Log4Shell: Tough to Hide This Fire

December 28, 2021

Billy Joel was absolutely right when he sang the acclaimed song “We Didn’t Start The Fire” about the world’s slow demise. Unlike the planet, the Internet is regularly set ablaze and the demise is quick. The current flame is “Log4Shell,” and it gives bad actors back doors into clouds and enterprise systems to steal data, download malware, erase information, and cause mayhem. AP News explores the breach in: “‘The Internet’s On Fire’ As Techs Race To Fix Software Flaw.”

The bug dubbed “Log4Shell” originated in open source Apache software used to run Web sites and other Web services. While open source software is a boon to the world, it is not updated as quickly as proprietary software. Amazon, for example, updates itself daily while systems running Apache only update at their owners’ behest.

Funnily enough, the “Log4Shell” vulnerability was first noticed in a children’s game:

“The first obvious signs of the flaw’s exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box. Microsoft said it had issued a software update for Minecraft users. ‘Customers who apply the fix are protected,’ it said.”

Cyber security is not child’s play, but hacking is for some bad actors. Thankfully developers are working on a patch to prevent further damage. Security professionals really should not panic; they should combine their knowledge to find a solution more quickly.

A couple of points:

  1. The issue allegedly was disclosed by an Alibaba tech professional, possibly Chen Zhaojun.
  2. China suspended an apparently “big” cyber security deal with Alibaba after the disclosure.

Are these two actions connected; specifically, did China lose control of a really nifty zero day? Beyond Search thinks that the career trajectory of some Alibaba professionals will be interesting to watch. Are there IT jobs in Ürümqi?

Whitney Grace, December 28, 2021

Russia May Not Contribute to the Tor Project in 2022

December 28, 2021

This is probably not a surprise to those involved with the Tor Project. We noted some evidence of Russia’s view of anonymized Internet browsing in “Russia Blocks Privacy Service Tor In Latest Move To Control Internet.” The article reports:

Russia’s media regulator has blocked the online anonymity service Tor in what is seen as the latest move by Moscow to bring the Internet in Russia under its control. Roskomnadzor announced it had blocked access to the popular service on December 8, cutting off users’ ability to thwart government surveillance by cloaking IP addresses.

The Tor Project responded with some tech tips for ways to get around the Putin partition. (Think Tor bridge. Some details are at this link.)

Does this mean that Russia has no interest in Tor? Nope. We think that some of Mr. Putin’s fellow travelers are hosting Tor relay servers, but that’s just something we heard from a person yapping about freedom.

What’s next? How about blocking any service originating in nation states not getting with Mr. Putin’s Ukrainian program? It is unlikely that Sergey Brin’s flight on a Russian rocket ship will become a reality in 2022. We also heard that the Google Cloud hosts some services that Mr. Putin thinks may erode the freedoms enjoyed by Russian citizens.

Stephen E Arnold, December 28, 2021

Red Kangaroos? Maybe a Nuisance. Online Trolls? Very Similar

December 16, 2021

It is arguable that trolls are the worst bullies in history, because online anonymity means they do not face repercussions. Trolls’ behavior has caused innumerable harms, including suicides, psychological problems, and real life bullying. Local and international governments have taken measures to prevent cyber bullying, but ABC Australia says the country-continent is taking a stand: “Social Media Companies Could Be Forced To Give Out Names And Contact Details, Under New Anti-Troll Laws.”

Australia’s federal government is drafting laws that could force social media companies to reveal trolls’ identities. The new legislation aims to hold trolls accountable for their poor behavior by having social media companies collect user information and share it with courts in defamation cases. The new laws would also hold social media companies liable for hosted content instead of users and management companies. The article reports the prime minister’s remarks:

“Prime Minister Scott Morrison said he wanted to close the gap between real life and discourse online. ‘The rules that exist in the real world must exist in the digital and online world,’ he said. ‘The online world shouldn’t be a wild west, where bots and bigots and trolls and others can anonymously go around and harm people and hurt people.’”

The new law would require social media companies to have a complaints process for people who feel they have been defamed. The process would ask users to delete defamatory material. If they do not, the complaint could be escalated to the point where users’ details are shared so that court orders can be issued and people can pursue defamation action.

One of the biggest issues facing the legislation is who is responsible for trolls’ content. The new law wants social media companies to be held culpable. The complaints system would allow the social media companies to use it as a defense in defamation cases.

The article does not discuss what is deemed “defamatory” content. Anything and everything is offensive to someone, so the complaints system will be abused. What rules will be instituted to prevent abuse of the complaints system? Who will monitor it and who will pay for it? An analogous example is YouTube’s system for deciding what constitutes “appropriate” children’s videos and how it flags videos for intellectual property theft as well as inappropriate content. In short, YouTube’s system is not doing well.

