23andMe: Those Users and Their Passwords!

December 5, 2023

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

Silicon Valley and health are match fabricated in heaven. Not long ago, I learned about the estimable management of Theranos. Now I find out that “23andMe confirms hackers stole ancestry data on 6.9 million users.” If one follows the logic of some Silicon Valley outfits, the data loss is the fault of the users.

image

“We have the capability to provide the health data and bioinformation from our secure facility. We have designed our approach to emulate the protocols implemented by Jack Benny and his vault in his home in Beverly Hills,” says the enthusiastic marketing professional from a Silicon Valley success story. Thanks, MSFT Copilot. Not exactly Jack Benny, Ed, and the foghorn, but I have learned to live with “good enough.”

According to the peripatetic Lorenzo Franceschi-Bicchierai:

In disclosing the incident in October, 23andMe said the data breach was caused by customers reusing passwords, which allowed hackers to brute-force the victims’ accounts by using publicly known passwords released in other companies’ data breaches.

Users!

What’s more interesting is that 23andMe provided estimates of the number of customers (users) whose data somehow magically flowed from the firm into the hands of bad actors. In fact, the numbers, when added up, totaled almost seven million users, not the original estimate of 14,000 23andMe customers.

I find the leak estimate inflation interesting for three reasons:

  1. Smart people in Silicon Valley appear to struggle with simple concepts like adding and subtracting numbers. This gap in one’s education becomes notable when the discrepancy is off by millions. I think “close enough for horse shoes” is a concept which is wearing out my patience. The difference between 14,000 and almost 17 million is not horse shoe scoring.
  2. The concept of “security” continues to suffer some set backs. “Security,” one may ask?
  3. The intentional dribbling of information reflects another facet of what I call high school science club management methods. The logic in the case of 23andMe in my opinion is, “Maybe no one will notice?”

Net net: Time for some regulation, perhaps? Oh, right, it’s the users’ responsibility.

Stephen E Arnold, December 5, 2023 

Cyber Security Responsibility: Where It Belongs at Last!

December 5, 2023

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

I want to keep this item brief. Navigate to “CISA’s Goldstein Wants to Ditch ‘Patch Faster, Fix Faster’ Model.”

CISA means the US government’s Cybersecurity and Infrastructure Security Agency. The “Goldstein” reference points to Eric Goldstein, the executive assistant director of CISA.

The main point of the write up is that big technology companies have to be responsible for cleaning up their cyber security messes. The write up reports:

Goldstein said that CISA is calling on technology providers to “take accountability” for the security of their customers by doing things like enabling default security controls such as multi-factor authentication, making security logs available, using secure development practices and embracing memory safe languages such as Rust.

I may be incorrect, but I picked up a signal that the priorities of some techno feudalists are not security. Perhaps these firms’ goals are maximizing profit, market share, and power over their paying customers. Security? Maybe it is easier to describe in a slide deck or a short YouTube video?

image

The use of a parental mode seems appropriate for a child? Will it work for techno feudalists who have created a digital mess in kitchens throughout the world? Thanks, MSFT Copilot. You must have ingested some “angry mommy” data when your were but a wee sprout.

Will this approach improve the security of mission-critical systems? Will the enjoinder make a consumer’s mobile phone more secure?

My answer? Without meaningful consequences, security is easier to talk about than deliver. Therefore, minimal change in the near future. I wish I were wrong.

Stephen E Arnold, December 5, 2023

Omegle: Hasta La Vista

November 30, 2023

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

In the Internet’s early days, users could sign into chatrooms and talk with strangers. While chatrooms have fallen out of favor, the idea of talking with strangers hung on but now it’s accompanied by video. Chat Roulette and Omegle are popular chatting applications that allow users to video chat with random individuals. The apps are notorious for pranks and NSFW content, including child sexual abuse. The Independent shared a story about one of the two: “Omegle Anonymous Chat App Shuts Down After 14 Years.”

