Smart Software and Cyber Security

December 30, 2020

Smart software appears to be the solution to escalating cyber security woes. An unusual article (actually more of a collection of dot points) provides some insight into the challenges makers of smart security software have to overcome. Navigate to “What is the Impact of Artificial Intelligence on Cyber Security?” and scroll to the section titled “Why Did Artificial Intelligence Fail?” Here are three of the 10 reasons:

  • When you’re stuck in a never-ending development loop
  • Most AI models decay over time
  • Optimizing for the wrong thing.

Before I read the article, I had been operating on a simple principle: Smart cyber security software is an oxymoron. Yikes. I did not know I was stuck in a never-ending development loop or optimizing for the wrong thing.

The article offers a number of statements which, I assume, are intended to be factoids. In reality, the collection of information is a gathering of jargon and sales babble.

The write up also explains how to get rid of smart security software failures. There are seven items on this list. Here’s one: Statistical Methodology.

Several observations:

  • Smart software works when knowns are trimmed to a manageable “space”.
  • The “space” is unfortunately dynamic, so the AI has to be able to change. It usually needs the help of humans and an often expensive retraining cycle.
  • The known space is what the best of the bad actors use in order to attack in new ways.

Net net: The SolarWinds misstep illustrates that exactly zero of the classified systems used to monitor adversaries’ cyber attacks rang the klaxon. To make matters more embarrassing, exactly zero of the commercial threat intelligence and cyber monitoring systems punched a buzzer either.

Conclusion: Lists and marketing hoo-hah are not delivering. The answer to the question “What is the impact of artificial intelligence on security?” is an opportunity to over promise and under deliver perhaps?

Stephen E Arnold, December 30, 2020

DarkCyber for December 29, 2020, Is Now Available

December 29, 2020

DarkCyber for December 29, 2020, is now available on YouTube at this link or on the Beyond Search blog at this link. This week’s program includes seven stories. These are:

A Chinese consulting firm publishes a report about the low profile companies indexing the Dark Web. The report is about 114 pages long and does not include Chinese companies engaged in this business.

A Dark Web site easily accessible with a standard Internet browser promises something that DarkCyber finds difficult to believe. The Web site contains what are called “always” links to Dark Web sites; that is, those with Dot Onion addresses.

Some pundits have criticized the FBI and Interpol for their alleged failure to take down Jokerstash. This Dark Web site sells access to “live” credit cards and other financial data. Among those suggesting that the two law enforcement organizations are falling short of the mark are four cyber security firms. DarkCyber explains one reason for this alleged failure.

NSO Group, a specialized services company, has been identified as the company providing technology to “operators” surveilling dozens of Al Jazeera journalists. DarkCyber points out that a commercial firm is not in a position to approve or disapprove the use of its technology by the countries which license the Pegasus platform.

Facebook has escalated its dispute with Apple regarding tracking. Now the social media company has alleged that contractors to the French military are using Facebook in Africa via false accounts. What’s interesting is that Russia is allegedly engaged in a disinformation campaign in Africa as well.

The drone news this week contains two DJI items. DJI is one of the world’s largest vendors of consumer and commercial drones. The US government has told DJI that it may no longer sell its drones in the US. DJI products remain available in the US. DJI drones have been equipped with flame throwers to destroy wasp nests. The flame throwing drones appear formidable.

DarkCyber is a twice a month video news program reporting on the Dark Web, lesser known Internet services, and cyber crime. The program is produced by Stephen E Arnold and does not accept advertising or sponsorships.

Kenny Toth, December 29, 2020

SolarWinds: One Interesting Message

December 28, 2020

I read “Wave of Cyberattacks Exposes the Powerlessness of IT Security Chiefs.” With all the hoo-hah about cyber superiority from government officials and commercial enterprises, one troubling fact is clear: If the advanced systems could not detect the attack, and neither could the top secret security systems monitoring possible bad actors, then the defensive and alerting methods are broken. The write up points to a widespread weak link:

Splunk, a U.S. company, publishes an annual list of “10 things that keeps CISOs up at night,” and this year’s includes the expanded “attack surface” created by the growing use of the internet of things (web-connected devices) and the growing use of cloud computing, “malicious insiders” and the “alert fatigue” resulting from so many layers of data security inside a big organization. But apart from that, Splunk notes the lack of money to ensure data security. “CISOs continue to face challenges in securing substantial budgets, largely because they have difficulty forecasting threats and achieving measurable results from security investments…
He said 66% of CISOs surveyed said they didn’t have adequate staff. Others cited increasingly onerous regulations and their lack of access to top management.

