Albert the (Bug) Bounty Hunter
August 18, 2022
Albert Pedersen, an inquisitive scholar in Denmark, makes a hobby of prodding software for vulnerabilities. Now he has proudly collected a bounty after his second successful hunt. Gizmodo reports, “A College Student Discovered a Bug in Cloudflare Email Routing that Let You Read Any User’s Emails.” Email routing services allow users to create disposable email addresses that point back to their “real” accounts and can be valuable privacy tools. That is, if they are truly secure. Writer Lucas Ropek reports:
“Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when properly exploited, allowed any user to read—or even manipulate—other users’ emails. … The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s ‘zone ownership verification’ system, meaning that it was possible for a hacker to reconfigure email routing and forwarding for email domains that weren’t owned by them. Proper manipulation of the exploit would have allowed someone with knowledge of the bug to re-route any users’ emails to their own address. It would have also allowed a hacker to prevent certain emails from being sent to the target at all. In his write-up, Pedersen notes that it’s not that difficult to find online lists of email addresses attached to Cloudflare’s service. Using one of those lists, a bad guy could have quite easily targeted anybody using the forwarding service. After discovering the exploit, Pedersen managed to reproduce it a number of times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program.”
We are sure Cloudflare considers the bounty to be $6,000 well spent. Had the bug gone unsquashed, the repercussions may have gone well beyond the troublesome privacy issues. Bad actors could also have used it to reset passwords, gaining access to financial and other accounts. As Ropek points out, this is a good illustration of why two-factor authentication is worth the hassle. As talented as he is, the intrepid young Dane is only one person. He may not catch the next bug in time.
Cynthia Murrell, August 18, 2022
Is Google Drive — Gulp — a Hacking Tool for Bad Actors?
August 17, 2022
Russia is a near-impregnable force when it comes to hacking. Vladimir Putin’s home base is potentially responsible for influencing many events in the United States, including helping Donald Trump win his first presidential election. Russia neither confirms nor denies the roles hackers play in its and global politics. Unfortunately, Cyber Scoop shares how a common Google tool has been purloined by hackers: “Russian Hacking Unit Cozy Bears Adds Google Drive To Its Arsenal, Researchers Say.”
In what is one of the simplest ways to deliver malware, Russian hackers from the state-funded unit Cozy Bear are using Dropbox and Google Drive. Did you read that? Russian hackers are using legitimate cloud storage services, including one from one of the biggest tech giants, to deliver malware. Palo Alto Networks’ Unit 42 researchers are confounded by the delivery process, because it is hard to detect:
“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said. “When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”
Russian hackers and other black hat people have used cloud storage services to deliver malware before, but using Google Drive is a new tactic. Google is a globally trusted brand that makes more people vulnerable to malware. When people see Google, they automatically trust it, so potential victims could unknowingly download malware.
Dropbox is deleting any accounts that are exploiting their services for hacking. The good news is cloud storage services want to protect users, but the bad news is they are not acting fast enough.
Whitney Grace, August 17, 2022
Quantum Supremacy Emulators: The Crypto Claim
August 16, 2022
I noted the silliness of the quantum supremacy claims first by the GOOG and then by the Red Hat dependent IBM. I pointed out that Intel claimed a quantum thing-a-ma-bob that would be a hub for certain quantum functions. Yeah, horse something, maybe ridge, maybe feathers. I mentioned in one of my blog posts or client emails that the US government aided by big wizards had developed algorithms that could not be broken by yet-to-be-invented quantum computers.
Now we have an interesting story that puts much of the quantum supremacy-type PR in a flaming dumpster. Wow, look at the dense smoke from a piddling fire.
“Post Quantum Encryption Contender Is Taken Out by Single-Core PC and 1 Hour” states:
SIKE is the second NIST-designated PQC candidate to be invalidated this year. In February, IBM post-doc researcher Ward Beullens published research that broke Rainbow, a cryptographic signature scheme with its security, according to Cryptomathic, “relying on the hardness of the problem of solving a large system of multivariate quadratic equations over a finite field.”
Everyone will keep trying. Perhaps a functioning quantum computer will become available to make hunting for flaws more helpful. No, wait a minute. The super algorithm was compromised by a single core PC chugging along for one hour.