Omegle had a simple concept: sign in, be connected to another random person, and video chat for as long as you like. Leif K-Brooks launched the chat platform with good intentions in 2009, but it didn’t take long for bad actors to infiltrate it. K-Brooks tried to stop criminal activities on Omegle with features, such as the “monitored chats” with moderators. They didn’t work and Omegle continued to receive flack. K-Brooks doesn’t want to deal with the criticism anymore:

“The intensity of the fight over use of the site had forced him to decide to shut it down, he said, and it will stop working straight away. ‘As much as I wish circumstances were different, the stress and expense of this fight – coupled with the existing stress and expense of operating Omegle, and fighting its misuse – are simply too much. Operating Omegle is no longer sustainable, financially nor psychologically. Frankly, I don’t want to have a heart attack in my 30s,’ wrote Leif K-Brooks, who has run the website since founding it.”

Omegle’s popularity rose during the pandemic. The sudden popularity surge highlighted the criminal acts on the video chat platform. K-Brooks believes that his critics used fear to shut down the Web site. He also acknowledged that people are quicker to attack and slower to recognize shared humanity. He theorizes that social media platforms are being labeled negatively because of small groups of bad actors.

Whitney Grace, November 30, 2023

Who Benefits from Advertising Tracking Technology? Teens, Bad Actors, You?

November 23, 2023

green-dino_thumb_thumbThis essay is the work of a dumb humanoid. No smart software required.

Don’t get me wrong. I absolutely love advertising. When I click to Sling’s or Tubi’s free TV, a YouTube video about an innovation in physics, or visit the UK’s Daily Mail — I see just a little bit of content. The rest, it seems to this dinobaby, to be advertising. For some reason, YouTube this morning (November 17, 2023) is showing me ads for a video game or undergarments for a female-oriented person before I can watch an update on the solemnity of Judge Engoran’s courtroom.

However, there are some people who are not “into” advertising. I want to point out that these individuals are in the minority; otherwise, people flooded with advertising would not disconnect or navigate to a somewhat less mercantile souk. Yes, a few exist; for example, government Web sites. (I acknowledge that some governments’ Web sites are advertising, but there’s not much I can do about that fusion of pitches and objective information about the location of a nation’s embassy.)

But to the matter at hand. I read a PDF titled “Europe’s Hidden Security Crisis.” The document is a position paper, a white paper, or a special report. The terminology varies depending on the entities involved in the assembly of the information. The group apparently nudging the intrepid authors to reveal the “hidden security crisis” could be the Irish Council for Civil Liberties. I know zero about the group, and I know even less about the authors, Dr. Johnny Ryan and Wolfie Christl. Dr. Ryan has written for the newspaper which looks like a magazine, and Mr. Christl is a principal of Cracked Labs.

So what’s the “hidden security crisis”? There is a special operation underway in Ukraine. The open source information crowd is documenting assorted facts and developments on X.com. We have the public Telegram channels outputting a wealth of information about the special operation and the other unhappy circumstances in Europe. We have the Europol reports about cyber crime, takedowns, and multi-nation operations. I receive in my newsfeed pointers to “real” news about a wide range of illegal activities. In short, what’s hidden?

image

An evil Web bug is capturing information about a computer user. She is not afraid. She is unaware… apparently. Thanks Microsoft Bing. Ooops. Strike that. Thanks, Copilot. Good Grinch. Did you accidentally replicate a beloved character or just think it up?

The report focuses on what I have identified as my first love — commercial messaging aka advertising.

The “hidden”, I think, refers to data collected when people navigate to a Web site and click, drag a cursor, or hover on a particular region. Those data along with date, time, browser used, and similar information are knitted together into a tidy bundle. These data can be used to have other commercial messages follow a person to another Web site, trigger an email urging the surfer to buy more or just buy something, or populate one of the cross tabulation companies’ databases.