The social media companies should be culpable in some way, such as sharing user information when there is dangerous behavior, e.g., suicide, any kind of abuse, child pornography, planned shooting attacks, and other crimes. Sexist and abusive comments that are not an opinion, e.g., saying someone should die or is stupid for being a woman, should be monitored and users held accountable. It is a fine line, though, determining the dangers in many cases.

Whitney Grace, December 16, 2021

Specialized Software Vendors: Should They Remember the Domino Theory?

December 15, 2021

Lining up dominoes, knocking one down, and watching the others in a line react to what some non-nuclear types call a chain reaction is YouTube fodder. One can watch geometric growth manifested in knocked down dominoes. Click here for the revelation. We may have some domino action in the specialized software and services market. This “specialized software and services” is my code word for developers of intelware and policeware.

“US Calls for Sanctions against NSO Group and Other Spyware Firms” reports:

a group of politicians (including Senate Finance Committee chair Ron Wyden, House Intelligence Committee chair Adam Schiff and 16 other Democrats) accuses NSO and three other foreign surveillance firms of helping authoritarian governments to commit human rights abuses.

And what firms are the intended focus of this hoped for action? According to the write up, the companies are:

  1. Amesys (now called Nexa Technologies). This was a company which found purchase in some interesting countries bordering the Mediterranean, garnered some attention, and morphed into today’s organization.
  2. DarkMatter (based in United Arab Emirates). This is an interesting outfit which has allegedly recruited in the US and possibly developed a super duper secure mobile device. The idea was to avoid surveillance. Right?
  3. Trovicor (based in Germany) once was allegedly a unit of Nokia Siemens Networks and is mentioned in a fiery write up called “Explosive Wikileaks Files Reveal Mass Interception of Entire Population.” That’s a grabber headline I suppose. True or false? I have zero idea but it illustrates the enthusiasm some evidence when realizing that interesting companies provide some unique services to their customers.

The reason for the hand waving is the publicity the NSO Group has inadvertently generated.

Will the knock on NSO Group have an impact on Amesys Nexa, DarkMatter, and Trovicor? Those YouTube videos may foreshadow what might happen if government officials look for the more interesting and more technologically advanced specialized software and services companies. Where can one find a list of such organizations? Perhaps the developer of the new OSINT service knows? Curious? Write darkcyber333 @ yandex dot com.

Stephen E Arnold, December 15, 2021

Chinese Company Excitement: Xiaomi

December 15, 2021

Own stock in Alibaba? Well, think Xiaomi.

Lithuania made a discovery during a recent cybersecurity assessment that, honestly, does not surprise us in the least. We learn of the finding in Big Technology’s piece, “A Xiaomi Phone Might’ve Shipped With a Censorship List in Europe. Now What?” A certain Xiaomi phone model sold in Europe was found to carry a built-in censorship list of about 450 political terms, like “democratic movement” and “long live Taiwan’s independence.” The blocklist lay dormant, but it could have been activated remotely at any time. It is thought its inclusion on phones shipped outside China, where censorship is the norm, may have been a mistake. Reporter Alex Kantrowitz writes:

“After the government published its findings, things got weird. The list swelled to more than 1,000 terms, including hundreds of non-political terms like ‘pornography,’ seemingly to turn the political blocklist into something more generic. Then, it disappeared. ‘They reacted,’ Margiris Abukevicius, Lithuania’s vice minister for defense, told me. ‘It wasn’t publicized from their side.’ The accusations, which Xiaomi disputes, clarified just how fraught the West’s relationship is with China’s growing technology power. As China-based tech companies like Xiaomi and TikTok flourish, there’s still no playbook in North America or Europe to deal with their potential to censor or steer culture via algorithms. TikTok, with its inscrutable feed, remains unchecked. And the Lithuanian government’s report on Xiaomi, replicated by another researcher, sparked a collective shrug. ‘Western countries,’ Abukevicius said, ‘are more and more reliant on technologies, and a big part of those technologies comes from countries which are not friendly, which we don’t trust, and it poses risks.’ How to address those risks remains unclear, though. Xiaomi was Europe’s top-selling smartphone manufacturer in the second quarter of 2021, and it’s number two in the world overall.”

Not in the US, though. Xiaomi was blacklisted here until recently, and FCC commissioner Brendan Carr is taking Lithuania’s discovery into account as he decides whether to allow Xiaomi smartphones to run on our wireless networks. In Europe, more countries are investigating the matter. It is uncertain what measures will be taken; an outright ban seems “extreme,” we’re told, considering there is no evidence the blocklist was ever activated within the EU. Kantrowitz points out the bigger issue going forward is a more general one—Western nations need a plan to address the culture clash and potential security risks cropping up on our devices.

