TikTok: Exploiting, Exploited, or Exploiter?
August 12, 2020
I read “TikTok Tracked Users’ Data with a Tactic Google Banned.” [Note: You will have to pay to view this article. Hey, The Murdoch outfit has to have a flow of money to offset its losses from some interesting properties, right?]
The write up reveals that TikTok, the baffler for those over 50, tricked users. Those lucky consumers of 30 second videos allegedly had one of their mobile devices ID numbers sucked into the happy outfit’s data maw. Those ID numbers — unlike the other codes in mobile devices — cannot be changed. (At least, that’s the theory.)
What can one do with a permanent ID number? Let us count some of the things:
- Track a user
- Track a user
- Track a user
- Obtain information to pressure a susceptible person into taking an action otherwise not considered by that person?
I think that covers the use cases.
The write up states with non-phone tap seriousness, a business practice of one of the Murdoch progeny:
The identifiers collected by TikTok, called MAC address, are most commonly used for advertising purposes.
Whoa, Nellie. This here is real journalism. A MAC address is shorthand for “media access control.” I think of the MAC address as a number tattooed on a person’s forehead. Sure, it can be removed… mostly. But once a user watches 30-second videos and chases around for “real” information on a network, that unique number can be used to hook together otherwise disparate items of information. The MAC is similar to one of those hash codes which allow fast access to data in a relational structure or maybe an interest graph. One can answer the question, “What are the sites with this MAC address in log files?” The answer can be helpful to some individuals.
There are some issues bubbling beneath the nice surface of the Murdoch article; for example:
- Why did Google prohibit access to a MAC address, yet leave a method to access the MAC address available to those in the know? (Those in the know include certain specialized services support US government agencies, ByteDance, and just maybe Google. You know Google. That is the outfit which wants to create a global seismic system using every Android device who owner gives permission to monitor earthquakes. Yep, is that permission really needed? Ho, ho, ho.)
- What vendors are providing MAC address correlations across mobile app content and advertising data? The WSJ is chasing some small fish who have visited these secret data chambers, but are there larger, more richly robust outfits in the game? (Yikes, that’s actually going to take more effort than calling a university professor who runs a company about advertising as a side gig. Effort? Yes, not too popular among some “real” Murdoch reporters.)
- What are the use cases for interest graphs based on MAC address data? In this week’s DarkCyber video available on Facebook at this link, you can learn about one interesting application: Targeting an individual who is susceptible to outside influence to take an action that individual otherwise would not take. Sounds impossible, no? Sorry, possible, yes.
To summarize, interesting superficial coverage but deeper research was needed to steer the writing into useful territory and away from the WSJ’s tendency to drift closer to News of the World-type information. Bad TikTok, okay. Bad Google? Hmmmm.
Stephen E Arnold, August 12, 2020
Spear Fishing: The Key to the Garmin Ransomware Attack
August 11, 2020
DarkCyber is not too keen on widely disseminated explanations of criminal procedures. “How to’s” may provide the equivalent of a jail house education to some. The article “Crypto-Ransomware in Action: A Closer Look at the WastedLocker Hijack of Garmin” explains the attack on the an outfit specializing geo-technology. Think GPS in consumer gizmos, aircraft, and vehicle. The write up quotes Kaspersky, a security outfit with some interesting allegations clinging to its shirt tails, as noting:
“This incident only highlights that there is a growing trend of targeted crypto-ransomware attacks against large corporations—in contrast to the more widespread and popular ransomware campaigns of the past, like WannaCry and NotPetya. While there are fewer victims, these targeted attacks are typically more sophisticated and destructive. And there is no evidence to suggest that they will decline in the near future. Therefore, it’s critical that organizations stay on alert and take steps to protect themselves.” [Fedor Sinitsyn, security expert at Kaspersky]
Additional details on the attack are available in the technical analysis on the Kaspersky Web site at this link. The write up includes screenshots and code samples. The details include this statement:
It uses a “classic” AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the files encrypted by this sample cannot be decrypted without the threat actors’ private RSA key. The Garmin incident is the next in a series of targeted attacks on large organizations involving crypto-ransomware. Unfortunately, there is no reason to believe that this trend will decline in the near future.
DarkCyber agrees. Jail house learning?
Stephen E Arnold, August 11, 2020
Me Too, Me Too: Password Matching
August 7, 2020
Digital Shadows, founded in 2011, offered its Searchlight service. Terbium Labs, founded in 2013, offers its Matchlight services. Enzoic, founded in 2016, offered its password matching service. Scattered along the information highway are other cyber security firms offering variations on looking for compromised information on the Regular Web, the Dark Web, and in any other online source which the crawlers can reach. I mention these companies and their similar matching services because DarkCyber spotted “LogMeIn Introduces New Lastpass Security Dashboard and Dark Web Monitoring, Delivering a Complete Command Center for Managing Digital Security.” The write up states:
In addition to displaying weak and reused passwords, the new Security Dashboard now gives all LastPass users, regardless of tier, a full picture of their online security, providing complete control over their digital life and peace of mind that accounts are protected.
