Phishers Experience Some Tiny Google Pushback

April 17, 2019

Hiding URLs is a phisher’s best friend. Google wants to eliminate those pesky URLs. The problem is that spoofing a Web site is easier when the GOOG simplifies life. There’s nothing like a PDF with malware to make one’s day.

If the information in “Google Takes a Tiny Step Toward Fixing AMP’s URL Problem” is accurate, the Google may be pushing back against the opportunities bad actors have to deceive a Web user. The write up does describe Google’s action as “tiny” and “tiny” may be minuscule. I learned:

When you click a link on your phone with a little lightning bolt next to it in Google search, you’re getting something in the AMP format. AMP stands for “Accelerated Mobile Pages,” and you’ve probably noticed that those pages load super quickly and usually look much simpler than regular webpages. You may have also noticed that the URL at the top of your browser started with “” instead of with the webpage you thought you were visiting.

Yeah, about that “quickly.” Maybe not.

Phishers will be studying this alleged “tiny” change. Why? Phishing and spear phishing are among the methods bringing Dark Web type excitement to users of the good, old-fashioned Web. There are six or seven additional examples of metastatic technology in my keynote at the TechnoSecurity & Digital Forensics Conference in June 2019.

“Tiny”. Yep. And what about the “speed” of AMP pages?

Stephen E Arnold, April 17, 2019

Google and Identity Management

April 17, 2019

Google kills products. More than 100 since I did my last count. With that fact in mind, I read a second time “Google, Hyperledger Launch Online Identity Management Tools.” At first glance, the idea of a slightly different approach to identity management seems like a good but obvious idea. (Does Amazon have thoughts about identity management too?)

The write up explains:

Google unveiled five upgrades to its BeyondCorp cloud enterprise security service that enables identity and access management for employees, corporate partners, and customers.

Google wants to be the go-to cloud provider of identity management services. Among the capabilities revealed, Google’s Android 7 and higher can be used as a two-factor authentication dongle.

However, in the back of my mind is the memory of failed products and Google engineers losing interest in certain projects. No promotion, no internal buzz, then no engineers. The Google Search Appliance, for example, was not a thriller.

The idea that Google can and does lose interest in projects may provide a marketing angle Amazon can exploit. If Amazon ignores this “short attention span” issue, perhaps other companies will be less reluctant to point out that talk and a strong start are not finishing the race.

Stephen E Arnold, April 17, 2019

Microsoft: More Security Excitement

April 15, 2019

I read “Microsoft Informs Hackers Had Accessed Some Outlook Account Emails for Months.” The write up reports:

Microsoft has revealed that a hacker had access to the email addresses, folder names, and subject lines of emails, but not the content of emails or attachments of the Outlook users for three months.

That’s 90 days. Windows Defender was, I assume, on the job. The good news is that the bad actor was not able to read emails. The hacker wasn’t able “to steal login details of other personal information.” That’s good news too. Plus, Microsoft has “disabled the credentials used in the hack.”

Whoa, Nellie.

Windows Defender and presumably one or more of the companies offering super smart, super capable security services were protecting the company. I am besieged each week with requests to read white papers, participate in webinars, and get demonstrations of one of the hundreds of cyber security systems available today. These range from outfits which have former NSA, FBI, and CIA specialists monitoring their clients’ systems to companies that offer systems based on tireless artificial intelligence, proactive, predictive technology. Humans get involved only when the super system sends an alert. The idea is that every possible approach to security is available.

Microsoft can probably afford several systems and can use its own crack programmers to keep the company safe. Well, one caveat is that the programmers working on Windows 10 updates are probably not likely to be given responsibility for mission critical Microsoft security. Windows 10 updates are often of questionable quality.

A handful of questions occur to me:

  1. Perhaps Microsoft’s security expertise is not particularly good. Maybe on a par with the Windows 10 October 2018 update?
  2. Maybe Windows Defender cannot defend?
  3. Perhaps the over hyped, super capable cyber security systems do not work either?

Net net: With many well funded companies offering cyber security and big outfits entrusted by their customers with their data, are the emperors going to their yoga classes naked? Ugh. Horrible thought, but it may be accurate. At least put on some stretchy pants, please.

Stephen E Arnold, April 15, 2019

Forbes Raises Questions about Facebook Encryption

March 25, 2019

I am never sure if a story in Forbes (the capitalist tool) is real journalism or marketing. I was interested in a write up called “Could Facebook Start Mining Decrypted WhatsApp Messages For Ads And Counter-Terrorism?” The main point is that Facebook encryption could permit Facebook to read customers’ messages. The purpose of such access would be to sell ads and provide information to “governments or harvesters.” The write up states:

The problem is that end-to-end encryption only protects a message during transit. The sender’s device typically retains an unencrypted copy of the message, while the recipient’s device necessarily must decrypt the message to display to the user. If either of those two devices have been compromised by spyware, the messages between them can be observed in real-time regardless of how strong the underlying encryption is.

