Google and Mandiant: Will Google Be Able to Handle a People Business?
March 11, 2022
Talk about Google’s purchasing Mandiant is a hot topic. I want to comment about Protocol’s article “Google Wants to Be the Full-Service Security Cloud.” The write up is one of several mentioning an important fact:
The company currently has 2,200 employees, including 600 consultants and 300 intelligence analysts who respond to security breaches.
Mandiant, therefore, has about half of its employees performing consultant type work. Not long ago, Google benefited from the sale of Recorded Future, a company which was in the cyber security business AND had a capability that Google had not previously possessed. What was Recorded Future’s magic ingredient? My answer is, “Ability to index by time.” There were other Recorded Future capabilities. In-Q-Tel found the company interesting as well.
Now the Google is embracing the consultative business in which Mandiant has done well. How will the Google management method apply to the individuals who make up about half the Mandiant work force?
If the past is an indication, Google does okay when the staff are like Google’s previous and current management. Google does less well when the professionals are less like those high school science club members who climbed the ladder at the Google.
To sum up: This deal is going to be interesting to watch. Microsoft is likely to be keen on following the tie up. Mandiant is, as you may recall, the outfit which blew the whistle on the SolarWinds’ misstep. Microsoft was snagged in the subsequent forensic analyses. Plus, the cyber security industry is enjoying some favorable winds. The issue, however, is that as threats become breaches, the flaws of the present approach to cyber security become more obvious. Online advertising, cloud computing, and cyber security — a delightful concoction or a volatile mix?
Stephen E Arnold, March 11, 2022
Cybersecurity and Human Error. Pesky Humans
March 10, 2022
Workers make honest mistakes. And sometimes those mistakes lead to security breaches. Darktrace describes how to guard against human imperfection in its DarkReading blog post, “Insider Threats Are More than Just Malicious Employees.” There is the worker who implements a shortcut they believe is benign but actually opens a route for attack. Another may simply forget everything they were taught in security training. Then there is the employee who is more focused on their next gig than on maintaining security practices at a firm they are leaving.
One answer to such risks, writes features editor Fahmida Y. Rashid, is zero trust. Though it sounds cynical, the practice protects organizations from human error. Citing Darktrace threat analyst Toby Lewis, Rashid explains:
“Zero trust treats every connection and action as suspicious. There are signals to verify, such as the device being used, the time of the day, and the order of applications being accessed. If the user is straying outside what’s expected, it triggers an investigation, even if the activity is originating from inside the environment. … In a zero-trust organization, it would be harder for insiders to act badly, Lewis notes. By managing identity, security teams understand who the users are and determine what ‘normal’ looks like. This way, they can assess the level of risk for each person and get a sense of when to ask for more information.”
Network segmentation is the other suggestion. We learn:
“If the network has been divided into different compartments, then users have to authenticate each time they cross into a new area. Different parts of the network can be carved out based on risk and where sensitive data is stored. ‘Each part of your network should be behind its own set of locked doors,’ Lewis says. ‘You could only cross this barrier if you are a trusted person.’”
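The behavioral side of zero trust described above (device, time of day, application pattern as signals; deviation from a user's "normal" triggers an investigation) can be illustrated with a small baseline-and-score routine. This is an added example written for this post, not Darktrace's product logic or code from the DarkReading article; the log tuple layout, the per-signal weights and the investigation threshold are assumptions chosen for the demo, and the access records are constructed.

```python
"""Toy zero-trust style anomaly scoring over constructed access records.

Added illustration only: the record format (user, device, hour, app),
the weights and the threshold are assumptions, not a vendor's scheme.
"""
from collections import defaultdict

# Constructed baseline window of "normal" activity: (user, device, hour_of_day, app).
BASELINE = [
    ("alice", "laptop-01", 9, "mail"),
    ("alice", "laptop-01", 10, "crm"),
    ("alice", "laptop-01", 14, "crm"),
    ("alice", "laptop-01", 16, "mail"),
    ("bob", "laptop-07", 8, "git"),
    ("bob", "laptop-07", 11, "ci"),
    ("bob", "laptop-07", 15, "git"),
]


def build_profiles(events):
    """Derive what 'normal' looks like per identity: devices, hours and apps seen."""
    profiles = defaultdict(lambda: {"devices": set(), "hours": set(), "apps": set()})
    for user, device, hour, app in events:
        p = profiles[user]
        p["devices"].add(device)
        p["hours"].add(hour)
        p["apps"].add(app)
    return profiles


def score_event(profiles, event, slack=1):
    """Return (risk_score, reasons) for one new access, measured against the profile.

    Weights are assumptions: an unseen device weighs most, an off-hours access
    next, an unseen application least. An unknown identity is scored highest.
    """
    user, device, hour, app = event
    if user not in profiles:
        return 5, ["no baseline for this identity"]
    p = profiles[user]
    score, reasons = 0, []
    if device not in p["devices"]:
        score += 3
        reasons.append(f"unseen device {device}")
    lo, hi = min(p["hours"]), max(p["hours"])
    if not (lo - slack <= hour <= hi + slack):
        score += 2
        reasons.append(f"hour {hour} outside usual window {lo}-{hi}")
    if app not in p["apps"]:
        score += 1
        reasons.append(f"unseen application {app}")
    return score, reasons


def needs_investigation(profiles, event, threshold=3):
    """True when the accumulated signals cross the (assumed) investigation threshold."""
    score, reasons = score_event(profiles, event)
    return score >= threshold, score, reasons


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for ev in [("alice", "laptop-01", 10, "crm"), ("alice", "phone-99", 3, "crm")]:
        print(ev, needs_investigation(profiles, ev))
```

The point of the example is the shape of the decision, not the numbers: an access from inside the environment still gets scored, and a single odd signal (a new application) does not by itself trigger an investigation, whereas a new device at 3 a.m. does.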
In an ideal world, workers would reliably adhere to best practices and security teams would have no reason to track employees’ work patterns. But since we are stuck in this imperfect world, companies must do what they can to guard against human imperfection.
Cynthia Murrell, March 10, 2022
Google: Defines Excellence for Android Users
March 3, 2022
I read a hoot of a story. “Data Stealing App Found in Google Play Downloaded Thousands of Times.” The idea for branded stores is consistency, compatibility, and trust. No one wants to buy an air fryer that explodes and maims an influencer. Why would one want to download a mobile app which allows a bad actor to seize data or control of one’s mobile device?
The write up reports:
A notorious Android banking trojan designed to steal user data, like passwords and text messages, has been discovered in Google Play and downloaded thousands of times. The TeaBot banking trojan, also known as Anatsa and Toddler, was first observed in May 2021 targeting European banks by stealing two-factor authentication codes sent by text message.
Yep, malware direct from the Google. Let’s run down those qualities of a branded store:
- Consistency
- Compatibility
- Trust
Check, check, and check.
Ah, Google, are you entering a security drag race against the Softies?
Stephen E Arnold, March 3, 2022
Microsoft and Security: A Probably Trivial Item
March 2, 2022
An online publication called Venture Beat published “Russia May Use SolarWinds-Like Hacks in Cyberwar over Ukraine.” The article contained a paragraph I found suggestive. Here’s the passage:
…the attackers are believed to have gained access for as much as nine months to numerous companies and government agencies, including FireEye, Microsoft and the Departments of Defense, State and Treasury.
The point for me is that the extent of the breaches is not fully known. It is easier to issue news releases and make high-profile marketing moves than come to grips with the allegedly accurate information in the Venture Beat article.
Stephen E Arnold, March 2, 2022
Microsoft: The Security Supremo Cloud Pitch
February 28, 2022
I read “Microsoft’s New Security Chief Says It Is Time to Take Shelter in the Cloud.” The write up reports:
Microsoft has been hit by a series of high-profile cyber intrusions in recent years. In December 2020, the company said it had been compromised by the hackers behind the cyberattack on SolarWinds Corp.—a group that U.S. officials have linked to the Russian government. Months later, Microsoft’s widely used email product, Exchange, was targeted by a cyberattack that was eventually linked to the Chinese government.
I know. So now Microsoft wants me to trust their cloud service because it is more secure?
What’s interesting is that a former Amazon AWS executive is in charge. Apparently he has addressed assorted security concerns. He is, if true, a fast worker or a faster PR content generator.
The write up points to February 22, 2022, as the day Microsoft asserted it would repurpose the Microsoft security products for the Google cloud. Keep in mind that Microsoft security is compatible with Amazon’s cloud.
The write up includes this statement:
In addition to the SolarWinds and Exchange cyberattacks, the company in August had to repair a flaw in the Azure cloud—strategically Microsoft’s most-critical business—after a cybersecurity company found a bug that left customer data exposed. The Azure bug, which was discovered by the cybersecurity company Wiz Inc., rattled some Microsoft customers because it showed how hackers could steal data from thousands of customers by targeting one part of Microsoft’s cloud.
Saying security is different from delivering security. In some ways, Microsoft’s penchant for distraction with the wonky Windows 11 release and then the super spectacular metaverse game type thing has worked.
Now security is back in the spotlight. Oh, just move everything to the cloud. Lock in? Yep. More expensive? For some yes. Put all the eggs in one basket with some security issues? Sure, that makes perfect sense.
If you are doubtful about the cloud, navigate to “Report: 76% of IT Pros Say That Cloud Has Hit a Wall.” The main idea of that write up is that
multicloud, multitool environments have outgrown the tools and platforms that IT leaders currently rely on.
That’s what’s interesting about the Microsoft security PR. Flawed software? Seems possible.
Remember SolarWinds? Remember Exchange Server?
Stephen E Arnold, February 28, 2022
How to Be Happy the Microsoft Way: Endorsed by the Harvard Business Review?
February 25, 2022
I read a fascinating article about being happy. “A Microsoft Exec Says Tech, Not People, Makes Employees Really Happy” recycles an article from the estimable Harvard Business Review titled “In a Hybrid World, Your Tech Defines Employee Experience.” I want to be upfront. I find most of the information in the HBR focused on authors hawking some type of consulting expertise. The outputs in the HBR acted like a magnet on blue chip consulting firms. Getting an article in the HBR was the equivalent of getting Elvis Presley to throw a perspiration tinged scarf to an adoring fan.
According to the source recycling the HBR information about being happy, I noted these statements of Delphic grade insight minus the blood of a dove, a goat, and possibly a misbehaving acolyte.
- Employee experiences are defined by technology.
- Technology and workplace tools are the new workplace. [HBR apparently likes this type of repetition]
- Technology is “becoming central in attracting and retaining new talent, fostering workplace culture, creating productivity, and more.”
I want to offer some of my personal happy experiences with Microsoft technology:
- Updates which kill functions; for example, a system cannot print. This makes me happy for sure.
- Posturing about security when the vulnerabilities spawned by Microsoft software thrill bad actors each and every day.
- Microsoft Word’s remarkable ability to move images in delightful ways.
- The shallow spidering of the just so wonderful Bing content processing system.
- Rumors and allegations about Bill Gates and his interesting interactions with other Microsoft professionals
- A foldable phone with weird performance characteristics for two-screeners with good eyes
- Microsoft WiFi hardware which a Softie told me, “Doesn’t work.”
- Meaningless features in a screen capture utility
- Did I mention Exchange Server vulnerabilities? Yeah.
- And Teams for those using a Mac without a Microsoft 365 subscription. That’s a thrill.
I recall one meeting at which a senior Softie took an iPhone from an employee in a meeting with lots of people in the audience. I recall the baffled looks on the faces of Microsoft Research experts when I asked for a show of hands for those who were familiar with Kolmogorov’s approach to probability. No hands went up. Bummer. I recall a mobile meeting in which I was told, “Mobiles will never have multiple radios.”
Ah, memories.
But the HBR write up explains that my experiences would make me happier via technology.
Yeah, right. Thoughts from the Microsoft person who pointed the finger at 1,000 engineers directed by a nation state to compromise Citadel Windows. Yep, that person.
Stephen E Arnold, February 25, 2022
Yep, Those Microsoft Exchange Servers Are Appealing to Some Bad Actors
February 22, 2022
I know that few agree with my assessment of Windows 11; that is, rushed out without informing the Twit.tv experts. Why? To get attention focused on something other than Microsoft security issues. SolarWinds? Exchange Server? I don’t know.
Then I irritated a few folks with my opinion that the big deal for the electronic game company and the attendant meta chant is essentially another distraction. Why? Maybe the wonderful Windows Defender system before an issue was fixed recently? Maybe another problem with Azure? I don’t know.
I do know that I read some information, which if true, makes clear that the US has a problem with security. And I know that some of the “problem” is a result of Microsoft’s software and systems. My source is the “real” news article “FBI Says BlackByte Ransomware Group Has Breached Critical US Infrastructure.” Let’s assume that the information in the write up is mostly on the money.
First, we note that the FBI issued a statement available here which says that malware has compromised multiple businesses. What’s interesting is that infrastructure sectors appear to have been compromised. What does that mean? My take is that this is a gentle way of saying that bad actors can muck up certain organizations, financial functions, and food (maybe jiggle the chemicals for fertilizer or send box cars to Texas?).
Second, the write up points out that an NFL football team’s systems may have been fiddled. Interesting indeed. Why? No idea.
Third, this paragraph is the one which I think is the most important:
In their warning, the authorities said some victims reported that the bad actors used a known Microsoft Exchange Server vulnerability to gain access to their networks. The authorities have also released filenames, indicators of compromise and hashes that IT personnel can use to check their networks for presence of the ransomware.
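The quoted paragraph notes that the authorities released filenames and hashes for IT staff to check their networks against. What that check looks like in practice is a tree walk that hashes every file and compares against the published set. The script below is an added example for this post, not the FBI's tooling and not the advisory's actual indicators: the hash set and the filename it looks for are constructed placeholders generated from sample bytes here, and would be replaced by the values in the advisory.

```python
"""Scan a directory tree for files matching advisory-style indicators.

Added example only. IOC_HASHES and IOC_FILENAMES are constructed
placeholders for this demo, not indicators from the FBI advisory.
"""
import hashlib
import os
import tempfile

# Constructed sample payloads; their digests stand in for advisory hashes.
_SAMPLE_MALICIOUS = b"PLACEHOLDER sample bytes standing in for a malicious file\n"
_SAMPLE_BENIGN = b"quarterly report draft\n"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


IOC_HASHES = {sha256_bytes(_SAMPLE_MALICIOUS)}      # placeholder, not a real IoC
IOC_FILENAMES = {"placeholder_dropper.exe"}          # placeholder, not from the advisory


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes=IOC_HASHES, ioc_names=IOC_FILENAMES):
    """Return sorted (path, reasons) for every file matching a name or hash indicator.

    A hash match is the strong signal; a filename match alone is a lead worth
    triage, since renamed copies still hash the same and a benign file can
    happen to share a name. Unreadable files are reported rather than skipped.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in ioc_names:
                reasons.append("filename")
            try:
                if sha256_file(path) in ioc_hashes:
                    reasons.append("sha256")
            except OSError:
                reasons.append("unreadable")
            if reasons:
                hits.append((path, reasons))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory: one benign file, one renamed copy of the
    placeholder 'malicious' bytes, and one benign file carrying the watched name."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(_SAMPLE_BENIGN)
    with open(os.path.join(root, "sub", "renamed.bin"), "wb") as f:
        f.write(_SAMPLE_MALICIOUS)
    with open(os.path.join(root, "sub", "placeholder_dropper.exe"), "wb") as f:
        f.write(_SAMPLE_BENIGN)
    return root


if __name__ == "__main__":
    for path, why in scan_tree(build_sample_tree()):
        print(path, why)
```

Running it reports the renamed copy on its hash and the oddly named benign file on its name only, which is the distinction an analyst wants preserved when the real advisory values are dropped in.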
Yep, Microsoft. Exchange Servers.
Windows 11 distracted for a while. The game deal is headed for legal choppy water. What will Microsofties roll out next? A phone, a new foldable perhaps, another reorganization?
Fascinating that security issues keep emerging and with each revelation the stakes creep higher. Bad actors may find this information encouraging. I find it downright awful.
Stephen E Arnold, February 22, 2022
Department of Defense: Troubling News about Security
February 21, 2022
It looks like a lack of resources and opaque commercial cloud providers are two factors hampering the DOD’s efforts to keep the nation cyber-safe. Breaking Defense discusses recent research from the Pentagon’s Director of Operational Test and Evaluation (DOT&E) in, “Pentagon’s Cybersecurity Tests Aren’t Realistic, Tough Enough: Report.” We encourage anyone interested in this important topic to check out the article and/or the report itself. Reporter Jaspreet Gill summarizes:
“[The report] states DoD should refocus its cybersecurity efforts on its cyber defender personnel instead of focusing primarily on the technology associated with cyber tools, networks and systems, and train them to face off against more real threats earlier in the process. For now, cybersecurity ‘Red Teams’ are stretched too thin and the ones that do test military systems are doing it with one hand tied behind their back compared to what actual adversaries would do, the report said.”
Enabling these teams to do their best work would mean giving them more time on the network to test vulnerabilities, more extensive toolsets, realistic rules of engagement, and better end-to-end planning, the report explains. In addition, it states, cyber security training must be expanded to include mission defense teams, system users, response-action teams, commanders, and network operators. We also learn that current funding practices effectively prohibit setting up offices dedicated to cyber technology effectiveness and training. Seriously? See the write-up for more recommendations that should be obvious.
The following bit is particularly troubling in this age of increasing privatization and corporate power. Gill informs us:
“The assessment also found DoD’s cyber concerns increasingly mirror those in the commercial sector due to increasing reliance on commercial products and infrastructure, especially with cloud services. The report recommends the Pentagon renegotiate contracts with commercial cloud providers and establish requirements for future contracts. ‘The DOD increasingly uses commercial cloud services to store highly sensitive, classified data, but current contracts with cloud vendors do not allow the DOD to independently assess the security of cloud infrastructure owned by the commercial vendor, preventing the DOD from fully assessing the security of commercial clouds. Current and future contracts must provide for threat-realistic, independent security assessments by the DOD of commercial clouds, to ensure critical data is protected.’”
Well yes—again that seems obvious. Public-private partnerships should be enacted with a dash of common sense. Unfortunately, that can be difficult to come by amidst bureaucracy.
Cynthia Murrell, February 21, 2022
NordVPN: Mostly Ironclad Privacy
February 3, 2022
Panama-based VPN provider NordVPN swore in 2017 that it would refuse requests from any foreign government to release customer data. In the wake of what happened to VPNLab after its tussle with Europol, however, TechRadar Pro reports, “NordVPN Will Now Comply with Law Enforcement Data Requests.” The firm still promises privacy—unless and until the legal eagles appear. We learn NordVPN recently revised the original, 2017 blog post in which it promised unwavering privacy to reflect the new reality. Reporter Anthony Spadafora writes:
“Now though, the original blog post has been edited and the post now reads: ‘NordVPN operates under the jurisdiction of Panama and will only comply with requests from foreign governments and law enforcement agencies if these requests are delivered according to laws and regulations.’ [Emphasis mine.] The revised blog post also goes a bit further in regard to NordVPN’s zero-logs policy by explaining that the company will log a user’s VPN activity if there is a court order to do so: ‘We are 100% committed to our zero-logs policy – to ensure users’ ultimate privacy and security, we never log their activity unless ordered by a court in an appropriate, legal way.’ Meanwhile, the company updated its privacy policy back in July of last year with a new section that contains further details on information requests. A NordVPN spokesperson explained in an email to TechRadar Pro that the sole reason it changed its blog post in the first place was to dissociate its company from bad actors following PCMag’s original article on the matter.”
Spadafora points out the now shuttered VPNLab mostly catered to cybercriminals—a very different outfit from NordVPN. He also emphasizes that, despite the new language, NordVPN still offers a no-logs VPN, so there would be little to no pre-existing data for the company to relinquish even if law enforcement did come knocking. At this point, such a request is purely hypothetical—the firm notes it has yet to receive a single national security letter, gag order, or warrant from government organizations asking for user information since it was founded in 2012. We suspect they hope that streak continues.
Cynthia Murrell, February 2, 2022
Google Docs: Exploit or Exploited?
February 2, 2022
Real-time collaboration has been a boon for teams working remotely over the last couple of years. For Google Docs, however, the feature has opened the door to a hazardous vulnerability. Security Boulevard reports on a “‘Massive Wave’ of Hackers Exploiting Comments in Google Docs.” Writer Teri Robinson tells us:
“It seems like users are now paying the price for Google not fully closing or mitigating a vulnerability in the comment feature of Google Docs—since December a ‘massive wave’ of hackers have exploited the flaw through impersonation and phishing to send malicious content to those using email—primarily Outlook—and Google Docs, according to researchers at Avanan. The targets? Just about any end user. Taking advantage of the ‘seamless nature’ of Google Docs that lets employees collaborate in real-time around the globe, the hackers simply add a comment to a Google Doc that mentions the target with an @. ‘By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included,’ Avanan researchers wrote in a blog post. ‘Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators.’ Avanan observed the hackers hitting more than ‘500 inboxes across 30 tenants … using over 100 different Gmail accounts.’”
The hackers’ efforts were helped by the fact their content was delivered directly by Google, which raises flags for neither most users nor their junk filters. That senders’ email addresses are hidden makes it that much harder to spot imposters. (Though, it should be noted, even if an address checks out it could be coming from a compromised account.) As many of our readers know, it just takes one worker falling for the trick to compromise an entire organization. Avanan researchers advise us not to reflexively trust messages just because they come through a trusted platform. Be sure to hover over links before clicking to confirm they will send you to an expected destination. And, as Robinson concludes:
“If users are unsure that a sender is on the up-and-up, they should contact the legitimate sender for confirmation that they sent a document, Avanan said.”
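The advice above to hover over links and confirm the destination can be automated for a mail gateway or a quick triage script: parse the anchors in the notification body and flag any whose visible text looks like one domain while the href points somewhere else. This is an added example for this post, not Avanan's or Google's code; the HTML body below is constructed, and the domain-shaped-text heuristic is an assumption of the example.

```python
"""Flag anchors whose visible text names a different host than their href.

Added example only. The sample notification body is constructed and the
"text looks like a domain" heuristic is an assumption of this demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that reads as a URL or bare domain, e.g. "drive.google.com/x".
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; scheme-less hrefs are treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html):
    """Return (text, href, explanation) for anchors whose shown domain and real
    destination disagree. A subdomain of the shown domain is accepted."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        m = DOMAIN_RE.fullmatch(text)
        if not m:
            continue  # descriptive text ("Open document") carries no domain claim
        shown, target = m.group(1).lower(), host_of(href)
        if shown != target and not target.endswith("." + shown):
            findings.append((text, href, f"text shows {shown}, link goes to {target}"))
    return findings


# Constructed sample of a comment-mention notification body.
SAMPLE_BODY = """
<p>someone mentioned you in a comment:</p>
<a href="http://login.example.net/review">https://drive.google.com/share/q4</a>
<a href="https://docs.google.com/document/d/1">Open document</a>
<a href="https://docs.google.com/x">docs.google.com</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_BODY):
        print(finding)
```

The check deliberately stays silent on anchors with descriptive text, since those make no domain claim to contradict; for them the only recourse is the out-of-band confirmation with the sender that the article recommends.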
Yep, Google Docs, now mostly for fee thrills.
Cynthia Murrell, February 2, 2022