Oh, well, as long as one doesn’t look too closely some of the quantum supremacy PR sounds great. In my opinion, some of the stuff is a bit silly.
Stephen E Arnold, August 16, 2022
Cisco Systems: Security? Well, the Ads Say So
August 12, 2022
I read a mildly amusing article which revealed a flaw in Cisco Systems’ security. The write up was “Cisco Hacked by Yanluowang Ransomware Gang, 2.8GB Allegedly Stolen.”
Why did I chuckle?
I noted these ads in a recent Google search about — you guessed it — network security.
The first ad is for networking solutions and Cisco’s secure firewall. Gander at this:
The second ad popped up when I searched for Cisco and its super expert Talos unit. Talos, an acquisition from Israel, is supposed to be one of the Fancy Dan threat intelligence outfits. The idea you know before there is trouble. Peek at this:
You can download the report from this link.
What did the article report as spot on information? Here’s a passage I noted:
The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations. The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company’s corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.
Several observations:
- Cisco identified the bad actors as a group which sure seems to be from a specific country. Russia? No, that nation state has demonstrated that some of its tactical expertise falls short of a high water mark probably captured in a PowerPoint deck. Tanks? Remember?
- The security breach was something the vaunted Cisco security systems could not handle. An insider. Interesting because if this is indeed accurate, no organization can protect itself from an insider who is intentionally or unintentionally compromised. Is this useful information for a bad actor?
- If the Cisco security systems and its flow of threat intelligence were working, why is the company after the fact able to enhance or improve its own security. Wasn’t there a fairy tale about shoemaker’s children not having a snappy new paid of collectible shoes?
Net net: The buzz about a group of companies banding together to share security related information is interesting. What this story about the Cisco breach tells me is that teaming up is a way of circling the wagons. Maybe PowerPoints and ads not completely accurate? Nah, impossible.
Stephen E Arnold, August 12, 2022
DARPA Works to Limit Open Source Security Threats
August 9, 2022
Isn’t it a little late? Open-source code has become an integral part of nearly every facet of modern computing, including military and critical infrastructure applications. Now, reports MIT Technology Review, “The US Military Wants to Understand the Most Important Software on Earth.” It seems military researchers have just realized there is no control over, or even accounting for, the countless contributors to open-source projects like the Linux kernel. That software alone underpins the operation of most computers. And yet the feature that makes open-source software free and, therefore, ubiquitous also makes it vulnerable to bad actors.
Since it cannot turn back the clock and consider security before open-source code got baked into critical software, DARPA will instead scrutinize the people and organizations behind open-source projects. The program, dubbed “SocialCyber,” will take 18 months and millions of dollars to implement. It will use a combination of the latest AI tech and good old-fashioned sociology to pinpoint potential threats. Reporter Patrick Howell O’Neill writes:
“The ultimate goal is to detect and counteract any malicious campaigns to submit flawed code, launch influence operations, sabotage development, or even take control of open-source projects. To do this, the researchers will use tools such as sentiment analysis to analyze the social interactions within open-source communities such as the Linux kernel mailing list, which should help identify who is being positive or constructive and who is being negative and destructive. The researchers want insight into what kinds of events and behavior can disrupt or hurt open-source communities, which members are trustworthy, and whether there are particular groups that justify extra vigilance. These answers are necessarily subjective. But right now there are few ways to find them at all. Experts are worried that blind spots about the people who run open-source software make the whole edifice ripe for potential manipulation and attacks. For Bratus, the primary threat is the prospect of ‘untrustworthy code’ running America’s critical infrastructure—a situation that could invite unwelcome surprises. …This kind of research also aims to find underinvestment—that is critical software run entirely by one or two volunteers.”
The program relies on partnerships between DARPA and several small cybersecurity research firms like New York’s Margin Research. These firms will ascertain who is working on what open-source projects. Margin will focus on Linux, considered the most urgent point of concern. Open-source programming language Python, which is often used in machine-learning projects, is another priority. SocialCyber is quite an undertaking—it is the pound of cure we could have avoided with an ounce of foresight several years ago.
Cynthia Murrell, August 9, 2022
How Secure Is Cyber Security?
