TikTok: No Risk You Think?

June 28, 2021

I snipped a segment from my most recent lecture about the new Dark Web as this week’s DarkCyber video. More information about the program will appear on Tuesday, June 28, 2021. For now, I want to highlight the “real” news outfit CNBC and its take on TikTok. Remember that TikTok is harmless at least according to one Silicon Valley pundit and aspiring CIA professional.

“TikTok Insiders Say Social Media Company Is Tightly Controlled by Chinese Parent ByteDance” reports as actual factual information instantly doubted by Silicon Valley pundits:

This recruiter, along with four other former employees, told CNBC they’re concerned about the popular social media app’s Chinese parent company, which they say has access to American user data and is actively involved in the Los Angeles company’s decision-making and product development. These people asked to remain anonymous for fear of retribution from the company.

Hey, how about a quote from Jack Ma about the wonderfulness of the Chinese business methodology?

The write up adds:

Most notably, one employee said that ByteDance employees are able to access U.S. user data. This was highlighted in a situation where an American employee working on TikTok needed to get a list of global users, including Americans, who searched for or interacted with a specific type of content — that means users who searched for a specific term or hashtag or liked a particular category of videos. This employee had to reach out to a data team in China in order to access that information. The data the employee received included users’ specific IDs, and they could pull up whatever information TikTok had about those users. This type of situation was confirmed as a common occurrence by a second employee.

If you are interested in the value of data from a mere app, check out the DarkCyber program for June 28, 2021.

Stephen E Arnold, June 28, 2021

Mitre and Its Mad Ave Inspired Naming

June 25, 2021

I keep a list of neologisms, jargon, and odd ball phrases. Examples include anting (crows which allow ants to clean up the feathery friends of horror movie script writers), industrial athlete (a Bezos bulldozer rah rah for warehouse workers who are sometimes allowed to visit the facilities), and pillbillies (residents of West Virginia and Kentucky who are addicted to opioids). I have others too including AIM (asymmetric information management) which I don’t understand at all.

Now I have a new one: ATT&CK. This is a coinage from a wordsmith at Mitre (the old MIT Research outfit) and its “Engenuity” unit. Those folks are heirs to assorted Boston poets I think. I am not sure what the letters mean, but here’s the explanation in “Tool Lets Users Supplement Mitre ATT&CK Knowledge Base with Their Own Threat Intel”:

Called ATT&CK Workbench, the free and open-source tool was designed to reduce the barriers preventing defenders from aligning their aggregated TTP intel with Mitre ATT&CK’s content. Officially announced today via press release and blog post, Workbench is a creation of Mitre Engenuity’s Center for Threat-Informed Defense, with contributions from Center members AttackIQ, HCA Healthcare, JPMorgan Chase, Microsoft and Verizon.

I want to point out that as far as my DarkCyber research team has been able to determine, exactly none of the threat intelligence outfits alerted their customers to the SolarWinds’ misstep.

I have a buzzword for this in my collection too: Nonperformative. I think this means, “May not work.”

Stephen E Arnold, June 24, 2021

Clear Signals of Deeper, Less Visible Flaws, Carelessness, and Corner Cuts

June 21, 2021

I read “State of the Windows: How Many Layers of UI Inconsistencies Are in Windows 10?” I found the listing of visual anomalies interesting. I don’t care much about Windows. We run a couple of applications and upgrade to new versions once the point releases and bugs have been identified and mostly driven into dark holes.

The write up points out:

As you may know, Microsoft is planning on overhauling the UI of Windows with their “Sun Valley” update, which aims to unify the design of the OS. However, as we can see, Windows is one behemoth of an operating system. Will their efforts to finally make a cohesive user experience succeed?

My answer to this question is that Microsoft has embraced processes which tolerate inconsistencies. I see this as a strategic or embedded function of the company’s management attitude: Good enough. If a company cannot make interfaces consistent, what about getting security issues, software update processes, and code quality under control?

I want to mention the allegation that Microsoft may have been signing malicious drivers. For more on this interesting assertion, navigate to Gossi The Dog at this link. One hopes the information in this sequence of messages and screenshots is fabricated. But if they are on the money, well …

If you can’t see it, perhaps “good enough” becomes “who cares.” Obviously some at Microsoft hold both of these strategic principles dear.

Stephen E Arnold, June 21, 2021

DarkCyber for June 15, 2021, Now Available

June 15, 2021

DarkCyber is a video news program issued every two weeks. The June 15, 2021, show includes five stories:

  • Pentest tools you can download and use today for free
  • A free report that explains Britain’s cyber weaknesses
  • Additional information about the E2EE revolution
  • Another tip for finding flexible developers and programmers who will do exactly what you want done
  • The FireScout, a drone with a 100 mile range and the ability to drop sonobuoys and other devices, perform surveillance, and remain aloft for up to 10 hours.

The DarkCyber video news program contains information presented in Stephen E Arnold’s lectures to law enforcement and intelligence professionals. His most recent lecture was the New Dark Web. He presented his most recent research findings to a group of more than 100 cyber fraud investigators working in Connecticut for a variety of LE and related organizations. The

The June 15, 2021, DarkCyber video program is available from Mr. Arnold’s blog splash page and can be viewed on YouTube. One important note: The video program does not contain advertisements or sponsored content. We know that’s unusual today, but the DarkCyber team prefers to operate without an invisible hand on the controls or an invisible foot on the team’s neck.

Kenny Toth, June 15, 2021

An Idea for American Top Dogs?

June 14, 2021

My hunch is that the cyber security breaches center on flaws in Microsoft Windows. The cyber security vendors, the high priced consultants, and even the bad actors renting their services to help regular people are mostly ineffectual. The rumors about a new Windows are interesting. The idea that Windows 10 will not be supported in the future is less interesting. I interpret the information as a signal that Microsoft has to find a fix. Marketing, a “new” Windows, and mucho hand waving will make the problem go away. But will it? Nope. Law enforcement, intelligence professionals, and security experts are operating in reactive mode. Something happens; people issue explanations; and the next breach occurs. Consider gamers. These are not just teenies. Nope. Those trying to practice “adulting” are into these escapes. TechRepublic once again states the obvious in “Fallout of EA Source Code Breach Could Be Severe, Cybersecurity Experts Say.” Here’s an extract:

The consequences of the hack could be existential, said Saryu Nayyar, CEO of cybersecurity firm Gurucul. “This sort of breach could potentially take down an organization,” she said in a statement to TechRepublic. “Game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company’s service or offering. Exposing this data is like virtually taking its life. Except that in this case, EA is saying only a limited amount of game source code and tools have been exfiltrated. Even so, the heartbeat has been interrupted and there’s no telling how this attack will ultimately impact the life blood of the company’s gaming services down the line.”

I like that word “existential.”

I want to call attention to this story in Today Online: “Japan’s Mizuho Bank CEO to Resign after Tech Problems.” Does this seem like a good idea? To me, it may be appropriate in certain situations. A new top dog at Microsoft would have a big job to do for these reasons:

  1. New or changed software introduces new flaws and exploitable opportunities.
  2. New products with numerous new features increase the attack surface; for example, Microsoft Teams, which is demonstrating the Word method of adding features to keep wolves like Zoom, Google, and others out of the hen house.
  3. A flood of marketing collateral, acquisitions, and leaks about a new Windows are possible distractions for very uncritical but influential observers.

But what’s the method in the US? Keep ‘em on the job. How is that working?

Stephen E Arnold, June 14, 2021

Chronic Cyber Insecurity

June 11, 2021

NPR has shared the transcript of an All Things Considered interview with former NSA general counsel Glenn Gerstell in, “USAID Hack: Former NSA Official Calls U.S. Cyber Insecurity a ‘Chronic Disease.’” The exchange is not reassuring. Host Michel Martin begins with the recent news of another breach, announced by Microsoft late last month. Once again the perpetrators appear to be Russian operatives, probably the same ones that were behind the SolarWinds attack. Not that Putin will admit as much when he is confronted, as he will likely be, by President Biden at their upcoming meeting in Geneva. We note this exchange:

“MARTIN: Why do you think these attacks keep happening despite the sanctions that the Biden administration has already imposed, you know, on Russia? And do you think the government’s doing enough to protect itself against these threats and also us, the public?

“GERSTELL: Well, your question is really the key one. And I think the lesson we learn from this is that this in some ways, our cyber insecurity in this regard, is a chronic disease for which we don’t have a single cure. It’s not an illness for which there’s a particular drug that we could take to get rid of it. So unfortunately, however, we’re at the beginning end of this chronic condition. This is going to get worse before it gets better. It will ultimately get better. But in the meantime, we have sophisticated attackers, nation states and criminals who can co-opt legitimate servers and companies and computers and softwares. And this proves, unfortunately, that our current scheme of deterrents simply isn’t working.”

What will work is the multi-billion dollar question. Martin wonders whether there are any plans to regulate cryptocurrency. Gerstell allows that is a step that might be taken, but it would do little to disrupt either spying or the sowing of chaos generated by these types of attacks. It could, however, curtail the sort of ransomware attack that recently shut down a pipeline on the East Coast and had some fools pumping gasoline into plastic bags and other unwise receptacles. That would be something, we suppose.

Cynthia Murrell, June 11, 2021

The Ultimate Insider Tool: Work Technology

June 10, 2021

“Many Staff Are Still Using Work Devices for Personal and Illegal Activities” explains something about insiders. Here’s the write up’s comment about something that I thought everyone knew:

Remote employees do not always consider cybersecurity risks.

This bears-live-in-the-woods statement is supported by thumbtyping research too. The write up reports:

The password security company [Yubico, a dongle outfit] surveyed 3,000 remote staff from around Europe and found that almost half (42%) use work-issued devices for personal tasks. Roughly a third of this group use corporate tech for banking and shopping, while 7% visit illegal streaming websites. What’s more, senior members of staff are among the worst offenders; 43% of business owners and 39% of C-level executives admit to misusing work devices, with many also dabbling in illegal activities online.

How do you like that ratio of seven percent? If a government agency has 50,000 full time equivalents, 3,500 are off the reservation. An industrious bad actor could seek out one of these individuals in an effort to create some fun; for example, crafting a way to generate false passports, gaining access to a “secure” network, or fiddling with geo coordinates to make a border surveillance drone watch a McDonald’s, not the area around Organ Pipe Cactus near Lukeville, Arizona.

The write up quotes the cyber security vendor responsible for the original study as saying:

“With millions of workers focused on the pressures of completing tasks in varying and sometimes unusual circumstances, security best practices are often put on the backburner.”

What’s the fix? A Yubico key, of course. But wait. Aren’t there other factors to address? Nah. Time to let the dog out and make an iced coffee with almond milk and cinnamon.

Stephen E Arnold, June 10, 2021

High School Management Method: Blame a Customer

June 9, 2021

I noted another allegedly true anecdote. If the information is correct, gentle reader, we have another example of the high school science club management method. Think acne, no date for the prom, and a weird laugh type of science club. Before you get too excited, yes, I was a member of my high school’s science club and I think an officer as well as a proponent of the HSSC approach to social interaction. Proud am I.

“Fastly Claims a Single Customer Responsible for Widespread Internet Outage” asserts:

The company is now claiming the issue stemmed from a bug and one customer’s configuration change. “We experienced a global outage due to an undiscovered software bug that surfaced on June 8 when it was triggered by a valid customer configuration change,” Nick Rockwell, the company’s SVP of engineering and infrastructure wrote in a blog post last night. “This outage was broad and severe, and we’re truly sorry for the impact to our customers and everyone who relies on them.”

Yep, a customer using the Fastly cloud service.

Two observations:

  1. Unnoticed flaws will be found and noticed, maybe exploited. Fragility and vulnerability are engineered in.
  2. Customer service is likely to subject the individual to an inbound call loop. Take that, you valued customer.

And what about Amazon’s bulletproof, super redundant, fail over whiz bang system? Oh, it failed for users.

Yep, high school science club thinking says, “We did not do it.” Yeah.

Stephen E Arnold, June 9, 2021

Expel: Can One Prevent the Unruly from Disrupting Microsoft Software?

June 7, 2021

Are there security gaps in new cyber solutions? No one knows. “Expel for Microsoft Automates Security Operations across the Microsoft Tech Stack” states:

Expel for Microsoft automates security operations across the Microsoft tech stack, including Active Directory, AD Identity Protection, Azure, MCAS, Microsoft Defender for Endpoint, Office 365 and Sentinel. Expel connects via APIs and ingests security signals from Microsoft’s products into Expel Workbench, along with other third-party signals you have in place. Expel then applies its own detection engine along with threat intelligence gathered from across its broad customer base to quickly find activity that doesn’t look right – like suspicious logins, data exfiltration, suspicious RDP activity or unusual inbox rules. Specific context and business rules that are unique to your environment enhance these built-in detections as Expel’s detection engine learns what “normal” looks like for your organization.
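The quoted passage lists “unusual inbox rules” as one of the signals a detection engine looks for. The following is an added illustration, written for this post and not Expel’s or Microsoft’s code, of what such a rule check can look like when run over mailbox-audit events. The event records and field names (`user`, `rule_name`, `forward_to`, `delete`, `subject_contains`) are constructed for the example and do not follow any real product’s schema; the internal domain `example.com` and the keyword list are assumptions.

```python
"""Toy scoring of inbox-rule creation events for signs of mailbox abuse.

Added example for illustration only; not code from Expel or Microsoft.
The event schema below is invented for this example.
"""
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domain. Forwarding to anything
# else is treated as "external".
INTERNAL_DOMAIN = "example.com"

# Assumption: subject keywords that attackers' auto-delete/forward rules
# often key on to hide security alerts or intercept payment mail.
SUSPICIOUS_KEYWORDS = {"invoice", "password", "wire", "payment", "hacked", "suspicious"}


@dataclass
class InboxRuleEvent:
    """One constructed 'inbox rule created' audit event."""
    user: str
    rule_name: str
    forward_to: list = field(default_factory=list)
    delete: bool = False
    subject_contains: list = field(default_factory=list)


def external_forwards(event):
    """Return the forwarding targets that are outside INTERNAL_DOMAIN."""
    suffix = "@" + INTERNAL_DOMAIN
    return [addr for addr in event.forward_to if not addr.lower().endswith(suffix)]


def score_rule(event):
    """Score one event; return (score, reasons). Score >= 2 is an alert."""
    score, reasons = 0, []
    ext = external_forwards(event)
    if ext:                       # mail leaving the organisation silently
        score += 2
        reasons.append("forwards to external address(es): " + ", ".join(ext))
    if event.delete:              # rule hides the messages it matches
        score += 1
        reasons.append("deletes matching messages")
    hits = sorted(w for w in event.subject_contains if w.lower() in SUSPICIOUS_KEYWORDS)
    if hits:                      # keyed on alert/payment vocabulary
        score += 1
        reasons.append("filters on sensitive subject keywords: " + ", ".join(hits))
    if len(event.rule_name.strip()) <= 1:  # '.' or blank names are a common evasion
        score += 1
        reasons.append("rule name is empty or a single character")
    return score, reasons


def find_alerts(events, threshold=2):
    """Return (user, rule_name, score, reasons) for every event at/above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_rule(ev)
        if score >= threshold:
            alerts.append((ev.user, ev.rule_name, score, reasons))
    return alerts


# Constructed sample events: two benign housekeeping rules, two that a
# defender would want to review.
SAMPLE_EVENTS = [
    InboxRuleEvent("alice", "Newsletters", subject_contains=["newsletter"]),
    InboxRuleEvent("bob", ".", forward_to=["drop@outside.example"], delete=True,
                   subject_contains=["invoice", "wire"]),
    InboxRuleEvent("carol", "Archive HR", forward_to=["hr-archive@example.com"]),
    InboxRuleEvent("dave", "Cleanup", delete=True, subject_contains=["password"]),
]

if __name__ == "__main__":
    for user, name, score, reasons in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT user={user} rule={name!r} score={score}")
        for r in reasons:
            print("   -", r)
```

The scoring is deliberately additive so that a single weak signal (a rule that only deletes newsletters) stays below the threshold while a combination (external forward plus delete plus a one-character name) rises well above it; in a real deployment the baseline of what “normal” rules look like for the organisation would adjust these weights.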

A third party – Expel in this case – has developed a smart software wrapper with “rules” able to bring order to the rich and somewhat interesting Microsoft security solutions. Think of this as wrapping five or six Radio Shack kits in a single box, affixing appropriate wrapping paper, and delivering it to the lucky person.


With breaches seemingly on the rise, will this solution stem the tide? But what if the kits within the wrapped box have their own issues?

Worth watching because if bad actors come up with new angles, cyber security firms are in the uncomfortable position of reacting and spending more on marketing. Marketing is, as most know, more difficult than creating cyber security solutions which work.

Stephen E Arnold, June 7, 2021

SolarWinds: In the News

June 2, 2021

Here’s the good news in “SolarWinds Hackers Are Back with a New Mass Campaign, Microsoft Says.” Microsoft and other firms are taking actions to cope with the SolarWinds’ misstep. That’s the gaffe which compromised who knows how many servers, caught the news cycle, and left the real time cyber security threat detection systems enjoying a McDo burger with crow.

I circled this positive statement:

“Microsoft security researchers assess that the Nobelium’s spear-phishing operations are recurring and have increased in frequency and scope,” the MSTC post concluded. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”

The good news is the word “evolving.” That means that whatever the cyber security wizards are doing is having some impact.

However, the bulk of the write up makes clear that the bad actors (Russian again) are recycling known methods and exploiting certain “characteristics” of what sure seem to be Microsoft-related engineering.

There are some clues about who at Microsoft is tracking this stubbed toe; for example, a vice president of customer security and trust. (I like that word “trust.”)

Several observations:

  1. Phishing
  2. Surfing on Microsoft-like methods; for example, hidden DLLs, which are usually really fun
  3. A reactive approach.

What’s my takeaway from the explanation of the security stubbed toe: No solution. Bad actors are on the offensive and vendors and users have to sit back and wait for the next really-no-big-deal breach. Minimization of an “issue” and explaining how someone else spilled the milk will be news again. I think the perpetual motion machine has been discovered in terms of security.

Stephen E Arnold, June 2, 2021
