Microsoft on Security

February 25, 2021

I think that some believe the SolarWinds’ misstep should be called surfing the Microsoft access control process.” I may be wrong on that, of course. I did find some of the statements and quotations in an article called “Microsoft CEO For Global Rules On Data Safety, Privacy.” On the same day that another Microsoftie was explaining the security stumble which has compromised systems at Microsoft itself and a few minor US government agencies, the CEO of the outstanding software company allegedly said:

One thing I hope for is that we don’t fragment, that we are able to, whether it’s on privacy or data safety, bring together a set of global rules that will allow all of us to both comply and make sure that what we build is safe to use.

He allegedly noted:

One of the things we are trying to ensure is how do we have that design principles and engineering processes to ensure that the products and the services are respecting privacy, security, AI ethics as well as the fundamental Internet safety but beyond that there will be regulation.

With some of the source code for Azure, Exchange, and Outlook on the loose, one hopes that those authentication and access control systems are indeed secure. One hopes that the aggressively marketed Windows Defender actually defends. That system appears to have been blind to the surfing maneuvers executed by bad actors for months, maybe a year or more.

Microsoft’s core methods for granting efficient access to trusted users or functions with certifying tokens were compromised. At this time, the scope of the breached systems and the existence if any of sleeper code is not yet quantified.

Assurances are useful in some circumstances. Foundational engineering flaws are slightly more challenging to address.

But “hope” is good. Let’s concentrate security with Microsoft procedures. Sounds good, right? Talk is easier than reengineering perhaps?

Stephen E Arnold, February 25, 2021

Zoom Bombers? Probably from Your Contact List

February 24, 2021

To break up the monotony of quarantine life, a new trend appeared on the Internet due to the large use of videoconferencing. Called “zoombombing,” the new activity is when a stranger joins an online videoconference and disrupts it with lewd comments, activities, and other chaos. Science Magazine shares how zoom bombers are usually not random strangers: “‘Zoombombing’ Research Shows Legitimate Meeting Attendees Cause Most Attacks.”

Zoombombing videos went viral rather quickly. Many of these disruptions incited humor, but soon became annoyances. Boston University and Binghamton University researchers discovered that most zoombombing attacks are “inside jobs.”

“Assistant Professor Jeremy Blackburn and PhD student Utkucan Balci from the Department of Computer Science at Binghamton’s Thomas J. Watson College of Engineering and Applied Science teamed up with Boston University Assistant Professor Gianluca Stringhini and PhD student Chen Ling to analyze more than 200 calls from the first seven months of 2020.

The researchers found that the vast majority of zoombombing are not caused by attackers stumbling upon meeting invitations or “bruteforcing” their ID numbers, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. Authorized users share links, passwords and other information on sites such as Twitter and 4chan, along with a call to stir up trouble.”

Hackers are not causing the problem, but invited participants to the Zoom call. Inside jobs are giggles, but they point to the underlying problem of anonymity. If people are not afraid of repercussions, then they are more likely to say/do racist, sexist, and related things.

The researchers were forced to study antisocial behavior in their studies and had to take mental health breaks due to the depravity.

Whitney Grace, February 24, 2021

DarkCyber for February 23, 2021 Is Now Available

February 23, 2021

DarkCyber, Series 3, Number 4 includes five stories. The first summarizes the value of an electronic game’s software. Think millions. The second explains that Lokinet is now operating under the brand Oxen. The idea is that the secure services’ offerings are “beefier.” The third story provides an example of how smaller cyber security startups can make valuable contributions in the post-SolarWinds’ era. The fourth story highlights a story about the US government’s getting close to an important security implementation, only to lose track of the mission. And the final story provides some drone dope about the use of unmanned aerial systems on Super Bowl Sunday as FBI agents monitored an FAA imposed no fly zone. You could download the video at this url after we uploaded it to YouTube.