July 27, 2022
I have noted that cyber security companies invite me to webinars, briefings, conferences, and telephone calls. The subject of these calls is usually advanced, next-generation, proactive, smart, and intelligent cyber security solutions. The idea is that I will mention these firms in my lectures to law enforcement, crime analysts, and intelligence professionals. I sit through some. One outfit offers weekly seven to 10 minute reports about some new, absolutely horrible cyber threat. Others want me to join a Zoom to watch a series of PowerPoint slides showing how the latest Zero Day will make life miserable for companies without their cloud-based security system.
I then read item after item about a new variant of a RAT, an exploit taking advantage of the Swiss cheese of enterprise software, or some new dump of personal financial data on a Dark Web site selling fulz. It seems to me as if the cyber security sector is better at marketing than delivering cyber security. That’s just my opinion, and I usually don’t make a big deal of the veggie burgers being sold as 100 percent prime sirloin.
I read “Digital Security Giant Entrust Breached by Ransomware Gang.” The article does little to make me feel warm and fuzzy about cyber security systems and their vendors. I learned:
Digital security giant Entrust has confirmed that it suffered a cyber attack where threat actors breached their network and stole data from internal systems.
Who are the customers of this “digital security giant”? The write up reported:
This includes US government agencies, such as the Department of Energy, Department of Homeland Security, the Department of the Treasury, the Department of Health & Human Services, the Department of Veterans Affairs, the Department of Agriculture, and many more.
Great. How effective are those whiz bang cyber security systems?
Yeah. I think I know the answer. Marketing is easier than delivering cyber security that works.
Stephen E Arnold, July 27, 2022
Google Play: Autosubscriber
July 22, 2022
I cam across a presentation available from the cyber firm Evina. “Autolycos” explains that one can / could download a malicious app from the Google Play Store. (How’s that smart software working to prevent this type of situation, Google? Hello, Google, are you there?)
The write up states:
In July 2022, a new malware family was discovered by top malware experts at Evina. This discovery is remarkable because new malware families are rarely detected (about once a year) and this specific new malware works in an entirely new way.
The operative word is “new.” Why is this important? Cyber security is a reactive business despite the marketing that says, “We predict threats before they do harm?” Well, marketing.
Among the malicious apps are:
- CoCo Camera
- Creative 3D Launcher
- Freeglow Camera
- Funny Camera
- GIF Keyboard
- Razer Keyboard and Theme
- VLOG Star Video Editor
- WOW Camera.
Aimed at younger folks? Sure looks that way;
The report points out:
The malware launches fraud attempts by . For some steps, it can execute urls on a remote browser and embed these results in the http requests. This operation is intended to make it harder for Google to differentiate Autolycos infected apps from legitimate ones. This is exactly why Autolycos remained unidentified for so long and reached over 3 million downloads.
The good news is that the apps appear to be popular outside the US, but there is tomorrow.
Stephen E Arnold, July 22, 2022
Is The TikTok Google Allegation Accurate?
July 21, 2022
Good question. I know that any outfit offering a “service” has individuals who can look at data, metadata, and any other “stuff” associated with a particular entity; for example, spend limit, contacts, and geodata. Privacy and security depend on access controls. In theory, certain data are sandboxed and special approvals may be needed to get into that nifty play area. The hitch in the git along is that a system fails, a senior executive needs something now to close a big deal, a friend begs for help with such and such a problem. There’s also just the endemic “good enough” and “close enough for horse shoes” attitude which affects TV personalities interaction with Air France to a busy parent trying to buy a hamburger and shake for a hungry lacrosse player at 4 pm on a blistering day in rural Kentucky.
That means… gaps, slip ups, work arounds, and doing what’s needed to fill time or get something done fast.
I read “Nothing Is Private: TikToker Who Says She’s a Former Google Admin Warns Workers about Work Accounts.” The information in the article is about a revelation on TikTok. The problem is that I am not sure the behavior described is accurate. Heck, it could be fabricated for some clicks and maybe an appearance on the Joe Rogan podcast. Fame is where you find it today.
The article states as what a TikTok denizen said:
Whatever you put in that account—whether it’s emails, photos, Google Drive documents, or anything else—is not private.
Okay, clear enough.
For fun, let’s assume the Xoogler spilling the beans on the utility of having access to billions of users information is sort of true.
Shocking?
Nah.
