China Write Up Includes a Juicy Factoid

December 24, 2020

“Beijing Ransacked Data as US Sources Went Dark in China” is a political write up. However, the article contains one interesting factoid. Keep in mind that a “factoid” can be a chunk of the alternative reality in which some thumbtypers thrive.

Here’s the passage I noted:

“Chinese officials became much more reluctant to talk after [the WikiLeaks cables], because they didn’t believe we could keep it a secret,” recalled a current State Department official with extensive experience in China.

The “we” is US government officials.

Why would a Chinese professional perceive the US as unable to keep a secret? One possible explanation is that access to online systems was in hand. Therefore, information in a US government system would be available to other entities with a Chinese-style intelligence system.

I understand that there are only a couple of countries with Chinese style resources. But when it comes to security technology, even smaller outfits with a small number of skilled engineers and programmers can accomplish some surprising exploits.

The write up puts some color into the somewhat lifeless quote. In my opinion, the quote makes clear that at least one US government official appears to have acknowledged that “lights out” may be a persistent characteristic for some US government entities.

Stephen E Arnold, December 24, 2020

Sun Spotting in the Solar Wind

December 23, 2020

I read “Partial Lists of Organizations Infected with Sunburst Malware Released Online.” The information in the write up, which I assume is sun spot on, makes it possible to do some solar observations. For example, here are some alleged victims of the ever-so-slight sun burn from the estimable firm SolarWinds. I have created a value score to indicate how much informational goodness can be sucked from the alleged targets. Our first solar flare consists of:

City of Barrie (Canada)

Newton Public Schools (US)

Regina Public Schools (Canada).

Granted, these are likely to deliver a low payout for actors looking for really good stuff via the misstep. Score: 1 on a scale of 1 to 5, with 5 being an intel target of note.

How about these victims of the misstep? Let’s get rolling in data for carder sites.

BancCentral Financial Services Corp.

Stearns Bank

Signature Bank

Yes, better. Personally identifiable information, credit cards, debit cards, online bank account codes and passwords. Score: 3.5

What about this group?

Cisco

Deloitte

Intel

Stratus Networks

Here I award a value score of 4.5.

But where are the other 17,991 names? Oh, probably just trivial outfits. A misstep, that’s all. A misstep missed by the cyber security systems protecting most of these outfits.

And today (December 21), the share prices of most cyber security firms are rising. (We don’t do news, so the date of authorship, the date of our source, and the date of publication are likely to be different. Beyond Search is confident that spectacular metadata systems from Smartlogic and other firms can figure out mere dating conventions, right?)

Stephen E Arnold, December 23, 2020

4iQ: Smarter and Maybe Profitable with Alto Analytics?

December 23, 2020

The cyber intelligence firm has merged with Alto Analytics. The new outfit will be called Constella Intelligence. The two companies’ technologies will allow organizations to “anticipate and defeat digital risk.” You can read about this tie up in “4iQ and Alto Analytics Merge and Rebrand as Constella Intelligence.” The new firm is in the cyber security business. According to the announcement, the company

… will empower organizations and intelligence professionals with comprehensive digital risk protection that covers brand, executive, fraud, geopolitical and identity threats.

One phrase struck me as particularly interesting; specifically:

“Through successful 4iQ Series C funding and the powerful combination of two market-leading organizations, Constella has incredible tools and resources to tackle the fast-evolving security landscape…”

The “market leading” adjectival appears to position 4iQ and Alto among the luminaries of cyber intelligence. However, 4iQ’s quirky name and its similarity to other Dark Web and social media indexing tools did not capture the same market buzz as Shadowdragon, for example. Alto Analytics competes in the crowded data analytics space.

The two entities apparently will join to justify this description:

Constella Intelligence is a leading global Digital Risk Protection business that works in partnership with some of the world’s largest organizations to safeguard what matters most and defeat digital risk. Its solutions are broad, collaborative and scalable, powered by a unique combination of proprietary data, technology and human expertise—including the largest breach data collection on the planet, with over 100 billion attributes and 45 billion curated identity records spanning 125 countries and 53 languages.

The merger is almost coincident with the revelations about the failure of cyber security vendors’ products to detect the SolarWinds breach. More firms will be seeking ways to rebrand, reposition, and reinvigorate their sales of products and services. Will 1 + 1 = 3?

Sure in the marketing department. Those art history majors are optimists.

Stephen E Arnold, December 22, 2020

Microsoft Fingers NSO Group as the Prime Mover in Cyber Attacks. Er, What?

