DarkCyber is a video news program issued every two weeks. The June 15, 2021, show includes five stories:
- Pentest tools you can download and use today for free
- A free report that explains Britain’s cyber weaknesses
- Additional information about the E2EE revolution
- Another tip for finding flexible developers and programmers who will do exactly what you want done
- The FireScout, a drone with a 100 mile range and the ability to drop sonobuoys and other devices, perform surveillance, and remain aloft for up to 10 hours.
The DarkCyber video news program contains information presented in Stephen E Arnold’s lectures to law enforcement and intelligence professionals. His most recent lecture was the New Dark Web. He presented his most recent research findings to a group of more than 100 cyber fraud investigators working in Connecticut for a variety of LE and related organizations. The
The June 15, 2021, DarkCyber video program is available from Mr. Arnold’s blog splash page and can be viewed on YouTube. One important note: The video program does not contain advertisements or sponsored content. We know that’s unusual today, but the DarkCyber team prefers to operate without an invisible hand on the controls or an invisible foot on the team’s neck.
Kenny Toth, June 15, 2021
My hunch is that the cyber security breaches center on flaws in Microsoft Windows. The cyber security vendors, the high priced consultants, and even the bad actors renting their services to help regular people are mostly ineffectual. The rumors about a new Windows are interesting. The idea that Windows 10 will not be supported in the future is less interesting. I interpret the information as a signal that Microsoft has to find a fix. Marketing, a “new” Windows, and mucho hand waving will make the problem go away. But will it? Nope. Law enforcement, intelligence professionals, and security experts are operating in reactive mode. Something happens; people issue explanations; and the next breach occurs. Consider gamers. These are not just teenies. Nope. Those trying to practice “adulting” are into these escapes. TechRepublic once again states the obvious in “Fallout of EA Source Code Breach Could Be Severe, Cybersecurity Experts Say.” Here’s an extract:
The consequences of the hack could be existential, said Saryu Nayyar, CEO of cybersecurity firm Gurucul. “This sort of breach could potentially take down an organization,” she said in a statement to TechRepublic. “Game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company’s service or offering. Exposing this data is like virtually taking its life. Except that in this case, EA is saying only a limited amount of game source code and tools have been exfiltrated. Even so, the heartbeat has been interrupted and there’s no telling how this attack will ultimately impact the life blood of the company’s gaming services down the line.”
I like that word “existential.”
I want to call attention to this story in Today Online: “Japan’s Mizuho Bank CEO to Resign after Tech Problems.” Does this seem like a good idea? To me, it may be appropriate in certain situations. A new top dog at Microsoft would have a big job to do for these reasons:
- New or changed software introduces new flaws and exploitable opportunities.
- New products with numerous new features increase the attack surface; for example, Microsoft Teams, which is demonstrating the Word method of adding features to keep wolves like Zoom, Google, and others out of the hen house.
- A flood of marketing collateral, acquisitions, and leaks about a new Windows are possible distractions for very uncritical but influential observers.
But what’s the method in the US? Keep ‘em on the job. How is that working?
Stephen E Arnold, June 14, 2021
NPR has shared the transcript of an All Things Considered interview with former NSA general counsel Glenn Gerstell in, “USAID Hack: Former NSA Official Calls U.S. Cyber Insecurity a ‘Chronic Disease.’” The exchange is not reassuring. Host Michel Martin begins with the recent news of another breach, announced by Microsoft late last month. Once again the perpetrators appear to be Russian operatives, probably the same ones that were behind the SolarWinds attack. Not that Putin will admit as much when he is confronted, as he will likely be, by President Biden at their upcoming meeting in Geneva. We note this exchange:
“MARTIN: Why do you think these attacks keep happening despite the sanctions that the Biden administration has already imposed, you know, on Russia? And do you think the government’s doing enough to protect itself against these threats and also us, the public?
“GERSTELL: Well, your question is really the key one. And I think the lesson we learn from this is that this in some ways, our cyber insecurity in this regard, is a chronic disease for which we don’t have a single cure. It’s not an illness for which there’s a particular drug that we could take to get rid of it. So unfortunately, however, we’re at the beginning end of this chronic condition. This is going to get worse before it gets better. It will ultimately get better. But in the meantime, we have sophisticated attackers, nation states and criminals who can co-opt legitimate servers and companies and computers and softwares. And this proves, unfortunately, that our current scheme of deterrents simply isn’t working.”
What will work is the multi-billion dollar question. Martin wonders whether there are any plans to regulate crypto currency. Gerstell allows that is a step that might be taken, but it would do little to disrupt either spying or the sowing of chaos generated by these types of attacks. It could, however, curtail the sort of ransomware attack that recently shut down a pipeline on the East Coast and had some fools pumping gasoline into plastic bags and other unwise receptacles. That would be something, we suppose.
Cynthia Murrell, June 11, 2021
“Many Staff Are Still Using Work Devices for Personal and Illegal Activities” explains something about insiders. Here’s the write up’s comment about something that I thought everyone knew:
Remote employees do not always consider cybersecurity risks.
