A US Government Classification Wowza!
August 30, 2022
I read “What’s in a Classified Document?” The title is interesting because it suggests that classified information is like a cookbook. The contents of the cookbook are “known”; that is, step-by-step information about making grilled chicken. The write up explains:
Breakdowns of the various levels of information classification are available online, but they’re not that helpful out of context.
That makes sense: No context, no or limited understanding.
The write up continues:
Most classified materials, however, just aren’t all that sexy at first glance.
I noted this statement:
Technical and scientific documents, for instance, are almost always highly valuable.
And this caught my eye:
One of the greatest risks is that an adversary will learn how we’ve discovered their secrets.
I also put a check mark by this sentence:
Finally, it’s important to understand that, in many cases, what’s classified is not a particular set of facts but what the intelligence community thinks those facts mean.
Looking at the information about secrets, I think the obvious statements are okay. The point to me is that old fashioned methods of enforcing secrecy are probably better than the methods in use today.
Unfortunately the “information wants to be free” and “sharing is caring” ideas are not in line with my views. The message I take away from this write up is that beliefs, ideas, and procedures have been eroded in the last decade or so.
But I am a dinobaby. What do I know? Well, enough to point out that the apparatus of secrecy might be a useful project for someone not in the lobbying business, not a Beltway Bandit, and not an individual preparing a flight path as a consultant.
Stephen E Arnold, August 30, 2022
A Hidden Nugget about E2EE Use as a Filter
August 23, 2022
I am not a fan of Silicon Valley type “real” news. Political biases usually color the factoids. I read “Inside Facebook’s Encryption Conundrum.” [Believe it or not you may have to spit out personal info or pay to read this hyperlinked document.] I don’t care too much about Facebook’s conundrums. Mismanaged online services are poorly understood by those who live and die by social media. The goldfish does not know the water in its bowl contains amorphous scales of lead and lead phosphate.
I am going to ignore the description of the Zuckbook’s business processes and focus on what I perceive to be the nugget in the write up:
In recent conversations with Meta employees, I’ve come to understand more about what’s taking so long — and how consumer apathy toward encryption has created challenges for the company as it works to create a secure messaging app that its user base will actually use.
Translating into Beyond Search lingo yields, “People don’t know and don’t care.”
Ergo, anyone using an encrypted messaging app is signaling:
- I know;
- I care;
- Therefore, why not monitor me?
You may have a different conclusion. I believe use of apps like Telegram provides an important signal. Apathy is a filter. Is the opposite important?
Stephen E Arnold, August 23, 2022
TikTok: Allegations of Keylogging
August 22, 2022
I am not a TikTok person; therefore, I exist in a trend free zone. Others are sucking down short videos with alacrity. I admire a company, possibly linked to China’s government, which has pioneered a next generation video editor and caused the Alphabet Google YouTube DeepMind thing to innovate via its signature “me too” method of innovation.
Now TikTok has another feature, which is an interesting allegation. “TikTok’s In-App Browser Can Monitor Your Every Click and Keystroke” asserts:
When Krause [a security researcher] dug a little deeper into what these apps’ in-app browsers really do, he found that TikTok does some bad things, including monitoring all of users’ keyboard inputs and taps. So, if you open a web page inside of TikTok’s app, and enter your credit card details there, TikTok can access all of those details. TikTok is also the only app, out of all the apps Krause has looked into, that doesn’t even offer an option to open the link in the device’s default browser, forcing you to go through its own in-app browser.
Let’s assume this finding is spot on. First question: Does anyone care? Second question: So what?
I don’t have answers to either question. I do, however, have several observations:
- Oracle, for some reason, seems to care. The estimable database company is making an effort to find information that suggests TikTok data are kept in a cupboard. Only grandma can check out who will be an easy target for psychological manipulation. No results yet, but if TikTok is a neutral service, why’s Oracle involved?
- A number of Silicon Valley pundits have pointed out that TikTok is no big deal. That encapsulates the “so what” issue. “Put that head in the sand and opine forward” is the rule of thumb for these insightful folks.
- Keyloggers are a fave of certain actors. TikTok may have found them useful for benign purposes.
Quite an allegation.
Stephen E Arnold, August 22, 2022
Albert the (Bug) Bounty Hunter
August 18, 2022
Albert Pedersen, an inquisitive scholar in Denmark, makes a hobby of prodding software for vulnerabilities. Now he has proudly collected a bounty after his second successful hunt. Gizmodo reports, “A College Student Discovered a Bug in Cloudflare Email Routing that Let You Read Any User’s Emails.” Email routing services allow users to create disposable email addresses that point back to their “real” accounts and can be valuable privacy tools. That is, if they are truly secure. Writer Lucas Ropek reports:
“Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when properly exploited, allowed any user to read—or even manipulate—other users’ emails. … The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s ‘zone ownership verification’ system, meaning that it was possible for a hacker to reconfigure email routing and forwarding for email domains that weren’t owned by them. Proper manipulation of the exploit would have allowed someone with knowledge of the bug to re-route any users’ emails to their own address. It would have also allowed a hacker to prevent certain emails from being sent to the target at all. In his write-up, Pedersen notes that it’s not that difficult to find online lists of email addresses attached to Cloudflare’s service. Using one of those lists, a bad guy could have quite easily targeted anybody using the forwarding service. After discovering the exploit, Pedersen managed to reproduce it a number of times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program.”
We are sure Cloudflare considers the bounty to be $6,000 well spent. Had the bug gone unsquashed, the repercussions may have gone well beyond the troublesome privacy issues. Bad actors could also have used it to reset passwords, gaining access to financial and other accounts. As Ropek points out, this is a good illustration of why two-factor authentication is worth the hassle. As talented as he is, the intrepid young Dane is only one person. He may not catch the next bug in time.
Cynthia Murrell, August 18, 2022
Is Google Drive — Gulp — a Hacking Tool for Bad Actors?
August 17, 2022
Russia is a near-impregnable force when it comes to hacking. Vladimir Putin’s home base is potentially responsible for influencing many events in the United States, including helping Donald Trump win his first presidential election. Russia neither confirms nor denies the roles hackers play in its and global politics. Unfortunately, Cyber Scoop shares how a common Google tool has been purloined by hackers: “Russian Hacking Unit Cozy Bears Adds Google Drive To Its Arsenal, Researchers Say.”
In what is one of the simplest ways to deliver malware, Russian hackers from the state-funded unit Cozy Bear are using Dropbox and Google Drive. Did you read that? Russian hackers are using legitimate cloud storage services, including one from one of the biggest tech giants, to deliver malware. Palo Alto Networks’ Unit 42 researchers are confounded by the delivery process, because it is hard to detect:
“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said. “When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”
Russian hackers and other black hat people have used cloud storage services to deliver malware before, but using Google Drive is a new tactic. Google is a globally trusted brand that makes more people vulnerable to malware. When people see Google, they automatically trust it, so potential victims could unknowingly download malware.
Dropbox is deleting any accounts that are exploiting their services for hacking. The good news is cloud storage services want to protect users, but the bad news is they are not acting fast enough.
Whitney Grace, August 17, 2022
Quantum Supremacy Emulators: The Crypto Claim
August 16, 2022
I noted the silliness of the quantum supremacy claims first by the GOOG and then by the Red Hat dependent IBM. I pointed out that Intel claimed a quantum thing-a-ma-bob that would be a hub for certain quantum functions. Yeah, horse something, maybe ridge, maybe feathers. I mentioned in one of my blog posts or client emails that the US government aided by big wizards had developed algorithms that could not be broken by yet-to-be-invented quantum computers.
Now we have an interesting story that puts much of the quantum supremacy-type PR in a flaming dumpster. Wow, look at the dense smoke from a piddling fire.
“Post Quantum Encryption Contender Is Taken Out by Single-Core PC and 1 Hour” states:
SIKE is the second NIST-designated PQC candidate to be invalidated this year. In February, IBM post-doc researcher Ward Beullens published research that broke Rainbow, a cryptographic signature scheme with its security, according to Cryptomathic, “relying on the hardness of the problem of solving a large system of multivariate quadratic equations over a finite field.”
Everyone will keep trying. Perhaps a functioning quantum computer will become available to make hunting for flaws more helpful. No, wait a minute. The super algorithm was compromised by a single core PC chugging along for one hour.
Oh, well, as long as one doesn’t look too closely some of the quantum supremacy PR sounds great. In my opinion, some of the stuff is a bit silly.
Stephen E Arnold, August 16, 2022
Cisco Systems: Security? Well, the Ads Say So
August 12, 2022
I read a mildly amusing article which revealed a flaw in Cisco Systems’ security. The write up was “Cisco Hacked by Yanluowang Ransomware Gang, 2.8GB Allegedly Stolen.”
Why did I chuckle?
I noted these ads in a recent Google search about — you guessed it — network security.
The first ad is for networking solutions and Cisco’s secure firewall. Gander at this:
The second ad popped up when I searched for Cisco and its super expert Talos unit. Talos, an acquisition from Israel, is supposed to be one of the Fancy Dan threat intelligence outfits. The idea is that you know before there is trouble. Peek at this:
You can download the report from this link.
What did the article report as spot on information? Here’s a passage I noted:
The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations. The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company’s corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.
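The pattern described in that passage, a stream of MFA pushes until the user finally approves one, is something an authentication log can surface. The following is an added example, not code from the article or from Cisco, that assumes a hypothetical push-event log format and flags users hit by a push flood or by an approval that follows a run of denials:

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example; not code from the article or from Cisco. It assumes a
hypothetical log format with one push event per line:
    <ISO-8601 timestamp> user=<name> event=<push_sent|push_denied|push_approved>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_PUSHES = 5             # more pushes than this inside WINDOW is suspicious
MIN_DENIALS_BEFORE_OK = 3  # an approval after this many denials is suspicious

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(push_sent|push_denied|push_approved)$")

def parse(lines):
    """Yield (timestamp, user, event) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def detect(lines):
    """Return {user: set of alert names} for users showing fatigue patterns."""
    per_user = defaultdict(list)
    for ts, user, event in parse(lines):
        per_user[user].append((ts, event))
    alerts = defaultdict(set)
    for user, events in per_user.items():
        events.sort()
        for i, (ts, event) in enumerate(events):
            # Sliding window: this event and everything up to WINDOW before it.
            window = [e for t, e in events[: i + 1] if ts - t <= WINDOW]
            if window.count("push_sent") > MAX_PUSHES:
                alerts[user].add("push_flood")
            # The Cisco case: a run of denials followed by an approval.
            if event == "push_approved" and window.count("push_denied") >= MIN_DENIALS_BEFORE_OK:
                alerts[user].add("approve_after_denials")
    return dict(alerts)

# Constructed sample: alice is pushed once a minute for six minutes, denies the
# first five and finally approves; bob gets one push and approves it at once.
SAMPLE_LOG = (
    [f"2022-08-10T14:0{m}:05Z user=alice event=push_sent" for m in range(6)]
    + [f"2022-08-10T14:0{m}:20Z user=alice event=push_denied" for m in range(5)]
    + [
        "2022-08-10T14:05:22Z user=alice event=push_approved",
        "2022-08-10T14:00:09Z user=bob event=push_sent",
        "2022-08-10T14:00:15Z user=bob event=push_approved",
    ]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Either alert on its own is a reason to contact the user and review the VPN session; both together match the sequence the article describes.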
Several observations:
- Cisco identified the bad actors as a group which sure seems to be from a specific country. Russia? No, that nation state has demonstrated that some of its tactical expertise falls short of a high water mark probably captured in a PowerPoint deck. Tanks? Remember?
- The security breach was something the vaunted Cisco security systems could not handle. An insider. Interesting because if this is indeed accurate, no organization can protect itself from an insider who is intentionally or unintentionally compromised. Is this useful information for a bad actor?
- If the Cisco security systems and its flow of threat intelligence were working, why is the company only able to enhance or improve its own security after the fact? Wasn’t there a fairy tale about the shoemaker’s children not having a snappy new pair of collectible shoes?
Net net: The buzz about a group of companies banding together to share security related information is interesting. What this story about the Cisco breach tells me is that teaming up is a way of circling the wagons. Maybe the PowerPoints and ads are not completely accurate? Nah, impossible.
Stephen E Arnold, August 12, 2022
DARPA Works to Limit Open Source Security Threats
August 9, 2022
Isn’t it a little late? Open-source code has become an integral part of nearly every facet of modern computing, including military and critical infrastructure applications. Now, reports MIT Technology Review, “The US Military Wants to Understand the Most Important Software on Earth.” It seems military researchers have just realized there is no control over, or even accounting for, the countless contributors to open-source projects like the Linux kernel. That software alone underpins the operation of most computers. And yet the feature that makes open-source software free and, therefore, ubiquitous also makes it vulnerable to bad actors.
Since it cannot turn back the clock and consider security before open-source code got baked into critical software, DARPA will instead scrutinize the people and organizations behind open-source projects. The program, dubbed “SocialCyber,” will take 18 months and millions of dollars to implement. It will use a combination of the latest AI tech and good old-fashioned sociology to pinpoint potential threats. Reporter Patrick Howell O’Neill writes:
“The ultimate goal is to detect and counteract any malicious campaigns to submit flawed code, launch influence operations, sabotage development, or even take control of open-source projects. To do this, the researchers will use tools such as sentiment analysis to analyze the social interactions within open-source communities such as the Linux kernel mailing list, which should help identify who is being positive or constructive and who is being negative and destructive. The researchers want insight into what kinds of events and behavior can disrupt or hurt open-source communities, which members are trustworthy, and whether there are particular groups that justify extra vigilance. These answers are necessarily subjective. But right now there are few ways to find them at all. Experts are worried that blind spots about the people who run open-source software make the whole edifice ripe for potential manipulation and attacks. For Bratus, the primary threat is the prospect of ‘untrustworthy code’ running America’s critical infrastructure—a situation that could invite unwelcome surprises. …This kind of research also aims to find underinvestment—that is critical software run entirely by one or two volunteers.”
The program relies on partnerships between DARPA and several small cybersecurity research firms like New York’s Margin Research. These firms will ascertain who is working on what open-source projects. Margin will focus on Linux, considered the most urgent point of concern. Open-source programming language Python, which is often used in machine-learning projects, is another priority. SocialCyber is quite an undertaking—it is the pound of cure we could have avoided with an ounce of foresight several years ago.
Cynthia Murrell, August 9, 2022
How Secure Is Cyber Security?
July 27, 2022
I have noted that cyber security companies invite me to webinars, briefings, conferences, and telephone calls. The subject of these calls is usually advanced, next-generation, proactive, smart, and intelligent cyber security solutions. The idea is that I will mention these firms in my lectures to law enforcement, crime analysts, and intelligence professionals. I sit through some. One outfit offers weekly seven to 10 minute reports about some new, absolutely horrible cyber threat. Others want me to join a Zoom to watch a series of PowerPoint slides showing how the latest Zero Day will make life miserable for companies without their cloud-based security system.
I then read item after item about a new variant of a RAT, an exploit taking advantage of the Swiss cheese of enterprise software, or some new dump of personal financial data on a Dark Web site selling fullz. It seems to me as if the cyber security sector is better at marketing than delivering cyber security. That’s just my opinion, and I usually don’t make a big deal of the veggie burgers being sold as 100 percent prime sirloin.
I read “Digital Security Giant Entrust Breached by Ransomware Gang.” The article does little to make me feel warm and fuzzy about cyber security systems and their vendors. I learned:
Digital security giant Entrust has confirmed that it suffered a cyber attack where threat actors breached their network and stole data from internal systems.
Who are the customers of this “digital security giant”? The write up reported:
This includes US government agencies, such as the Department of Energy, Department of Homeland Security, the Department of the Treasury, the Department of Health & Human Services, the Department of Veterans Affairs, the Department of Agriculture, and many more.
Great. How effective are those whiz bang cyber security systems?
Yeah. I think I know the answer. Marketing is easier than delivering cyber security that works.
Stephen E Arnold, July 27, 2022
Google Play: Autosubscriber
July 22, 2022
I came across a presentation available from the cyber firm Evina. “Autolycos” explains that one can / could download a malicious app from the Google Play Store. (How’s that smart software working to prevent this type of situation, Google? Hello, Google, are you there?)
The write up states:
In July 2022, a new malware family was discovered by top malware experts at Evina. This discovery is remarkable because new malware families are rarely detected (about once a year) and this specific new malware works in an entirely new way.
The operative word is “new.” Why is this important? Cyber security is a reactive business despite the marketing that says, “We predict threats before they do harm.” Well, marketing.
Among the malicious apps are:
- CoCo Camera
- Creative 3D Launcher
- Freeglow Camera
- Funny Camera
- GIF Keyboard
- Razer Keyboard and Theme
- VLOG Star Video Editor
- WOW Camera.
Aimed at younger folks? Sure looks that way.
The report points out:
The malware launches fraud attempts by . For some steps, it can execute urls on a remote browser and embed these results in the http requests. This operation is intended to make it harder for Google to differentiate Autolycos infected apps from legitimate ones. This is exactly why Autolycos remained unidentified for so long and reached over 3 million downloads.
The good news is that the apps appear to be popular outside the US, but there is tomorrow.
Stephen E Arnold, July 22, 2022