Microsoft and Its Post Security Posture

October 1, 2021

Windows 11 seems like a half-baked pineapple upside down cake. My mother produced some spectacular versions of baking missteps. There was the SolarWinds’ version which had gaps everywhere, just hot air and holes. Then there was the Exchange Server variant. It exploded and only the hardiest ants would chow down on that disaster.

I thought about her baking adventures when I read “Microsoft Says Azure Users Will Have to Patch these Worrying Security Flaws Themselves.” Betty Crocker took the same approach when my beloved mother nuked a dessert.

Here’s the passage that evoked a Proustian memory:

instead of patching all affected Azure services, Microsoft has put an advisory stating that while it’ll update six of them, seven others must be updated by users themselves.

Let’s hope there’s a Sara Lee cake around to save the day for those who botch the remediation or just skip doing the baking thing.

Half baked? Yeah, and terrible.

Stephen E Arnold, October 1, 2021

India: Offensive Cyber Activity or a Swipe at Specialized Software and Threat Intelligence

September 29, 2021

I read “Exclusive: An American Company Fears Its Windows Hacks Helped India Spy On China And Pakistan.” The write up reports:

A U.S. company’s tech was abused by the Indian government, amidst warnings Americans are contributing to a spyware industry already under fire for being out of control.

The write up’s emphasis is on an intriguing point; to wit:

Sometimes American companies aren’t the victims, but the ones fueling costly digital espionage.

The named firm is Exodus. Forbes presents this factoid, which I assume is “true”:

“They’re significant because the size of the market is relatively small, and the skill set required [to find zero days] is in possession of just a few thousand people worldwide at any given time,” says Katie Moussouris, founder of Luta Security and creator of Microsoft’s bug bounty program to reward hackers for vulnerability disclosures.

Okay, the market is small. And the expert? From another low profile outfit called Luta. But the story is not straightforward.

Exodus pumped out a report of an exploit. India’s technology professionals (presumably among the few thousand in the world) recognized the value of the information. Then they hunted around for another vulnerability their cyber fighters could employ.

The Forbes report says:

Any such zero-day spill would be especially concerning coming from a company that tries to keep a lid on around 50 zero days a year, covering the world’s most popular operating systems, from Windows to Android to Apple’s iOS. And Brown isn’t alone in seeing his creation used in ways he didn’t intend.

Exodus cut off India from its threat information. The write up concludes:

With the supply there, American government is hungry for hacks of all kinds of technologies.

Several observations:

  • How many companies pump out threat intelligence? Are there other examples of “customers” using threat intelligence to develop cyber weapons?
  • Why is Microsoft opining about security; specifically, NSO Group? The reasons exploits exist may be in part due to the security posture of Microsoft itself. No, Windows 11 did not distract me from noticing the Redmond giant’s magnetism for bad actors.
  • What’s the agenda for this story? A lack of regulation? The behavior of the many, many outfits engaged in generating alerts, notices of exploitable flaws, or the damage done by leaking once secret specialized software into the public spotlight?

The capitalist tool suggesting capitalism does not work as desired. Remarkable.

Stephen E Arnold, September 29, 2021

Elastic: Differentiation and Wagon Circling

September 22, 2021

Elastic expects two recent acquisitions to beef up its security in the cloud. Betakit reports, “Cybersecurity Startup Cmd to Be Acquired by Enterprise Search Firm Elastic.” This deal is on the heels of the company’s announcement that it snapped up authorization policy management platform build.security. Writer Josh Scott tells us:

“Cmd was founded in 2016 by CSO Jake King, former security operations lead at Hootsuite, and Milun Tesovic, general partner at Expa. The startup offers a runtime security platform for cloud workloads and Linux assets, providing infrastructure detection and response capabilities to global brands, financial institutions, and software companies. Cmd’s offering observes real-time session activity and allows Linux administrators and developers to take immediate remediation action. … Following the close of the deal, Elastic plans to work with Cmd to integrate Cmd’s cloud native data collection capabilities directly into the company’s Elastic Agent product, and Cmd’s user experience and workflows into Kibana, Elastic’s data visualization offering.”

