Cyber Security Management: Does It Work or Just Output Excuses?
September 23, 2022
It seems that cyber security is a bit of an issue at a number of organizations. Uber faces a teen and seems to say, “We’re a-okay.” A Chinese entity may have lost data about one billion people. If I poke around, I can find one or two examples of what seem to be cyber security challenges. Oh, sorry. Yes, one or two may be an understatement.
“Nearly a Third of Security Teams Lack a Management Platform for IT Secrets” suggests that there may be a problem with management. The write up states:
most security pros expect cyber attacks to intensify over the next year, some 32% surveyed lack a management platform for IT secrets, such as API keys, database passwords, and privileged credentials, posing significant security risks.
Does this mean that geared up outfits with layers of security, training programs for employees because phishing is a problem, and expensive real time flows of threat data about vectors with snappy names have a vulnerability?
Yes, some organizations have another cyber security issue with which to wrestle. Management of “information technology secrets” may pose a threat. More precisely, the management of passwords and other “IT secrets” is lacking. No kidding? Poor or ineffective management. Who would have guessed that work-from-home, quiet quitters, and basic safeguards were inadequate. Wow. Insight!
The article says:
While many surprisingly report feeling prepared for attacks, security leaders admit their tech stacks lack essential tools: Some 84% are concerned about the dangers of hard-coded credentials in source code, but 25% don’t have software to remove them. And, more than one-quarter of respondents (26%) say they lack a remote connection management capability that can secure remote access to IT infrastructure.
I think this means that after many PowerPoints, trade show presentations, and big buck mergers and acquisitions, bad actors have some vulnerabilities to exploit.
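The hard-coded credentials the survey mentions are detectable before they ship. The following is an added example, not code from the article, the survey, or any vendor: a small Python scanner that runs a handful of format and assignment rules over source text, filters obvious placeholders and low-entropy values, and reports the rest. The rule set and the sample source lines are constructed for illustration; the AWS key id is the documented placeholder value, and the placeholder filter deliberately does not apply to format-based rules, so it is flagged.

```python
"""Added example: a small scanner for hard-coded credentials in source.

Not code from the article or the survey vendor. The patterns and the sample
source lines are constructed for illustration; real scanners (gitleaks,
trufflehog, detect-secrets) use far larger rule sets and entropy checks.
"""
import math
import re
from collections import Counter

# Each rule: name, compiled regex. Key/token prefixes follow the publicly
# documented formats. Assignment-style rules capture the secret value as
# their last group; format-style rules have no capture group.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("password_assignment", re.compile(
        r"""(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]([^'"]{8,})['"]""")),
    ("db_url_with_password", re.compile(r"\b[a-z][a-z0-9+]*://[^/\s:]+:([^@\s]+)@")),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest a random secret, not a word."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_placeholder(value: str) -> bool:
    """Skip obvious templates so the scanner does not flag every example config."""
    lowered = value.lower()
    return any(tag in lowered for tag in ("changeme", "example", "xxxx", "${", "<your", "dummy"))

def scan_source(text: str, min_entropy: float = 3.0):
    """Return (line_no, rule_name, matched_value) for each probable hard-coded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            # Assignment-style rules: the secret is the last captured group;
            # apply the placeholder and entropy filters to that value only.
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if name in ("password_assignment", "db_url_with_password"):
                if is_placeholder(value) or shannon_entropy(value) < min_entropy:
                    continue
            findings.append((line_no, name, value))
    return findings

# Constructed sample: what a repository might contain after a careless commit.
# The AWS key id is the documented placeholder; the format rule flags it anyway.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_URL = "postgres://app:Qz7!v9Lp2m4Xr@db.internal:5432/prod"
password = "changeme"
TOKEN = os.environ["TOKEN"]
api_key = "3f9a1c7e2b8d4f60a5e1c2d3b4a59687"
"""

if __name__ == "__main__":
    for line_no, rule, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {value}")
```

Run against the constructed sample, the scanner reports the AWS key id, the password embedded in the database URL and the hex API key, and skips both the `changeme` placeholder and the value read from the environment. The entropy threshold is the usual trade-off: lower it and dictionary passwords are caught along with more false positives.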
Is it time perchance to rethink cyber security and the management thereof?
Nah, security is a cost center. And most executives with whom I talk are reasonably confident that their personnel, advisors, and information technology professionals are Top Guns, flying juiced up cyber gear.
Okay, no problem. That’s why storing Microsoft Teams’ tokens in plain text is such a great idea.
Stephen E Arnold, September 22, 2022
Darktrace–Thoma Bravo Deal: An Antigen Reaction?
September 21, 2022
Darktrace is one of the cyber threat detection outfits to which I pay some attention. I read “Darktrace Shares Plunge After Thoma Bravo Acquisition Falls Apart.”
The article quotes an expert as saying:
“I don’t think Thoma Bravo is backing off of Darktrace because of valuations,” he [Richard Stiennon, chief research analyst at IT-Harvest] says. “I think strategically there is not a clear market for the AI-enhanced threat hunting that Darktrace touts. The market is pretty much equal to Darktrace’s revenue today.”
My take on the deal is that the cyber threat detection and cyber threat information services are not convincing some skeptical prospects. News like the teen who compromised the Uber taxi service and the sharp rise in ransomware attacks has created some Nervous Nellies. Multi-persona phishing and old-fashioned social engineering work in today’s work-from-home world. Plus, there is nothing like a bundle of cash promised to an insider who might be tempted to exchange access credentials for a new Tesla or a shopping spree at Costco.
Darktrace has done a masterful job of marketing. The Bayesian methods work reasonably well in certain use cases. Quite a chunk of change has been spent buying and marketing cyber related businesses.
One report (“Shares Plunge As US Private Equity Titan Backs Out of Darktrace Takeover”) said:
Darktrace revenue grew 45.7 per cent in the financial year to 30 June, while the customer base swelled 32.1 per cent year-over-year. However, the firm did note an accounting mishap, stating that $3.8m of revenue it had been recognising in the full year, including a portion recognised and reported in its unaudited half year results, was related to prior periods and should instead be recognised in full year 2021 results. This reallocation would reduce revenue reported this year to $415.5m from the $419.3m that was expected.
And cyber crime is at an all time high, but I am not sure any firm, including Darktrace, has cracked the code.
Stephen E Arnold, September 21, 2022
Open Source: Everyone Uses It. Now Bad Actors Know Where to Aim
September 2, 2022
Peace of mind is a valuable thing, a commodity one might think worth allocating some funds to ensure, particularly when one is engaged in permanent cyber warfare. Yet, according to BetaNews, “80 Percent of Enterprises Use Open Source Software and Nearly All Worry About Security.” A recent report from Synopsys, based on research by Enterprise Strategy Group, found 80% of enterprises use open source software (OSS), and 99% of those are concerned about related security issues. Apparently one percent is not paying attention. Such worry is justified, because few in the IT department know what is in the open source libraries they pull in or how to find manipulated or rogue code. Reporter Ian Barker tells us:
“In response to high profile supply chain attacks 73 percent of respondents say they have increased their efforts significantly to secure their organizations’ software supply chain. Steps taken include the adoption of some form of multi-factor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent). Despite those efforts, 34 percent of organizations report that their applications have been exploited due to a known vulnerability in open source software within the last 12 months, with 28 percent having suffered a previously unknown zero-day exploit found in open source software.
Pressure to improve software supply chain risk management has shone a spotlight on software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — the ESG research shows that 39 percent of survey respondents marked this task as a challenge of using OSS. … [The study also found] 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.”
All this, and the use of open source software is expected to jump to 99% next year. It seems those who hold organizational purse strings care more about saving a few bucks than about their cybersecurity teams’ sleepless nights. If they suffer a breach, however, they may find that metaphoric purse has acquired a large hole. Just a thought, but an ounce of prevention may be warranted here.
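The SBOM compilation the survey calls a challenge is mostly bookkeeping once dependencies are pinned. As an added example (not the survey’s or Synopsys’ tooling), the Python below parses a constructed lock file into a minimal CycloneDX-shaped document with package URLs, flags dependencies that are not pinned to an exact version, and checks the components against a constructed advisory list. Package names, versions and advisory ids are invented; the output follows the CycloneDX JSON layout (bomFormat, specVersion, components with purl) but is not a complete implementation of the specification, and the version comparison only looks at numeric release segments.

```python
"""Added example: build a minimal CycloneDX-style SBOM from a pinned
dependency list and cross-check it against an advisory feed.

Not the survey's or Synopsys' tooling. The lock-file text, the advisory
records and the package names are constructed; the output mirrors the
CycloneDX JSON shape but is not a full implementation of the specification.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# name==version, optional trailing comment
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.+-]*)\s*(?:#.*)?$")

def parse_pins(lock_text: str) -> List[Tuple[str, Optional[str]]]:
    """Parse 'name==version' lines; comments and blank lines are ignored.

    Lines that are not exact pins (ranges, extras, URLs) are recorded with a
    None version so the SBOM flags them instead of silently dropping them.
    """
    pins = []
    for raw in lock_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
        else:
            name = re.split(r"[<>=!~\[; ]", line)[0].lower()
            pins.append((name, None))
    return pins

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric-prefix comparison: '2.25.1' -> (2, 25, 1).

    Good enough for release segments; pre-release tags ('1.0rc1') are ignored.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)

def build_sbom(pins, ecosystem: str = "pypi") -> Dict:
    """Emit a CycloneDX-shaped document; 'UNPINNED' is an assumed marker."""
    components = []
    for name, version in pins:
        comp = {"type": "library", "name": name}
        if version is None:
            comp["version"] = "UNPINNED"  # assumption: flag it, do not guess a version
        else:
            comp["version"] = version
            comp["purl"] = f"pkg:{ecosystem}/{name}@{version}"
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}

# Constructed advisory feed: (ecosystem, package, introduced, fixed, id).
# Half-open range: introduced <= version < fixed is affected.
ADVISORIES = [
    ("pypi", "leftpad", "1.0.0", "1.2.3", "CONSTRUCTED-0001"),
    ("pypi", "yamlthing", "0.0.0", "6.0.0", "CONSTRUCTED-0002"),
]

def affected(sbom: Dict, advisories=ADVISORIES):
    """Return (matched [(purl, advisory id)], unpinned component names)."""
    hits, unpinned = [], []
    for comp in sbom["components"]:
        if comp["version"] == "UNPINNED":
            unpinned.append(comp["name"])
            continue
        v = version_key(comp["version"])
        for eco, pkg, introduced, fixed, adv_id in advisories:
            if pkg != comp["name"] or not comp["purl"].startswith(f"pkg:{eco}/"):
                continue
            if version_key(introduced) <= v < version_key(fixed):
                hits.append((comp["purl"], adv_id))
    return hits, unpinned

# Constructed lock file: three exact pins (one with a comment) and one range.
LOCK = """\
# constructed lock file
leftpad==1.2.0
yamlthing==6.1.0
fastthing==0.9.4   # pinned, no advisory
looseness>=2.0
"""

if __name__ == "__main__":
    sbom = build_sbom(parse_pins(LOCK))
    print(json.dumps(sbom, indent=2))
    print(affected(sbom))
```

On the constructed input the check reports `leftpad` as affected (1.2.0 falls inside the advisory range) and `looseness` as unpinned; `yamlthing` 6.1.0 sits at or above the fixed version and is not flagged. The unpinned case is the one to watch: a range in a lock file means the SBOM cannot say what was actually deployed.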
Cheap and easy? Yep.
Cynthia Murrell, September 2, 2022
A US Government Classification Wowza!
August 30, 2022
I read “What’s in a Classified Document?” The title is interesting because it suggests that classified information is like a cook book. The contents of the cook book are “known”; that is, step-by-step information about making grilled chicken. The write up explains:
Breakdowns of the various levels of information classification are available online, but they’re not that helpful out of context.
That makes sense: No context, no or limited understanding.
The write up continues:
Most classified materials, however, just aren’t all that sexy at first glance.
I noted this statement:
Technical and scientific documents, for instance, are almost always highly valuable.
And this caught my eye:
One of the greatest risks is that an adversary will learn how we’ve discovered their secrets.
I also put a check mark by this sentence:
Finally, it’s important to understand that, in many cases, what’s classified is not a particular set of facts but what the intelligence community thinks those facts mean.
Looking at the information about secrets, I think the obvious statements are okay. The point to me is that old-fashioned methods of enforcing secrecy are probably better than the methods in use today.
Unfortunately the “Information wants to be free” and “Sharing is caring” ideas are not in line with my views. The message I take away from this write up is that beliefs, ideas, and procedures have been eroded in the last decade or so.
But I am a dinobaby. What do I know? Well, enough to point out that the apparatus of secrecy might be a useful project for someone not in the lobbying business, not a Beltway Bandit, and not an individual preparing a flight path as a consultant.
Stephen E Arnold, August 30, 2022
A Hidden Nugget about E2EE Use as a Filter
August 23, 2022
I am not a fan of Silicon Valley type “real” news. Political biases usually color the factoids. I read “Inside Facebook’s Encryption Conundrum.” [Believe it or not you may have to spit out personal info or pay to read this hyperlinked document.] I don’t care too much about Facebook’s conundrums. Mismanaged online services are poorly understood by those who live and die by social media. The goldfish does not know the water in its bowl contains amorphous scales of lead and lead phosphate.
I am going to ignore the description of the Zuckbook’s business processes and focus on what I perceive to be the nugget in the write up:
In recent conversations with Meta employees, I’ve come to understand more about what’s taking so long — and how consumer apathy toward encryption has created challenges for the company as it works to create a secure messaging app that its user base will actually use.
Translating into Beyond Search lingo yields, “People don’t know and don’t care.”
Ergo, anyone using an encrypted messaging app is signaling:
I know;
I care;
Therefore, why not monitor me?
You may have a different conclusion. I believe use of apps like Telegram provides an important signal. Apathy is a filter. Is the opposite important?
Stephen E Arnold, August 23, 2022
TikTok: Allegations of Keylogging
August 22, 2022
I am not a TikTok person; therefore, I exist in a trend free zone. Others are sucking down short videos with alacrity. I admire a company, possibly linked to China’s government, which has pioneered a next generation video editor and caused the Alphabet Google YouTube DeepMind thing to innovate via its signature “me too” method of innovation.
Now TikTok has another alleged feature, and it is an interesting allegation. “TikTok’s In-App Browser Can Monitor Your Every Click and Keystroke” asserts:
When Krause [a security researcher] dug a little deeper into what these apps’ in-app browsers really do, he’d found that TikTok does some bad things, including monitoring all of users’ keyboard inputs and taps. So, if you open a web page inside of TikTok’s app, and enter your credit card details there, TikTok can access all of those details. TikTok is also the only app, out of all the apps Krause has looked into, that doesn’t even offer an option to open the link in the device’s default browser, forcing you to go through its own in-app browser.
Let’s assume this finding is spot on. First question: Does anyone care? Second question: So what?
I don’t have answers to either question. I do, however, have several observations:
- Oracle, for some reason, seems to care. The estimable database company is making an effort to find information that suggests TikTok data are kept in a cupboard. Only grandma can check out who will be an easy target for psychological manipulation. No results yet, but if TikTok is a neutral service, why’s Oracle involved?
- A number of Silicon Valley pundits have pointed out that TikTok is no big deal. That encapsulates the “so what” issue. “Put that head in the sand and opine forward” is the rule of thumb for these insightful folks.
- Keyloggers are a fave of certain actors. TikTok may have found them useful for benign purposes.
Quite an allegation.
Stephen E Arnold, August 22, 2022
Albert the (Bug) Bounty Hunter
August 18, 2022
Albert Pedersen, an inquisitive scholar in Denmark, makes a hobby of prodding software for vulnerabilities. Now he has proudly collected a bounty after his second successful hunt. Gizmodo reports, “A College Student Discovered a Bug in Cloudflare Email Routing that Let You Read Any User’s Emails.” Email routing services allow users to create disposable email addresses that point back to their “real” accounts and can be valuable privacy tools. That is, if they are truly secure. Writer Lucas Ropek reports:
“Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when properly exploited, allowed any user to read—or even manipulate—other users’ emails. … The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s ‘zone ownership verification’ system, meaning that it was possible for a hacker to reconfigure email routing and forwarding for email domains that weren’t owned by them. Proper manipulation of the exploit would have allowed someone with knowledge of the bug to re-route any users’ emails to their own address. It would have also allowed a hacker to prevent certain emails from being sent to the target at all. In his write-up, Pedersen notes that it’s not that difficult to find online lists of email addresses attached to Cloudflare’s service. Using one of those lists, a bad guy could have quite easily targeted anybody using the forwarding service. After discovering the exploit, Pedersen managed to reproduce it a number of times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program.”
We are sure Cloudflare considers the bounty to be $6,000 well spent. Had the bug gone unsquashed, the repercussions might have gone well beyond the troublesome privacy issues. Bad actors could also have used it to intercept password reset emails, gaining access to financial and other accounts. As Ropek points out, this is a good illustration of why two-factor authentication is worth the hassle. As talented as he is, the intrepid young Dane is only one person. He may not catch the next bug in time.
Cynthia Murrell, August 18, 2022
Is Google Drive — Gulp — a Hacking Tool for Bad Actors?
August 17, 2022
Russia is a near-impregnable force when it comes to hacking. Vladimir Putin’s home base is potentially responsible for influencing many events in the United States, including helping Donald Trump win his first presidential election. Russia neither confirms nor denies the roles hackers play in its and global politics. Unfortunately, Cyber Scoop shares how a common Google tool is being abused by hackers: “Russian Hacking Unit Cozy Bears Adds Google Drive To Its Arsenal, Researchers Say.”
In what is one of the simplest ways to deliver malware, Russian hackers from the state-funded unit Cozy Bear are using Dropbox and Google Drive. Did you read that? Russian hackers are using legitimate cloud storage services, including one from one of the biggest tech giants, to deliver malware. Palo Alto Networks’ Unit 42 researchers point out that the delivery process is hard to detect precisely because the services are legitimate:
“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said. “When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”
Russian hackers and other black hat people have used cloud storage services to deliver malware before, but using Google Drive is a new tactic. Google is a globally trusted brand that makes more people vulnerable to malware. When people see Google, they automatically trust it, so potential victims could unknowingly download malware.
Dropbox is deleting any accounts that are exploiting their services for hacking. The good news is cloud storage services want to protect users, but the bad news is they are not acting fast enough.
Whitney Grace, August 17, 2022
Quantum Supremacy Emulators: The Crypto Claim
August 16, 2022
I noted the silliness of the quantum supremacy claims first by the GOOG and then by the Red Hat dependent IBM. I pointed out that Intel claimed a quantum thing-a-ma-bob that would be a hub for certain quantum functions. Yeah, horse something, maybe ridge, maybe feathers. I mentioned in one of my blog posts or client emails that the US government, aided by big wizards, had developed algorithms meant to resist yet-to-be-invented quantum computers.
Now we have an interesting story that puts much of the quantum supremacy-type PR in a flaming dumpster. Wow, look at the dense smoke from a piddling fire.
“Post Quantum Encryption Contender Is Taken Out by Single-Core PC and 1 Hour” states:
SIKE is the second NIST-designated PQC candidate to be invalidated this year. In February, IBM post-doc researcher Ward Beullens published research that broke Rainbow, a cryptographic signature scheme with its security, according to Cryptomathic, “relying on the hardness of the problem of solving a large system of multivariate quadratic equations over a finite field.”
Everyone will keep trying. Perhaps a functioning quantum computer will become available to make hunting for flaws more helpful. No, wait a minute. The super algorithm was compromised by a single core PC chugging along for one hour. Worth noting: the attack was entirely classical, and SIKE was a fourth-round alternate rather than one of the four schemes NIST selected in July 2022, so the break says nothing about the lattice-based selections one way or the other.
Oh, well, as long as one doesn’t look too closely some of the quantum supremacy PR sounds great. In my opinion, some of the stuff is a bit silly.
Stephen E Arnold, August 16, 2022
Cisco Systems: Security? Well, the Ads Say So
August 12, 2022
I read a mildly amusing article which revealed a flaw in Cisco Systems’ security. The write up was “Cisco Hacked by Yanluowang Ransomware Gang, 2.8GB Allegedly Stolen.”
Why did I chuckle?
I noted these ads in a recent Google search about — you guessed it — network security.
The first ad is for networking solutions and Cisco’s secure firewall.
The second ad popped up when I searched for Cisco and its super expert Talos unit. Talos, Cisco’s threat intelligence group built around the Sourcefire acquisition, is supposed to be one of the Fancy Dan threat intelligence outfits. The idea is that you know before there is trouble.
What did the article report as spot on information? Here’s a passage I noted:
The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations. The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company’s corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.
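The push-bombing sequence in the quoted account leaves a recognizable trace in identity-provider logs: a burst of denied or expired push challenges for one user, then an approval, often from the same source the bursts came from. As an added example (not Cisco’s, Talos’ or the article’s detection logic), the Python below runs that check over constructed log lines. The log format and every sample line are invented, and the ten-minute window and three-failure threshold are assumptions to tune per environment.

```python
"""Added example: detect an MFA-fatigue (push-bombing) pattern in
authentication logs.

Not Cisco's, Talos' or the article's detection logic. The log format
(timestamp, user, event, source ip) and all sample lines are constructed;
real identity providers emit richer events, but the pattern is the one the
quoted account describes: repeated push challenges, mostly denied or
expired, ending in an approval.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=10)   # assumption: tune per environment
MIN_FAILED_PUSHES = 3            # denied or expired prompts before an approval

def parse_line(line: str) -> Dict:
    """Constructed format: ISO-8601 time, user, event, source ip, space separated."""
    ts, user, event, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, "src": src}

def detect_mfa_fatigue(lines: List[str]) -> List[Dict]:
    """Return one alert per approval that was preceded, within WINDOW, by at
    least MIN_FAILED_PUSHES denied or expired pushes for the same user."""
    recent = defaultdict(deque)   # user -> deque of (ts, event, src) for failed pushes
    alerts = []
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        q = recent[rec["user"]]
        # drop failed pushes that fell out of the window
        while q and rec["ts"] - q[0][0] > WINDOW:
            q.popleft()
        if rec["event"] in ("push_denied", "push_expired"):
            q.append((rec["ts"], rec["event"], rec["src"]))
        elif rec["event"] == "push_approved":
            if len(q) >= MIN_FAILED_PUSHES:
                alerts.append({
                    "user": rec["user"],
                    "approved_at": rec["ts"].isoformat(),
                    "failed_pushes": len(q),
                    # every source seen in the burst plus the approving one;
                    # a single attacker VPN address shows up as one entry
                    "sources": sorted({src for _, _, src in q} | {rec["src"]}),
                })
            q.clear()   # an approval ends the episode either way
    return alerts

# Constructed log: jdoe is bombed and eventually approves; asmith denies one
# prompt and approves a legitimate one much later; jdoe later logs in cleanly.
SAMPLE_LOG = """\
2022-08-10T09:01:05 jdoe push_denied 203.0.113.7
2022-08-10T09:02:10 jdoe push_expired 203.0.113.7
2022-08-10T09:03:30 jdoe push_denied 203.0.113.7
2022-08-10T09:04:15 jdoe push_denied 203.0.113.7
2022-08-10T09:05:40 jdoe push_approved 203.0.113.7
2022-08-10T09:06:00 asmith push_denied 198.51.100.9
2022-08-10T09:30:00 asmith push_approved 198.51.100.9
2022-08-10T10:15:00 jdoe push_approved 192.0.2.44
""".splitlines()

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed log only jdoe’s 09:05 approval fires, with four failed pushes behind it; asmith’s single denial has aged out of the window by the time the later approval arrives, and jdoe’s clean 10:15 login has no preceding failures. The follow-on check a responder wants is whether the approving source matches the VPN session that was opened next, which is exactly the foothold the quoted passage describes.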
Several observations:
- Cisco identified the bad actors as a group which sure seems to be from a specific country. Russia? No, that nation state has demonstrated that some of its tactical expertise falls short of a high water mark probably captured in a PowerPoint deck. Tanks? Remember?
- The security breach was something the vaunted Cisco security systems could not handle. An insider. Interesting because if this is indeed accurate, no organization can protect itself from an insider who is intentionally or unintentionally compromised. Is this useful information for a bad actor?
- If the Cisco security systems and its flow of threat intelligence were working, why is the company only after the fact able to enhance or improve its own security? Wasn’t there a fairy tale about the shoemaker’s children not having a snappy new pair of collectible shoes?
Net net: The buzz about a group of companies banding together to share security related information is interesting. What this story about the Cisco breach tells me is that teaming up is a way of circling the wagons. Maybe the PowerPoints and ads are not completely accurate? Nah, impossible.
Stephen E Arnold, August 12, 2022