Something in the cyber security establishment enables breaches.

Stephen E Arnold, December 28, 2020

China Write Up Includes a Juicy Factoid

December 24, 2020

“Beijing Ransacked Data as US Sources Went Dark in China” is a political write up. However, the article contains one interesting factoid. Keep in mind that a “factoid” can be a chunk of the alternative reality in which some thumbtypers thrive.

Here’s the passage I noted:

“Chinese officials became much more reluctant to talk after [the WikiLeaks cables], because they didn’t believe we could keep it a secret,” recalled a current State Department official with extensive experience in China.

The “we” is US government officials.

Why would a Chinese professional perceive the US as unable to keep a secret? One possible explanation is that access to online systems was in hand. Therefore, information in a US government system would be available to other entities with a Chinese-style intelligence system.

I understand that there are only a couple of countries with Chinese style resources. But when it comes to security technology, even smaller outfits with a small number of skilled engineers and programmers can accomplish some surprising exploits.

The write up puts some color into the somewhat lifeless quote. In my opinion, the quote makes clear that at least one US government official appears to have acknowledged that “lights out” may be a persistent characteristic for some US government entities.

Stephen E Arnold, December 24, 2020

Sun Spotting in the Solar Wind

December 23, 2020

I read “Partial Lists of Organizations Infected with Sunburst Malware Released Online.” The information in the write up, which I assume is sun spot on, makes it possible to do some solar observations. For example, here are some alleged victims of the ever-so-slight sun burn from the estimable firm SolarWinds. I have created a value score to indicate how much informational goodness can be sucked from the alleged targets. Our first solar flare consists of:

  • City of Barrie (Canada)
  • Newton Public Schools (US)
  • Regina Public Schools (Canada).

Granted, these are likely to deliver a low payout for actors looking for really good stuff via the misstep. Score: 1 on a scale of 1 to 5, with 5 being an intel target of note.

How about these victims of the misstep? Let’s get rolling in data for carder sites.

  • BancCentral Financial Services Corp.
  • Stearns Bank
  • Signature Bank

Yes, better. Personally identifiable information, credit cards, debit cards, online bank account codes and passwords. Score: 3.5.

What about this group?

  • Cisco
  • Deloitte
  • Intel
  • Stratus Networks

Here I award a value score of 4.5.

But where are the other 17,991 names? Oh, probably just trivial outfits. A misstep that’s all. A misstep missed by the cyber security systems protecting most of these outfits.

And today (December 21), the share prices of most cyber security firms are rising. (We don’t do news, so the date of authorship, the date of our source, and the date of publication are likely to be different. Beyond Search is confident that spectacular metadata systems from Smartlogic and other firms can figure out mere dating conventions, right?)

Stephen E Arnold, December 23, 2020

4iQ: Smarter and Maybe Profitable with Alto Analytics?

December 23, 2020

The cyber intelligence firm 4iQ has merged with Alto Analytics. The new outfit will be called Constella Intelligence. The two companies’ technologies will allow organizations to “anticipate and defeat digital risk.” You can read about this tie up in “4iQ and Alto Analytics Merge and Rebrand as Constella Intelligence.” The new firm is in the cyber security business. According to the announcement, the company

… will empower organizations and intelligence professionals with comprehensive digital risk protection that covers brand, executive, fraud, geopolitical and identity threats.

One phrase struck me as particularly interesting; specifically:

“Through successful 4iQ Series C funding and the powerful combination of two market-leading organizations, Constella has incredible tools and resources to tackle the fast-evolving security landscape…

The “market leading” adjectival appears to position 4iQ and Alto among the luminaries of cyber intelligence. However, 4iQ’s quirky name and its similarity to other Dark Web and social media indexing tools did not capture the same market buzz as Shadowdragon, for example. Alto Analytics competes in the crowded data analytics space.

The two entities apparently will join to justify this description:

Constella Intelligence is a leading global Digital Risk Protection business that works in partnership with some of the world’s largest organizations to safeguard what matters most and defeat digital risk. Its solutions are broad, collaborative and scalable, powered by a unique combination of proprietary data, technology and human expertise—including the largest breach data collection on the planet, with over 100 billion attributes and 45 billion curated identity records spanning 125 countries and 53 languages.

