the use of unmanned aerial systems on Super Bowl Sunday as FBI agents monitored an FAA imposed no fly zone. You could download the video at this URL after we uploaded it to YouTube.

But…

YouTube notified Stephen E Arnold that his interview with Robert David Steele, a former CIA professional, was removed from YouTube. The reason was “bullying.” Mr. Arnold is 76 or 77, and he talked with Mr. Steele about the Jeffrey Epstein allegations. Mr. Epstein was on the radar of Mr. Steele because the legal allegations were of interest to an international tribunal about human trafficking and child sex crime. Mr. Steele is a director of that tribunal. Bullying about a deceased person allegedly involved in a decades long criminal activity? What?

What’s even more interesting is that the DarkCyber videos, which appear every 14 days, focus on law enforcement, intelligence, and cyber crime issues. One law enforcement professional told Mr. Arnold after his Dark Web lecture at the National Cyber Crime Conference in 2020, “You make it clear that investigators have to embrace new technology and not wait for budgets to accommodate more specialists.”

Mr. Arnold told me that he did not click the bright red button wanting Google / YouTube to entertain an appeal. I am not certain about his reasoning, but I assume that Mr. Arnold, who was an advisor to the world’s largest online search system, was indifferent to the censorship. My perception is that Mr. Arnold recognizes that Alphabet, Google, and YouTube are overwhelmed with management challenges, struggling to figure out how to deal with copyright violations, hate content, and sexually related information. Furthermore, Alphabet, Google, and YouTube face persistent legal challenges, employee outcries about discrimination, and ageing systems and methods.

What does this mean? In early March 2021, we will announce other video services which will make the DarkCyber video programs available.

The DarkCyber team is composed of individuals who are not bullies. If anything, the group is more accurately characterized as researchers and analysts who prefer the libraries of days gone by to the zip zip world of thumbtypers, smart software, and censorship of content related to law enforcement and intelligence professionals.

Mr. Arnold will be discussing online click fraud at lunch next week. Would that make an interesting subject for a DarkCyber story? With two firms controlling more than two thirds of the online advertising, click fraud is a hot potato topic. How does it happen? What’s done to prevent it? What’s the cost to the advertisers? What are the legal consequences of the activity?

Kenny Toth, February 23, 2021

SolarWinds: Woulda, Coulda, Shoulda?

February 17, 2021

The SolarWinds security breach had consequences worldwide. The bad actors, supposed to be Russian operatives, hacked into systems at the Department of Homeland Security, the Treasury Department, the National Institutes of Health, the Department of Justice, and other federal agencies as well as those of some major corporations. The supply-chain attack went on for months until it was finally discovered in December; no one is sure how much information the hackers were able to collect during that time. Not only that, it is suspected they inserted hidden code that will continue to give them access for years to come.

Now ProPublica tells us the government paid big bucks to develop a system that may have stopped it, if only it had been put into place. Writers Peter Elkind and Jack Gillum report that “The U.S. Spent $2.2 Million on a Cybersecurity System that Wasn’t Implemented—and Might Have Stopped a Major Hack.” Oops. We learn:

“The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers. This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for ‘as a whole’), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. … Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.”

Other experts also believe in-toto, which is free to use, would have been able to stop the attack in its tracks. Some private companies have embraced the software, including SolarWinds competitor Datadog. That company’s security engineer, in fact, contributed to the tool’s design and implementation. We are not sure what it will take to make the government require its vendors to implement in-toto. Another major breach? Two or three? We shall see. See the write-up for more details about supply-chain attacks, the SolarWinds attack specifically, and how in-toto works.

Cynthia Murrell, February 17, 2021

2021: A Year with Two Gulps of Failure

February 11, 2021

I provide additional commentary on Microsoft’s late January 2021 about the SolarWinds’ misstep. The glitch seems to be like an ink stain. Over time, it spreads: China’s alleged involvement, one third of the security penetrations not involving SolarWinds’ software, and mounting suggestions about how long the bad actors were probing and possibly implanting backdoors in government agencies, big contractors, and commercial enterprises. You can view the video on this blog’s home page on January 9, 2021. For today (Monday, January 8, 2021) I want to call attention to two items.

The first is a useful list of situations in which malware, viruses, and other bad actor actions are not detected. You can find the list in “Why Antivirus Software Fails to Detect Latest Viruses and Malwares.” What’s interesting about the article is that none of the suggestions solves the problem of the Saturday Night Live / Donald Rumsfeld quip, “You don’t know what you don’t know.”

The second is the allegedly accurate information in the ABC News’s report “Former Capitol Police Chief Steven Sund Says Entire Intelligence Community Missed Signs of Riot.” Here’s a passage, from the Capitol Police’s former top dog to Ms. Pelosi, included in the news story:

“Having previously handled two major post-election demonstrations successfully utilizing an action plan that was based on intelligence assessments that had proven to be credible, reliable, and accurate, we reasonably assumed the intelligence assessment for Jan. 6, 2021, was also correct.”

What this means to me is that the intel was off the mark.

Perhaps the SolarWinds’ misstep is the result of several factors. Let me raise these as possibilities:

First, the software designed to identify and flag breaches did not work. Furthermore, the infrastructure in wide use for Microsoft software was the carrier of the malware. No one noticed for possibly a year or more. FireEye investigated a mobile phone access issue and came across the multi-part, multi-stage attack. The breach was not one outfit. The penetration extended to as many as 18,000 organizations. It is not clear what the bad actor did once access to this gold mine of systems was achieved.

Second, the intelligence apparatus of multiple US entities did not characterize the scale, intent, and size of the “friendly” protest at the US Capitol in early January. If the information in the ABC News’s story is accurate, the intelligence reports, like the awareness of the SolarWinds’ misstep, were wide of the mark. Maybe in someplace like Cuba or Bali, just not in the Capitol Police’s tactical planning unit’s hands?

The conclusion is that I see two types of failure with a common root cause: A certain blindness.

Marketing, threat assessment webinars, and licensing existing cyber security software won’t address these possibly interrelated problems.

Not good. Marketing explanations are much better. The fix? Another BrightTALK cyber security briefing, more Microsoft security blog posts, and more security podcasts from former government security attorneys?

Stephen E Arnold, January 11, 2021