December 21, 2020

Okay, okay, I am not sure if this story is accurate, but it certainly is interesting. Navigate to “Microsoft President Blames Israeli Company for Rash of Cyberattacks, Wants Biden to Intervene.” The write up reports:

Smith [the Microsoft president] has suggested that NSO Group and similar companies are “a new generation of private companies akin to 21st-century mercenaries” who generate “cyber-attack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape.”

If accurate, Mr. Smith may want to validate that industrial strength cyber tools are available from code dumps from other specialized software vendors, downloadable via Microsoft’s own Github, from penetration testing tool developers and the third parties creating add on kits for that software, and on certain fora on either encrypted messaging platforms or the handful of remaining Dark Web sites which allow authorized users to buy or download exploits.

In the galaxy of specialized software firms, NSO Group has been illuminated due to its emergence as a PR magnet and the business set up of the company itself. However, there are other specialized software vendors and there are other sources of code, libraries, and information to guide the would be bad actor.

Microsoft itself suffered a security breach and promptly (after five or six months) took action. The company published a report. Now Microsoft is acting to focus attention on a company which may or may not have had an impact on the supply chain matter involving SolarWinds and possibly other cyber security firms.

This Microsoft assertion is almost as interesting as the death star response to the incident.

But the kicker is this report from Techradar: “Microsoft Azure Breach Left Thousands of Customer Records Exposed.” If correct, this statement seems to suggest that Microsoft is into shifting blame:

Thanks to questionable security practices by an app developer, more than half a million sensitive documents of its customers were exposed on the Internet. The documents were housed in an unprotected Microsoft Azure blob storage and could be viewed by anyone with the direct address of the files, without any kind of authentication.

Okay.

Stephen E Arnold, December 21, 2020

Does Open Source Create Open Doors?

December 21, 2020

Here’s an interesting question I asked on a phone call on Sunday, December 20, 2020: “How many cyber security firms rely on open source software?”

Give up?

As far as my research team has been able to determine, no study is available to us to answer the question. I told the team that based on comments made in presentations, at lectures, and in booth demonstrations at law enforcement and intelligence conferences, most of the firms do. Whether it is a utility function like Elasticsearch or a component (code or library) that detects malicious traffic, open source is the go-to source.

The reasons are not far to seek and include:

  • Grabbing open source code is easy
  • Open source software is usually less costly than a proprietary commercial tool
  • Licensing allows some fancy dancing
  • Using what’s readily available and maintained by a magical community of one, two or three people is quick
  • Assuming that the open source code is “safe”; that is, not malicious.

My question was prompted after I read “How US Agencies’ Trust in Untested Software Opened the Door to Hackers.” The write up states:

The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities, from managing databases to operating internal chat applications.

That write up ignores the open source components commercial cyber security firms use. The reason many of the services look and function in a similar manner is due to a reliance on open source methods as well as the nine or 10 work horse algorithms taught in university engineering programs.

What’s the result? A SolarWinds type of challenge. No one knows the scope, no one knows the optimal remediation path, and no one knows how many vulnerabilities exist and are actively being exploited.

Here’s another question, “How many of the whiz kids working in US government agencies communicate the exact process for selecting, vetting, and implementing open source components directly (via 18f type projects) or from vendors of proprietary cyber security software?”

Stephen E Arnold, December 21, 2020

A New Year Is Coming: Let Us Confront the New Reality

December 21, 2020

Nope, not Covid. Nope, not the financial crisis. Nope, not the social discontinuities. Nope, not the big technology monopoly clown show.

What then?

How about security insecurity. Do you like the phrase? I do because it communicates that users of online systems may never know if the system or systems are secure.

One can pretend, what I call security theater, of course.

The new reality is that an actor or actors has slipped in the stage door after driving a delivery van near the security theater and double parked for what may have been months. The individuals do not work according to New York City labor rules. Nope, these actors moved around, ordered takeout, and lounged on the sidewalks. People passing did not notice. You know the New York attitude: We are definitely with it. This is Broadway.

I read “A Hack Foretold.” I was not impressed. The reason is that the original Internet was technology Play-Doh. Who could imagine the parti-colored constructs that blobs of red, blue, and yellow could become?

The write up states with the assured naiveté of a thumb typer:

The point is the authorities have known about hacking for a long time. Whole bureaucracies have been established, and presidential directives have been promulgated, to enhance cybersecurity—and some of their actions have been effective. Still, the contest between cyber offense and -defense is a never-ending race, where the offense has the advantage and, so, the defense must never let up its guard. While security is a lot better than it used to be, vast networks have been left exposed in one way or another, and dedicated hackers who very much want to get inside those networks—and who have the resources of a nation-state—figure out a way.

