Irony, Outrage, Speculation: Amazon Rings the PR Gong

January 23, 2020

Remember the Gong Show? The host was an alleged government asset. The content of the show was humans performing. The focus was on humans who sang, dance, and cavorted in weird, sometimes incredible ways. The result? The host rang a gong. The performer, hooked by a big old person cane, found himself or herself dragged from the camera’s eye.

The elements of the program:

  • Alleged government connections
  • A ranking system for wild and crazy performances
  • The big humiliation with the old person’s cane.

I thought of the Gong Show as I worked my way through dozens and dozens of write ups about the hacking of a mobile phone used by Jeff Bezos, the motive force of Amazon. You know Amazon: The online bookstore, the operator of the S3 leaking buckets, and policeware vendor.

The most interesting reports swirl around what Vice encapsulates in the article “Here Is the Technical Report Suggesting Saudi Arabia’s Prince Hacked Jeff Bezos’ Phone.” The report reveals

that forensic investigators found a suspicious file but no evidence of any malware on the phone.

Interesting, but not as fascinating as the assertions about who allegedly compromised Mr. Bezos’ mobile, when the alleged data sucking took place, and when the content was spirited away, how the compromise actually was implemented, and where those data went.

DarkCyber finds it interesting that fingers are pointed at countries, some government officials, Facebook’s always-interesting WhatsApp software, and at NSO Group, a company certain media outlets frequently reference. (NSO Group may be one of the specialized software vendors getting more publicity than Star Wars’ films.)

In our DarkCyber video news program, we devote almost two full minutes to the problems information technology managers face when implementing cyber security.

The Bezos Affair presents an opportunity to confront an unpleasant reality: Security is difficult.

The real time monitoring, the smart cyber defenses, the companies creating policeware, and the methods available to actors—each of these underscore how vulnerable individuals and organizations are.

The speculation, however, does little to make clear how protections can be achieved. In fact, the coverage of the Bezos Affair has reduced the coverage of what may be an even more egregious security lapse explained in “Microsoft Blames Itself for Customer Support Data Leak.” The “misconfiguration” error exposed 250 million customer records.

One gets the coverage, a world leader is implicated, an Israeli company is cast in a negative light. These are real time “real news” factoids. But the loss of 250 million customer records by Microsoft, the possible vendor for the US Department of Defense, is ignored.

Why are these problems commonplace? The answer, which we provide in our January 28, 2020, video, is provided. That answer is going to be a surprise. You can view the video program on the Beyond Search / DarkCyber blog by clicking the video promo image. No ads, no sponsors, no outside influencers, and no odd ball “You may also like.”

Stephen E Arnold, January 23, 2020

Mobile Security: Bad News, Consumer

January 1, 2020

An online information service called Hindu Business Line has become a source for amusing digital information. Consider the factoids included in “Most People Are Not Aware of Malware on Their Mobile’.” A word of caution, the Web page may redirect some users to a malicious site, which makes the information just so much more special.

Here are some of the factoids:

  • 23 percent of organizations in Indian run a risk of malware attacks. (DarkCyber thinks that the risk is much higher because malware is a growth business and most users are clueless when it comes to preventing and neutralizing mobile centric malware. Example: The page for this content.)
  • It takes about a year for a person to realize that a mobile device has been affected. (DarkCyber thinks that most users dispose of their mobile phone before the malware has been discovered.)
  • Globally 25 million devices are infected. (DarkCyber wants to point out that there are about 4.5 billion mobile phones globally. Source: Statista. The 25 million number seems quite modest and probably wildly off the mark.)
  • Google had 16 apps on its store which were malware mechanisms. (DarkCyber wants to remind its gentle readers that these are apps Google said it knew about. The real number of malware apps is not known by users and Google is not a Chatty Cathy on this subject.)

Yep, great article. Outstanding in fact.

Stephen E Arnold, January 1, 2020

Happy New Year, Security Buffs

January 1, 2020

DarkCyber spotted a write up which revealed an unpleasant (not inconvenient) truth. Navigate to “Complexity Is the Biggest Enemy for Cybersecurity Practitioner.” The idea is that security problems exist due to complexity. Here’s a passage that intrigued us:

If you look at all the breaches, whether they’re on cloud or on premise, you will find that those organizations had the technology, but they didn’t have a synchronized policy. So there has been a gap in the policy deployment because they have been using different tools with different policy engines and configurations or many features haven’t been turned on because existence of many tools creates so much complexity, which is the biggest enemy for any cybersecurity practitioner.

