Thinking about Security: Before and Earlier, Not After and Later

September 30, 2020

Many factors stand in the way of trustworthy AI, not least the incentives of those whose raise, bonus, or promotion depends on shipping it. Then there is the thorny issue of bias built into machine learning. InformationWeek, however, looks at a few more straightforward threats in its article, “Dark Side of AI: How to Make Artificial Intelligence Trustworthy.”

Gartner VP and analyst Avivah Litan notes that, though AI is becoming more mainstream, security and privacy considerations still keep many companies away. They are right to be concerned: according to Gartner’s research, consumers believe responsibility lies with the organizations that adopt AI technology, not with the developers or vendors behind it. Litan describes two common ways bad actors attack AI systems: malicious inputs and query attacks. She writes:

“Malicious inputs to AI models can come in the form of adversarial AI, manipulated digital inputs or malicious physical inputs. Adversarial AI may come in the form of socially engineering humans using an AI-generated voice, which can be used for any type of crime and considered a ‘new’ form of phishing. For example, in March of last year, criminals used AI synthetic voice to impersonate a CEO’s voice and demand a fraudulent transfer of $243,000 to their own accounts….”

“Query attacks involve criminals sending queries to organizations’ AI models to figure out how it’s working and may come in the form of a black box or white box. Specifically, a black box query attack determines the uncommon, perturbated inputs to use for a desired output, such as financial gain or avoiding detection. Some academics have been able to fool leading translation models by manipulating the output, resulting in an incorrect translation. A white box query attack regenerates a training dataset to reproduce a similar model, which might result in valuable data being stolen. An example of such was when a voice recognition vendor fell victim to a new, foreign vendor counterfeiting their technology and then selling it, which resulted in the foreign vendor being able to capture market share based on stolen IP.”

Litan emphasizes that it is important for organizations to get ahead of security concerns. Not only will building in security measures at the outset thwart costly and embarrassing attacks, it is also less expensive than trying to tack them on later. She recommends three specific measures: conduct a threat assessment and carefully control access to, and monitoring of, training data and models; add AI-specific aspects to the standard software development life cycle (SDLC) controls; and protect and maintain data repositories to prevent data poisoning. See the article for elaboration of each of these points.

Cynthia Murrell, September 30, 2020

Hacking a Mere Drone? Up Your Ante

September 29, 2020

So many technology headlines are the stuff that science fiction is made of. The newest one describes a threat that comes not only from science fiction but also from the suspense genre, reports Los Angeles Air Force Base in “SMC Team Supports First Satellite Hacking Exercise.”

For over a year, Space and Missile Systems Center (SMC) experts in ground and satellite technology led a satellite hacking exercise that culminated in the Space Security Challenge 2020: Hack-A-Sat. The Special Programs Directorate and the Enterprise Corps Cross Mission Ground and Communications cyber operations team combined their forces for the exercise:

“This challenge asked security researchers, commonly known as hackers, from across the country and around the world to focus their skills and creativity in solving cybersecurity challenges on space systems. These white-hat ethical hackers are members of the research and security communities focused on legally and safely finding vulnerabilities for many different types of systems. This challenge focused on bridging the gap between space, cyber and security communities and growing these ecosystems.”

DEF CON controlled the exercise environment so the teams could practice their skills safely and securely. The competitors explored the satellite system, including the radio frequency communications, ground segments, and satellite bus. The Hack-A-Sat was basically war games with code. The purpose was to expose the experts to new systems they otherwise might not have access to.

The teams practice their skills in simulations and Hack-A-Sat events in preparation for real-life incidents. The more realistic scenarios the experts work through, the better prepared they are to troubleshoot system errors and emergencies.

The Hack-A-Sat event is part of the future mission to the moon and of defending the United States from enemy threats. However, if the United States can undertake these exercises, hostile states can as well. It would be horrible if authoritarian governments discovered how to hack US satellites. The metaphor is scary but apt: could the equivalent of a 9/11 terror attack happen by satellite hacks?

Whitney Grace, September 29, 2020

DarkCyber for September 22, 2020, Now Available: Bogus Passports, Chinese Data and Apps, and the Dronut Drone

September 22, 2020

DarkCyber for September 22, 2020, is now available. This week’s program features an update on falsified documents, three stories about China, and a report about the Dronut. You can view the video on YouTube. The video is available via the Beyond Search blog.

Kenny Toth, September 22, 2020

https://youtu.be/AOTJhU4VC9s

Passport Report: Useful Guidance for Governments and Bad Actors?

September 15, 2020

The consulting firm BearingPoint is an interesting outfit. Marketing, of course, is job one. DarkCyber noted “BearingPoint Study Assesses the Digital Maturity of Passport Services in Countries around the Globe.” The document provides the firm’s assessment of government processes related to digital workflows. Not surprisingly, the report finds opportunities for improvement across the 20 countries surveyed.

A passage DarkCyber noted states:

No examined countries are currently assessed to be at level five.

Surprising? No, the object of the study is to sell consulting services for online passport application services.

However, the report provides some useful insights for bad actors interested in figuring out what type of false documents to purchase via an illegal channel. That’s right. The report is a compendium of ideas for bad actors; for example:

The study covers twenty countries selected from across Europe and other regions. The countries included in the study are Australia, Austria, Belgium, Brazil, Canada, Denmark, Estonia, Finland, France, Germany, Ireland, the Netherlands, New Zealand, Norway, Romania, Singapore, Sweden, Switzerland, the UK, and the USA. Of the countries included in the study, eleven offered a partial or full online passport application service. Australia, Brazil, Estonia, France, Switzerland, and the USA were assessed at level three in the service maturity assessment. Level three represents a partial online application service in which citizens can submit application details (all data required excluding the passport image) online, in advance of attending an appointment to complete the application. The critical efficiency at this level is minimizing the volume of data inaccuracy associated with paper applications and capturing the data in advance of attending a public office, which leads to a reduction in data errors and also provides a more efficient service. Finland, Ireland, New Zealand, Singapore and the UK were assessed at level four. This represents a passport service that offers citizens an entirely online application process, though some offline interaction may be required. Passport services at this level offer online services for handling problems with the application, for example, resubmitting a photo digitally if the initially submitted photo did not meet specified standards.

The countries with what appear to be business processes in need of digital enhancement are countries like Romania and Sweden. Sweden?

The report could be used as a shopping guide for false documents which may be used to enter a country illegally. On the other hand, the report is designed to help BearingPoint sell consulting services.

Interesting information if the data are accurate.

Stephen E Arnold, September 15, 2020

Happy Saturday: Malicious PayPal Sites

September 14, 2020

DarkCyber spotted “10 Malicious PayPal Sites.” The write-up consists of a list of sites which the wise Web surfer may wish to avoid. Each of the sites contains the string “paypal” in its name. The domains are interesting as well; for example, “verifiedly” and “watch4dollar.” What’s interesting is that existing cyber security methods are not flagging or filtering these sites. Even more disturbing is the idea that a person would click on a site named “paypalsupport.” For anyone who has tried to obtain support from PayPal, the idea that a legitimate PayPal site would offer useful information to a user with a question is itself a tip-off that something is not in line with normal PayPal behavior.
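The check the write-up implies is cheap to implement: a hostname that contains a brand name but is registered somewhere other than the brand’s own domain is a lookalike. The following is an added example, not code from the write-up or from PayPal. It assumes paypal.com is the only legitimate PayPal domain (a real allowlist would be built from the brand’s published domains), uses a four-entry stand-in for the Public Suffix List, and tests constructed hostnames in the reserved .example TLD; the “verifiedly” and “watch4dollar” labels are borrowed from the post, the rest of each hostname is made up.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> domains the brand is known to use.
# paypal.com is the only entry here; a real deployment maintains this list from
# the brand's published domains and treats anything else as foreign.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Stand-in for the Public Suffix List so that "paypal.co.uk" is one registrable
# domain rather than "co.uk"; a deployment should load the real list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "co.jp"}

# Digits that commonly stand in for letters in lookalike names.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_SEPARATORS = re.compile(r"[-_.]")


def hostname(url):
    """Extract the host from a URL or bare hostname; '' if there is none."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """eTLD+1 under the small suffix table above."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold(host):
    """Collapse the whole hostname to a plain string so that 'pay.pal-login'
    or 'paypa1' still reads as 'paypal'."""
    return _SEPARATORS.sub("", host).translate(_HOMOGLYPHS)


def classify(url):
    """'legit' if a brand term appears and the registrable domain is the brand's,
    'lookalike' if the term appears anywhere else in the host, 'unrelated' if
    no brand term appears, 'invalid' if there is no host at all."""
    host = hostname(url)
    if not host:
        return "invalid"
    owner = registrable_domain(host)
    folded = fold(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in folded:
            return "legit" if owner in legit else "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed hostnames in the reserved .example TLD; none are real sites.
    for u in ["https://www.paypal.com/signin",
              "https://www.paypal.com.verifiedly.example/login",
              "paypalsupport.watch4dollar.example",
              "http://secure-paypa1.example",
              "https://pay.pal-verify.example/",
              "https://example.com/paypal"]:
        print(f"{classify(u):10} {u}")
```

Only the host is examined; a brand name in the path (example.com/paypal) is a separate, noisier signal and is deliberately left to other controls.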

Stephen E Arnold, September 14, 2020

DarkCyber for September 8, 2020: Innovation, Black Hat SEO, Drovorub, Sparks Snuffed, and Killer Drones

September 8, 2020

DarkCyber Video News for September 8, 2020, is now available. You can view the video on YouTube, Facebook, and the DarkCyber blog.

The program covers five stories:

First, the Apple-Fortnite dispute has created some new opportunities for bad actors and their customers. The market for stolen Fortnite accounts is robust. Accounts are for sale on the Dark Web and the Regular Web. Some resellers are allegedly generating six figures per month by selling hapless gamers’ accounts.

Second, you can learn how to erode relevance and make a page jump higher in the Google search results lists. Pay $50 and you get information to set up an Amazon or eBay store with little or no investment. No inventory has to be purchased, stored, and shipped. Sound like magic?

Third, the FBI and NSA have published a free analysis of Drovorub malware. If you are responsible for a Linux server, downloading the advisory may save you time, money, and loss of important data.

Fourth, a team of international law enforcement professionals shut down the Sparks video piracy operation. The impact of the shut down hits pirate sites and torrents. Three of the alleged operators have been identified. Two are under arrest, and the third is fleeing Interpol.

Finally, in this program’s drone report, DarkCyber explains how drug lords are using consumer drones in a novel and deadly way. Consumer-grade drones are fitted with explosives and a detonator. Each drone comes with a radio control unit and a remote trigger for the on-drone detonator. The purpose is to fly the drone near a target and set off the explosive. To ensure a kill, each weaponized drone also carries a container of steel ball bearings.

DarkCyber is a production of Stephen E Arnold and the DarkCyber research team.

Kenny Toth, September 8, 2020

Why Update? Surprise, Hacker Masquerade Time

September 1, 2020

Vulnerability assessment firm Positive Technologies has shared some results from their penetration tests (“pentests”) on corporate information systems. Though they do not reveal data on individual clients, they report some eye-opening statistics. IT Brief reports on these findings in, “Hackers Difficult to Distinguish from Legitimate Users—Study.” Writer Shannon Williams tells us:

“At 61% of the companies, we found at least one simple way to obtain control of infrastructure that would have been feasible even for a low-skilled hacker. The testers noted that legitimate actions that would be unrecognizable from regular user activity accounted for 47% of the actions that allowed pentesters to create an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller. These actions allow hackers to obtain credentials from corporate network users or information required to develop the attack. The risk is that it is hard to differentiate between such actions and the usual activities of users and administrators, making it more likely that the attack will remain unnoticed. These incidents can however be detected with security incident detection systems. The testing also demonstrated that the attackers can exploit known vulnerabilities found in outdated software versions to remotely execute arbitrary code, escalate privileges, or learn important information. What the experts see most often is lack of current OS updates.”

And that, boys and girls, is why we must always keep our operating systems up to date. The write-up shares a little about how hackers can use OS quirks to gain access to and traverse systems. Keeping your Windows updated will not, however, patch holes caused by lax permissions, single-factor authentication routines, and other liabilities. Not surprisingly, Positive Technologies’ Ekaterina Kilyusheva suggests companies hire a specialist to perform an internal pentest that will assess their systems’ vulnerabilities.

Cynthia Murrell, September 1, 2020

DarkCyber for 8-25-20: Andrax Hacker Toolkit, NSO Group PR Push, Tor Under Attack, and Eagle Drone Killer

August 25, 2020

DarkCyber is a video news program produced by Stephen E Arnold, publisher of Beyond Search and DarkCyber. You can view this week’s program on YouTube or Facebook.

The program for August 25, 2020, contains four stories. The first focuses on a hacker’s toolkit called Andrax. The packager of this penetration testing bundle makes some bold claims. Security professionals who use highly regarded pentest systems from ImmunitySec are called “dumbs” and “lamers.” Clever or uninformed marketing? You have to determine the answer for yourself.

The second story summarizes highlights of the Massachusetts Institute of Technology’s “Technology Review” interview with the founder of NSO Group. NSO Group, unlike most vendors of specialized software, has been the subject of media scrutiny. In the interview, the founder of NSO Group seems to suggest that he does not understand the intelware market. Even more interesting is MIT’s decision to publish the interview and give NSO Group more media exposure. DarkCyber asks a question others have not posed.

The third story reviews two surprising items of information from a Nusenu study or analysis. (Nusenu may be a security firm, a Web services vendor, or a single individual.) The first interesting revelation in the Nusenu report is that about 25 percent of Tor exit relay capacity was controlled by a single unknown malicious actor. The second juicy morsel is the identification of five Internet service providers who may be hosting Tor relay servers and other interesting services.

The final story zooms to a single eagle. The Michigan government learned that an expensive drone was destroyed by an eagle. If you want your own raptor to knock down surveillance drones, DarkCyber provides a company that will provide an organic c-UAS (counter unmanned aerial system).

Kenny Toth, August 25, 2020


KnowBe4: Leveraging Mitnick

August 21, 2020

Many hackers practice their “art” because they want to beat the system, make easy money, and challenge themselves. White hat hackers are praised for their Batman vigilante tactics, but black hat hackers like Kevin Mitnick cannot even be classified as Robin Hoods. The Fast Company article, “I Hired An Infamous Hacker-And It Was The Best Decision I Ever Made” tells Stu Sjouwerman’s story about hiring Kevin Mitnick.

Mitnick is a typical child hacker prodigy, who learned about easy money through pirated software. He went to prison for a year, violated his parole, and was viewed as an antihero by some and a villain by others. Either way, his background was controversial, and yet Sjouwerman decided to hire him. Sjouwerman was forming a new company centered on “social engineering” or “hacking the human,” terms used to describe tricking people into clicking harmful links or downloading malware-infested attachments. For his new cybersecurity company, Sjouwerman knew he needed a hacker:

“That was a turning point for my startup, KnowBe4. By recruiting Mitnick, we gained invaluable insights about where employees are most vulnerable. We were able to use those insights to develop a practical platform where companies can see where their own employees stumble and, most importantly, train them to recognize and avoid potential pitfalls. This is essential for any business because if all other security options fail, employees become a company’s last line of defense—one unintentional blunder can infect the entire network and bring down the whole company.”

Mitnick’s infamous reputation also gave the new startup a type of legitimacy. Other players in the cybersecurity industry knew about Mitnick’s talents and using them for white hat tactics gave KnowBe4 an advantage over rivals. Mitnick also became the center of KnowBe4’s marketing strategy, because he was a reformed criminal, understood the hacker community, and gave the startup an edgy yet authentic identity.

Hiring Mitnick proved to be the necessary step to make KnowBe4 a reputable and profitable business. It is also a story about redemption, because Mitnick donned the white hat and left his criminal past behind.

Will KnowBe4’s marketing maintain its momentum? Cyber security firms appear to be embracing Madison Avenue techniques. Watch next week’s DarkCyber for a different take on NSO Group’s “in the spotlight” approach to generating cyber intelligence sales.

Whitney Grace, August 21, 2020

DarkCyber for August 11, 2020, Now Available

August 11, 2020

DarkCyber is a video news program about the Dark Web, cyber crime, and lesser known Internet services. The program for August 11, 2020, covers four stories. This week’s program is available on YouTube. [Note below]

Stephen E Arnold, the producer of DarkCyber, illustrates how to jam Alexa’s surveillance components. When white noise is not enough, Arnold points to a Web site which sells a wide array of jamming equipment. The video features a diagram of how a jamming device can disrupt mobile signals, Wi-Fi, and Bluetooth from a vehicle. If a basic mobile jammer is not suitable, Arnold provides information about a military-grade detection and jamming device with a comprehensive kill chain subsystem. Arnold reminds the viewer that use of some jamming devices can have unexpected, and in many jurisdictions legal, consequences.

The second story addresses the TikTok dust up between the US and China. Arnold focuses on the trivializing of the TikTok threat by pundits. These individuals, in Arnold’s opinion, are not assessing the social engineering risks posed by a TikTok-type service. Data from a consumer app can pinpoint an individual who may be susceptible to cash inducements or threats to compromise the security of a workplace. TikTok videos may be silly, but the operators of the services are unlikely to be blind to the value of the data and its utility.

The third story considers iPhone hacking. Software, available via the regular Web, promises to hack an iPhone. If that approach does not work, there are hackers advertising iPhone hacking on the regular Internet. But what if the hack requires more aggressiveness? Arnold provides a link to a Dark Web site which makes clear that its operator will do anything for money. Can the iPhone be hacked? That depends on one’s willingness to believe information published on the Internet.

The final story focuses on the August 2020 Interpol report about cyber crime in the time of Covid. The report is available without charge, and its findings echo those of speakers at the 2020 National Cyber Crime Conference, held in July 2020. Arnold provides the URL from which the new report can be downloaded.

I wanted to point out that we will no longer post a copy of the video on Vimeo. That company sent an email demanding that Stephen E Arnold upgrade to a Pro account. Instead of saying, “We are raising prices,” Vimeo threatened Arnold with termination of his account because the free DarkCyber video is a commercial enterprise. Arnold wrote Vimeo twice pointing out that he retired in 2013, produces the video without financial support or sponsorship, and makes the content available to anyone interested in the Dark Web, cybercrime, and lesser known Internet services. Arnold told me,

“Millennial marketers at Vimeo think they are doing their job by making false accusations and then ignoring respectful questions about the fee change. Cancel culture to Vimeo: ‘You are history. This is your termination notice.’”

We will give Facebook a whirl and include that url if the service allows easy access with a minimum of invasive surveillance, pop ups, and targeted advertising for WhatsApp.

Kenny Toth, August 11, 2020
