Restaurant AI Has A Lot of Security Baggage

June 13, 2019

It might sound harmless when we hear news of the food industry getting involved in AI to dial in dishes and accommodate our palates. But if you are a bad guy, that looks a lot different. It looks like a buffet. We learned more about the odd risks that could crop up from such AI use from a recent Venture Beat story, “Ex-Googler Alon Chen’s Tastewise Uses AI to Identify and Predict Food Trends.”

According to the story:

“Using AI to predict food trends and stir up new recipes is nothing new, of course. IBM recently announced that it’s teaming up with McCormick & Company to create new flavors and foods with machine learning. IBM’s Chef Watson, a research project that sought to create new recipes by analyzing the chemical composition of hundreds of different ingredients, produced more than 10,000 novel recipes.”

Believe it or not, security agencies are using the same logic that the above organizations are using to predict eating patterns to predict criminal patterns. However, if you fear this is veering us closer to “Minority Report” status, you are not alone. Many experts are thinking about how to use this technology to fight crime, but still maintain human rights. A tricky proposition.

Patrick Roland, June 13, 2019

LookingGlass Threat Map

June 11, 2019

You may want to check out an interesting approach to marketing as practiced by a cyber intelligence firm. And if you are curious about threats posed by exploits, malware, and other cyber weapons, you will want to examine the LookingGlass Threat Map. The display shows attacks (attempted and successful). If you put your mouse on the map, you can display threats by region. The map is zoomable, so you can obtain information about the target of the attack; for example, attacks in Italy. Click on a dot and information about the attack is displayed in a pop-up window.


The map also displays a moving real time graph of attacks per second. DarkCyber found the scrolling list of attack types particularly interesting. One can see that the Sality variants are one of the more popular attacks at this time (Tuesday, June 11, 2019, 0603 US Eastern time).

The threat map provides graphs as well; for instance:


I discuss some of LookingGlass’ capabilities in my Dark Web 2 lectures. For more information about LookingGlass, navigate to the company’s Web site. The Sality exploit exists in variants. The software has been available for many years. It exploits the bad actors’ best friend: Microsoft Windows. After 16 years and numerous variants, one could ask the question, “What’s up with this, Microsoft?”

I won’t ask that question because I address Microsoft’s ball fumbling in the DarkCyber video for June 11, 2019.

Stephen E Arnold, June 11, 2019

About That Internet Traffic to China

June 10, 2019

The Cisco Talos researchers pointed out that a foundation server was under stress. I discussed this on June 4, 2019, in my lecture at the TechnoSecurity & Digital Forensics Conference. The idea of usurping control of lower level Internet services and devices is a wake-up call. I noted the rerouting of Internet traffic to China in a number of reports such as this one: “For Two Hours, a Large Chunk of European Mobile Traffic Was Rerouted through China. It Was China Telecom, Again. The Same ISP Accused Last Year of ‘Hijacking the Vital Internet Backbone of Western Countries.’”

According to the story:

The incident occurred because of a BGP route leak at Swiss data center colocation company Safe Host, which accidentally leaked over 70,000 routes from its internal routing table to the Chinese ISP.

My hunch is that the word “leak” used in the write up is shorthand for hip-hopping over more analytic explanations.

First, BGP, the border gateway protocol, is one of those plumbing components which have become juicy targets of opportunity. The Internet Service Providers get these up and running and then worry only when something goes wrong.

China Telecom, the third-largest ISP in China, noted the issue and, according to ZDNet,

re-announced Safe Host’s routes as its own, and by doing so, interposed itself as one of the shortest ways to reach Safe Host’s network and other nearby European telcos and ISPs.

When issues like this magical “leak” occur, the fixes are applied quickly, often within minutes, either by automated scripts or by semi-automated humans who are monitoring alerts or logs.
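The mechanics described above (a provider's routes leaking out, and a third party re-announcing them as its own so that it sits on the shortest path) are exactly what RPKI origin validation is built to flag, and it is the kind of check those automated scripts run. The script below is an added example, not from the post or from any of the networks it names: a simplified RFC 6811 origin check over constructed route-origin records and a constructed announcement feed. The AS numbers are from the private-use range and the prefixes are documentation prefixes, standing in for the real parties.

```python
"""Simplified RPKI-style origin validation (RFC 6811 semantics) over a
constructed set of BGP announcements. Added example, not from the post or
from any organisation it names; every ASN, prefix and route-origin record
below is constructed (documentation prefixes, private-use ASNs)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific prefix down to `max_length`."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """A received BGP UPDATE reduced to prefix and AS_PATH (rightmost = origin)."""
    prefix: str
    as_path: tuple


def covering_roas(roas, prefix):
    """ROAs whose prefix contains `prefix` (same address family only)."""
    net = ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def validate(ann, roas):
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811.

    Invalid means a ROA covers the prefix but none authorises this
    (origin AS, prefix length) pair: the signature of someone re-announcing
    another network's prefix, or of a leaked more-specific."""
    net = ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = covering_roas(roas, ann.prefix)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def audit(feed, roas):
    """Return (prefix, origin_as, state) for every announcement that is not
    Valid, i.e. what a monitoring script would raise an alert on."""
    findings = []
    for ann in feed:
        state = validate(ann, roas)
        if state != "Valid":
            findings.append((ann.prefix, ann.as_path[-1], state))
    return findings


# Constructed data: AS64500 stands in for the colocation provider that owns
# 203.0.113.0/24; AS64520 for a remote ISP that re-announces it as its own.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]

FEED = [
    Announcement("203.0.113.0/24", (64496, 64500)),         # legitimate
    Announcement("203.0.113.0/24", (64496, 64510, 64520)),  # re-announced by another origin
    Announcement("203.0.113.0/25", (64496, 64500)),         # right origin, too specific
    Announcement("2001:db8:1::/48", (64496, 64500)),        # legitimate IPv6
    Announcement("198.51.100.0/24", (64496, 64530)),        # no ROA covers it
]

if __name__ == "__main__":
    for finding in audit(FEED, ROAS):
        print("ALERT", *finding)
```

A NotFound result is deliberately kept separate from Invalid: a prefix with no ROA is unverifiable rather than proven wrong, and an operator who drops NotFound routes would black-hole most of the Internet. Real deployments feed validated ROA data from the RPKI repositories into this check; the records here are hand-written stand-ins.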

This problem took a couple of hours to remedy, and my thought is that one can learn a great deal in that two-hour span; for example:

  • Length of time between “leak” and someone noticing
  • Facts about traffic volume, data types, handoff points in the flow, etc.
  • After event consequences; that is, fixes put in place to prevent such “leaks” in the future.

In short, one might gain some operational intelligence. That’s hypothetical, of course. Of course.

Like the attacks on Netnod servers, the goal is to gain access. With that access, savvy operators will remain invisible. There’s no reason to let anyone know that a vital component of the increasingly burdened Information Highway is in the hands of bandits riding Mongolian ponies.

Was this a “leak”? Good question.

Stephen E Arnold, June 10, 2019

When Know How Gets Loose: Excitement Ensues

May 23, 2019

Bad actor hackers are pains in the rear, especially when they steal personal information. They are even worse when they steal from the government and use the stolen information for nefarious purposes. From The Trenches World Report explains the how and why of the hackers in “China Used NSA Cyber weapon To Hack Targets, Symantec Says.”

The NSA developed a hacking tool dubbed “Double Pulsar” that can secretly download malware onto Windows-based PCs. Chinese hackers stole it, put their stamp on it, and used it on unsuspecting victims back in 2016. There was evidence that the altered Black Pulsar paired with another Chinese hacking tool were used in attacks in Belgium and Hong Kong. What is even worse is that the Chinese hacking tool could only hack 32-bit systems, but was revamped to attack 64-bit systems with newer Windows versions.

It is unknown how the alleged Chinese hackers obtained Double Pulsar. The possible theories are that an NSA server had bad security or that an NSA employee went rogue. Another idea is that the hackers collected some NSA traffic that contained Double Pulsar.

“Whatever the case may be, the findings underscore the risks of NSA cyber weapons falling into the wrong hands. Double Pulsar, itself, is no longer a secret. In April 2017, a mysterious party called the Shadow Brokers went online and dumped a cache of NSA hacking tools, which included details on Double Pulsar. A month later, the same NSA hacking tools were used to launch Wannacry, a ransomware attack that hit Windows machines across the world.

Who the Shadow Brokers are remains a mystery. But according to Symantec, the Chinese hacking group that gained access to Double Pulsar no longer appears to be active. In Nov. 2017, the US publicly charged three members of the group with hacking crimes and intellectual property theft.”

One more hacking tool is now an open source piece. DarkCyber is not keen on certain types of technology becoming widely available.

Whitney Grace, May 23, 2018

Amazon: A Wild West Approach to Security

May 14, 2019

A story ostensibly about an “unprotected Elasticsearch cluster” and an administrator poses an interesting question which I will raise in a moment. You will want to read or scan “Sensitive Information of Millions of Panama Citizens Leaked.” The main idea is that information about citizens of Panama was leaked. The information appears to be germane to people with medical issues. That’s bad for several reasons:

  1. People and their medical “histories” are sensitive and like a sizzling hamburger to bad actors interested in blackmail or some other negative action
  2. Some citizens of Panama are often low-profile. These individuals use Panama as a convenient base for their identity or one of many identities. There are also quick hops to nearby locations with a somewhat flexible approach to financial activities.
  3. The “unsecured” Elasticsearch databases are findable using Shodan. This is a search system of considerable utility to certain organizations and individuals.

The system on which the data resided, if the write up is accurate, was Amazon AWS. Now the big question:

With the automation Amazon AWS offers customers, why aren’t basic security health checks routinely performed by Amazon’s smart software?

Snuffing out unprotected AWS servers / services is going to add to friction for customers and impose additional computational burdens on AWS.
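The “basic security health check” the question above asks for need not be smart software at all. The most common way an Elasticsearch cluster ends up in Shodan is an ingress rule that opens its ports to the whole Internet, and that is a mechanical thing to audit. The script below is an added example, not Amazon’s code or anything from the article: it walks security-group rules laid out in the `IpPermissions` shape that EC2’s DescribeSecurityGroups returns and reports any Elasticsearch port reachable from 0.0.0.0/0 or ::/0. The group ids and CIDRs are constructed.

```python
"""Flag EC2 security-group ingress rules that expose Elasticsearch ports to
the whole Internet. Added example, not Amazon's code or the article's; the
rule dicts mirror the IpPermissions shape returned by EC2
DescribeSecurityGroups, and all group ids and address ranges are constructed."""

ELASTICSEARCH_PORTS = {9200, 9300}      # REST API and node-to-node transport
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _rule_ports(rule):
    """Ports a rule opens: None means every port (IpProtocol '-1' = all
    traffic), an empty set means the rule cannot reach a TCP service."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return None
    if proto not in ("tcp", "6"):
        return set()
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def _world_open_cidrs(rule):
    """Source ranges in the rule that mean 'anyone', v4 and v6."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] == ANY_V4]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] == ANY_V6]
    return cidrs


def find_exposed(security_groups, watched_ports=ELASTICSEARCH_PORTS):
    """Return sorted (group_id, port, cidr) triples for every watched port
    that some ingress rule opens to the entire Internet."""
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = _world_open_cidrs(rule)
            if not cidrs:
                continue                      # restricted to specific sources
            ports = _rule_ports(rule)
            hit = watched_ports if ports is None else watched_ports & ports
            for port in hit:
                for cidr in cidrs:
                    findings.add((sg["GroupId"], port, cidr))
    return sorted(findings)


# Constructed groups: a) 9200 open to the world, b) cluster ports open only
# to an internal range, c) all traffic open over IPv6, d) only HTTPS public.
SECURITY_GROUPS = [
    {"GroupId": "sg-constructed-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-constructed-b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-constructed-c", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-constructed-d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, port, cidr in find_exposed(SECURITY_GROUPS):
        print(f"{group_id}: port {port} open to {cidr}")
```

Against live data the same function takes the `SecurityGroups` list from a `describe_security_groups` call; the shape does not change. Note that a group being permissive is only half the exposure: the instance also has to run Elasticsearch without authentication, which is the default for the older releases the article’s era is about, so the port check is the cheap first filter, not the whole audit.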

One can point the finger at Elasticsearch administrators, but these people are driving Amazon’s digital vehicle. When a smart car mows down a pedestrian, whom do we scrutinize? The person walking or the go-go outfit which built the smart vehicle?

Does Amazon’s speeding AWS need some driver safety functions? Air bags save lives, and the driver does not have to pay extra or be aware of these devices. Just a thought: Air bags and seat belts for Amazon AWS customers. Amazon, it seems, wants to help former employees become delivery people. What about the administrators of Elasticsearch? What’s their future?

Stephen E Arnold, May 14, 2019

How Does One Access an iPhone?

May 9, 2019

If you are interested in accessing a locked iPhone, you may want to add this write up to your reference file. DarkCyber is not sure the three ways to work around the iCloud lock cover the waterfront, but the information is suggestive. See “How Hackers and Scammers Break into iCloud-Locked iPhones.” DarkCyber is not thrilled that this type of information is floating around untethered. Just our viewpoint, of course. Vice’s editorial judgment is interesting.

Stephen E Arnold, May 9, 2019

So Much Protection, So Little Security

April 30, 2019

I receive emails from cyber security firms. The messages flow from Carbon Black, Recorded Future, DarkOwl, FireEye, IntSights, and others. An outfit named BrightTalk besieges me with announcements about cyber security webinars. The flood of information explains that cyber security tools are available, work, and are easy to use. I am not sure I have much confidence in these assurances.

In the midst of this wealth of security options, I find that articles like “Unknown US Security Breach Exposes Data of 80 Million Households” suggest a problem exists. The write up states:

The breach was discovered by ‘hacktivists’ Noam Rotem and Ran Locar and highlighted by specialists at vpnMentor. They claim it is part of a 24GB trove of information that had been stored on an unprotected Microsoft Azure cloud server.

My thought for the day:

Marketing may exceed capabilities…at least for administrators of the Microsoft Azure cloud service.

And here’s a question:

Maybe security is a flight of fancy?

Stephen E Arnold, April 30, 2019

VPNs: You Have to Love These Outfits

April 26, 2019

What does a virtual private network do to protect one’s privacy? Who are the friends of a particular VPN? Who owns the VPN? Is that individual or group of owners friends with some interesting people? Why charge a person and not provide the advertised service? (This happened to the Beyond Search goose when we were researching “Dark Web Notebook.”)

These questions are difficult to answer.

One slice of light appears in the article “There’s NordVPN Odd about This, Right? Infosec types Concerned over Strange App Traffic.” I am not thrilled with the headline, but some of the information in the article — assuming that the accuracy is on the money — is thought provoking.

I noted this statement attributed to a NordVPN expert:

NordVPN spokeswoman Laura Tyrell first told us: “I would like to assure you that we have not observed any irregular behavior that could in any way support the theory of our applications being compromised by a malicious actor.” She added: “Such domains are used as an important part of our workaround in environments and countries with heavy internet restrictions. To prevent such requests from contacting the domains which aren’t owned by us, we have modified our URI scheme. All URLs are being validated, so the problem as such will never occur. It is also important to note that no sensitive data is being sent or received through these addresses.”

The author may not be a stellar headline writer, but I was able to understand this statement:

This was obviously bunkum and we said so.

If one works through the technical snippets, two things become evident:

  1. The NordVPN is a busy little beaver in the sending and receiving department. Busy, busy.
  2. The information security wizards contributing to the article are suspicious.

Net net: Maybe it is time to answer some questions about both the technical plumbing and the owners’ connections with other entities. We can maybe rule out Mr. Putin because NordVPN made the list of VPN services to be blocked in Russia. But there are other interesting friends some VPN providers may have.

Oh, those free VPN services? Yeah, not a good idea.

Stephen E Arnold, April 26, 2019

Phishers Experience Some Tiny Google Pushback

April 17, 2019

Hiding URLs is a phisher’s best friend. Google wants to eliminate those pesky URLs. The problem is that spoofing a Web site is easier when the GOOG simplifies life. There’s nothing like a PDF with malware to make one’s day.

If the information in “Google Takes a Tiny Step Toward Fixing AMP’s URL Problem” is accurate, the Google may be pushing back against the opportunities bad actors have to deceive a Web user. The write up does describe Google’s action as “tiny,” and “tiny” may be minuscule. I learned:

When you click a link on your phone with a little lightning bolt next to it in Google search, you’re getting something in the AMP format. AMP stands for “Accelerated Mobile Pages,” and you’ve probably noticed that those pages load super quickly and usually look much simpler than regular webpages. You may have also noticed that the URL at the top of your browser started with “” instead of with the webpage you thought you were visiting.

Yeah, about that “quickly.” Maybe not.

Phishers will be studying this alleged “tiny” change. Why? Phishing and spear phishing are among the methods which are bringing Dark Web-type excitement to users of the good, old-fashioned Web. There are six or seven additional examples of metastatic technology in my keynote at the TechnoSecurity & Digital Forensics Conference in June 2019.

“Tiny”. Yep. And what about the “speed” of AMP pages?

Stephen E Arnold, April 17, 2019

Google and Identity Management

April 17, 2019

Google kills products. More than 100 since I did my last count. With that fact in mind, I read a second time “Google, Hyperledger Launch Online Identity Management Tools.” At first glance, the idea of a slightly different approach to identity management seems like a good but obvious idea. (Does Amazon have thoughts about identity management too?)

The write up explains:

Google unveiled five upgrades to its BeyondCorp cloud enterprise security service that enables identity and access management for employees, corporate partners, and customers.

Google wants to be the go-to cloud provider of identity management services. Among the capabilities revealed, Google’s Android 7 and higher can be used as a two-factor authentication dongle.

However, in the back of my mind is the memory of failed products and Google engineers losing interest in certain projects. No promotion, no internal buzz, then no engineers. The Google Search Appliance, for example, was not a thriller.

The idea that Google can and does lose interest in projects may provide a marketing angle Amazon can exploit. If Amazon ignores this “short attention span” issue, perhaps other companies will be less reluctant to point out that talk and a strong start are not finishing the race.

Stephen E Arnold, April 17, 2019
