Is The TikTok Google Allegation Accurate?

July 21, 2022

Good question. I know that any outfit offering a “service” has individuals who can look at data, metadata, and any other “stuff” associated with a particular entity; for example, spend limit, contacts, and geodata. Privacy and security depend on access controls. In theory, certain data are sandboxed and special approvals may be needed to get into that nifty play area. The hitch in the get-along is that a system fails, a senior executive needs something now to close a big deal, or a friend begs for help with such and such a problem. There’s also just the endemic “good enough” and “close enough for horseshoes” attitude, which affects everyone from TV personalities interacting with Air France to a busy parent trying to buy a hamburger and shake for a hungry lacrosse player at 4 pm on a blistering day in rural Kentucky.

That means… gaps, slip-ups, workarounds, and doing what’s needed to fill time or get something done fast.

I read “Nothing Is Private: TikToker Who Says She’s a Former Google Admin Warns Workers about Work Accounts.” The information in the article is about a revelation on TikTok. The problem is that I am not sure the behavior described is accurate. Heck, it could be fabricated for some clicks and maybe an appearance on the Joe Rogan podcast. Fame is where you find it today.

The article quotes a TikTok denizen as saying:

Whatever you put in that account—whether it’s emails, photos, Google Drive documents, or anything else—is not private.

Okay, clear enough.

For fun, let’s assume the Xoogler spilling the beans on the utility of having access to billions of users’ information is sort of true.

Shocking?

Nah.

The write up says:

that means that a company has access to all of the documents within someone’s company Google account, which can include things like email drafts, G-chats, and Google Drive uploads. This also reportedly applies to universities with student Google accounts. Furthermore, one does not have to leave the job or university for their administrators to obtain this access. “I can get into any of it,” Lauren says. “Any of it!”

Ads, folks. Ads mean money. Who can resist generating revenue, beating performance targets, and getting a big bonus. Once Google would toss in a ski trip or a mouse pad. Go for it. The incentive plan is what makes the Googlers spin.

What’s the fix? The answer is:

Delete. Delete. Delete.

Sounds like reasonable advice if deletion is indeed “real.” Data are backed up, and “delete” usually means removing a pointer to an object in a file system, not erasing the object. Those backups, the copies of data tables on a marketing department laptop, or the data required to whip up a projection based on use of information to spur quicker depletion of ad inventory?

Probably not deleted.

Let’s assume the write up describes something the Google does not, could not, would not, and will not do. Wow. Bullet dodged.

But… what if…? Wow. Bullets incoming.

Stephen E Arnold, July 21, 2022

Proofpoint: Journalists Wear a Bull’s Eye instead of a Shirt with Ink Stained Cuffs

July 19, 2022

Proofpoint is a cyber security firm. The company published an interesting blog essay called “Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media.” The write up presents allegedly accurate information that a number of nation states are targeting journalists. This makes sense because some journalists are, in effect, crime and intelligence analysts at heart. Their methods are often similar to those used by certain government organizations.

Is this a new insight from the world’s intelligence professionals? I don’t think so.

The write up states:

Journalists and media organizations are well sought-after targets with Proofpoint researchers observing APT actors, specifically those that are state-sponsored or state-aligned, routinely masquerading as or targeting journalists and media organizations because of the unique access and information they can provide. The media sector and those that work within it can open doors that others cannot. A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification. A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere. Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated import.

What nation states are allegedly targeting certain journalists? The article mentions by name these countries:

  1. China
  2. Iran
  3. North Korea
  4. Turkey (sic). The country’s new name is Türkiye

The article includes examples of the Proofpoint analysts’ identification of actions.

The write up concludes with what appears to be some free advice:

The varied approaches by APT actors—using web beacons for reconnaissance, credential harvesting, and sending malware to gain a foothold in a recipient’s network—means those operating in the media space need to stay vigilant.

Many journalists, in my experience, are unaware of the nuances of staying vigilant. Targets are targets because they can be hit. Examples of what has happened are interesting. May I suggest that journalists receive appropriate instruction when learning their craft. Instruction in vigilance may need to be upgraded or enhanced. Many journalists — particularly what I call the Silicon Valley variety — are more interested in recognition, media clout, and being visible than stepping back and asking, “Have I been targeted, played, and manipulated?”

Stephen E Arnold, July 19, 2022
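The Proofpoint advice quoted above names web beacons as the reconnaissance step: a remote image fetched when the message is opened tells the sender that the address is live, when it was read, and roughly from where. One concrete form of “staying vigilant” is to inspect an HTML message for such beacons before remote content is loaded. The checker below is an added example written for this post; it is not Proofpoint’s code, and the newsletter, the hostnames (news.example, tracker.example) and the recipient token in the sample are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class BeaconFinder(HTMLParser):
    """Collects <img> tags that look like remote tracking pixels (web beacons)."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = set(trusted_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        # Valueless attributes arrive as None; normalise them to empty strings.
        attrs = {k: (v or "") for k, v in attrs}
        src = attrs.get("src", "")
        parsed = urlparse(src)
        host = parsed.hostname
        # Inline (cid:) images and images served from the sender's own hosts are not remote beacons.
        if host is None or host in self.trusted_hosts:
            return
        reasons = []
        if attrs.get("width", "").strip() in ("0", "1") or attrs.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny-dimensions")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        if not reasons:
            return  # an ordinary visible remote image is not flagged on its own
        if parsed.query:
            # A per-recipient identifier in the URL is what ties the fetch to one person.
            reasons.append("tracking-parameter")
        self.findings.append({"src": src, "host": host, "reasons": reasons})


def find_web_beacons(html, trusted_hosts=()):
    """Return a list of suspected web beacons found in an HTML email body."""
    finder = BeaconFinder(trusted_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a plausible-looking newsletter carrying one hidden tracking pixel.
# The hostnames and the recipient token are invented for this example.
SAMPLE_EMAIL = """
<html><body>
  <img src="cid:logo@newsletter" alt="logo">
  <img src="https://news.example/images/banner.png" width="600" height="120">
  <p>This week's stories are below.</p>
  <img src="https://tracker.example/pixel.gif?rcpt=7f3a9c" width="1" height="1" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_web_beacons(SAMPLE_EMAIL, trusted_hosts={"news.example"}):
        print(hit["host"], ",".join(hit["reasons"]), hit["src"])
```

The sender’s own image host is passed as trusted so that a newsletter banner is not confused with a beacon; the durable mitigation is the mail client setting that blocks remote images by default, which this check only helps a reader decide whether to override.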

The Cost of Cyber Security Misconfiguration

July 18, 2022

The numbers tossed around about the cost of a security breach are interesting. I have formed the opinion that the cost estimates are a result of what I have called spreadsheet fever. Plug in numbers, make them flow, and go, baby, go. I read “Razer Seeks $7m from Capgemini for 2020 Data Breach.” The write up explains:

The Singapore-born gaming firm is seeking compensation of nearly US$7 million in damages, which also includes a US$2,000 reward to the security researcher who discovered the breach under the company’s bug bounty program.

What outfit is the target of the litigation? The write up says:

In its lawsuit, Razer alleged that the security breach was the result of a misconfiguration of the “ELK Stack,” caused by one of Capgemini’s employees.

The ELK is not the majestic animal. The ELK in the cyber context represents open source software glued together to deliver a range of security features. The trick is the configuration. Get a setting wrong, and the ELK is less healthy than some observers suspect. An unhealthy ELK can be problematic. This is not a big dead animal in the climate changed world. This creature puts revenue and others at risk of catching a bad disease themselves; for example, standing in the unemployment line, working the phone to reclaim their identity, and applying for a job at one of the booming cyber security vendors. Well, maybe not that particular angle.

The outcome of the lawsuit may provide some more data about the cost of a cyber screw up and details about the how of the alleged misstep.

Stephen E Arnold, July 19, 2022

Microsoft Security Team Helps Android Users. What about Microsoft Users? Meh?

July 13, 2022

Two items caught my attention this morning (July 4, 2022).

The first is “ALERT! Microsoft warns of dangerous Android malware on your phone that intercepts OTP, SMS too.” Locating this story might be tricky. I noted it on DailyHunt, an information service in India. The url displayed for me is in this link. Your mileage may vary. Yeah, the modern Internet. The article reports:

Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware.

What’s the fix? Here’s a helpful suggestion:

A rule of thumb is to avoid installing Android applications from untrusted sources (side loading) and always follow up with device updates.

The second was “Android Toll Fraud malware can subscribe users to premium services without consent.” Once again, the link to my source is this information highway signpost. Good luck because this may be similar to the now long gone Burma Shave signs. The article informed me that:

The toll fraud malware… purchases subscription on behalf of the user in a way that the overall process isn’t perceivable.

So what’s the fix?

One of the easiest ways to protect yourself from this malware is by downloading the latest version of any available software update on your smartphone. Apart from that, avoid installing Android applications from untrusted sources. In addition to that, avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.

Helpful indeed.

Here’s a quick question: What about Microsoft security for its products and services? Meh. What’s important is a little bit of negative PR for the fun loving Googlers.

Stephen E Arnold, July 13, 2022

TikTok: One US Government Agency Is Not Addicted

July 6, 2022

“U.S. FCC Commissioner Wants Apple and Google to Remove TikTok from Their App Stores” appears to have avoided the digital addiction which some attribute to TikTok. As I have pointed out in my lectures, some Silicon Valley “real news” types are just thrilled with TikTok. Others, like myself, view the app with considerable suspicion. It appears that the US Federal Communications Commission has some doubts as well.

The write up states:

A leader of the U.S. Federal Communications Commission said he has asked Apple and Google to remove TikTok from their app stores over China-related data security concerns.

The article points out:

  1. A China connection
  2. Data hoovering
  3. A surveillance tool.

The real news folks did not mention TikTok’s usefulness as a psyops weapon.

Oh, well. Why would psyops be important? Possibly manipulation, blackmail, weaponized information. Yeah, no big deal.

Stephen E Arnold, June xx, 2022

The Evolving Ransomware Arena

June 29, 2022

A new report from cybersecurity firm KELA updates us on shifts within the ransomware ecosystem. ZDNet summarizes the findings in, “Ransomware Attacks Have Dropped. And Gangs Are Attacking Each Other’s Victims.” The good news—the number of victims dropped by about 40% from 2021’s last fiscal quarter to the first quarter of this year. The bad news—financial services organizations are now in the top four targeted sectors. Time for each of us to confirm we have unique passwords for our banking logins. And maybe create fresh ones while we are at it.

Writer Charlie Osborne also gives us a little dirt from behind the ransomware scenes:

“A notable shift is Conti’s place as one of the most prolific ransomware groups, alongside LockBit, Hive, Alphv/Blackcat, and Karakurt. … During the first few months of this year, Conti publicly pledged its support for Russia’s invasion of Ukraine. Following the Russian-speaking group’s declaration, in retaliation, an individual broke into its systems and leaked Conti’s malware code and internal chat logs – a treasure trove for researchers and defenders alike. While security teams were able to use the leaks to improve their understanding of the ransomware gang’s operations, it also impacted Conti’s place in the pecking order. According to KELA, Conti has been booted from the top spot in the months following the leak. While still active, it appears that Conti’s victim list decreased from January, with LockBit moving up the ranks. In Q1, LockBit hit 226 recorded victims, ranging from manufacturing and technology to the public sector. However, together with its suspected subsidiary KaraKurt, Conti is still the second-most active ransomware gang in 2022. Alphv is considered an emerging threat by KELA as a new player, having only really hit the spotlight in December 2021.”

And the race for dominance continues. The competition appears to be cutthroat, with gangs apparently attacking each other and/or targeting the same victims: In some cases, the stolen data published by several gangs was identical. Then again, that could be the result of cooperation. Researchers also found evidence of ransomware gangs collaborating with each other. How nice.

Cynthia Murrell, June 29, 2022

Cyber Security: PowerPoints Are Easy. Cyber Security? Not So Much

June 21, 2022

I receive a couple of cyber security, cyber threat, and cyber risk reports every week. What’s interesting is that each of the cyber security vendors mentioned in the news releases, articles, and blog posts discovers something no other cyber outfit talks about. Curious.

I read “Most Security Product Buyers Aren’t Getting Promised Results: RSA Panel.” The article explains that other people poking around in security have noticed some oddities, if not unexplained cyber threats too.

The article reports:

Hubback [an expert from ISTARI] said that “90% of the people that I spoke to said that the security technologies they were buying from the market are just not delivering the effect that the vendors claim they can deliver. … Quite a shocking proportion of people are suffering from technology that doesn’t deliver.”

I found this factoid in the write up interesting:

…vendors know their product and its strengths and weaknesses, but buyers don’t have the time or information to understand all their options. “This information asymmetry is the classic market for lemons, as described by George Akerlof in 1970,” said Hubback. “A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can’t properly evaluate what they’re buying.”

Exploitation of a customer’s ignorance and trust?

Net net: Is this encouraging bad actors?

Stephen E Arnold, June 21, 2022

NSO Group: Is This a Baller Play to Regain Its PR Initiative or a Fumble?

June 15, 2022

Secrecy and confidentiality are often positive characteristics in certain specialized software endeavors. One might assume that firms engaged in providing technology, engineering support, and consulting services would operate with a low profile. I like to think of my first meeting with Admiral Craig Hosmer. We each arrived at the DC Army Navy Club at 2:30 pm Eastern time. The Admiral told me where to sit. He joined me about 15 minutes later. The Club was virtually empty; the room was small but comfortable; and the one staff member was behind the bar doing what bartenders do: polishing glasses.

Looking back on that meeting in 1974, I am quite certain no one knew I was meeting the Admiral. I have no idea where the Admiral entered the building nor did I see who drove him to the 17th Street NW location. My thought is that this type of set up for a meeting was what I would call “low profile.”

“US Defence Contractor in Talks to Take Over NSO Group’s Hacking Technology” illustrates what happens when the type of everyday precautions Admiral Hosmer took are ignored. A British newspaper reports:

The US defence contractor L3Harris is in talks to take over NSO Group’s surveillance technology, in a possible deal that would give an American company control over one of the world’s most sophisticated and controversial hacking tools. Multiple sources confirmed that discussions were centered on a sale of the Israeli company’s core technology – or code – as well as a possible transfer of NSO personnel to L3Harris.

Okay, so much for low profiling this type of deal.

I am not sure what “multiple sources” means. If someone were writing about my meeting the Admiral, the only sources of information would have been me, the Admiral’s technical aide (a nuclear scientist from Argonne National Laboratory), and probably the bartender, who did not approach the area in which the former chair of the Joint Committee on Atomic Energy was sitting.

But what have we got?

  1. A major newspaper’s story about a company which has made specialized services as familiar as TikTok
  2. Multiple sources of information. What? Who is talking? Why?
  3. A White House “official” making a comment. Who? Why? To whom?
  4. A reference to a specialized news service called “Intelligence Online”. What was the source of this outfit’s information? Is that source high value? Why is a news service plunging into frog killing hot water?
  5. Ramblings about the need to involve government officials in at least two countries. Who are the “officials”? Why are these people identified without specifics?
  6. References to human rights advocates. Which advocates? Why?

Gentle reader, I am a dinobaby who was once a consultant to the company which made this term popular. Perhaps a return to the good old days of low-profiling certain activities is appropriate?

One thing is certain: Not even Google’s 10-thumb approach to information about its allegedly smart software can top this NSO Group PR milestone.

Stephen E Arnold, June 15, 2022

The Alleged Apple M1 Vulnerability: Just Like Microsoft?

June 15, 2022

I read “MIT Researchers Uncover Unpatchable Flaw in Apple M1 Chips.” I have no idea if the exploit is one that can be migrated to a Dark Web or Telegram Crime as a Service pitch. Let’s assume that there may be some truth to the clever MIT wizards’ discoveries.

First, note this statement from the cited article:

The researchers — which presented their findings to Apple — noted that the Pacman attack isn’t a “magic bypass” for all security on the M1 chip, and can only take an existing bug that pointer authentication protects against.

And this:

In May last year, a developer discovered an unfixable flaw in Apple’s M1 chip that creates a covert channel that two or more already-installed malicious apps could use to transmit information to each other. But the bug was ultimately deemed “harmless” as malware can’t use it to steal or interfere with data that’s on a Mac.

I may be somewhat jaded, but if these statements are accurate, the “unpatchable” adjective is a slice of today’s reality. Windows Defender may not defend. SolarWinds may burn with unexpected vigor. Cyber security software may be more compelling in a PowerPoint deck than installed on a licensee’s system wherever it resides.

The key point is that like many functions in modern life, there is no easy fix. Human error? Indifference? Clueless quality assurance and testing processes?

My hunch is that this is a culmination of the attitude of “good enough” and “close enough for horseshoes.”

One certainty: Bad actors are encouraged by assuming that whatever is produced by big outfits will have flaws, backdoors, loopholes, stupid mistakes, and other inducements to break laws.

Perhaps it is time for a rethink?

Stephen E Arnold, June 15, 2022

Microsoft: Helping Out Google Security. What about Microsoft Security?

June 14, 2022

While Microsoft is not among the big tech giants, the company still holds a prominent place within the technology industry. Microsoft studies rival services and products to gain insights, and it shares anything that might lower a rival’s standing, such as a security threat: “Microsoft Researchers Discover Serious Security Vulnerabilities In Big-Name Android Apps.” The Microsoft 365 Defender Research Team found a slew of severe vulnerabilities in the mce Systems mobile framework used by large companies, including Rogers Communications, Bell Canada, and AT&T, for their apps.

Android phones have these apps preinstalled in the OS and they are downloaded by millions of users. These vulnerabilities could allow bad actors to remotely attack phones. The types of attacks range from command injection to privilege escalation.

The Microsoft 365 Defender Research Team shared the discovery:

“Revealing details of its findings, the security research team says: ‘Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information’.

In the course of its investigation, the team found the mce Systems’ framework had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.”

Vulnerabilities also affected apps on Apple phones. Preinstalled apps simplify device activation and troubleshooting and optimize performance. Unfortunately, this gives the apps control over the majority of the phone, and bad actors will exploit them to gain access. Microsoft worked with mce Systems to fix the threats.

Interestingly, Microsoft found the security threats. Maybe Microsoft wants to reclaim its big tech title by protecting the world from Google’s spies?

Whitney Grace, June 14, 2022
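Two of the posts above point at the same place on an Android device: the toll fraud advice (July 13) says not to grant SMS, notification listener or accessibility access without understanding why an app needs it, and the mce Systems write up (above) describes a “BROWSABLE” activity that could be invoked remotely. All of these are declared in an app’s AndroidManifest.xml, so a defender can audit a manifest for them before the app ships or is allowed on a fleet. The audit below is an added example written for these two posts; it is not Microsoft’s or mce Systems’ code, and the package name, component names and the `carrierhelper` URL scheme in the sample manifests are invented. It generalises the two cases into one pass: SMS permissions requested, services that bind as notification listener or accessibility services, and BROWSABLE activities reachable from outside the app with no permission guarding them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree key for an android:-namespaced manifest attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# Services declared with these bind permissions are notification-listener and accessibility services.
PRIVILEGED_SERVICE_PERMISSIONS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification-listener-service",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility-service",
}
BROWSABLE = "android.intent.category.BROWSABLE"


def is_exported(component):
    """True if another app (or a link opened in a browser) can reach this component."""
    exported = component.get(android_attr("exported"))
    if exported is not None:
        return exported.lower() == "true"
    # Before Android 12, a component with an <intent-filter> was exported by default.
    return component.find("intent-filter") is not None


def audit_manifest(manifest_xml):
    """Return (finding, component-or-permission-name) pairs for the risky declarations."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for up in root.findall("uses-permission"):
        name = up.get(android_attr("name"))
        if name in SMS_PERMISSIONS:
            findings.append(("sms-permission", name))
    app = root.find("application")
    if app is None:
        return findings
    for activity in app.findall("activity"):
        browsable = any(
            cat.get(android_attr("name")) == BROWSABLE
            for flt in activity.findall("intent-filter")
            for cat in flt.findall("category")
        )
        unguarded = activity.get(android_attr("permission")) is None
        if browsable and is_exported(activity) and unguarded:
            findings.append(("exported-browsable-activity", activity.get(android_attr("name"))))
    for service in app.findall("service"):
        perm = service.get(android_attr("permission"))
        if perm in PRIVILEGED_SERVICE_PERMISSIONS:
            findings.append((PRIVILEGED_SERVICE_PERMISSIONS[perm], service.get(android_attr("name"))))
    return findings


# Constructed manifests: package, component names and URL scheme are invented for this example.
RISKY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carrierhelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Carrier Helper">
    <activity android:name=".WebLaunchActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="carrierhelper"/>
      </intent-filter>
    </activity>
    <service android:name=".HelperAccessibilityService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Same app with the SMS permission dropped, the activity kept internal, and no accessibility service.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carrierhelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Carrier Helper">
    <activity android:name=".WebLaunchActivity" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("risky", RISKY_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest) or "no findings")
```

A finding is not by itself a vulnerability; a messaging app legitimately needs SMS permissions and a screen reader legitimately binds as an accessibility service. The point of the audit is the same as the quoted advice: each of these declarations needs a reason, and a preinstalled carrier or support app that reaches from a browser link into code running with system privileges needs a very good one.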