What’s interesting is that the capability to perform this type of LastPass check has been around for many years. Progress. People seeing the “light”? Some bad actors simply brute force passwords because many individuals prefer passwords from this list. The fact that strong passwords are not widely used contributes to bad actors’ success.
Stephen E Arnold, August 7, 2020
European Union: Yes, Russia Warrants Some Attention
August 4, 2020
With so many smart people wrestling with the Google and cage fighting with England, I was surprised to read “EU, in First Ever Cyber Sanctions, Hits Russian Intelligence.” The allegedly accurate write up states:
Four members of Russia’s GRU military intelligence agency were singled out. The EU accuses them of trying to hack the wifi network of the Netherlands-based Organization for the Prohibition of Chemical Weapons, which has probed the use of chemical weapons in Syria. The 2018 attack was foiled by Dutch authorities.
In addition, two individuals described as “Chinese nationals” found themselves in the sanction target area.
There are several ways to look at this action. First, the Google is a bigger deal than the EU’s friend to the East. Second, the Brexit fishing rights thing distracted EU officials from mere intelligence and trans-national security matters. Third, maybe someone realized that cyber espionage and cyber attacks are something to think about. A couple of years or more seems pretty snappy compared to other EU projects.
Stephen E Arnold, August 3, 2020
IBM Discloses Iranian Hacking: Was Watson on the Job?
July 30, 2020
We spotted an interesting nugget of information in “Iran-Linked Hackers Mistakenly Leak Videos of Their Operations in Action: Report.”
The story reveals that:
IBM’s X-Force security team acquired about five hours of video footage of hacking operations by APT35, a hacking group linked to the Iranian government…
Where did the video originate? The answer: Iran.
The IBM researchers got a hold of the footage due to “a misconfiguration of security settings on a virtual private cloud server they’d observed in previous APT35 activity,” the report said, adding that the files were uploaded to the exposed server over a few days in May, just as IBM was monitoring the machine. The APT35 hackers recorded their operations to demonstrate to junior team members how to handle hacked accounts, according to the report. The videos show the hackers how to download the contents of compromised Gmail and Yahoo Mail accounts.
The report does not mention Watson. Interesting.
Stephen E Arnold, July 29, 2020
Digital Shadows: Cyber Monitoring Inside
July 29, 2020
DarkCyber has pointed out in this blog and in the DarkCyber video news programs that cyber security generates hyperbole. Funding sources pump in cash. Companies buy not one cyber security system; big and mid-sized outfits buy news ones with each change of security professionals.
Why?
Most of the cyber security systems focus on what happened in the past. However, bad actors — some well funded by low profile operators — focus on the here and now.
Not surprisingly, competing claims, pricing plays, and fearful prospects keep the wheel spinning.
“Digital Shadows Announces Integration with Atlassian Jira” indicates that the stealthy Digital Shadows has moved inside an issue tracking and project tracking platform. Presumably the “SearchLight Inside” deal will deliver better security to Jira users. Will this tie up boost Atlassian stock?
DarkCyber assumes that other Dark Web and cyber threat indexing services will pursue similar “inside” deals.
The real test comes when licensees of these “inside” cyber threat solutions demonstrate they can avoid Garmin- and Twitter-type security breaches.
Stephen E Arnold, July 29, 2020
DarkCyber for July 28, 2020, Now Available
July 28, 2020
The July 28, 2020, DarkCyber is now available. You can view the program on YouTube or on Vimeo.
DarkCyber reports about online, cyber crime, and lesser known Internet services. The July 28, 2020, program includes six stories. First, DarkCyber explains how the miniaturized surveillance device suitable for mounting on an insect moves its camera. With further miniaturization, a new type of drone swarm becomes practical. Second, DarkCyber explains that the value of a stolen personal financial instrument costs little. The vendors guarantee 80 percent success rate on their stolen personally identifiable information or fullz. Third, SIM card limits are in place in South Africa. Will such restrictions on the number of mobile SIM cards spread to other countries or are the limits already in place, just not understood. Fourth, Coinbase bought a bitcoin deanonymization company. Then Coinbase licensed the technology to the US Secret Service. Twitter denizens were not amused. Fifth, Microsoft released a road map to a specific type of malware. Then two years later the story was picked up, further disseminating what amounts to a how to. DarkCyber explains where to download the original document. The final story presents DarkCyber’s view of the management lapses which made the Twitter hack a reality. Adult management is now imperative at the social media company doing its best to create challenges for those who value civil discourse and an intact social fabric.