But…

YouTube notified Stephen E Arnold that his interview with Robert David Steele, a former CIA professional, was removed from YouTube. The reason was “bullying.” Mr. Arnold is 76 or 77, and he talked with Mr. Steele about the Jeffrey Epstein allegations. Mr. Epstein was on the radar of Mr. Steele because the legal allegations were of interest to an international tribunal about human trafficking and child sex crime. Mr. Steele is a director of that tribunal. Bullying about a deceased person allegedly involved in a decades long criminal activity? What? 

What’s even more interesting is that the DarkCyber videos, which appear every 14 days focus on law enforcement, intelligence, and cyber crime issues. One law enforcement professional told Mr. Arnold after his Dark Web lecture at the National Cyber Crime Conference in 2020, you make it clear that investigators have to embrace new technology and not wait for budgets to accommodate more specialists.

Mr. Arnold told me that he did not click the bright red button wanting Google / YouTube to entertain an appeal. I am not certain about his reasoning, but I assume that Mr. Arnold, who was an advisor to the world’s largest online search system, was indifferent to the censorship. My perception is that Mr. Arnold recognizes that Alphabet, Google, and YouTube are overwhelmed with management challenges, struggling to figure out how to deal with copyright violations, hate content, and sexually related information. Furthermore, Alphabet, Google, and YouTube face persistent legal challenges, employee outcries about discrimination, and ageing systems and methods.

What does this mean? In early March 2021, we will announce other video services which will make the DarkCyber video programs available.

The DarkCyber team is composed of individuals who are not bullies. If anything, the group is more accurately characterized as researchers and analysts who prefer the libraries of days gone by to the zip zip world of thumbtypers, smart software, and censorship of content related to law enforcement and intelligence professionals.

Mr. Arnold was discussing online clickfraud at lunch next week. Would that make an interesting subject for a DarkCyber story? With two firms controlling more than two thirds of the online advertising, click fraud is a hot potato topic. How does it happen? What’s done to prevent it? What’s the cost to the advertisers? What are the legal consequences of the activity?

Kenny Toth, February 23, 2021

LinkedIn Phishing

February 22, 2021

One of the news items in an upcoming DarkCyber talks about LinkedIn phishing exploits. I want to mention this method of hijacking or intruding into a system for two reasons. First, Microsoft has been explaining and reframing the SolarWinds’ security misstep for a couple of months. The Redmond giant has used explanations of the breach to market its Windows and Azure security systems. LinkedIn is a Microsoft property, and it seems as if Microsoft would clamp down on phishing attacks after it lost some of the source code to Exchange and a couple of other Microsoft crown jewels. Second, LinkedIn, like Microsoft Teams, is going through a featuritis phase. The service is making publishing, rich media, in message links, and group functions more easily available. The goal is to increase the social network’s value and revenue, particularly among those seeking employment. There’s nothing like a malicious exploit that kills a job hunter’s computing to brighten one’s day.

The article “Phishers Tricking Users via Fake LinkedIn Private Shared Document” explains the exploit. The write up says:

The phishing message is delivered via LinkedIn’s internal messaging system and looks like it has been sent by one of the victim’s contacts. The message urges the recipient to follow a third-party link to view a document.

If you want more details, check out the full Help Net Security post.

In the wake of SolarWinds, I think that Microsoft needs to button up its security. Less marketing and more substantive action seems to be appropriate. Microsoft will be the plumbing for the JEDI program. What vulnerabilities exist within this system? Hopefully none, but recent events and this LinkedIn phishing information suggest reality is insecure.

Stephen E Arnold, February 22, 2021

What Threats Does Cyber Security Software Thwart?

February 19, 2021

I asked myself this question, “What threats does cyber security software thwart?” The SolarWinds’ misstep went undetected for months, maybe a year or more. I read “France Agency ANSSI Links Russia’s Sandworm APT to Attacks on Hosting Providers.” Reuters ran a short news item as well. You can read the report via this link. I don’t want to wade through the cyber security jargon in this post. Instead I want to highlight one fact: The “intrusions” dated back to 2017. Okay, this is another time block in which cyber security systems operated and failed to detect the malicious behavior.

