“Many Staff Are Still Using Work Devices for Personal and Illegal Activities” explains something about insiders. Here’s the write up’s comment about something that I thought everyone knew:
Remote employees do not always consider cybersecurity risks.
This bears-live-in-the-woods statement is supported by thumbtyping research too. The write up reports:
The password security company [Yubico, a dongle outfit] surveyed 3,000 remote staff from around Europe and found that almost half (42%) use work-issued devices for personal tasks. Roughly a third of this group use corporate tech for banking and shopping, while 7% visit illegal streaming websites. What’s more, senior members of staff are among the worst offenders; 43% of business owners and 39% of C-level executives admit to misusing work devices, with many also dabbling in illegal activities online.
How do you like that ratio of seven percent? If a government agency has 50,000 full time equivalents, 3,500 are off the reservation. An industrious bad actor could seek out one of these individuals in an effort to create some fun; for example, crafting a way to generate false passports, gaining access to a “secure” network, or fiddling with geo coordinates to make a border surveillance drone watch a McDonald’s, not the area around Organ Pipe Cactus near Lukeville, Arizona.
The write up quotes the cyber security vendor responsible for the original study as saying:
“With millions of workers focused on the pressures of completing tasks in varying and sometimes unusual circumstances, security best practices are often put on the backburner.”
What’s the fix? A Yubico key, of course. But wait. Aren’t there other factors to address? Nah. Time to let the dog out and make an iced coffee with almond milk and cinnamon.
Stephen E Arnold, June 10, 2021
Written by Stephen E. Arnold · Filed Under cybersecurity, News | Comments Off on The Ultimate Insider Tool: Work Technology
I noted another allegedly true anecdote. If the information is correct, gentle reader, we have another example of the high school science club management method. Think acne, no date for the prom, and a weird laugh type of science club. Before you get too excited, yes, I was a member of my high school’s science club and I think an officer as well as a proponent of the HSSC approach to social interaction. Proud am I.
“Fastly Claims a Single Customer Responsible for Widespread Internet Outage” asserts:
The company is now claiming the issue stemmed from a bug and one customer’s configuration change. “We experienced a global outage due to an undiscovered software bug that surfaced on June 8 when it was triggered by a valid customer configuration change,” Nick Rockwell, the company’s SVP of engineering and infrastructure wrote in a blog post last night. “This outage was broad and severe, and we’re truly sorry for the impact to our customers and everyone who relies on them.”
Yep, a customer using the Fastly cloud service.
Two observations:
- Unnoticed flaws will be found and noticed, maybe exploited. Fragility and vulnerability are engineered in.
- Customer service is likely to subject the individual to an inbound call loop. Take that, you valued customer.
And what about Amazon’s bulletproof, super redundant, failover whiz bang system? Oh, it failed for users.
Yep, high school science club thinking says, “We did not do it.” Yeah.
Stephen E Arnold, June 9, 2021
Are there security gaps in new cyber solutions? No one knows. “Expel for Microsoft Automates Security Operations across the Microsoft Tech Stack” states:
Expel for Microsoft automates security operations across the Microsoft tech stack, including Active Directory, AD Identity Protection, Azure, MCAS, Microsoft Defender for Endpoint, Office 365 and Sentinel. Expel connects via APIs and ingests security signals from Microsoft’s products into Expel Workbench, along with other third-party signals you have in place. Expel then applies its own detection engine along with threat intelligence gathered from across its broad customer base to quickly find activity that doesn’t look right – like suspicious logins, data exfiltration, suspicious RDP activity or unusual inbox rules. Specific context and business rules that are unique to your environment enhance these built-in detections as Expel’s detection engine learns what “normal” looks like for your organization.
A third party – Expel in this case – has developed a smart software wrapper with “rules” able to bring order to the rich and somewhat interesting Microsoft security solutions. Think of this as wrapping five or six Radio Shack kits in a single box, affixing appropriate wrapping paper, and delivering it to the lucky person.

With breaches seemingly on the rise, will this solution stem the tide? But what if the kits within the wrapped box have their own issues?
