• Home
• About
• Writers
• Landscape
• Wizards Index
• Fraud
• Wanna Be Like Larry?

Security Theatre: Act II of Flimsies or the Security Shibboleth Myth

The election is over. The activities in 2015 and 2016 were Act I. I think we are now in Act II of “Flimsies or the Security Shibboleth Myth.” I am perched happily on a small hill in rural Kentucky. I know zero about the machinations of the giant security outfits and the throbbing US government agencies. I do, however, read some news once in a while; for example, “SolarWinds Orion: More US Government Agencies Hacked.” The main idea is that the cyber breach and theft of pentest tools from FireEye, a prestigious cyber security firm, is very much in the news. The BBC story points out that a number of US government agencies were allegedly breached:

• US Department of Defense (does that include the Defense Intelligence Agency).
• US Department of State (does anyone work there any more?)
• US Department of Homeland Security
• US Department of Treasury (the FinCen folks perhaps?)

A contact told me that the estimable US Department of Commerce was a victim as well.

The main question for me is,

Do these Fancy Dan, often six figure or more cyber security systems work?

Another question:

Are the technologies ranging from Dark Web threat reports to smart software that works like a human immune system real or marketing fluff?

I don’t know the answer to these questions, but I am wondering what Act III will present.

Stephen E Arnold, December 16, 2020

Steele and Arnold: Cyber Security Hand Waving

On December 14, 2020, Robert David Steele, a former CIA professional, and I discussed security hand waving. You can view the short video at this link. My principal contribution was the identification of three types of organizations which have institutionalized security vulnerabilities. These are:

• Colleges and universities hiring instructors and other faculty without probing their backgrounds. No peer reviewed papers and a recommendation from a friend are not enough.
• University exchange programs in which students participate in multi-national research activities. Many of these programs include on campus visits, international travel, and significant information access. No significant vetting of these participants is conducted. Theses programs flourish near some interesting US government facilities; for example, Oak Ridge National Labs in Tennessee.
• Intern programs in the US government, although some state governments have similar set ups. These interns are pressed into duty for Web page maintenance, programming, and fixing broken software. Security checks do take place, but are these sufficiently rigorous when an intern is allegedly updating a Web page at the Railway Retirement Board or similar entity?

Bad actors can easily gain access to useful information. There’s more in the video. I do mention FireEye’s recent security issue, but my interpretation is quite different from the marketing and legal rah rah about the tiny little glitch. Take a peek because I continue to question the efficacy of the in-place security in many organizations. How easy is it to penetrate an organization? I provide three examples of methods which are popular despite the sharp increase in companies selling solutions to lock down unauthorized access.

Stephen E Arnold, December 15, 2020

Alleged CCP Database: 1.9 Million Entries

DarkCyber noted the availability of 1.9 million members of the Chinese Communist Party in 2016. We think we can here “The data are old,” “The data are a scam,” and “That was then, this is now” statements from those listed in the file. The information, which you will have to figure out for yourself, may be on the money or a bit of a spoof. Elaborate spoof, yes. It will help if you can read Chinese or have access to a system which can translate the ideographs into ASCII characters and normalized. Spellings can be variable depending on the translator or the machine translation system one uses. For now, the file is available on Go File at this link.\

Here’s a tiny snippet:

Are there uses of the data? Sure, how about:

• Filtering the list for those individuals in Canada, the UK, and the US and mapping the names against university faculty
• Filtering the list for graduate students in such countries as Australia, Canada, and France. While you are at it, why not do the same for graduate students in the US
• Filtering the list for individuals who are or have been part of a cultural or scientific exchange, particularly within driving or drone distance of a US national research laboratory; e.g., University of New Mexico or the University of Tennessee?

The data appear to be at least four years old and may turn out to be little more than a listing of individuals who purchased a SIM from a Chinese vendor in the last 48 months. On the other hand, some of the information may be a cyber confection. DarkCyber finds the circumstances of the data’s “availability,” its possible accuracy, and its available as open source information interesting.

Stephen E Arnold, December 14, 2020

Interesting Post on Microsoft Github: Teams Vulnerability

I found this interesting post on Github, one of Microsoft’s open source plays. “Important, Spoofing” – Zero-Click, Wormable, Cross-Platform Remote Code Execution in Microsoft Teams.” The post explains how to compromise a Teams environment by sending or editing an existing Teams message. The message looks just peachy to the recipients or recipients. Teams is plural. When the recipient looks at the message the malicious payload executes. The post points out:

That’s it. There is no further interaction from the victim. Now your company’s internal network, personal documents, 365 documents/mail/notes, secret chats are fully compromised. Think about it. One message, one channel, no interaction. Everyone gets exploited.