The vector of attack was software used by Centreon. What’s Centreon do?

What’s ANSSI?

The French National Agency for the Security of Information Systems or Agence nationale de la sécurité des systèmes d’information.

What’s Centreon? LinkedIn says:

Centreon is a global provider of business-aware IT monitoring for always-on operations and performance excellence. The company’s holistic, AIOps-ready platform is designed for today’s complex, distributed hybrid cloud infrastructures. Privately held, Centreon was founded in 2005 as an open source software framework. Today, Centreon is trusted by organizations of all sizes across a wide range of public and private sectors. Centreon is headquartered in Paris and Toronto, with sales offices in Geneva, Luxembourg and Toulouse.

What’s Hub One?

It is a subsidiary of Aéroports de Paris. Hub One provides high speed radio networks and services to outfits like Air France and the French government.

What’s an APT?

An advanced persistent threat. The idea is that malware is inside a system or software and is able to remain undetected while it follows instructions from a bad actor.

Now back to the 2017 date.

The point is that current cyber security systems may not be able to provide the defenses which marketers tout.

We’re talking years which strikes me as very SolarWinds-like. Then there is the persistent question: What’s up with the commercial cyber security systems?

Stephen E Arnold, February 19, 2021

Microsoft: Technical Excellence Translates to More Excellencerness

February 18, 2021

I found the Microsoft explanation of the SolarWinds’ misstep interesting. CBS circulated some of the information in the interview in “SolarWinds: How Russian Spies Hacked the Justice, State, Treasury, Energy and Commerce Departments.” The point that Windows’ security systems did not detect the spoofing, modifying, and running of Microsoft software was skipped over in my opinion. I loved this statement by Brad Smith, one of the senior executives at the Redmond giant:

When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.

Then failing to detect the breach which seems to have exploited the fascinating Microsoft software update methods:

I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.

Okay, “certainly.” Okay, 1,000.

What if SolarWinds’ misstep was not the largest and most sophisticated hack? Is it possible that an insider or a contractor working from home in another country provided the credentials? What if piggybacking on the wild and wonderful Windows’ update system and method was a cottage industry among some bad actors? What if the idea for the malware was a result of carelessness and assumptions about the “security” of how Microsoft and its partners conducted routine business? What if the bad actors used open source software and some commercial reverse engineering tools, information on hacker forums, and trial and error? Does one need a 1,000 engineers? Microsoft may need that many engineers, but in my experience gained in rural Kentucky, a handful of clever individuals could have made the solar fires burn more brightly. Who can manage 1,000 hackers? I am not sure nation states can get 1,000 cyber warriors to a single conference center at one time or get most to read their email, file reports, and coordinate their code. Some may suggest Russia, China, North Korea, or Iran can do these managerial things in a successful way. Not I. The simplest explanation is often the correct one. Insider, opportunism, and a small team makes more sense to me.

Let me shift gears.

What about the spoofing, modifying, and running of Microsoft software for months, maybe a year, maybe more without detecting the intrusion?

I noted “A Vulnerability in Windows Defender Went Unnoticed for 12 Years.” That write up asserts:

A critical bug in Windows Defender went undetected by both attackers and defenders for some 12 years, before finally being patched last fall. The vulnerability in Microsoft’s built-in antivirus software could have allowed hackers to overwrite files or execute malicious code—if the bug had been found. Let’s be clear—12 years is a long time when it comes to the life cycle of a mainstream operating system, and it’s a heck of a long time for such a critical vulnerability to hide.

Sure, let’s be clear. Microsoft talks security. It issues techno-marketing posts like its late January explanation of the SolarWinds’ misstep which I reported on in the DarkCyber video news program on February 9, 2021.

