Palantir: A Blinded Seeing Stone?

August 27, 2021

I try to keep pace with the innovations in intelware. That’s my term for specialized software designed to provide the actionable information required by intel professionals, law enforcement, and one or two attorneys who have moved past thumbtyping.

I am not sure if the article “FBI Palantir Glitch Allowed Unauthorized Access to Private Data” is on the money. The “real news” story asserted:

A computer glitch in a secretive software program used by the FBI allowed some unauthorized employees to access private data for more than a year, prosecutors revealed in a new court filing. The screw-up in the Palantir program — a software created by a sprawling data analytics company co-founded by billionaire Peter Thiel — was detailed in a letter by prosecutors in the Manhattan federal court case against accused hacker Virgil Griffith.

Please, read the source document. Also, my personal view is that such an access lapse is not good, but if the story is accurate, I am less concerned that other FBI officials may have had access to content in Gotham or whatever the system is branded these days is less problematic than oligarchs snooping or a Xi Jinping linked tong IT wonk poking around FBI only data.

My thoughts went in a different direction, and I want to capture them. Keep in mind, I don’t know if the access revelation is “true.” Nevertheless, here’s what I jotted down whilst sitting in a lecture about a smart bung for booze lovers:

  1. Was the access issue related to Microsoft Windows or to the AWS-type services on which some Palantir installations depend? Microsoft is another “here we go again” question, but the AWS question puts the Bezos bulldozer squarely in the security breach spotlight.
  2. How many days, weeks, or months was the access control out of bounds? An hour is one thing; the answer “We don’t have a clue” is another.
  3. If — note the if, please — the access issue is due to a Palantir specific feature or function, is there a current security audit of LE, military, and intel  related installations of the “seeing stone” itself? If the answer is “yes”, why was this access issue missed? Who did the audit? Who vetted the auditor? If the answer is “no,” what are the consequences for the other software vendors and IT professionals in the “fault chain”?

The article points out that a royal “we” is troubled. That’s nice. But let’s focus on more pointed questions and deal with what might be a digital Humpty Dumpty. Just my opinion from the underground bunker in rural Kentucky.

Stephen E Arnold, August 27, 2021

Big Tech Vows, Warrants, Commits, Guarantees, and Assures to Make Security Way Way Way Better

August 26, 2021

I had to laugh. I read some of the write ups explaining the pledges of big tech to the White House about security. The US is at or near the bottom when it comes to security. America plays offense. The defense thing is not what George Washington would do.

Here’s a representative write up: “Google, Microsoft Plan to Spend Billions on Cybersecurity after Meeting with Biden.” This triggered a chuckle and a snort:

IBM CEO Arvind Krishna told CNBC ahead of the meeting and outside the White House on Wednesday that cybersecurity is “the issue of the decade.” He said he hoped to see more coordination between the public and private sectors coming out of the meeting and said IBM would do its part to help skill workers in the space.

Why are adversaries of the US running exfiltration, ransomware, and intellectual property theft operations?

Let me count the ways:

  1. Systems from outfits like Apple and Microsoft can be compromised because security is an add on, an afterthought, or a function implemented to protect revenues
  2. Senior managers in many US firms are clueless about security and assume that our employees won’t create problems by selling access, clicking on scammer emails, or working from home on projects funded by bad actors
  3. Customers pay little or no attention to security, often ignoring or working around security safeguards when they exist. Hey, security distracts those folks from scrolling through Facebook or clicking on TikTok videos.

There are other reasons as well; for example, how about the steady flow of one off security gaps discovered by independent researchers. Where are the high end threat intelligence services. If a single person can find a big, gaping security hole, why are the hundreds of smart cyber security systems NOT finding this type of flaw? Oh, right. Well, gee. A zero day by 1,000 evil techies in China or Moldova is the answer. Sorry, not a good answer.

There is a cyber security crisis in America. Yes, Windows may be the giant piece of cheese for the digital rats. Why hack US systems? That’s where there are lots of tasty cheese.

Is there a fix which billions “invested” over five years can fix?

Nope.

Pipe dreams, empty words, and sheepish acquiescence to a fact that bad actors around the world find enervating.