Over time, humans make things more complicated. A simple solution is often neither desirable or possible. Thus, gaps exist, opportunities for mischief abound, and organizations remain vulnerable in ways not understood or anticipated.

What’s the fix?

The expert opining in the article has an answer: “An API based approach.”

Complex?

Yeah, that’s the challenge the cybersecurity industry faces. Its simple solutions are too complex for many potential customers.

Net net: Become a cyber security consultant. The tyro will be wrong, but so will the experts.

Stephen E Arnold, January 1, 2019

A Reminder about Malware

December 25, 2019

Digital information systems are faster, more reliable, take up less space, and offer greater insights than paper systems. The one great thing about paper systems, however, is they are immune to malware infestations. Chiapas Parlelo delves into how cyber criminals are using malware to extort money from businesses in the article, “Cyber Criminals: Network Harassment And Extortion Of Large Companies Through Malware.”

A growing cyber crime is uploading malware into a company’s network, then hackers usurp control of the network and hold it for ransom. If the company refuses to pay the ransom, the hackers threaten to destroy or post the information, often it is sensitive and private. Malware is one of the biggest types of cyber crime in Mexico, but it is one among many that includes financial, child pornography, and sexually explicit photos (usually with women). Other crimes are smaller in nature, such as the removal of a few pesos from an account or credit car scams. Cyber crimes cost Mexico three billion dollars in 2016.

The amount of cyber crimes continue to rise, but the best way to not be a victim is to take preventative measures:

“One of the main approaches to cyber criminology is prevention…the importance of basic care measures to avoid being the victim of an attack. He also mentioned that, beyond taking care of the privacy settings of what is shared, special attention should be paid to the content.”

People need cybercrime literacy. It is similar to teaching children not to speak with strangers or follow a person down a dark alley. Educate yourself and it will knock a large portion of the attacks.

Whitney Grace, December 25, 2019

BOB: A Blockchain Phone

November 29, 2019

Remember the comment by some FBI officials about going dark. The darkness is now spreading. “Meet BOB, World’s First Modular Blockchain-Powered Smartphone” reports that a crypto currency centric phone may become more widely available.

The write up states:

BOB runs on Function X OS, which is an open-source operating system. As it uses the blockchain ecosystem, every task on the phone, be it sending texts, making calls, browsing the web, and file sharing, all happen on a decentralized network, making it highly encrypted and thus secure. Each unit of the BOB is a node that supports the entire Function X blockchain system.

DarkCyber thinks that Mr. Comey was anticipating these types of devices as well as thinking about Facebook’s encrypted message systems.

For more details, consult the TechRadar article.

One important point: The BOB has a headphone jack. Even those concerned about privacy and secrecy like their tunes.

Stephen E Arnold, November 29, 2019

Secure Data? Maybe after a Data Loss?

November 27, 2019

Amid discussions of data breaches, one huge source of risk is often overlooked. Information Management warns us about “Unstructured Data: The Hidden Threat in Digital Business.” Writer Bernadette Nixon believes too many companies look at only their structured data when they plan security—sources like databases, spreadsheets, customer relationship management (CRM) systems, and enterprise resource planning (ERP) systems. However, the prevalence of unstructured data in business is growing, and procedures for securing it are not keeping up. Nixon writes:

“Unstructured data has become an integral part of how organizations conduct digital business. It’s often what enables an easier, faster customer experience. For example, would you rather fill out generic forms detailing your car’s damage or instantly share an image with an insurance agent? For convenience, we are all likely to opt to share unstructured data with an organization and businesses will continue to incorporate it into processes for exactly that reason. To that end, it’s no surprise that Gartner predicts that, by 2022, 80 percent of all global data will be unstructured. With the growth of unstructured data comes the unfortunate truth that it is much more difficult to control and secure than structured data. If an employee is taking information in the form of unstructured data and inputting it elsewhere, they might store the original document or picture on a local file share or leave it in an email as an attachment. Within one organization, the process for handling documents could vary across employees and teams and it’s entirely likely that management has no idea this is taking place.”

In order for organizations to plug this security gap, Nixon has some suggestions. Make it a priority for the IT department to secure unstructured data right away, before an issue comes up. Determine just what unstructured data is on hand and where it is stored, keeping in mind this might differ from one department to another. Finally, delineate clear, standardized procedures for handling and storing this data from the time it enters the system to the time it is destroyed. Ideally, as much of this workflow would be automated, saving time, removing responsibility from individual workers, and ensuring the process is followed correctly.

