Russia: Inconsistent Cyber Attack Capabilities

October 7, 2022

Do you remember that Microsoft’s president Brad Smith opined that the SolarWinds’ misstep required about 1,000 engineers? I do. Let’s assume those engineers then turned their attention to compromising Ukraine as part of a special military operation.

Failure of Russia’s Cyber Attacks on Ukraine Is Most Important Lesson for NCSC” presents information I found interesting about Mr. Smith’s SolarWinds’ remark. [The NCSC is the United Kingdom’s National Cyber Security Council.’

Here’s the key passage from the write up:

Ukrainian cyber defences, IT security industry support and international collaboration have so far prevented Russian cyber attacks from having their intended destabilising impact during Russia’s invasion of Ukraine.

The write up also points out that a cyber content marketing campaign designed to undermine Ukraine’s leadership was also not effective.

Okay, but, Mr. Smith said that Russia was able to coordinate the efforts of 1,000 individuals to breach SolarWinds’ security and create considerable distress among some in commercial enterprises and other organizations.

How could Ukraine resist this type of capable force? I have no idea. I prefer to flip the information around and ask, “Why did SolarWinds’ security yield so easily?” Did Russia put more effort into breaching SolarWinds than fighting a kinetic war? Yeah, sure it did.

Maybe the 1,000 programmer idea was hand waving and blame shifting? Microsoft cannot make printers work. Why would Microsoft security be much better?

Stephen E Arnold, September 2022

Insider Threat: Worse Than Poisoned Open Source Code and Major Operating System Flaws?

October 5, 2022

Here’s a question for you.

What poses a greater threat to your organization? Select one item only, please.

[a] Flaws in mobile phones

[b] Poisoned open source code

[c] Cyber security and threat intelligence systems do not provide advertised security

[d] Insider threats

[e] Operating systems’ flaws.

If you want to check more than one item, congratulations. You are a person who is aware that most computing devices are insecure with some flaws baked in. Fixing up flawed hardware and software under attack is similar to repairing an L-29 while the Super Defin is in an air race.

Each day I receive emails asking me to join a webinar about a breakthrough in cyber security, new threats from the Dark Web, and procedures to ensure system integrity. I am not confident that these companies can deliver cyber security, particularly the type needed to deal with an insider who decides to help out bad actors.

NSA Employee Leaked Classified Cyber Intel, Charged with Espionage” reports:

A former National Security Agency employee was arrested on Wednesday for spying on the U.S. government on behalf of a foreign government. Jareh Sebastian Dalke, 30, was arrested in Denver, Colorado after allegedly committing three separate violations of the Espionage Act. Law enforcement allege that the violations were committed between August and September of 2022, after he worked as a information systems security designer at the agency earlier that summer.

So what’s the answer to the multiple choice test above? It’s D. Insider breaches suggest that management procedures are not working. Cyber security webinars don’t address this, and it appears that other training programs may not be pulling hard enough. Close enough for horse shoes may work when selling ads. For other applications, more rigor may be necessary.

Stephen E Arnold, October 5, 2022

Board Games at Microsoft? Maybe Corner Cutting?

September 30, 2022

I noted a write up called “Anonymous Lays Waste to Russian Message Board, Releases Entire Database Online.” The article describes what a merrie band of anonymous, distributed bad actors can do in today’s decentralized, Web 3 world of online games like Cat and Mouse. The article explains that Mr. Putin’s bureaucracy is a big, fat, and easy target to attack. One statement in the article caught my attention; to wit:

For all their reputation on cyber security and hacking, the Russians were careless…. KiraSec has taken down hundreds of Russian websites, Russian banks like alfabank, bank.yandex.ru, pro-Russian terror-leaning websites, Russian pedophile websites, Russian government websites, Russian porn sites and a lot more. The cyber activists also “hacked various Russian SCADAs and ICS, nuking their systems and completely destroying their industrial machines.”

I immediately thought about Microsoft’s Brad Smith suggesting that more than 1,000 programmers worked to make SolarWinds a household word. My thought was that Microsoft itself may share the systems engineering approach used to protect some Russian information assets. The key word is “careless.” Arrogance, indifference, and probably quite terrible management facilitated the loss of Russian data and the SolarWinds’ misstep.

I then spotted in my news headline stream this article from the UK online outfit The Register: “Excel’s Comedy of Errors Needs a New Script, Not New Scripting.” This article points out that Microsoft has introduced a new feature for Excel. I am not an individual who writes everything in Excel, including holiday greetings and lists of government officials names and email addresses. Some are.