No problem with this description. Intentionally or unintentionally, the statement makes clear why compromising user devices is an important tool in some governments’ investigative and intelligence toolboxes. Why decrypt if the bad actor’s mobile device or computer just emails the information to a third party?

I noted this statement as well:

The messaging app itself has access to the clear text message on both the sender and recipient’s devices.

If I understand the assertion, Facebook can read the messages sent by its encrypted service.

The write up asserts:

As its encrypted applications are increasingly used by terrorists and criminals and to share hate speech and horrific content, the company will come under further pressure to peel back the protections of encryption.

Even if Facebook wants to leave encrypted information in encrypted form, outside pressures may force Facebook to just decrypt and process the information.

The conclusion of the write up is interesting:

Putting this all together, it is a near certainty that Facebook did not propose its grand vision of platform-wide end-to-end encryption without a clear plan in place to ensure it would be able to continue to monetize its users just as effectively as in its pre-encryption era. The most likely scenario is a combination of behavioral affinity inference through unencrypted metadata and on-device content mining. In the end, as end-to-end encryption meets the ad-supported commercial reality of Facebook, it is likely that we will see a dawn of a new era of on-device encrypted message mining in which Facebook is able to mine us more than ever under the guise of keeping us safe.

Speculation? Part of the capitalist toolkit it seems. Is there a solution? The write up just invokes Orwell. Fear, uncertainty, doubt. Whatever sells. But news?

Stephen E Arnold, March 25, 2019

Juicy Target: Big Cloudy Agglomerations of Virtual and Tangible Gizmos

March 9, 2019

Last week I had a call about the vulnerability of industrial facilities. The new approach is to push certain control, monitoring, and administrative systems to the cloud. The idea is that smart milling machines, welders, and similar expensive equipment can push their data to the “cloud.” The magic in the cloud then rolls up the data, giving the manufacturing outfit a big picture view of the individual machines in multiple locations. Need a human to make sure the industrial robots are working happily? Nope. Just look at a “dashboard.” If a deity were into running a chemical plant or making automobiles, the approach is common sense.

I read “Citrix Hacked and Didn’t Know Until FBI Alert.” The FBI is capable, but each week I receive email from companies which perform autonomous, proactive monitoring to identify, predict, and prevent breaches.

The write up points out:

The firm attributed the attack to an Iranian group called “IRIDIUM” and says it made off with “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”

The article buries this statement deep in the report:

The breach disclosure comes just three days after Citrix updated its SD-WAN offering to help enterprises to administer user-centric policies and connect branch employees to applications in the cloud with greater security and reliability. The product is intended to simplify branch networking by converging WAN edge capabilities and defining security zones to apply different policies for different users.

What’s the implication?

Forget Go to My PC vulnerabilities. Old news. The bad actors may have the opportunity to derail certain industrial and manufacturing processes. What happens when a chemical plant gets the wrong instructions?

Remember the Port of Texas City mishap? A tragic failure. Accidental.

But Citrix style breaches combined with “we did not know” may presage intentional actions in the future.

Yep, cloudy with a chance of pain.

Stephen E Arnold, March 9, 2019

Simple Ways Intelligence is Fighting Cyber Crimes

March 8, 2019

Our world has never been more technologically advanced, that’s a fact. That also means that the digital threats have never been more dire, right? Yes and no, according to one source, who says that the technology might change but humans never do. We learned more from a recent CNBC story, “Google Infosec Head Heather Adkins: Ignore Scare Stories.”

According to the story:

“Adkins said sometimes the marketplace suffers from a “proliferation of cybersecurity professionals” offering conflicting advice on passwords, antivirus software, safety practices and so on…But the best rules for individuals looking to secure their personal information are the classics, Adkins said…Keep your software up to date, and don’t re-use the same password.”

This and many other examples show that good old fashioned foresight and detective work can still help fight cybercrime, even in this world of machine learning and nanotech. As Adkins says, let’s look forward in regards to security, but also not forget our past.

However, fear, uncertainty, and doubt sell—particularly to some executives uncomfortable with today’s business environment.

Patrick Roland, March 8, 2019

SIM Swapping: Trust Google?

March 2, 2019

Anyone holding crypto currency should be aware by now of SIM swapping, a hacking technique that involves tricking telecom companies into redirecting the victim’s phone number to the attacker’s device. Now, The Next Web tells us, “Google’s Head of Account Security Has Fix for Crypto currency SIM-Swapping.” Note that the fix involves a physical device, not just a download. Writer David Canellis explains:

“An overt reliance on SMS-based two-factor authentication (2FA) systems has only compounded the problem. While these are regarded as an upgrade to traditional verification methods like usernames and passwords, SMS-based 2FA presents cybercriminals with a clear attack vector. If hackers can take control of a phone number, it would be them who receive the special codes, allowing instant access to sensitive information.”