Microsoft calls the exploit spoofing. Keep in mind that Microsoft has more than 100 million active users of its Zoom killer.

Stephen E Arnold, December 9, 2020

DarkCyber for December 1, 2020, Now Available

DarkCyber reports about Maltrail, an open source cyber tool for detecting malicious traffic. Crime as a Service matures. Now anyone can point-and-click through a ransomware attack. Bad actors helpfully make cyber crime less of a hassle. Insider threats — what DarkCyber calls “the Snowden play” — are becoming more prevalent. Why? A need for money, revenge, or a dose of that old Silicon Valley attitude.

The feature in this episode is a summary of the next-generation in entity recognition from videos and still images. Face recognition is not the most reliable technology in the world; however, researchers from China and Japan have figured out how to match a person’s gait to an individual. Ergo gait recognition. A link to the technical details appears in the program.

The program features a brief extract from a conversation between Robert David Steele, a former CIA professional, and Stephen E Arnold (owner of Dark Cyber). Arnold describes some of the less appreciated reasons why digital information creates new challenges for law enforcement and intelligence professionals. Good news? Not really.

The final story in the program addresses the urgent need for counter unmanned aerial systems by local, county, and statement law enforcement agencies. Individuals are ramming drones into police helicopters. The DarkCyber discussion of this problem includes a link to a series of recommendations promulgated by the British government to address this kinetic use of drones.

DarkCyber is produced by Beyond Search. The video program appears every two weeks. The third season of DarkCyber begins in January 2021. The program is non-commercial, does not accept advertising, and does not beg for dollars. How is this possible? DarkCyber is not sure.

You can view the program at this link.

Kenny Toth, December 1, 2020

Virtual Private Networks: Are These Private?

About a month ago, Google rolled out its own virtual private network. The timing was mostly in sync with Facebook’s expansion of encrypted services for its chat apps. Is encryption good for users, good for large technology companies, and good for law enforcement.

The story “Google One VPN: Everything You Need To Know” is representative of the coverage of Google’s VPN. I noted:

Google isn’t new to the world of VPNs. It actually has used one for its customers on Google Fi for many years now. Essentially with Google Fi, whenever you connected to a public WiFi network, you would automatically be connected through Google Fi’s VPN. As mentioned before, this is because Public WiFi networks are not secure. So while keeping you from using a lot of data, since Fi charges per gigabyte, it also kept you protected. Now, Google is just moving its VPN to where everyone can use it. Whether they are a Fi customer or not.

The write up does not answer the question about the “goodness” of the Google service. The write up asserts:

Google has said numerous times that it will not use the VPN connection to track, log or sell your browsing activity. But then again, how will we know that Google is not doing that? We won’t. And that goes for any other company too. It’s up to you, whether you trust Google not to collect this data when you’re using its VPN. But don’t forget, that if Google really wanted that data, it could easily get it from your Android smartphone too.

As I said in response to questions posed to me by a former CIA professional (view full 20 minute video here):

Online services are inherently surveillance mechanisms.

Many will not agree with this Arnold Law. That’s okay, but VPNs are particularly interesting because the user agreeing to participate in an allegedly secure and private man in the middle service. How secure is a man in the middle service?

Another good question just like “Are VPNs private?”

Stephen E Arnold, November 30, 2020

Amazon and the Cyber Security Industrial Complex

This is probably no big deal. Cyber security, threat intelligence, and wonky proprietary tools from startups populated by retired or RIFed intel officers are a big business. I was asked by a “real news” reporter, “How big?” I dutifully sent links to companies selling market forecasts for global cyber security revenues. How big were these numbers? Acquisition big. The hypothesis I have formulated is that when wild and crazy market size projections fly like hungry sparrows, there is a revenue problem. Specifically there are too many sparrows chasing available bugs and bread crumbs. That’s why Blackberry is in the cyber security business. Why LookingGlass stepped away from Cyveillance. That’s why Dark Web indexes of bad actors’ Crime as a Service offerings are a dime a dozen.

It is, therefore, no surprise that the write up “Trend Micro integrates with AWS Network Firewall” explains that Amazon is continuing to add to its pool of 65,000 plus partners. Many of these outfits like Palantir Technologies are in the cyber intelligence and cyber threat business. Bad actors beware.