Here’s the passage I circled after I printed out the write up on a piece of paper:

Excel is already the single most dangerous tool to give to civilians. You can get things wrong in Word and PowerPoint all day long, and while they have their own security fun you’re not getting things wrong through a series of tiny letterboxes behind which can live the company’s most important numerical data. The Excel Blunder is its own genre of corporate terror: it brings down companies, it breaches data like a excited whale seeking sunlight, it can make a mockery of pandemic control. And because Excel is the only universal tool most users get for organizing any sort of data, the abuses and perversions it gets put to are endless.

What’s the connection between bad actors hacking Russia, Microsoft’s explanation of the SolarWinds’ misstep, and Excel’s new scripting method?

Insecurity appears to be part of the core business process.

No big deal. Some bad actors and a few cyber security vendors will be happy. Others will be “careless” and maybe clueless. That’s Clue the board game, not the motion picture.

Stephen E Arnold, September 30, 2022

Yo, Amazon, Hello, Facebook, Hey, Google, Sup, IBM: Any Moonlighting Wizards on Your Payroll?

September 28, 2022

A couple of years ago, I provided those in my LE and intel lectures with the names of some online recruiting services which say things like:

Hire Silicon Valley-caliber engineers at half the cost

The number of outfits offering programmers with in-demand skills is large. Do these “remote” employees have: [a] full time jobs at big tech firms, [b] work remotely with supervision from an indifferent 20 something or Microsoft Teams-type monitoring functions, or [c] have automated a full-time job so that an eight hour work day can be used to generate income from gig work or another full-time job?

I read “Wipro Chairman Rishad Premji Fires 300 Employees for Secretly for Moonlighting.” [Note: this item appeared in India and the provider of the content can be disappeared at any time or charge for access to the full text. There’s not much I can do to ameliorate this issue.] The article states:

Wipro has terminated 300 employees found to be moonlighting with its key rivals at the same time, its Chairman Rishad Premji said on Wednesday [September 21, 2022] . Speaking at the All India Management Association (AIMA) National Management Convention, Premji termed moonlighting is a complete violation of integrity “in its deepest form”. “The reality is that there are people today working for Wipro and working directly for one of our competitors and we have actually discovered 300 people in the last few months who are doing exactly that,” the Wipro Chairman said. The company has now terminated their employment for “act of integrity violation”.

I find the action of Mr. Premji instructive. I wonder why US-based high-tech firms do not take the same action.

The point I made in my lecture is that bad actors can pass themselves off as legitimate businesses just based in some interesting city like Athens, Greece. The technical skills required are advanced and not directly connected to anything other than helping a jewelry company or online egame service implement a resilient network. The person responding to this opportunity may have requisite experience working at a big US high tech company. The person does the work and forgets about the project. However, the entity doing the hiring is a bad actor. The task completed by the US high tech engineer snaps into a larger set of work.

Should the online recruitment outfit perform more due diligence on what looks like a legitimate company selling fountain pens or plumbing equipment in another country? The answer is, “Sure.” That’s not the case. Based on our research none of the recruiters or the gig workers did much if any investigation of the hiring outfit. If a company paid the matchmaker and the gig worker, that was the proof of appropriate activity.

The reality, which I described in my lecture, is that insiders are making it easy for bad actors to learn about certain companies. Furthermore, the simple and obvious coding task is just one component in what can be an illegal online operation. The example I provided to the LE and analysts in my lecture was an online streaming service with an illegal online gambling “feature.”

I can hear the senior managers’ excuses now:

  1. “Our employees are prohibited from doing outside work.” [Yeah, but does anyone validate this assertion?]
  2. “We have a personnel department which works closely with our security team to prevent this type of insider activity.” [Yeah, but telling me this is cheaper and easier than reporting on specific data compiled to reduce this type of activity, right?]
  3. “Our contractors are moderated and subject to the same security procedures as our work-from-home full time staff? [Yeah, but does anyone really know how that contractor located in another company actually operates?]k

Net net: Mr. Premji is on the right track. FYI: WiPro was founded in 1945 and the firm took action on this matter after 77 years. Speedy indeed.

Stephen E Arnold, September 28, 2022

Cyber Security Management: Does It Work or Just Output Excuses?

September 23, 2022

It seems that cyber security is a bit of an issue at a number of organizations. Uber faces a teen and seems to say, “We’re a-okay.” A Chinese entity may have lost data about one billion people. If I poke around, I can find one or two examples of what seem to be cyber security challenges. Oh, sorry. Yes, one or two may be an understatement.