Worth watching because if bad actors come up with new angles, cyber security firms are in the uncomfortable position of reacting and spending more on marketing. Marketing is, as most know, more difficult than creating cyber security solutions which work.
Stephen E Arnold, June 7, 2021
Written by Stephen E. Arnold · Filed Under cybersecurity, Microsoft, News | Comments Off on Expel: Can One Prevent the Unruly from Disrupting Microsoft Software?
Here’s the good news in “SolarWinds Hackers Are Back with a New Mass Campaign, Microsoft Says.” Microsoft and other firms are taking actions to cope with the SolarWinds’ misstep. That’s the gaffe which compromised who knows how many servers, caught the news cycle, and left the real time cyber security threat detection systems enjoying a McDo burger with crow.
I circled this positive statement:
“Microsoft security researchers assess that the Nobelium’s spear-phishing operations are recurring and have increased in frequency and scope,” the MSTC post concluded. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”
The good news is the word “evolving.” That means that whatever the cyber security wizards are doing is having some impact.
However, the bulk of the write up makes clear that the bad actors (Russian again) are recycling known methods and exploiting certain “characteristics” of what sure seem to be Microsoft-related engineering.
There are some clues about who at Microsoft is tracking this stubbed toe; for example, a vice president of customer security and trust. (I like that word “trust.”)
Several observations:
- Phishing
- Surfing on Microsoft-like methods; for example, hidden DLLs, which are usually really fun
- A reactive approach.
What’s my takeaway from the explanation of the security stubbed toe? No solution. Bad actors are on the offensive, and vendors and users have to sit back and wait for the next really-no-big-deal breach. Minimization of an “issue” and explaining how someone else spilled the milk will be news again. I think the perpetual motion machine has been discovered in terms of security.
Stephen E Arnold, June 2, 2021
I read “The Future of Communication Surveillance: Moving Beyond Lexicons.” The article explains that word lists and indexing are not enough. (There’s no mention of non text objects and icons with specific meanings upon which bad actors agree before including them in a text message.)
I noted this passage:
Advanced technology such as artificial intelligence (AI), machine learning (ML) and pre-trained models can better detect misconduct and pinpoint the types of risk that a business cares about. AI and ML should work alongside metadata filtering and lexicon alerting to remove irrelevant data and classify communications.
This sounds like cheerleading. The Snowden dump of classified material makes clear that smart software was on the radar of the individuals creating the information released to journalists. Subsequent announcements from policeware and intelware vendors have included references to artificial intelligence and its progeny as a routine component. It’s been years since the assertions in the Snowden documents became known and yet shipping cyber security solutions are not delivering.
The article includes this statement about AI:
Automatically learn over time by taking input from the team’s review of prior alerts
And what about this one? AI can
Adapt quickly to changing language to identify phrases you didn’t know you needed to look for
What the SolarWinds’ misstep revealed was:
- None of the smart cyber security systems noticed the incursion
- None of the smart real time monitoring systems detected repeated code changes and downstream malware within the compromised system
- None of the threat alert services sent a warning to users of compromised systems.
Yet we get this write up about the future of surveillance?
Incredible and disconnected from the real life performance of cyber security vendors’ systems.
Stephen E Arnold, May 28, 2021
I think that some believe the SolarWinds’ misstep should be called “surfing the Microsoft access control process.” I may be wrong on that, of course. I did find some of the statements and quotations in an article called “Microsoft CEO For Global Rules On Data Safety, Privacy.” On the same day that another Microsoftie was explaining the security stumble which has compromised systems at Microsoft itself and a few minor US government agencies, the CEO of the outstanding software company allegedly said:
One thing I hope for is that we don’t fragment, that we are able to, whether it’s on privacy or data safety, bring together a set of global rules that will allow all of us to both comply and make sure that what we build is safe to use.
He allegedly noted:
One of the things we are trying to ensure is how do we have that design principles and engineering processes to ensure that the products and the services are respecting privacy, security, AI ethics as well as the fundamental Internet safety but beyond that there will be regulation.
With some of the source code for Azure, Exchange, and Outlook on the loose, one hopes that those authentication and access control systems are indeed secure. One hopes that the aggressively marketed Windows Defender actually defends. That system appears to have been blind to the surfing maneuvers executed by bad actors for months, maybe a year or more.