Citing an article from TechCrunch, Scott notes that Cmd’s employees will be moving to Elastic, with King and CEO Santosh Krishnan slipping into executive roles. Elastic says current customers of both firms will benefit from the integration and specifically promises its existing clients will soon receive Cmd’s cloud security capabilities. Built around open source software, Elastic began as Elasticsearch Inc. in 2012, simplified its name in 2015, and went public in 2018. The company is based in Mountain View, California, and maintains offices around the world.

Cynthia Murrell, September 22, 2021

Triggering the Turtle Response: A Cyber Security Misstep?

September 15, 2021

One noble idea is to ask each and every organization to report a cyber attack and data breach. How are noble ideas like this greeted by commercial organizations or government bureaucrats with one eye on SES and one on retirement on a full pension? My hunch is that certain noble ideas are going to be ignored, sidestepped, or bulldozed under legal briefs.

I read “Exclusive: Wide-Ranging SolarWinds Probe Sparks Fear in Corporate America.” The trustworthy outfit Thomson Reuters says:

The SEC is asking companies to turn over records into “any other” data breach or ransomware attack since October 2019 if they downloaded a bugged network-management software update from SolarWinds Corp, which delivers products used across corporate America, according to details of the letters shared with Reuters. People familiar with the inquiry say the requests may reveal numerous unreported cyber incidents unrelated to the Russian espionage campaign, giving the SEC a rare level of insight into previously unknown incidents that the companies likely never intended to disclose.

Many organizations bite the bullet and keep cyber breach info under wraps. Examples include outfits dealing with financial transactions and juicy pharma companies, among others.

What’s going to happen? Investigators will find interesting information to explore and, in the manner of investigators, piece together.

What’s one method of dealing with this intriguing government request? The turtle response. Pull one’s head into a shell and hope the legal eagles can make it safe to return to pre-SolarWinds practices.

Stephen E Arnold, September 15, 2021

T-Mobile Security: A Quote to Note

September 1, 2021

“T-Mobile Hacker Found Weakness” is a summary of the all-too-familiar story of a big company, indifference, security hand waving, and an alleged breach of alleged customers. Please, read the original “real” news story. No payee; no viewee, however. I want to highlight what I think is the most important direct quote in the write up; to wit:

Their security is awful.

That’s pretty juicy.

Wait, please. One more gem is tucked into the write up. Here’s that statement:

On August 13, the security research firm Unit221B LLC reported to T-Mobile that an account was attempting to sell T-Mobile customer data, according to the security firm.

What this statement, if accurate, suggests is that the hundreds of high end, proactive threat detection systems did not spot this breach and offer of customer data.

One firm did. And what about other cyber security experts?

My hunch is that if the statements in the article are on the money, it may be time to entertain this question: Why don’t high end cyber security systems work?

Stephen E Arnold, September 1, 2021

Tips for Phishers

August 31, 2021

I spotted “AI Analysis Unveils the Most Effective Email Subject Lines for the Holidays.” My hunch is that “real” news professionals wanted to provide helpful tips to those who engage in email marketing. The write up includes “tips” from professional email marketers. Here’s one example:

email subject lines that are direct or evoke curiosity or friendliness are the most likely to get opened

Gee, I wonder what other group of email marketers might benefit from such advice?

What about phishers? These are the bad actors who seek to compromise a user’s or an organization’s security via malicious email. With some cyber security solutions relying on rules, database lookup, or the human recipient for blocking phishing attempts, the write up is likely to be quite useful. Just in time for the holidays: AI-derived tips for getting someone to open an email. Super thinking!

What bad actor can resist taking this advice?

Including empathy in your messages for your customers helps you make them feel that you are on their side.

Helpful, right?

Stephen E Arnold, August 31, 2021

Palantir: A Blinded Seeing Stone?

August 27, 2021

I try to keep pace with the innovations in intelware. That’s my term for specialized software designed to provide the actionable information required by intel professionals, law enforcement, and one or two attorneys who have moved past thumbtyping.