“Nearly a Third of Security Teams Lack a Management Platform for IT Secrets” suggests that there may be a problem with management. The write up states:

most security pros expect cyber attacks to intensify over the next year, some 32% surveyed lack a management platform for IT secrets, such as API keys, database passwords, and privileged credentials, posing significant security risks.

Does this mean that geared up outfits with layers of security, training programs for employees because phishing is a problem, and expensive real time flows of threat data about vectors with snappy names have a vulnerability?

Yes, some organizations have another cyber security issues with which to wrestle. Management of “information technology secrets” may pose a threat. More precisely, a failure to manage passwords and other “IT secrets” is lacking. No kidding? Poor or ineffective management. Who would have guessed that work-from-home, quiet quitters, and basic safeguards were inadequate. Wow. Insight!

The article says:

While many surprisingly report feeling prepared for attacks, security leaders admit their tech stacks lack essential tools: Some 84% are concerned about the dangers of hard-coded credentials in source code, but 25% don’t have software to remove them. And, more than one-quarter of respondents (26%) say they lack a remote connection management capability that can secure remote access to IT infrastructure.

I think this means that after many PowerPoints, trade show presentations, and big buck mergers and acquisitions, bad actors have some vulnerabilities to exploit.

Is it time perchance to rethink cyber security and the management thereof?

Nah, security is a cost center. And most executives with whom I talk are reasonably confident that their personnel, advisors, and information technology professionals are Top Guns, flying juiced up cyber gear.

Okay, no problem. That’s why storing Microsoft Teams’ tokens in plain text is such a great idea.

Stephen E Arnold, September 22, 2022

Darktrace–Thoma Bravo Deal: An Antigen Reaction?

September 21, 2022

Darktrace is one of the cyber threat detection outfits to which I pay some attention. I read “Darktrace Shares Plunge After Thoma Bravo Acquisition Falls Apart.”

The article quotes an expert as saying:

“I don’t think Thoma Bravo is backing off of Darktrace because of valuations,” he [Richard Stiennon, chief research analyst at IT-Harvest] says. “I think strategically there is not a clear market for the AI-enhanced threat hunting that Darktrace touts. The market is pretty much equal to Darktrace’s revenue today.”

My take on the deal is that the cyber threat detection and cyber threat information services are not convincing some skeptical prospects. News like the teen who compromised the Uber taxi service and the sharp rise in ransomware attacks has created some Nervous Nellies. Multi-persona phishing and old fashioned social engineer work in today’s work-from-home world. Plus, there is nothing like a bundle of cash promised to an insider who might be tempted to exchange access credentials for a new Tesla or a shopping spree at Costco.

Darktrace has done a masterful job of marketing. The Bayesian methods work reasonably well in certain use cases. Quite a chunk of change has been spent buying and marketing cyber related businesses.

One report (“Shares Plunge As US Private Equity Titan Backs Out of Darktrace Takeover“) said:

Darktrace revenue grew 45.7 per cent in the financial year to 30 June, while the customer base swelled 32.1 per cent year-over-year. However, the firm did note an accounting mishap, stating that $3.8m of revenue it had been recognising in the full year, including a portion recognised and reported in its unaudited half year results, was related to prior periods and should instead be recognised in full year 2021 results. This reallocation would reduce revenue reported this year to $415.5m from the $419.3m that was expected.

And cyber crime is at an all time high, but I am not sure any firm, including Darktrace, has cracked the code.

Stephen E Arnold, September 21, 2022

Open Source: Everyone Uses It. Now Bad Actors Know Where to Aim

September 2, 2022

Peace of mind is a valuable thing, a commodity one might think worth allocating some funds to ensure, particularly when one is engaged in permanent cyber warfare. Yet, according to BetaNews, “80 Percent of Enterprises Use Open Source Software and Nearly All Worry About Security.” A recent report from Synopsys and based on research by Enterprise Strategy Group found 80% of enterprises use open source software (OSS), and 99% of those are concerned about related security issues. Apparently one percent is not paying attention—such worry is justified because few in the IT department know what’s in the open source libraries or know how to find manipulated or rogue instructions. Reporter Ian Barker tells us:

“In response to high profile supply chain attacks 73 percent of respondents say they have increased their efforts significantly to secure their organizations’ software supply chain. Steps taken include the adoption of some form of multi-factor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent). Despite those efforts, 34 percent of organizations report that their applications have been exploited due to a known vulnerability in open source software within the last 12 months, with 28 percent having suffered a previously unknown zero-day exploit found in open source software.

Pressure to improve software supply chain risk management has shone a spotlight on software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — the ESG research shows that 39 percent of survey respondents marked this task as a challenge of using OSS. … [The study also found] 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.”