Microsoft’s core methods for granting efficient access to trusted users or functions with certifying tokens were compromised. At this time, the scope of the breached systems and the existence, if any, of sleeper code is not yet quantified.
Assurances are useful in some circumstances. Foundational engineering flaws are slightly more challenging to address.
But “hope” is good. Let’s concentrate security with Microsoft procedures. Sounds good, right? Talk is easier than reengineering perhaps?
Stephen E Arnold, February 25, 2021
To break up the monotony of quarantine life, a new trend appeared on the Internet due to the large use of videoconferencing. Called “zoombombing,” the new activity is when a stranger joins an online videoconference and disrupts it with lewd comments, activities, and other chaos. Science Magazine shares how zoom bombers are usually not random strangers: “‘Zoombombing’ Research Shows Legitimate Meeting Attendees Cause Most Attacks.”
Zoombombing videos went viral rather quickly. Many of these disruptions incited humor, but soon became annoyances. Boston University and Binghamton University researchers discovered that most zoombombing attacks are “inside jobs.”
“Assistant Professor Jeremy Blackburn and PhD student Utkucan Balci from the Department of Computer Science at Binghamton’s Thomas J. Watson College of Engineering and Applied Science teamed up with Boston University Assistant Professor Gianluca Stringhini and PhD student Chen Ling to analyze more than 200 calls from the first seven months of 2020.
The researchers found that the vast majority of zoombombing are not caused by attackers stumbling upon meeting invitations or “bruteforcing” their ID numbers, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. Authorized users share links, passwords and other information on sites such as Twitter and 4chan, along with a call to stir up trouble.”
Hackers are not causing the problem; invited participants to the Zoom call are. Inside jobs are giggles, but they point to the underlying problem of anonymity. If people are not afraid of repercussions, then they are more likely to say/do racist, sexist, and related things.
The researchers were forced to study antisocial behavior in their studies and had to take mental health breaks due to the depravity.
Whitney Grace, February 24, 2021
Written by Stephen E. Arnold · Filed Under cybersecurity, News | Comments Off on Zoom Bombers? Probably from Your Contact List
DarkCyber, Series 3, Number 4 includes five stories. The first summarizes the value of an electronic game’s software. Think millions. The second explains that Lokinet is now operating under the brand Oxen. The idea is that the secure services’ offerings are “beefier.” The third story provides an example of how smaller cyber security startups can make valuable contributions in the post-SolarWinds’ era. The fourth story highlights a story about the US government’s getting close to an important security implementation, only to lose track of the mission. And the final story provides some drone dope about the use of unmanned aerial systems on Super Bowl Sunday as FBI agents monitored an FAA imposed no fly zone. You could download the video at this url after we uploaded it to YouTube.
But…
YouTube notified Stephen E Arnold that his interview with Robert David Steele, a former CIA professional, was removed from YouTube. The reason was “bullying.” Mr. Arnold is 76 or 77, and he talked with Mr. Steele about the Jeffrey Epstein allegations. Mr. Epstein was on the radar of Mr. Steele because the legal allegations were of interest to an international tribunal about human trafficking and child sex crime. Mr. Steele is a director of that tribunal. Bullying about a deceased person allegedly involved in a decades long criminal activity? What?
What’s even more interesting is that the DarkCyber videos, which appear every 14 days, focus on law enforcement, intelligence, and cyber crime issues. One law enforcement professional told Mr. Arnold after his Dark Web lecture at the National Cyber Crime Conference in 2020, “You make it clear that investigators have to embrace new technology and not wait for budgets to accommodate more specialists.”
Mr. Arnold told me that he did not click the bright red button wanting Google / YouTube to entertain an appeal. I am not certain about his reasoning, but I assume that Mr. Arnold, who was an advisor to the world’s largest online search system, was indifferent to the censorship. My perception is that Mr. Arnold recognizes that Alphabet, Google, and YouTube are overwhelmed with management challenges, struggling to figure out how to deal with copyright violations, hate content, and sexually related information. Furthermore, Alphabet, Google, and YouTube face persistent legal challenges, employee outcries about discrimination, and ageing systems and methods.