The merger is almost coincident with the revelations about the failure of cyber security vendors’ products to detect the SolarWinds breach. More firms will be seeking ways to rebrand, reposition, and reinvigorate their sales of products and services. Will 1 + 1 = 3?

Sure in the marketing department. Those art history majors are optimists.

Stephen E Arnold, December 22, 2020

Microsoft Fingers NSO Group as the Prime Mover in Cyber Attacks. Er, What?

December 21, 2020

Okay, okay, I am not sure if this story is accurate, but it certainly is interesting. Navigate to “Microsoft President Blames Israeli Company for Rash of Cyberattacks, Wants Biden to Intervene.” The write up reports:

Smith [the Microsoft president] has suggested that NSO Group and similar companies are “a new generation of private companies akin to 21st-century mercenaries” who generate “cyber-attack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape.”

If accurate, Mr. Smith may want to validate that industrial strength cyber tools are also available from code dumps from other specialized software vendors, downloadable via Microsoft’s own GitHub, from penetration testing tool developers and the third parties creating add-on kits for this software, and on certain fora on either encrypted messaging platforms or the handful of remaining Dark Web sites which allow authorized users to buy or download exploits.

In the galaxy of specialized software firms, NSO Group has been illuminated due to its emergence as a PR magnet and the business set up of the company itself. However, there are other specialized software vendors and there are other sources of code, libraries, and information to guide the would be bad actor.

Microsoft itself suffered a security breach and promptly (after five or six months) took action. The company published a report. Now Microsoft is acting to focus attention on a company which may or may not have had an impact on the supply chain matter involving SolarWinds and possibly other cyber security firms.

This Microsoft assertion is almost as interesting as the death star response to the incident.

But the kicker is this report from Techradar: “Microsoft Azure Breach Left Thousands of Customer Records Exposed.” If correct, this statement seems to suggest that Microsoft is into shifting blame:

Thanks to questionable security practices by an app developer, more than half a million sensitive documents of its customers were exposed on the Internet. The documents were housed in an unprotected Microsoft Azure blob storage and could be viewed by anyone with the direct address of the files, without any kind of authentication.

Okay.

Stephen E Arnold, December 21, 2020

Does Open Source Create Open Doors?

December 21, 2020

Here’s an interesting question I asked on a phone call on Sunday, December 20, 2020: “How many cyber security firms rely on open source software?”

Give up?

As far as my research team has been able to determine, no study is available to us to answer the question. I told the team that based on comments made in presentations, at lectures, and in booth demonstrations at law enforcement and intelligence conferences, most of the firms do. Whether it is a utility function like Elasticsearch or a component (code or library) that detects malicious traffic, open source is the go-to source.

The reasons are not far to seek and include:

  • Grabbing open source code is easy
  • Open source software is usually less costly than a proprietary commercial tool
  • Licensing allows some fancy dancing
  • Using what’s readily available and maintained by a magical community of one, two or three people is quick
  • Assuming that the open source code is “safe”; that is, not malicious.

My question was prompted after I read “How US Agencies’ Trust in Untested Software Opened the Door to Hackers.” The write up states:

The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities, from managing databases to operating internal chat applications.

That write up ignores the open source components commercial cyber security firms use. The reason many of the services look and function in a similar manner is due to a reliance on open source methods as well as the nine or 10 work horse algorithms taught in university engineering programs.

What’s the result? A SolarWinds type of challenge. No one knows the scope, no one knows the optimal remediation path, and no one knows how many vulnerabilities exist and are actively being exploited.

Here’s another question, “How many of the whiz kids working in US government agencies communicate the exact process for selecting, vetting, and implementing open source components directly (via 18f type projects) or from vendors of proprietary cyber security software?”

Stephen E Arnold, December 21, 2020

A New Year Is Coming: Let Us Confront the New Reality

December 21, 2020

Nope, not Covid. Nope, not the financial crisis. Nope, not the social discontinuities. Nope, not the big technology monopoly clown show.

What then?

How about security insecurity. Do you like the phrase? I do because it communicates that users of online systems may never know if the system or systems are secure.

One can pretend, what I call security theater, of course.

The new reality is that an actor or actors has slipped in the stage door after driving a delivery van near the security theater and double parked for what may have been months. The individuals do not work according to New York City labor rules. Nope, these actors moved around, ordered takeout, and lounged on the sidewalks. People passing did not notice. You know the New York attitude: We are definitely with it. This is Broadway.