All this, and the use of open source software is expected to jump to 99% next year. It seems those who hold organizational purse strings care more about saving a few bucks than about their cybersecurity teams’ sleepless nights. If they suffer a breach, however, they may find that metaphoric purse has acquired a large hole. Just a thought, but an ounce of prevention may be warranted here.

Cheap and easy? Yep.

Cynthia Murrell, September 2, 2022

A US Government Classification Wowza!

August 30, 2022

I read “What’s in a Classified Document?” The title is interesting because it suggests that classified information is like a cook book. The contents of the cook book are “known”; that is, step-by-step information about making grilled chicken. The write up explains:

Breakdowns of the various levels of information classification are available online, but they’re not that helpful out of context.

That makes sense: No context, no or limited understanding.

The write up continues:

Most classified materials, however, just aren’t all that sexy at first glance.

I noted this statement:

Technical and scientific documents, for instance, are almost always highly valuable.

And this caught my eye:

One of the greatest risks is that an adversary will learn how we’ve discovered their secrets.

I also put a check mark by this sentence:

Finally, it’s important to understand that, in many cases, what’s classified is not a particular set of facts but what the intelligence community thinks those facts mean.

Looking at the information about secrets, I think the obvious statements are okay. The point to me is that old fashioned methods of enforcing secrecy are probably better than the methods in use today.

Unfortunately the Information wants to be free and the Sharing is caring ideas are not in line with my views. The message I take away from this write up is that beliefs, ideas, and procedures have been eroded in the last decade or so.

But I am a dinobaby. What do I know? Well, enough to point out that the apparatus of secrecy might be a useful project for someone not in the lobbying business, not a Beltway Bandit, and not an individual preparing a flight path as a consultant.

Stephen E Arnold, August 30, 2022

A Hidden Nugget about E2EE Use as a Filter

August 23, 2022

I am not a fan of Silicon Valley type “real” news. Political biases usually color the factoids. I read “Inside Facebook’s Encryption Conundrum.” [Believe it or not you may have to spit out personal info or pay to read this hyperlinked document.] I don’t care too much about Facebook’s conundrums. Mismanaged online services are poorly understood by those who live and die by social media. The goldfish does not know the water in its bowl contains amorphous scales of lead and lead phosphate.

I am going to ignore the description of the Zuckbook’s business processes and focus on what I perceive to be the nugget in the write up:

In recent conversations with Meta employees, I’ve come to understand more about what’s taking so long — and how consumer apathy toward encryption has created challenges for the company as it works to create a secure messaging app that its user base will actually use.

Translating into Beyond Search lingo yields, “People don’t know and don’t care.”

Ergo, anyone using an encrypted messaging app is signaling:

I know;

I care;

Therefore, why not monitor me?

You may have a different conclusion. I believe use of apps like Telegram provides an important signal. Apathy is a filter. Is the opposite important?

Stephen E Arnold, August 23, 2022

TikTok: Allegations of Keylogging

August 22, 2022

I am not a TikTok person; therefore, I exist in a trend free zone. Others are sucking down short videos with alacrity. I admire a company, possibly linked to China’s government, which has pioneered a next generation video editor and caused the Alphabet Google YouTube DeepMind thing to innovate via its signature “me too” method of innovation.

Now TikTok has another feature, which is an interesting allegation. “TikTok’s In-App Browser Can Monitor Your Every Click and Keystroke” asserts:

When Krause [a security researcher] dug a little deeper into what these apps’ in-app browsers really do, he’d found that TikTok does some bad things, including monitoring all of users’ keyboard inputs and taps. So, if you open a web page inside of TikTok’s app, and enter your credit card details there, TikTok can access all of those details. TikTok is also the only app, out of all the apps Krause has looked into, that doesn’t even offer an option to open the link in the device’s default browser, forcing you to go through its own in-app browser.

Let’s assume this finding is spot on. First question: Does anyone care? Second question: So what?

I don’t have answers to either question. I do, however, have several observations:

  1. Oracle, for some reason, seems to care. The estimable database company is making an effort to find information that suggests TikTok data are kept in a cupboard. Only grandma can check out who will be an easy target for psychological manipulation. No results yet, but if TikTok is a neutral service, why’s Oracle involved?
  2. A number of Silicon Valley pundits have pointed out that TikTok is no big deal. That encapsulates the “so what” issue. “Put that head in the sand and opine forward” is the rule of thumb for these insightful folks.
  3. Keyloggers are a fave of certain actors. TikTok may have found them useful for benign purposes.

Quite an allegation.

Stephen E Arnold, August 22, 2022

« Previous PageNext Page »

  • Archives

  • Recent Posts

  • Meta