Need Free Data? Two Thousand Terabytes Are Available

October 2, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

I read “Censys Reveals Open Directories Share More Than 2,000 TB of Unprotected Data.” What’s an open directory? According to the champion of redactions the term refers to lists of direct links to files. True?

The article reports:

These open directories could leak sensitive data, intellectual property or technical data and let an attacker compromise the entire system.

Why do these “lists” exist? Laziness, lack of staff who know what to do, and forgetting how an intern configured a server years ago?

The article states:

Why don’t search engines prohibit people from seeing those open directories? Censys researchers told TechRepublic that “while this may initially sound like a reasonable approach, it’s a bandage on the underlying issue of open directories being exposed on the internet in the first place.”

Are open directories a good thing? I think it depends on one’s point of view. Why are bad actors generally cheerful these days? Attack surfaces are abundant and management floats above such hard-to-grasp details about online systems and services. Hey, what time is lunch?
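Two checks a practitioner would want after reading the Censys item, as an added example that is not part of the original post or of the Censys research: a classifier that decides whether a fetched page is a server-generated directory listing (the “Index of /path” page Apache, nginx, lighttpd and Python’s http.server all emit), and an audit of Apache and nginx configuration text for the directive that turns listings on (`Options Indexes` or `Options All` in Apache, `autoindex on;` in nginx). The sample listing, ordinary page and configs embedded below are constructed for the example; the file names in them are made up.

```python
"""Two checks for the open-directory problem: classify a fetched page as a
server-generated listing, and scan web-server configs for the directive
that turns listings on. All sample pages and configs below are constructed
for this example.
"""
import re
import urllib.request
from typing import List, Tuple

# Auto-index pages from Apache, nginx, lighttpd and Python's http.server all
# carry an "Index of /path" title or heading; IIS uses "[To Parent Directory]".
_INDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
_INDEX_HEADING = re.compile(r"<h1>\s*Index of\s+/", re.IGNORECASE)
_PARENT_LINK = re.compile(r"Parent Directory|\[To Parent Directory\]", re.IGNORECASE)
_HREF = re.compile(r'<a href="([^"?]+)"')  # skips Apache's ?C=N;O=D sort links


def is_open_directory(html: str) -> bool:
    """True if the body looks like a server-generated directory listing."""
    if _INDEX_TITLE.search(html) or _INDEX_HEADING.search(html):
        return True
    # Weaker evidence: a parent-directory link alongside several file links.
    return bool(_PARENT_LINK.search(html)) and len(_HREF.findall(html)) >= 3


def list_entries(html: str) -> List[str]:
    """The file and subdirectory links a listing exposes (what gets harvested)."""
    return [h for h in _HREF.findall(html) if h not in ("/", "../")]


def probe(url: str, timeout: float = 10.0) -> bool:
    """Fetch a URL and classify it. Not used by the offline sample run below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return is_open_directory(resp.read().decode("utf-8", errors="replace"))


# Apache: any "Options" line that grants Indexes (explicitly, with +, or via
# All) and does not also take it away with -Indexes. nginx: "autoindex on;".
_PATTERNS = {
    "apache": re.compile(r"^\s*Options\b(?!.*-Indexes).*\b(\+?Indexes|All)\b", re.IGNORECASE),
    "nginx": re.compile(r"^\s*autoindex\s+on\s*;", re.IGNORECASE),
}


def audit_config(text: str, flavor: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every directive that enables listings."""
    pattern = _PATTERNS[flavor]
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if pattern.search(line)]


# Constructed samples (file names are made up for the example).
APACHE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="db-2023-09.sql.gz">db-2023-09.sql.gz</a>
<a href="id_rsa">id_rsa</a>
<a href="config/">config/</a>
</body></html>"""

ORDINARY_PAGE = """<html><head><title>Example Corp</title></head>
<body><a href="/about">About</a> <a href="/contact">Contact</a></body></html>"""

APACHE_CONF = """<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/html/private>
    Options -Indexes
</Directory>"""

NGINX_CONF = """server {
    listen 80;
    location /downloads/ {
        autoindex on;
    }
    location /private/ {
        autoindex off;
    }
}"""

if __name__ == "__main__":
    print("listing?", is_open_directory(APACHE_LISTING), list_entries(APACHE_LISTING))
    print("ordinary?", is_open_directory(ORDINARY_PAGE))
    print("apache findings:", audit_config(APACHE_CONF, "apache"))
    print("nginx findings:", audit_config(NGINX_CONF, "nginx"))
```

The config audit is the cheaper control: `Options -Indexes` and `autoindex off;` (nginx’s default) remove the listing regardless of what the directory contains. The page classifier is for checking what is already reachable from outside, which is what Censys measured.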

Stephen E Arnold, October 2, 2023

Malware: The NSO Group and a Timeline

September 8, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

A flurry of NSO Group news appeared in my newsfeeds this morning. Citizen Lab issued an advisory. You can find that short item in “BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild.” Recorded Future, a cyber security company, published “Apple Discloses Zero-Days Linked.” Variants of these stories are percolating, including in British tabloid newspapers like The Metro. One message comes through: Update your iPhones.

The information makes clear that a vulnerability “path” appears to be blocked. That’s good news. The firm which allegedly discovered the way into user mobile devices is the NSO Group. The important fact, at least for me, is that this organization opened its doors for business in 2010. The origin story, if one believes the information one can find using a free Web search engine, is that the company evolved from a mobile phone repair business. After repairing and tinkering, the founder set up a company to assist government agencies in obtaining information from mobile devices believed to be used by bad actors. Agree or disagree, the origin story is interesting.

What’s important for me is that the time between the company’s start up and the “good news” about addressing a vulnerability in certain devices has been a decade, maybe more. I don’t have an opinion about whether the time window could have been closed more quickly. What’s important to me is that the information is diffusing quickly. On one hand, that’s beneficial to those concerned about the security of their devices. On the other hand, that’s the starter’s gun for bad actors to deploy another hard-to-spot exploit.

I have several observations about this vulnerability:

  1. The challenge to those who create hardware and software is to realize that security issues are likely to exist. Those who discover these and exploit them blindside the company. The developers have to reverse engineer the exploit and then figure out what their colleagues missed. Obviously this is a time-consuming and difficult process. Perhaps 10 years is speedy or slow. I don’t know. But an error made many years ago can persist and affect millions of device owners.
  2. The bad actor acts and the company responsible for chasing down the flaw reacts. This is a cat-and-mouse game. As a result, the hardware and software developers are playing defense. The idea that a good defense is better than a good offense may not be accurate. Those initial errors are, by definition, unknown. The gap between the error and the exploit allows bad actors to do what they want. Playing defense allows the offense time to gear up something new. The “good guys” are behind the curve in this situation.
  3. The fact that the digital ecosystem is large means that the opportunity for mischief increases. In my lectures, I like to point out that technology yields benefits, but it also is an enabler of those who want to do mischief.

Net net: Cyber crime increases steadily, and the boundary between systems and methods which are positive and those which are negative becomes blurred. Have we entered a stage in technical development in which the blurred space between good and bad has become so large that one cannot tell what is right or wrong, correct or incorrect, appropriate or inappropriate? Are we living in a “ghost Web” or a “shadow land?”

Stephen E Arnold, September 8, 2023

Surprised? Microsoft Drags Feet on Azure Security Flaw

September 5, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Microsoft has addressed a serious security flaw in Azure, but only after being called out by the cybersecurity firm that found the issue. It only took several months. Oh, and according to that firm, the “fix” only applies to new applications despite Microsoft’s assurances to the contrary. “Microsoft Fixes Flaw After Being Called Irresponsible by Tenable CEO,” Bleeping Computer reports. Writer Sergiu Gatlan describes the problem Tenable found within the Power Platform Custom Connectors feature:

“Although customer interaction with custom connectors usually happens via authenticated APIs, the API endpoints facilitated requests to the Azure Function without enforcing authentication. This created an opportunity for attackers to exploit unsecured Azure Function hosts and intercept OAuth client IDs and secrets. ‘It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact,’ says cybersecurity firm Tenable which discovered the flaw and reported it on March 30th. ‘However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing.’ ‘To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft,’ Tenable CEO Amit Yoran added.”

Yes, that would seem to be worth a sense of urgency. But even after the eventual fix, this bank and any other organizations already affected were still vulnerable, according to Yoran. As far as he can tell, they weren’t even notified of the problem so they could mitigate their risk. If accurate, can Microsoft be trusted to keep its users secure going forward? We may have to wait for another crop of interns to arrive in Redmond to handle the work “real” engineers do not want to do.

Cynthia Murrell, September 5, 2023

A Hacker Recommends Hacking Books

August 11, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Hacxx, a self-identified posting freak, has published a list of “20 Best Free Hacking Books 2023.” I checked the post on Sinister.ly and noted that the list of books did not include links to the “free” versions. I asked one of my research team to do a quick check to see if these books were free. Not surprisingly, most were available for sale. O’Reilly titles were free if one signed up for that publisher’s services. A couple were posted on a PDF download site. We think the list is helpful. For those interested in the list and in where to find the books Hacxx says are “the best,” we have arranged them in alphabetical order. Authors should be compensated for their work even if the subject is one that some might view as controversial. Right, Hacxx?

  1. Advanced Penetration Testing https://www.amazon.com/Advanced-Penetration-Testing-Hacking-Networks/dp/1119367689 [Less than $30US]
  2. Basics of Hacking and Penetration Testing https://www.amazon.com/Basics-Hacking-Penetration-Testing-Ethical/dp/0124116442?tag=50kft00-20
  3. Black Hat Python: Python Programming for Hackers and Pentesters https://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900?tag=50kft00-20 [Less than $33US]
  4. Blue Team Handbook: Incident Response Edition https://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756?tag=50kft00-20 [Less than $17]
  5. CISSP All-In-One Exam Guide https://www.amazon.com/CISSP-All-One-Guide-Ninth/dp/1260467376?tag=50kft00-20 [Less than $60US]
  6. Computer Hacking Beginners Guide https://www.amazon.com/Computer-Hacking-Beginners-Guide-Penetration-ebook/dp/B01N4FFHMW/ref=sr_1_1?crid=2TKYVD64M3NLS&keywords=.+Computer+Hacking+Beginners+Guide&qid=1691702342&sprefix=computer+hacking+beginners+guide%2Caps%2C91&sr=8-1 [$1US for Kindle edition]
  7. Ghost in the Wires https://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/dp/0316037729?tag=50kft00-20 [Less than $20US]
  8. Gray Hat Hacking: The Ethical Hacker’s Handbook, Sixth Edition https://www.amazon.com/Gray-Hat-Hacking-Ethical-Handbook/dp/1264268947?tag=50kft00-20 [Less than $46US]
  9. Hackers Playbook 2 https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing/dp/1980901759/ref=sr_1_2?crid=3OWZ8UCLX5ANU&keywords=.+The+Hackers+Playbook+2&qid=1691701682&sprefix=the+hackers+playbook+2%2Caps%2C85&sr=8-2 [Less than $30]
  10. Hacking: Computer Hacking Beginners Guide https://pdfroom.com/books/hacking-computer-hacking-beginners-guide/p0q2J8GodxE [Free download]
  11. Hacking: The Art of Exploitation, 2nd Edition https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=sr_1_1?crid=BY25O5JGDY95&keywords=Hacking%3A+The+Art+of+Exploitation%2C+2nd+Edition&qid=1691702542&sprefix=hacking+the+art+of+exploitation%2C+2nd+edition%2Caps%2C116&sr=8-1  [Less than $30US]
  12. Hash Crack: Password Cracking Manual https://www.amazon.com/Hash-Crack-Password-Cracking-Manual/dp/1793458618?tag=50kft00-20 [Less than $15]
  13. Kali Linux Revealed: Mastering the Penetration Testing Distribution https://www.amazon.com/Kali-Linux-Revealed-Penetration-Distribution/dp/0997615605?tag=50kft00-20 [Less than $40US]
  14. Mastering Metasploit https://github.com/PacktPublishing/Mastering-Metasploit-Third-Edition [No charge as of August 10, 2023]
  15. Nmap Network Scanning at https://nmap.org
  16. Practical Malware Analysis: The Hands-on Guide https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901?tag=50kft00-20 [Less than $45US]
  17. RTFM: Red Team Field Manual https://www.amazon.com/RTFM-Red-Team-Field-Manual/dp/1075091837/ref=sr_1_2?crid=16SFXUJRL3LMR&keywords=RTFM%3A+Red+Team+Field+Manual&qid=1691701596&sprefix=rtfm+red+team+field+manual%2Caps%2C104&sr=8-2 [This version is about $12US]
  18. Social Engineering: The Science of Human Hacking https://www.amazon.com/Social-Engineering-Science-Human-Hacking-dp-111943338X/dp/111943338X/ref=dp_ob_title_bk [Less than $21US]
  19. Web Application Hacker’s Handbook https://edu.anarcho-copy.org/Against%20Security%20-%20Self%20Security/Dafydd%20Stuttard,%20Marcus%20Pinto%20-%20The%20web%20application%20hacker’s%20handbook_%20finding%20and%20exploiting%20security%20flaws-Wiley%20(2011).pdf [This is the second edition]
  20. Web Hacking 101 https://pdfroom.com/books/web-hacking-101/E1d4DO6ydOb [Allegedly free]

Stephen E Arnold, August 11, 2023

Cyber Security Firms Gear Up: Does More Jargon Mean More Sales? Yes, Yes, Yes

July 31, 2023

I read a story which will make stakeholders in cyber security firms turn cartwheels. Imagine not one, not two, not three, but 10 uncertainty inducing, sleepless night making fears.


The young CEO says, “I can’t relax. I just see endless strings of letters floating before my eyes: EDR, EPP, XDR, ITDR, MTD, M, SASE, SSE, UES, and ZTNA. My heavens, ZTNA. Horrible. Who can help me?” MidJourney has a preference for certain types of feminine CEOs. I wonder if there is bias in the depths of the machine.

Navigate to “The Top 10 Technologies Defining the Future of Cybersecurity.” Read the list. Now think about how vulnerable your organization is. You will be compromised. The only question is, “When?”

What are these fear inducers? I will provide the acronyms. You will have to go to the cited article and learn what they mean. Think of this as a two-punch FUD moment. I provide the acronyms which are unfamiliar and mildly disconcerting. Then read the explanations and ask, “Will I have to buy bigger, better, and more cyber security services?” I shall answer your question this way, “Does an electric vehicle require special handling when the power drops to a goose egg?”

Here are the FUD-ronyms:

  1. EDR
  2. EPP
  3. XDR
  4. ITDR
  5. MTD
  6. M
  7. SASE
  8. SSE
  9. UES
  10. ZTNA

Scared yet?

Stephen E Arnold, July 31, 2023

AI and Malware: An Interesting Speed Dating Opportunity?

July 27, 2023

Note: Dinobaby here: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid. Services are now ejecting my cute little dinosaur gif. (´?_?`) Like my posts related to the Dark Web, the MidJourney art appears to offend someone’s sensibilities in the datasphere. If I were not 78, I might look into these interesting actions. But I am and I don’t really care.

AI and malware. An odd couple? One of those on my research team explained at lunch yesterday that an enterprising bad actor could use one of the code-savvy generative AI systems and the information in the list of resources compiled by 0xsyr0 and available on GitHub here. The idea is that one could grab one or more of the malware development resources and do some experimenting with an AI system. My team member said the AmsiHook looked interesting as well as Freeze. Is my team member correct? Allegedly next week he will provide an update at our weekly meeting. My question is, “Do the recent assertions about smart software cover this variant of speed dating?”

Stephen E Arnold, July 27, 2023

Microsoft Causing Problems? Heck, No

July 14, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

I cruised through the headlines my smart news system prepared for me. I noted two articles on different subjects. The two write ups were linked with a common point of reference: Microsoft Corp., home of the Softies and the throbbing heart of a significant portion of the technology governments in North America and Western Europe find essential.


“What’s the big deal?” asks Mr. Microsoft. “You have Windows. You have Azure. Software has bugs. Get used to it. You can switch to Linux anytime.” This interesting scene is the fruit of MidJourney’s tree of creativity.

The first article appeared in TechRadar, an online real news outfit. The title was compelling; specifically, “Windows 11 Update Is Reportedly Slowing Down PCs and Breaking Internet Connections.” The write up reports:

KB5028185, the ‘Moment 3’ update, is proving seriously problematic for some users … The main bones of contention with patch KB5028185 for Windows 11 22H2 are instances of performance slowdown – with severe cases going by some reports – and problems with flaky internet connections.

The second story appeared on cable “real” news. I tracked down the item titled “US and Microsoft Sound Alarm about China-Based Cybersecurity Threat.” The main idea seems to be:

The U.S. and Microsoft say China-based hackers, focused on espionage, have breached email accounts of about two dozen organizations, including U.S. government agencies.

Interesting. Microsoft seems to face two challenges: Desktop engineering and cloud engineering. The common factor is obviously engineering.

I am delighted that Bing is improving with smart software. I am fascinated by Microsoft’s effort to “win” in online games. However, isn’t it time for someone with clout to point out that Microsoft may need to enhance its products’ stability, security, and reliability?

Due to many organizations’ and individuals’ dependence on Microsoft, the company seems to have a knack for creating a range of issues. Will someone step up and direct the engineering in a way that does not increase vulnerability and cause fiduciary loss for its customers?

Anyone? Crickets I fear. Bad actors find Microsoft’s approach more satisfying than a stream of TikTok moments.

Stephen E Arnold, July 14, 2023

Is This for Interns, Contractors, and Others Whom You Trust?

June 14, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Not too far from where my office is located, an esteemed health care institution is in its second month of a slight glitch. The word in Harrod’s Creek is that the security methods in use at a major hospital were — how shall I frame this — a bit like the 2022-2023 University of Kentucky’s basketball team’s defense. In Harrod’s Creek lingo, this statement would translate to standard English as “them ‘Cats did truly suck.”


A young temporary worker looks at her boss. She says, “Yes, I plugged a USB drive into this computer because I need to move your PowerPoint to a different machine to complete the presentation.” The boss says, “Okay, you can use the desktop in my office. I have to go to a cyber security meeting. See you after lunch. Text me if you need a password to something.” The illustration for this hypothetical conversation emerged from the fountain of innovation known as MidJourney.

The chatter about assorted Federal agencies’ cyber personnel meeting with the institution’s own cyber experts is flitting around. When multiple Federal entities park their unobtrusive and sometimes large black SUVs close to the main entrance, someone is likely to notice.

This short blog post, however, is not about the lame duck cyber security at the health care facility. (I would add an anecdote about an experience I had in 2022. I showed up for a check up at a unit of the health care facility. Upon arriving, I pronounced my date of birth and my name. The professional on duty said, “We have an appointment for your wife and we have her medical records.” Well, that was a trivial administrative error: Wrong patient, confidential information shipped to another facility, and zero idea how that could happen. I made the appointment myself and provided the required information. That’s great computer systems and super duper security in my book.)

The question at hand, however, is: “How can a profitable, marketing oriented, big time in their mind health care outfit, suffer a catastrophic security breach?”

I shall point you to one possible pathway: Temporary workers, interns, and contractors. I will not mention other types of insiders.

Please, point your browser to Hak5.org and read about the USB Rubber Ducky. With a starting price of $80US, this USB stick has some functions which can accomplish some interesting actions. The marketing collateral explains:

Computers trust humans. Humans use keyboards. Hence the universal spec — HID, or Human Interface Device. A keyboard presents itself as a HID, and in turn it’s inherently trusted as human by the computer. The USB Rubber Ducky — which looks like an innocent flash drive to humans — abuses this trust to deliver powerful payloads, injecting keystrokes at superhuman speeds.

With the USB Rubber Ducky, one can:

  • Install backdoors
  • Covertly exfiltrate documents
  • Capture credentials
  • Execute compound actions.

Plus, if there is a USB port, the Rubber Ducky will work.

I mention this device because it may not be too difficult for a bad actor to find ways into certain types of super duper cyber secure networks. Plus temporary workers and even interns welcome a coffee in an organization’s cafeteria or a nearby coffee shop. Kick in a donut and a smile and someone may plug the drive in for free!
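The one property of the Rubber Ducky that Hak5’s own copy advertises, “injecting keystrokes at superhuman speeds,” is also what gives it away on the host. As an added example, not code from Hak5 or from the original post, here is a rate-based detector: it slides a window over keystroke timestamps and flags any window typed faster than a human can sustain. In a real deployment the timestamps would come from the operating system’s input layer (evdev events on Linux, a low-level keyboard hook on Windows); here both the “human” and the “ducky” streams are constructed, and the `WINDOW` and `MAX_HUMAN_RATE` thresholds are assumptions for the example rather than measured values.

```python
"""Rate-based detector for keystroke injection (the Rubber Ducky trick).

A keystroke-injection device types its payload at machine speed. Sustained
human typing rarely exceeds about 10 keystrokes per second, so a window of
consecutive keystrokes arriving far faster than that is a strong signal.
Timestamps would come from the OS input layer in a real deployment (evdev on
Linux, a low-level keyboard hook on Windows); here they are constructed.
WINDOW and MAX_HUMAN_RATE are assumed thresholds, not measured values.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

WINDOW = 20            # consecutive keystrokes examined together (assumption)
MAX_HUMAN_RATE = 15.0  # keystrokes/second; faster than this => injection (assumption)


@dataclass
class Verdict:
    injected: bool
    peak_rate: float            # fastest observed window, keystrokes/second
    start_index: Optional[int]  # first keystroke of the fastest window, if flagged


def sliding_rates(timestamps: Sequence[float], window: int = WINDOW) -> List[float]:
    """Keystrokes/second for every window of `window` consecutive events."""
    rates: List[float] = []
    for i in range(len(timestamps) - window + 1):
        span = timestamps[i + window - 1] - timestamps[i]
        # window-1 intervals fit in `span`; a zero span means identical stamps
        rates.append(float("inf") if span <= 0 else (window - 1) / span)
    return rates


def detect_injection(timestamps: Sequence[float], window: int = WINDOW,
                     max_rate: float = MAX_HUMAN_RATE) -> Verdict:
    """Flag the stream if any window is typed faster than a human could."""
    rates = sliding_rates(timestamps, window)
    if not rates:
        # Too few keystrokes to judge; do not raise an alert on silence.
        return Verdict(False, 0.0, None)
    peak = max(rates)
    if peak <= max_rate:
        return Verdict(False, peak, None)
    return Verdict(True, peak, rates.index(peak))


# Constructed streams (seconds). Human: about 8 keystrokes/s with gaps
# alternating between 100 ms and 140 ms. Ducky: 30 human keystrokes, a
# half-second pause, then a 40-keystroke payload at 5 ms spacing (200/s).
def human_stream(n: int = 60) -> List[float]:
    return [i * 0.12 + (0.02 if i % 2 else 0.0) for i in range(n)]


def ducky_stream() -> List[float]:
    prefix = human_stream(30)
    start = prefix[-1] + 0.5
    return prefix + [start + k * 0.005 for k in range(40)]


if __name__ == "__main__":
    print("human:", detect_injection(human_stream()))
    print("ducky:", detect_injection(ducky_stream()))
```

The rate check complements, rather than replaces, allow-listing of USB devices at the OS level: a device that is blocked never gets to type, while a device that slips through (or a payload deliberately slowed to human speed) still has to be caught by what it does once the keystrokes arrive.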

Stephen E Arnold, June 14, 2023

AI Allegedly Doing Its Thing: Let Fake News Fly Free

June 2, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

I cannot resist this short item about the smart software. Stories have appeared in my newsfeeds about AI which allegedly concluded that to complete its mission, it had to remove an obstacle — the human operator.

A number of news sources reported as actual factual that a human operator of a smart weapon system was annoying the smart software. The smart software decided that the humanoid was causing a mission to fail. The smart software concluded that the humanoid had to be killed so the smart software could go kill more humanoids.

I collect examples of thought provoking fake news. It’s my new hobby and provides useful material for my “OSINT Blindspots” lectures. (The next big one will be in October 2023 after I return from Europe in late September 2023.)

However, the write up “US Air Force Denies AI Drone Attacked Operator in Test” presents a different angle on the story about evil software. I noted this passage from an informed observer:

Steve Wright, professor of aerospace engineering at the University of the West of England, and an expert in unmanned aerial vehicles, told me jokingly that he had “always been a fan of the Terminator films” when I asked him for his thoughts about the story. “In aircraft control computers there are two things to worry about: ‘do the right thing’ and ‘don’t do the wrong thing’, so this is a classic example of the second,” he said. “In reality we address this by always including a second computer that has been programmed using old-style techniques, and this can pull the plug as soon as the first one does something strange.”

Now the question: Did smart software do the right thing? Did it go after its humanoid partner? In a hypothetical discussion perhaps? In real life, nope. My hunch is that the US Air Force anecdote is anchored in confusing “what if” thinking with reality. That’s easy for some younger than me to do in my experience.

I want to point out that in August 2020, a Heron Systems’ AI (based on Google technology) killed an Air Force “top gun” in a simulated aerial dog fight. How long did it take the smart software to neutralize the annoying humanoid? About a minute, maybe a minute and a half. See this Janes news item for more information.

My view is that smart software has some interesting capabilities. One scenario of interest to me is a hacked AI-infused weapons system. Pondering this idea opens the door to some intriguing “what if” scenarios.

Stephen E Arnold, June 2, 2023

NSO Group: How Easy Are Mobile Hacks?

April 25, 2023

I am at the 2023 US National Cyber Crime Conference, and I have been asked, “What companies offer NSO-type mobile phone capabilities?” My answer is, “Quite a few.” Will I name these companies in a free blog post? Sure, just call us at 1-800-YOU-WISH.

A more interesting question is, “Why is Israel-based NSO Group the pointy end of a three meter stick aimed at mobile devices?” (To get some public information about newly recognized NSO Group (Pegasus) tricks, navigate to “Triple Threat. NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains.” I would point out that the reference to Access Now is interesting, and a crime analyst may find a few minutes examining what the organization does, its “meetings,” and its hosting services time well spent. Will I provide that information in a free blog post? Please, call the 800 number listed above.)

Now let’s consider the question regarding the productivity of the NSO technical team.

First, Israel’s defense establishment contains many bright people and a world-class training program. What happens when you take well educated people, the threat of war without warning, and an outstanding in-service instructional set up? The answer is, “Ideas get converted into exercises. Exercises become test code. Test code gets revised. And the functional software becomes weaponized.”

Second, the “in our foxhole” mentality extends once trained military specialists leave the formal service and enter the commercial world. As a result, individuals who studied, worked, and in some cases, fought together set up companies. These individuals are a bit like beavers. Beavers do what beavers do. Some of these firms replicate functionality similar to that developed under the government’s watch and sell those products. Please note that NSO Group is an exception of sorts. Some of the “insights” originated when the founders were repairing mobile phones. The idea, however, is the same. Learning, testing, deploying, and hiring individuals with specialized training by the Israeli government. Keep in mind the “in my foxhole” notion, please.

Third, directly or indirectly important firms in Israel or, in some cases, government-assisted development programs provide: [a] Money, [b] meet up opportunities like “tech fests” in Tel Aviv, and [c] suggestions about whom to hire, partner with, consult with, or be aware of.

Do these conditions exist in other countries? In my experience, to some degree this approach to mobile technology exploits does. There are important differences. If you want to know what these are, you know the answer. Buzz that 800 number.

My point is that the expertise, insights, systems, and methods of what the media calls “the NSO Group” have diffused. As a result, there are more choices than ever before when it comes to exploiting mobile devices.

Where’s Apple? Where’s Google? Where’s Samsung? The firms, in my opinion, are in reactive mode, and, in some cases, they don’t know what they don’t know.

Stephen E Arnold, April 25, 2023
