Security Theatre: Act II of Flimsies or the Security Shibboleth Myth
December 16, 2020
The election is over. The activities in 2015 and 2016 were Act I. I think we are now in Act II of “Flimsies or the Security Shibboleth Myth.” I am perched happily on a small hill in rural Kentucky. I know zero about the machinations of the giant security outfits and the throbbing US government agencies. I do, however, read some news once in a while; for example, “SolarWinds Orion: More US Government Agencies Hacked.” The main idea is that the SolarWinds Orion compromise and the related breach of FireEye, a prestigious cyber security firm whose red team tools were stolen, are very much in the news. The BBC story points out that a number of US government agencies were allegedly breached:
- US Department of Defense (does that include the Defense Intelligence Agency?)
- US Department of State (does anyone work there any more?)
- US Department of Homeland Security
- US Department of Treasury (the FinCEN folks perhaps?)
A contact told me that the estimable US Department of Commerce was a victim as well.
The main question for me is,
Do these Fancy Dan, often six figure or more cyber security systems work?
Another question:
Are the technologies ranging from Dark Web threat reports to smart software that works like a human immune system real or marketing fluff?
I don’t know the answer to these questions, but I am wondering what Act III will present.
Stephen E Arnold, December 16, 2020
Steele and Arnold: Cyber Security Hand Waving
December 15, 2020
On December 14, 2020, Robert David Steele, a former CIA professional, and I discussed security hand waving. You can view the short video at this link. My principal contribution was the identification of three types of organizations which have institutionalized security vulnerabilities. These are:
- Colleges and universities hiring instructors and other faculty without probing their backgrounds. Peer reviewed papers and a recommendation from a friend are not enough.
- University exchange programs in which students participate in multi-national research activities. Many of these programs include on campus visits, international travel, and significant information access. No significant vetting of these participants is conducted. These programs flourish near some interesting US government facilities; for example, Oak Ridge National Laboratory in Tennessee.
- Intern programs in the US government, although some state governments have similar set ups. These interns are pressed into duty for Web page maintenance, programming, and fixing broken software. Security checks do take place, but are these sufficiently rigorous when an intern is allegedly updating a Web page at the Railroad Retirement Board or a similar entity?
Bad actors can easily gain access to useful information. There’s more in the video. I do mention FireEye’s recent security issue, but my interpretation is quite different from the marketing and legal rah rah about the tiny little glitch. Take a peek because I continue to question the efficacy of the in-place security in many organizations. How easy is it to penetrate an organization? I provide three examples of methods which are popular despite the sharp increase in companies selling solutions to lock down unauthorized access.
Stephen E Arnold, December 15, 2020
Alleged CCP Database: 1.9 Million Entries
December 14, 2020
DarkCyber noted the availability of a file listing 1.9 million members of the Chinese Communist Party as of 2016. We think we can hear “The data are old,” “The data are a scam,” and “That was then, this is now” statements from those listed in the file. The information, which you will have to evaluate for yourself, may be on the money or a bit of a spoof. An elaborate spoof, yes. It will help if you can read Chinese or have access to a system which can transliterate the characters into a Latin-script form and normalize the result. Spellings vary depending on the translator or the machine translation system one uses. For now, the file is available on Go File at this link.
Are there uses of the data? Sure, how about:
- Filtering the list for those individuals in Canada, the UK, and the US and mapping the names against university faculty rosters
- Filtering the list for graduate students in such countries as Australia, Canada, and France. While you are at it, why not do the same for graduate students in the US?
- Filtering the list for individuals who are or have been part of a cultural or scientific exchange, particularly within driving or drone distance of a US national research laboratory; for example, the University of New Mexico (near Sandia and Los Alamos) or the University of Tennessee (near Oak Ridge).
The data appear to be at least four years old and may turn out to be little more than a listing of individuals who purchased a SIM from a Chinese vendor in the last 48 months. On the other hand, some of the information may be a cyber confection. DarkCyber finds the circumstances of the data’s “availability,” its possible accuracy, and its availability as open source information interesting.
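The practical obstacle in the matching exercises above is the one the post mentions in passing: the same Chinese name arrives in several romanizations (Pinyin with or without tone marks, Wade-Giles, surname-first or surname-last, hyphenated or fused syllables), so a naive string comparison misses most true matches. The following is an added example, not code from the original post or from DarkCyber, showing a minimal normalization step before comparing a list against a roster. The alias table and the roster are constructed for illustration; a real job needs a much larger alias table and a Cantonese or Hokkien layer, and the output is a candidate list for human review, never an identification.

```python
import re
import unicodedata

# Constructed alias table (assumption for this example, not a reference):
# a handful of Wade-Giles surname spellings mapped to their Pinyin forms.
ROMANIZATION_ALIASES = {
    "chang": "zhang",
    "chou": "zhou",
    "hsu": "xu",
    "tsai": "cai",
    "lee": "li",
    "chung": "zhong",
}


def normalize_name(name: str) -> tuple:
    """Reduce a romanized name to an order-insensitive token key.

    Steps: NFKD-decompose and drop combining marks (removes Pinyin tone
    marks such as in 'Zhāng Wěi'), lowercase, join hyphenated syllables
    (Wade-Giles 'Wei-ming' vs Pinyin 'Weiming'), strip punctuation, map
    known romanization variants, and sort tokens so 'Zhang Wei' and
    'Wei Zhang' (surname-first vs surname-last) produce the same key.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    lowered = stripped.lower().replace("-", "").replace("'", "")
    tokens = re.findall(r"[a-z0-9]+", lowered)
    mapped = [ROMANIZATION_ALIASES.get(tok, tok) for tok in tokens]
    return tuple(sorted(mapped))


def build_index(roster: list) -> dict:
    """Map each normalized key to the roster entries (in roster order) that share it."""
    index = {}
    for entry in roster:
        index.setdefault(normalize_name(entry), []).append(entry)
    return index


def match_names(candidates: list, roster: list) -> dict:
    """Return {candidate: [matching roster entries]} for every candidate.

    Common names collide, so every non-empty list is a lead to verify by
    other means, not a confirmed identity.
    """
    index = build_index(roster)
    return {cand: list(index.get(normalize_name(cand), [])) for cand in candidates}


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    leaked_list = ["Chang Wei", "Wei-Ming Hsu", "Li Na"]
    faculty_roster = ["Wei Zhang", "Zhang, Wei", "Xu Weiming", "Sam Jones"]
    for cand, hits in match_names(leaked_list, faculty_roster).items():
        print(f"{cand!r}: {hits}")
```

Because the key is a sorted bag of tokens, the comparison is deliberately loose: it trades precision for recall on the assumption that an analyst will review every hit. Tighten it (for example, by requiring a surname position match) once the alias table is good enough to distinguish surname from given name reliably.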
Stephen E Arnold, December 14, 2020
Interesting Post on Microsoft Github: Teams Vulnerability
December 9, 2020
I found this interesting post on Github, one of Microsoft’s open source plays: “Important, Spoofing” – Zero-Click, Wormable, Cross-Platform Remote Code Execution in Microsoft Teams.” The post explains how to compromise a Teams environment by sending a message or editing an existing Teams message. The message looks just peachy to the recipient or recipients. Teams is plural. When the recipient looks at the message, the malicious payload executes. The post points out:
That’s it. There is no further interaction from the victim. Now your company’s internal network, personal documents, 365 documents/mail/notes, secret chats are fully compromised. Think about it. One message, one channel, no interaction. Everyone gets exploited.
Microsoft classified the issue as “Spoofing” with a severity of “Important,” not “Critical,” despite the researcher’s description of it as remote code execution. Keep in mind that Microsoft has more than 100 million active users of its Zoom killer.
Stephen E Arnold, December 9, 2020
DarkCyber for December 1, 2020, Now Available
December 1, 2020
DarkCyber reports about Maltrail, an open source cyber tool for detecting malicious traffic. Crime as a Service matures. Now anyone can point-and-click through a ransomware attack. Bad actors helpfully make cyber crime less of a hassle. Insider threats — what DarkCyber calls “the Snowden play” — are becoming more prevalent. Why? A need for money, revenge, or a dose of that old Silicon Valley attitude.
The feature in this episode is a summary of the next generation of entity recognition from videos and still images. Face recognition is not the most reliable technology in the world; however, researchers from China and Japan have figured out how to identify an individual from the way he or she walks. Ergo gait recognition. A link to the technical details appears in the program.
The program features a brief extract from a conversation between Robert David Steele, a former CIA professional, and Stephen E Arnold (owner of Dark Cyber). Arnold describes some of the less appreciated reasons why digital information creates new challenges for law enforcement and intelligence professionals. Good news? Not really.
The final story in the program addresses the urgent need for counter unmanned aerial systems by local, county, and state law enforcement agencies. Individuals are ramming drones into police helicopters. The DarkCyber discussion of this problem includes a link to a series of recommendations promulgated by the British government to address this kinetic use of drones.
DarkCyber is produced by Beyond Search. The video program appears every two weeks. The third season of DarkCyber begins in January 2021. The program is non-commercial, does not accept advertising, and does not beg for dollars. How is this possible? DarkCyber is not sure.
You can view the program at this link.
Kenny Toth, December 1, 2020
Virtual Private Networks: Are These Private?
November 30, 2020
About a month ago, Google rolled out its own virtual private network. The timing was mostly in sync with Facebook’s expansion of encrypted services for its chat apps. Is encryption good for users, good for large technology companies, and good for law enforcement?
The story “Google One VPN: Everything You Need To Know” is representative of the coverage of Google’s VPN. I noted:
Google isn’t new to the world of VPNs. It actually has used one for its customers on Google Fi for many years now. Essentially with Google Fi, whenever you connected to a public WiFi network, you would automatically be connected through Google Fi’s VPN. As mentioned before, this is because Public WiFi networks are not secure. So while keeping you from using a lot of data, since Fi charges per gigabyte, it also kept you protected. Now, Google is just moving its VPN to where everyone can use it. Whether they are a Fi customer or not.
The write up does not answer the question about the “goodness” of the Google service. The write up asserts:
Google has said numerous times that it will not use the VPN connection to track, log or sell your browsing activity. But then again, how will we know that Google is not doing that? We won’t. And that goes for any other company too. It’s up to you, whether you trust Google not to collect this data when you’re using its VPN. But don’t forget, that if Google really wanted that data, it could easily get it from your Android smartphone too.
As I said in response to questions posed to me by a former CIA professional (view full 20 minute video here):
Online services are inherently surveillance mechanisms.
Many will not agree with this Arnold Law. That’s okay, but VPNs are particularly interesting because the user is agreeing to route all traffic through an allegedly secure and private man-in-the-middle service. A VPN does not remove the observer; it moves the observer from the coffee shop’s WiFi to the VPN operator, who still sees every destination the user connects to even when the content itself is encrypted. How secure is a man-in-the-middle service?
Another good question just like “Are VPNs private?”
Stephen E Arnold, November 30, 2020
Amazon and the Cyber Security Industrial Complex
November 24, 2020
This is probably no big deal. Cyber security, threat intelligence, and wonky proprietary tools from startups populated by retired or RIFed intel officers are a big business. I was asked by a “real news” reporter, “How big?” I dutifully sent links to companies selling market forecasts for global cyber security revenues. How big were these numbers? Acquisition big. The hypothesis I have formulated is that when wild and crazy market size projections fly like hungry sparrows, there is a revenue problem. Specifically, there are too many sparrows chasing available bugs and bread crumbs. That’s why Blackberry is in the cyber security business. That’s why LookingGlass stepped away from Cyveillance. That’s why Dark Web indexes of bad actors’ Crime as a Service offerings are a dime a dozen.
It is, therefore, no surprise that the write up “Trend Micro integrates with AWS Network Firewall” explains that Amazon is continuing to add to its pool of 65,000 plus partners. Many of these outfits like Palantir Technologies are in the cyber intelligence and cyber threat business. Bad actors beware.
The write up reports:
Trend Micro’s built-in IPS intelligence will inspect traffic for malicious intent so that the firewall can stop threats before they get a foothold in a virtual private cloud. Together, AWS and Trend Micro offer a simple, scalable service with reliable protection that does not require any infrastructure management.
What’s the hook? Here’s the statement I circled with an Amazon happy face:
Trend Micro’s threat intelligence will be available free with easy deployment for AWS Network Firewall customers.
What do I make of free cyber security services? Not much, but I hear the Bezos bulldozer pulling into the cyber intelligence and security services shopping mall. Roll up or roll over time for the cheerful orange machine with a big smile painted on the cab.
Stephen E Arnold, November 24, 2020
Work from Home: Manage This, Please
November 19, 2020
I read “Over Half of Remote Workers Admit to Using Rogue Tools Their IT teams Don’t Know About.” If the information in the write up is on the money, cyber security for the WFH crowd may be next to impossible. The write up reports:
According to a new report from mobile security firm NetMotion, the vast majority of remote workers (62 percent) are guilty of using Shadow IT, with some of them (25 percent) using a “significant number” of unapproved tools.
The article includes this statement:
“Sadly, our research showed that nearly a quarter of remote workers would rather suffer in silence than engage tech teams,” said Christopher Kenessey, CEO of NetMotion.
Net net: Bad actors relish the WFH revolution. WFHers installing software not vetted by their employer create numerous opportunities for mischief. How does a firm addicted to Slack and Microsoft Teams deal with this situation:
Hey, team. I am using this nifty new app. It can speed up our production of content. You can download this software from a link I got on social media. Give it a whirl.
Manage this, please.
Stephen E Arnold, November 19, 2020
Security Is a Game
November 12, 2020
This article’s headline caught my attention: “Stop Thinking of Cybersecurity As a Problem: Think of It As a Game.” I think I understand. The write up asserts:
The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.
Interesting idea. Numerous cyber security solutions are available. Some organizations have multiple solutions in place. Nevertheless, bad actors continue to have success. If the information in the Risk Based Security 2020 Q3 Data Breach QuickView Report is anywhere close to accurate, the “game” is being won by bad actors: lots of data was sucked down by cyber criminals in the last nine months.
Fun, right?
Stephen E Arnold, November 12, 2020
Organizational Security: Many Vendors, Many Breaches
October 30, 2020
I noted a write up with a fraught title: “Breaches Down 51%, Exposed Records Set New Record with 36 Billion So Far.” I interpreted this to mean “fewer security breaches but more data compromised.”
The write up explains the idea this way:
The number of records exposed has increased to a staggering 36 billion. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record,” Risk Based Security reveals.
Okay. How is this possible? The answer:
The report explores numerous factors such as how media coverage may be a factor contributing to the decline in publicly reported breaches. In addition, the increase of ransomware attacks may also have a part to play.
I interpreted this to mean, “Let’s not tell anyone.”
If you want a copy of this Risk Based Security report, navigate to this link. You will have to cough up an email and a name.
Net net: More data exposed and fewer organizations willing to talk about their security lapses. What about vendors of smart cyber security systems? Vendors are willing to talk about the value and performance of their products.
Talk, however, may be less difficult than dealing with security breaches.
Stephen E Arnold, October 30, 2020