Cyber Security: PowerPoints Are Easy. Cyber Security? Not So Much
June 21, 2022
I receive a couple of cyber security, cyber threat, and cyber risk reports every week. What’s interesting is that each of the cyber security vendors mentioned in the news releases, articles, and blog posts discovers something no other cyber outfit talks about. Curious.
I read “Most Security Product Buyers Aren’t Getting Promised Results: RSA Panel.” The article explains that other people poking around in security have noticed some oddities, if not unexplained cyber threats too.
The article reports:
Hubback [an expert from ISTARI] said that “90% of the people that I spoke to said that the security technologies they were buying from the market are just not delivering the effect that the vendors claim they can deliver. … Quite a shocking proportion of people are suffering from technology that doesn’t deliver.”
I found this factoid in the write up interesting:
…vendors know their product and its strengths and weaknesses, but buyers don’t have the time or information to understand all their options. “This information asymmetry is the classic market for lemons, as described by George Akerlof in 1970,” said Hubback. “A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can’t properly evaluate what they’re buying.”
Exploitation of a customer’s ignorance and trust?
Net net: Is this encouraging bad actors?
Stephen E Arnold, June 21, 2022
NSO Group: Is This a Baller Play to Regain Its PR Initiative or a Fumble?
June 15, 2022
Secrecy and confidentiality are often positive characteristics in certain specialized software endeavors. One might assume that firms engaged in providing technology, engineering support, and consulting services would operate with a low profile. I like to think of my first meeting with Admiral Craig Hosmer. We each arrived at the DC Army Navy Club at 2:30 pm Eastern time. The Admiral told me where to sit. He joined me about 15 minutes later. The Club was virtually empty; the room was small but comfortable; and the one staff member was behind the bar doing what bartenders do: Polishing glasses.
Looking back on that meeting in 1974, I am quite certain no one knew I was meeting the Admiral. I have no idea where the Admiral entered the building nor did I see who drove him to the 17th Street NW location. My thought is that this type of set up for a meeting was what I would call “low profile.”
“US Defence Contractor in Talks to Take Over NSO Group’s Hacking Technology” illustrates what happens when the type of everyday precautions Admiral Hosmer took are ignored. A British newspaper reports:
The US defence contractor L3Harris is in talks to take over NSO Group’s surveillance technology, in a possible deal that would give an American company control over one of the world’s most sophisticated and controversial hacking tools. Multiple sources confirmed that discussions were centered on a sale of the Israeli company’s core technology – or code – as well as a possible transfer of NSO personnel to L3Harris.
Okay, so much for low profiling this type of deal.
I am not sure what “multiple sources” means. If someone were writing about my meeting the Admiral, the only sources of information would have been me, the Admiral’s technical aide (a nuclear scientist from Argonne National Laboratory), and probably the bartender who did not approach the area in which the former chair of the Joint Committee on Atomic Energy was sitting.
But what have we got?
- A major newspaper’s story about a company which has made specialized services as familiar as TikTok
- Multiple sources of information. What? Who is talking? Why?
- A White House “official” making a comment. Who? Why? To whom?
- A reference to a specialized news service called “Intelligence Online”. What was the source of this outfit’s information? Is that source high value? Why is a news service plunging into frog killing hot water?
- Ramblings about the need to involve government officials in at least two countries. Who are the “officials”? Why are these people identified without specifics?
- References to human rights advocates. Which advocates? Why?
Gentle reader, I am a dinobaby who was once a consultant to the company which made this term popular. Perhaps a return to the good old days of low-profiling certain activities is appropriate?
One thing is certain: Not even Google’s 10-thumb approach to information about its allegedly smart software can top this NSO Group PR milestone.
Stephen E Arnold, June 15, 2022
The Alleged Apple M1 Vulnerability: Just Like Microsoft?