I want to point out that the cyber security industry has flowered into billions of dollars a year because home economics majors, working with MBAs, constructed a fantasy story about computer security.

Security insecurity is little more than another symptom of efficiency thinking. What can be done to reduce costs and maximize revenue? Oh, so some people lose their jobs in Canton, Illinois, when the John Deere factory goes away. “Tough cookies,” say the efficiency wizards.

We have created a situation in which security insecurity is going to become a digital Covid. I am delighted I am old, retired, and living in a hollow in rural Kentucky. Can you imagine the meetings, the memoranda, the reports, and the self-serving explanations of:

  • Cyber security vendors
  • Smart software which acts like an antibody to protect a system
  • Individual security experts who did the “good enough” work to spoof the clueless lawyers, accountants, bureaucrats, and MBAs who manage technology operations
  • Consultants like those who populate LinkedIn and BrightTALK with lectures about security
  • Experts who assert that monitoring the Dark Web, Facebook, and chat provide an early warning of actions to come.

I could go on and toss in security appliance vendors, university professors who convert a clever workaround into a peer reviewed paper for IEEE or ACM, and former bad actors who see the light and become trusted advisors after serving jail time.

The New Reality is that I am not sure how one goes about determining the priorities for figuring out what was compromised, determining what other vulnerabilities have been installed, and bringing up systems which do not have the charming characteristics of specialized software firms’ code that hides itself so that it can happily reinstall itself.

I spoke with a former CIA professional twice in the last 48 hours. He asked me, “What do I recommend to remediate the problem?” My answer was, “Investigate.”

The actors lounging in front of the security theater are not chatterboxes, and I have seen zero verifiable evidence that defines the timing, scope, and actions of these actors. Why guess then? Why look back and say “woulda, coulda, shoulda.” The time to embrace the New Reality is here.

The security theater has to go dark, and we need a new construct. Expensive, time consuming, and difficult for sure. Failure, however, means changes beside which those wrought by Covid are trivial. Thumb typers, are you confident your online activities are secure? In deference to the holiday season, here’s a modified carol: Deck the halls with boughs of folly, Tra la la, la la la la.

Stephen E Arnold, December 21, 2020

Zipper the SIPR: The SolarWinds Blow

December 18, 2020

I found this article interesting: “Pentagon Forces Emergency Shutdown of Computer Network Handling Classified Material.” Since I work in rural Kentucky, I have zero clue if the information in the write up is accurate; nevertheless, let me highlight one of the statements in the write up:

An emergency shutdown of a classified internal communications network was ordered at the Pentagon Tuesday. The system, called the Secret Internet Protocol Router Network, handles not only classified information but “up to the secret level”…

My hunch is that this is an “abundance of caution” move. Why caution? Why now?

Possibly the SolarWinds misstep is a reason?

At lunch today, a member of my team and I discussed the marketing of smart, 24×7 cyber security systems. Many companies are engaged in this type of activity. But how secure are such security systems? Many are more alike than different; for example:

  • Use of open source software
  • Reliance upon standard and often manipulable statistical procedures
  • Licensing tools and content from companies also in the cyber security business.

The result? Fodder for sales professionals and former art history majors now engaged in public relations, webinar production, and Madison Avenue style pitch writing.

Oh, one other result. The possible security thing at a number of US government entities, large corporations, and probably a handful of non governmental organizations.

Big deal? For some, yep, big deal. For others, what’s the hoo-hah about? Just close that deal, book the business, and collect the fees. What’s more important than cyber security? Revenue perhaps?

Stephen E Arnold, December 18, 2020

Explaining the 2020 End of Year Cyber Hack of Big, Fat Targets of Opportunity

December 18, 2020

I know you have heard about the end of year cyber attack. The end of 2020 is a zinger. But what caused the problem? Who is responsible? Which cyber security expert is the one to believe? Beyond Search has located an explanation, courtesy of Lorem Ipsum Anything. We posed these questions to the smart software at this next generation thumb typing site and learned:

Security harm resilience change others Beneficiaries food security persons groups objects. Institutions ecosystems entity referent security freedom change forces resilience example. Absence good want presence phenomenon range protection senses foundations secrecy. damage term purpose systems acts guarding security systems security guard security forces security companies. Security cameras e.g. state of mind telephone line containment room cell.

