DarkTrace: A Tech NATO Like a Digital “Sharknado”?
June 7, 2022
Don’t get me wrong. I think the idea of a group of countries coordinating cyber actions is a good one. Maybe that’s why there is a Europol and there are alliances like Five Eyes. “Darktrace CEO Calls for a Tech NATO Amid Growing Cyber Threats” reports that the UK company thinks the idea is a good one. I learned:
Gustafsson [the senior executive at DarkTrace] wants to see the creation of a dedicated international cyber task force, or a “tech NATO”, where global partners can collaborate, agree, and ratify norms for the cybersphere—including what kind of response would be warranted for breaches.
The write up loses me with this passage:
Greater cooperation is certainly needed to combat evolving cyber threats. However, Gustafsson’s call for a “Tech NATO” is surprising—not least because NATO itself already has one in the form of the CCDCOE (Cooperative Cyber Defence Centre of Excellence).
If NATO has such an entity, why not build on that confederation?
I think that DarkTrace has been innovative in its messaging, not confusing. Most of the cyber threat firms are struggling with marketing messages. Each vendor discovers threats apparently unknown to any other vendor. Military cyber intelligence folks seem to be wrestling with 24×7 automated attacks at the same time the effervescent Elon Musk thwarts attempts to kill off his satellite-centric Internet service. After 100 days of deadly skirmishes, Russia has managed to turn off Ukrainian mobile service in several disputed regions. Speedy indeed.
Has DarkTrace succumbed to cyber threat marketing fatigue, and is it aiming for the fences with Tech NATO? The 2013 was pretty wild and crazy. Will Tech NATO follow a similar trajectory? But it’s summer and marketing is hard.
Stephen E Arnold, June 6, 2022
Follina, Follina, Making Microsofties Cry
June 6, 2022
I read “China-Backed Hackers Are Exploiting Unpatched Microsoft Zero-Day.” According to the estimable Yahoo News outfit:
China-backed hackers are exploiting an unpatched Microsoft Office zero-day vulnerability, known as “Follina”, to execute malicious code remotely on Windows systems…. The flaw, which affects 41 Microsoft products including Windows 11 and Office 365, works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts.
Ah, ha, Windows 11. The trusted protection thing? Yeah, well. The write up added some helpful time information:
The Follina zero-day was initially reported to Microsoft on April 12, after Word documents – which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview – were found abusing the flaw in the wild. However, Shadow Chaser Group’s crazyman, the researcher who first reported the zero-day, said Microsoft initially tagged the flaw as not a “security-related issue”. The tech giant later informed the researcher that the “issue has been fixed,” but a patch does not appear to be available.
Bob Dylan’s song makes this latest security issue easy to remember:
Follina, Follina
Girl, you’re on my mind
I’m a-sittin down thinkin of you
I just can’t keep from crying
Big sobs, not sniffles.
Stephen E Arnold, June 6, 2022
Microsoft and Security: This Must Be an April Fool Joke in May, Right?
May 27, 2022
I read “Pwn2Own Hackers Just Broke Into Windows 11 and Teams in a Single Day.” Was this an Onion article? A write up from a former Punch writer? An output from Google’s almost human super capable smart software?
Nope. The source is a reliable online publication called Make Use Of or MUO to its friends.
I learned:
Day one of Pwn2Own is over, and taking a look at the bounty board shows that Microsoft’s software didn’t stand up well to the onslaught. The event saw three successful attacks on Microsoft Teams, and two against Windows 11. Each successful hack was rewarded accordingly, with the lowest bounty coming in at an impressive $40,000, and the biggest at an eye-watering $150,000.
Ah, Windows 11 and the feature-spawning Teams!
My view of Windows 11 is that it was pushed out to distract some Silicon Valley type news reporters from the massively bad SolarWinds’ misstep. Few agree with me.
Be that as it may, Windows 11 does not seem to be the paragon of security that I thought Microsoft had described. You know, the TPM thing and the idea that certain computers were not able to deal with the Milli Vanilli approach to security. Catchy lyrics, but not exactly what paying customers expected.
The article cited concludes with this statement:
With hackers putting up big wins against Microsoft’s apps at Pwn2Own, it shows that the company’s software is perhaps not as secure as it should be. Hopefully, Microsoft can publish fixes for these exploits before they fall into the wrong hands.
Will Microsoft, like Netgear, find that it cannot “fix” certain issues with its software and systems?
Stephen E Arnold, May 27, 2022
Cybersecurity: Are the Gloves Off?
May 26, 2022
Cybersecurity has been a magnet for investments. Threats are everywhere! Threats are increasing! Ransomware destroys businesses, and yours will be next? A thousand bad actors took part in the SolarWinds’ misstep, right? The sky is falling!
Frightened yet?
Changes are evident. Let me offer two examples:
Lacework
The cybersecurity outfit Lacework has just allowed about 20 percent of their workforce to find their future elsewhere. Uber, perhaps? Piece work via Fiverr.com? A for-fee blog on Substack, the blog platform with real journalists, experts, pundits, wizards, etc.?
“Cloud Security Firm Lacework Lays Off 20% of Staff” reports:
A well-funded startup in the cybersecurity industry, Lacework, has become the latest tech firm to disclose a major round of layoffs amid fears of a broader economic slowdown. In a statement provided to Protocol, Lacework confirmed that the layoffs impacted 20% of its employees, in connection with what it called a “decision to restructure our business.”
Is the number of future hunters let loose in the datasphere accurate? The article points out that Lacework used the outstanding Twitter to say, 20 percent was a “significant overestimate.” Whom does one believe? In today’s world, I have to hold two contradictory statements in my mind because I sure as heck don’t know why a hot sector with a well funded company is making more parking available and reducing demand for the ping pong table.
Cybersecurity Does Not Work
For the second example, I noted an advertisement in my dead tree version of the Wall Street Journal. Here’s the ad from the May 26, 2022, publication:
The text of the Tanium advertisement declares that cybersecurity systems fail their customers. The idea is that there are many cybersecurity vendors, and each offers pretty good barriers to a couple of threats. The customers of these firms have to buy multiple solutions. The fix? License Tanium, a “best place to work.”
Stepping Back
The first example provides a hint that certain companies in the cybersecurity market are taking steps to reduce costs. Nothing works quite as well as winnowing the herd. My hunch is that Lacework is like a priest in ancient Greece poking at a sacrificial lamb and declaring, “Prepare for the pestilence and the coming famine. Have a good day.”
The second example may signal that the policy of cybersecurity vendors not criticizing one another is over. Tanium is criticizing a pride of cyber lions. My hunch is that the gloves will be coming off. Saying that no other vendor can deal with cyber threats in the Wall Street Journal is a couple of levels above making snarky comments in a security trade show booth.
Net Net
Bad actors can add some of the Lacework castoffs to their virtual crimeware teams hiding behind the benign monikers of front companies in Greece and Italy, among other respected countries. The Tanium ad copy offers proof that existing cyber defense may have some gaps. The information will encourage bad actors to keep chipping away at juicy online targets. Change has arrived.
Stephen E Arnold, May 26, 2022
Cyber Safeguards: Do Digital Prophylactics Have Holes?
May 19, 2022
I have had a sneaking suspicion that cyber security vendors were prone to exaggerating the capabilities of their systems. I sit in webinars in which I hear about the exploit of the day. I scan newsfeeds in which cyber security and threat intelligence experts announce each exploit with considerable confidence. (Why don’t other cyber security vendors announce the same exploit? Each vendor, it appears to me, finds something unique to explain and then neutralize…. after the fact.) I look at dozens of news releases about cyber security, threat detection, and the ransomware gang wanting citizens of Costa Rica to overthrow the country. So many vulnerabilities, it seems.
“Report: 80% of Cyberattack Techniques Evade Detection by SIEMs” highlights a contrarian report from an outfit named CardinalOps. (You can learn more about the company at this link.) This company, founded in 2020, is involved in the security information and event management business. The acronym is SIEM, and it is bandied about with considerable abandon as a must-know acronym.
The VentureBeat article describes some of the information in the CardinalOps monograph called “The State of SIEM Detection Risk: Quantifying the Gaps in MITRE ATT&CK Coverage for Production SIEMs.”
(The catchy name MITRE ATT&CK refers to a knowledge base from MITRE, which began as an MIT research activity. Here’s how MITRE describes it:
a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.)
With the jargon behind me, I want to highlight this passage from the article published by the estimable VentureBeat:
enterprise SIEMs are missing detections for 80% of all MITRE ATT&CK techniques and only address five of the top 14 ATT&CK techniques employed by adversaries in the wild.
What the CardinalOps monograph seems to say to me is: “The cyber security vendors’ software and systems don’t work as advertised.”
If I interpret the VentureBeat article correctly, the story ventures into territory avoided by most of those involved in cyber security. Criticizing the dozens, nay, hundreds of cyber defense companies and their services has been a no-no in my experience. Outfits which purport to review these systems rarely suggest that out of a hundred threats, about four out of five will zip right through the defenses.
(Is this why some upscale consultants suggest using layers of security? This phrase means to me: “License lots of systems and maybe the combination will stop threats.” The implication is that if one system is only 20 percent effective, and if, as I understand it, each cyber security vendor has some method to stop the stuff its experts have identified, then the average company only requires five systems running at the same time to reduce risks.)
The VentureBeat article about the CardinalOps report offers:
Rather than rely on subjective survey-based data, CardinalOps analyzed configuration data from real-world production SIEM instances to gain visibility into the current state of threat detection coverage in modern Security Operations Centers (SOCs). These organizations represent multibillion dollar, multinational corporations, which makes this one of the largest recorded samples of actual SIEM data analyzed to date, encompassing more than 14,000 log sources, thousands of detection rules and hundreds of log source types.
Okay, hard data, not soft podcast-grade chatter.
So what’s the fix if you are using popular systems from outfits like the lovable Microsoft, the firm which shipped an update that breaks domain security? The article states:
The latest CardinalOps research provides readers with a series of best practice recommendations to help CISOs and detection engineering teams address these challenges, and be more intentional about how detection coverage is measured and continuously improved over time.
I think this means consulting. No surprise there.
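One way to measure that coverage yourself, as an added example that is not CardinalOps’, VentureBeat’s or MITRE’s code: it rolls the sub-technique tags on exported SIEM rules up to their parent techniques, ignores disabled rules, and reports catalog coverage plus the gaps against a “top techniques” list. The rule set, the technique catalog and the top-techniques list are constructed stand-ins, not the report’s data.

```python
"""Measure SIEM detection coverage against a list of MITRE ATT&CK techniques.

Added example, not CardinalOps, VentureBeat or MITRE code. The rules, catalog
and "top techniques" list are constructed stand-ins; a real run would load the
SIEM's rule export and the full ATT&CK catalog (MITRE's published STIX data).
"""
import re
from collections import defaultdict

# Sigma-style tags such as "attack.t1059.001"; group 1 is the parent technique.
TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4})(?:\.\d{3})?$", re.IGNORECASE)

# Constructed sample of exported SIEM rules (not production data).
SAMPLE_RULES = [
    {"name": "PowerShell encoded command", "enabled": True,
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"name": "LSASS memory access", "enabled": True,
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"name": "WMI remote process launch", "enabled": False,  # disabled: no coverage
     "tags": ["attack.execution", "attack.t1047"]},
    {"name": "Phishing attachment opened", "enabled": True,
     "tags": ["attack.initial_access", "attack.t1566.001"]},
    {"name": "Untagged legacy rule", "enabled": True, "tags": []},  # counts for nothing
]
# Constructed subset of technique IDs standing in for the ATT&CK catalog.
SAMPLE_CATALOG = ["T1003", "T1021", "T1047", "T1053", "T1059",
                  "T1071", "T1078", "T1105", "T1486", "T1566"]
# Constructed stand-in for a "most used in the wild" list.
SAMPLE_TOP_TECHNIQUES = ["T1059", "T1078", "T1047", "T1021", "T1003", "T1566"]


def techniques_for_rule(rule):
    """Parent technique IDs a rule claims to detect (sub-techniques roll up)."""
    found = set()
    for tag in rule.get("tags", []):
        m = TECHNIQUE_RE.match(tag)
        if m:
            found.add(m.group(1).upper())
    return found


def covered_techniques(rules, include_disabled=False):
    """Map technique ID -> names of the rules that detect it."""
    coverage = defaultdict(list)
    for rule in rules:
        if not rule.get("enabled", True) and not include_disabled:
            continue  # a rule that is switched off detects nothing
        for tid in techniques_for_rule(rule):
            coverage[tid].append(rule["name"])
    return dict(coverage)


def coverage_report(rules, catalog, top_list):
    """Catalog coverage fraction plus the top techniques that nothing detects."""
    covered = covered_techniques(rules)
    catalog_set = set(catalog)
    detected = sorted(catalog_set & set(covered))
    missing_top = [t for t in top_list if t not in covered]
    return {
        "catalog_size": len(catalog_set),
        "detected": detected,
        "coverage": len(detected) / len(catalog_set) if catalog_set else 0.0,
        "top_covered": len(top_list) - len(missing_top),
        "top_total": len(top_list),
        "missing_top": missing_top,
    }


if __name__ == "__main__":
    r = coverage_report(SAMPLE_RULES, SAMPLE_CATALOG, SAMPLE_TOP_TECHNIQUES)
    print(f"ATT&CK coverage: {r['coverage']:.0%} ({len(r['detected'])}/{r['catalog_size']})")
    print(f"Top techniques covered: {r['top_covered']}/{r['top_total']}")
    print("Uncovered top techniques:", ", ".join(r["missing_top"]))
```

On the constructed sample the enabled rules cover 3 of 10 catalog techniques and 3 of the 6 “top” ones; the disabled WMI rule shows up as a gap until it is switched back on.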
To get a copy of the report, click here and amp up your fear. Email and captcha hoops required. You know, for security.
Net net: Marketing information may not describe accurately cyber security capabilities. Is this news?
Stephen E Arnold, May 19, 2022
On Mitigating Open-Source Vulnerabilities
May 16, 2022
Open-source software has saved countless developers from reinventing the proverbial wheel so they can instead spend their time creating new ways to use existing code. That’s great! Except for one thing: Now that open-source components make up about 90% of most applications, they pose tempting opportunities for hackers. Perhaps the juiciest targets lie in the military and intelligence communities. US counter-terrorism ops rely heavily on the likes of Palantir Technologies, a heavy user of and contributor to open-source software. Another example is the F-35 stealth fighter, which operates using millions of lines of code. A team of writers at War on the Rocks explores “Dependency Issues: Solving the World’s Open-Source Software Security Problem.” Solve it? Completely? Right, and there really is a tooth fairy. The article relates:
“The problem is that the open-source software supply chain can introduce unknown, possibly intentional, security weaknesses. One previous analysis of all publicly reported software supply chain compromises revealed that the majority of malicious attacks targeted open-source software. In other words, headline-grabbing software supply-chain attacks on proprietary software, like SolarWinds, actually constitute the minority of cases. As a result, stopping attacks is now difficult because of the immense complexity of the modern software dependency tree: components that depend on other components that depend on other components ad infinitum. Knowing what vulnerabilities are in your software is a full-time and nearly impossible job for software developers.”
So true. Still, writers John Speed Meyers, Zack Newman, Tom Pike, and Jacqueline Kazil sound optimistic as they continue:
“Fortunately, there is hope. We recommend three steps that software producers and government regulators can take to make open-source software more secure. First, producers and consumers should embrace software transparency, creating an auditable ecosystem where software is not simply mysterious blobs passed over a network connection. Second, software builders and consumers ought to adopt software integrity and analysis tools to enable informed supply chain risk management. Third, government reforms can help reduce the number and impact of open-source software compromises.”
The article describes each part of this plan in detail. It also does a good job explaining how we got so dependent on open-source software and describes ways hackers are able to leverage it. The writers submit that, by following these suggestions, entities both public and private can safely continue to benefit from open-source collaboration. If the ecosystem is made even a bit safer, we suppose that is better than nothing. After all, ditching open-source altogether seems nigh impossible at this point.
Cynthia Murrell, May 16, 2022
Some Criticism of Microsoft? Warranted or Not?
May 13, 2022
Microsoft’s LinkedIn comes out on top—in one regard, anyway. IT-Online reports, “LinkedIn the Brand Most Imitated for Phishing.” In its Brand Phishing Report for the first quarter of 2022, Check Point Research found the professional network was imitated in more than half of all phishing attempts during January, February, and March. The write-up tells us:
“Dominating the rankings for the first time ever, LinkedIn accounted for more than half (52%) of all phishing attempts during the quarter. This represents a dramatic 44% uplift from the previous quarter, where the professional networking site was in fifth position accounting for only 8% of phishing attempts. LinkedIn overtook DHL as the most targeted brand, which is now in second position and accounted for 14% of all phishing attempts during the quarter.”
Social media platforms in general jumped in popularity as phishing spots. Shipping companies like DHL, which became attractive targets with the rise in e-commerce, are now in second place. Apparently different types of companies make juicy bait for different kinds of attacks. The article quotes Check Point’s Omer Dembinsky:
“Some attacks will attempt to gain leverage over individuals or steal their information, such as those we’re seeing with LinkedIn. Others will be attempts to deploy malware on company networks, such as the fake emails containing spoof carrier documents that we’re seeing with the likes of Maersk.”
Of course, a phishing attack can only work if someone falls for it. Do not be that person. Dembinsky advises:
“The best defense against phishing threats, as ever, is knowledge. Employees in particular should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users in particular should be extra vigilant over the course of the next few months.”
In Check Point’s list of the top ten companies to find themselves on phishing hooks, LinkedIn and DHL are followed by Google (at 7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%), and Apple (0.8%).
Cynthia Murrell, May 13, 2022
Using a VPN in India?
May 10, 2022
I read “VPN Providers Are Ordered to Store User Data for 5 or More Years in India.” The land of Khichdi is a fair piece from rural Kentucky. On the other hand, the VPN providers and crypto exchange platforms can be as near as one’s mobile phone or laptop. So what?
The write up points out:
The Indian government has published a directive that will force VPN providers and crypto exchange platforms to store user data for at least five years, even when customers have since terminated their relationship with the companies in question. Decision makers at businesses who don’t comply with the new ruling could face up to one year in prison, with it going into effect in late June 2022.
Yes, just another law. What makes this interesting is that VPN, according to some enthusiastic promotional material, preserves one’s online privacy. That sounds like a great idea to many people.
What happens if those VPN records are reviewed prior to their deletion by the VPN providers who insist that the users’ data are not preserved? I also like the VPN vendors who suggest that logs are not preserved.
If India’s directive yields some bad actor identification and incarceration, what other countries will use India’s approach as a springboard? The abuse of some online capabilities has been friction free in some places. Russia appears to have some doubts about VPNs. China? Yep, China too.
Perhaps the days of laissez-faire will end with a reprimand from Yama?
Stephen E Arnold, May 10, 2022
Cyber Security: Oxymoron?
May 9, 2022
I read an interesting article called “Botnet That Hid for 18 Months Boasted Some of the Coolest Tradecraft Ever.” I am not sure I would have described the method as “cool,” but as some say, “Let many flowers bloom.”
The main point of the article is a sequence of actions which compromise a target without calling attention to the attack or leaving size 13 digital footprints. The diagrams provide a broad overview of the major components, but there are no code snippets. That’s a plus in my book because many cyber revelations are cookbooks with easy-to-follow recipes for dorm room cyber snacks.
What caught my attention is this statement in the excellent write up:
One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.
I also noted:
“Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the Mandiant researchers wrote. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”
With the core functionality of Microsoft software and services serving as the pivot for the attacker’s systems and methods, what does this suggest about cyber security going forward?
My answer: There is an attack surface of significant scope, and the activity is undetectable except by specialized analyses. The ball is in the hands of Microsoft. The bad actors just toss it around.
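What one of those specialized analyses looks like, as an added example and not Mandiant’s or Ars Technica’s code: a scan of Sysmon-style process-creation records for shells whose parent is the WMI provider host, grouped by account so that one set of credentials touching several systems stands out. The log lines are constructed here, and the field names are assumed to follow Sysmon Event ID 1.

```python
"""Flag command shells launched through WMI (Sysmon-style process events).

Added example, not Mandiant's or Ars Technica's code. A process started
remotely through WMI runs under the WMI provider host (WmiPrvSE.exe), so a
shell whose parent is WmiPrvSE.exe is the signal; one account doing this on
several hosts is the lateral-movement shape to escalate. Field names follow
Sysmon Event ID 1; the events themselves are constructed for this example.
"""
import json
import ntpath
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
WMI_HOST = "wmiprvse.exe"


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad record must not stop the scan
    return events


def is_wmi_shell(event):
    """True for a process-creation event in which WmiPrvSE.exe spawned a shell."""
    parent = ntpath.basename(event.get("ParentImage") or "").lower()
    image = ntpath.basename(event.get("Image") or "").lower()
    return event.get("EventID") == 1 and parent == WMI_HOST and image in SHELLS


def find_wmi_shells(events):
    """Compact alert records for every WMI-spawned shell, in log order."""
    return [{"time": e.get("UtcTime"), "host": e.get("Computer"),
             "user": e.get("User"), "cmdline": e.get("CommandLine")}
            for e in events if is_wmi_shell(e)]


def hosts_per_user(alerts):
    """Group alerts by account; one account on many hosts is the pivot pattern."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["user"]].add(a["host"])
    return {user: sorted(hosts) for user, hosts in seen.items()}


# Constructed sample log: a benign shell, two WMI-spawned shells, one bad line.
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 1, "UtcTime": "2022-05-01 10:00:00", "Computer": "FS01",
                "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "cmd.exe", "User": "CORP\\alice"}),
    json.dumps({"EventID": 1, "UtcTime": "2022-05-01 10:05:12", "Computer": "FS01",
                "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                "CommandLine": "cmd.exe /Q /c whoami", "User": "CORP\\svc-backup"}),
    json.dumps({"EventID": 1, "UtcTime": "2022-05-01 10:07:40", "Computer": "MAIL02",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                "CommandLine": "powershell.exe -c Get-Service", "User": "CORP\\svc-backup"}),
    "{not json",
])

if __name__ == "__main__":
    alerts = find_wmi_shells(parse_events(SAMPLE_LOG))
    for a in alerts:
        print(f"{a['time']} {a['host']} {a['user']}: {a['cmdline']}")
    print("hosts per account:", hosts_per_user(alerts))
```

Run against a real Sysmon export, the parent-process check alone will also fire on legitimate management tooling that uses WMI, so the per-account host fan-out is the part worth tuning before alerting.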
Stephen E Arnold, May 9, 2022
What Is Crazier Than Enterprise Search? Maybe Content Management Systems?
May 4, 2022
I met a content management system guru many years ago. He explained to me in a remarkably patronizing way that CMS was the future of enterprise content. The words “all” and the phrase “search is just a utility” still echo when I think of him.
He was incorrect. CMS is certainly not a replacement for an XML repository which can “point” to objects like a sales presentation which began life as a PowerPoint and then emerged as a nifty PDF for the 20 somethings in marketing.
CMS, in my view, boils down to clunky systems which allow different people with a wide range of cognitive content to create, retrieve, and do stuff with text and some art. Search remains pretty darned crazy as a market sector, but there are some open source options and a number of semi-useful cloud services. The tendency for art history majors to bandy the word “all” in chats about a CMS continues to make me laugh. Right, “all”. What about company videos on RuTube.ru? I am waiting for an answer.
There is something at which CMS is quite skilled. “Vulnerable Plugins Plague the CMS Website Security Landscape” states:
According to the researchers, vulnerable plugins and extensions “account for far more website compromises than out-of-date, core CMS files,” with roughly half of website intrusions recorded by the firm’s clients occurring on a domain with an up-to-date CMS. Threat actors will often leverage legitimate — but hijacked — websites to host malware, credit card skimmers, or for the deployment of spam.
Thank goodness these CMS cannot index “all” content, which limits breach risks to some degree.
Quite an attack surface: Art history majors versus the bad actors with engineering degrees from a technical university or an enterprising coder who dropped out of school to sell his services via Aletenen.
Stephen E Arnold, May 4, 2022