I read “A Hack Foretold.” I was not impressed. The reason is that the original Internet was technology Play-Doh. Who could imagine what the parti-colored blobs of red, blue, and yellow could become?

The write up states with the assured naiveté of a thumb typer:

The point is the authorities have known about hacking for a long time. Whole bureaucracies have been established, and presidential directives have been promulgated, to enhance cybersecurity—and some of their actions have been effective. Still, the contest between cyber offense and -defense is a never-ending race, where the offense has the advantage and, so, the defense must never let up its guard. While security is a lot better than it used to be, vast networks have been left exposed in one way or another, and dedicated hackers who very much want to get inside those networks—and who have the resources of a nation-state—figure out a way.

I want to point out that the cyber security industry has flowered into billions of dollars a year because home economics majors, working with MBAs, constructed a fantasy story about computer security.

Security insecurity is little more than another symptom of efficiency thinking. What can be done to reduce costs and maximize revenue? Oh, so some people lose their jobs in Canton, Illinois, when the John Deere factory goes away. “Tough cookies,” say the efficiency wizards.

We have created a situation in which security insecurity is going to become a digital Covid. I am delighted I am old, retired, and living in a hollow in rural Kentucky. Can you imagine the meetings, the memoranda, the reports, and the self-serving explanations of:

  • Cyber security vendors
  • Smart software which acts like an antibody to protect a system
  • Individual security experts who did the “good enough” work to spoof the clueless lawyers, accountants, bureaucrats, and MBAs who manage technology operations
  • Consultants like those who populate LinkedIn and BrightTALK with lectures about security
  • Experts who assert that monitoring the Dark Web, Facebook, and chat provide an early warning of actions to come.

I could go on and toss in security appliance vendors, university professors who convert a clever workaround into a peer reviewed paper for IEEE or ACM, and former bad actors who see the light and become trusted advisors after serving jail time.

The New Reality is that I am not sure how one goes about determining the priorities for figuring out what was compromised, determining what other vulnerabilities have been installed, and bringing up systems which do not have the charming characteristics of specialized software firms’ code that hides itself so that it can happily reinstall itself.

I spoke with a former CIA professional twice in the last 48 hours. He asked me, “What do I recommend to remediate the problem?” My answer was, “Investigate.”

The actors lounging in front of the security theater are not chatterboxes, and I have seen zero verifiable evidence that defines the timing, scope, and actions of these actors. Why guess then? Why look back and say “woulda, coulda, shoulda.” The time to embrace the New Reality is here.

The security theater has to go dark, and we need a new construct. Expensive, time consuming, and difficult for sure. Failure, however, means changes beside which those wrought by Covid are trivial. Thumb typers, are you confident your online activities are secure? In deference to the holiday season, here’s a modified carol: Deck the halls with boughs of folly, Tra la la, la la la la.

Stephen E Arnold, December 21, 2020

Zipper the SIPR: The SolarWinds Blow

December 18, 2020

I found this article interesting: “Pentagon Forces Emergency Shutdown of Computer Network Handling Classified Material.” Since I work in rural Kentucky, I have zero clue if the information in the write up is accurate; nevertheless, let me highlight one of the statements in the write up:

An emergency shutdown of a classified internal communications network was ordered at the Pentagon Tuesday. The system, called the Secret Internet Protocol Router Network, handles not only classified information but “up to the secret level”…

My hunch is that this is an “abundance of caution” move. Why caution? Why now?

Possibly the SolarWinds misstep is a reason?

At lunch today, a member of my team and I discussed the marketing of smart, 24×7 cyber security systems. Many companies are engaged in this type of activity. But how secure are such security systems? Many are more alike than different; for example:

  • Use of open source software
  • Reliance upon standard and often manipulable statistical procedures
  • Licensing tools and content from companies also in the cyber security business.

The result? Fodder for sales professionals and former art history majors now engaged in public relations, webinar production, and Madison Avenue style pitch writing.

Oh, one other result. The possible security thing at a number of US government entities, large corporations, and probably a handful of non governmental organizations.

Big deal? For some, yep, big deal. For others, what’s the hoo-hah about? Just close that deal, book the business, and collect the fees. What’s more important than cyber security? Revenue perhaps?

Stephen E Arnold, December 18, 2020