June 15, 2022
I read “MIT Researchers Uncover Unpatchable Flaw in Apple M1 Chips.” I have no idea if the exploit is one that can be migrated to a Dark Web or Telegram Crime as a Service pitch. Let’s assume that there may be some truth to the clever MIT wizards’ discoveries.
First, note this statement from the cited article:
The researchers — which presented their findings to Apple — noted that the Pacman attack isn’t a “magic bypass” for all security on the M1 chip, and can only take an existing bug that pointer authentication protects against.
And this:
In May last year, a developer discovered an unfixable flaw in Apple’s M1 chip that creates a covert channel that two or more already-installed malicious apps could use to transmit information to each other. But the bug was ultimately deemed “harmless” as malware can’t use it to steal or interfere with data that’s on a Mac.
I may be somewhat jaded, but if these statements are accurate, the “unpatchable” adjective is a slide of today’s reality. Windows Defender may not defend. SolarWinds may burn with unexpected vigor. Cyber security software may be more compelling in a PowerPoint deck than installed on a licensee’s system wherever it resides.
The key point is that like many functions in modern life, there is no easy fix. Human error? Indifference? Clueless quality assurance and testing processes?
My hunch is that this is a culmination of the attitude of “good enough” and “close enough for horseshoes.”
One certainty: Bad actors are encouraged by assuming that whatever is produced by big outfits will have flaws, backdoors, loopholes, stupid mistakes, and other inducements to break laws.
Perhaps it is time for a rethink?
Stephen E Arnold, June 15, 2022
Microsoft: Helping Out Google Security. What about Microsoft Security?
June 14, 2022
While Microsoft is not among the big tech giants, the company still holds a prominent place within the technology industry. Microsoft studies rival services and products to gain insights and to share anything that lowers their standing, such as a security threat. A case in point: “Microsoft Researchers Discover Serious Security Vulnerabilities In Big-Name Android Apps.” The Microsoft 365 Defender Research Team found a slew of severe vulnerabilities in the mce Systems mobile framework used by large companies, including Rogers Communications, Bell Canada, and AT&T, for their apps.
Android phones have these apps preinstalled in the OS and they are downloaded by millions of users. These vulnerabilities could allow bad actors to remotely attack phones. The types of attacks range from command injection to privilege escalation.
The Microsoft 365 Defender Research Team shared the discovery:
“Revealing details of its findings, the security research team says: ‘Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information’.
In the course of its investigation, the team found the mce Systems’ framework had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.”
Vulnerabilities also affected apps on Apple phones. Preinstalled apps simplify device activation and troubleshooting and optimize performance. Unfortunately, this gives apps control over the majority of the phone, and bad actors will exploit them to gain access. Microsoft worked with mce Systems to fix the threats.
Interestingly, Microsoft found the security threats. Maybe Microsoft wants to reclaim its big tech title by protecting the world from Google’s spies?
Whitney Grace, June 14, 2022
DarkTrace: A Tech NATO Like a Digital “Sharknado”?
June 7, 2022
Don’t get me wrong. I think the idea of a group of countries coordinating cyber actions is a good idea. Maybe that’s why there is a Europol and alliances like Five Eyes. “Darktrace CEO Calls for a Tech NATO Amid Growing Cyber Threats” reports that the UK company thinks the idea is a good one. I learned:
Gustafsson [the senior executive at DarkTrace] wants to see the creation of a dedicated international cyber task force, or a “tech NATO”, where global partners can collaborate, agree, and ratify norms for the cybersphere—including what kind of response would be warranted for breaches.
The write up loses me with this passage:
Greater cooperation is certainly needed to combat evolving cyber threats. However, Gustafsson’s call for a “Tech NATO” is surprising—not least because NATO itself already has one in the form of the CCDCOE (Cooperative Cyber Defence Centre of Excellence).
If NATO has such an entity, why not build on that confederation?