Cynthia Murrell, November 27, 2019

The Cost of Indifference and the Value of Data Governance

November 23, 2019

The DarkCyber team suggests a peek at “Unsecured Server Exposes 4 Billion Records, 1.2 Billion People.” The write up states:

The data itself comes from the data aggregator and enrichment companies People Data Labs (PDL) and OxyData.Io and contains basic personal information, such as names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.

The write up points out that the data losses included:

  • Over 1.5 billion unique people, including close to 260 million in the U.S.
  • Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
  • Over 420 million LinkedIn URLs.
  • Over 1 billion Facebook URLs and IDs.
  • 400 million plus phone numbers with more than 200 million U.S.-based valid cell phone numbers.

The hosting provider may have been Amazon AWS. The software system was Elasticsearch. The individuals were those who set up the system.

Without reploughing a somewhat rocky field, one might suggest that default settings for cloud services, software, and passwords need a rethink. One might want to think about the staff assigned to the job of setting up the system. One might want to think about the sources of the information the company named in the article tapped. In short, one could think about quite a few points of failure.

Another approach might be to raise the question of responsibility. I suppose this is a type of governance, a term which refers to figuring out what’s to be done and how to complete tasks without creating this all-too-common situation of whizzy systems’ functioning as convenience stores for those who want data.

A few observations:

First, the individuals involved in setting up this system were not, it seems, managed particularly well. That’s a problem when managers don’t know what to stipulate their contractors and employees must do to secure online services. These “individuals” work at different organizations. Thus, coordination and checks are difficult. But the alternative? Loss of data.

Second, the developers of the software understand the security implications of certain user actions. The fix is to purchase additional security. Security is not baked in. Security is an option. That approach may generate revenue, but the quest for revenue seems to have a downside. Loss of data.

Third, the operators of the cloud system continue to follow the “just a platform” approach to business. The idea is that the functionality of a cloud system makes it easy to deploy an application. In a hurry? No problem. Use the basics. Want something special? That takes time, and when done in a careless or partial way, loss of data.

It seems that “loss of data” may be preventable but loss of data is part of the standard operating procedure in the present managerial environment.

How does the problem become lessened? Governance. Will companies and individuals step up and go through the difficult task of figuring out what and how before losing data?

Unlikely. Painful lessons like the one revealed in the source article slip like rain water off the windshield of a car speeding down the information superhighway.

Dangerous? Sure. Will drivers slow down? Nope. The explanation after an accident was, “I don’t know. Car just skidded.” There’s insurance for automobile accidents. For cloud data wrecks, no consequences of a meaningful nature. Just blog posts. These are effective?

I will be talking about how the tendrils of the Dark Web and security lapses may create a greater interest in data governance. Exciting? Only if you were one of the billion or so whose personally identifiable information was put online in a less than secure way. I will be at the DG Vision Conference in Washington, DC, early in December 2019.

Stephen E Arnold, November 23, 2019

Remounting the Pegasus Named NSO

November 15, 2019

Those who care about security will want to check out the article, “Pegasus Spyware: All You Need to Know” from the Deccan Herald. Approximately 1,400 smartphones belonging to activists, lawyers, and journalists across four continents suffered cyber attacks that exploited a WhatsApp vulnerability, according to a statement from that company. They say the attacks used the Pegasus software made by (in)famous spyware maker NSO Group. Though the Israeli spyware firm insists only licensed government intelligence and law enforcement agencies use their products, WhatsApp remains unconvinced; the messaging platform is now suing NSO over this.

The article gives a little history on Pegasus and the investigation Citizen Lab and Lookout Security undertook in 2016. We learn the spyware takes two approaches to hacking into a device. The first relies on a familiar technique: phishing. The second, and much scarier, was not a practical threat until now. Writer David Binod Shrestha reports:

“The zero-click vector is far more insidious as it does not require the target user to click or open a link. Until the WhatsApp case, no example of this was seen in real-world usage. Zero-click vectors generally function via push messages that automatically load links within the SMS. Since a lot of recent phones can disable or block push messages, a workaround has evidently been developed. WhatsApp, in its official statement, revealed that a vulnerability in their voice call function was exploited, which allowed for ‘remote code execution via specially crafted series of packets sent to a target phone number.’ Basically, the phones were infected via an incoming call, which even when ignored, would install Pegasus on the device. The data packets containing the spyware code were carried via the internet connection and a small backdoor for its installation was immediately opened when the phone rang. The call would then be deleted from the log, removing any visible trace of infection. The only way you will know if your phone has been infected in the recent attacks is once WhatsApp notifies you via a message on the platform.”