But perhaps more pointed questions should be asked. I don’t want to know about Team featuritis. I don’t want to know why I should not install certain Windows 10 updates or accept updates like the mandatory update KB4023057. I don’t want to know about folding mobile phones. Nope. None of those things.

I want TV interviewers, CBS “real news” writers, and Microsoft to move beyond marketing chatter, hollow assurances, and techno-babble. Oh, I forgot. The election, Covid, and the Azure cloud JEDI thing. I, like others, need their priorities readjusted.

How many employees and partners told Brad Smith, “You were great in the 60 Minutes interview? Lots I would wager.

Stephen E Arnold, February 18, 2021

SolarWinds: Woulda, Coulda, Shoulda?

February 17, 2021

The SolarWinds security breach had consequences worldwide. The bad actors, supposed to be Russian operatives, hacked into systems at the Department of Homeland Security, the Treasury Department, the National Institutes of Health, the Department of Justice, and other federal agencies as well as those of some major corporations. The supply-chain attack went on for months until it was finally discovered in December; no one is sure how much information the hackers were able to collect during that time. Not only that, it is suspected they inserted hidden code that will continue to give them access for years to come.

Now ProPublica tells us the government paid big bucks to develop a system that may have stopped it, if only it had been put into place. Writers Peter Elkind and Jack Gillum report that “The U.S. Spent $2.2 Million on a Cybersecurity System that Wasn’t Implemented—and Might Have Stopped a Major Hack.” Oops. We learn:

“The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers. This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for ‘as a whole’), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. … Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.”

Other experts also believe in-toto, which is free to use, would have been able to stop the attack in its tracks. Some private companies have embraced the software, including SolarWinds competitor Datadog. That company’s security engineer, in fact, contributed to the tools’ design and implementation. We are not sure what it will take to make the government require its vendors implement in-toto. Another major breach? Two or three? We shall see. See the write-up for more details about supply-chain attacks, the SolarWinds attack specifically, and how in-toto works.

Cynthia Murrell, February 17, 2021

Data Security: Clubhouse Security and Data Integrity Excitement?

February 15, 2021

Here in rural Kentucky “clubhouse” means a lower cost shack where some interesting characters gather. There are many “clubs” in rural Kentucky, and not many of them are into the digital flow of Silicon Valley. Some of those “members” do love the tweeter and similar real time, real “news” systems.

Imagine my surprise when I read Stanford Internet Observatory’s report from its Cyber Policy Center “Clubhouse in China: Is the Data Safe?” I thought that the estimable Stanford hired experts who knew that “data” is plural. Thus the headline from the highly intellectual SIPCPC would have written the headline “Clubhouse in China: Are the Data Safe?” (Even some of the members of the Harrod’s Creek moonshine club know that subject-verb agreement is preferred even for graduates of the local skill high school.

Let’s overlook the grammar and consider the “real” information in the write up. The write up has six authors. That’s quite a team.

The SIPCPC determined that Clubhouse uses software and services from a company based in Shanghai. The question is, “Does the Chinese government have access to the data flowing in the Clubhouse super select and awfully elite “conversations”?

The answer it turns out is, “Huh. What?”

Clubhouse was banned by the Chinese government. SIPCPC (I almost typed CCP but caught myself) and the response from the Clubhouse dances around the issue. There are assurances that Clubhouse is going to be more strong.

The only problem is that the SIPCPC and the Clubhouse write up skirt such topics as:

  • Implications of the SolarWinds’ misstep which operated for month prior to detection and there are zero indicators reporting that the breach and its malware have been put in the barn.
  • Intercept technology within data centers in many countries make it possible to capture information (bulk and targeted)
  • The decision to rely on Agora raises interesting implications about the judgment of the Clubhouse management team.

Net net: Interesting write up which casts an interesting light on the SIPCPC findings and the super zippy Clubhouse. If one cannot get subject verb agreement correct, what other issues have been ignored?