I think that DarkTrace has been innovative in its messaging, not confusing. Most of the cyber threat firms are struggling with marketing messages. Each vendor discovers threats apparently unknown to any other vendor. Military cyber intelligence folks seem to be wrestling with 24×7 automated attacks at the same time the effervescent Elon Musk thwarts attempts to kill off his satellite-centric Internet service. After 100 days of deadly skirmishes, Russia has managed to turn off Ukrainian mobile service in several disputed regions. Speedy indeed.
Has DarkTrace succumbed to cyber threat marketing fatigue, and is it aiming for the fences with Tech NATO? The 2013 “Sharknado” was pretty wild and crazy. Will Tech NATO follow a similar trajectory? But it’s summer and marketing is hard.
Stephen E Arnold, June 6, 2022
Follina, Follina, Making Microsofties Cry
June 6, 2022
I read “China-Backed Hackers Are Exploiting Unpatched Microsoft Zero-Day.” According to the estimable Yahoo News outfit:
China-backed hackers are exploiting an unpatched Microsoft Office zero-day vulnerability, known as “Follina”, to execute malicious code remotely on Windows systems…. The flaw, which affects 41 Microsoft products including Windows 11 and Office 365, works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts.
Ah, ha, Windows 11. The trusted protection thing? Yeah, well. The write up added some helpful time information:
The Follina zero-day was initially reported to Microsoft on April 12, after Word documents – which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview – were found abusing the flaw in the wild. However, Shadow Chaser Group’s crazyman, the researcher who first reported the zero-day, said Microsoft initially tagged the flaw as not a “security-related issue”. The tech giant later informed the researcher that the “issue has been fixed,” but a patch does not appear to be available.
Bob Dylan’s song makes this latest security issue easy to remember:
Follina, Follina
Girl, you’re on my mind
I’m a-sittin down thinkin of you
I just can’t keep from crying
Big sobs, not sniffles.
Stephen E Arnold, June 6, 2022
Microsoft and Security: This Must Be an April Fool Joke in May, Right?
May 27, 2022
I read “Pwn2Own Hackers Just Broke Into Windows 11 and Teams in a Single Day.” Was this an Onion article? A write up from a former Punch writer? An output from Google’s almost human super capable smart software?
Nope. The source is a reliable online publication called Make Use Of or MUO to its friends.
I learned:
Day one of Pwn2Own is over, and taking a look at the bounty board shows that Microsoft’s software didn’t stand up well to the onslaught. The event saw three successful attacks on Microsoft Teams, and two against Windows 11. Each successful hack was rewarded accordingly, with the lowest bounty coming in at an impressive $40,000, and the biggest at an eye-watering $150,000.
Ah, Windows 11 and the feature-spawning Teams!
My view of Windows 11 is that it was pushed out to distract some Silicon Valley type news reporters from the massively bad SolarWinds’ misstep. Few agree with me.
Be that as it may, Windows 11 does not seem to be the paragon of security that I thought Microsoft explained. You know, the TPM thing and the idea that certain computers were not able to deal with the Milli Vanilli approach to security. Catchy lyrics, but not exactly what paying customers expected.
The article cited concludes with this statement:
With hackers putting up big wins against Microsoft’s apps at Pwn2Win, it shows that the company’s software is perhaps not as secure as it should be. Hopefully, Microsoft can publish fixes for these exploits before they fall into the wrong hands.
Will Microsoft, like Netgear, find that it cannot “fix” certain issues with its software and systems?
Stephen E Arnold, May 27, 2022
Cybersecurity: Are the Gloves Off?
May 26, 2022
Cybersecurity has been a magnet for investments. Threats are everywhere! Threats are increasing! Ransomware destroys businesses and yours will be next? One thousand bad actors attack in the SolarWinds’ misstep, right? The sky is falling!
Frightened yet?
Changes are evident. Let me offer two examples:
Lacework
The cybersecurity outfit Lacework has just allowed about 20 percent of their workforce to find their future elsewhere. Uber, perhaps? Piece work via Fiverr.com? A for-fee blog on Substack, the blog platform with real journalists, experts, pundits, wizards, etc.?