Cynthia Murrell, December xx, 2021

Russia, Tor, and Maybe Sybil Are a Thing?

December 14, 2021

Dictatorships are in vogue, at least in some parts of the world. One interesting response to the Onion Router Technology has been to look up that well known person Sybil. That individual makes it possible to participate in onion routing. Then Sybil’s admirers can process assorted Internet metadata and time stamps in order to learn some interesting things. One of those interesting things is explained in “Russia Ratchets Up Internet Control by Blocking Tor.” Russia learned that it does not want the Onion Router within the land of vodka, bears, and forgotten gulags. Makes sense, doesn’t it?

The write up says:

GlobalCheck, a group that monitors websites’ accessibility in Russia, confirmed that blocking had begun.

Is it possible to block Tor?

Probably not 100 percent. But the steps, including the enabling legislation, suggest that getting caught might have consequences. Believe it or not, there is a person who gets some support from the Russian government to locate burial grounds associated with gulags.

Perhaps that individual will get the opportunity to have some new explorations to undertake?

Stephen E Arnold, December 14, 2021

US Government Procurement: Diagram the Workflow: How Many Arrows Point Fingers?

December 8, 2021

I want to keep this short. For a number of years, I have pointed out that current Federal procurement procedures and the policies the steps are supposed to implement create some issues. I like to mention procurement time for advanced software. By the time the procurement goes through the RFQ, the RFP, the proposal evaluation, the selection, the little meeting at which losers express their concerns, and the award — the advanced technology is often old technology. Another issue is the importance of marketing hoo hah which often leads the Federal government to purchase products and services which are different from that which was described in the PowerPoint presentations and the proposals. There are other interesting characteristics of the process; for example, coffee chats with senators, nice lunches with important people who may pop up on a cable TV talking head program, or good old friendship from a college social group. Ah, yes. Procurement.

“US Government Agencies Bought Chinese Surveillance Tech Despite Federal Ban” is a collection of some procurement anecdotes. Interesting? Not particularly. Why? There are no consequences for buying products and services from vendors who should not be eligible for US government contracts. The article focuses on China-related missteps. The explanations are crafted to avoid getting anyone in legal hot water.

Net net: I worked in DC starting in the early 1970s. How much has changed in the last 50 years? Not much. China is a nemesis, but China was a bit of a nemesis 50 years ago. The FARs have been updated. Nevertheless, some interesting purchases have been made over the years. Where’s the Golden Fleece Award now? Are there some unwanted and unloved tanks parked somewhere? What about certain air superiority systems which experience more downtime than a second hand taxi purchased from a shady character in Mexico City? Yes, procurement and some proud moments. Why not fire up that TikTok and ignore the useful data hosed back to certain servers?

Stephen E Arnold, December 8, 2021

If One Thinks One Is Caesar, Is That Person Caesar? Thumbs Up or Thumbs Down

December 7, 2021

I read a story which may or may not be spot on. Nevertheless, I found it amusing, and if true, not so funny. The story is “Facebook Refuses to Recognize Biden’s FTC As Legitimate.” I am not sure if the original version of JP Morgan would have made this statement. Maybe he did?

Here’s a statement from the article which I circled in Facebook blue:

The FTC didn’t “plausibly establish” that the company “maintained a monopoly through unlawful, anticompetitive conduct.” It asked the court to dismiss the complaint with prejudice. In the court filing, Facebook also once again argued that Khan should recuse herself, saying that her not doing so will “taint all of the agency’s litigation choices in the event the case proceeds.”

I think Julius Caesar, before he had a bad day, allegedly said:

If you must break the law, do it to seize power: in all other cases observe it.

My thought is, “Enough of this pretending to be powerful.” Let’s make the US a real 21st century banana republic. Is there a T shirt which says, “Tech Rules” on the back and “I am Julius” on the front? There may be a market for one or two.

Stephen E Arnold, December 7, 2021

Surveillance Made Easy: The Russian Way

December 2, 2021

US tech companies want a foothold in the Russian market, and Putin wants them to have an edge to step on. There is a caveat: they must have a presence in Russia by the end of 2021 or else…er…face restrictions or bans. Rappler explains why Russia wants thirteen foreign technology companies to establish offices in the country: “Moscow Tells 13 Mostly US Tech Firms They Must Set Up In Russia By 2022.”

Communications regulator Roskomnadzor released the demand on Monday, November 22. It explained what the companies needed to do and targeted ones that already have Russian offices:

“Foreign social media giants with more than 500,000 daily users have been obliged to open offices in Russia since a new law took effect on July 1. The list published on Monday names the companies for the first time. It lists Alphabet’s Google, Facebook, Twitter, TikTok, and messaging app Telegram, all of which Russia has fined this year for failing to delete content it deems illegal. Apple, which Russia has targeted for alleged abuse of its dominant position in the mobile applications market, was also on the list.”