Pegasus itself targets iPhones, but Android users are not immune; a version Google has called Chrysaor focuses on Android. Both versions immediately compromise nearly all the phone’s data (like personal data and passwords) and give hackers access to the mike and camera, live GPS location, keystroke logging, and phone calls. According to the Financial Times, the latest version of Pegasus can also access cloud-based accounts and bypass two-factor authentication. Perhaps most unnerving is the fact that all this activity is undetectable by the user. See the article for details on the spyware’s self-destruct mechanism.

Shrestha shares a list of suggestions for avoiding a Pegasus attack. They are oft-prescribed precautions, but they bear repeating:

“*Never open links or download or open files sent from an unknown source

*Switch off push SMS messages in your device settings

*If you own an iPhone, do not jailbreak it yourself to get around restrictions

*Always install software updates and patches on time

*Turn off Wi-Fi, Bluetooth and locations services when not in use

*Encrypt any sensitive data located on your phone

*Periodically back up your files to a physical storage

*Do not blindly approve app permission requests”

For those who do fall victim to Pegasus, Citizen Lab suggests these remedies—they should delink their cloud accounts, replace their device altogether, change all their passwords, and take security more seriously on the new device. Ouch! Best avoid the attacks altogether.

Cynthia Murrell, November 15, 2019

Quantum Cryptography: Rain on the Parade

November 11, 2019

I know (not too well, which may be a good thing) who is trying to cash in the quantum gold rush. The angle for this entrepreneur is that quantum computing will allow government entities to break encryption.

The hitch in the git along is that there are bad actors who are involved in quantum computing. There are good actors who are creating quantum-safe cryptography with quantum computers.

Confused? Don’t be. People who need to encrypt gravitate to the high horsepower computers. The people who want to break encryption do what’s necessary to get access to quantum computers. The method used by Saudi Arabia to obtain specific social media data worked like a champ.

That brings me to “Komodo to Lead Blockchain Revolution with Quantum-Safe Cryptography.” The write up says:

As a blockchain platform, Stadelmann said that Komodo is trying to solve the problem and has implemented quantum-safe cryptographic solutions for the past couple of years which will not be able to crack cryptographic signatures. Using an IBM-built technology, known as Dilithium, into its blockchain platform, he said the new digital signature algorithm will create a key which cannot be cracked by a quantum computer.

Sounds good. Just another cat and mouse game. The people working to cash in on this scare tactic may find that organizations face the status quo, not doomsday. Confused? Just the status quo perhaps?

Stephen E Arnold, November 11, 2019

The Golden Age of Surveillance

November 1, 2019

Back in 2016, then-FBI general counsel Jim Baker famously fought tooth and nail to force Apple to grant the Bureau access to an encrypted phone following a terrorist attack in San Bernardino. (The FBI eventually found another way to access the data, so the legal issue was sidestepped.) Now we learn Baker has evolved on the issue in the write-up, “Former FBI General Counsel who Fought Apple Has Now ‘Rethought’ Encryption” at 9To5Mac. Writer Ben Lovejoy pulls highlights from a lengthy piece Baker wrote for the Lawfare blog describing his current position on encryption. While he stands by his actions in the San Bernardino case, he now sees the need to balance law enforcement’s need for information and the rest of society’s need to protect valuable data from bad actors. Lovejoy writes:

“Baker says that strong encryption still poses a substantial problem for law enforcement, but he now recognizes that there is no way to square the circle of protecting both personal and government data on the one hand, and allowing law enforcement to access data on the other.

‘A solution that focuses solely on law enforcement’s concerns will have profound negative implications for the nation across many dimensions. I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.’

“He says that forcing US companies to create compromised systems would simply shift demand to foreign-made products that remain secure. Additionally, a lot can be done with metadata- that is, records of who contacted who, rather than what was said.

‘Further, the situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data- especially metadata- than ever before is available for collection and analysis by law enforcement.’”

“Golden age of surveillance” indeed—the man has a point. He stresses, in particular, the importance of avoiding potential spyware in Chinese-made equipment. He urges government officials to embrace encryption as necessary or, if they refuse to do that, find another way to guard against existential cyber threats. He observes they have yet to do so effectively.

Cynthia Murrell, November 1, 2019

Next Page »

  • Archives

  • Recent Posts

  • Meta