The delay between our June 9, 2020, video about artificial intelligence composing “real” music and today’s program is easy to explain. Stephen E Arnold, the 76 year old wobbling through life, had the DarkCyber and Beyond Search team working on his three presentations at the US National Cyber Crime Conference. These programs are available via the NCC contact point in the Massachusetts’ Attorney General Office.
The three lectures were:
- Amazon policeware, which we pre-recorded in the DarkCyber format
- A live lecture about investigative software
- A live lecture about Dark Web trends in 2020.
Based on data available to the DarkCyber team, the septuagenarian reached about 500 of the 2000 attendees. Go figure.
Kenny Toth, July 28, 2020
The Cloud Becomes the New PC, So the Cloud Becomes the Go To Attack Vector
July 24, 2020
Cloud providers are not Chatty Cathies when it comes to some of their customers’ more interesting activities. Take malware, for example. Bad actors can use cloud services for a number of activities, including a temporary way station when deploying malware, delivering bogus or spoofed Web sites as part of a social engineering play, or just launching phishing emails. Major cloud providers are sprawling operations, and management tools are still in their infancy. In fact, management software for cloud operators are in a cat-and-mouse race. Something happens, and the cloud provider responds.
“Hackers Found Using Google Cloud to Hide Phishing Attacks” provides some information about the Google and its struggles to put on a happy face for prospects and regulators while some Googlers are reading books about dealing with stressful work.
The article reports:
Researchers at cybersecurity firm Check Point on Tuesday cited an instance when hackers used advanced features on Google Cloud Platform to host phishing pages and hide them. Some of the warning signs that users generally look out for in a phishing attack include suspicious-looking domains, or websites without a HTTPS certificate. However, by using well-known public cloud services such as Google Cloud or Microsoft Azure to host their phishing pages, the attackers can overcome this obstacle and disguise their malicious intent, improving their chances of ensnaring even security-savvy victims…
What’s the fix?
Obviously vendors of cloud management software, hawkers of smart cyber security systems, and bright young PhD track cyber specialists have ideas.
The reality may be that for now, there is no solution. Exposed Amazon S3 buckets, Google based endeavors, and Microsoft (no, we cannot update Windows 10 without crashing some machines) Azure vectors are here to stay.
Perhaps one should tweet this message? Oh, right, Twitter was compromised. Yeah.
Stephen E Arnold, July 24, 2020
Once Again: NSO Group Becomes a Magnet for Real Journalists
July 16, 2020
We spotted one of those “We don’t have or can’t tell you where we got this information” write ups. The article is “Source: Spain Is a Customer of NSO Group.” The main idea of the article is that a government licensed software developed for … wait for it … governments. According to the “source” with some inputs from other real news outfits like The Guardian and El Pais, the NSO Group’s specialized software was used to obtain information about … wait for it … politicians in Spain.
The write up states:
The cell phones of several politicians in Spain, including that of the president of one of the countries’ autonomous regional parliaments, were targeted with spyware made by NSO Group, an Israeli company that sells surveillance and hacking tools to governments around the world, according to The Guardian and El Pais . Motherboard confirmed the specifics with security researchers who investigated the attempted hack and a Facebook employee who has knowledge of the case.
Interesting. But a couple of questions come to mind:
- Was the alleged use of the software a complement to an investigation; for example, inciting civil unrest?
- Was the alleged use of the software gathering data on matter one and obtained information on a collateral or unrelated matter two?
- Why aren’t the sources identified? Policy or some special rules of “real” journalism that elude me?
The disclaimer “We cannot confirm whether these specific attempted hacks” does nothing to alter my perception of the article; to wit: The article wants to draw attention to a particular specialized software developer and connect that company to the alleged use of the software by a licensee of the software. How’s that work? Consider the manufacturer of a knife. The purchaser of the knife uses it to kill an intruder. Is the knife manufacturer responsible? What applies to companies which are in the business of developing specialized software tools is different from the knife manufacturer.
I want to point out the Bank Info Security reported that an Israeli court dismissed a complaint against the NSO Group. Amnesty International accused the NSO group of violating human rights. On the surface, it seems that the allegations of Amnesty International were found to be without much heft.
The real question is, “Why are outfits like Vice and Amnesty International chasing NSO Group?”
DarkCyber has some hunches about the “why”? For example:
- Companies which develop specialized services and operate in a classified or community environment populated by government customers are somehow offensive to the “real” journalists. Is this a factor? Sensibilities are activated.
- The “real” journalists are just now realizing that those charged with enforcing the laws of countries are using specialized tools for investigations or addressing challenges which in the opinion of the government customers threaten civil order. This “sudden discovery” is like a child’s getting a new toy for her birthday. By golly, that toy is going to get some attention because it is novel to the childish mind.
