Microsoft Fingers NSO Group as the Prime Mover in Cyber Attacks. Er, What?

December 21, 2020

Okay, okay, I am not sure if this story is accurate, but it certainly is interesting. Navigate to “Microsoft President Blames Israeli Company for Rash of Cyberattacks, Wants Biden to Intervene.” The write up reports:

Smith [the Microsoft president] has suggested that NSO Group and similar companies are “a new generation of private companies akin to 21st-century mercenaries” who generate “cyber-attack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape.”

If accurate, Mr. Smith may want to validate that industrial strength cyber tools are available from code dumps from other specialized software vendors, downloadable via Microsoft’s own GitHub, from penetration testing tool developers and the third parties creating add-on kits for that software, and on certain fora on either encrypted messaging platforms or the handful of remaining Dark Web sites which allow authorized users to buy or download exploits.

In the galaxy of specialized software firms, NSO Group has been illuminated due to its emergence as a PR magnet and the business set up of the company itself. However, there are other specialized software vendors and there are other sources of code, libraries, and information to guide the would-be bad actor.

Microsoft itself suffered a security breach and promptly (after five or six months) took action. The company published a report. Now Microsoft is acting to focus attention on a company which may or may not have had an impact on the supply chain matter involving SolarWinds and possibly other cyber security firms.

This Microsoft assertion is almost as interesting as the death star response to the incident.

But the kicker is this report from Techradar: “Microsoft Azure Breach Left Thousands of Customer Records Exposed.” If correct, this statement seems to suggest that Microsoft is into shifting blame:

Thanks to questionable security practices by an app developer, more than half a million sensitive documents of its customers were exposed on the Internet. The documents were housed in an unprotected Microsoft Azure blob storage and could be viewed by anyone with the direct address of the files, without any kind of authentication.
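The Techradar passage describes the classic Azure blob exposure: the container refuses an anonymous listing, yet any blob is readable by whoever holds its direct URL. The script below is an added example, not code from the original post or from Techradar; the storage account, container, blob names and the XML listing are constructed. It distinguishes the three outcomes an unauthenticated probe can produce and parses a listing response to show exactly what an anonymous party could enumerate.

```python
"""Probe an Azure Blob Storage container for anonymous (no credentials) read
access. Added example, not code from the original post or from Techradar;
the storage account, container, blob and XML listing below are constructed."""
from __future__ import annotations
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def container_list_url(account: str, container: str) -> str:
    """Anonymous listing endpoint: succeeds only when the container's public
    access level is 'container' (anyone can enumerate every blob)."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def blob_url(account: str, container: str, blob: str) -> str:
    return f"https://{account}.blob.core.windows.net/{container}/{blob}"


def probe(url: str) -> tuple[int, str]:
    """One unauthenticated GET (network call; the offline demo never runs it)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(list_status: int, list_body: str, blob_status: int) -> str:
    """Map the two anonymous probes (container listing, one direct blob URL)
    onto the public-access level an attacker effectively has:
      'container' - listing works: anyone can enumerate and download everything
      'blob'      - listing refused, but a direct URL is readable without auth
                    (the situation Techradar describes)
      'private'   - both refused; data is reachable only with credentials or a SAS
    """
    if list_status == 200 and "<EnumerationResults" in list_body:
        return "container"
    if blob_status == 200:
        return "blob"
    return "private"


def blobs_from_listing(body: str) -> list[str]:
    """Names from a successful listing, i.e. what an anonymous party could download."""
    return [name.text or "" for name in ET.fromstring(body).iter("Name")]


# Constructed listing response in the shape of Azure's EnumerationResults XML.
SAMPLE_LISTING = """<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="docs">
  <Blobs>
    <Blob><Name>customers/kyc-passport-0001.pdf</Name></Blob>
    <Blob><Name>customers/kyc-passport-0002.pdf</Name></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

# Constructed error body; the exact error code Azure returns is not relied on.
SAMPLE_DENIED = "<Error><Code>ResourceNotFound</Code></Error>"


def demo() -> dict[str, object]:
    """Offline walk-through of the three outcomes using constructed responses."""
    return {
        "wide_open": classify(200, SAMPLE_LISTING, 200),
        "direct_url_only": classify(404, SAMPLE_DENIED, 200),
        "locked_down": classify(404, SAMPLE_DENIED, 404),
        "exposed_names": blobs_from_listing(SAMPLE_LISTING),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
    # Live use (not run here): classify(*probe(container_list_url("acct", "docs")),
    #                                    probe(blob_url("acct", "docs", "file.pdf"))[0])
```

The fix for the "blob" outcome is on the owner's side, not the client's: set the container's public access level to private and, assuming the az CLI, confirm with `az storage container show --account-name <acct> --name <container> --query properties.publicAccess` returning null; disabling public access at the account level (`az storage account update --allow-blob-public-access false`) prevents a later container from reopening the door.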

Okay.

Stephen E Arnold, December 21, 2020

Does Open Source Create Open Doors?

December 21, 2020

Here’s an interesting question I asked on a phone call on Sunday, December 20, 2020: “How many cyber security firms rely on open source software?”

Give up?

As far as my research team has been able to determine, no study is available to us to answer the question. I told the team that based on comments made in presentations, at lectures, and in booth demonstrations at law enforcement and intelligence conferences, most of the firms do. Whether it is a utility function like Elasticsearch or a component (code or library) that detects malicious traffic, open source is the go-to source.

The reasons are not far to seek and include:

  • Grabbing open source code is easy
  • Open source software is usually less costly than a proprietary commercial tool
  • Licensing allows some fancy dancing
  • Using what’s readily available and maintained by a magical community of one, two or three people is quick
  • Assuming that the open source code is “safe”; that is, not malicious.

My question was prompted after I read “How US Agencies’ Trust in Untested Software Opened the Door to Hackers.” The write up states:

The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities, from managing databases to operating internal chat applications.

That write up ignores the open source components commercial cyber security firms use. The reason many of the services look and function in a similar manner is a reliance on open source methods as well as the nine or 10 work horse algorithms taught in university engineering programs.

What’s the result? A SolarWinds type of challenge. No one knows the scope, no one knows the optimal remediation path, and no one knows how many vulnerabilities exist and are actively being exploited.

Here’s another question, “How many of the whiz kids working in US government agencies communicate the exact process for selecting, vetting, and implementing open source components directly (via 18f type projects) or from vendors of proprietary cyber security software?”
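A process for selecting and vetting open source components starts with something mechanical: is every dependency pinned to an exact, reviewed version with an artifact hash, and does anything float off a branch? The audit below is an added example, not from the original post; it works on a pip requirements file, the text of which is constructed and whose sha256 values are placeholders rather than real digests.

```python
"""Audit a pip requirements file for the minimum supply-chain hygiene a reviewer
would expect before an open source component goes into a security product:
exact version pins, artifact hashes, no floating VCS or URL sources. Added
example, not from the original post; the requirements text is constructed and
its sha256 values are placeholders, not real digests."""
from __future__ import annotations
import re

SPEC = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<op>===?|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s;]+)?"
)
FLOATING_SOURCES = ("git+", "hg+", "svn+", "bzr+", "http://", "https://", "-e")


def parse_requirements(text: str) -> list[str]:
    """Return one logical line per requirement: comments dropped (a '#' only
    counts as a comment at line start or after whitespace, so URL fragments
    survive), backslash continuations joined, whitespace normalised."""
    logical, out = "", []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip():
            out.append(" ".join(logical.split()))
        logical = ""
    return out


def audit_requirements(text: str) -> dict[str, list[str]]:
    """Map each requirement to its problems; an empty list means it passes."""
    report: dict[str, list[str]] = {}
    for req in parse_requirements(text):
        spec, *opts = req.split()
        if spec.startswith(FLOATING_SOURCES):
            report[spec] = ["VCS/URL source: whatever the branch points at today, not a reviewed release"]
            continue
        m = SPEC.match(spec)
        if not m:
            report[spec] = ["unparseable requirement"]
            continue
        problems = []
        if m["op"] not in ("==", "==="):
            problems.append(f"not pinned to an exact version ({spec})")
        if not any(o.startswith("--hash=sha256:") for o in opts):
            problems.append("no --hash: pip cannot verify the downloaded artifact")
        report[m["name"].lower()] = problems
    return report


# Constructed sample; the hash is a placeholder, not the real digest of any release.
SAMPLE_REQUIREMENTS = """\
# constructed sample; hashes are placeholders
requests==2.31.0 \\
    --hash=sha256:%s
elasticsearch>=7    # floating range: tomorrow's release is not what was reviewed
pyyaml
git+https://github.com/example/lib.git@main#egg=lib
""" % ("ab" * 32)

if __name__ == "__main__":
    for name, problems in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run with `pip install --require-hashes -r requirements.txt`, a pinned-and-hashed file makes pip refuse any artifact whose digest differs from what was reviewed; the audit catches the entries that would make that flag fail, or that quietly pull whatever a branch points at today.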

Stephen E Arnold, December 21, 2020

A New Year Is Coming: Let Us Confront the New Reality

December 21, 2020

Nope, not Covid. Nope, not the financial crisis. Nope, not the social discontinuities. Nope, not the big technology monopoly clown show.

What then?

How about security insecurity. Do you like the phrase? I do because it communicates that users of online systems may never know if the system or systems are secure.

One can pretend, what I call security theater, of course.

The new reality is that an actor or actors has slipped in the stage door after driving a delivery van near the security theater and double parked for what may have been months. The individuals do not work according to New York City labor rules. Nope, these actors moved around, ordered takeout, and lounged on the sidewalks. People passing did not notice. You know the New York attitude: We are definitely with it. This is Broadway.

I read “A Hack Foretold.” I was not impressed. The reason is that the original Internet was technology Play-Doh. Who could have imagined what the parti-colored blobs of red, blue, and yellow would become?

The write up states with the assured naiveté of a thumb typer:

The point is the authorities have known about hacking for a long time. Whole bureaucracies have been established, and presidential directives have been promulgated, to enhance cybersecurity—and some of their actions have been effective. Still, the contest between cyber offense and -defense is a never-ending race, where the offense has the advantage and, so, the defense must never let up its guard. While security is a lot better than it used to be, vast networks have been left exposed in one way or another, and dedicated hackers who very much want to get inside those networks—and who have the resources of a nation-state—figure out a way.

I want to point out that the cyber security industry has flowered into billions of dollars a year because home economics majors, working with MBAs, constructed a fantasy story about computer security.

Security insecurity is little more than another symptom of efficiency thinking. What can be done to reduce costs and maximize revenue? Oh, so some people lose their jobs in Canton, Illinois, when the John Deere factory goes away. “Tough cookies,” say the efficiency wizards.

We have created a situation in which security insecurity is going to become a digital Covid. I am delighted I am old, retired, and living in a hollow in rural Kentucky. Can you imagine the meetings, the memoranda, the reports, and the self-serving explanations of:

  • Cyber security vendors
  • Smart software which acts like an antibody to protect a system
  • Individual security experts who did the “good enough” work to spoof the clueless lawyers, accountants, bureaucrats, and MBAs who manage technology operations
  • Consultants like those who populate LinkedIn and BrightTALK with lectures about security
  • Experts who assert that monitoring the Dark Web, Facebook, and chat provide an early warning of actions to come.

I could go on and toss in security appliance vendors, university professors who convert a clever workaround into a peer reviewed paper for IEEE or ACM, and former bad actors who see the light and become trusted advisors after serving jail time.

The New Reality is that I am not sure how one goes about determining the priorities for figuring out what was compromised, determining what other vulnerabilities have been installed, and bringing up systems which do not have the charming characteristics of specialized software firms’ code that hides itself so that it can happily reinstall itself.

I spoke with a former CIA professional twice in the last 48 hours. He asked me, “What do I recommend to remediate the problem?” My answer was, “Investigate.”

The actors lounging in front of the security theater are not chatterboxes, and I have seen zero verifiable evidence that defines the timing, scope, and actions of these actors. Why guess then? Why look back and say “woulda, coulda, shoulda.” The time to embrace the New Reality is here.

The security theater has to go dark, and we need a new construct. Expensive, time consuming, and difficult for sure. Failure, however, means changes beside which those wrought by Covid are trivial. Thumb typers, are you confident your online activities are secure? In deference to the holiday season, here’s a modified carol: Deck the halls with boughs of folly, Tra la la, la la la la.

Stephen E Arnold, December 21, 2020

Zipper the SIPR: The SolarWinds Blow

December 18, 2020

I found this article interesting: “Pentagon Forces Emergency Shutdown of Computer Network Handling Classified Material.” Since I work in rural Kentucky, I have zero clue if the information in the write up is accurate; nevertheless, let me highlight one of the statements in the write up:

An emergency shutdown of a classified internal communications network was ordered at the Pentagon Tuesday. The system, called the Secret Internet Protocol Router Network, handles not only classified information but “up to the secret level”…

My hunch is that this is an “abundance of caution” move. Why caution? Why now?

Possibly the SolarWinds misstep is a reason?

At lunch today, a member of my team and I discussed the marketing of smart, 24×7 cyber security systems. Many companies are engaged in this type of activity. But how secure are such security systems? Many are more alike than different; for example:

  • Use of open source software
  • Reliance upon standard and often manipulable statistical procedures
  • Licensing tools and content from companies also in the cyber security business.

The result? Fodder for sales professionals and former art history majors now engaged in public relations, webinar production, and Madison Avenue style pitch writing.

Oh, one other result. The possible security thing at a number of US government entities, large corporations, and probably a handful of non governmental organizations.

Big deal? For some, yep, big deal. For others, what’s the hoo-hah about? Just close that deal, book the business, and collect the fees. What’s more important than cyber security? Revenue perhaps?

Stephen E Arnold, December 18, 2020

Explaining the 2020 End of Year Cyber Hack of Big, Fat Targets of Opportunity

December 18, 2020

I know you have heard about the end of year cyber attack. The end of 2020 is a zinger. But what caused the problem? Who is responsible? Which cyber security expert is the one to believe? Beyond Search has located an explanation, courtesy of Lorem Ipsum Anything. We posed these questions to the smart software at this next generation thumb typing site and learned:

Security harm resilience change others Beneficiaries food security persons groups objects. Institutions ecosystems entity referent security freedom change forces resilience example. Absence good want presence phenomenon range protection senses foundations secrecy. damage term purpose systems acts guarding security systems security guard security forces security companies. Security cameras e.g. state of mind telephone line containment room cell.

It makes the uptown explanations from assorted experts look wan; they must wish they could have explained the cyber kick in the ribs as well. Yep, 2020 is a year to remember. “Absence good want presence.”

Well said.

Stephen E Arnold, December 18, 2020

FireEye Breach a Major Concern

December 17, 2020

The cybersecurity firm responsible for safeguarding data at government organizations (including several US federal agencies) and Fortune 500 companies around the world recently announced it suffered a breach. CEO Kevin Mandia tried to downplay the implications and persuade us his company has everything under control, but Tech Central explains “Why Everyone Should Be Worried by the FireEye Hack.” FireEye revealed the attacker was probably a “sophisticated state-sponsored actor,” but Tech Central informs us:

“Reporters with the Washington Post were more specific: It was Russia. And not just any Russians, but a group known as ‘APT29’ or ‘Cozy Bear,’ hackers affiliated with the Kremlin’s intelligence services. Cozy Bear’s pedigree includes past hacks of the US state department and White House during the Obama administration and, perhaps most famously, of the Democratic National Committee’s servers during the 2016 presidential campaign. (Who did the state department and the White House recruit to clean up the earlier breaches? FireEye.) FireEye said the hackers pilfered its so-called ‘Red Team’ tools. That’s the stuff companies like FireEye use to test vulnerabilities of computer networks to make them more resilient. The tools are meant to mimic a complex assault, and now they’re in the hands of a hostile player. FireEye said the hackers focused primarily on information from its government clients, and it released 300 countermeasures for its customers and the public to use against hacks enabled by the stolen tools. The company also said it hadn’t seen any of its tools used yet for break-ins, and none involved ‘zero-day’ exploits. … ‘We do not believe that this theft will greatly advance the attacker’s overall capabilities,’ FireEye noted.”

Readers should take that assertion with a grain of salt; we are told the federal Cybersecurity & Infrastructure Security Agency is not so confident. Cybersecurity vendors seem to be better at marketing than protecting themselves and, by extension, their clients. The PR challenge is a tall one, though, as the company’s stock market dive reveals. We’re reminded FireEye is not the first cybersecurity firm to be hacked. If the guardians themselves are not secure, is anyone?

Cynthia Murrell, December 17, 2020

Security Vendors: Despite Marketing Claims for Smart Software Knee Jerk Response Is the Name of the Game

December 16, 2020

Update 3, December 16, 2020 at 1005 am US Eastern: the White House has activated its cyber emergency response protocol. Source: “White House Quietly Activates Cyber Emergency Response” at Cyberscoop.com. The directive is located at this link and was verified as online at 1009 am US Eastern.

Update 2, December 16, 2020 at 1002 am US Eastern: the Department of Treasury has been identified as an entity compromised by the SolarWinds’ misstep. Source: “US Treasury, Commerce Depts. Hacked through SolarWinds Compromise” at KrebsonSecurity.com

Update 1, December 16, 2020, at 950 am US Eastern: the SolarWinds’ security misstep may have taken place in 2018. Source: “SolarWinds Leaked FTP Credentials through a Public GitHub Repo “mib-importer” Since 2018” at SaveBreach.com
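The SaveBreach item concerns credentials sitting in a public repository, and the part teams get wrong is that deleting the secret in a later commit leaves it in history for anyone who clones. The scanner below is an added example, not code from the original post or from SaveBreach: it flags user:password@host URLs and password-style assignments in file contents, and walks `git log -p` output so that a credential added in an old commit is reported even when HEAD is clean. The config file, patch, hosts and commit hashes are constructed.

```python
"""Scan source text and `git log -p` output for credentials that should never
have been committed. Added example (not from the original post or SaveBreach);
the sample file and patch below are constructed, with example.com hosts."""
from __future__ import annotations
import re
from dataclasses import dataclass

# user:password@host inside a URL, e.g. ftp://deploy:hunter2@ftp.example.com
URL_CRED = re.compile(
    r"\b(?P<scheme>ftps?|sftp|https?)://(?P<user>[^\s:@/]+):(?P<pw>[^\s@/]+)@(?P<host>[^\s/:]+)"
)
# password = "..." style assignments in config or code (6+ chars skips placeholders)
ASSIGN_CRED = re.compile(
    r"(?i)(?P<key>[A-Za-z_]*(?:pass(?:word)?|pwd|secret|token))\s*[:=]\s*['\"](?P<val>[^'\"]{6,})['\"]"
)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(?P<start>\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    where: str      # "path" or "commit:path"
    line: int
    kind: str
    redacted: str   # enough to recognise the secret, never the secret itself


def redact(secret: str) -> str:
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_text(where: str, text: str, first_line: int = 1) -> list[Finding]:
    """Check every line of a file (or of a single added diff line)."""
    out: list[Finding] = []
    for offset, line in enumerate(text.splitlines()):
        n = first_line + offset
        for m in URL_CRED.finditer(line):
            out.append(Finding(where, n, "url-embedded credential",
                               f"{m['scheme']}://{m['user']}:{redact(m['pw'])}@{m['host']}"))
        for m in ASSIGN_CRED.finditer(line):
            out.append(Finding(where, n, f"{m['key'].lower()} assignment", redact(m['val'])))
    return out


def scan_git_log(patch: str) -> list[Finding]:
    """Walk `git log -p` output and check every ADDED line. A secret deleted in a
    later commit is still in history, so this catches what scanning HEAD misses."""
    out: list[Finding] = []
    commit, path, new_line = "?", "?", 0
    for line in patch.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif (m := HUNK.match(line)):
            new_line = int(m["start"])          # first line number of the new side
        elif line.startswith("+") and not line.startswith("+++"):
            out.extend(scan_text(f"{commit}:{path}", line[1:], new_line))
            new_line += 1
        elif line.startswith(" "):
            new_line += 1                       # unchanged context line
    return out


# Constructed sample file: one credential in a URL, one in an assignment.
SAMPLE_CONFIG = """# deploy settings (constructed sample)
upload_url = "ftp://deploy:hunter2@ftp.example.com/pub"
db_password = "s3cretPassw0rd"
api_base = "https://api.example.com/v1"
"""

# Constructed `git log -p` output: the newest commit removed the credential,
# but the older commit that introduced it is still there for anyone who clones.
SAMPLE_GIT_LOG = """commit 1a2b3c4d5e6f7890
Author: dev <dev@example.com>

    remove creds from script

diff --git a/publish.sh b/publish.sh
--- a/publish.sh
+++ b/publish.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
-curl -T build.zip ftp://deploy:hunter2@ftp.example.com/pub/
+curl -T build.zip "$UPLOAD_URL"
 echo done
commit 0f0e0d0c0b0a9988
Author: dev <dev@example.com>

    add publish script

diff --git a/publish.sh b/publish.sh
--- /dev/null
+++ b/publish.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+curl -T build.zip ftp://deploy:hunter2@ftp.example.com/pub/
+echo done
"""

if __name__ == "__main__":
    for f in scan_text("deploy.cfg", SAMPLE_CONFIG) + scan_git_log(SAMPLE_GIT_LOG):
        print(f"{f.where}:{f.line}: {f.kind}: {f.redacted}")
```

Against a real repository, feed it `git log -p --all` rather than the working tree; a finding in an old commit means the credential must be rotated, since rewriting history does nothing for the clones and forks that already exist.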

I talked about security theater in a short interview/conversation with a former CIA professional. The original video of that conversation is here. My use of the term security theater is intended to convey the showmanship that vendors of cyber security software have embraced for the last five years, maybe more. The claims of Dark Web threat intelligence, the efficacy of investigative software with automated data feeds, and Bayesian methods which inoculate a client from bad actors— maybe this is just Madison Avenue gone mad. On the other hand, maybe these products and services don’t work particularly well. Maybe these products and services are anchored in what bad actors did yesterday and are blind to the here and now of dudes and dudettes with clever names?

Evidence of this approach to a spectacular security failure is documented in the estimable Wall Street Journal (hello, Mr. Murdoch) and the former Ziff entity ZDNet. Numerous online publications have reported, commented, and opined about the issue. One outfit with a bit of first hand experience with security challenges (yes, I am thinking about Microsoft) reported “SolarWinds Says Hack Affected 18,000 Customers, Including Two Major Government Agencies.”

One point seems to be sidestepped in the coverage of this “concern.” The corrective measures kicked in after the bad actors had compromised and accessed what may be sensitive data. Just a mere 18,000 customers were affected. Who were these “customers”? The list seems to have been disappeared from the SolarWinds’ Web site and from the Google cache. But Newsweek, an online information service, posted this which may, of course, be horse feathers (sort of like security vendors’ security systems?):


Security Theatre: Act II of Flimsies or the Security Shibboleth Myth

December 16, 2020

The election is over. The activities in 2015 and 2016 were Act I. I think we are now in Act II of “Flimsies or the Security Shibboleth Myth.” I am perched happily on a small hill in rural Kentucky. I know zero about the machinations of the giant security outfits and the throbbing US government agencies. I do, however, read some news once in a while; for example, “SolarWinds Orion: More US Government Agencies Hacked.” The main idea is that the cyber breach and theft of pentest tools from FireEye, a prestigious cyber security firm, is very much in the news. The BBC story points out that a number of US government agencies were allegedly breached:

  • US Department of Defense (does that include the Defense Intelligence Agency?)
  • US Department of State (does anyone work there any more?)
  • US Department of Homeland Security
  • US Department of Treasury (the FinCen folks perhaps?)

A contact told me that the estimable US Department of Commerce was a victim as well.

The main question for me is,

Do these Fancy Dan, often six figure or more cyber security systems work?

Another question:

Are the technologies ranging from Dark Web threat reports to smart software that works like a human immune system real or marketing fluff?

I don’t know the answer to these questions, but I am wondering what Act III will present.

Stephen E Arnold, December 16, 2020

Steele and Arnold: Cyber Security Hand Waving

December 15, 2020

On December 14, 2020, Robert David Steele, a former CIA professional, and I discussed security hand waving. You can view the short video at this link. My principal contribution was the identification of three types of organizations which have institutionalized security vulnerabilities. These are:

  • Colleges and universities hiring instructors and other faculty without probing their backgrounds. No peer reviewed papers and a recommendation from a friend are not enough.
  • University exchange programs in which students participate in multi-national research activities. Many of these programs include on campus visits, international travel, and significant information access. No significant vetting of these participants is conducted. These programs flourish near some interesting US government facilities; for example, Oak Ridge National Laboratory in Tennessee.
  • Intern programs in the US government, although some state governments have similar set ups. These interns are pressed into duty for Web page maintenance, programming, and fixing broken software. Security checks do take place, but are these sufficiently rigorous when an intern is allegedly updating a Web page at the Railway Retirement Board or similar entity?

Bad actors can easily gain access to useful information. There’s more in the video. I do mention FireEye’s recent security issue, but my interpretation is quite different from the marketing and legal rah rah about the tiny little glitch. Take a peek because I continue to question the efficacy of the in-place security in many organizations. How easy is it to penetrate an organization? I provide three examples of methods which are popular despite the sharp increase in companies selling solutions to lock down unauthorized access.

Stephen E Arnold, December 15, 2020

Alleged CCP Database: 1.9 Million Entries

December 14, 2020

DarkCyber noted the availability of a file listing 1.9 million members of the Chinese Communist Party as of 2016. We think we can hear the “The data are old,” “The data are a scam,” and “That was then, this is now” statements from those listed in the file. The information, which you will have to evaluate for yourself, may be on the money or a bit of a spoof. Elaborate spoof, yes. It will help if you can read Chinese or have access to a system which can translate the ideographs into ASCII characters and normalize them. Spellings can be variable depending on the translator or the machine translation system one uses. For now, the file is available on Go File at this link.

Here’s a tiny snippet:

[Image: snippet of the database file]

Are there uses of the data? Sure, how about:

  • Filtering the list for those individuals in Canada, the UK, and the US and mapping the names against university faculty
  • Filtering the list for graduate students in such countries as Australia, Canada, and France. While you are at it, why not do the same for graduate students in the US
  • Filtering the list for individuals who are or have been part of a cultural or scientific exchange, particularly within driving or drone distance of a US national research laboratory; e.g., University of New Mexico or the University of Tennessee?

The data appear to be at least four years old and may turn out to be little more than a listing of individuals who purchased a SIM from a Chinese vendor in the last 48 months. On the other hand, some of the information may be a cyber confection. DarkCyber finds the circumstances of the data’s “availability,” its possible accuracy, and its availability as open source information interesting.

Stephen E Arnold, December 14, 2020