If the companies do not follow the new demand, they will face restrictions on data collection, money transfers, and advertising, or outright bans.

Russia wants to promote its own tech industry. The government is doing so by proposing more taxes on foreign companies, tax cuts for domestic tech, and a requirement that any brand new device offer Russian software.

The demand is also viewed as a way for Russia to exert more control over the Internet and technology. It could hinder individual and corporate freedoms.

Rules are not clear about what and how tech companies should represent themselves in Russia. Roskomnadzor did say foreign entities are required to limit information that violates Russian legislation.

Russia might be masking domestic technology development and economic recovery behind surveillance.

Whitney Grace, December 2, 2021

Frisky Israeli Cyber Innovators Locked Down and Confined to Quarters

November 26, 2021

Before the NSO Group demonstrated remarkable PR powers, cyber centric companies in Israel were able to market to a large number of prospects. Conference organizers could count on NSO Group to provide speakers, purchase trade show space, and maybe sponsor a tchotchke for attendees. Governments and even some commercial enterprises knew about NSO Group’s technological capabilities and the firm’s ability to provide a network which eliminated quite a bit of the muss and fuss associated with mobile device surveillance, data analysis, and related activities.

How did that work out?

The PR sparked “real journalists” to use their powers of collecting information, analyzing those items, and making warranted conclusions about NSO Group’s enabling activities. Sure, pesky Canadian researchers were writing about NSO Group, but there wasn’t a “real news” story. Then… bingo. A certain individual associated with a “real news” organization was terminated and the arrows of data and supposition pointed to NSO Group’s capabilities and what one of the firm’s alleged customers was able to do with the system.

The journalistic horses raced out of the gate, and the NSO Group became a “thing.”

Vendors of specialized software are not accustomed to the spotlight. Making sales, collecting fees, and enjoying pats on the backs from colleagues who try hard to keep a low, low profile are more typical activities. But, oh, those spotlights.

The consequences have been ones cyber innovators would prefer to avoid. Former superiors send email asking, “What are you doing?” Then government committees, consisting of people who don’t know much about next generation technologies, have to be briefed. And those explanations are painful because the nuances of cyber centric firms are different from explaining how to plug in a Tesla in Tel Aviv. Oh, painful.

Now, if the information in the Calcalist’s article “The Ministry of Defense Has Cut by Two-Thirds the Number of Countries That Cyber Companies Can Sell To” is accurate, the Israeli government has put a shock collar on NSO Group’s ankle and clamped the devices on other firms’ well-formed, powerful legs as well. The message is clear: Stay in bounds or you will be zapped. (I leave it to you to figure out what “zap” connotes.)

The publication’s story says:

The [Israeli] Ministry of Defense has cut by two-thirds the number of countries that cyber companies can sell to. The previous list included 102 countries to which cyber exports are allowed, and now it includes only 37 countries. The latest list from the beginning of November does not include countries such as Morocco, Mexico, Saudi Arabia and the United Arab Emirates.

Who’s at fault? The Calcalist offers this statement:

It is implied that Israel used in a very permissive manner the special certificates that it may grant and was in any case aware of where the Israeli society is known. It is important to note that the new list includes companies to which cyber can now be exported and it is possible that in the past lists there were other countries to which systems could be exported without fear.

My knowledge of Hebrew is lousy and Google translate is not helping me much. The main idea is that up and down the chain of command, the “chain” was not managed well. Hence, the PR gaffes, the alleged terminations, and the large number of high intensity lights directed at companies which once thrived in the shadows.

Some observations:

    1. Countries unable to acquire the technology associated with NSO Group are likely to buy from non-Israeli firms. Gee, I wonder if China and Russia have specialized software vendors who will recognize a sales opportunity and not do the PR thing in which NSO Group specialized?
    2. The publicity directed at NSO Group has been a more successful college class than the dump of information from the Hacking Team. A better class may translate to more capable coders who can duplicate and possibly go beyond the Israeli firms’ capabilities. This is a new state of affairs in my opinion.
    3. Cyber technologies are the lubricant for modern warfare. Israel had a lead in this software sector. It is now highly likely that the slick system of government specialists moving into the private sector with “support” from certain entities may be changed. Bummer for some entrepreneurs? Yep.

Net net: The NSO Group’s PR excesses — combined with its marketing know-how — have affected a large number of companies. Keeping secrets is known to be a wise practice for some activities. Blending secrecy with market dynamics is less wise in my experience. This NSO Group case is more impactful than the Theranos Silicon Valley matter.

Stephen E Arnold, November 25, 2021