The write up uses the lingo RTB or real time bidding to describe the data collection. The report states:

Our investigation highlights a widespread trade in data about sensitive European personnel and leaders that exposes them to blackmail, hacking and compromise, and undermines the security of their organizations and institutions.  These data flow from Real-Time Bidding (RTB), an advertising technology that is active on almost all websites and apps. RTB involves the broadcasting of sensitive data about people using those websites and apps to large numbers of other entities, without security measures to protect the data. This occurs billions of times a day. Our examination of tens of thousands of pages of RTB data reveals that EU military personnel and political decision makers are targeted using RTB.

In the US, the sale of data gathered via advertising cookies, beacons, and related technologies is a business with nearly 1,000 vendors offering data. I am not sure about the “hidden” idea, however. If the term applies to an average Web user, most of those folks do not know about changing defaults. That is not a hidden function; that is an indication of the knowledge the user has about a specific software.

If you are interested in the report, navigate to this link. You may find the “security crisis” interesting. If not, keep in mind that one can eliminate such tracking with fairly straightforward preventative measures. For me, I love advertising. I know the beacons and bugs want to do the right thing: Capture and profile me to the nth degree. Advertising! It is wonderful and its data exhaust informative and useful.

Stephen E Arnold, November 23, 2023

Is Your Phone Secure? Think Before Answering, Please

November 21, 2023

green-dino_thumb_thumb_thumbThis essay is the work of a dumb dinobaby. No smart software required.

I am not going to offer my observations and comments. The article, its information, and the list of companies from The Times of India’s “11 Dangerous Spywares Used Globally: Pegasus, Hermit, FinFisher and More” speaks for itself. The main point of the write up is that mobile phone security should be considered in the harsh light of digital reality. The write up provides a list of outfits and components which can be used to listen to conversations, intercept text and online activity, as well as exfiltrate geolocation data, contact lists, logfiles, and imagery. Some will say, “This type of software should be outlawed.” I have no comment.

image

Are there bugs waiting to compromise your mobile device? Yep. Thanks, MSFT Copilot. You have a knack for capturing the type of bugs with which many are familiar.

Here’s the list. I have alphabetized by the name of the malware and provided a possible entity name for the owner:

  • Candid. Maybe a Verint product? (Believed to be another product developed by former Israeli cyber warfare professionals)
  • Chrysaor. (Some believe it was created by NSO Group or NSO Group former employees)
  • Dark Tequila. (Requires access to the targeted device or for the user to perform an action. More advanced methods require no access to the device nor for the user to click)
  • FinFisher. Gamma Group  (The code is “in the wild” and the the German unit may be on vacation or working under a different name in the UK)
  • Hawkeye, Predator, or Predator Pain (Organization owning the software is not known to this dinobaby)
  • Hermit. RCS Lab (Does RCS mean “remote control service”?)
  • Pegasus. NSO Group Pegasus (now with a new president who worked at NSA and Homeland Security)
  • RATs (Remote Access Trojans) This is a general class of malware. Many variants.
  • Sofacy. APT28 (allegedly)
  • XKeyscore (allegedly developed by a US government agency)

Is the list complete? No.

Stephen E Arnold, November 21, 2023

Why Suck Up Health Care Data? Maybe for Cyber Fraud?

November 20, 2023

green-dino_thumb_thumbThis essay is the work of a dumb humanoid. No smart software required.

In the US, medical care is an adventure. Last year, my “wellness” check up required a visit to another specialist. I showed up at the appointed place on the day and time my printed form stipulated. I stood in line for 10 minutes as two “intake” professionals struggled to match those seeking examinations with the information available to the check in desk staff. The intake professional called my name and said, “You are not a female.” I said, “That’s is correct.” The intake professional replied, “We have the medical records from your primary care physician for a female named Tina.” Nice Health Insurance Portability and Accountability Act compliance, right?

image

A moose in Maine learns that its veterinary data have been compromised by bad actors, probably from a country in which the principal language is not moose grunts. With those data, the shocked moose can be located using geographic data in his health record. Plus, the moose’s credit card data is now on the loose. If the moose in Maine is scared, what about the humanoids with the fascinating nasal phonemes?