- The “real” journalists are trying to come up with “news” which is stale, routine, and institutionalized in government entities throughout the world. The focus, however, is one the producer of specialized software, not on the specific government entity licensing the software.
DarkCyber believes the truth is closer to the child’s fascination with what the child with its immature perception sees as mesmerizing.
News flash for the “real” journalists: Chasing vendors of specialized software may not be the revenue and attention magnet for which the publications hunger. Plus, there may be some unintended consequences of speculative writing about topics presented without context.
Stick with facts and identified sources. Could the NSO Group articles be converted into a Quibi program? Advance the “real” agenda with short video. Worth a shot? Sources may not be needed for a short form Quibi thing.
Stephen E Arnold, July 16, 2020
Google, TikTok, and Seriousness
July 15, 2020
Short form video is in the news. TikTok captivates millions of eyeballs. Many of these eyeballs belong to Americans. Most of these Americans choose not to understand several nuances of “free” 30 second videos created, transmitted, viewed, and forwarded via a mobile device; to wit:
- Software for mobile phones can covertly or overtly suck up data and send those data to a control node
- Those data can be cross correlated in order to yield useful insights about the activities, preferences, and information flowing into and out of a mobile device equipped with an application. Maybe TikTok does this too?
- Those digital data can be made available to third parties; for example, advertising analytics vendors and possibly, just maybe, a country’s intelligence services.
The Information published one of those “we can’t tell you where we got these data but by golly this stuff is rock solid” stories. This one is called “TikTok Agreed to Buy More Than $800 Million in Cloud Services From Google.” Let’s assume that this story about the Google TikTok deal is indeed accurate. We learn:
Last week, though, word surfaced of a buzzy new customer for Google Cloud—TikTok, the app for sharing short videos that is the year’s runaway social media hit. The deal is a lucrative one for Google Cloud, The Information has learned. In a three-year agreement signed in May 2019, TikTok committed to buying more than $800 million of cloud services from Google over that period…
What’s with the Google? Great or lousy business judgment? Does Google’s approach to a juicy deal include substantial discounts in order to get cash in the door? Is the deal another attempt by the Google to get at least some of the China market which it masterfully mishandled by advising the Chinese government to change its ways?
Nope. The new Google wants to grow by locking down multi year contracts. The belief is that these “big deals” will give the Google Cloud the protein shake muscles needed to deal with the Microsofties and the Bezos bulldozer.
New management, new thinking at the GOOG, and there will be more of the newness revealed with each tweak of a two decades old “system.”
At the same time as the Information “real” news story arrived in the DarkCyber news center, a pundit published MBA type write up popped into our “real news” folder. This write up is “The TikTok War.”
Unlike the Information’s story, the Stratechery essay is MBA consultant speak, which is different from “real news.” The point of the 3,900 word consultant report is:
I believe it is time to take China seriously and literally…
There you go: An MBA consulting revelation. One should take China seriously and literally.
Okay. Insight. Timely. Incisive.
From this conclusion, TikTok’s service is no longer appropriate in the US. Banning is probably a super duper idea if I understand the TikTok War. (How does one fight a war by banning digital information? Oh, well, irrelevant question. What’s that truism about ostriches putting their heads in the sand? Also irrelevant.)
Let’s step back and put these two different TikTok articles in a larger context.
The Information wants everyone to know that a mysterious “source” has said that Google has a three year deal with TikTok. This is a surprise? Nope. Google is on the hunt for cash because after Google’s own missteps, it is faced with hard to control costs and some real live “just like Google” competitors; namely, Amazon, Apple, Facebook, and Netflix. There’s also the mounting challenges of political and social annoyances to add some spice to the Googlers’ day.
The MBA consultant analysis points out that China has to be taken seriously. Prior to TikTok, China was not taken seriously? I suppose TikTok is the catalyst for seriousness. More likely, the TikTok thing evokes MBA consultant outputs to confirm what many people sort of intuit but have not been able to sum up with a “now is the time” utterance.
In my lecture yesterday for the National Cyber Crime Conference, I presented a diagram of how Chinese telecommunications and software systems can exfiltrate information with or without TikTok.
Banning an app is another one of those “Wow, the barn burned and Alibaba built a giant data center where the Milking Shorthorns once stood” moments.
Sourceless revelations about Google’s willingness to offer a deal to a China centric TikTok and MBA consultant revelations that one should take China seriously warrants one response: The ship sailed, returned, built a giant digital port, and has refueled for a return journey. Ban away.
Stephen E Arnold, July 15, 2020
-
- Subscribe to Beyond Search
Feature archive
News archive
-
