Cyber Sins: Part of the Human Condition Permanently

October 24, 2020

Business operations have secrets and maybe sins. Medium explains “The Seven Deadly Sins Of Cybersecurity.” Using the metaphor of the biblical seven deadly sins: greed, gluttony, lust, envy, sloth, wrath, and pride, the article compares social media platforms to the digital manifestation of them. The write up argues that cybersecurity is demonized by seven deadly sins.

What’s a sin?

Covid-19 has made cyber security more important than ever as people are forced to work from their homes. Organizations need cybersecurity to protect their information and the pandemic exposes all weaknesses in organizations’ cybersecurity culture, if any exists. Another sin is believing a layered, complex solution equals a decent security plan. Complexity actually creates more problems, especially when plans involve too much overhead management and talking about “doing something” instead of taking action.

Credential abuse is also a deadly sin. One commits credential abuse by over-relying on simple passwords. People love simple passwords because they are easy to remember, and they hate complex credential systems because they are annoying. It might be better to find an alternative solution:

“So what solutions should you start exploring? Identity & Access Management, Privileged Access Management (PAM), Just-In-Time/Just-Enough Administration, Role-based access controls, Multi-Factor Authentication, and more. What about Single Sign-On? Federated Identity management? Everyone must adhere to secure credential management without exception… In climbing, free-soloing might be the epitome of cool, but when you fall, you’ll wish you had a belay.”

The article advises to be aware that you cannot treat all of your information the same way. The example the article uses is treating a mobile number differently than a credit card number. It is important to be aware of how any information posted online could be potentially harmful.

Then an ultimate sin is not paying attention to blind spots:

“Many threats “hide in plain sight” and we don’t have the time, energy, and resources to look for them, let alone know where to start. This problem is due to complexity, a lack of resources, and too many gaps and overlaps.”

The key to absolving this sin is discovering the blind spots, then developing solutions.

Sin, however, is part of the human condition. Bad actors sense opportunities and exploit them. Cyber crime continues to thrive and become more pervasive.

Whitney Grace, October 24, 2020

One More Reason to Love Microsoft Windows 10 Updates: Malware

October 23, 2020

The pushing of updates reflects two things. First, the generally low quality of software. Second, a crazed desire to lock in customers. Microsoft seems to be working hard to deliver on both counts. However, there is more to love about the silent, unwanted Windows update processes, a topic not covered in Microsoft’s free report about its loss of 250 million items of customer data. Curious? You can download the report at this link.

“This Nasty Malware Has Disguised Itself As a Windows 10 Update”, if accurate, suggests there are other issues with the JEDI warriors’ online systems. We learned:

Emotet, the malware campaign that has been causing havoc for computer systems all over the world, has reappeared with a new approach to infecting devices. An email attachment claiming to be from Windows Update and instructing users to upgrade Microsoft Word is now being used to lure unsuspecting victims into downloading the malicious software. The malware works by first sending spam emails that contain either a Word document attachment or a download link. Victims will then be prompted to ‘Enable Content’ to allow macros to run on their device, which will install the Emotet Trojan.
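The lure quoted above works only if the recipient unlocks a VBA project, so a mail gateway that flags macro-bearing Office attachments before delivery removes the “Enable Content” decision from the user. The checker below is an added defender-side example, not code from the original post or the article it quotes; it inspects only container structure (OOXML parts and the legacy OLE magic), and the sample attachments are constructed inline.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container (.doc/.xls); macros live in a VBA storage there.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy', or 'other'.

    OOXML files (.docx/.docm/.xlsx/.xlsm) are ZIP archives. A VBA project is stored
    as a part named vbaProject.bin under word/, xl/ or ppt/; that part is what the
    'Enable Content' bar asks the user to unlock.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros may be inside the OLE VBA storage. Telling them
        # apart needs an OLE parser, so the verdict is "hold for review", not "clean".
        return "ole-legacy"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "other"
    if "[Content_Types].xml" not in names:
        return "other"  # a ZIP, but not an Office package
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped archive, not a real malicious document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


def triage(attachments: dict) -> dict:
    """Map attachment name -> verdict; anything other than 'ooxml-clean' is held for review."""
    return {name: classify_office_attachment(blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    samples = {  # constructed inputs
        "Update.docm": build_sample(True),
        "Invoice.docx": build_sample(False),
        "old.doc": OLE_MAGIC + b"\x00" * 16,
        "note.txt": b"hello",
    }
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict}")
```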

Seems like phishing to us. Are there steps Microsoft could take to minimize risks to their millions of long-suffering customers? Sure, but it may not be a priority. JEDI, you know. Beating off Amazon and Google, you know.

The reports about security are nice. But maybe something more than a free marketing document is needed if the “nasty malware” story is on the money? You know?

Stephen E Arnold, October 23, 2020

Twitter for Verification: The Crypto Approach

October 21, 2020

New York State’s Twitter Investigation Report explores the cybersecurity “incident” at Twitter and its implications for election security. If you don’t have a copy, you can view the document at this url. The main point of the document struck me as this statement from the document:

Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the Hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account.

With the Department of Financial Services’ report in mind, I found the information in “.Crypto Domain Owners Can Now Be Verified With Twitter Accounts for Safer Payments” interesting. Twitter and “safer” are not words I would associate. The write up reports:

Blockchain startup Unstoppable Domains and oracle network Chainlink have launched a new feature allowing individuals or entities with blockchain domains to authenticate themselves using their Twitter accounts. The feature is powered by Chainlink oracles, which connect each .crypto address from Unstoppable Domains to a public Twitter username. The firms said the Twitter authentication could help stem crimes in cryptocurrency payments such as phishing hacks.

In one of our Twitter tests, we created an account in the name of a now deceased pet. Tweets were happily disseminated automatically by the dog. Who knew that the dead dog’s Twitter account can reduce phishing attacks?

Twitter: Secure enough to deliver authentication? The company’s approach to business does not give me confidence in the firm’s systems and methods.

Stephen E Arnold, October 21, 2020

DarkCyber for October 20, 2020, Now Available

October 20, 2020

The October 20, 2020 DarkCyber video news program covers five stories. First, secure messaging apps have some vulnerabilities. These can be exploited, according to researchers in Europe. Second, QinetiQ’s most recent cyber report provides some eye-opening information about exploit techniques and methods. Third, a free phishing tool is available on GitHub. With it, a bad actor can automate phishing attacks. Fourth, mobile phones can be remotely activated to work like spy cameras and audio transmitters. The final story explains that swarms of drones can be controlled from a mobile phone and that a new crawling drone can deliver bio-weapons in a stealthy manner. DarkCyber is produced by Stephen E Arnold, author of CyberOSINT and the Dark Web Notebook. You can view the 11 minute program at this link. (The miniature centipede-like drone is a marvel.)

Kenny Toth, October 20, 2020

Dark Web Sites Losing Out to Encrypted Chat Apps?

October 14, 2020

With several Dark Web marketplaces falling to either law enforcement successes or to their own administrators’ “exit scams,” it was predicted vendors and buyers of illegal goods would shift to another alternative, one that promises end-to-end encryption. However, Bank Info Security explains “Why Encrypted Chat Apps Aren’t Replacing Darknet Markets.” To be sure, some criminals do use these apps, but they have been running into some disadvantages. Writer Mathew J. Schwartz specifies:

“One is the challenge of finding – or marketing – goods and services being provided via chat apps. Fear about the reliability of legitimate platforms – and of the risk of getting sold out – is another factor. ‘By trusting a legitimate third-party application’s encryption and anonymity policies, threat actors are placing their trust in non-criminals,’ the ‘Photon Research Team’ at digital risk protection firm Digital Shadows tells me. Criminals typically prefer to avoid such situations. … Chat platforms’ smaller scale can also be an unwelcome limitation for criminals because fewer customers means lower profits for sellers or chat-channel administrators. ‘Most instant messaging platforms tend to be smaller in terms of number of participants and also geographically focused or limited by language – limiting the reach,’ Raveed Laeb and Victoria Kivilevich, respectively product manager and threat intelligence analyst at Israeli cyber threat intelligence monitoring firm Kela, tell me. ‘Another limit is that many chat channels focus on one subject – meaning that one channel features drugs, another one offers enrolls and so on. Thus, it lowers potential profits for the channel’s admins,’ they say.”

It is true that legitimate encrypted apps have plenty of incentive to cooperate with the authorities. So why not build an alternative by criminals for criminals? Some have tried that, with networks like BlackBox, Phantom Secure, and EncroChat, all of which were summarily busted by law enforcement. There are likely more out there, but they may suffer the same fate.

In the end, it seems many dark-market vendors are sticking with the marketplaces. It makes sense in our view—we see the two avenues as complements to one another, anyway. Meanwhile, though, certain marketplaces are abandoning some of their traditional sellers: We’re told illegal drugs are being banned at these sites in favor of digitally transmittable products like malware, stolen databases, login credentials, and other cybercrime tools and services. There is the absence of complications caused by physical packages, but these products also exist in a grey area in many jurisdictions. (We note no mention is made of other items of high concern, like child pornography or weapons.) Schwartz supposes admins believe ceasing to market illegal drugs will make their sites smaller targets. Perhaps?

Cynthia Murrell, October 14, 2020

eBay: Sprinting Forward to Fight Online Sneaker Fraud

October 13, 2020

“EBay Launches Sneaker Authentication Service to Combat Counterfeit Sales” caught one of the DarkCyber research team’s attention. When I read the forwarded email about this Verge article, I wondered why the title wasn’t “Ebay Sprints Forward with a Sneaker Authentication Service.” I then realized that eBay has been in business for 25 years and product fraud has been around at least that long on the service. One of my friends who used to work in a British security service worked as an adviser to eBay. I recall that he mentioned that eBay online crime was a “stunner.” I assumed he meant that the amount of online crime was enough to startle an experienced investigator.

According to the Silicon Valley “real” news write up:

Collectible sneakers are big business.

I recall instances of robbery and murder for a pair of gym shoes. Yeah, that is a “real” news factoid. Murder amps up the perceived value of this particular apparel sector.

Here’s how the quarter century old digital market will deal with fake gym shoes:

As with its previously-announced watch authentication service, eBay has partnered with a third-party company, Sneaker Con, to authenticate items. When a sale is made, the buyer ships the sneakers to an “authentication facility” where they’re inspected to make sure they match the listing’s title, description, and images. If they pass the inspection, an eBay tag is attached to them, and they’re sent on to the buyer. The same process covers returns, to stop unscrupulous buyers from trying to return fake sneakers to legitimate sellers.

Sprinting to the future or stepping up slowly? DarkCyber thinks eBay is doing the speed walking associated with 75 year olds. Interpretation: Move slowly. Maybe “Ebay Limps Forward with a Sneaker Authentication Service.”

Stephen E Arnold, October 13, 2020

Domains Seized: What Companies Assisted the US Government?

October 13, 2020

The Straits Times’s article “US Seizes Iran Propaganda Websites” reported:

The US has seized 92 web domains used by Iran, including four which purported to be genuine English language news sites…Four of them, with the domain names “newsstand7.com”, “usjournal.net”, “usjournal.us”, and “twtoday.net”, were “operated by or on behalf” of Iran’s Islamic Revolutionary Guard Corps to influence United States domestic and foreign policy…

The article included an interesting factoid; to wit:

The sites were identified first with intelligence from Google and then also with help from Twitter and Facebook…

Interesting?

Stephen E Arnold, October 13, 2020

Facebook and Encryption

October 12, 2020

A number of experts have pointed to the information about Facebook’s contribution to child exploitation, human trafficking, and related activities. A good example is Robert David Steele’s “Betty Boop: Facebook Responsible for 94% of 69 Million Child Sex Abuse Images Reported by US Tech Firms.” DarkCyber notes “Five Eyes and Japan Call for Facebook Backdoor to Monitor Crime.” The point of that Nikkei Asia paywalled article is that encrypted messaging apps are conduits of information related to criminal activity.

Russia has taken some steps to deal with Telegram messaging traffic. Other countries, including Australia, Canada, England, New Zealand, and the United States express similar thoughts. Japan wants to “move closer” to these initiatives.

DarkCyber’s view is that the similarity of views among these countries is a response to a growing cyber crime challenge. The speed of instant messaging is one factor. The messaging apps’ growing robustness converts what was Dark Web eCommerce within Tor to encrypted channels operating on the “open” Internet. Plus, the messaging apps allow users to create the equivalent of “chat groups” in which like-minded individuals can share images and other information.

The call for a back door is getting louder. Providers of these software services may be reluctant to make changes. It is possible that change may be forced upon certain companies.

Stephen E Arnold, October 12, 2020

Work from Home: Stating the Obvious and a Newish Word

October 12, 2020

I read “Organizations Have Accrued Technical Debt in the Shift to Remote Work, and Now They Have to Face the Fallout.” Three facets of the article snagged my attention. The first was this observation attributed to a Security Awareness Advocate at KnowBe4, an information services firm:

“Many organizations have accrued a lot of technical debt, for lack of a better term, to get people working remotely,” said Malik. “They’ve enabled remote access to servers that they traditionally would never have given access to, or they might have relaxed some security rules. I heard of an organization that actually dropped 2FA to allow all of their employees to easily connect into the office, because they didn’t have enough resources to deploy 2FA to everyone, or train them up, or to deal with the number of tickets that would inevitably come in.”

Okay, the obvious has been stated.

Second, the use of the phrase “technical debt” indicates that services firms want to make clear that taking one set of technologies and applying them to remote work has risks.

No kidding. News? Hardly. Reports from assorted cyber security companies have been pointing out that phishing has become a go-to mechanism for some time. A useful report is available from Interpol.

The third facet of the article was the use of the portmanteau “websem.” The coinage appears to be a combination of the word “webinar”, itself a modification of “seminar”, and the now ubiquitous term “Web.”

Observations:

  1. Recycling Interpol data does not constitute an insight worthy of a consulting gig
  2. Whipping up jargon adds some froth to the Reddiwip analysis

Why not cite sources and use words WFH’ers will understand; for example, Zoom-eeting. Mammals braying, excitement, and snacks with toppings? The fallout? Plump targets for phishers.

Stephen E Arnold, October 12, 2020

Does Search Breed Fraud?

October 11, 2020

The question “Does search breed fraud?” is an interesting one. As far as I know, none of the big time MBA case studies address the topic. If any academic discipline knows about fraud, I believe it is those very same big time MBA programs.

“South Korean Search Giant Fined US $23 Million for Manipulating Results” reveals that Naver has channeled outfits with a penchant for results fiddling. The write up states:

The Korea Fair Trade Commission, the country’s antitrust regulator, ruled Naver altered algorithms on multiple occasions between 2012 and 2015 to raise its own items’ rankings above those of competitors.

Naver responded, according to the write up, with this statement:

“The core value of search service is presenting an outcome that matches the intentions of users,” it said in a statement, adding: “Naver has been chosen by many users thanks to our focus on this essential task.”

The pressure to generate revenue is significant. Engineers, who may be managed loosely or steered by the precepts of high school science club thought processes, can make tiny changes with significant impact. As a result, the manipulation can arise from a desire to get promoted, be cool, or land a bonus.

The implications can be profound. Google may be less evil because fiddling is an emergent behavior.

Stephen E Arnold, October 11, 2020