More stringent action is needed from this day. That’s not happening in my opinion. Who created the cyber security problem? Oh, right the outfits promising do not do it again. Quick action after decades of hand waving. And government regulations, certification, and verification that cyber security systems actually work? Wow, that’s real work. Let’s have a meeting to discuss a statement of work and get some trusted consulting firm on this pronto.

I have tears in my eyes and not from laughing. Nothing funny here.

Stephen E Arnold, August 26, 2021

Fancy Code? Nope, Just Being Nice to Apple Customer Care

August 25, 2021

I continue to be fascinated by the number of cyber security companies reporting new exploits. If an exploit is a hot ticket, should not multiple cyber security threat identification services report a breach? Maybe, but the reality is that some expensive and often exotic smart software fumble the ball.

How do bad actors gain access to what these individuals perceive as high value targets? It is not a team of hackers sponsored by a rogue state or a tech-literate oligarch. The crime often is the anti-security action of a single individual.

Lone wolves being nice is a technique not captured by artificially intelligent, over-hyped platforms. “La Puente Man Steals 620,000 iCloud Photos in Plot to Find Images of Nude Women” may be an example of the methods which can penetrate the security of outfits which tout their concerns about privacy and take pains to publicize how secure their online systems, services, and products are.

The allegedly accurate write up states:

Chi, who goes by David, admitted that he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords, according to court records. He gained unauthorized access to photos and videos of at least 306 victims across the nation, most of them young women, he acknowledged in his plea agreement with federal prosecutors in Tampa, Fla.

The “real” news report added some color to this action:

Chi said he hacked into the accounts of about 200 of the victims at the request of people he met online. Using the moniker “icloudripper4you,” Chi marketed himself as capable of breaking into iCloud accounts to steal photos and videos, he admitted in court papers. Chi acknowledged in court papers that he and his unnamed co-conspirators used a foreign encrypted email service to communicate with each other anonymously. When they came across nude photos and videos stored in victims’ iCloud accounts, they called them “wins,” which they collected and shared with one another.

What’s happening in this example?

  • Social engineering
  • Pretending to be a concerned professional at a big company
  • A distributed group of anti security types who don’t know one another too well
  • Victims.

Net net: Fancy security systems are indeed fancy. The security part is different from what bad actors are doing. That’s a bit of a problem for outfits like Microsoft and T-Mobile, among others.

Stephen E Arnold, August 25, 2021

CISA Head Embraces Cooperation with Public-Private Task Force

August 20, 2021

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly is wielding the power of cooperation in the fight against ransomware and other threats. Her agency will work with both other security agencies and big tech companies. This novel approach might just work. The article “Black Hat: New CISA Head Woos Crowd With Public-Private Task Force” at Threatpost reports on Easterly’s keynote presentation at this year’s Black Hat USA conference.

The partnership is logically named the Joint Cyber Defense Collaborative (JCDC) and had 20 corporate partners signed up by the end of July. Amazon, AT&T, Google Cloud, Microsoft, Verizon, and FireEye Mandiant are some of the biggest names participating. (Is FireEye, perhaps, trying to redeem itself?) Easterly also plans to work with other federal agencies like the DoD, NSA, and FBI to make sure their efforts align. We are told ransomware will be the team’s first priority. Writer Tom Spring reveals a bit about the new director:

“Easterly is a former NSA deputy for counterterrorism and has a long history within the U.S. intelligence community. She served for more than 20 years in the Army, where she is credited for creating the armed service’s first cyber battalion. More recently she worked at Morgan Stanley as global head of the company’s cybersecurity division. Easterly replaced CISA acting director Brandon Wales after the agency’s founder and former director Christopher Krebs was fired by former President Trump in 2020.”

But will the cybersecurity veteran be able to win over her corporate colleagues? The article notes one point in her favor:

“During a question-and-answer session, the CISA director scored points with the audience by stating that she supported strong encryption. ‘I realized that there are other points of view across the government, but I think strong encryption is absolutely fundamental for us to be able to do what we need to do,’ she said. … While acknowledging distrust within some segments of the cybersecurity community, Easterly urged the audience of security professionals to trust people first. ‘We know some people never want to trust an organization,’ she said. ‘In reality we trust people – you trust people. … When you work closely together with someone to solve problems, you can begin to create that trust.’