This bears-live-in-the-woods statement is supported by thumbtyping research too. The write up reports:
The password security company [Yubico, a dongle outfit] surveyed 3,000 remote staff from around Europe and found that almost half (42%) use work-issued devices for personal tasks. Roughly a third of this group use corporate tech for banking and shopping, while 7% visit illegal streaming websites. What’s more, senior members of staff are among the worst offenders; 43% of business owners and 39% of C-level executives admit to misusing work devices, with many also dabbling in illegal activities online.
How do you like that seven percent ratio? If a government agency has 50,000 full time equivalents, 3,500 are off the reservation. An industrious bad actor could seek out one of these individuals in an effort to create some fun; for example, crafting a way to generate false passports, gaining access to a “secure” network, or fiddling with geo coordinates to make a border surveillance drone watch a McDonald’s, not the area around Organ Pipe Cactus near Lukeville, Arizona.
The write up quotes the cyber security vendor responsible for the original study as saying:
“With millions of workers focused on the pressures of completing tasks in varying and sometimes unusual circumstances, security best practices are often put on the backburner.”
What’s the fix? A Yubico key, of course. But wait. Aren’t there other factors to address? Nah. Time to let the dog out and make an iced coffee with almond milk and cinnamon.
Stephen E Arnold, June 10, 2021
Post title: The Ultimate Insider Tool: Work Technology (filed under cybersecurity, News)
I noted another allegedly true anecdote. If the information is correct, gentle reader, we have another example of the high school science club management method. Think acne, no date for the prom, and a weird laugh type of science club. Before you get too excited, yes, I was a member of my high school’s science club and I think an officer as well as a proponent of the HSSC approach to social interaction. Proud am I.
“Fastly Claims a Single Customer Responsible for Widespread Internet Outage” asserts:
The company is now claiming the issue stemmed from a bug and one customer’s configuration change. “We experienced a global outage due to an undiscovered software bug that surfaced on June 8 when it was triggered by a valid customer configuration change,” Nick Rockwell, the company’s SVP of engineering and infrastructure wrote in a blog post last night. “This outage was broad and severe, and we’re truly sorry for the impact to our customers and everyone who relies on them.”
Yep, a customer using the Fastly cloud service.
Two observations:
- Unnoticed flaws will be found and noticed, maybe exploited. Fragility and vulnerability are engineered in.
- Customer service is likely to subject the individual to an inbound call loop. Take that, you valued customer.
And what about Amazon’s bulletproof, super redundant, fail over whiz bang system? Oh, it failed for users.
Yep, high school science club thinking says, “We did not do it.” Yeah.
Stephen E Arnold, June 9, 2021
Are there security gaps in new cyber solutions? No one knows. “Expel for Microsoft Automates Security Operations across the Microsoft Tech Stack” states:
Expel for Microsoft automates security operations across the Microsoft tech stack, including Active Directory, AD Identity Protection, Azure, MCAS, Microsoft Defender for Endpoint, Office 365 and Sentinel. Expel connects via APIs and ingests security signals from Microsoft’s products into Expel Workbench, along with other third-party signals you have in place. Expel then applies its own detection engine along with threat intelligence gathered from across its broad customer base to quickly find activity that doesn’t look right – like suspicious logins, data exfiltration, suspicious RDP activity or unusual inbox rules. Specific context and business rules that are unique to your environment enhance these built-in detections as Expel’s detection engine learns what “normal” looks like for your organization.
A third party – Expel in this case – has developed a smart software wrapper with “rules” able to bring order to the rich and somewhat interesting Microsoft security solutions. Think of this as wrapping five or six Radio Shack kits in a single box, affixing appropriate wrapping paper, and delivering it to the lucky person.

With breaches seemingly on the rise, will this solution stem the tide? But what if the kits within the wrapped box have their own issues?
Worth watching because if bad actors come up with new angles, cyber security firms are in the uncomfortable position of reacting and spending more on marketing. Marketing is, as most know, more difficult than creating cyber security solutions which work.
Stephen E Arnold, June 7, 2021
Post title: Expel: Can One Prevent the Unruly from Disrupting Microsoft Software? (filed under cybersecurity, Microsoft, News)
Here’s the good news in “SolarWinds Hackers Are Back with a New Mass Campaign, Microsoft Says.” Microsoft and other firms are taking actions to cope with the SolarWinds’ misstep. That’s the gaffe which compromised who knows how many servers, caught the news cycle, and left the real time cyber security threat detection systems enjoying a McDo burger with crow.
I circled this positive statement:
“Microsoft security researchers assess that the Nobelium’s spear-phishing operations are recurring and have increased in frequency and scope,” the MSTC post concluded. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”
The good news is the word “evolving.” That means that whatever the cyber security wizards are doing is having some impact.
However, the bulk of the write up makes clear that the bad actors (Russian again) are recycling known methods and exploiting certain “characteristics” of what sure seem to be Microsoft-related engineering.
There are some clues about who at Microsoft is tracking this stubbed toe; for example, a vice president of customer security and trust. (I like that word “trust.”)
