The Patching Play
April 25, 2022
I read “Patching Is Security Industry’s ‘Thoughts and Prayers’: Ex-NSA Man Aitel.” The former leader of ImmunitySec asserts that patching delivers a false sense of security. Other industry experts believe that patching has some value. Both are correct. In my opinion, both are missing an important aspect of patching software and systems to keep bad actors at bay.
What’s my view?
Patching — real or pretend — is a launch pad for marketing. A breach occurs and vendors have an opportunity to explain what steps have been taken to protect the software and services, partners, customers, and in some cases the vendors themselves. Wasn’t it Solar something?
Microsoft explained that bad actors marshaled a team of 1,000 programmers. That’s marketing because the bad actors in that case were countries, not disgruntled 40-year-olds in a coffee shop.
The name of the game is cat and mouse. The bad actors find a flaw, exploit it, or sell it. The good actors respond to the issue and issue an alleged patch. The PR machine, which is like Jack Benny’s Maxwell with a transplanted Tesla electric motor, fires up.
Will the wheels fall off? Haven’t they?
Stephen E Arnold, April 25, 2022
Microsoft: A Consistently Juicy Target
April 25, 2022
I am perched in Washington, DC, checking news flows. What did I spy this morning (April 24, 2022)? This article caught my eye: “Microsoft Exchange Servers Are Being Infected with Ransomware.” Is this a remembrance from times past? The story asserts as actual factual (but who knows anymore?):
In the attack the team studied, Hive commenced its assault via the exploitation of ProxyShell, a collection of Microsoft Exchange Server vulnerabilities (and critical ones at that) that provide a way for attackers to remotely execute code. Microsoft reportedly patched this problem in 2021.
The key phrase in this allegedly accurate write up is “Microsoft reportedly patched this problem in 2021.”
Several observations:
- Yo Windows Defender and the other Microsoft security systems, “What’s shakin’?”
- What’s with the “reportedly”? If the write up is accurate, the problem was fixed.
- How many thousands of bad actors are involved in this problem? Probably quite a few because this is CaaS, crime as a service.
Net net: Microsoft may be faced with security problems for which there is no reliable remediation. PR, however, is quite easy to deploy.
Stephen E Arnold, April 25, 2022
MBAs and Security Professionals: A New Opportunity?
April 18, 2022
I am not sure how quickly this information will diffuse into MBA programs and venture firms enjoying their stakes in cyber security firms. But the info will arrive, and it will add brio to PowerPoint sales decks.
“A Centralized Surveillance System That Keeps Up with Your Business Growth” states:
A robust surveillance system is undoubtedly an essential component to safeguarding businesses’ securities and assets.
These data come from a research firm of which I have never heard. Never mind that. The key point is that there will be 50 percent growth going forward.
What new planning, equipment, and software are needed? Check out this shopping list:
- Cameras
- Storage
- Maintenance
One may want to add additional legal fees unless one is running a business in an environment in which total surveillance is already a requirement.
Exciting stuff for consultants too, if the research is accurate. And the sponsor? Synology. Interesting marketing angle for storage. Just capture everything?
Stephen E Arnold, April 18, 2022
Being Googley: Is the Chrome Browser at Risk in Some SolarWinds?
April 15, 2022
I read “Google Issues Third Emergency Fix for Chrome This Year.” The main idea is that Google is pumping out software which appears to invite bad actors to a no-rules party. The article states:
The emergency updates the company issued this week impact the almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. It is the third such emergency update Google has had to issue for Chrome this year.
Yeah, the browser thing.
Several observations:
- If a wildly popular Google output cannot be made secure, what about the services and software which are less engineer “rich”?
- Does Google deserve the scrutiny that Microsoft and other alleged monopolies attract? Google has been “off the radar” compared with other companies in the last couple of years, it seems.
- What will bad actors do with the signal that three security updates have been issued, and we have not made it to the summer solstice? My thought is that computer science students in some Eastern European countries will be getting some new homework assignments.
Like other large companies, Google faces risks whenever it makes a security issue public: There are stakeholders, there are legal eagles, and there are those fresh faced, motivated students in countries which crank out capable programmers and engineers. Some of these individuals may find that exploit creation provides a way to spin up some extra cash.
How many of these individuals are available on gig work sites? What information is flowing through private Telegram groups? The limping Dark Web still has some interesting fora too.
Net net: What Googley vulnerabilities exist which have not been disclosed? How many weak spots exist in the Google just waiting for a bright person to exploit? We know what the article reports, and that information begs more difficult questions.
Stephen E Arnold, April 15, 2022
Google Hits Microsoft in the Nose: Alleges Security Issues
April 15, 2022
The Google wants to be the new Microsoft. Google wanted to be the big dog in social media. How did that turn out? Google wanted to diversify its revenue streams so that online advertising was not the main money gusher. How did that work out? Now there is a new dust up, and it will be more fun than watching the antics of coaches of Final Four teams. Go, Coach K!
The real news outfit NBC published “Attacking Rival, Google Says Microsoft’s Hold on Government Security Is a Problem.” The article presents as actual factual information:
Jeanette Manfra, director of risk and compliance for Google’s cloud services and a former top U.S. cybersecurity official, said Thursday that the government’s reliance on Microsoft — one of Google’s top business rivals — is an ongoing security threat. Manfra also said in a blog post published Thursday that a survey commissioned by Google found that a majority of federal employees believe that the government’s reliance on Microsoft products is a cybersecurity vulnerability.
There you go. A monoculture is vulnerable to parasites and other predations. So what’s the fix? Replace the existing monoculture with another one.
That’s a Googley point of view from Google’s cloud services unit.
And there are data to back up this assertion, at least data that NBC finds actual factual; for instance:
Last year, researchers discovered 21 “zero-days” — an industry term for a critical vulnerability that a company doesn’t have a ready solution for — actively in use against Microsoft products, compared to 16 against Google and 12 against Apple.
I don’t want to be a person who dismisses the value of my Google mouse pad, but I would offer:
- How are the anti ad fraud mechanisms working?
- What’s the issue with YouTube creators’ allegations of algorithmic oddity?
- What’s the issue with malware in approved Google Play apps?
- Are the incidents reported by Firewall Times resolved?
Microsoft has been reasonably successful in selling to the US government. How would the US military operate without PowerPoint slide decks?
From my point of view, Google’s aggressive security questions could be directed at Google itself. Does Google do the know thyself thing? Not when it comes to money is my answer. My view is that none of the Big Tech outfits are significantly different from one another.
Stephen E Arnold, April 15, 2022
Windows System Flaw Exploited In Ransomware
April 15, 2022
Will your Windows 11 set up result in losing your data? That’s a rumor. We learned that there may be other risks in the Microsoft ecosystem as well.
Microsoft Windows is the most widely deployed desktop operating system in the world. It is also easy to learn and, unfortunately, a favored target for exploitation. Tech Radar explains how bad actors hack Windows systems in the article, “Windows And LinkedIn Flaws Used In Conti Ransomware Attacks, Google Warns.”
Exotic Lily, an initial access broker linked to the Conti ransomware group, hacks organizations, steals their digital data, and ransoms it back to the rightful owners or sells access to the highest bidder. What is interesting is that ransomware groups usually outsource their initial access efforts, then take over the attack and deploy the malware. Google’s Threat Analysis Group researched Exotic Lily and was surprised by the sophistication of its tactics and the large amount of grunt work it does. The Threat Analysis Group discovered that Exotic Lily works in the following way:
“The group would use domain and identity spoofing to pose as a legitimate business, and send out phishing emails, usually faking a business proposal. They would also use publicly available Artificial Intelligence (AI) tools to generate authentic images of humans, to create fake LinkedIn accounts, which would help the campaign’s credibility. After initial contact has been made, the threat actor would upload malware to a public file-sharing service, such as WeTransfer, to avoid detection by antivirus programs, and increase the chances of delivery to the target endpoint. The malware, usually a weaponized document, exploits a zero-day in Microsoft’s MSHTML browser engine, tracked as CVE-2021-40444. The second-stage deployment usually carried the BazarLoader.”
The Threat Analysis Group believes Exotic Lily is an independent operator and works for the highest bidder. Its intrusions have been tied to ransomware operations including Conti, Diavol, and Wizard Spider. Exotic Lily targets healthcare, cyber security, and IT organizations; however, it has been expanding its victim base.
But is Google overstating the threat, doing some marketing, or trying to help out valued users?
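The two halves of the delivery chain described above (a sender domain that imitates a real business partner, and a lure delivered through a public file-sharing link instead of an attachment) are both things a mail gateway can score. Here is an added example of such a triage rule; it is not Google TAG’s code or anything from the Tech Radar article. The partner domain list, the file-sharing host list (WeTransfer is named in the report, the others are added as an assumption), the scoring thresholds, and the sample messages are all constructed for illustration.

```python
"""Triage rule for the Exotic Lily delivery pattern: lookalike partner domain
plus a public file-sharing link. Added example, not Google TAG's code. The
partner list, file-sharing hosts, thresholds and sample mail are constructed."""
import re
from urllib.parse import urlparse

# Constructed: domains of partners the organization legitimately corresponds with.
KNOWN_PARTNER_DOMAINS = {"acme-industrial.com", "northwind-traders.com"}

# Constructed: WeTransfer (named in the report) plus similar services, as an assumption.
FILE_SHARING_HOSTS = {"wetransfer.com", "we.tl", "transfernow.net"}

# Common character substitutions in lookalike domains, undone before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(label: str) -> str:
    """Undo homoglyph substitutions so 'industria1' compares as 'industrial'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, partners=KNOWN_PARTNER_DOMAINS, max_dist: int = 2):
    """Return the partner domain the sender imitates, or None.
    An exact partner domain is not a lookalike: it is either genuine or a
    header spoof, which is SPF/DKIM/DMARC's job rather than this rule's."""
    sender = sender_domain.lower()
    if sender in partners:
        return None
    # 'acme-industrial.com.evil.net' -> 'acme-industrial' (subdomain trick)
    sender_base = normalize(sender.split(".")[0])
    for partner in partners:
        partner_base = partner.split(".")[0]
        if sender_base == partner_base or edit_distance(sender_base, partner_base) <= max_dist:
            return partner
    return None


def file_sharing_links(body: str):
    """Return URLs in the body whose host is (or is under) a public file-sharing service."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            hits.append(url)
    return hits


def triage(message: dict) -> dict:
    """Score one message; 'escalate' only when both halves of the pattern are present."""
    sender_domain = message["from"].rsplit("@", 1)[-1]
    impersonated = lookalike_of(sender_domain)
    links = file_sharing_links(message["body"])
    score, reasons = 0, []
    if impersonated:
        score += 2
        reasons.append(f"sender domain {sender_domain} imitates partner {impersonated}")
    if links:
        score += 1
        reasons.append("delivery via public file-sharing link: " + ", ".join(links))
    if impersonated and links:
        score += 2
        reasons.append("lookalike sender combined with file-sharing delivery (Exotic Lily pattern)")
    return {"score": score, "verdict": "escalate" if score >= 3 else "log", "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "quotes@acme-industria1.com",
     "body": "Per our call, the proposal is here: https://wetransfer.com/downloads/abc123"},
    {"from": "billing@northwind-traders.com",
     "body": "Invoice shared as usual via https://we.tl/t-xyz789"},
    {"from": "newsletter@example.org",
     "body": "Monthly update: https://example.org/news"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], triage(msg))
```

The point of the combined score is that neither signal alone is conclusive: real partners do send WeTransfer links, and a lookalike domain with no payload may be reconnaissance. The first sample trips both signals and is escalated; the second is a genuine partner domain using a file-sharing service and is only logged.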
Whitney Grace, April 11, 2022
PR or Reality? Only the Cyber Firms Know the Answer
April 6, 2022
Cyber crimes are on the rise. Businesses and individuals are the targets of malware bad actors. IT Online details how cyber security firms handle attacks: “What Happens Inside A Cybercrime War-Room?” As a major business player in Africa, South Africa fends off many types of cyber attacks: coin miner modules, viruses downloaded with bad software, self-spreading crypto mining malware, and ransomware.
The good news about catching cyber criminals is that white hat experts know how their counterparts work and can use technology like automation and machine learning against them. Carlo Bolzonello is the country manager for Trellix’s South Africa branch. He said that cyber crime organizations are run like regular businesses, except their job is to locate and target vulnerable IT environments. Once the bad business has the victim in its crosshairs, the bad actors exploit it for money or for other assets to be held for extortion or resale.
Bolzonello continued to explain that while it is important to understand how the enemy works, it is key that organizations have a security operations center armed with various tools that can pull information about possible threats into one dashboard:
“That single dashboard can show where a threat has emerged, and where it has spread to, so that action can be taken, immediately. It can reveal whether ransomware has gained access via a “recruitment” email sent to executives, whether a “living off the land” binary has taken hold via a download of an illicit copy of a movie, or whether a coin miner module has inserted itself via pirated software. Having this information to hand helps the SOC design and implement a quick and effective response, to stop the attack spreading further, and to prevent it costing money for people and businesses.”
Having a centralized dashboard allows organizations to respond more quickly and keep their enemies in check. Black hat cyber organizations might actually run the reverse of a security operations center, one that allows them to locate vulnerabilities. PR or reality? A bit of both perhaps?
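What the quoted dashboard pitch actually amounts to, stripped of the PR, is correlation: alerts from separate feeds (mail gateway, endpoint agent, logon audit) are tied to hosts, and lateral logons from an already-flagged host pull the destination into the same chain, which is how a console can say where something started and where it went. Here is an added example of that correlation logic; it is not Trellix code and has nothing to do with its product. The feed names, the event fields, and every event in the sample are constructed.

```python
"""Correlate alerts from several feeds into incident chains: the 'where did it
start and where did it spread' view. Added example, not Trellix code; the feed
names, event fields and all sample events are constructed."""
from collections import defaultdict

ALERT_FEEDS = {"mail", "edr"}  # feeds whose events mark a host as compromised

# Constructed sample events, already normalized to one schema (ISO timestamps).
EVENTS = [
    {"ts": "2022-04-01T08:30:00", "feed": "edr", "host": "WS-HR",
     "detail": "xmrig.exe sustained high CPU (coin miner via pirated software)"},
    {"ts": "2022-04-01T09:02:11", "feed": "mail", "host": "WS-CFO",
     "detail": "recruiter-themed lure opened by executive"},
    {"ts": "2022-04-01T09:03:40", "feed": "edr", "host": "WS-CFO",
     "detail": "winword.exe spawned powershell.exe"},
    {"ts": "2022-04-01T09:15:02", "feed": "logon", "host": "FS-01", "src_host": "WS-CFO",
     "detail": "network logon (type 3)"},
    {"ts": "2022-04-01T09:20:30", "feed": "edr", "host": "FS-01",
     "detail": "certutil.exe -urlcache (living off the land binary)"},
    {"ts": "2022-04-01T09:41:00", "feed": "logon", "host": "WS-DEV3", "src_host": "FS-01",
     "detail": "remote interactive logon (type 10)"},
    {"ts": "2022-04-01T09:50:00", "feed": "logon", "host": "PRINT-01", "src_host": "WS-LEGAL",
     "detail": "network logon (type 3), no prior alert on source"},
]


def correlate(events):
    """Return incidents as {'origin', 'hosts', 'edges'}.
    A host joins the compromised set on an alert-feed event, or on a lateral
    logon whose source host is already compromised; union-find groups hosts
    that are connected by such logons into one incident."""
    first_seen = {}   # host -> timestamp the host was first pulled into an incident
    parent = {}       # union-find over hosts
    edges = []        # (src_host, dst_host, ts) lateral movements

    def find(h):
        parent.setdefault(h, h)
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    def union(a, b):
        parent[find(a)] = find(b)

    for ev in sorted(events, key=lambda e: e["ts"]):  # time order matters for causality
        host = ev["host"]
        if ev["feed"] in ALERT_FEEDS:
            first_seen.setdefault(host, ev["ts"])
            find(host)
        elif ev["feed"] == "logon":
            src = ev.get("src_host")
            # only a logon FROM an already-compromised host counts as spread
            if src and src != host and src in first_seen:
                first_seen.setdefault(host, ev["ts"])
                union(host, src)
                edges.append((src, host, ev["ts"]))

    groups = defaultdict(set)
    for h in first_seen:
        groups[find(h)].add(h)

    incidents = []
    for hosts in groups.values():
        ordered = sorted(hosts, key=lambda h: first_seen[h])
        incidents.append({
            "origin": ordered[0],
            "hosts": ordered,
            "edges": [e for e in edges if e[0] in hosts],
        })
    return sorted(incidents, key=lambda i: first_seen[i["origin"]])


if __name__ == "__main__":
    for n, inc in enumerate(correlate(EVENTS), 1):
        print(f"incident {n}: origin={inc['origin']} hosts={inc['hosts']}")
        for src, dst, ts in inc["edges"]:
            print(f"  {ts} {src} -> {dst}")
```

On the sample data this yields two incidents, which is the useful part: the coin miner on WS-HR stays a separate single-host incident, while the phishing lure on WS-CFO, the file server, and the developer workstation are chained together by the two lateral logons. The logon from WS-LEGAL is ignored because nothing had flagged its source. Note the weakness a practitioner should keep in mind: the rule only follows logons, so spread over any channel the logon feed does not see (a scheduled task, WMI, a shared credential reused elsewhere) will be missed.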
Whitney Grace, April 6, 2022
Anti-Drone Measures: A Bit Like Enterprise Cyber Security?
April 5, 2022
The big news is that whatever anti-drone technology is being used by “the West”, it is not working at 100 percent efficiency. The Wall Street Journal, published on April Fool’s Day, the story “Drones Evade West’s Air Defense.” I could not spot the exact write up in my online resources, but this particular item is in the dead tree edition. If you go to an office which has humanoids who subscribe to the hard copy, you can check out the story on Page A-9. Story locations vary by edition because… advertising.
There is an online version with the jazzy title “NATO Investigates How Russian and Ukrainian Drones Bypassed Europe’s Air Defense System.” You might be able to view the article at this link, but you probably will either have to pay or see a cheerful 404 error. These folks are in the money business. News, much like the Ford F-150, is cargo, and it has a cult, I believe.
The point of both write ups is that both Russian and Ukrainian drones have not been interdicted by anti-drone systems. How did those in neighboring countries know that Russian and Ukrainian drones were entering their air space and zipping through their anti-drone borders?
Drones crashed. People walked up and noted, “Okay, explosives on that one.” Another person spots a drone in a field and says, “Looks like this one has cameras, not bombs.”
Countries whose borders have been subject to drone incursions include Romania, Croatia, and Poland. There may be others, but some of the countries have areas which are difficult to reach, even for an Eva Zu Beck type of person.
NATO is looking into the anti drone measures. That makes sense, since most vendors of military grade anti drone systems have PowerPoint decks which make it clear, “Our system works.” Should I name vendors? Nah, remember Ubiquiti and Mr. Krebs. (That sounds like a children’s program on a PBS station to me.) Slide decks become the reality until a drone with explosives plops down near a pre-school.
My immediate reaction to these Wall Street Journal stories was, “Maybe the anti-drone defense vendors operate with the same reliability as the vendors of enterprise cyber security systems?” The PowerPoint decks promise the same efficacy. There are even private YouTube videos which show drone defense vendors’ systems EMPing, blasting, or just knocking those evil constructs out of the sky. (Check out Anduril’s offering in this collision centric method, please.)
For several years I followed drone technology for an investment outfit. I learned that the information about drones described devices better suited to science fiction. I read patents which were not in the fiction section of my local library. I watched YouTube videos with nifty DaVinci Fusion video effects.
The reality?
NATO is now investigating.
My point is that it is easy to sell certain government types advanced technology with PowerPoints and slick videos. This generalization applies to hardware and to software cyber systems.
I don’t need to invoke the SolarWinds’ misstep. I don’t need to recycle the information in the Wall Street Journal stories or the somewhat unusual content in Perun’s drone video.
Is procurement to blame? Partially. I think that Parkinson’s Law (1958) gets closer to the truth, particularly when combined with the observations in the Peter Principle (1971). Universals are at work with the assistance of fast talkers, PowerPoints, and video “proof”.
Stephen E Arnold, April 4, 2022
System Glitches: A Glimpse of Our Future?
April 4, 2022
I read “Nearly All Businesses Hit by IT Downtime Last Year – Here’s What’s to Blame.” The write up reports:
More than three-quarters (75%) of businesses experienced downtime in 2021, up 25% compared to the previous year, new research has claimed. Cybersecurity firm Acronis polled more than 6,200 IT users and IT managers from small businesses and enterprises in 22 countries, finding that downtime stemmed from multiple sources, with system crashes (52%) being the most prevalent cause. Human error (42%) was also a major issue, followed by cyber attacks (36%) and insider attacks (20%).
Interesting. A cyber security company reports these data. The cyber security industry sector should know. Many of the smart systems have demonstrated that those systems are somewhat slow when it comes to safeguarding licensees.
What’s the cause of the issue?
There are “crashes.” But what’s a crash. Human error. Humans make mistakes and most of the software systems with which I am familiar are dumb: Blackmagic ATEM software which “forgets” that users drag and drop. Users don’t intuitively know to put an image one place and then put that image another so that the original image is summarily replaced. Windows Defender lights up when we test software from an outfit named Chris. Excel happily exports to PowerPoint but loses the format of the table when it is pasted. There are USB keys and Secure Digital cards which just stop working. Go figure. There are enterprise search systems which cannot display a document saved by a colleague before lunch. Where is it? Yeah, good question. In the indexing queue maybe? Oh, well, perhaps tomorrow the colleague will get the requested feedback?
My takeaway from the write up is that the wild and crazy, helter skelter approach to software and some hardware has created weaknesses, flaws, and dependencies no one knows about. When something goes south, the Easter egg hunt begins. A dead Android device elicits button pushing and the hope that the gizmo shows some signs of life. Mostly not in my experience.
Let’s assume the research is correct. The increase noted in the write up means that software and systems will continue to degrade. What’s the fix? Like many things, from making a government bureaucracy more effective to having an airline depart on time, software and systems seem headed on a downward path.
My take is that we are getting a glimpse of the future. Reality is very different from the perfectly functioning demo and the slick assertions in a PowerPoint deck.
Stephen E Arnold, April 4, 2022
Why Did I Change DarkCyber?
March 31, 2022
This week we made available an interview with a senior manager of an intelware company. At lunch, a person asked me why I changed the editorial coverage of DarkCyber and reduced the number of videos I made available.
I sang my favorite song, “I am 77 and the days dwindle down.” The he/she/them ate the burrito and the conversation shifted to electric vehicles.
There is another reason for my focus on interviews. A good example of my rethink appears in “Ubiquiti Seeks $425 Million in Damages Against Industry Blogger Brian Krebs.” The main idea is that writing about cyber security can open the cages of the legal eagles.
The write up reports:
Ubiquiti on Tuesday filed a lawsuit against industry blogger Brian Krebs for $425 million in damages for allegedly falsely accusing the company of “covering up” a cyber attack. According to the complaint, Krebs intentionally misled the public about a data breach and a subsequent blackmail attempt.
I don’t know the particulars of this legal allegation. I do know that I am skeptical of many of the claims made by cyber security firms. The PowerPoint decks are so darned convincing until something goes south.
At my age, I would rather interview people about their products; hence, the shift in the DarkCyber focus. I will continue to ask questions and write what I think is super funny commentary on the information I locate via open sources.
That’s separating the goose feathers from the giblets. Plus, who wants to deal with the hassles of explaining that the methods of a blogger writing about security are not up to snuff?
I will speak with Tibby and Pepita about their research methods later today. They are usually more interested in delivery vans than online research, but these comprise my research team.
Stephen E Arnold, March 31, 2022