The write up reports:

Trend Micro’s built-in IPS intelligence will inspect traffic for malicious intent so that the firewall can stop threats before they get a foothold in a virtual private cloud. Together, AWS and Trend Micro offer a simple, scalable service with reliable protection that does not require any infrastructure management.

What’s the hook? Here’s the statement I circled with an Amazon happy face:

Trend Micro’s threat intelligence will be available free with easy deployment for AWS Network Firewall customers.

What do I make of free cyber security services? No much but I hear the Bezos bulldozer pulling into the cyber intelligence and security services shopping mall. Roll up or roll over time for the cheerful orange machine with a big smile painted on the cab.

Stephen E Arnold, November 24, 2020

Work from Home: Manage This, Please

I read “Over Half of Remote Workers Admit to Using Rogue Tools Their IT teams Don’t Know About.” If the information in the write up is on the money, cyber security for the WFH crowd may be next to impossible. The write up reports:

According to a new report from mobile security firm NetMotion, the vast majority of remote workers (62 percent) are guilty of using Shadow IT, with some of them (25 percent) using a “significant number” of unapproved tools.

The article includes this statement:

“Sadly, our research showed that nearly a quarter of remote workers would rather suffer in silence than engage tech teams,” said Christopher Kenessey, CEO of NetMotion.

Net net: Bad actors relish the WFH revolution. The inducement of WFHers using software not vetted by their employer creates numerous opportunities for mischief. How does a firm addicted to Slack and Microsoft Teams deal with this situation:

Hey, team. I am using this nifty new app. It can speed up our production of content. You can download this software from a link I got on social media. Give it a whirl.

Manage this, please.

Stephen E Arnold, November 19, 2020

Security Is a Game

This article’s headline caught my attention: “Stop Thinking of Cybersecurity As a Problem: Think of It As a Game.” I think I understand. The write up asserts:

The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.

Interesting idea. Numerous cyber security solutions are available. Some organizations have multiple solutions in place. Nevertheless, bad actors continue to have success. If the information in  Risk Based Security 2020 Q3 Report Data Breach QuickView is anywhere close to accurate. The “game” is being won by bad actors: Lots of data was sucked down by cyber criminals in the last nine months.

Fun, right?

Stephen E Arnold, November 12, 2020

Organizational Security: Many Vendors, Many Breaches

I noted a write up with a fraught title: “Breaches Down 51%, Exposed Records Set New Record with 36 Billion So Far.” I interpreted this to mean “fewer security breaches but more data compromised.”

The write up explains the idea this way:

The number of records exposed has increased to a staggering 36 billion. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record,” Risk Based Security reveals.

Okay. How is this possible? The answer:

The report explores numerous factors such as how media coverage may be a factor contributing to the decline in publicly reported breaches. In addition, the increase of ransomware attacks may also have a part to play.

I interpreted this to mean, “Let’s not tell anyone.”

If you want a copy of this RiskBased Security report, navigate to this link. You will have to cough up an email and a name.

Net net: More data breaches and fewer organizations willing to talk about their security lapses. What about vendors of smart cyber security systems? Vendors are willing to talk about the value and performance of their products.

Talk, however, may be less difficult than dealing with security breaches.

Stephen E Arnold, October 30, 2020

« Previous Page — Next Page »

• 

• Search the site

•  

  Subscribe to Beyond Search

  • 
  • 
   
  • 
   
  
  Feature archive
  News archive
   
  
  
  Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.