“Cloud Security Firm Lacework Lays Off 20% of Staff” reports:
A well-funded startup in the cybersecurity industry, Lacework, has become the latest tech firm to disclose a major round of layoffs amid fears of a broader economic slowdown. In a statement provided to Protocol, Lacework confirmed that the layoffs impacted 20% of its employees, in connection with what it called a “decision to restructure our business.”
Is the number of future hunters let loose in the datasphere accurate? The article points out that Lacework used the outstanding Twitter to say, 20 percent was a “significant overestimate.” Whom does one believe? In today’s world, I have to hold two contradictory statements in my mind because I sure as heck don’t know why a hot sector with a well funded company is making more parking available and reducing demand for the ping pong table.
Cybersecurity Does Not Work
The second example: I noted an advertisement in my dead tree version of the Wall Street Journal. Here’s the ad from the May 26, 2022, publication:
The text of the Tanium advertisement declares that cybersecurity systems fail their customers. The idea is that there are many cybersecurity vendors, and each offers pretty good barriers to a couple of threats. The customers of these firms’ products have to buy multiple solutions. The fix? License Tanium, a “best place to work.”
Stepping Back
The first example provides a hint that certain companies in the cybersecurity market are taking steps to reduce costs. Nothing works quite as well as winnowing the herd. My hunch is that Lacework is like a priest in ancient Greece poking at a sacrificial lamb and declaring, “Prepare for the pestilence and the coming famine. Have a good day.”
The second example may signal that the policy of cybersecurity vendors not criticizing one another is over. Tanium is criticizing a pride of cyber lions. My hunch is that the gloves will be coming off. Saying that no other vendor can deal with cyber threats in the Wall Street Journal is a couple of levels above making snarky comments in a security trade show booth.
Net Net
Bad actors can add some of the Lacework castoffs to their virtual crimeware teams hiding behind the benign monikers of front companies in Greece and Italy, among other respected countries. The Tanium ad copy offers proof that existing cyber defense may have some gaps. The information will encourage bad actors to keep chipping away at juicy online targets. Change has arrived.
Stephen E Arnold, May 26, 2022
Cyber Safeguards: Do Digital Prophylactics Have Holes?
May 19, 2022
I have had a sneaking suspicion that cyber security vendors were prone to exaggerating the capabilities of their systems. I sit in webinars in which I hear about the exploit of the day. I scan newsfeeds to learn that each cyber security and threat intelligence experts announce with considerable confidence. (Why don’t other cyber security vendors announce the same exploit? Each vendor, it appears to me, finds something unique to explain and then neutralize…. after the fact.) I look at dozens of news releases about cyber security, threat detection, and the ransomware gang wanting citizens of Costa Rica to overthrow the country. So many vulnerabilities, it seems.
“Report: 80% of Cyberattack Techniques Evade Detection by SIEMs” highlights a contrarian report from an outfit named CardinalOps. (You can learn more about the company at this link.) This company, founded in 2020, is involved in the security information and event management business. The acronym is SIEM, and it is bandied about with considerable abandon as a must-know acronym.
The VentureBeat article describes some of the information in the CardinalOps monograph called “The State of SIEM Detection Risk: Quantifying the Gaps in MITRE ATT&CK Coverage for Production SIEMs.”
(The catchy MITRE ATT&CK refers to an MIT Research activity (now MITRE). Here’s how the information is described by MITRE:
a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.)
With the jargon behind me, I want to highlight this passage from the article published by the estimable VentureBeat:
enterprise SIEMs are missing detections for 80% of all MITRE ATT&CK techniques and only address five of the top 14 ATT&CK techniques employed by adversaries in the wild.
What the CardinalOps monograph seems to say to me is: “The cyber security vendors’ software and systems don’t work as advertised.”