I am not sure if the article “FBI Palantir Glitch Allowed Unauthorized Access to Private Data” is on the money. The “real news” story asserted:

A computer glitch in a secretive software program used by the FBI allowed some unauthorized employees to access private data for more than a year, prosecutors revealed in a new court filing. The screw-up in the Palantir program — a software created by a sprawling data analytics company co-founded by billionaire Peter Thiel — was detailed in a letter by prosecutors in the Manhattan federal court case against accused hacker Virgil Griffith.

Please, read the source document. Also, my personal view is that such an access lapse is not good, but if the story is accurate, I am less concerned: other FBI officials having had access to content in Gotham, or whatever the system is branded these days, is less problematic than oligarchs snooping or a Xi Jinping linked tong IT wonk poking around FBI only data.

My thoughts went in a different direction, and I want to capture them. Keep in mind, I don’t know if the access revelation is “true.” Nevertheless, here’s what I jotted down whilst sitting in a lecture about a smart bung for booze lovers:

  1. Was the access issue related to Microsoft Windows or to the AWS-type services on which some Palantir installations depend? Microsoft is another “here we go again” question, but the AWS question puts the Bezos bulldozer squarely in the security breach spotlight.
  2. How many days, weeks, or months was the access control out of bounds? An hour is one thing; the answer “We don’t have a clue” is another.
  3. If — note the if, please — the access issue is due to a Palantir specific feature or function, is there a current security audit of LE, military, and intel related installations of the “seeing stone” itself? If the answer is “yes”, why was this access issue missed? Who did the audit? Who vetted the auditor? If the answer is “no,” what are the consequences for the other software vendors and IT professionals in the “fault chain”?

The article points out that a royal “we” is troubled. That’s nice. But let’s focus on more pointed questions and deal with what might be a digital Humpty Dumpty. Just my opinion from the underground bunker in rural Kentucky.

Stephen E Arnold, August 27, 2021

Big Tech Vows, Warrants, Commits, Guarantees, and Assures to Make Security Way Way Way Better

August 26, 2021

I had to laugh. I read some of the write ups explaining the pledges of big tech to the White House about security. The US is at or near the bottom when it comes to security. America plays offense. The defense thing is not what George Washington would do.

Here’s a representative write up: “Google, Microsoft Plan to Spend Billions on Cybersecurity after Meeting with Biden.” This triggered a chuckle and a snort:

IBM CEO Arvind Krishna told CNBC ahead of the meeting and outside the White House on Wednesday that cybersecurity is “the issue of the decade.” He said he hoped to see more coordination between the public and private sectors coming out of the meeting and said IBM would do its part to help skill workers in the space.

Why are adversaries of the US running exfiltration, ransomware, and intellectual property theft operations?

Let me count the ways:

  1. Systems from outfits like Apple and Microsoft can be compromised because security is an add on, an afterthought, or a function implemented to protect revenues
  2. Senior managers in many US firms are clueless about security and assume that our employees won’t create problems by selling access, clicking on scammer emails, or working from home on projects funded by bad actors
  3. Customers pay little or no attention to security, often ignoring or working around security safeguards when they exist. Hey, security distracts those folks from scrolling through Facebook or clicking on TikTok videos.

There are other reasons as well; for example, how about the steady flow of one-off security gaps discovered by independent researchers? Where are the high end threat intelligence services? If a single person can find a big, gaping security hole, why are the hundreds of smart cyber security systems NOT finding this type of flaw? Oh, right. Well, gee. A zero day by 1,000 evil techies in China or Moldova is the answer. Sorry, not a good answer.

There is a cyber security crisis in America. Yes, Windows may be the giant piece of cheese for the digital rats. Why hack US systems? That’s where there is lots of tasty cheese.

Is this something billions “invested” over five years can fix?

Nope.

Pipe dreams, empty words, and sheepish acquiescence to a fact that bad actors around the world find enervating.

More stringent action is needed from this day. That’s not happening in my opinion. Who created the cyber security problem? Oh, right, the outfits promising not to do it again. Quick action after decades of hand waving. And government regulations, certification, and verification that cyber security systems actually work? Wow, that’s real work. Let’s have a meeting to discuss a statement of work and get some trusted consulting firm on this pronto.

I have tears in my eyes and not from laughing. Nothing funny here.