Stephen E Arnold, February 15, 2021

2021: A Year with Two Gulps of Failure

February 11, 2021

I provide additional commentary on Microsoft’s late January 2021 about the SolarWinds’ misstep. The glitch seems to be like an ink stain. Over time, it spreads: China’s alleged involvement, one third of the security penetrations not involving SolarWinds’ software, and mounting suggestions about how long the bad actors were probing and possibly implanting backdoors in government agencies, big contractors, and commercial enterprises. You can view the video on this blog’s home page on January 9, 2021. For today (Monday, January 8, 2021) I want to call attention to two items.

The first is a useful list of situations in which malware, viruses, and other bad actor actions are not detected. You can find the list in “Why Antivirus Software Fails to Detect Latest Viruses and Malwares.” What’s interesting about the article is that none of the suggestions solves the problem of the Saturday Night Live / Donald Rumsfeld quip, “You don’t know what you don’t know.”

The second is the allegedly accurate information in the ABC News’s report “Former Capitol Police Chief Steven Sund Says Entire Intelligence Community Missed Signs of Riot.” Here’s a passage the Capitol Police’s former top dog to Ms. Pelosi included in the news story:

“Having previously handled two major post-election demonstrations successfully utilizing an action plan that was based on intelligence assessments that had proven to be credible, reliable, and accurate, we reasonably assumed the intelligence assessment for Jan. 6, 2021, was also correct.”

What this means to me is that the intel was off the mark.

Perhaps the SolarWinds’ misstep is the result of several factors. Let me raise these as possibilities:

First, the software designed to identify and flag breaches did not work. Furthermore, the infrastructure in wide use for Microsoft software was the carrier of the malware. No one noticed for possibly a year or more. FireEye investigated a mobile phone access issue and came across the multi-part, multi-stage attack. The breach was not one outfit. The penetration extended to as many as 18,000 organizations. It is not clear what the bad actor did once access to this gold mine of systems was achieved.

Second, the intelligence apparatus of multiple US entities did not characterize the scale, intent, and size of the “friendly” protest at the US Capitol in early January. If the information in the ABC News’s story is accurate, the intelligence reports, like the awareness of the SolarWinds’ misstep, were wide of the mark. Maybe in someplace like Cuba or Bali, just not in the Capitol Police’s tactical planning unit’s hands?

The conclusion is that I see two types of failure with a common root cause: A certain blindness.

Marketing, threat assessment webinars, and licensing existing cyber security software won’t address these, possibly inter related problems.

Not good. Marketing explanations are much better. The fix? Another BrightTALK cyber security briefing, more Microsoft security blog posts, and more security podcasts from former government security attorneys?

Stephen E Arnold, January 11, 2021

DarkCyber for February 9, 2021, Now Available

February 9, 2021

DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known online services. The program is produced by Stephen E Arnold. You can view the program on the Beyond Search blog or on YouTube at this link.

This week’s program features a discussion of Microsoft’s explanation of the SolarWinds’ misstep. The online explanation is a combination of forensic information with an old-fashioned, almost Balmer-esque marketing pitch. Plus, DarkCyber responds to a viewer who wanted more information about locating bad actor hackers promoting their criminal capabilities on the Dark Web. The program highlights two Dark Web services and provides information to two online resources which offer additional information. Three other stories round out the February 9, 2021, program. Allegedly some of the software stolen in the SolarWinds’ misstep (a data breach which compromised more than 18,000 companies and government organizations) is available for sale. Information about the cost of the software and how to buy are provided. Next you learn about the app tracking technology which is creating friction between Apple and Facebook. Who benefits from tracking users’ actions hundreds of times each day? DarkCyber answers this question. The final story is another signature drone news item. If you think that one drone poses a challenge, consider the difficulty of dealing with thousands of miniature weaponized drones converging on a unit or disrupting warfighting tactics under live fire.

Kenny Toth, February 9, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta