Are Threat Detection and Cyber Security Systems Working?

October 26, 2021

I read “Microsoft: Russian SVR Hacked at Least 14 IT Supply Chain Firms Since May.” The write up states:

Microsoft says the Russian-backed Nobelium threat group behind last year’s SolarWinds hack is still targeting the global IT supply chain, with 140 managed service providers (MSPs) and cloud service providers attacked and at least 14 breached since May 2021. This campaign shares all the signs of Nobelium’s approach to compromising a significant list of targets by breaching their service provider.

That’s interesting. At first glance, it seems as if a small number of targets succumbed.

On the other hand, it raises some questions:

  1. What cyber security and threat detection systems were in use at the 14 outfits breached?
  2. What caused the failure of the cyber security systems? Human error, lousy cyber security methods, or super crafty bad actors like insiders?
  3. Is a 10 percent failure rate acceptable? Microsoft seems agitated, but why didn’t Microsoft’s security protect 10 percent of the targets?

Each week I am invited to webinars to learn about advanced security systems. Am I to assume that if I receive 10 invites, one invite will be from an outfit whose technology cannot protect me?

The reports of breaches, the powers of giant software outfits, and the success of most companies in protecting themselves are somewhat cheering.

On the other hand, a known group operating for more than a year is still bedeviling some organizations. Why?

Stephen E Arnold, October 26, 2021

Microsoft and Russia: Who Does What to Whom?

October 26, 2021

Last year’s infamous SolarWinds attack really boosted Russia’s hacking community. That is one take-away from MarketBeat’s write-up, “Microsoft: Russia Behind 58% of Detected State-Backed Hacks.” Writer Frank Bajak shares some details from Microsoft’s second annual Digital Defense Report:

“Russia accounted for most state-sponsored hacking detected by Microsoft over the past year, with a 58% share, mostly targeting government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members, the company said. The devastating effectiveness of the long-undetected SolarWinds hack — it mainly breached information technology businesses including Microsoft — also boosted Russian state-backed hackers’ success rate to 32% in the year ending June 30, compared with 21% in the preceding 12 months. China, meanwhile, accounted for fewer than 1 in 10 of the state-backed hacking attempts Microsoft detected but was successful 44% of the time in breaking into targeted networks, Microsoft said. … Only 4% of all state-backed hacking that Microsoft detected targeted critical infrastructure, the Redmond, Washington-based company said, with Russian agents far less interested in it than Chinese or Iranian cyber-operatives.”

Well, that is something. Ransomware, though, is also up, with the U.S. targeted three times as often as the next nation. Anyone who was affected by the Colonial Pipeline attack may be concerned about our infrastructure despite the lack of state-sponsored interest in sabotaging it. We are told state-backed attackers are mostly interested in intelligence gathering. Bajak cites Microsoft Digital Security Unit’s Cristin Goodwin as he writes:

“Goodwin finds China’s ‘geopolitical goals’ in its recent cyber espionage especially notable, including targeting foreign ministries in Central and South American countries where it is making Belt-and-Road-Initiative infrastructure investments and universities in Taiwan and Hong Kong where resistance to Beijing’s regional ambitions is strong.”

North Korea is another participant covered in the report. That country was in second place as a source of attacks at 23%, though their effectiveness was considerably less impressive—only 6% of their spear-phishing attempts were successful. Bajak closes by reminding us the report can only include attacks Microsoft actually detected. See the write-up or the report itself for more information.

Cynthia Murrell, October 26, 2021

Rogue in Vogue: What Can Happen When Specialized Software Becomes Available

October 25, 2021

I read “New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts.” I have no idea if the story is true or recounted accurately. The main point strikes me that a person or group allegedly used the NSO Group tools to compromise the mobile phone of a journalist.

The article concludes:

Hubbard was repeatedly subjected to targeted hacking with NSO Group’s Pegasus spyware. The hacking took place after the very public reporting in 2020 by Hubbard and the Citizen Lab that he had been a target. The case starkly illustrates the dissonance between NSO Group’s stated concerns for human rights and oversight, and the reality: it appears that no effective steps were taken by the company to prevent the repeated targeting of a prominent American journalist’s phone.

The write up makes clear one point I have commented upon in the past; that is, making specialized software and systems available without meaningful controls creates opportunities for problematic activity.

When specialized technology is developed using expertise and sometimes money and staff of nation states, making these tools widely available means a loss of control.

As access and knowledge of specialized tool systems and methods diffuses, it becomes easier and easier to use specialized technology for purposes for which the innovations were not intended.

Now bad actors, introductory programming classes in many countries, individuals with agendas different from those of their employer, disgruntled software engineers, and probably a couple of old time programmers with a laptop in an elder care facility can:

  • Engage in Crime as a Service
  • Use a bot to poison data sources
  • Access a target’s mobile device
  • Conduct surveillance operations
  • Embed obfuscated code in open source software components.

If the cited article is not accurate, it provides sufficient information to surface and publicize interesting ideas. If the write up is accurate, the control mechanisms in the countries actively developing and licensing specialized software are not effective in preventing misuse. For cloud services, the controls should be easier to apply.

Is every company, every nation, and every technology savvy individual a rogue? I hope not.

Stephen E Arnold, October 25, 2021

No Click Excitement: Interaction-Less Vulnerabilities in Messaging Apps

October 20, 2021

Google researcher Natalie Silvanovich has made it her mission to investigate one particular type of vulnerability—one that allows attackers to access video and/or audio without the victim so much as clicking a link. Wired discusses her unnerving findings in, “Messaging Apps Have an Eavesdropping Problem.” Writer Lily Hay Newman tells us:

“Silvanovich has spent years studying “interaction-less” vulnerabilities, hacks that don’t require their targets to click a malicious link, download an attachment, enter a password in the wrong place, or participate in any way. Those attacks have taken on increasing significance as targeted mobile surveillance explodes around the world.”

The resolute researcher presented her findings at the recent Black Hat security conference in Las Vegas. Her search turned up bugs in apps domestic and foreign, from Facebook Messenger, Google Duo, and Signal to JioChat and Viettel Mocha. The vulnerabilities she found were eagerly patched by the respective developers once she notified them, but her discoveries reveal a problem more widespread than had been suspected. It seems that some of the vulnerabilities resulted from honest mistakes by developers using the open source communication tool WebRTC. Other times, though, it had to do with how an app connects calls. We learn:

“When someone calls you on an internet-based communication app, the system can start setting up the connection between your devices right away, a process known as ‘establishment,’ so the call can start instantly when you hit accept. Another option is for the app to hang back a bit, wait to see if you accept the call, and then take a couple of seconds to establish the communication channel once it knows your preference. … Most mainstream services take the other route, though, setting up the communication channel and even starting to send data like audio and video streams in advance to offer a near-instantaneous connection should the call’s recipient pick up. Doing that prep work doesn’t inherently introduce vulnerabilities, and it can be done in a privacy-preserving way. But it does create more opportunities for mistakes.”

Concerned users may want to favor Telegram—Silvanovich found that app takes the slower but safer route. Though the snippets hackers can capture with these vulnerabilities may or may not be valuable, many find it worth a try—such attacks are difficult to detect and to trace. Careful design and implementation on the part of app developers are the keys to avoiding such breaches, she tells us.
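The design choice described above (bringing the media path up on the incoming offer versus only after the user answers) is easy to see in a toy state machine. The following is an added example written for this page; it is not code from Signal, Duo, WebRTC or any app Silvanovich examined, and the message types, the “local_ui” source tag and the frame counts are constructed assumptions. It also models the related failure mode where a callee lets a message from the remote peer move the call into the answered state:

```python
"""Added example: eager vs gated call establishment in a callee.

Constructed toy model, not code from any messaging app. Message types,
the 'local_ui'/'network' source tags and frame counts are assumptions.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Frame:
    kind: str   # "audio" or "video"
    seq: int


@dataclass
class RemotePeer:
    """Whatever the callee transmits lands here (the caller's, or attacker's, side)."""
    received: List[Frame] = field(default_factory=list)


class Callee:
    """Callee signalling state machine with two policy knobs.

    eager=True: bring the media transport up as soon as the offer arrives so
    the call connects instantly on accept (the common fast-connect design).
    eager=False: bring the transport up only after the local user accepts.
    trust_remote_accept=True: treat an 'accept' message received from the
    network as if the local user had answered (a state-confusion bug).
    """

    def __init__(self, peer: RemotePeer, eager: bool, trust_remote_accept: bool = False):
        self.peer = peer
        self.eager = eager
        self.trust_remote_accept = trust_remote_accept
        self.state = "idle"
        self.transport_up = False

    def on_signal(self, msg: dict, source: str) -> None:
        """source is 'network' for peer messages, 'local_ui' for user taps."""
        kind = msg["type"]
        if kind == "offer" and self.state == "idle":
            self.state = "ringing"
            if self.eager:
                self.transport_up = True   # media path is live before anyone answers
        elif kind == "accept" and self.state == "ringing":
            # Only the local user may answer; a peer cannot answer on our behalf.
            if source == "local_ui" or self.trust_remote_accept:
                self.state = "connected"
                self.transport_up = True
        elif kind == "hangup":
            self.state = "idle"
            self.transport_up = False

    def on_capture(self, frame: Frame) -> None:
        """Called by the capture pipeline for every mic/camera frame."""
        if self.transport_up:
            self.peer.received.append(frame)


def simulate(eager: bool, trust_remote_accept: bool,
             spoof_accept: bool, local_accept: bool = False) -> int:
    """Caller places a call; optionally spoofs an 'accept' from the network;
    the phone rings while the mic captures five frames. Returns how many
    frames reached the caller's side."""
    caller = RemotePeer()
    victim = Callee(caller, eager=eager, trust_remote_accept=trust_remote_accept)
    victim.on_signal({"type": "offer", "sdp": "constructed-offer"}, source="network")
    if spoof_accept:
        victim.on_signal({"type": "accept"}, source="network")
    if local_accept:
        victim.on_signal({"type": "accept"}, source="local_ui")
    for seq in range(5):               # device is ringing; capture keeps running
        victim.on_capture(Frame("audio", seq))
    victim.on_signal({"type": "hangup"}, source="network")
    return len(caller.received)


if __name__ == "__main__":
    print("eager, never answered:", simulate(True, False, False))          # 5 leaked
    print("gated, never answered:", simulate(False, False, False))         # 0
    print("gated, spoofed accept:", simulate(False, False, True))          # 0
    print("gated but trusts peer accept, spoofed:", simulate(False, True, True))  # 5
    print("gated, user answered:", simulate(False, False, False, True))    # 5
```

The eager callee leaks every captured frame while the phone is still ringing, which is exactly the window an interaction-less bug exploits; the gated callee sends nothing until the user taps accept, and stays safe even when the peer sends a forged accept, because the answered transition is only honoured when its source is the local UI.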

Cynthia Murrell October 20, 2021

Digital Shadows Announces Social Monitor

October 19, 2021

Deep fakes? They are here and Digital Shadows has a service for those who live in fear of digital manipulation.

Bad actors often pose as corporations’ executives and other key personnel on social media. Sometimes the goal is to damage the target’s reputation, but more often it is to enact a phishing scheme. Either way, companies must put a stop to these efforts as soon as possible. We learn there is a new tool for that from, “Digital Shadows Launches SocialMonitor—a Key Defense Against Executive Impersonation on Social Media” posted at PR Newswire. The press release tells us:

“All social media platforms will take down fake accounts once alerted but keeping on top of the constant creation of fake profiles is a challenge. SocialMonitor overcomes these challenges by adding targeted human collection to SearchLight’s existing broad automated coverage. Digital Shadows customers simply need to register key staff members within the SearchLight portal. Thereafter, users will receive ‘Impersonating Employee Profile’ alerts which will be pre-vetted by its analyst team. This ensures that organizations only receive relevant notifications of concern. Russell Bentley at Digital Shadows comments: ‘Fake profiles on social media are rife and frequently used to spread disinformation or redirect users to scams or malware. Social media providers have taken steps such as providing a verified profile checkmark and removing fake accounts. However, there is often too long a window of opportunity before action can be taken. SocialMonitor provides organizations with a proactive defense so that offending profiles can be taken down quickly, protecting their customers and corporate reputation.’”

Note this is yet another consumer-facing app from Digital Shadows, the firm that appears to be leading the Dark Web indexing field. Curious readers can click here to learn more about SocialMonitor. Digital Shadows offers a suite of products to protect its clients from assorted cyber threats. Based in San Francisco, the company was founded in 2011.

Cynthia Murrell October 19, 2021

DarkCyber for October 19, 2021: DDoS Takedown, More NSO Group PR, VPN Shift, and Autonomous Kills

October 19, 2021

DarkCyber reports about cyber security, online services, and smart software. You can view this program at this url.

This edition of the program includes four stories:

  1. The US Department of Justice seized 15 Internet domains used for DDoS-for-hire services. These offered crime as a service and allowed customers to launch DDoS attacks with minimal technical expertise.
  2. The NSO Group captured headlines again. Revelations in a British legal proceeding resulted in the Israeli specialized services firm firing one of its Middle Eastern clients.
  3. Roll ups are popular among some financial experts. Aggregation means less competition and greater market reach. Consolidation is underway in the virtual private network sector. Will Kape Technologies’ acquisition of Private Internet Access and ExpressVPN produce benefits for customers?
  4. The final story explores the most innovative facet of Israel’s alleged autonomous termination of a nuclear scientist. The smart software is just part of the story.

DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search.

Kenny Toth, October 19, 2021

Office 365: A Petri Dish for Malware?

October 18, 2021

Microsoft has a PR problem? Microsoft may have other issues as well, but “Infosec Expert Beaumont Slams Microsoft Over Hosting Malware for Years” seems like a semi-negative write up. Is the situation as dire as the article suggests? I don’t know, but it seems as if it is not what you would call:

  1. A ringing endorsement for Microsoft security
  2. An illustration of Microsoft’s approach to Office 365

The write up asserts:

An overwhelming majority of ransomware attacks only Windows, with an analysis by staff of the Google-owned VirusTotal database last Thursday showing that 95% of 80 million samples analysed — all the way back to January 2020 — were aimed at Windows.

How has Microsoft responded? The write up quotes infosec expert Beaumont as saying:

Before the train of MS employees arrive saying ‘just report it’, try getting them and future ones taken down yourselves. I did. It was a disaster.

The write up, which is a mish mash of quotes and tweets, contains a number of interesting allegedly true factoids.

True? Maybe. Not-so-great PR for the company that follows China’s content guidelines? Sure seems like it.

Stephen E Arnold, October 18, 2021

Human Editors and Subject Matter Experts? Dinosaurs but Just from a Previous Era

October 15, 2021

I read “Bugs in our Pockets: The Risks of Client-Side Scanning.” The embargo is amusing, and it underscores the issues related to confidential information and the notion of information wants to be free. Amusing, maybe not?

The write up looks a bit like a paper destined for a pay-to-play publisher or an outfit which cultivates a cabal-like approach to publishing. (Hello, ACM?) The paper lists 14 authors, and I suppose the idea is to convey consensus or a lead author who wishes to keep his or her head below the concrete bunker in order to avoid direct hits from those who don’t agree with the write up.

I neither agree nor disagree. I interpreted the write up as:

  • A clever bit of SEO, particularly the embargo and the availability of the paper to certain saucy online information services
  • A way to present some entities, although with the titles and email contacts favored by some link hunters
  • A technical bit of push back for assorted government mumbling about privacy, security, and another assault on personal freedoms.

Yep, the sky is falling.

Please, read the paper. One business executive allegedly said, “There is no return to normal. Today’s environment is the new normal.”

Is it possible this paper triggers Apple TV or YouTube to cue the 1973 hit “The Way We Were”?

Stephen E Arnold, October 15, 2021

Data Confidence: The Check Is in the Mail

October 15, 2021

Why are we not surprised? SeattlePI reports, “Americans Have Little Trust in Online Security: AP-NORC Poll.” Writer Matt O’Brien reveals:

“The poll by The Associated Press-NORC Center for Public Affairs Research and MeriTalk shows that 64% of Americans say their social media activity is not very or not at all secure. About as many have the same security doubts about online information revealing their physical location. Half of Americans believe their private text conversations lack security. And they’re not just concerned. They want something done about it. Nearly three-quarters of Americans say they support establishing national standards for how companies can collect, process and share personal data.”

Few have any hope such standards will be enacted by federal officials, however. Even after years filled with private sector hacks and scandals, we’re told 56% of respondents would trust corporations to safeguard their data before they would the government. The write-up continues:

“About 71% of Americans believe that individuals’ data privacy should be treated as a national security issue, with a similar level of support among Democrats and Republicans. But only 23% are very or somewhat satisfied in the federal government’s current efforts to protect Americans’ privacy and secure their personal data online. ‘This is not a partisan issue,’ said Colorado state Rep. Terri Carver, a Republican who co-sponsored a consumer data privacy bill signed into law by Democratic Gov. Jared Polis in July. It takes effect in 2023.”

The law gives users in Colorado the right to access and delete personal information online, echoing similar legislation in Virginia and California. Predictably, Facebook and other tech companies opposed the bill.

Cynthia Murrell, October 15, 2021

Another Reason for Windows 11?

October 13, 2021

The team at Beyond Search talked yesterday about Windows 11. One individual installed the system on one of our test-only machines and reported, “Not too exciting.” Another dismissed Windows 11 as a distraction from the still-lingering SolarWinds and Exchange Server security face plants. I took a look and said, “Run some tests to see what it does to the performance of our AMD 5950X machines.”

Then I turned my attention to more interesting things. This morning my trusty Overflight system spit out this headline: “Microsoft: Here’s Why We Shrunk Windows 11 Update Sizes by 40%.” I noted this statement in the article:

…It was necessary to reduce the size of them, which in the past have been almost 5 GB in size.   In a word, it’s about bandwidth, which millions of households in the US have a shortage of due to poor broadband in remote areas.

Maybe cost is a factor?

My hunch is that Microsoft has many employees who have opinions about the shift from the last Windows to a last-plus-n Windows.

Several observations from our underground computer lab in rural Kentucky:

  1. Updates create problems for Microsoft; for example, security issues lurk and actors world wide are enthusiastic about exploring “new” code from Microsoft. Vulnerabilities R’Us it seems.
  2. Implementing procedures which produce stable code is more expensive than figuring out how to reduce code bloat in updates. Hence the pitch touted in the write up cited above.
  3. Microsoft has shifted from 10,000 sail boats going in the same general direction to 20,000 motor boats going someplace. Evidence? The changing explanation for the existence of Windows 11.

Net net: Big and changing operating system may add vulnerabilities, not just rounded corners and a distraction from deeper issues.

Stephen E Arnold, October 13, 2021