Makes the uptown explanations from assorted experts wishing they could have explained the cyber kick in the ribs as well. Yep, 2020 is year to remember. “Absence good want presence.”

Well said.

Stephen E Arnold, December 18, 2020

FireEye Breach a Major Concern

December 17, 2020

The cybersecurity firm responsible for safeguarding data at government organizations (including several US federal agencies) and Fortune 500 companies around the world recently announced it suffered a breach. CEO Kevin Mandia tried to downplay the implications and persuade us his company has everything under control, but Tech Central explains “Why Everyone Should Be Worried by the FireEye Hack.” FireEye revealed the attacker was probably a “sophisticated state-sponsored actor,” but Tech Central informs us:

“Reporters with the Washington Post were more specific: It was Russia. And not just any Russians, but a group known as ‘APT29’ or ‘Cozy Bear,’ hackers affiliated with the Kremlin’s intelligence services. Cozy Bear’s pedigree includes past hacks of the US state department and White House during the Obama administration and, perhaps most famously, of the Democratic National Committee’s servers during the 2016 presidential campaign. (Who did the state department and the White House recruit to clean up the earlier breaches? FireEye.) FireEye said the hackers pilfered its so-called ‘Red Team’ tools. That’s the stuff companies like FireEye use to test vulnerabilities of computer networks to make them more resilient. The tools are meant to mimic a complex assault, and now they’re in the hands of a hostile player. FireEye said the hackers focused primarily on information from its government clients, and it released 300 countermeasures for its customers and the public to use against hacks enabled by the stolen tools. The company also said it hadn’t seen any of its tools used yet for break-ins, and none involved ‘zero-day’ exploits. … ‘We do not believe that this theft will greatly advance the attacker’s overall capabilities,’ FireEye noted.”

Readers should take that assertion with a grain of salt; we are told the federal Cybersecurity & Infrastructure Security Agency is not so confident. Cybersecurity vendors seem to be better at marketing than protecting themselves and, by extension, their clients. This PR challenge is high, though, as the company’s stock market dive reveals. We’re reminded FireEye is not the first cybersecurity firm to be hacked. If the guardians themselves are not secure, is anyone?

Cynthia Murrell, December 17, 2020

Security Vendors: Despite Marketing Claims for Smart Software Knee Jerk Response Is the Name of the Game

December 16, 2020

Update 3, December 16, 2020 at 1005 am US Eastern: the White House has activated its cyber emergency response protocol. Source: “White House Quietly Activates Cyber Emergency Response” at Cyberscoop.com. The directive is located at this link and verified at 1009 am US Eastern as online.

Update 2, December 16, 2020 at 1002 am US Eastern: the Department of Treasury has been identified as an entity compromised by the SolarWinds’ misstep. Source: “US Treasury, Commerce Depts. Hacked through SolarWinds Compromise” at KrebsonSecurity.com

Update 1, December 16, 2020, at 950 am US Eastern: the SolarWinds’ security misstep may have taken place in 2018. Source: “SolarWinds Leaked FTP Credentials through a Public GitHub Repo ‘mib-importer’ Since 2018” at SaveBreach.com

I talked about security theater in a short interview/conversation with a former CIA professional. The original video of that conversation is here. My use of the term security theater is intended to convey the showmanship that vendors of cyber security software have embraced for the last five years, maybe more. The claims of Dark Web threat intelligence, the efficacy of investigative software with automated data feeds, and Bayesian methods which inoculate a client against bad actors—maybe this is just Madison Avenue gone mad. On the other hand, maybe these products and services don’t work particularly well. Maybe these products and services are anchored in what bad actors did yesterday and are blind to the here and now of dudes and dudettes with clever names?

Evidence of this approach to a spectacular security failure is documented in the estimable Wall Street Journal (hello, Mr. Murdoch) and the former Ziff entity ZDNet. Numerous online publications have reported, commented, and opined about the issue. One outfit with a bit of first hand experience with security challenges (yes, I am thinking about Microsoft) reported “SolarWinds Says Hack Affected 18,000 Customers, Including Two Major Government Agencies.”

One point seems to be sidestepped in the coverage of this “concern.” The corrective measures kicked in after the bad actors had compromised and accessed what may be sensitive data. Just a mere 18,000 customers were affected. Who were these “customers”? The list seems to have been disappeared from the SolarWinds’ Web site and from the Google cache. But Newsweek, an online information service, posted this, which may, of course, be horse feathers (sort of like security vendors’ security systems?):
