Cybersecurity: Are the Gloves Off?

May 26, 2022

Cybersecurity has been a magnet for investments. Threats are everywhere! Threats are increasing! Ransomware destroys businesses and yours will be next? One thousand bad actors attack in the SolarWinds’ misstep, right? The sky is falling!

Frightened yet?

Changes are evident. Let me offer two examples:

Lacework

The cybersecurity outfit Lacework has just allowed about 20 percent of their workforce to find their future elsewhere. Uber, perhaps? Piece work via Fiverr.com? A for-fee blog on Substack, the blog platform with real journalists, experts, pundits, wizards, etc.?

“Cloud Security Firm Lacework Lays Off 20% of Staff” reports:

A well-funded startup in the cybersecurity industry, Lacework, has become the latest tech firm to disclose a major round of layoffs amid fears of a broader economic slowdown. In a statement provided to Protocol, Lacework confirmed that the layoffs impacted 20% of its employees, in connection with what it called a “decision to restructure our business.”

Is the number of future hunters let loose in the datasphere accurate? The article points out that Lacework used the outstanding Twitter to say that 20 percent was a “significant overestimate.” Whom does one believe? In today’s world, I have to hold two contradictory statements in my mind because I sure as heck don’t know why a hot sector with a well-funded company is making more parking available and reducing demand for the ping pong table.

Cybersecurity Does Not Work

For the second example, I noted an advertisement in my dead-tree version of the Wall Street Journal. Here’s the ad from the May 26, 2022, edition:

[Image: Tanium advertisement]

The text of the Tanium advertisement declares that cybersecurity systems fail their customers. The idea is that there are many cybersecurity vendors, and each offers pretty good barriers to a couple of threats, so customers have to buy multiple products. The fix? License Tanium, a “best place to work.”

Stepping Back

The first example provides a hint that certain companies in the cybersecurity market are taking steps to reduce costs. Nothing works quite as well as winnowing the herd. My hunch is that Lacework is like a priest in ancient Greece poking at a sacrificial lamb and declaring, “Prepare for the pestilence and the coming famine. Have a good day.”

The second example may signal that the policy of cybersecurity vendors not criticizing one another is over. Tanium is criticizing a pride of cyber lions. My hunch is that the gloves will be coming off. Saying that no other vendor can deal with cyber threats in the Wall Street Journal is a couple of levels above making snarky comments in a security trade show booth.

Net Net

Bad actors can add some of the Lacework castoffs to their virtual crimeware teams hiding behind the benign monikers of front companies in Greece and Italy, among other respected countries. The Tanium ad copy offers proof that existing cyber defense may have some gaps. The information will encourage bad actors to keep chipping away at juicy online targets. Change has arrived.

Stephen E Arnold, May 26, 2022

Cyber Safeguards: Do Digital Prophylactics Have Holes?

May 19, 2022

I have had a sneaking suspicion that cyber security vendors were prone to exaggerating the capabilities of their systems. I sit in webinars in which I hear about the exploit of the day. I scan newsfeeds to learn what each cyber security and threat intelligence expert announces with considerable confidence. (Why don’t other cyber security vendors announce the same exploit? Each vendor, it appears to me, finds something unique to explain and then neutralize…. after the fact.) I look at dozens of news releases about cyber security, threat detection, and the ransomware gang wanting citizens of Costa Rica to overthrow the country. So many vulnerabilities, it seems.

“Report: 80% of Cyberattack Techniques Evade Detection by SIEMs” highlights a contrarian report from an outfit named CardinalOps. (You can learn more about the company at this link.) This company, founded in 2020, is in the security information and event management business. The acronym is SIEM, and it is bandied about with considerable abandon as a must-know acronym.

The VentureBeat article describes some of the information in the CardinalOps monograph called “The State of SIEM Detection Risk: Quantifying the Gaps in MITRE ATT&CK Coverage for Production SIEMs.”

(The catchy MITRE ATT&CK refers to a knowledge base maintained by the MITRE Corporation, a not-for-profit that operates federally funded research and development centers. Here’s how the information is described by MITRE:

a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.)

With the jargon behind me, I want to highlight this passage from the article published by the estimable VentureBeat:

enterprise SIEMs are missing detections for 80% of all MITRE ATT&CK techniques and only address five of the top 14 ATT&CK techniques employed by adversaries in the wild.

What the CardinalOps monograph seems to say to me is: “The cyber security vendors’ software and systems don’t work as advertised.”

If I interpret the VentureBeat article correctly, the story ventures into territory avoided by most of those involved in cyber security. Criticizing the dozens, nay, hundreds of cyber defense companies and their services has been a no-no in my experience. Outfits which purport to review these systems rarely suggest that out of a hundred threats, about four out of five will zip right through the defenses.

(Is this why some upscale consultants suggest using layers of security? This phrase means to me: “License lots of systems and maybe the combination will stop threats.” The implication is that if one system is only 20 percent effective, and my understanding is that each cyber security vendor has some method to stop the stuff its experts have identified, then the average company only requires five systems running at the same time to reduce risk.)

The VentureBeat article about the CardinalOps report offers:

Rather than rely on subjective survey-based data, CardinalOps analyzed configuration data from real-world production SIEM instances to gain visibility into the current state of threat detection coverage in modern Security Operations Centers (SOCs). These organizations represent multibillion dollar, multinational corporations, which makes this one of the largest recorded samples of actual SIEM data analyzed to date, encompassing more than 14,000 log sources, thousands of detection rules and hundreds of log source types.

Okay, hard data, not soft podcast-grade chatter.

So what’s the fix if you are using popular systems from outfits like the lovable Microsoft, the firm which shipped an update that breaks domain security? The article states:

The latest CardinalOps research provides readers with a series of best practice recommendations to help CISOs and detection engineering teams address these challenges, and be more intentional about how detection coverage is measured and continuously improved over time.

I think this means consulting. No surprise there.
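The coverage measurement the report describes is simple enough to reproduce against your own rule export, and it also settles the “five systems at 20 percent each” arithmetic above. What follows is an added example of mine, not code from CardinalOps, VentureBeat or this blog: it reads Sigma-style ATT&CK tags (`attack.t1059.001`) off two constructed rule sets, scores each against a constructed priority list of real technique IDs (the report’s own “top 14” is not reproduced here), and shows that stacking two tools is a set union of what they detect, not a sum of their percentages.

```python
"""Measure SIEM detection coverage against MITRE ATT&CK technique IDs.

Added example; not CardinalOps', VentureBeat's or the blog's code.
Rule tags use the Sigma convention ("attack.t1059.001"). The rule
sets and the priority list are constructed for illustration; the
report's own "top 14" list is not reproduced.
"""
import re
from typing import Iterable

# Sigma-style tag: attack.t1059 or attack.t1059.001 (sub-technique)
TECH_RE = re.compile(r"^attack\.(t\d{4})(?:\.\d{3})?$", re.IGNORECASE)

# Constructed priority list of real technique IDs (selection is arbitrary)
PRIORITY = [
    "T1059",  # Command and Scripting Interpreter
    "T1078",  # Valid Accounts
    "T1053",  # Scheduled Task/Job
    "T1021",  # Remote Services
    "T1047",  # Windows Management Instrumentation
    "T1003",  # OS Credential Dumping
    "T1566",  # Phishing
    "T1105",  # Ingress Tool Transfer
]

# Two constructed rule sets, as if exported from two different tools.
# Each rule is (rule name, tags); only the tags matter here.
TOOL_A = [
    ("powershell_encoded_command", ["attack.execution", "attack.t1059.001"]),
    ("scheduled_task_created", ["attack.persistence", "attack.t1053.005"]),
    ("lsass_handle_opened", ["attack.credential_access", "attack.t1003.001"]),
    ("rdp_logon_from_new_host", ["attack.lateral_movement", "attack.t1021.001"]),
]
TOOL_B = [
    ("wmi_remote_process_create", ["attack.execution", "attack.t1047"]),
    ("service_account_interactive_logon", ["attack.t1078.002"]),
    ("psexec_service_installed", ["attack.t1021.002"]),  # overlaps Tool A on T1021
    ("office_spawns_cmd", ["attack.t1059.003"]),         # overlaps Tool A on T1059
]


def techniques_from_tags(tags: Iterable[str]) -> set[str]:
    """Parent technique IDs named by a rule's tags (T1059.001 counts as T1059)."""
    found = set()
    for tag in tags:
        m = TECH_RE.match(tag.strip())
        if m:
            found.add(m.group(1).upper())
    return found


def covered(rules) -> set[str]:
    """Every technique any rule in the set claims to detect."""
    out: set[str] = set()
    for _name, tags in rules:
        out |= techniques_from_tags(tags)
    return out


def coverage(rules, universe: list[str]) -> tuple[float, list[str]]:
    """(fraction of `universe` with at least one rule, ordered list of gaps)."""
    have = covered(rules)
    gaps = [t for t in universe if t not in have]
    return (len(universe) - len(gaps)) / len(universe), gaps


def layered_coverage(rule_sets, universe: list[str]) -> tuple[float, list[str]]:
    """Stacking tools is a set union of techniques, not a sum of percentages."""
    union: set[str] = set()
    for rules in rule_sets:
        union |= covered(rules)
    gaps = [t for t in universe if t not in union]
    return (len(universe) - len(gaps)) / len(universe), gaps


if __name__ == "__main__":
    for label, rules in (("Tool A", TOOL_A), ("Tool B", TOOL_B)):
        frac, gaps = coverage(rules, PRIORITY)
        print(f"{label}: {frac:.0%} of priority techniques covered, gaps {gaps}")
    frac, gaps = layered_coverage([TOOL_A, TOOL_B], PRIORITY)
    print(f"A+B layered: {frac:.0%}, gaps {gaps}")
```

Each constructed tool scores 50 percent on the priority list, but layered together they reach 75 percent, not 100, because both already detect T1059 and T1021. Rules exported from a real SIEM keep their ATT&CK mapping in a product-specific field; only the tag parser needs to change.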

To get a copy of the report, click here and amp up your fear. Email and captcha hoops required. You know, for security.

Net net: Marketing information may not describe accurately cyber security capabilities. Is this news?

Stephen E Arnold, May 19, 2022

On Mitigating Open-Source Vulnerabilities

May 16, 2022

Open-source software has saved countless developers from reinventing the proverbial wheel so they can instead spend their time creating new ways to use existing code. That’s great! Except for one thing: Now that open-source components make up about 90% of most applications, they pose tempting opportunities for hackers. Perhaps the juiciest targets lie in the military and intelligence communities. US counter-terrorism ops rely heavily on the likes of Palantir Technologies, a heavy user of and contributor to open-source software. Another example is the F-35 stealth fighter, which operates using millions of lines of code. A team of writers at War on the Rocks explores “Dependency Issues: Solving the World’s Open-Source Software Security Problem.” Solve it? Completely? Right, and there really is a tooth fairy. The article relates:

“The problem is that the open-source software supply chain can introduce unknown, possibly intentional, security weaknesses. One previous analysis of all publicly reported software supply chain compromises revealed that the majority of malicious attacks targeted open-source software. In other words, headline-grabbing software supply-chain attacks on proprietary software, like SolarWinds, actually constitute the minority of cases. As a result, stopping attacks is now difficult because of the immense complexity of the modern software dependency tree: components that depend on other components that depend on other components ad infinitum. Knowing what vulnerabilities are in your software is a full-time and nearly impossible job for software developers.”

So true. Still, writers John Speed Meyers, Zack Newman, Tom Pike, and Jacqueline Kazil sound optimistic as they continue:

“Fortunately, there is hope. We recommend three steps that software producers and government regulators can take to make open-source software more secure. First, producers and consumers should embrace software transparency, creating an auditable ecosystem where software is not simply mysterious blobs passed over a network connection. Second, software builders and consumers ought to adopt software integrity and analysis tools to enable informed supply chain risk management. Third, government reforms can help reduce the number and impact of open-source software compromises.”

The article describes each part of this plan in detail. It also does a good job explaining how we got so dependent on open-source software and describes ways hackers are able to leverage it. The writers submit that, by following these suggestions, entities both public and private can safely continue to benefit from open-source collaboration. If the ecosystem is made even a bit safer, we suppose that is better than nothing. After all, ditching open-source altogether seems nigh impossible at this point.
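The second of the three steps, “software integrity and analysis tools,” is concrete enough to show. Here is an added example of mine, not code from the War on the Rocks authors or from any real tool: it parses a constructed requirements-style lockfile that uses pip’s real `--hash=sha256:...` syntax (the package names are made up), then refuses an artifact when the package is not pinned, when the version has drifted, when no hash was recorded, or when the digest does not match. Failing closed on a missing hash is the point; a lockfile that pins only versions tells you nothing about what bytes you actually received.

```python
"""Verify pinned dependency hashes before trusting an artifact.

Added example; not the War on the Rocks authors' code or any real tool.
The `--hash=sha256:...` line format is pip's; the package names, the
lockfile and the artifact bytes are constructed inline so this runs offline.
"""
import hashlib
import re
from dataclasses import dataclass

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-f]{64})")


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    digests: frozenset  # allowed sha256 hex digests; empty means "unverifiable"


def parse_lockfile(text: str) -> dict:
    """Parse requirements-style lines; a trailing backslash continues a line."""
    pins = {}
    parts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts.append(line.rstrip("\\").strip())
        if line.endswith("\\"):
            continue
        logical = " ".join(parts)
        parts = []
        m = PIN_RE.match(logical)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {logical}")
        digests = frozenset(h.group("digest") for h in HASH_RE.finditer(logical))
        pins[m.group("name").lower()] = Pin(m.group("name"), m.group("version"), digests)
    return pins


def verify(pins: dict, name: str, version: str, artifact: bytes):
    """(ok, reason). Fails closed: unknown package, version drift or no hash all reject."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, "not in lockfile"
    if pin.version != version:
        return False, f"version drift: locked {pin.version}, offered {version}"
    if not pin.digests:
        return False, "no hash pinned; cannot verify integrity"
    if hashlib.sha256(artifact).hexdigest() not in pin.digests:
        return False, "sha256 mismatch"
    return True, "ok"


# Constructed sample data: one hashed pin, one pin with a version but no hash.
GOOD_ARTIFACT = b"print('widget 1.2.0')\n"
LOCKFILE = (
    "# constructed lockfile\n"
    "widget==1.2.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
    "gadget==0.9.1\n"
)

if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    print(verify(pins, "widget", "1.2.0", GOOD_ARTIFACT))
    print(verify(pins, "widget", "1.2.0", GOOD_ARTIFACT + b"# tampered\n"))
    print(verify(pins, "gadget", "0.9.1", b"anything"))
```

The hash in the constructed lockfile is computed from the sample artifact so the example runs without network access; in practice the digests come from the lockfile committed to your repository, and the artifact is whatever your build just downloaded.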

Cynthia Murrell, May 16, 2022

Some Criticism of Microsoft? Warranted or Not?

May 13, 2022

Microsoft’s LinkedIn comes out on top—in one regard, anyway. IT-Online reports, “LinkedIn the Brand Most Imitated for Phishing.” In its Brand Phishing Report for the first quarter of 2022, Check Point Research found the professional network was imitated in more than half of all phishing attempts during January, February, and March. The write-up tells us:

“Dominating the rankings for the first time ever, LinkedIn accounted for more than half (52%) of all phishing attempts during the quarter. This represents a dramatic 44% uplift from the previous quarter, where the professional networking site was in fifth position accounting for only 8% of phishing attempts. LinkedIn overtook DHL as the most targeted brand, which is now in second position and accounted for 14% of all phishing attempts during the quarter.”

Social media platforms in general jumped in popularity as phishing spots. Shipping companies like DHL, which became attractive targets with the rise in e-commerce, are now in second place. Apparently different types of companies make juicy bait for different kinds of attacks. The article quotes Check Point’s Omer Dembinsky:

“Some attacks will attempt to gain leverage over individuals or steal their information, such as those we’re seeing with LinkedIn. Others will be attempts to deploy malware on company networks, such as the fake emails containing spoof carrier documents that we’re seeing with the likes of Maersk.”

Of course, a phishing attack can only work if someone falls for it. Do not be that person. Dembinsky advises:

“The best defense against phishing threats, as ever, is knowledge. Employees in particular should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users in particular should be extra vigilant over the course of the next few months.”

In Check Point’s list of the top ten companies to find themselves on phishing hooks, LinkedIn and DHL are followed by Google (at 7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%), and Apple (0.8%).
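The “misspelled domains” Dembinsky mentions are the one anomaly a machine spots better than a trained employee. Below is an added example of mine, not Check Point’s tooling: it takes a sender address or link, pulls out the host, and flags the three common brand-impersonation shapes against the ten brands in the report (the brand domains are real; the addresses checked at the bottom are constructed). The registrable-domain logic is a toy (last two labels) and is wrong for names like example.co.uk; a real deployment would use the public suffix list.

```python
"""Flag sender and link domains that impersonate well-known brands.

Added example; not Check Point's tooling. BRANDS holds real registrable
domains from the report's top ten; the sample addresses are constructed.
The public-suffix logic is a toy (last two labels) and mishandles
names such as example.co.uk.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

BRANDS = (
    "linkedin.com", "dhl.com", "google.com", "microsoft.com", "fedex.com",
    "whatsapp.com", "amazon.com", "maersk.com", "aliexpress.com", "apple.com",
)


def host_of(value: str) -> str:
    """Host part of a URL, or the domain part of an e-mail address, lowercased."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower()


def registrable(host: str) -> str:
    """Toy registrable domain: the last two labels."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> tuple[str, Optional[str]]:
    """Return (verdict, brand) for one host name."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in BRANDS:
        return "legit", reg
    tokens = set(re.split(r"[.-]", host))
    for brand in BRANDS:
        if f".{brand}." in f".{host}.":          # linkedin.com.secure-login.net
            return "brand-in-subdomain", brand
        if brand.split(".")[0] in tokens:       # linkedin-security.net
            return "brand-token", brand
    nearest = min(BRANDS, key=lambda b: edit_distance(reg, b))
    if 0 < edit_distance(reg, nearest) <= 2:    # linkedln.com, dh1.com
        return "lookalike", nearest
    return "unknown", None


if __name__ == "__main__":
    for sample in ("jobs@linkedin.com",
                   "https://linkedin.com.secure-login.net/reset",
                   "noreply@linkedln.com",
                   "https://linkedin-security.net/verify",
                   "security@pineapple.com"):
        print(sample, "->", classify(host_of(sample)))
```

The edit-distance threshold of 2 is deliberately loose and will false-positive on very short brand names; the brand-in-subdomain and brand-token checks are the ones worth blocking on, the lookalike check is for review queues.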

Cynthia Murrell, May 13, 2022

Using a VPN in India?

May 10, 2022

I read “VPN Providers Are Ordered to Store User Data for 5 or More Years in India.” The land of Khichdi is a fair piece from rural Kentucky. On the other hand, the VPN providers and crypto exchange platforms can be as near as one’s mobile phone or laptop. So what?

The write up points out:

The Indian government has published a directive that will force VPN providers and crypto exchange platforms to store user data for at least five years, even when customers have since terminated their relationship with the companies in question. Decision makers at businesses who don’t comply with the new ruling could face up to one year in prison, with it going into effect in late June 2022.

Yes, just another law. What makes this interesting is that a VPN, according to some enthusiastic promotional material, preserves one’s online privacy. That sounds like a great idea to many people.

What happens if those VPN records are reviewed prior to their deletion by the VPN providers who insist that the users’ data are not preserved? I also like the VPN vendors who suggest that logs are not preserved.

If India’s directive yields some bad actor identification and incarceration, what other countries will use India’s approach as a springboard? The abuse of some online capabilities has been friction-free in some places. Russia appears to have some doubts about VPNs. China? Yep, China too.

Perhaps the days of laissez-faire will end with a reprimand from Yama?

Stephen E Arnold, May 10, 2022

Cyber Security: Oxymoron?

May 9, 2022

I read an interesting article called “Botnet That Hid for 18 Months Boasted Some of the Coolest Tradecraft Ever.” I am not sure I would have described the method as “cool,” but as some say, “Let many flowers bloom.”

The main point of the article is a sequence of actions which compromise a target without calling attention to the attack or leaving size 13 digital footprints. The diagrams provide a broad overview of the major components, but there are no code snippets. That’s a plus in my book because many cyber revelations are cookbooks with easy-to-follow recipes for dorm room cyber snacks.

What caught my attention is this statement in the excellent write up:

One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.

I also noted:

“Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the Mandiant researchers wrote. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”

With core functionality of Microsoft software and services serving as the pivot for the attacker’s systems and methods, what does this suggest about cyber security going forward?

My answer: There is an attack surface of significant scope, and activity on it is undetectable except through specialized analysis. The ball is in the hands of Microsoft. The bad actors just toss it around.
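“Standard Windows protocols over malware” is exactly why this is hard to see, but it is not invisible: WMI-driven remote execution leaves a process-creation trail. Here is an added example of mine, not Mandiant’s or Ars Technica’s content and not tied to whatever UNC3524’s customized tool actually did: it scores constructed process-creation events (Sysmon Event ID 1 or Security 4688 fields) for a shell spawned by the WMI provider host. Stock impacket wmiexec additionally redirects command output to the ADMIN$ share over a loopback UNC path, which the example treats as high confidence; a customized build may drop that pattern, so the parent-child relationship alone still rates a look. The mailbox side (EWS requests against Exchange) lives in Exchange or Microsoft 365 audit logs and is not shown.

```python
"""Flag shells spawned by the WMI provider host, wmiexec-style.

Added example; not Mandiant's or Ars Technica's content, and not tied
to UNC3524's actual tooling. EVENTS are constructed in a minimal
process-creation shape (Sysmon Event ID 1 / Security 4688 fields:
Computer, ParentImage, Image, CommandLine).
"""
import re

# Stock impacket wmiexec writes command output to the ADMIN$ share via a
# loopback UNC path (cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1).
# A customized build may change or drop this, so it is a bonus signal only.
ADMIN_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lowercased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score(event: dict) -> tuple[str, str]:
    """(severity, reason) for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent != "wmiprvse.exe" or image not in SHELLS:
        return "none", ""
    if ADMIN_SHARE_REDIRECT.search(cmdline):
        return "high", "wmiexec-style output redirection to ADMIN$"
    return "medium", "shell spawned by WMI provider host"


def triage(events: list) -> list:
    """[(computer, severity, reason)] for every event worth a look, in log order."""
    hits = []
    for e in events:
        sev, why = score(e)
        if sev != "none":
            hits.append((e["Computer"], sev, why))
    return hits


# Constructed events: two suspicious, one benign (a user opening a prompt).
EVENTS = [
    {"Computer": "FS01",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1651780800.12 2>&1"},
    {"Computer": "FS02",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -c "net group /domain"'},
    {"Computer": "WS07",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

Legitimate management software does spawn shells under WmiPrvSE.exe, so the medium finding is a hunt lead to be baselined per environment, not an alert to page on; the redirection pattern is specific enough to page on.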

Stephen E Arnold, May 9, 2022

What Is Crazier Than Enterprise Search? Maybe Content Management Systems?

May 4, 2022

I met a content management system guru many years ago. He explained to me in a remarkably patronizing way that CMS was the future of enterprise content. The words “all” and the phrase “search is just a utility” still echo when I think of him.

He was incorrect. CMS is certainly not a replacement for an XML repository which can “point” to objects like a sales presentation which began life as a PowerPoint and then emerged as a nifty PDF for the 20 somethings in marketing.

CMS, in my view, boils down to clunky systems which allow different people with a wide range of cognitive content to create, retrieve, and do stuff with text and some art. Search remains pretty darned crazy as a market sector, but there are some open source options and a number of semi-useful cloud services. The tendency for art history majors to bandy the word “all” in chats about a CMS continues to make me laugh. Right, “all”. What about company videos on RuTube.ru? I am waiting for an answer.

There is something at which CMS is quite skilled. “Vulnerable Plugins Plague the CMS Website Security Landscape” states:

According to the researchers, vulnerable plugins and extensions “account for far more website compromises than out-of-date, core CMS files,” with roughly half of website intrusions recorded by the firm’s clients occurring on a domain with an up-to-date CMS. Threat actors will often leverage legitimate — but hijacked — websites to host malware, credit card skimmers, or for the deployment of spam.

Thank goodness these CMS cannot index “all” content, which limits breach risks to some degree.

Quite an attack surface: Art history majors versus the bad actors with engineering degrees from a technical university or an enterprising coder who dropped out of school to sell his services via Aletenen.

Stephen E Arnold, May 4, 2022

App Tracking? Sure, Why Not?

May 4, 2022

Big tech companies, including Google, Facebook, and Apple, are supposed to cut back on the amount of data they collect from users via apps. Despite the lip service to users, apps are still collecting data and it appears these companies will not stop anytime soon. Daiji World explains how much data apps are still gathering in: “Apps Still tracking Users’ Data On Apple App Store.”

A University of Oxford research team investigated 1,759 Apple iOS apps in the United Kingdom App Store. The team monitored these apps before and after Apple implemented new tracking policies that supposedly make it harder to track users. Unfortunately, these apps are still tracking and fingerprinting users. The team found hard evidence of user tracking:

“The researchers found real-world evidence of apps computing a mutual fingerprinting-derived identifier through the use of “server-side code” — a violation of Apple’s new policies and highlighting the limits of Apple’s enforcement power as a privately-owned data protection regulator. ‘Indeed, Apple itself engages in some forms of user tracking and exempts invasive data practices like first-party tracking and credit scoring from its new privacy rules,’ claimed Konrad Kollnig, Department of Computer Science, University of Oxford.”

Apple’s Privacy Nutrition Labels are also inaccurate and are in direct conflict with Apple’s marketing claims. It is a disappointment that Apple is purposely misleading its users. Enforcing user privacy laws is sporadic, and tech companies barely follow what they set for themselves. Apple has its own OS, so they have a closed technology domain that they control:

“ ‘Apple’s privacy efforts are hampered by its closed-source philosophy on iOS and the opacity around its enforcement of its App Store review policies. These decisions by Apple remain an important driver behind limited transparency around iOS privacy,” [the research team] emphasised.”

Does this come as a surprise for anyone? Nope.

Apple can do whatever it wants because it is a prime technology company and it develops everything in-house. The only way to enforce privacy laws is transparency, but Apple will not become crystal clear because it will mean the company will lose profits.

Whitney Grace, May 4, 2022

Apple and Stalking? The Privacy Outfit?

May 3, 2022

Here is a tale of unintended, though not unanticipated, consequences. Engadget tells us “Police Reports Suggest a Larger Pattern of AirTag Stalking.” A few isolated cases of bad actors using Apple AirTags to facilitate stalking or car theft have come to light since the device was released in April 2021. To learn how widespread the problem is, Motherboard requested any records mentioning the technology from dozens of police departments around the country. Writer K. Holt summarizes:

“Motherboard received 150 reports from eight police departments and found that, in 50 cases, women called the cops because they received notifications suggesting that someone was tracking them with an AirTag or they heard the device chiming. (An AirTag will chime after it has been separated from its owner for between eight and 24 hours.) Half of those women suspected the tags were planted in their car by a man they knew, such as a current or former romantic partner or their boss. The vast majority of the reports were filed by women. There was just one case in which a man made a report after suspecting that an ex was using an AirTag (which costs just $29) to stalk him. Around half of the reports mentioned AirTags in the contexts of thefts or robberies. Just one instance of AirTag-related stalking would be bad enough. Fifty reports in eight jurisdictions in eight months is a not insignificant number and there are likely other cases elsewhere that haven’t been disclosed.”

Apple was aware the product had the potential to be abused, which is why the alerts cited by victims were built into it from the start. The company has since made some tweaks to make it more obvious if its product has been slipped into one’s belongings, like chiming sooner or making those notification messages clearer. At first the notifications only worked on iOS devices, leaving Android users in the dark. An Android app has since been released, but those users must be aware of the problem, and remember to manually scan for potential AirTag-alongs, for it to be of any use. Google is reportedly working on OS-level detection, which would be some consolation.

And the bad actors? Probably beavering away.

Cynthia Murrell, May 3, 2022

UAE Earns a Spot on Global Gray List

April 26, 2022

Forget Darkmatter. This is a gray matter.

Where is the best place to stash ill-gotten gains? The Cayman Islands and Switzerland come to mind, and we have to admit the US is also in the running. But there is another big contender—the United Arab Emirates. The StarTribune reports, “Anti-Money-Laundering Body Puts UAE on Global ‘Gray’ List.” Writer Jon Gambrell tells us:

“A global body focused on fighting money laundering has placed the United Arab Emirates on its so-called ‘gray list’ over concerns that the global trade hub isn’t doing enough to stop criminals and militants from hiding wealth there. The decision late Friday night by the Paris-based Financial Action Task Force [FATF] puts the UAE, home to Dubai and oil-rich Abu Dhabi, on a list of 23 countries including fellow Mideast nations Jordan, Syria and Yemen.”

Will the official censure grievously wound business in the country? Not by a long shot, though it might slightly tarnish its image and even affect interest rates. The FATF admits the UAE has made significant progress in fighting the problem but insists more must be done. Admittedly, the task was monumental from the start. We learn:

“The UAE long has been known as a place where bags of cash, diamonds, gold and other valuables can be moved into and through. In recent years, the State Department had described ‘bulk cash smuggling’ as ‘a significant problem’ in the Emirates. A 2018 report by the Washington-based Center for Advanced Defense Studies, relying on leaked Dubai property data, found that war profiteers, terror financiers and drug traffickers sanctioned by the U.S. had used the city-state’s boom-and-bust real estate market as a safe haven for their money.”

Is the government motivated to change its country’s ways? Yes, according to a statement from the Emirates’ Executive Office of Anti-Money Laundering and Countering the Financing of Terrorism. That ponderously named body promises to continue its efforts to thwart and punish the bad actors. The country’s senior diplomat also chimed in on Twitter, pledging ever stronger cooperation with global partners to address the issue.

Cynthia Murrell, April 26, 2022