Will the JCDC members and CISA’s fellow agencies be able to trust one another enough to make the partnership a success? We certainly hope so, because effective solutions are sorely needed.

Cynthia Murrell, August 20, 2021

A Simple Question: Just One Cyber Security Firm?

August 17, 2021

There are quite a few cyber security, cyber intelligence, and cyber threat companies. I have a list of about 100 of the better known outfits in this business. Presumably there are dozens, maybe hundreds of trained analysts and finely tuned intelware programs looking for threats and stolen data 24×7.

I read “Secret Terrorist Watchlist with 2 million Records Exposed Online.” The write up states:

July this year, Security Discovery researcher Bob Diachenko came across a plethora of JSON records in an exposed Elasticsearch cluster that piqued his interest.

Here’s my question: Why was a single researcher the only expert aware of this serious breach (if indeed it is valid)?

My hunch is that the Fancy Dan 24×7 smart systems and the legions of developers refining smart intelware have produced systems that simply don’t work. If they did, numerous alerting services would have spotted the alleged do not fly data. The “single researcher” would have been late to the party. He wasn’t. Thank goodness for this research, Mr. Diachenko.

Those systems, as far as I know, did not. The question remains, “Maybe these commercial services don’t work particularly well?” Marketing is really easy, even fun. Delivering on crazy assertions is a different sort of job.

Stephen E Arnold, August 17, 2021

Insider Threat Quantified: Whom Does One Trust?

August 15, 2021

Whom does one trust? Not too many is my answer.

Workers Increasingly Steal company Data during Turnover Tsunami” contains some interesting data; for example:

there were about 65m attempts made by staff to exfiltrate source code from their corporate network in the three months to the end of June, up from about 20m in each of the previous three quarters.

The paywalled article includes some quotes from experts and underscores the fraying social fabric among workers and employers.

Phishing is a security problem. But the insider threat may be another, possibly more challenging, issue to resolve.

Stephen E Arnold, August 20, 2021

Microsoft: Maybe ESET-Type Companies Are a Problem?

August 12, 2021

Microsoft security may have a problem other than bad actors compromising systems. The news cycle has moved forward, but I still chuckle at the SolarWinds’ misstep. How many super duper cyber solutions failed to detect the months long compromise of core Windows processes? I don’t know, and my hunch is that whoever knows does not want to talk about the timeline. That’s understandable.

I read “IISpy: A Complex Server?Side Backdoor with Anti?Forensic Features.” The source appears to be We Live Security which is reporting about an ESET research finding. (I find it interesting that cyber security researchers report interesting things that other cyber security vendors appear not to report or possibly know about. Interesting or a signal that cyber security systems are not particularly effective when new methods poke through a secured system, saying, “Surprise!)

The write up states:

According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension. According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators to not use any security software on servers, and thus our visibility into IIS servers is limited.

If the affected server is the exact one the bad actor wants, numbers may not be germane. Also, does the phrase “not the full picture” indicate that the cyber researchers are not exactly what’s going on?

Interesting questions from my point of view.

If I step back, what’s my observation:

Perhaps cyber security is in a quite pitiful state. If this is accurate, why would the US government offer Amazon AWS another $10 billion deal? Microsoft will contest this important award. You can read the Microsoft News story “Microsoft Challenges the Government’s Decision to Award Amazon a NSA Cloud-Computing Contract, Which Could Be Worth $10 Billion” to get a sense about the disconnect between selling and addressing what may be fundamental security issues.

Would that money, time, and effort be better invested in addressing what seems to be another troubling security issue?

The answer to this question would be in my opinion a true juicy potato.

Stephen E Arnold, August 12, 2021

DarkCyber for August 10, 2021 Now Available

August 10, 2021

The DarkCyber video for August 10, 2021 is now available at this link. The program includes a snapshot of NSO Group’s content marketing campaign, information about inherently insecure software, fine dining at the Central Intelligence Agency, and a sure fire way to phish with quite tasty bait. The drone story explains an autonomous drone. Just give it a goal and the drone figures out what to do. No human input required. Best of all, a swarm of drones can interact with other drones in the swarm to reach a decision about how to achieve an objective. DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search. The DarkCyber videos are issued every two weeks and are available at www.arnoldit.com/wordpress as well as Youtube.