• Categories

  • 3D-Printing
  • Acquisition
  • Advertising
  • Aggregation
  • AI
  • Alexa
  • algorithms
  • Amazon
  • Amazonia
  • Analytics
  • Appliance
  • Applications
  • Audio
  • Augmented Reality
  • Big data
  • Bing
  • Bitcoin
  • Bitext
  • Book review
  • Business intelligence
  • Business process
  • Business strategy
  • Censorship
  • Cloud computing
  • Company Profile
  • Conferences
  • Connectors
  • Consulting
  • Consumer
  • Content processing
  • Copyright
  • Corporate Concerns
  • Cost
  • Crawl
  • Crowdfunding
  • cryptocurrency
  • Customer support
  • Cyber OSINT
  • cybercrime
  • cybersecurity
  • Dark Web
  • DarkCyber
  • Data
  • Data mining
  • Database
  • Deepfakes
  • Digital Assistant
  • Digital Library
  • E2EE
  • ECommerce
  • EDiscovery
  • Editorial opinion
  • Education
  • Emoticons
  • Enterprise
  • Enterprise search
  • Entity extraction
  • Ethics
  • Facebook
  • Faceted search
  • Factualities
  • Feature
  • Federated search
  • Financial
  • Fogint
  • Google
  • Governance
  • Government
  • Hackers
  • healthcare
  • IBM Watson
  • Image search
  • Indexing
  • Infrastructure
  • Innovation
  • Integration
  • intelware
  • Interface
  • Internet
  • Interview
  • Investment
  • law enforcement
  • Legal matters
  • Library automation
  • Management
  • Marketing
  • Mathematics
  • Metadata
  • Microsoft
  • Mobile
  • Natural language processing
  • News
  • NGIA
  • Online (general)
  • Open Access
  • Open source
  • OSINT
  • Osint Radar
  • Overflight
  • Palantir
  • Patents
  • Personnel
  • Podcast
  • Policeware
  • Portals
  • Predictive coding
  • Privacy
  • Profile
  • Publishing
  • Quotation
  • Real time search
  • Reference tool
  • Rich media
  • Robot Writer
  • Search
  • Search enabled applications
  • search engine
  • Search quality
  • Security
  • Semantic
  • Sentiment analysis
  • SEO
  • SharePoint
  • Short Honks
  • Smart Technology
  • Social
  • Social Media
  • software
  • Statistics
  • Taxonomy
  • Technology
  • Text analytics
  • Text processing
  • Tools
  • Tor
  • Training
  • Translation
  • Twitter
  • Uncategorized
  • Unstructured Data
  • User experience
  • User Interface
  • Vertical search
  • Video
  • visualization
  • Voice search
  • Voice technology
  • Web 3
  • Web Services
  • Webinar
  • Windows
  • Work flow
  • XML
  • Yahoo

• Archives

  Archives Select Month April 2025 March 2025 February 2025 January 2025 December 2024 November 2024 October 2024 September 2024 August 2024 July 2024 June 2024 May 2024 April 2024 March 2024 February 2024 January 2024 December 2023 November 2023 October 2023 September 2023 August 2023 July 2023 June 2023 May 2023 April 2023 March 2023 February 2023 January 2023 December 2022 November 2022 October 2022 September 2022 August 2022 July 2022 June 2022 May 2022 April 2022 March 2022 February 2022 January 2022 December 2021 November 2021 October 2021 September 2021 August 2021 July 2021 June 2021 May 2021 April 2021 March 2021 February 2021 January 2021 December 2020 November 2020 October 2020 September 2020 August 2020 July 2020 June 2020 May 2020 April 2020 March 2020 February 2020 January 2020 December 2019 November 2019 October 2019 September 2019 August 2019 July 2019 June 2019 May 2019 April 2019 March 2019 February 2019 January 2019 December 2018 November 2018 October 2018 September 2018 August 2018 July 2018 June 2018 May 2018 April 2018 March 2018 February 2018 January 2018 December 2017 November 2017 October 2017 September 2017 August 2017 July 2017 June 2017 May 2017 April 2017 March 2017 February 2017 January 2017 December 2016 November 2016 October 2016 September 2016 August 2016 July 2016 June 2016 May 2016 April 2016 March 2016 February 2016 January 2016 December 2015 November 2015 October 2015 September 2015 August 2015 July 2015 June 2015 May 2015 April 2015 March 2015 February 2015 January 2015 December 2014 November 2014 October 2014 September 2014 August 2014 July 2014 June 2014 May 2014 April 2014 March 2014 February 2014 January 2014 December 2013 November 2013 October 2013 September 2013 August 2013 July 2013 June 2013 May 2013 April 2013 March 2013 February 2013 January 2013 December 2012 November 2012 October 2012 September 2012 August 2012 July 2012 June 2012 May 2012 April 2012 March 2012 February 2012 January 2012 December 2011 November 2011 October 2011 September 2011 August 2011 July 2011 June 2011 May 2011 April 2011 March 2011 February 2011 January 2011 December 2010 November 2010 October 2010 September 2010 August 2010 July 2010 June 2010 May 2010 April 2010 March 2010 February 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 November 5

• Recent Posts

  • Original Research: Not-So-Original Assertions about Content Appropriation
  • A Reminder That Academic Papers Can Be Science Fiction
  • The AI Market: The Less-Educated
  • The First AI-Written Paper To Pass Peer Review
  • FOGINT: Targets Draw Attention. Signal Is a Target

• Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org