That same health care outfit reported that it was compromised and was a victim of a hacker. The health care outfit floundered around and now, months later, struggles to update prescriptions and keep appointments straight. How’s that for security? In my book, that’s about par for health care managers who [a] know zero about confidentiality requirements and [b] even less about system security. Horrified? You can read more about this one-horse travesty in “Norton Healthcare Cyber Attack Highlights Record Year for Data Breaches Nationwide.” I wonder if the grandparents of the Norton operation were participants on Major Bowes’ Amateur Hour radio show?

Norton Healthcare was a poster child for the Commonwealth of Kentucky. But the great state of Maine (yep, the one with moose, lovable black flies, and citizens who push New York real estate agents’ vehicles into bays) managed to lose the personal data for 2,192,515 people. You can read about that “minor” security glitch in the Office of the Maine Attorney General’s Data Breach Notification.

What possible use is health care data? Let me identify a handful of bad actor scenarios enabled by inept security practices. Note, please, that these are worse than being labeled a girl or failing to protect the personal information of what could be most of the humans and probably some of the moose in Maine.

  1. Identity theft. Those newborns and entries identified as deceased can be converted into some personas for a range of applications, like applying for Social Security numbers, passports, or government benefits
  2. Access to bank accounts. With a complete array of information, a bad actor can engage in a number of maneuvers designed to withdraw or transfer funds
  3. Bundle up the biological data and sell it via one of the private Telegram channels focused on such useful information. Bioweapon researchers could find some of the data fascinating.

Why am I focusing on health care data? Here are the reasons:

  1. Enforcement of existing security guidelines seems to be lax. Perhaps it is time to conduct audits and penalize those outfits which find security easy to talk about but difficult to do?
  2. Should one or more Inspector Generals’ offices conduct some data collection into the practices of state and Federal health care security professionals, their competencies, and their on-the-job performance? Some humans and probably a moose or two in Maine might find this idea timely.
  3. Should the vendors of health care security systems demonstrate to one of the numerous Federal cyber watch dog groups the efficacy of their systems and then allow one or more of the Federal agencies to probe those systems to verify that the systems do, in fact, actually work?

Without meaningful penalties for security failures, it may be easier to post health care data on a Wikipedia page and quit the crazy charade that health information is secure.

Stephen E Arnold, November 20, 2023

Smart Software for Cyber Security Mavens (Good and Bad Mavens)

November 17, 2023

green-dino_thumb_thumbThis essay is the work of a dumb humanoid. No smart software required.

One of my research team (who wishes to maintain a low profile) called my attention to the “Awesome GPTs (Agents) for Cybersecurity.” The list on GitHub says:

The "Awesome GPTs (Agents) Repo" represents an initial effort to compile a comprehensive list of GPT agents focused on cybersecurity (offensive and defensive), created by the community. Please note, this repository is a community-driven project and may not list all existing GPT agents in cybersecurity. Contributions are welcome – feel free to add your own creations!

image

Open source cyber security tools and smart software can be used by good actors to make people safe. The tools can be used by less good actors to create some interesting situations for cyber security professionals, the elderly, and clueless organizations. Thanks, Microsoft Bing. Does MSFT use these tools to keep people safe or unsafe?

When I viewed the list, it contained more than 30 items. Let me highlight three, and invite you to check out the other 30 at the link to the repository:

  1. The Threat Intel Bot. This is a specialized GPT for advanced persistent threat intelligence
  2. The Message Header Analyzer. This dissects email headers for “insights.”
  3. Hacker Art. The software generates hacker art and nifty profile pictures.

Several observations:

  • More tools and services will be forthcoming; thus, the list will grow
  • Bad actors and good actors will find software to help them accomplish their objectives.
  • A for fee bundle of these will be assembled and offered for sale, probably on eBay or Etsy. (Too bad fr0gger.)

Useful list!

Stephen E Arnold, November 17, 2023

xx

test

AI Is a Rainmaker for Bad Actors

November 16, 2023

green-dino_thumbThis essay is the work of a dumb dinobaby. No smart software required.