What does this mean? In early March 2021, we will announce other video services which will make the DarkCyber video programs available.
The DarkCyber team is composed of individuals who are not bullies. If anything, the group is more accurately characterized as researchers and analysts who prefer the libraries of days gone by to the zip zip world of thumbtypers, smart software, and censorship of content related to law enforcement and intelligence professionals.
Mr. Arnold will be discussing online click fraud at lunch next week. Would that make an interesting subject for a DarkCyber story? With two firms controlling more than two thirds of the online advertising, click fraud is a hot potato topic. How does it happen? What’s done to prevent it? What’s the cost to the advertisers? What are the legal consequences of the activity?
Kenny Toth, February 23, 2021
One of the news items in an upcoming DarkCyber talks about LinkedIn phishing exploits. I want to mention this method of hijacking or intruding into a system for two reasons. First, Microsoft has been explaining and reframing the SolarWinds’ security misstep for a couple of months. The Redmond giant has used explanations of the breach to market its Windows and Azure security systems. LinkedIn is a Microsoft property, and it seems as if Microsoft would clamp down on phishing attacks after it lost some of the source code to Exchange and a couple of other Microsoft crown jewels. Second, LinkedIn, like Microsoft Teams, is going through a featuritis phase. The service is making publishing, rich media, in message links, and group functions more easily available. The goal is to increase the social network’s value and revenue, particularly among those seeking employment. There’s nothing like a malicious exploit that kills a job hunter’s computing to brighten one’s day.
The article “Phishers Tricking Users via Fake LinkedIn Private Shared Document” explains the exploit. The write up says:
The phishing message is delivered via LinkedIn’s internal messaging system and looks like it has been sent by one of the victim’s contacts. The message urges the recipient to follow a third-party link to view a document.
If you want more details, check out the full Help Net Security post.
In the wake of SolarWinds, I think that Microsoft needs to button up its security. Less marketing and more substantive action seems to be appropriate. Microsoft will be the plumbing for the JEDI program. What vulnerabilities exist within this system? Hopefully none, but recent events and this LinkedIn phishing information suggest reality is insecure.
Stephen E Arnold, February 22, 2021
I asked myself this question, “What threats does cyber security software thwart?” The SolarWinds’ misstep went undetected for months, maybe a year or more. I read “France Agency ANSSI Links Russia’s Sandworm APT to Attacks on Hosting Providers.” Reuters ran a short news item as well. You can read the report via this link. I don’t want to wade through the cyber security jargon in this post. Instead I want to highlight one fact: The “intrusions” dated back to 2017. Okay, this is another time block in which cyber security systems operated and failed to detect the malicious behavior.
The vector of attack was software used by Centreon. What does Centreon do?
What’s ANSSI?
The French National Agency for the Security of Information Systems or Agence nationale de la sécurité des systèmes d’information.
What’s Centreon? LinkedIn says:
Centreon is a global provider of business-aware IT monitoring for always-on operations and performance excellence. The company’s holistic, AIOps-ready platform is designed for today’s complex, distributed hybrid cloud infrastructures. Privately held, Centreon was founded in 2005 as an open source software framework. Today, Centreon is trusted by organizations of all sizes across a wide range of public and private sectors. Centreon is headquartered in Paris and Toronto, with sales offices in Geneva, Luxembourg and Toulouse.
What’s Hub One?
It is a subsidiary of Aéroports de Paris. Hub One provides high speed radio networks and services to outfits like Air France and the French government.
What’s an APT?
An advanced persistent threat. The idea is that malware is inside a system or software and is able to remain undetected while it follows instructions from a bad actor.
Now back to the 2017 date.
The point is that current cyber security systems may not be able to provide the defenses which marketers tout.
We’re talking years, which strikes me as very SolarWinds-like. Then there is the persistent question: What’s up with the commercial cyber security systems?
Stephen E Arnold, February 19, 2021
Written by Stephen E. Arnold · Filed Under cybersecurity, Marketing, News | Comments Off on What Threats Does Cyber Security Software Thwart?