Stephen E Arnold, August 26, 2021

Fancy Code? Nope, Just Being Nice to Apple Customer Care

August 25, 2021

I continue to be fascinated by the number of cyber security companies reporting new exploits. If an exploit is a hot ticket, should not multiple cyber security threat identification services report a breach? Maybe, but the reality is that some expensive and often exotic smart software fumbles the ball.

How do bad actors gain access to what these individuals perceive as high value targets? It is not a team of hackers sponsored by a rogue state or a tech-literate oligarch. The crime often is the anti-security action of a single individual.

Lone wolves being nice is a technique not captured by artificially intelligent, over-hyped platforms. “La Puente Man Steals 620,000 iCloud Photos in Plot to Find Images of Nude Women” may be an example of the methods which can penetrate the security of outfits which tout their concerns about privacy and take pains to publicize how secure their online systems, services, and products are.

The allegedly accurate write up states:

Chi, who goes by David, admitted that he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords, according to court records. He gained unauthorized access to photos and videos of at least 306 victims across the nation, most of them young women, he acknowledged in his plea agreement with federal prosecutors in Tampa, Fla.

The “real” news report added some color to this action:

Chi said he hacked into the accounts of about 200 of the victims at the request of people he met online. Using the moniker “icloudripper4you,” Chi marketed himself as capable of breaking into iCloud accounts to steal photos and videos, he admitted in court papers. Chi acknowledged in court papers that he and his unnamed co-conspirators used a foreign encrypted email service to communicate with each other anonymously. When they came across nude photos and videos stored in victims’ iCloud accounts, they called them “wins,” which they collected and shared with one another.

What’s happening in this example?

  • Social engineering
  • Pretending to be a concerned professional at a big company
  • A distributed group of anti-security types who don’t know one another too well
  • Victims.

Net net: Fancy security systems are indeed fancy. The security part is different from what bad actors are doing. That’s a bit of a problem for outfits like Microsoft and T-Mobile, among others.

Stephen E Arnold, August 25, 2021

CISA Head Embraces Cooperation with Public-Private Task Force

August 20, 2021

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly is wielding the power of cooperation in the fight against ransomware and other threats. Her agency will work with both other security agencies and big tech companies. This novel approach might just work. The article “Black Hat: New CISA Head Woos Crowd With Public-Private Task Force” at Threatpost reports on Easterly’s keynote presentation at this year’s Black Hat USA conference.

The partnership is logically named the Joint Cyber Defense Collaborative (JCDC) and had 20 corporate partners signed up by the end of July. Amazon, AT&T, Google Cloud, Microsoft, Verizon, and FireEye Mandiant are some of the biggest names participating. (Is FireEye, perhaps, trying to redeem itself?) Easterly also plans to work with other federal agencies like the DoD, NSA, and FBI to make sure their efforts align. We are told ransomware will be the team’s first priority. Writer Tom Spring reveals a bit about the new director:

“Easterly is a former NSA deputy for counterterrorism and has a long history within the U.S. intelligence community. She served for more than 20 years in the Army, where she is credited for creating the armed service’s first cyber battalion. More recently she worked at Morgan Stanley as global head of the company’s cybersecurity division. Easterly replaced CISA acting director Brandon Wales after the agency’s founder and former director Christopher Krebs was fired by former President Trump in 2020.”

But will the cybersecurity veteran be able to win over her corporate colleagues? The article notes one point in her favor:

“During a question-and-answer session, the CISA director scored points with the audience by stating that she supported strong encryption. ‘I realized that there are other points of view across the government, but I think strong encryption is absolutely fundamental for us to be able to do what we need to do,’ she said. … While acknowledging distrust within some segments of the cybersecurity community, Easterly urged the audience of security professionals to trust people first. ‘We know some people never want to trust an organization,’ she said. ‘In reality we trust people – you trust people. … When you work closely together with someone to solve problems, you can begin to create that trust.’”

Will the JCDC members and CISA’s fellow agencies be able to trust one another enough to make the partnership a success? We certainly hope so, because effective solutions are sorely needed.

Cynthia Murrell, August 20, 2021
