About Microsoft Exchange Security?
November 12, 2021
I spotted “Microsoft urges Exchange Admins to Patch Their On-Prem Servers Now.” I like the “now.” I interpret this suggestion to mean, “Well, our much hyped security enhancements… are sort of not enough.”
The write up asserts:
“November 2021 Exchange Server Security Updates” goes on to add that the bug only impacts on-premise Microsoft Exchange servers, including those used by customers in Exchange Hybrid mode.
With Microsoft telemetry, smart updates, and remote access controls to Microsoft systems — why are licensees hanging in the digital wind?
Net net: This type of “bulletin” is catnip to bad actors. Perhaps it is too expensive to do more than issue PR about security.
Stephen E Arnold, November 12, 2021
Who Remembers Palantir or Anduril? Maybe Peter Thiel?
November 4, 2021
Despite sci-fi stoked fears about artificial general intelligences (AGI) taking over the world, CNBC reports, “Palantir’s Peter Thiel Thinks People Should Be Concerned About Surveillance AI.” Thiel, co-founder of Palantir and investor in drone-maker Anduril, is certainly in the position to know what he is talking about. The influential venture capitalist made the remarks at a recent event in Miami. Writer Sam Shead reports:
“Tech billionaire Peter Thiel believes that people should be more worried about ‘surveillance AI’ rather than artificial general intelligences, which are hypothetical AI systems with superhuman abilities. … Those that are worried about AGI aren’t actually ‘paying attention to the thing that really matters,’ Thiel said, adding that governments will use AI-powered facial recognition technology to control people. His comments come three years after Bloomberg reported that ‘Palantir knows everything about you.’ Thiel has also invested in facial recognition company Clearview AI and surveillance start-up Anduril. Palantir, which has a market value of $48 billion, has developed data trawling technology that intelligence agencies and governments use for surveillance and to spot suspicious patterns in public and private databases. Customers reportedly include the CIA, FBI, and the U.S. Army. AGI, depicted in a negative light in sci-fi movies such as ‘The Terminator’ and ‘Ex Machina,’ is being pursued by companies like DeepMind, which Thiel invested in before it was acquired by Google. Depending on who you ask, the timescale for reaching AGI ranges from a few years, to a few decades, to a few hundred years, to never.”
Yes, enthusiasm for AGI has waned as folks accept that success, if attainable at all, is a long way off. Meanwhile, Thiel is now very interested in cryptocurrencies. For the famously libertarian mogul, that technology helps pave the way for his vision of the future: a decentralized world. That is an interesting position for a friend of law enforcement.
Cynthia Murrell, November 4, 2021
Encouragement for Bad Actors: Plenty of Targets Guaranteed
November 2, 2021
If the information in the Silicon Valley-esque business news service Venture Beat is accurate, 2022 is going to be a good year for bad actors. “Report: 55% of Execs Say That SolarWinds Hack Hasn’t Affected Software Purchases.” Now “purchase” is a misleading word. Vendors like users to subscribe, so the revenue projections are less fraught. Subscriptions can be tough to terminate, and paying that bill is like a bad habit, easy to fall into, tough to get out of.
The article states:
According to a recent study by Venafi, more than half of executives (55%) with responsibility for both security and software development reported that the SolarWinds hack has had little or no impact on the concerns they consider when purchasing software products for their company. Additionally, 69% say their company has not increased the number of security questions they are asking software providers about the processes used to assure software security and verify code.
This statement translates to status quo-ism.
The Microsoft products are targets because Microsoft’s yummy software is widely used and is like a 1980s Toys-R-Us filled with new Teddy bears, battery powered trucks, and role-model dolls.
What’s the fix for escalating cyber attacks? Different business policies and more rigorous security procedures.
To sum up, a potentially big year for bad actors, some of whom practice their craft from prison with a contraband smartphone. The Fancy Bear types will be dancing and some of the APT kids will be wallowing in endless chocolate cake.
Digitally speaking, of course.
Stephen E Arnold, November 2, 2021
DarkCyber for November 2, 2021: Spies, Secrets, AI, and a Robot Dog with a Gun
November 2, 2021
The DarkCyber for November 2, 2021 is now available at this link. This program includes six cyber “bites”. These are short items about spies who hide secrets in peanut butter sandwiches, a drug lord who required 500 troops and 22 helicopters to arrest, where to get the Pandora Papers, a once classified document about autonomous killing policies, a US government Web site described as invasive, and a report about the National Security Agency’s contributions to computer science.
The feature in the cyber news program is a look at the Allen Institute’s Ask Delphi system. The smart software serves up answers to ethical questions. The outputs are interesting and provide an indication of the issues that bright AI engineers will have to address.
The final story provides information about a robot dog. The digital canine is equipped with a weapon which fires a cartridge the size of a hot dog at the World Series snack shop. That’s interesting information, but the “killer” feature is that the robot is its own master. Watch DarkCyber to learn the trick this machine can perform.
DarkCyber is produced by Stephen E Arnold. The video contains no advertising and the stories are not subsidized. The video is available at www.arnoldit.com/wordpress or at https://youtu.be/Y24vJetf5eY.
Kenny Toth, November 2, 2021
British Cyber Boss Nails Why Ransomware Is a Growth Business
October 29, 2021
I spotted “Ransomware Has Proliferated Because It’s Largely Uncontested, Says GCHQ Boss.” The statement is accurate but the word “uncontested” may have a nuance not hitting the radar of some of the cyber wizards residing in Harrod’s Creek, Kentucky.
“Uncontested” means a bunch of cyber sailboats are floating around with their commanders thinking about a grilled chicken.
The write up says:
we have up until quite recently left a lot of this playing space to those criminal actors in effect to proliferate and to make a lot of money.
Stated in the lingo of Harrod’s Creek, I think the head of the British version of the National Security Agency means coordinated, aggressive action is needed on a consistent, sustained basis.
Will this ideal be achieved? The write up provides one view:
There’s suspicion in the US that Russia turns a blind eye to ransomware gangs operating in its territory. Following the ransomware attack on Colonial Pipeline last year, Biden said he warned Russian President Vladimir Putin that critical infrastructure should be off limits.
Stephen E Arnold, October 29, 2021
SolarWinds: Three Is Allegedly Better Than One
October 29, 2021
Most organizations have one, generally semi-organized development approach. “SolarWinds’ CEO Wants To Give The Hackers Who Attacked It A Headache By Massively Multiplying Code” reports that the poster child for putting malware in a software distribution system has a way to thwart the 1,000 programmers bent on doing bad things to good American software.
And the solution? Forbes, the capitalist tool, reveals:
But arguably the biggest change—and the one that’s most likely to attract the attention of other CEOs and technology leaders—is his [Sudhakar Ramakrishna, the new SolarWinds CEO] decision to create three separate software development pipelines rather than the single one SolarWinds had before.
In bad actor land, one attack surface is okay. Three attack surfaces are, I suppose, more okay. SolarWinds begs to disagree.
The idea is that “hackers now have to break into multiple systems rather than a monolithic development pipeline.”
I did an analysis of the SolarWinds’ misstep for a financial outfit. A couple of members of my research team kept pressing me to emphasize that the breach may have been facilitated by an insider or by someone hired by a front company for a bad actor who had experience working in the SolarWinds’ digital vineyard. I mentioned the possibility and referenced several recruitment sites which say they can provide part-timers with experience in major enterprise software systems.
My question: “If the insider or the part-time wizard is involved, maybe three development pipelines won’t work?” The possibility exists.
Stephen E Arnold, October 29, 2021
Are Threat Detection and Cyber Security Systems Working?
October 26, 2021
I read “Microsoft: Russian SVR Hacked at Least 14 IT Supply Chain Firms Since May.” The write up states:
Microsoft says the Russian-backed Nobelium threat group behind last year’s SolarWinds hack is still targeting the global IT supply chain, with 140 managed service providers (MSPs) and cloud service providers attacked and at least 14 breached since May 2021. This campaign shares all the signs of Nobelium’s approach to compromising a significant list of targets by breaching their service provider.
That’s interesting. At first glance, it seems as if a small number of targets succumbed.
On the other hand, it raises some questions:
- What cyber security and threat detection systems were in use at the 14 outfits breached?
- What caused the failure of the cyber security systems? Human error, lousy cyber security methods, or super crafty bad actors like insiders?
- Is a 10 percent failure rate acceptable? Microsoft seems agitated, but why didn’t Microsoft’s security protect 10 percent of the targets?
Each week I am invited to webinars to learn about advanced security systems. Am I to assume that if I receive 10 invites, one invite will be from an outfit whose technology cannot protect me?
The reports of breaches, the powers of giant software outfits, and the success of most companies in protecting themselves are somewhat cheering.
On the other hand, a known group operating for more than a year is still bedeviling some organizations. Why?
Stephen E Arnold, October 26, 2021
Microsoft and Russia: Who Does What to Whom?
October 26, 2021
Last year’s infamous SolarWinds attack really boosted Russia’s hacking community. That is one take-away from MarketBeat’s write-up, “Microsoft: Russia Behind 58% of Detected State-Backed Hacks.” Writer Frank Bajak shares some details from Microsoft’s second annual Digital Defense Report:
“Russia accounted for most state-sponsored hacking detected by Microsoft over the past year, with a 58% share, mostly targeting government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members, the company said. The devastating effectiveness of the long-undetected SolarWinds hack — it mainly breached information technology businesses including Microsoft — also boosted Russian state-backed hackers’ success rate to 32% in the year ending June 30, compared with 21% in the preceding 12 months. China, meanwhile, accounted for fewer than 1 in 10 of the state-backed hacking attempts Microsoft detected but was successful 44% of the time in breaking into targeted networks, Microsoft said. … Only 4% of all state-backed hacking that Microsoft detected targeted critical infrastructure, the Redmond, Washington-based company said, with Russian agents far less interested in it than Chinese or Iranian cyber-operatives.”
Well, that is something. Ransomware, though, is also up, with the U.S. targeted three times as often as the next nation. Anyone who was affected by the Colonial Pipeline attack may be concerned about our infrastructure despite the lack of state-sponsored interest in sabotaging it. We are told state-backed attackers are mostly interested in intelligence gathering. Bajak cites Microsoft Digital Security Unit’s Cristin Goodwin as he writes:
“Goodwin finds China’s ‘geopolitical goals’ in its recent cyber espionage especially notable, including targeting foreign ministries in Central and South American countries where it is making Belt-and-Road-Initiative infrastructure investments and universities in Taiwan and Hong Kong where resistance to Beijing’s regional ambitions is strong.”
North Korea is another participant covered in the report. That country was in second place as a source of attacks at 23%, though their effectiveness was considerably less impressive—only 6% of their spear-phishing attempts were successful. Bajak closes by reminding us the report can only include attacks Microsoft actually detected. See the write-up or the report itself for more information.
Cynthia Murrell, October 26, 2021
Rogue in Vogue: What Can Happen When Specialized Software Becomes Available
October 25, 2021
I read “New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts.” I have no idea if the story is true or recounted accurately. The main point strikes me that a person or group allegedly used the NSO Group tools to compromise the mobile of a journalist.
The article concludes:
Hubbard was repeatedly subjected to targeted hacking with NSO Group’s Pegasus spyware. The hacking took place after the very public reporting in 2020 by Hubbard and the Citizen Lab that he had been a target. The case starkly illustrates the dissonance between NSO Group’s stated concerns for human rights and oversight, and the reality: it appears that no effective steps were taken by the company to prevent the repeated targeting of a prominent American journalist’s phone.
The write up makes clear one point I have commented upon in the past; that is, making specialized software and systems available without meaningful controls creates opportunities for problematic activity.
When specialized technology is developed using expertise and sometimes money and staff of nation states, making these tools widely available means a loss of control.
As access and knowledge of specialized tool systems and methods diffuses, it becomes easier and easier to use specialized technology for purposes for which the innovations were not intended.
Now bad actors, introductory programming classes in many countries, individuals with agendas different from those of their employer, disgruntled software engineers, and probably a couple of old time programmers with a laptop in an elder care facility can:
- Engage in Crime as a Service
- Use a bot to poison data sources
- Access a target’s mobile device
- Conduct surveillance operations
- Embed obfuscated code in open source software components
If the cited article is not accurate, it provides sufficient information to surface and publicize interesting ideas. If the write up is accurate, the control mechanisms in the countries actively developing and licensing specialized software are not effective in preventing misuse. For cloud services, the controls should be easier to apply.
Is every company, every nation, and every technology savvy individual a rogue? I hope not.
Stephen E Arnold, October 25, 2021
No Click Excitement: Interaction-Less Vulnerabilities in Messaging Apps
October 20, 2021
Google researcher Natalie Silvanovich has made it her mission to investigate one particular type of vulnerability—one that allows attackers to access video and/or audio without the victim so much as clicking a link. Wired discusses her unnerving findings in, “Messaging Apps Have an Eavesdropping Problem.” Writer Lily Hay Newman tells us:
“Silvanovich has spent years studying “interaction-less” vulnerabilities, hacks that don’t require their targets to click a malicious link, download an attachment, enter a password in the wrong place, or participate in any way. Those attacks have taken on increasing significance as targeted mobile surveillance explodes around the world.”
The resolute researcher presented her findings at the recent Black Hat security conference in Las Vegas. Her search turned up bugs in apps domestic and foreign, from Facebook Messenger, Google Duo, and Signal to JioChat and Viettel Mocha. The vulnerabilities she found were eagerly patched by the respective developers once she notified them, but her discoveries reveal a problem more widespread than had been suspected. It seems that some of the vulnerabilities resulted from honest mistakes by developers using the open source communication tool WebRTC. Other times, though, it had to do with how an app connects calls. We learn:
“When someone calls you on an internet-based communication app, the system can start setting up the connection between your devices right away, a process known as ‘establishment,’ so the call can start instantly when you hit accept. Another option is for the app to hang back a bit, wait to see if you accept the call, and then take a couple of seconds to establish the communication channel once it knows your preference. … Most mainstream services take the other route, though, setting up the communication channel and even starting to send data like audio and video streams in advance to offer a near-instantaneous connection should the call’s recipient pick up. Doing that prep work doesn’t inherently introduce vulnerabilities, and it can be done in a privacy-preserving way. But it does create more opportunities for mistakes.”
Concerned users may want to favor Telegram—Silvanovich found that app takes the slower but safer route. Though the snippets hackers can capture with these vulnerabilities may or may not be valuable, many find it worth a try—such attacks are difficult to detect and to trace. Careful design and implementation on the part of app developers are the keys to avoiding such breaches, she tells us.
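The two call-setup strategies described above (opening the media channel as soon as an invite arrives versus waiting for the user to accept) can be modelled as a small state machine. The following is an added example written for this page; it is not code from Silvanovich’s research, from Wired, or from any of the messaging apps named, and the call states, policy names and the “remote connected” signal are constructed assumptions. It goes one step beyond the article by also showing the “privacy-preserving” variant the quote alludes to: the transport is set up early, but local capture is gated on the user’s acceptance, so a peer’s signaling can never cause audio or video to leave the device before the user picks up.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Policy(Enum):
    EAGER = auto()        # open the media channel on invite and trust the peer's "connected"
    EAGER_GATED = auto()  # open the channel on invite, but never send media before accept
    ON_ACCEPT = auto()    # do nothing with media until the local user accepts


class State(Enum):
    RINGING = auto()      # invite received, user has not decided
    ACTIVE = auto()       # transport is up (what that permits depends on the policy)


@dataclass
class IncomingCall:
    """Constructed model of a callee's side of call establishment (not a real app)."""
    policy: Policy
    state: State = State.RINGING
    user_accepted: bool = False
    channel_open: bool = False
    frames_sent_before_accept: int = 0
    frames_dropped_before_accept: int = 0
    frames_sent_after_accept: int = 0
    log: list = field(default_factory=list)

    def on_invite(self):
        if self.policy in (Policy.EAGER, Policy.EAGER_GATED):
            self.channel_open = True
            self.log.append("invite: transport prepared before the user decided")
        else:
            self.log.append("invite: ringing, no media channel yet")

    def on_remote_signal(self, msg):
        # Signaling from the caller. The naive policy treats the peer's
        # "connected" as permission to stream; the others never let a remote
        # message substitute for the local user's acceptance.
        if msg == "connected" and self.channel_open:
            self.state = State.ACTIVE
            self.log.append("remote 'connected': transport active")
        else:
            self.log.append("remote signal ignored: no channel or unknown message")

    def on_user_accept(self):
        self.user_accepted = True
        self.channel_open = True
        self.state = State.ACTIVE
        self.log.append("user accepted: media may flow")

    def capture_tick(self):
        """One captured local audio/video frame; returns what happened to it."""
        if self.state is not State.ACTIVE or not self.channel_open:
            return "no_channel"
        if self.user_accepted:
            self.frames_sent_after_accept += 1
            return "sent"
        if self.policy is Policy.EAGER:
            # The failure mode: media leaves the device on the peer's say-so.
            self.frames_sent_before_accept += 1
            return "sent_before_accept"
        # EAGER_GATED: transport is ready, but capture is held until acceptance.
        self.frames_dropped_before_accept += 1
        return "dropped"


def simulate(policy, accept_at=3, ticks=5):
    """Run a scripted call: invite, peer claims 'connected', then frames tick by."""
    call = IncomingCall(policy)
    call.on_invite()
    call.on_remote_signal("connected")  # peer asserts the call is up before any accept
    for t in range(ticks):
        if t == accept_at:
            call.on_user_accept()
        call.capture_tick()
    return call


if __name__ == "__main__":
    for policy in Policy:
        c = simulate(policy)
        print(f"{policy.name:12} sent-before-accept={c.frames_sent_before_accept} "
              f"dropped-before-accept={c.frames_dropped_before_accept} "
              f"sent-after-accept={c.frames_sent_after_accept}")
```

The invariant worth checking in a real client is the one `capture_tick` enforces: `frames_sent_before_accept` must stay at zero no matter what the remote side signals. The EAGER policy violates it because a remote message alone moves the call into a state where capture is forwarded; the two other policies keep the near-instant connect of early transport setup (EAGER_GATED) or skip it entirely (ON_ACCEPT) while holding local media until the user has actually picked up.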
Cynthia Murrell, October 20, 2021