Insider Threats: Still a Useful Mechanism for Bad Actors

January 27, 2022

I read “Ransomware Gangs Increase Efforts to Enlist Insiders for Attacks.” I am not down with the notion of “increase efforts.” Identifying individuals who will provide user names, passwords, or facile fingers to slip a malware loaded USB key into a computer connected to an organization’s network has been a go-to method for a long, long time.

The write up states:

The survey was conducted by Hitachi ID, which performed a similar study in November 2021. Compared to the previous survey, there has been a 17% rise in the number of employees offered money to aid in ransomware attacks against their employer. Most specifically, 65% of the survey respondents say that they or their employees were approached between December 7, 2021, and January 4, 2022, to help hackers establish initial access.

The factoid in the magic-with-statistics write up is that a lot of individuals report brushes with the insider ploy. What’s important to remember is that an insider can come from several different pools of people:

  1. There are disaffected employees who can be identified and then interviewed for a bogus news service or for a consulting job. A skilled contact working with an annoyed employee can often extract what might be termed a mother lode of useful information, including details about security, access, and other disaffected employees who want to put it to the “man” or “woman” who ruined a perfectly good morning of reading online news.
  2. Clueless former employees who respond to a LinkedIn-type job posting or an engaging individual in what sure looks like a chance encounter. Some individuals need or love money, and the engaging individual can buy or solicit security information from the CFE (clueless former employee).
  3. Happy current employees who find themselves confronted with a person who has information about a past indiscretion memorialized on Instagram, Meta, or TikTok. Maybe the current happy employee has forgotten text and images sent to an individual with some interesting preferences or behaviors. Blackmail? Well, more like leveraging TikTok-type data to identify and screen potential targets.
  4. Contractors, those faceless and often nameless individuals who eat in their cubes rather than in the two-star cafeteria reserved for real employees. Contractors can be hired, and one can interact with these professionals. It is possible that these individuals can provide the keys to the kingdom, so to speak, without knowing what treasures are unlocked by what seems to be casual conversation.
  5. Children of employees can be asked to give mom or dad a USB. The unwitting employee slams the key into the slot unaware that it has been weaponized. Who asks kids? A skilled operative can present herself as a colleague at the front door, explain this was your mom or dad’s memory stick, and ask the young person to hand it over to the parent. (If this method works, bingo. If it fails, another approach can be made. Wearing Covid masks and dressing in normcore gray with a worn ball cap can help too.)

Why am I identifying pools of insiders? Most of the cyber security firms do not have systems which cover these points of insider vulnerability. Do some of the firms purport to have these bases covered?

Of course.

That’s the point. The customer won’t know until it is too late. Predictive analytics and cyber threat intelligence struggle in certain situations. Insiders are one such example.

Stephen E Arnold, January 27, 2022

PR Dominance: NSO Group Vs Peloton

January 27, 2022

If you have followed the PR contrail behind the NSO Group, you probably know that the Israeli specialized software and services firm has become a household name at least among the policeware and intelware community. A recent example is reported in “Israel’s Attorney General Orders Probe of NSO Spyware Claims.” The write up explains:

Israel’s attorney general says he is launching an investigation into the police’s use of phone surveillance technology following reports that investigators tracked targets without proper authorization

Not good.

But there is a bright cloud on the horizon.

“Second TV Show Emerges With Peloton Twist As A Plot Point” asserts:

Already reeling from its announcement last week that it is halting production of its connected fitness products as demand wanes, Peloton must now face another tv show that seems to indicate its devices may cause issues for a certain segment of the population.

Translating the muffy-wuffy writing, the idea is that a character in a US tv show rides a Peloton, suffers a heart attack, and dies. The alleged panini-zation of small creatures under one model’s walking belt was a definite negative. But not even NSO Group is depicted knocking off the talent in a program. Keep in mind that two shows use the Peloton as an artistic device, a twist on the deus ex machina from the Greek tragedies on the high school English required reading list.

Will Peloton continue its climb to the top of the PR leader board? My hunch is that NSO Group hopes that it does.

Stephen E Arnold, January 27, 2022

Smooth Persuasion and Smoothie Excitement

January 27, 2022

I have seen the allegedly non deep fake video. I have scanned social media comments. And I read the definitive write up “A Top Merrill Lynch Financial Advisor Faces Charges after Hurling a Drink at a Smoothie-Store Employee and Making a Racist Remark, Police Say.” The write up reports:

A top financial advisor at Merrill Lynch was arrested and charged after he threw a drink at a worker at a smoothie store and made a racist remark during an altercation that appeared to arise from his son’s peanut allergy, the police said.

My hunch is that the “top financial advisor” assumed that the Smoothie professional knew his son’s medical history. The Smoothie professional prepared a Smoothie, including a compound known to trigger a response which can produce cardiac arrest or anaphylaxis, among other responses.

From my experience, “top financial advisors” can assume that anyone in their galaxy tunes into the music of the financial spheres. Once tuned in, those taking Smoothie orders comply with Wall Street type requests and know what to do, now.

A failure to interact means that the ineffective employee will receive a harsh review when an annual people resources assessment takes place.

Several observations:

  1. The Smoothie professional failed to respond to the “top financial advisor’s” messaging outputs; therefore, that Smoothie professional is unlikely to be hired by a top New York money shop like a Merrill Lynch type of operation.
  2. The “top financial advisor” appears to have the interpersonal skills suitable for a senior management role at a Silicon Valley-type of organization
  3. The alleged Smoothie critic’s verbal mastery shows in crisp, no-nonsense language; for example, according to the write up cited, “stupid, #$%#! ignorant high school kids” and “#$%#! immigrant loser.” Opportunities to join an online advertising copywriting team or possibly the outbound communications team at an artificial intelligence start up are likely to be plentiful.

To sum up: Another example of what I call the high school science club management method for interpersonal communications. Outstanding example indeed.

Stephen E Arnold, January 27, 2022

2022 Adds More Banished Words To The Lexicon

January 27, 2022

Every year since 1976, Lake Superior State University in Michigan has compiled a list of banished words to protect and uphold standards in language. The New Zealand Herald examines the list in the article, “Banished Word List For 2022 Takes Aim At Some Kiwi Favorites.” New Zealanders should be upset, because their favorite phrase “No worries” made the list.

Many of the words that made the list were due to overuse. In 2020, COVID related terms were high on the list. For 2021, colloquial phrases were criticized. Banned word nominations came from the US, Australia, Canada, Scotland, England, Belgium, and Norway.

“‘Most people speak through informal discourse. Most people shouldn’t misspeak through informal discourse. That’s the distinction nominators far and wide made, and our judges agreed with them,’ the university’s executive director of marketing and communications Peter Szatmary said.

LSSU president Dr Rodney Hanley said every year submitters suggested what words and terms to banish by paying close attention to what humanity utters and writes. ‘Taking a deep dive at the end of the day and then circling back make perfect sense. Wait, what?’ he joked.”

Words that made the list were: supply chain, you’re on mute, new normal, deep dive, circle back, asking for a friend, that being said, at the end of the day, no worries, and wait, what?

Whitney Grace, January 27, 2022

Google CEO Named in Copyright Violation Suit: Travel Plans to India This Week, Mr. Pichai?

January 26, 2022

YouTube, Google, and copyright are a long-term threesome. Reports like “Suneel Darshan Files Complaint, Mumbai Police Books Google CEO Sundar Pichai and Others for Copyright Act Violation” are not likely to be a tweeter meme in the US. However, for the Indian film maker Suneel Darshan, it’s a big deal. Mr. Darshan appears to be unhappy with Google’s smart YouTube copyright violation system powered by Google’s deep diving, snorkel equipped machine learning systems for artificial intelligence.

Mr. Darshan, either for public relations or from a desire to amp up his viewpoint, has filed what’s called in India an FIR or First Information Report. Named in the alleged copyright violation are Sundar Pichai and a handful of other Googlers.

So what? Several thoughts from my hollow in rural Kentucky:

  1. Lawyers will descend on the government offices and the zippy Indian legal system will move forward. In time, something will happen. In the meantime, it’s business as usual for the Google.
  2. Mr. Darshan captures the attention of television news hawks and tweeters and generates more interest in the allegedly pirate film “Ek Haseena Thi Ek Deewana Tha”.
  3. Indian authorities put Mr. Pichai and the other Googlers named in the copyright violation matter on a watch list.

Business trips to India could create some unexpected customs and immigration activity for Mr. Pichai and the Googlers identified by the aggrieved Mr. Darshan.

Does Mr. Pichai have upcoming travel plans to India? Compared to the Dark Patterns matter, spending a few extra minutes in the Mumbai International Airport may not make much difference unless the Googlers are hauled off to the Mumbai police headquarters. Take some tchotchkes maybe?

Stephen E Arnold, January 26, 2022

Facebook: Reluctant But Why?

January 26, 2022

The write up concerns Facebook in Australia. Australia has good relationships with the US. The bonds between Australia and the United Kingdom seem to be in reasonable shape as well. Australia, it seems to me, has been an origin point for some interesting ideas related to online.

“Meta Most Reluctant to Work with Government: Home Affairs” points out that Meta (originally just plain old super community minded Facebook) is less enthusiastic about working with Australia’s government than some of its very large, possibly monopolistic fellow travelers.

The write up reports:

In a submission to the House Select Committee Inquiry into Social Media and Online Safety, Home Affairs criticized Meta for not doing enough to protect its users and for not adequately engaging with the government on these issues. In its own submission, Meta said it has “responded constructively” to Australian government inquiries and is “highly responsive” to local regulators.

I think this means that Meta is doing a better job at foot dragging than some other big technology firms. Like Meta’s recognition as the worst company in the United States, the highly responsive outfit has tallied points in the “less enthusiastic” competition.

The Australian government and Meta have other issues which have caused the US company to arm wrestle with Australian officials; for example, encryption of Facebook Messenger content, dealing with Australian media’s interest in compensation for its content, and ideas about privacy.

The write up does not answer the question “But why?”

To fill the void, may I suggest a couple of reasons:

  1. Keep people in the dark. Disclosures about Meta technology, business practices, or data systems might inform the Australian government. With the information, the Australian government could formulate some new ideas about fining or controlling the community focused US outfit. In short, Meta information may lead to meta prosecution perhaps?
  2. Take steps to prevent data moving around the Five Eyes. Information disclosed in Australia might find its way to the US and the UK. Despite these countries’ security methods, some of that disclosed data could seep into the efficient machinery of the European Union. It is conceivable that the risk of becoming even more responsive to Australia increases the risk of EU action with regard to the community oriented social media company.
  3. Circle the wagons to prevent user defections. Cooperating in any way that becomes public could cause some Meta users to delete their accounts and prevent others in their span of control from using Meta services. This means a loss of revenue, and a loss of revenue has downside consequences; namely, encouragement for other high technology companies to nose into Meta territory.

I want to emphasize none of these ideas appear in the write up cited above. Furthermore, these are views which I developed talking with my colleagues about Meta.

Net net: Meta does not want information about its systems, methods, research, and policies to get out. Frances Haugen, it seems, did not get that email.

Stephen E Arnold, January 26, 2022

Information Allegations Directed at Some Law Enforcement Entities

January 26, 2022

Before the advent of modern technology, police states were limited in the amount of surveillance they could conduct. As technology advances, the amount of information police can extract from people’s devices is as scary as science fiction. El Poder Deportivo explains a frightening surveillance tool US police are now using: “AI-Driven People Surveillance: US Cops Reportedly Utilizing Invasive Tool To Grab Candidates’ Social Media Marketing, Pornhub and Tinder.”

Police in Michigan are using a tool called SocialNet that captures data from social media and other pertinent Web sites. ShadowDragon is the company behind SocialNet. Unfortunately or fortunately, depending on your political stance, Michigan is not the only state among ShadowDragon’s customers. Massachusetts and the US Department of Immigration are on that list.

Law enforcement officials are not broadcasting that they are using SocialNet, but the fact that it is in use can be found with a little detective work. Neither Michigan nor ShadowDragon will say which agencies are using SocialNet, but documents show that it was purchased through a third party called Kaseware.

Local and state governments spent a lot of money on the SocialNet application. Authorities are also whitewashing their justification for purchasing and using SocialNet.

It is not surprising that US police are using advanced tools to collect people’s personal information. Law enforcement and governments have been doing that for centuries. The bigger question is whether the US police are collecting the information lawfully or illegally.

“Likening ‘predictive policing’ to ‘AI-driven racial profiling and society surveillance,’ the United States Civil Liberties Union (ACLU) Michigan workplace observed that ShadowDragon tools broke the ‘basic right to confidentiality.’ In a number of tweets, the ACLU required the usage of such hardware to finish.”

SocialNet will probably be used in both positive and negative ways. It will capture plenty of evidence to put bad actors behind bars as well as hinder individuals who the governments do not like. In the wake of the NSO Group’s publicity tsunami, more specialized software vendors are likely to be subject to scrutiny.

Whitney Grace, January 26, 2022

What Does Go Bro Suggest for Software?

January 26, 2022

Traditionally, IT workers and sports fans are represented by the stereotypical portrayals of nerds and jocks. The jocks are very buff, popular individuals, while nerds are smart, socially awkward people. With the advance of computer science, the Internet, and videogames, the stereotypes have eroded. ReadWrite explains how the jock and nerd chasm is smaller in, “Why Software Product Development Is The Ultimate Team Sport.”

Teamwork is essential to a successful IT department and/or company. It is extremely important for software product development. Contrary to popular conceptions, programmers and their teams do not isolate themselves. Instead, programmers are part of a dynamic team effort comparable to how professional sports teams are managed.

Software product development teams should be carefully built and be allowed to discover their own work rapport:

“To a large extent, these teams should be able to work free of bureaucracy and politics, focusing entirely on the product at hand. To do that, the other stakeholders need to collaborate to ensure teams have the guidance, resources, and time they need to work with a high degree of independence.

Just as important as assembling the constituent parts and letting them operate autonomously is finding the right fit between them. Teams obviously need to have the right combination of skills to turn the software product development process into a functional, finished product. But they also need the right mix of personalities, clear roles for everyone involved, a cohesive leadership structure, and effective communication channels.”

Similar to sports teams, software development groups need to adapt to the unexpected, overcome persistent obstacles, create meaningful innovation, and repeat their successes. These are situations that not only sports and software teams handle, but also all teams in all industries.

Whitney Grace, January 26, 2022

Meta Zuck: AIR SC Sort of Sketched Out

January 25, 2022

I read Facebook’s (Meta’s) blog post called “Introducing the AI Research SuperCluster — Meta’s Cutting-Edge AI Supercomputer for AI Research.” The post states:

Today, Meta is announcing that we’ve designed and built the AI Research SuperCluster (RSC) — which we believe is among the fastest AI supercomputers running today and will be the fastest AI supercomputer in the world when it’s fully built out in mid-2022.

Then this statement:

Ultimately, the work done with RSC will pave the way toward building technologies for the next major computing platform — the metaverse, where AI-driven applications and products will play an important role.

So the AIR SC is sort of real. The applications for the AIR SC are sort of metaverse. That’s not here either in my opinion.

So what’s going on? Here are my thoughts:

  1. Facebook wants to stake out conceptual territory claims, as AT&T did with its announcements about 5G capabilities that were still under construction.
  2. Facebook wants to show that its AIR SC is bigger, better, faster, and more super than anything from the Amazon, Google, or other quasi-monopolies who want systems that will dominate the super computer league table for now and possibly forever unless government regulators or user behavior changes the game plan.
  3. Facebook believes the Silicon Valley marketing mantra, “Fake it until you make it” with a possible change. I interpret the announcement to say, “Over promise and under deliver.” I admit I have become jaded with the antics of these corporate giants who have been able to operate without meaningful oversight or what some might call ethical guidelines for a couple of decades.

In the old days, companies in the Silicon Valley mode did vaporware. The tradition continues? Sure, why not? There’s even a TikTok style video to get the AIR SC message across.

Stephen E Arnold, January 25, 2022

Excited about Microsoft and Games? What about Other Issues? Like, Uh, Security?

January 25, 2022

We learn of a recent complaint against SolarWinds from GitHub contributor jaybobo, who helpfully shares both the full filing and key highlights. The case was filed in Delaware’s Court of Chancery by shareholders, including the Construction Industry Laborers Pension Fund and the Central Laborers’ Pension Fund. In light of the Sunburst hack, the plaintiffs assert the company failed to appropriately secure their investments against cybersecurity risks. The complaint alleges:

“SolarWinds: (i) used weak passwords for its software download webpages such as ‘solarwinds123;’ (ii) did not properly segment its IT network; (iii) directed its clients to disable antivirus scanning and firewall protection on its Orion software; (iv) cut investments in cybersecurity; and (v) listed its sensitive and high-value clients on its webpage for anyone to see.”

Oof, these are indeed the opposite of security best practices. The plaintiffs insist this alleged negligence allowed the Sunburst attack to succeed, tanking their investments. The filing describes the impact:

“In the days following the Company’s initial public disclosure of SUNBURST in December 2020, SolarWinds’ stock lost nearly 40% of its value. As of today, the stock trades at more than a 30% discount to its pre-revelation trading price. For the six months ended June 30, 2021, the Company incurred $34 million in direct expenses related to SUNBURST, stemming from, inter alia, costs to investigate and remediate the cyber attack; legal, consulting, and other professional service expenses; and public relations costs. In the first six months ended June 30, 2021, the Company also experienced a 27% decline in its license revenue relative to the previous year. SolarWinds explained that this decline was ‘primarily due to decreased sales of our licensed products as a result of the Cyber Incident [i.e., SUNBURST]’ (among other factors). The Company’s net increase in cash and cash equivalents for the same period was down over 74% relative to the previous year, which the Company also attributed, in part, to SUNBURST.”

The plaintiffs go on to note several ongoing investigations and lawsuits now facing SolarWinds as a result of the debacle. Then there are the related insurance rate hikes, finance charges, and compliance activities. They estimate these factors add another $20 million a year in expenses that will also diminish their investments. The filing requests several measures from the court, like requiring the company to implement better security and, of course, awarding damages.

We want to point out the information in “Microsoft Discovers Undisclosed Bug in SolarWinds Server.” That write up which we spotted on January 22, 2022 (a Saturday by the way) states:

During the sustained monitoring of threats taking advantage of the ‘Log4j2’ vulnerabilities, the Microsoft Threat Intelligence Centre (MSTIC) team observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds ‘Serv-U’ software. “We discovered that the vulnerability is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation,” Microsoft said in its security update. SolarWinds said the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.
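The quoted description (login-screen input reaching an LDAP query without sufficient sanitization) is the classic LDAP filter injection pattern. The block below is an added example, not Serv-U code and not Microsoft’s analysis: the filter template, the sample usernames, and the small shape check are all hypothetical, and no directory server is contacted. It shows the defect pattern next to the RFC 4515 escaping that neutralizes it, and a check that detects when unsanitized input has changed the structure of the query.

```python
"""Added example (hypothetical; not SolarWinds' or Microsoft's code): raw login
input spliced into an LDAP search filter versus the same filter with the value
escaped per RFC 4515 section 3.
"""

# RFC 4515: these characters must be escaped inside a filter assertion value
# as a backslash followed by the two-hex-digit byte value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_login_filter(username: str) -> str:
    """The defect pattern: the user-supplied name is concatenated as-is."""
    return f"(&(objectClass=person)(uid={username}))"


def hardened_login_filter(username: str) -> str:
    """Same query, with the value escaped before it is spliced in."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def filter_shape(filter_text: str) -> tuple[int, bool]:
    """Return (number of attribute=value items, parentheses balanced).

    Escaped bytes (\\XX) are skipped so they cannot be mistaken for filter
    syntax. A login filter built from the template above must always have
    exactly two items; any other count means the input rewrote the query.
    """
    items = 0
    depth = 0
    in_value = False
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3  # backslash plus two hex digits: a literal, not syntax
            continue
        if ch == "(":
            depth += 1
            in_value = False
        elif ch == ")":
            depth -= 1
            in_value = False
        elif ch == "=" and not in_value:
            items += 1
            in_value = True
        i += 1
    return items, depth == 0


def demo() -> dict:
    """Constructed inputs: a normal login and a textbook injection payload."""
    normal = "alice"
    # Closes the uid item, adds a wildcard match, then OR-s in a second
    # wildcard so the "authentication" filter matches any person entry.
    injected = "*)(uid=*))(|(uid=*"
    return {
        "vulnerable_normal": filter_shape(vulnerable_login_filter(normal)),
        "vulnerable_injected": filter_shape(vulnerable_login_filter(injected)),
        "hardened_injected": filter_shape(hardened_login_filter(injected)),
    }


if __name__ == "__main__":
    for name, shape in demo().items():
        print(f"{name}: items={shape[0]} balanced={shape[1]}")
```

The point of the shape check is that the injected filter is still syntactically valid LDAP (parentheses balance), so a parser on the directory side will happily run it; only the item count reveals that the query no longer says what the template intended. In production code the escaping should come from the LDAP library in use rather than a hand-rolled table: python-ldap provides ldap.filter.escape_filter_chars and ldap3 provides ldap3.utils.conv.escape_filter_chars, both of which implement the same RFC 4515 rules.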

Security is worth monitoring, but the metaverse is more zippy.

Cynthia Murrell, January 25, 2022