Kenny Toth, August 10, 2021

New Malware MosaicLoader Takes Unusual Attack Vector

August 5, 2021

ZDNet warns us about some micro targeting from bad actors in, “This Password-Stealing Windows Malware is Distributed Via Ads in Search Results.” The malware was first identified by Bitdefender, which named it MosaicLoader. The security experts believe a new group is behind these attacks, one not tied to any known entities. Writer Danny Palmer tells us:

“MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. Unlike many forms of malware, which get distributed via phishing attacks or unpatched software vulnerabilities, MosaicLoader is delivered to victims via advertising. Links to the malware appear at the top of search results when people search for cracked versions of popular software. Automated systems used to buy and serve advertising space likely means that nobody in the chain – aside from the attackers – know the adverts are malicious at all. The security company said that employees working from home are at higher risk of downloading cracked software. ‘Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call,’ Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.”

Antivirus software might catch MosaicLoader—if users have not disabled it because they are downloading illegally cracked software. Oops. Once downloaded, the malware can steal usernames and passwords, farm out crypto currency mining, and install Trojan software through which malefactors can access the machine. Users should be safe if they do not attempt to download pirated software. Sometimes, though, such software does a good job of posing as legitimate. Palmer advises readers to avoid being duped by navigating away if instructed to disable antivirus software before downloading any program. That is always good advice.

Cynthia Murrell, August 5, 2021

NSO Group and an Alert Former French Diplomat: Observation Is Often Helpful

August 2, 2021

I read “French Ex-Diplomat Saw Potential for Misuse While Working at NSO.” The allegedly accurate write up reports that Gerard Araud [once a French ambassador] took a position at NSO Group. The write up adds:

His one-year mission from September 2019, along with two other external consultants from the United States, was to look at how the company could improve its human rights record after a host of negative news stories. Earlier that year, the group’s technology had been linked publicly to spying or attempted spying on the murdered Saudi journalist Jamal Khashoggi by Saudi Arabian security forces, which it denied. The group was acquired in 2019 by a London-based private equity group, Novalpina, which hired Araud to recommend ways to make the company’s safeguard procedures “more rigorous and a bit more systematic,” he said.

The write up explains how a prospect becomes an NSO Group customer:

Its [the Pegasus software and access credentials] export is regulated “like an arms sale,” said Araud, meaning NSO must seek approval from the Israeli government to sell it, and state clients then sign a lengthy commercial contract stipulating how the product will be used. They are meant to deploy Pegasus only to tackle organised crime or terrorism — the company markets itself this way — but Araud said “you could see all the potential for misuse, even though the company wasn’t always responsible.”

The argute veteran of the French ambassadorial team maybe, possibly, could have discerned the potential for misuse of the Pegasys system.

The write up includes this information, allegedly direct from the former diplomat, who obviously provides information diplomatically:

In a firm that practices “a form of extreme secrecy,” he says he nonetheless became convinced that NSO Group worked with Israel’s Mossad secret services, and possibly with the CIA. He said there were three Americans who sat on the group’s advisory board with links to the US intelligence agency, and the company has said that its technology cannot be used to target US-based numbers.  “There’s a question about the presence of Mossad and the CIA. I thought it was both of them, but I have no proof,” he said. “But I suspect they’re both behind it with what you call a ‘backdoor’.” A “backdoor” is a technical term meaning the security services would be able to monitor the deployment of Pegasus and possibly the intelligence gathered as a result.

Interesting. Several years ago, the BBC published “When Is a Diplomat Really Just a Spy?” In that 2018 write up, the Beeb stated:

So where do you draw the line between official diplomacy and the murky world of espionage? “Every embassy in the world has spies,” says Prof Anthony Glees, director of the Centre for Security and Intelligence Studies at the University of Buckingham. And because every country does it, he says there’s “an unwritten understanding” that governments are prepared to “turn a blind eye” to what goes on within embassies.

Would French diplomats have some exposure to ancillary duties at a French embassy? Potentially.

Stephen E Arnold, August 3, 2021

« Previous PageNext Page »

  • Archives

  • Recent Posts

  • Meta