Cyber Security: Hand Waving Instead of Results?

October 9, 2019

Beta News published what DarkCyber views as a bit of an exposé. “Security Professionals Struggle to Measure Success within the Business” recycles information which appears to come from a services firm called Thycotic. (DarkCyber has not been able to locate the referenced report.)

Among the statements in the write up, DarkCyber noted these as particularly thought provoking:

  • “Nearly half (44 percent) [of those in the Thycotic sample] say their organization struggles to align security initiatives with the business’s overall goals”
  • “More [than] 35 percent aren’t clear what the business goals are”
  • “The most commonly used metric is to count the number of security breaches (56 percent) followed by the time taken to resolve a breach (51 percent). It appears, however, that these criteria may not be terribly useful.”
  • “Around two in five (39 percent) say they have no way of measuring what difference past security initiatives have made to the business.”
  • “36 percent agree it’s not a priority for them to measure security success once initiatives have been rolled out.”

These are interesting results. If an information unit cannot demonstrate that its security efforts are useful, budgets will be cut or staff rotated. Vendors will be sucked into this negative atmosphere.

Are cyber security vendors delivering solutions which work? Are customers able to use these products? Will executives lose confidence in their staff and vendors because security challenges continue to bedevil the organization?

The big question, however, remains:

Do the hundreds of vendors have solutions that are useful?

Paying invoices for hand waving can be an issue in some organizations. Well funded cyber security start ups might run into choppy waters after several years of smooth sailing and the support of investors who believe that nothing can derail new cyber security solutions.

Stephen E Arnold, October 9, 2019

Encryption: Change May Be Imposed

October 8, 2019

In our DarkCyber videos we reported about Australia’s efforts to obtain access to encrypted communications. We noted that other Five Eyes partners would pick up the idea and move it forward. “The Open Letter from the Governments of US, UK, and Australia to Facebook is An All-Out Attack on Encryption” from the Electronic Frontier Foundation explains that several countries have demanded access to secure messages. The EFF states:

This is a staggering attempt to undermine the security and privacy of communications tools used by billions of people. Facebook should not comply. The letter comes in concert with the signing of a new agreement between the US and UK to provide access to allow law enforcement in one jurisdiction to more easily obtain electronic data stored in the other jurisdiction. But the letter to Facebook goes much further: law enforcement and national security agencies in these three countries are asking for nothing less than access to every conversation that crosses every digital device.

The EFF states:

What’s more, the backdoors into encrypted communications sought by these governments would be available not just to governments with a supposedly functional rule of law. Facebook and others would face immense pressure to also provide them to authoritarian regimes, who might seek to spy on dissidents in the name of combatting terrorism or civil unrest, for example. The Department of Justice and its partners in the UK and Australia claim to support “strong encryption,” but the unfettered access to encrypted data described in this letter is incompatible with how encryption actually works.

DarkCyber wants to point out that flows of digital information work like sandblasters; that is, the data flows erode existing structures. When societal conventions are blasted by bits, the darker side of human nature has a new greenhouse in which to flourish.

DarkCyber believes that a new context exists in the digital environment. We understand what EFF says, but it seems clear that access to encrypted content is just one facet of other changes; for example, cutting off Internet access, censorship, and similar actions.

New world. Old arguments may not gain traction.

Stephen E Arnold, October 8, 2019

A Snowden Fave Has a Quirk

October 7, 2019

If you use Signal, a fave of Edward Snowden, there’s a possible security flaw. Signal is a messaging app with a charming feature if “Signal: Incoming Call Can Be Connected without User Interaction” is on the money. The write up asserts:

Using a modified client, it is possible to send the “connect” message to a callee device when an incoming call is in progress, but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device. The connected call will only be an audio call, as the user needs to manually enable video in all calls. The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states. I would recommend improving the logic in both clients, as it is possible the UI problem doesn’t occur in all situations.

The article provides technical information about this issue.
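The quoted write up describes a sequencing flaw: the callee honours the peer's "connect" message while the incoming call is still ringing, so the audio path opens before anyone has tapped "accept." The toy state machine below is an added example, not Signal's code; the state names, message names and the two Callee classes are constructed to show the defective rule next to the hardened one (media opens only from the ACCEPTED state, and out-of-sequence messages are dropped and counted).

```python
"""Toy model of a callee's call-signaling state machine.

Added example, not Signal's implementation: it reproduces the class of
logic error described in the write up (a peer's "connect" honoured while
the call is still RINGING) and the hardened rule that the media path opens
only after the local user has accepted. All names here are constructed.
"""
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()    # incoming call shown to the user, not yet accepted
    ACCEPTED = auto()   # local user pressed "accept"; waiting for the peer
    CONNECTED = auto()  # media (audio) path is open


class InsecureCallee:
    """Processes 'connect' in any live call state, including RINGING."""

    def __init__(self):
        self.state = CallState.IDLE
        self.audio_open = False
        self.rejected_messages = 0

    def on_offer(self):
        """Peer's call offer arrives: start ringing the user."""
        if self.state is CallState.IDLE:
            self.state = CallState.RINGING

    def on_user_accept(self):
        """Local user taps accept."""
        if self.state is CallState.RINGING:
            self.state = CallState.ACCEPTED

    def on_connect(self):
        """Peer's 'connect' arrives. Defect: acceptance is never checked."""
        if self.state in (CallState.RINGING, CallState.ACCEPTED):
            self.state = CallState.CONNECTED
            self.audio_open = True
        return self.audio_open


class HardenedCallee(InsecureCallee):
    """Same machine, but the media path opens only from ACCEPTED."""

    def on_connect(self):
        if self.state is CallState.ACCEPTED:
            self.state = CallState.CONNECTED
            self.audio_open = True
            return True
        # Out-of-sequence message: drop it, stay in the current state, and
        # count it so unexpected peer behaviour is visible in telemetry.
        self.rejected_messages += 1
        return False


def simulate(callee_cls, user_accepts):
    """Drive one incoming call; the peer sends 'connect' right after its offer."""
    callee = callee_cls()
    callee.on_offer()
    if user_accepts:
        callee.on_user_accept()
    callee.on_connect()   # sent by the (possibly modified) peer client
    return callee.state, callee.audio_open, callee.rejected_messages


if __name__ == "__main__":
    for cls in (InsecureCallee, HardenedCallee):
        for accepts in (False, True):
            state, audio, rejected = simulate(cls, accepts)
            print(f"{cls.__name__:16} user_accepts={accepts!s:5} -> "
                  f"{state.name:9} audio_open={audio} rejected={rejected}")
```

The point of the hardened class is that every message is validated against the current state rather than merely against "is a call in progress"; the rejected-message counter gives defenders a signal when a peer client sends messages the protocol does not allow at that step.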

DarkCyber assumes Mr. Snowden has adjusted his secure messaging opsec when he is not seeking life in France or preparing for a for-fee lecture.

Stephen E Arnold, October 5, 2019

Cyber Security: Not for Cloud Misconfigurations

September 25, 2019

DarkCyber has been discussing the apparent ineffectiveness of the cyber defense technology offered by dozens of vendors. Despite the escalation in marketing hype, security issues are like exhaust fumes — everywhere. “99 Percent of All Misconfigurations in the Public Cloud Go Unreported” flashes credibility lights with its “99 percent” and “all” headline.

The write up asserts:

The surge in adoption of cloud-based technologies and Infrastructure-as-a-Service (IaaS) has added a new facet to cyber threats — the loss of information caused by misconfigurations and weak credentials in the public cloud space.

That statement sounds plausible.

The write up adds:

The report says that the top ten most commonly-misconfigured settings in AWS, the most popular IaaS provider for enterprise firms alongside Microsoft Azure, are as below:

  • EBS Data Encryption
  • Unrestricted Outbound Access
  • EC2 Security Group Port Config
  • Provisioning Access to Resources using IAM Roles
  • Unrestricted Access to Non-Http/Https ports
  • Unrestricted Inbound Access on Uncommon Ports
  • Unused Security Groups
  • Unrestricted ICMP Access
  • EC2 Security Group Inbound Access Configuration
  • EC2 Instance Belongs to a VPC
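Most of the settings in that list can be checked from an account snapshot without any vendor product. The script below is an added example, not the report's or AWS's tooling: it walks data shaped like the EC2 API responses for describe-security-groups, describe-instances and describe-volumes (IpPermissions, IpPermissionsEgress, IpRanges, CidrIp, IpProtocol, FromPort, ToPort, SecurityGroups, VpcId and Encrypted are the real field names) and flags six of the ten items, folding the two "unrestricted inbound on uncommon / non-HTTP(S) ports" entries into one check. The account snapshot and its resource ids are constructed.

```python
"""Offline audit for the AWS misconfiguration classes listed above.

Added example, not the report's or AWS's own tooling. Field names follow
the EC2 API response shape; the SAMPLE_ACCOUNT snapshot is constructed and
its ids (sg-web-EXAMPLE, ...) are not real resources.
"""

WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}


def _open_to_world(rule):
    """True if any IPv4/IPv6 range on the rule is the whole Internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def _only_web_ports(rule):
    """True if the rule covers nothing but TCP 80 and/or 443."""
    if rule.get("IpProtocol") != "tcp":
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return set(range(lo, hi + 1)) <= WEB_PORTS


def audit_security_groups(groups, instances):
    findings = []
    in_use = {sg["GroupId"] for i in instances for sg in i.get("SecurityGroups", [])}
    for g in groups:
        gid = g["GroupId"]
        if gid not in in_use:
            findings.append(("Unused Security Group", gid))
        for rule in g.get("IpPermissions", []):        # inbound rules
            if not _open_to_world(rule):
                continue
            if rule.get("IpProtocol") == "icmp":
                findings.append(("Unrestricted ICMP Access", gid))
            elif not _only_web_ports(rule):
                findings.append(("Unrestricted Inbound Access on Non-HTTP/HTTPS Port", gid))
        for rule in g.get("IpPermissionsEgress", []):  # outbound rules
            if _open_to_world(rule) and rule.get("IpProtocol") == "-1":
                findings.append(("Unrestricted Outbound Access", gid))
    return findings


def audit_instances_and_volumes(instances, volumes):
    findings = []
    for inst in instances:
        if not inst.get("VpcId"):            # EC2-Classic style instance
            findings.append(("EC2 Instance Not in a VPC", inst["InstanceId"]))
    for vol in volumes:
        if not vol.get("Encrypted", False):
            findings.append(("EBS Volume Not Encrypted", vol["VolumeId"]))
    return findings


def audit(account):
    """Run every check over one snapshot; returns sorted (finding, resource) pairs."""
    findings = audit_security_groups(account["SecurityGroups"], account["Instances"])
    findings += audit_instances_and_volumes(account["Instances"], account["Volumes"])
    return sorted(findings)


# Constructed snapshot: a sane web group, a sloppy admin group, an orphaned
# group, a legacy non-VPC instance and one unencrypted volume.
SAMPLE_ACCOUNT = {
    "SecurityGroups": [
        {"GroupId": "sg-web-EXAMPLE",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-admin-EXAMPLE",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                           {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
        {"GroupId": "sg-stale-EXAMPLE", "IpPermissions": [], "IpPermissionsEgress": []},
    ],
    "Instances": [
        {"InstanceId": "i-web-EXAMPLE", "VpcId": "vpc-EXAMPLE",
         "SecurityGroups": [{"GroupId": "sg-web-EXAMPLE"}]},
        {"InstanceId": "i-legacy-EXAMPLE", "SecurityGroups": [{"GroupId": "sg-admin-EXAMPLE"}]},
    ],
    "Volumes": [
        {"VolumeId": "vol-data-EXAMPLE", "Encrypted": True},
        {"VolumeId": "vol-logs-EXAMPLE", "Encrypted": False},
    ],
}

if __name__ == "__main__":
    for finding, resource in audit(SAMPLE_ACCOUNT):
        print(f"{finding:52} {resource}")
```

Against a real account the same functions can be fed the `SecurityGroups`, `Reservations[].Instances` and `Volumes` arrays returned by the corresponding describe calls; the IAM-role item in the list is not covered because it needs policy documents, not network or storage attributes.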

If the data are accurate, Amazon is a security “challenge.”

Has Amazon done enough to make certain that its customers are not creating risks for others? If Amazon is a security problem, are the vendors of pricey cyber security systems providing tools and solutions that shore up known weak spots?

Two questions. Answers?

Stephen E Arnold, September 25, 2019

Google: Managing Staff a Challenge

September 24, 2019

DarkCyber is not sure about the accuracy of “Exclusive: Google Insider Turns Over 950 Pages Of Docs And Laptop To DOJ.” The story appeared on Saraacarter.com (the second “a” is a middle initial). Ms. Carter’s about page states:

Sara A. Carter is a national and international award-winning investigative reporter whose stories have ranged from national security, terrorism, immigration and front line coverage of the wars in Afghanistan and Iraq. Sara A. Carter is currently an investigative reporter and Fox News Contributor. Her stories can be found at saraacarter.com. She formerly worked as a senior national security correspondent for Circa News.

The write up asserts that:

A former Google insider claiming the company created algorithms to hide its political bias within artificial intelligence platforms – in effect targeting particular words, phrases and contexts to promote, alter, reference or manipulate perceptions of Internet content – delivered roughly 950 pages of documents to the Department of Justice’s Antitrust division Friday.

The story is dated August 13, 2019, and DarkCyber spotted the link on September 23, 2019. In August 2019, Project Veritas revealed that the alleged Google insider is / was Zachary Vorhies.

Project Veritas does have a Google Document Dump page. You can view the files and download them at this link. A representative document is “Algorithmic Discrimination from an Environmental Psychology Perspective: Stress-Inducing Differential Treatment.”

The write up is an academic review of findings which, upon reflection, are mostly common sense. Manipulation can be accomplished via stress causing and stress relieving.

What struck DarkCyber as interesting is that the cache of documents has not made much of a splash in the last few weeks.

Other observations include:

  • Unlike the now long-offline Google research papers which I cited in my 2003 Google Legacy monograph, the documents in this cache are more touchy-feely.
  • Google’s ability to control its confidential documents appears to have some gaps.
  • The “insider” turned canary reveals that Google is not generating happy Xooglers.

Net net: The high school science club approach to management may need some upgrades.

Stephen E Arnold, September 24, 2019

Email Phishing: Yes, It Works

September 19, 2019

Phishing scams, aka spam, are arguably the oldest Internet scam. One would think that after almost thirty years with the Internet and email, people would have wised up to phishing scams, but no. People still fall for them, and ZDNet has an article that explains why, “Phishing Emails: Here’s Why We Are Still Getting Caught After All These Years.” Here is an interesting fact: phishing emails are actually the first stage in security and data hacks within the past few years.

Google blocks more than 100 million scam emails a day, and 68% of the messages are new variations of ones already blocked. What is even more interesting is whom the phishing campaigns target. Enterprise users are five times more likely than a regular Gmail user to be targeted, education users are two times more likely, government workers are three times more likely, and non-profits are 3.8 times more likely than regular consumers. The scams only last a certain length of time to avoid detection; sometimes they last hours or only a few minutes. The scams mask themselves:

“While bulk phishing campaigns only last for 13 hours, more focused attacks are even more short lived; what Google terms as a ’boutique campaign’ — something aimed at just a few individuals in a company — lasts just seven minutes. In half of all phishing campaigns, the email pretends to have come from the email provider, in a quarter it claims to be from a cloud services provider; after that it’s most likely masquerading as a message from a financial services company or ecommerce site.”

An even scarier fact is that 45% of Internet users do not understand phishing scams. The phishing bad actors play on this naiveté and use psychological tricks, such as urgency and fear, to get people to comply.

People need to wise up and be aware of Internet scams and phishing attacks. Be aware that a reputable company will never ask for your password, and always check the email address to see if it appears suspicious. If it has a lot of numbers and letters and does not come from the company’s official domain, it is a scam.
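The advice above (check the sender's domain, distrust digit-heavy addresses, and treat password requests and urgency as red flags) can be turned into a triage check. The script below is an added example, not ZDNet's or Google's logic: it parses a raw message with Python's standard library and lists the reasons it looks suspicious. The official domain list, the brand name and the two sample messages are constructed for the example.

```python
"""Sender and body triage for the phishing advice in the paragraph above.

Added example, not ZDNet's or Google's logic. OFFICIAL_DOMAINS, BRAND and
the two messages are constructed; nothing here is a real organisation.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAINS = {"example-bank.com"}   # constructed: where the company really mails from
BRAND = "example bank"

CREDENTIAL_RE = re.compile(r"\b(password|passcode|verify your account)\b", re.I)
URGENCY_RE = re.compile(r"\b(immediately|within \d+ hours|suspended|urgent)\b", re.I)


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _is_official(domain, official=OFFICIAL_DOMAINS):
    """Exact match or a subdomain of an official domain; lookalike domains fail."""
    return any(domain == d or domain.endswith("." + d) for d in official)


def assess_sender(raw_message, official=OFFICIAL_DOMAINS, brand=BRAND):
    """Return the list of reasons the message looks like phishing ([] if none)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = _domain(address)
    reasons = []

    if not _is_official(domain, official):
        reasons.append("sender domain is not an official company domain")
        if brand in display_name.lower():
            reasons.append("display name claims the brand but the address does not")
    local_part = address.split("@")[0]
    if sum(ch.isdigit() for ch in local_part) >= 4:   # "a lot of numbers and letters"
        reasons.append("address local part is digit-heavy")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != domain:
        reasons.append("Reply-To points at a different domain than From")

    body = "" if msg.is_multipart() else msg.get_payload()
    if CREDENTIAL_RE.search(body):
        reasons.append("body asks for a password or account verification")
    if URGENCY_RE.search(body):
        reasons.append("body uses urgency or fear language")
    return reasons


# Constructed samples: a routine notice from the real domain, and a lure.
LEGIT_MESSAGE = "\n".join([
    "From: Example Bank <alerts@notify.example-bank.com>",
    "Subject: Your March statement is ready",
    "",
    "Your statement is available in online banking.",
])

PHISH_MESSAGE = "\n".join([
    "From: Example Bank Security <support.team8843@example-bank-secure-login.com>",
    "Reply-To: recover@mailbox.example.net",
    "Subject: Action required",
    "",
    "Your account will be suspended within 24 hours. Verify your account",
    "and confirm your password to keep access.",
])

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISH_MESSAGE)):
        print(label, assess_sender(raw) or "no indicators")
```

These are triage signals, not proof: a From address on the official domain can still be forged, so the message's SPF, DKIM and DMARC authentication results (not modelled here) remain the authoritative check that the official domain was really used.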

Whitney Grace, September 19, 2019

Understanding Social Engineering

September 6, 2019

“Quiet desperation”? Nope, just surfing on psychological predispositions. Social engineering leads to a number of fascinating security lapses. For a useful analysis of how pushing buttons can trigger some interesting responses, navigate to “Do You Love Me? Psychological Characteristics of Romance Scam Victims.” The write up provides some useful insights. We noted this statement from the article:

a susceptibility to persuasion scale has been developed with the intention to predict likelihood of becoming scammed. This scale includes the following items: premeditation, consistency, sensation seeking, self-control, social influence, similarity, risk preferences, attitudes toward advertising, need for cognition, and uniqueness. The current work, therefore, suggests some merit in considering personal dispositions might predict likelihood of becoming scammed.

Cyberpsychology at work.

Stephen E Arnold, September 6, 2019

MAGA: Making Android Great Again?

August 30, 2019

My feeds were stuffed with references to Google’s announcement that Apple’s iPhone security sucks. Here’s a sampling of the headlines I spotted:

Google reveals years-long ‘indiscriminate’ iPhone hack. Most of the vulnerabilities targeted were found in the iPhone’s default Safari web browser. Source: The National

Google discovered ‘sustained attacks’ over at least two years against iPhone users. Source: Neowin.net

Google says hacked websites were attacking iPhones for years. Now-fixed exploits were used to install monitoring implants. Source: TechSpot

And there are more. The Guardian, Inquirer, PocketLint, MIT Technology Review, and others.

DarkCyber does not want to think negative thoughts about Google’s discovery. Apple addressed the issue promptly. On the plus side of the ledger, Google could have made the announcement after the US holiday weekend. Why now?

DarkCyber wants to point out that another article, this one about Google Chrome, offered this headline: “A major Google Chrome bug could let criminals attack your PC remotely.”

Not too much coverage of this item compared with the damning revelation that iPhones. Are. Insecure!

DarkCyber suggests that the information presented at CVE Details may be of interest. This site presents a possibly accurate list of Google Android security issues.

DarkCyber wants to point out:

  1. If a device is any place other than a Faraday cage, unplugged, and behind a security perimeter, that device may be vulnerable
  2. Mass market devices are compromisable because users have “interesting behaviors.” Curious about that to which DarkCyber refers? Check out this link.
  3. Hardened devices which are “black” are not popular because they are [a] expensive to produce and keep up to date, [b] more difficult to use than a consumer phone, [c] expensive, and [d] also vulnerable.

Security exposés capture headlines. Vendors of cyber security services and products make these types of revelations part of their standard operating procedure.

Capturing headlines informs bad actors that there are vulnerabilities to be discovered. “Hey, why not check out this method” publicity is an interesting approach. Is Google grandstanding?

Plus, Google may introduce its own MAGA hat. A “Make Android Great Again” chapeau could knock the famous Google flashing lapel pin off its top spot in the Google collectible hall of fame.

Stephen E Arnold, August 30, 2019

CafePress: Just 23 Million Customer Details May Have Slipped Away

August 6, 2019

I read “CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?” Several years ago I participated in a meeting at which a senior officer of CafePress was in the group. The topic was a conference at which I was going to deliver a lecture about cyber security. I recall that the quite confident CafePress C suite executive pointed out to me that the firm had first rate security. Interesting, right?

The write up in the capitalist tool said:

According to that HIBP notification, the breach itself took place on Feb 20 and compromised a total of 23,205,290 accounts. The data was provided to Troy Hunt at HIBP from a source attributed as JimScott.Sec@protonmail.com.

I thought that an outfit with first rate security would not fall to a bad actor. I also assumed that the company would have reported the issue to customers promptly. It seems as though the breach took place more than five months ago. (February 2019 and today is August 5, 2019.)

What’s DarkCyber’s take on this?

  1. The attitude of a CafePress executive makes clear that confidence and arrogance are poor substitutes for knowledge.
  2. The company looks like it needs a security and management health check.
  3. A failure to act more quickly suggests significant governance issues.

How about a T shirt with the CafePress logo and the phrase “First Rate Security” printed on the front?

Stephen E Arnold, August 6, 2019


Capital One, Amazon, Cats, and the Common Infrastructure Play

July 31, 2019

I read “Hacking Suspect Acted Oddly Online.” (Note: the online story is paywalled by Rupert Murdoch. You may be able to get a peek at the dead tree version of this story in the Wall Street Journal for July 31, 2019.) Yep, Internet cat angle, self incrimination, and public content dissemination. That’s a plot hook which may make a great Lifetime or Netflix program. Amazon is likely to pass on funding the film version of this now familiar story.

Here’s the plot:

There’s the distraught financial institution, in this case, the lovable Capital One. This is the outfit known for “what’s in your pocket”? Good question. The financial outfit teamed up with Amazon in 2015, and according to the “real news” outfit:

In 2015, Capital One Chief Information Officer Rob Alexander said, “The financial services industry attracts some of the worst cyber criminals. So we worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our own data centers.”

That sounds darned good, but data affecting about 100 million people was breached. That number has not been verified to my satisfaction, and DarkCyber awaits additional data. But 100 million is a good enough number for the story.

Next we have a protagonist with some employment history at Amazon. Remember that this is the cloud service which was in the chain of data compromise. But — and this is important — Amazon was not at fault. The security problem was a misconfigured bit of “infrastructure.” Plus, the infrastructure which was the point of weakness is “common to both cloud and on premises data center environments.”

The story ends with a suspect. If the program becomes a mini series, we will follow the protagonist with empathy for cats through a trial, and perhaps a variation on the story weaving of “Orange Is the New Black.”

What’s missing from the analysis in the “real news” outlets? Here in Harrod’s Creek, Kentucky, we think of Amazon as an outfit with nifty white Mercedes Benz vans and fast moving van drivers.

But a couple of the pundits lounging in the convenience store / tavern floated some ideas:

  1. Why is Amazon not providing a system to address misconfiguration? It seems that 100 million people are now aware of this dropped ball.
  2. Why is an Amazon person, presumably with Amazon expertise, behaving in a manner that appears problematic? If the person was hired, what’s the flaw in the Amazon hiring process? If the person was terminated for a germane reason, why was the person not given appropriate “support” to make the transition from Amazonian to a person with unusual online activities? How does Amazon prevent information from being used by a former employee? What can be improved? Are there other former Amazon employees who are able to behave in an allegedly problematic way?
  3. Why is the problem “common,” to use Capital One’s alleged word quoted in the WSJ story? There are dozens upon dozens of firms which are marketing themselves as cyber safeguard providers. Are these services used by Amazon, or is Amazon relying on home grown solutions? There are indeed Amazon’s own security tools. But are these findable, usable, reliable, and efficacious? Security may be lost in the thicket of proliferating Amazon products, services, and features. In effect, is it possible that Amazon is not doing enough to prevent such security lapses associated closely with its cloud solutions?

Stepping back, let’s think about this incident in a cinematic way:

  1. A giant company offering services which are so complex that problems are likely to result from component interactions, blundering customers, and former employees with a behavior quirk.
  2. A financial services firm confident of its technical competence. (Note that this financial firm had a previous compliance allegation which seemed to pivot on money laundering and ended with a $100 million fine. See “Compliance Weaknesses Cost Capital One $100M”, October 23, 2018. You will have to pay to view this allegedly accurate write up.)
  3. A protagonist who seemed to send up distress flags via online communication channels.

What’s the big story?

Maybe there’s a “heart of darkness” with regard to security within the Amazon jungle.

To which jungle was Joseph Conrad, author of the “Heart of Darkness” referring?

“Nowhere did we stop long enough to get a particularized impression, but the general sense of vague and oppressive wonder grew upon me. It was like a weary pilgrimage amongst hints for nightmares.”

Psychological, digital, or financial? With the JEDI contract award fast approaching, will the procurement officials interpret the Capital One breach as a glimpse of the future? Maybe Oracle is correct in its view of Amazon?

Stephen E Arnold, July 31, 2019