How has smart software, readily available as open source code and low-cost online services, affected cyber crime? Please, select from one of the following answers. No cheating allowed.

[a] Bad actors love smart software.

[b] Criminals are exploiting smart orchestration and business process tools to automate phishing.

[c] Online fraudsters have found that launching repeated breaching attempts is faster and easier when AI is used to adapt to server responses.

[d] Finding mules for drug and human trafficking is easier than ever because social media requests for interested parties can be cranked out at high speed 24×7.

image_thumb

“Well, Slim, your idea to use that new fangled smart software to steal financial data is working. Sittin’ here counting the money raining down on us is a heck of a lot easier than robbing old ladies in the Trader Joe’s parking lot,” says the bad actor with the coffin nail of death in his mouth and the ill-gotten gains in his hands. Thanks, Copilot, you are producing nice cartoons today.

And the correct answer is … a, b, c, and d.

For some supporting information, navigate to “Deepfake Fraud Attempts Are Up 3000% in 2023. Here’s Why.” The write up reports:

Face-swapping apps are the most common example. The most basic versions crudely paste one face on top of another to create a “cheapfake.” More sophisticated systems use AI to morph and blend a source face onto a target, but these require greater resources and skills.  The simple software, meanwhile, is easy to run and cheap or even free. An array of forgeries can then be simultaneously used in multiple attacks.

I like the phrase “cheap fakes.”

Several observations:

  1. Bad actors, unencumbered by bureaucracy, can download, test, tune, and deploy smart criminal actions more quickly than law enforcement can thwart them
  2. Existing cyber security systems are vulnerable to some smart attacks because AI can adapt and try different avenues
  3. Large volumes of automated content can be created and emailed without the hassle of manual content creation
  4. Cyber security vendors operate in “react mode”; that is, once a problem is discovered then the good actors will develop a defense. The advantage goes to those with a good offense, not a good defense.

Net net: 2024 will be fraught with security issues.

Stephen E Arnold, November 17, 2023

SolarWinds: Huffing and Puffing in a Hot Wind on a Sunny Day

November 16, 2023

green-dino_thumb_thumbThis essay is the work of a dumb humanoid. No smart software required.

Remember the SolarWinds’ misstep? Time has a way deleting memories of security kerfuffles. Who wants to recall ransomware, loss of data, and the general embarrassment of getting publicity for the failure of existing security systems? Not too many. A few victims let off steam by blaming their cyber vendors. Others — well, one — relieve their frustrations by emulating a crazed pit bull chasing an M1 A2 battle tank. The pit bull learns that the M1 A2 is not going to stop and wait for the pit bull to stop barking and snarling. The tank grinds forward, possibly over Solar (an unlikely name for a pit bull in my opinion).

11 11 political speech

The slick business professional speaks to a group of government workers gathered outside on the sidewalk of 100 F Street NW. The talker is semi-shouting, “Your agency is incompetent. You are unqualified. My company knows how to manage our business, security, and personnel affairs.” I am confident this positive talk will win the hearts and minds of the GS-13s listening. Thanks, Microsoft Bing. You obviously have some experience with government behaviors.

I read “SolarWinds Says SEC Sucks: Watchdog Lacks Competence to Regulate Cybersecurity.” The headline attributes the statement to a company. My hunch is that the criticism of the SEC is likely someone other than the firm’s legal counsel, the firm’s CFO, or its PR team.

The main idea, of course, is that SolarWinds should not be sued by the US Securities & Exchange Commission. The SEC does have special agents, but no criminal authority. However, like many US government agencies and their Offices of Inspector General, the investigators can make life interesting for those in whom the US government agency has an interest. (Tip: I will now offer an insider tip. Avoid getting crossways with a US government agency. The people may change but the “desks” persist through time along with documentation of actions. The business processes in the US government mean that people and organizations of interest can be the subject to scrutiny. Like the poem says, “Time cannot wither nor custom spoil the investigators’ persistence.”)