We also noted:

“Google is one of many tech giants to present a solution. It released its Titan Keys last August, a $50 set of hardware devices that cryptographically ties particular devices to accounts, effectively keeping anyone without a registered device at bay. Users connect the Key to a device, such as a laptop or a smartphone, and sign into the account they wish to protect. This can be done via USB, NFC, or Bluetooth. A button then is pressed on the Key which will cryptographically register the device to a user account. It’s not exactly necessary to carry around the Keys, but users will need to have at least one handy to sign in. Purchasers of Titan Keys can also enroll in Google’s Advanced Protection Platform, which provides a supplementary bundle of security measures.”

Canellis notes that crypto currency makes for a tempting target. While typical attacks net hackers a fraction of a cent per victim, a bad actor can make thousands of dollars from one successful attack. The Titan Keys work because they cut out the telecoms—there is no one for hackers to bamboozle. Navigate to the source article for more information on the device and how it works. Canellis observes what could be taken as a warning—today’s world of online banking and mobile apps makes for a less secure banking environment than we older folks grew up with.

Whom do we trust? Google? Another third party?

Cynthia Murrell, March 2, 2019

VPNs Possibly Aid Chinese Intelligence

February 18, 2019

China’s military and intelligence might has grown by leaps and bounds. By some estimates, it leads the world in many categories of defense. While there’s no conclusive evidence, the amount of information being harvested by Chinese online companies is staggering and could prove a connection, as we discovered in a recent Tech In Asia story, “Facebook’s Research App Isn’t The Only VPN To Mine User Data.”

According to the story:

“VPNs are supposed to help you protect your data. But the Facebook flap shows that there’s one party that has full access to everything you’re doing: the VPN provider itself. And it’s a concern with several Chinese-owned VPNs, which reportedly send data back to China.”

With enormous streams of data flowing back to China and the potential for it to be used by intel communities, it’s no shock that the Pentagon recently began revising its artificial intelligence strategy. This comes because China and Russia, specifically, are beginning to chip away at America’s technological edge. It’s exciting to see the US intelligence community take a greater stake in AI and its related strains. We hope this is the beginning of a boom in the industry.

Patrick Roland, February 18, 2019

Zerodium Boosts Payouts for Zero Day Exploits to US$2 Million

January 14, 2019

The Hacker News reported that Zerodium will pay up to $2 million for an iPhone zero day exploit. The idea is that the market for iPhone hacks is robust even if Apple is struggling to hit its internal sales targets. The write up states:

Zerodium—a startup by the infamous French-based company Vupen that buys and sells zero-day exploits to government agencies around the world—said it would now pay up to $2 million for remote iOS jailbreaks and $1 million for exploits that target secure messaging apps.

The big payout is for a remote hack which jailbreaks an iPhone. The idea is that an entity can access an iPhone remotely and perform actions on that iPhone without having direct physical access to the device. The approach is known as a “zero click” exploit; that is, no user interaction is required.

The company is also offering a payout of $1 million for WhatsApp exploits.

The reason? Hacker News explains:

The hike in the price is in line with demand and the tougher security of the latest operating systems and messaging apps, as well as to attract more researchers, hackers and bug hunters to seek complex exploit chains.

DarkCyber anticipates more price increases as bad actors shift to encrypted messaging for certain types of communications and transactions.

Stephen E Arnold, January 14, 2019

Data Protection: Many Vendors, Many Incidents

January 4, 2019

This is one of our DarkCyber news items.

Search engines are getting smarter and better, especially since they began to incorporate social media in their indexing. It is harder than ever to protect personal information, and then there is the rising Dark Web fear. While there are services out there that say they can monitor the Dark Web and the vanilla Web to protect your information, there are things you can do to protect yourself. TechRadar shares some tips in the article, “AI And The Next Generation Of Search Engines.”

The article focuses on Xiliab’s Frank Cha, who works at South Korea’s largest AI developer. Xiliab recently developed the DataXchain data trading platform that is described as the search engine of the future. Cha explained why DataXchain is the search engine of the future:

“Dataxchain engine is the next generation of data trading engine which enables not only data processing such as automatic data collection, classification, tagging, and curation but also enables data transactions. These transactions are directly applied to human development without human intervention by pre-processing data matching and deep learning engine. These trials can be accessed to the implicit knowledge through the intervention of people that the traditional search engine already had.”

Cha stresses the biggest challenge with DataXchain is creating connections with clients. He said, “When this connection becomes a chain, we will be able to exchange value for private data of each individual or organization and it will bring innovation to sophisticated AI in dataXchain…”

It is also being used for national defense, which can be translated into protecting an individual’s data without changing the algorithm.

It is a basic interview without much meat about how to protect your data. Defensive forces can use the same algorithm as regular people, but that does not sound reassuring. How about speaking in layman’s terms?

With so many competitors, why are there so many successful breaches?

Whitney Grace, January 4, 2019