The write up says:
that means that a company has access to all of the documents within someone’s company Google account, which can include things like email drafts, G-chats, and Google Drive uploads. This also reportedly applies to universities with student Google accounts. Furthermore, one does not have to leave the job or university for their administrators to obtain this access. “I can get into any of it,” Lauren says. “Any of it!”
Ads, folks. Ads mean money. Who can resist generating revenue, beating performance targets, and getting a big bonus. Once Google would toss in a ski trip or a mouse pad. Go for it. The incentive plan is what makes the Googlers spin.
What’s the fix? The answer is:
Delete. Delete. Delete.
Sounds like reasonable advice if deletion is indeed “real.” Data are backed up and delete usually means removing a pointer to an object in a file. Those back ups, the copies of data tables in a marketing department laptop, or the data required to whip up a projection based on use of information to spur quicker depletion of ad inventory.
Probably not deleted.
Let’s assume the write up describes something the Google does not, could not, would not, and will not do. Wow. Bullet dodged.
But… what if…? Wow. Bullets incoming.
Stephen E Arnold, July 21, 2022
Proofpoint: Journalists Wear a Bull’s Eye instead of a Shirt with Ink Stained Cuffs
July 19, 2022
Proofpoint is a cyber security firm. The company published an interesting blog essay called “Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media.” The write up presents allegedly accurate information that a number of nation states are targeting journalists. This makes sense because some journalists are, in effect, crime and intelligence analysts at heart. Their methods are often similar to those used as certain government organizations.
Is this a new insight from the world’s intelligence professionals? I don’t think so.
The write up states:
Journalists and media organizations are well sought-after targets with Proofpoint researchers observing APT actors, specifically those that are state-sponsored or state-aligned, routinely masquerading as or targeting journalists and media organizations because of the unique access and information they can provide. The media sector and those that work within it can open doors that others cannot. A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification. A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere. Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated import.
What nation states are allegedly targeting certain journalists? The article mentions by name these countries:
China
Iran
North Korea
Turkey (sic). The country’s new name is Türkiye
The article includes examples of the Proofpoint analysts’ identification of actions.
The write up concludes with what appears to be some free advice:
The varied approaches by APT actors—using web beacons for reconnaissance, credential harvesting, and sending malware to gain a foothold in a recipient’s network—means those operating in the media space need to stay vigilant.
Many journalists, in my experience, are unaware of the nuances of staying vigilant. Targets are targets because they can be hit. Examples of what has happened are interesting. May I suggest that journalists receive appropriate instruction when learning their craft. Instruction in vigilance may need to be upgraded or enhanced. Many journalists — particularly what I call the Silicon Valley variety — are more interested in recognition, media clout, and being visible than stepping back and asking, “Have I been targeted, played, and manipulated?”
Stephen E Arnold, July 19, 2022
The Cost of Cyber Security Misconfiguration
July 18, 2022
The numbers tossed around about the cost of a security breach are interesting. I have formed the opinion that the cost estimates are a result of what I have called spreadsheet fever. Plug in numbers, make them flow, and go, baby, go. I read “Razer Seeks $7m from Capgemini for 2020 Data Breach.” The write up explains:
The Singapore-born gaming firm is seeking compensation of nearly US$7 million in damages, which also includes a US$2,000 reward to the security researcher who discovered the breach under the company’s bug bounty program.
What outfit is the target of the litigation? The write up says:
In its lawsuit, Razer alleged that the security breach was the result of a misconfiguration of the “ELK Stack,” caused by one of Capgemini’s employees.
The ELK is not the majestic animal. The ELK in the cyber context represents open source software glued together to deliver a range of security features. The trick is the configuration. Get a setting wrong, and the ELK is less healthy than some observers suspect. An unhealthy ELK can be problematic. This is not a big dead animal in the climate changed world. This creature puts revenue and others at risk of catching a bad disease themselves; for example, standing in the unemployment line, working the phone to reclaim their identity, and apply for a job at one of the booming cyber security vendors. Well, maybe not that particular angle.
The outcome of the lawsuit may provide some more data about the cost of a cyber screw up and details about the how of the alleged misstep.
Stephen E Arnold, July 19, 2022
-
- Subscribe to Beyond Search
Feature archive
News archive
-