The write up presents information obtained from a public blog post by the victim of a cyber incident. I call the incident a misstep because I am not sure how many organizations, software systems, people, and data elements were negatively whacked by the bad actors. In general, the idea is that a bad actor should not be able to compromise commercial outfits.

The write up reports:

SolarWinds has come out guns blazing to defend itself following the US Securities and Exchange Commission’s announcement that it will be suing both the IT software maker and its CISO over the 2020 SUNBURST cyberattack.

The vendor said the SEC’s lawsuit is "fundamentally flawed," both from a legal and factual perspective, and that it will be defending the charges "vigorously." A lengthy blog post, published on Wednesday, dissected some of the SEC’s allegations, which it evidently believes to be false. The first of which was that SolarWinds lacked adequate security controls before the SUNBURST attack took place.

The right to criticize is baked into the ethos of the US of A. The cited article includes this quote from the SolarWinds’ statement about the US Securities & Exchange Commission:

It later went on to accuse the regulator of overreaching and "twisting the facts" in a bid to expand its regulatory footprint, as well as claiming the body "lacks the authority or competence to regulate public companies’ cybersecurity. The SEC’s cybersecurity-related capabilities were again questioned when SolarWinds addressed the allegations that it didn’t follow the NIST Cybersecurity Framework (CSF) at the time of the attack.

SolarWinds feels strongly about the SEC and its expertise. I have several observations to offer:

  1. Annoying regulators and investigators is not perceived in some government agencies as a smooth move
  2. SolarWinds may find that its strong words may be recast in the form of questions in the legal forum which appears to be roaring down the rails
  3. The SolarWinds’ cyber security professionals on staff and the cyber security vendors whose super duper bad actor stoppers appear to have an opportunity to explain their view of what I call a “misstep.”

Do I have an opinion? Sure. You have read it in my blog posts or heard me say it in my law enforcement lectures, most recently at the Massachusetts / New York Association of Crime Analysts’ meeting in Boston the first week of October 2023.

Cyber security is easier to describe in marketing collateral than do in real life. The SolarWinds’ misstep is an interesting case example of reality being different from the expectation.

Stephen E Arnold, November 16, 2023

AI Makes Cyberattacks Worse. No Fooling?

November 7, 2023

green-dino_thumb_thumbThis essay is the work of a dumb humanoid. No smart software required.

Why does everyone appear to be surprised by the potential dangers of cyber attacks?  Science fiction writers and even the crazy conspiracy theorists with their tin foil hats predicted that technology would outpace humanity one day.  Tech Radar wrote an article about how AI like ChatGPT makes cyber attacks more dangerous than ever: “AI Is Making Cyberattacks Even Smarter And More Dangerous.

Tech experts want to know how humans and AI algorithms compare when it comes to creating scams.  IBM’s Security Intelligence X-Force team accepted the challenge with an experiment about phishing emails.  They compared human written phishing emails against those ChatGPT wrote.  IBM’s X-Force team discovered that the human written emails had higher clicks rates, giving them a slight edge over the ChatGPT.  It was a very slight edge that proves AI algorithms aren’t far from competing and outpacing human scammers. 

Human written phishing scams have higher click rates, because of emotional intelligence, personalization, and ability to connect with their victims. 

“All of these factors can be easily tweaked with minimal human input, making AI’s work extremely valuable. It is also worth noting that the X-Force team could get a generative AI model to write a convincing phishing email in just five minutes from five prompts – manually writing such an email would take the team about 16 hours. ‘While X-Force has not witnessed the wide-scale use of generative AI in current campaigns, tools such as WormGPT, which were built to be unrestricted or semi-restricted LLMs were observed for sale on various forums advertising phishing capabilities – showing that attackers are testing AI’s use in phishing campaigns,’ the researchers concluded.”

It’s only a matter of time before the bad actors learn how to train the algorithms to be as convincing as their human creators.  White hat hackers have a lot of potential to earn big bucks as venture startups.

Whitney Grace, November 7, 2023

Next Page »

  • Archives

  • Recent Posts

  • Meta