Several observations:
- Phishing
- Surfing on Microsoft-like methods; for example, hidden DLLs, which are usually really fun
- A reactive approach.
What’s my takeaway from the explanation of the security stubbed toe? No solution. Bad actors are on the offensive and vendors and users have to sit back and wait for the next really-no-big-deal breach. Minimization of an “issue” and explaining how someone else spilled the milk will be news again. I think the perpetual motion machine has been discovered in terms of security.
Stephen E Arnold, June 2, 2021
I read “The Future of Communication Surveillance: Moving Beyond Lexicons.” The article explains that word lists and indexing are not enough. (There’s no mention of non text objects and icons with specific meanings upon which bad actors agree before including them in a text message.)
I noted this passage:
Advanced technology such as artificial intelligence (AI), machine learning (ML) and pre-trained models can better detect misconduct and pinpoint the types of risk that a business cares about. AI and ML should work alongside metadata filtering and lexicon alerting to remove irrelevant data and classify communications.
This sounds like cheerleading. The Snowden dump of classified material makes clear that smart software was on the radar of the individuals creating the information released to journalists. Subsequent announcements from policeware and intelware vendors have included references to artificial intelligence and its progeny as a routine component. It’s been years since the assertions in the Snowden documents became known and yet shipping cyber security solutions are not delivering.
The article includes this statement about AI:
Automatically learn over time by taking input from the team’s review of prior alerts
And what about this one? AI can
Adapt quickly to changing language to identify phrases you didn’t know you needed to look for
What the SolarWinds’ misstep revealed was:
- None of the smart cyber security systems noticed the incursion
- None of the smart real time monitoring systems detected repeated code changes and downstream malware within the compromised system
- None of the threat alert services sent a warning to users of compromised systems.
Yet we get this write up about the future of surveillance?
Incredible and disconnected from the real life performance of cyber security vendors’ systems.
Stephen E Arnold, May 28, 2021
I think that some believe the SolarWinds’ misstep should be called “surfing the Microsoft access control process.” I may be wrong on that, of course. I did find some of the statements and quotations in an article called “Microsoft CEO For Global Rules On Data Safety, Privacy.” On the same day that another Microsoftie was explaining the security stumble which has compromised systems at Microsoft itself and a few minor US government agencies, the CEO of the outstanding software company allegedly said:
One thing I hope for is that we don’t fragment, that we are able to, whether it’s on privacy or data safety, bring together a set of global rules that will allow all of us to both comply and make sure that what we build is safe to use.
He allegedly noted:
One of the things we are trying to ensure is how do we have that design principles and engineering processes to ensure that the products and the services are respecting privacy, security, AI ethics as well as the fundamental Internet safety but beyond that there will be regulation.
With some of the source code for Azure, Exchange, and Outlook on the loose, one hopes that those authentication and access control systems are indeed secure. One hopes that the aggressively marketed Windows Defender actually defends. That system appears to have been blind to the surfing maneuvers executed by bad actors for months, maybe a year or more.
Microsoft’s core methods for granting efficient access to trusted users or functions with certifying tokens were compromised. At this time, the scope of the breached systems and the existence, if any, of sleeper code is not yet quantified.
Assurances are useful in some circumstances. Foundational engineering flaws are slightly more challenging to address.
But “hope” is good. Let’s concentrate security with Microsoft procedures. Sounds good, right? Talk is easier than reengineering perhaps?
Stephen E Arnold, February 25, 2021
To break up the monotony of quarantine life, a new trend appeared on the Internet due to the widespread use of videoconferencing. Called “zoombombing,” the new activity is when a stranger joins an online videoconference and disrupts it with lewd comments, activities, and other chaos. Science Magazine shares how zoombombers are usually not random strangers: “‘Zoombombing’ Research Shows Legitimate Meeting Attendees Cause Most Attacks.”
Zoombombing videos went viral rather quickly. Many of these disruptions incited humor, but soon became annoyances. Boston University and Binghamton University researchers discovered that most zoombombing attacks are “inside jobs.”
“Assistant Professor Jeremy Blackburn and PhD student Utkucan Balci from the Department of Computer Science at Binghamton’s Thomas J. Watson College of Engineering and Applied Science teamed up with Boston University Assistant Professor Gianluca Stringhini and PhD student Chen Ling to analyze more than 200 calls from the first seven months of 2020.
The researchers found that the vast majority of zoombombing are not caused by attackers stumbling upon meeting invitations or “bruteforcing” their ID numbers, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. Authorized users share links, passwords and other information on sites such as Twitter and 4chan, along with a call to stir up trouble.”
Hackers are not causing the problem; invited participants to the Zoom call are. Inside jobs are giggles, but they point to the underlying problem of anonymity. If people are not afraid of repercussions, then they are more likely to say or do racist, sexist, and related things.
The researchers were forced to study antisocial behavior in their studies and had to take mental health breaks due to the depravity.
Whitney Grace, February 24, 2021
Post title: Zoom Bombers? Probably from Your Contact List (filed under cybersecurity, News)