If I interpret the VentureBeat article correctly, the story ventures into territory avoided by most of those involved in cyber security. Criticizing the dozens, nay, hundreds of cyber defense companies and their services has been a no-no in my experience. Outfits which purport to review these systems rarely suggest that out of a hundred threats, about four out of five will zip right through the defenses.
(Is this why some upscale consultants suggest using layers of security? This phrase means to me: “License lots of systems and maybe the combination will stop threats.” The implication is that if one system is only 20 percent effective and my understanding that each cyber security vendor has some method to stop stuff their experts have identified, the average company only requires five systems running at the same time to reduce risks.)
The VentureBeat article about the CardinalOps report offers:
Rather than rely on subjective survey-based data, CardinalOps analyzed configuration data from real-world production SIEM instances to gain visibility into the current state of threat detection coverage in modern Security Operations Centers (SOCs). These organizations represent multibillion dollar, multinational corporations, which makes this one of the largest recorded samples of actual SIEM data analyzed to date, encompassing more than 14,000 log sources, thousands of detection rules and hundreds of log source types.
Okay, hard data, not soft podcast-grade chatter.
So what’s the fix if you are using popular systems from outfits like the lovable outfit Microsoft, the firm which shipped an update that breaks domain security? The article states:
The latest CardinalOps research provides readers with a series of best practice recommendations to help CISOs and detection engineering teams address these challenges, and be more intentional about how detection coverage is measured and continuously improved over time.
I think this means consulting. No surprise there.
To get a copy of the report, click here and amp up your fear. Email and captcha hoops required. You know, for security.
Net net: Marketing information may not describe accurately cyber security capabilities. Is this news?
Stephen E Arnold, May 19, 2022
On Mitigating Open-Source Vulnerabilities
May 16, 2022
Open-source software has saved countless developers from reinventing the proverbial wheel so they can instead spend their time creating new ways to use existing code. That’s great! Except for one thing: Now that open-source components make up about 90% of most applications, they pose tempting opportunities for hackers. Perhaps the juiciest targets lie in the military and intelligence communities. US counter-terrorism ops rely heavily on the likes of Palantir Technologies, a heavy user of and contributor to open-source software. Another example is the F-35 stealth fighter, which operates using millions of lines of code. A team of writers at War on the Rocks explores “Dependency Issues: Solving the World’s Open-Source Software Security Problem.” Solve it? Completely? Right, and there really is a tooth fairy. The article relates:
“The problem is that the open-source software supply chain can introduce unknown, possibly intentional, security weaknesses. One previous analysis of all publicly reported software supply chain compromises revealed that the majority of malicious attacks targeted open-source software. In other words, headline-grabbing software supply-chain attacks on proprietary software, like SolarWinds, actually constitute the minority of cases. As a result, stopping attacks is now difficult because of the immense complexity of the modern software dependency tree: components that depend on other components that depend on other components ad infinitum. Knowing what vulnerabilities are in your software is a full-time and nearly impossible job for software developers.”
So true. Still, writers John Speed Meyers, Zack Newman, Tom Pike, and Jacqueline Kazil sound optimistic as they continue:
“Fortunately, there is hope. We recommend three steps that software producers and government regulators can take to make open-source software more secure. First, producers and consumers should embrace software transparency, creating an auditable ecosystem where software is not simply mysterious blobs passed over a network connection. Second, software builders and consumers ought to adopt software integrity and analysis tools to enable informed supply chain risk management. Third, government reforms can help reduce the number and impact of open-source software compromises.”
The article describes each part of this plan in detail. It also does a good job explaining how we got so dependent on open-source software and describes ways hackers are able to leverage it. The writers submit that, by following these suggestions, entities both public and private can safely continue to benefit from open-source collaboration. If the ecosystem is made even a bit safer, we suppose that is better than nothing. After all, ditching open-source altogether seems nigh impossible at this point.
Cynthia Murrell, May 16, 2022