Cisco Systems: Security? Well, the Ads Say So

August 12, 2022

I read a mildly amusing article which revealed a flaw in Cisco Systems’ security. The write up was “Cisco Hacked by Yanluowang Ransomware Gang, 2.8GB Allegedly Stolen.”

Why did I chuckle?

I noted these ads in a recent Google search about — you guessed it — network security.

The first ad is for networking solutions and Cisco’s secure firewall. Gander at this:

[image: Cisco secure firewall ad]

The second ad popped up when I searched for Cisco and its super expert Talos unit. Talos, an acquisition from Israel, is supposed to be one of the Fancy Dan threat intelligence outfits. The idea is that you know before there is trouble. Peek at this:

[image: Cisco Talos ad]

You can download the report from this link.

What did the article report as spot on information? Here’s a passage I noted:

The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations. The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company’s corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.
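A defender-side detection for the push-fatigue sequence the quoted passage describes, added here as an example (not code from the article, Cisco, or Talos); it assumes a constructed three-field MFA push log and a hypothetical ten-minute window:

```python
"""Flag MFA push-fatigue: an APPROVED push preceded by a burst of rejected
or ignored pushes for the same user. Added example; log format is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). Fields: timestamp user result
SAMPLE_LOG = """\
2022-08-10T02:14:05Z alice DENIED
2022-08-10T02:14:41Z alice TIMEOUT
2022-08-10T02:15:20Z alice DENIED
2022-08-10T02:16:02Z alice TIMEOUT
2022-08-10T02:17:48Z alice APPROVED
2022-08-10T09:01:10Z bob APPROVED
2022-08-10T09:30:00Z carol DENIED
2022-08-10T13:30:00Z carol APPROVED
"""


def parse_events(text):
    """Parse lines of 'ISO-8601 user RESULT' into (datetime, user, result)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Return (user, approval_time, rejections) for every APPROVED push that
    was preceded by at least min_rejections DENIED/TIMEOUT pushes inside
    the window. A lone denial followed hours later by an approval is normal
    user behaviour and is not flagged."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort()  # sort by timestamp
        for i, (ts, _, result) in enumerate(evs):
            if result != "APPROVED":
                continue
            rejections = sum(
                1 for (t, _, r) in evs[:i]
                if r in ("DENIED", "TIMEOUT") and ts - t <= window
            )
            if rejections >= min_rejections:
                hits.append((user, ts, rejections))
    return hits


if __name__ == "__main__":
    for user, when, n in find_push_fatigue(parse_events(SAMPLE_LOG)):
        print(f"possible push fatigue: {user} approved at {when} after {n} rejected pushes")
```

Alerting on this pattern, and rate-limiting push prompts so the burst cannot happen, is the defensive counterpart to the sequence described above.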

Several observations:

  1. Cisco identified the bad actors as a group which sure seems to be from a specific country. Russia? No, that nation state has demonstrated that some of its tactical expertise falls short of a high water mark probably captured in a PowerPoint deck. Tanks? Remember?
  2. The security breach was something the vaunted Cisco security systems could not handle. An insider. Interesting because if this is indeed accurate, no organization can protect itself from an insider who is intentionally or unintentionally compromised. Is this useful information for a bad actor?
  3. If the Cisco security systems and its flow of threat intelligence were working, why is the company only after the fact able to enhance or improve its own security? Wasn’t there a fairy tale about the shoemaker’s children not having a snappy new pair of collectible shoes?

Net net: The buzz about a group of companies banding together to share security related information is interesting. What this story about the Cisco breach tells me is that teaming up is a way of circling the wagons. Maybe PowerPoints and ads are not completely accurate? Nah, impossible.

Stephen E Arnold, August 12, 2022

DARPA Works to Limit Open Source Security Threats

August 9, 2022

Isn’t it a little late? Open-source code has become an integral part of nearly every facet of modern computing, including military and critical infrastructure applications. Now, reports MIT Technology Review, “The US Military Wants to Understand the Most Important Software on Earth.” It seems military researchers have just realized there is no control over, or even accounting for, the countless contributors to open-source projects like the Linux kernel. That software alone underpins the operation of most computers. And yet the feature that makes open-source software free and, therefore, ubiquitous also makes it vulnerable to bad actors.

Since it cannot turn back the clock and consider security before open-source code got baked into critical software, DARPA will instead scrutinize the people and organizations behind open-source projects. The program, dubbed “SocialCyber,” will take 18 months and millions of dollars to implement. It will use a combination of the latest AI tech and good old-fashioned sociology to pinpoint potential threats. Reporter Patrick Howell O’Neill writes:

“The ultimate goal is to detect and counteract any malicious campaigns to submit flawed code, launch influence operations, sabotage development, or even take control of open-source projects. To do this, the researchers will use tools such as sentiment analysis to analyze the social interactions within open-source communities such as the Linux kernel mailing list, which should help identify who is being positive or constructive and who is being negative and destructive. The researchers want insight into what kinds of events and behavior can disrupt or hurt open-source communities, which members are trustworthy, and whether there are particular groups that justify extra vigilance. These answers are necessarily subjective. But right now there are few ways to find them at all. Experts are worried that blind spots about the people who run open-source software make the whole edifice ripe for potential manipulation and attacks. For Bratus, the primary threat is the prospect of ‘untrustworthy code’ running America’s critical infrastructure—a situation that could invite unwelcome surprises. …This kind of research also aims to find underinvestment—that is critical software run entirely by one or two volunteers.”

The program relies on partnerships between DARPA and several small cybersecurity research firms like New York’s Margin Research. These firms will ascertain who is working on what open-source projects. Margin will focus on Linux, considered the most urgent point of concern. Open-source programming language Python, which is often used in machine-learning projects, is another priority. SocialCyber is quite an undertaking—it is the pound of cure we could have avoided with an ounce of foresight several years ago.

Cynthia Murrell, August 9, 2022

How Secure Is Cyber Security?

July 27, 2022

I have noted that cyber security companies invite me to webinars, briefings, conferences, and telephone calls. The subject of these calls is usually advanced, next-generation, proactive, smart, and intelligent cyber security solutions. The idea is that I will mention these firms in my lectures to law enforcement, crime analysts, and intelligence professionals. I sit through some. One outfit offers weekly seven to 10 minute reports about some new, absolutely horrible cyber threat. Others want me to join a Zoom to watch a series of PowerPoint slides showing how the latest Zero Day will make life miserable for companies without their cloud-based security system.

I then read item after item about a new variant of a RAT, an exploit taking advantage of the Swiss cheese of enterprise software, or some new dump of personal financial data on a Dark Web site selling fullz. It seems to me as if the cyber security sector is better at marketing than delivering cyber security. That’s just my opinion, and I usually don’t make a big deal of the veggie burgers being sold as 100 percent prime sirloin.

I read “Digital Security Giant Entrust Breached by Ransomware Gang.” The article does little to make me feel warm and fuzzy about cyber security systems and their vendors. I learned:

Digital security giant Entrust has confirmed that it suffered a cyber attack where threat actors breached their network and stole data from internal systems.

Who are the customers of this “digital security giant”? The write up reported:

This includes US government agencies, such as the Department of Energy, Department of Homeland Security, the Department of the Treasury, the Department of Health & Human Services, the Department of Veterans Affairs, the Department of Agriculture, and many more.

Great. How effective are those whiz bang cyber security systems?

Yeah. I think I know the answer. Marketing is easier than delivering cyber security that works.

Stephen E Arnold, July 27, 2022

Google Play: Autosubscriber

July 22, 2022

I came across a presentation available from the cyber firm Evina. “Autolycos” explains that one can / could download a malicious app from the Google Play Store. (How’s that smart software working to prevent this type of situation, Google? Hello, Google, are you there?)

The write up states:

In July 2022, a new malware family was discovered by top malware experts at Evina. This discovery is remarkable because new malware families are rarely detected (about once a year) and this specific new malware works in an entirely new way.

The operative word is “new.” Why is this important? Cyber security is a reactive business despite the marketing that says, “We predict threats before they do harm?” Well, marketing.

Among the malicious apps are:

  • CoCo Camera
  • Creative 3D Launcher
  • Freeglow Camera
  • Funny Camera
  • GIF Keyboard
  • Razer Keyboard and Theme
  • VLOG Star Video Editor
  • WOW Camera.

Aimed at younger folks? Sure looks that way.

The report points out:

The malware launches fraud attempts by . For some steps, it can execute urls on a remote browser and embed these results in the http requests. This operation is intended to make it harder for Google to differentiate Autolycos infected apps from legitimate ones. This is exactly why Autolycos remained unidentified for so long and reached over 3 million downloads.

The good news is that the apps appear to be popular outside the US, but there is tomorrow.

Stephen E Arnold, July 22, 2022

Is The TikTok Google Allegation Accurate?

July 21, 2022

Good question. I know that any outfit offering a “service” has individuals who can look at data, metadata, and any other “stuff” associated with a particular entity; for example, spend limit, contacts, and geodata. Privacy and security depend on access controls. In theory, certain data are sandboxed and special approvals may be needed to get into that nifty play area. The hitch in the git-along is that a system fails, a senior executive needs something now to close a big deal, a friend begs for help with such and such a problem. There’s also just the endemic “good enough” and “close enough for horse shoes” attitude which affects everyone from TV personalities interacting with Air France to a busy parent trying to buy a hamburger and shake for a hungry lacrosse player at 4 pm on a blistering day in rural Kentucky.

That means… gaps, slip ups, work arounds, and doing what’s needed to fill time or get something done fast.

I read “Nothing Is Private: TikToker Who Says She’s a Former Google Admin Warns Workers about Work Accounts.” The information in the article is about a revelation on TikTok. The problem is that I am not sure the behavior described is accurate. Heck, it could be fabricated for some clicks and maybe an appearance on the Joe Rogan podcast. Fame is where you find it today.

The article states what a TikTok denizen said:

Whatever you put in that account—whether it’s emails, photos, Google Drive documents, or anything else—is not private.

Okay, clear enough.

For fun, let’s assume the Xoogler spilling the beans on the utility of having access to billions of users’ information is sort of true.

Shocking?

Nah.

The write up says:

that means that a company has access to all of the documents within someone’s company Google account, which can include things like email drafts, G-chats, and Google Drive uploads. This also reportedly applies to universities with student Google accounts. Furthermore, one does not have to leave the job or university for their administrators to obtain this access. “I can get into any of it,” Lauren says. “Any of it!”

Ads, folks. Ads mean money. Who can resist generating revenue, beating performance targets, and getting a big bonus? Once Google would toss in a ski trip or a mouse pad. Go for it. The incentive plan is what makes the Googlers spin.

What’s the fix? The answer is:

Delete. Delete. Delete.

Sounds like reasonable advice if deletion is indeed “real.” Data are backed up, and delete usually means removing a pointer to an object in a file. Those backups, the copies of data tables on a marketing department laptop, or the data required to whip up a projection based on use of information to spur quicker depletion of ad inventory?

Probably not deleted.

Let’s assume the write up describes something the Google does not, could not, would not, and will not do. Wow. Bullet dodged.

But… what if…? Wow. Bullets incoming.

Stephen E Arnold, July 21, 2022

Proofpoint: Journalists Wear a Bull’s Eye instead of a Shirt with Ink Stained Cuffs

July 19, 2022

Proofpoint is a cyber security firm. The company published an interesting blog essay called “Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media.” The write up presents allegedly accurate information that a number of nation states are targeting journalists. This makes sense because some journalists are, in effect, crime and intelligence analysts at heart. Their methods are often similar to those used by certain government organizations.

Is this a new insight from the world’s intelligence professionals? I don’t think so.

The write up states:

Journalists and media organizations are well sought-after targets with Proofpoint researchers observing APT actors, specifically those that are state-sponsored or state-aligned, routinely masquerading as or targeting journalists and media organizations because of the unique access and information they can provide. The media sector and those that work within it can open doors that others cannot. A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification. A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere. Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated import.

What nation states are allegedly targeting certain journalists? The article mentions by name these countries:

  • China
  • Iran
  • North Korea
  • Turkey (sic). The country’s new name is Türkiye

The article includes examples of the Proofpoint analysts’ identification of actions.

The write up concludes with what appears to be some free advice:

The varied approaches by APT actors—using web beacons for reconnaissance, credential harvesting, and sending malware to gain a foothold in a recipient’s network—means those operating in the media space need to stay vigilant.

Many journalists, in my experience, are unaware of the nuances of staying vigilant. Targets are targets because they can be hit. Examples of what has happened are interesting. May I suggest that journalists receive appropriate instruction when learning their craft. Instruction in vigilance may need to be upgraded or enhanced. Many journalists — particularly what I call the Silicon Valley variety — are more interested in recognition, media clout, and being visible than stepping back and asking, “Have I been targeted, played, and manipulated?”

Stephen E Arnold, July 19, 2022

The Cost of Cyber Security Misconfiguration

July 18, 2022

The numbers tossed around about the cost of a security breach are interesting. I have formed the opinion that the cost estimates are a result of what I have called spreadsheet fever. Plug in numbers, make them flow, and go, baby, go. I read “Razer Seeks $7m from Capgemini for 2020 Data Breach.” The write up explains:

The Singapore-born gaming firm is seeking compensation of nearly US$7 million in damages, which also includes a US$2,000 reward to the security researcher who discovered the breach under the company’s bug bounty program.

What outfit is the target of the litigation? The write up says:

In its lawsuit, Razer alleged that the security breach was the result of a misconfiguration of the “ELK Stack,” caused by one of Capgemini’s employees.

The ELK is not the majestic animal. The ELK in the cyber context represents open source software glued together to deliver a range of security features. The trick is the configuration. Get a setting wrong, and the ELK is less healthy than some observers suspect. An unhealthy ELK can be problematic. This is not a big dead animal in the climate changed world. This creature puts revenue and others at risk of catching a bad disease themselves; for example, standing in the unemployment line, working the phone to reclaim their identity, and applying for a job at one of the booming cyber security vendors. Well, maybe not that particular angle.

The outcome of the lawsuit may provide some more data about the cost of a cyber screw up and details about the how of the alleged misstep.

Stephen E Arnold, July 19, 2022

Microsoft Security Team Helps Android Users. What about Microsoft Users? Meh?

July 13, 2022

Two items caught my attention this morning (July 4, 2022).

The first is “ALERT! Microsoft warns of dangerous Android malware on your phone that intercepts OTP, SMS too.” Locating this story might be tricky. I noted it on DailyHunt, an information service in India. The url displayed for me is in this link. Your mileage may vary. Yeah, the modern Internet. The article reports:

Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware.

What’s the fix? Here’s a helpful suggestion:

A rule of thumb is to avoid installing Android applications from untrusted sources (side loading) and always follow up with device updates.

The second was “Android Toll Fraud malware can subscribe users to premium services without consent.” Once again, the link to my source is this information highway signpost. Good luck because this may be similar to the now long gone Burma Shave signs. The article informed me that:

The toll fraud malware… purchases subscription on behalf of the user in a way that the overall process isn’t perceivable.

So what’s the fix?

One of the easiest ways to protect yourself from this malware is by downloading the latest version of the available software update on your smartphone. Apart from that, avoid installing Android applications from untrusted sources. In addition to that, avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.

Helpful indeed.

Here’s a quick question: What about Microsoft security for its products and services? Meh. What’s important is a little bit of negative PR for the fun loving Googlers.

Stephen E Arnold, July 13, 2022

TikTok: One US Government Agency Is Not Addicted

July 6, 2022

“U.S. FCC Commissioner Wants Apple and Google to Remove TikTok from Their App Stores” appears to have avoided the digital addiction which some attribute to TikTok. As I have pointed out in my lectures, some Silicon Valley “real news” types are just thrilled with TikTok. Others, like myself, view the app with considerable suspicion. It appears that the US Federal Communications Commission has some doubts as well.

The write up states:

A leader of the U.S. Federal Communications Commission said he has asked Apple and Google to remove TikTok from their app stores over China-related data security concerns.

The article points out:

  1. A China connection
  2. Data hoovering
  3. A surveillance tool.

The real news folks did not mention TikTok’s usefulness as a psyops weapon.

Oh, well. Why would psyops be important? Possibly manipulation, blackmail, weaponized information. Yeah, no big deal.

Stephen E Arnold, June xx, 2022

The Evolving Ransomware Arena

June 29, 2022

A new report from cybersecurity firm KELA updates us on shifts within the ransomware ecosystem. ZDNet summarizes the findings in, “Ransomware Attacks Have Dropped. And Gangs Are Attacking Each Other’s Victims.” The good news—the number of victims dropped by about 40% from 2021’s last fiscal quarter to the first quarter of this year. The bad news—financial services organizations are now in the top four targeted sectors. Time for each of us to confirm we have unique passwords for our banking logins. And maybe create fresh ones while we are at it.

Writer Charlie Osborne also gives us a little dirt from behind the ransomware scenes:

“A notable shift is Conti’s place as one of the most prolific ransomware groups, alongside LockBit, Hive, Alphv/Blackcat, and Karakurt. … During the first few months of this year, Conti publicly pledged its support for Russia’s invasion of Ukraine. Following the Russian-speaking group’s declaration, in retaliation, an individual broke into its systems and leaked Conti’s malware code and internal chat logs – a treasure trove for researchers and defenders alike. While security teams were able to use the leaks to improve their understanding of the ransomware gang’s operations, it also impacted Conti’s place in the pecking order. According to KELA, Conti has been booted from the top spot in the months following the leak. While still active, it appears that Conti’s victim list decreased from January, with LockBit moving up the ranks. In Q1, LockBit hit 226 recorded victims, ranging from manufacturing and technology to the public sector. However, together with its suspected subsidiary KaraKurt, Conti is still the second-most active ransomware gang in 2022. Alphv is considered an emerging threat by KELA as a new player, having only really hit the spotlight in December 2021.”

And the race for dominance continues. The competition appears to be cutthroat, with gangs apparently attacking each other and/or targeting the same victims: In some cases, the stolen data published by several gangs was identical. Then again, that could be the result of cooperation. Researchers also found evidence of ransomware gangs collaborating with each other. How nice.

Cynthia Murrell, June 29, 2022
