BOB: A Blockchain Phone

November 29, 2019

Remember the comment by some FBI officials about going dark. The darkness is now spreading. “Meet BOB, World’s First Modular Blockchain-Powered Smartphone” reports that a crypto currency centric phone may become more widely available.

The write up states:

BOB runs on Function X OS, which is an open-source operating system. As it uses the blockchain ecosystem, every task on the phone, be it sending texts, making calls, browsing the web, and file sharing, all happen on a decentralized network, making it highly encrypted and thus secure. Each unit of the BOB is a node that supports the entire Function X blockchain system.

DarkCyber thinks that Mr. Comey was anticipating these types of devices as well as thinking about Facebook’s encrypted message systems.

For more details, consult the TechRadar article.

One important point: The BOB has a headphone jack. Even those concerned about privacy and secrecy like their tunes.

Stephen E Arnold, November 29, 2019

Secure Data? Maybe after a Data Loss?

November 27, 2019

Amid discussions of data breaches, one huge source of risk is often overlooked. Information Management warns us about “Unstructured Data: The Hidden Threat in Digital Business.” Writer Bernadette Nixon believes too many companies look at only their structured data when they plan security—sources like databases, spreadsheets, customer relationship management (CRM) systems, and enterprise resource planning (ERP) systems. However, the prevalence of unstructured data in business is growing, and procedures for securing it are not keeping up. Nixon writes:

“Unstructured data has become an integral part of how organizations conduct digital business. It’s often what enables an easier, faster customer experience. For example, would you rather fill out generic forms detailing your car’s damage or instantly share an image with an insurance agent? For convenience, we are all likely to opt to share unstructured data with an organization and businesses will continue to incorporate it into processes for exactly that reason. To that end, it’s no surprise that Gartner predicts that, by 2022, 80 percent of all global data will be unstructured. With the growth of unstructured data comes the unfortunate truth that it is much more difficult to control and secure than structured data. If an employee is taking information in the form of unstructured data and inputting it elsewhere, they might store the original document or picture on a local file share or leave it in an email as an attachment. Within one organization, the process for handling documents could vary across employees and teams and it’s entirely likely that management has no idea this is taking place.”

In order for organizations to plug this security gap, Nixon has some suggestions. Make it a priority for the IT department to secure unstructured data right away, before an issue comes up. Determine just what unstructured data is on hand and where it is stored, keeping in mind this might differ from one department to another. Finally, delineate clear, standardized procedures for handling and storing this data from the time it enters the system to the time it is destroyed. Ideally, as much of this workflow would be automated, saving time, removing responsibility from individual workers, and ensuring the process is followed correctly.

Cynthia Murrell, November 27, 2019

The Cost of Indifference and the Value of Data Governance

November 23, 2019

The DarkCyber team suggests a peek at “Unsecured Server Exposes 4 Billion Records, 1.2 Billion People.” The write up states:

The data itself comes from the data aggregator and enrichment companies People Data Labs (PDL) and OxyData.Io and contains basic personal information, such as names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.

The write up points out that the data losses included:

  • Over 1.5 billion unique people, including close to 260 million in the U.S.
  • Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
  • Over 420 million LinkedIn URLs.
  • Over 1 billion Facebook URLs and IDs.
  • 400 million plus phone numbers with more than 200 million U.S.-based valid cell phone numbers.

The hosting provider may have been Amazon AWS. The software system was Elasticsearch. The individuals were those who set up the system.

Without reploughing a somewhat rocky field, one might suggest that default settings for cloud services, software, and passwords need a rethink. One might want to think about the staff assigned to the job of setting up the system. One might want to think about the sources of the information the company named in the article tapped. In short, one could think about quite a few points of failure.

Another approach might be to raise the question of responsibility. I suppose this is a type of governance, a term which refers to figuring out what’s to be done and how to complete tasks without creating this all-too-common situation of whizzy systems’ functioning as convenience stores for those who want data.

A few observations:

First, the individuals involved in setting up this system were not, it seems, managed particularly well. That’s a problem when managers don’t know what to stipulate their contractors and employees must do to secure online services. These “individuals” work at different organizations. Thus, coordination and checks are difficult. But the alternative? Loss of data.

Second, the developers of the software understand the security implications of certain user actions. The fix is to purchase additional security. Security is not baked in. Security is an option. That approach may generate revenue, but the quest for revenue seems to have a downside. Loss of data.

Third, the operators of the cloud system continue to follow the “just a platform” approach to business. The idea is that the functionality of a cloud system makes it easy to deploy an application. In a hurry? No problem. Use the basics. Want something special? That takes time, and when done in a careless or partial way, loss of data.

It seems that “loss of data” may be preventable but loss of data is part of the standard operating procedure in the present managerial environment.

How does the problem become lessened? Governance. Will companies and individuals step up and go through the difficult task of figuring out what and how before losing data?

Unlikely. Painful lessons like the one revealed in the source article slip like rain water off the windshield of a car speeding down the information superhighway.

Dangerous? Sure. Will drivers slow down? Nope. The explanation after an accident was, “I don’t know. Car just skidded.” There’s insurance for automobile accidents. For cloud data wrecks, no consequences of a meaningful nature. Just blog posts. These are effective?

I will be talking about how the tendrils of the Dark Web and security lapses may create a greater interest in data governance. Exciting? Only if you were one of the billion or so whose personally identifiable information was put online in a less than secure way. I will be at the DG Vision Conference in Washington, DC, early in December 2019.

Stephen E Arnold, November 23, 2019

Remounting the Pegasus Named NSO

November 15, 2019

Those who care about security will want to check out the article, “Pegasus Spyware: All You Need to Know” from the Deccan Herald. Approximately 1,400 smartphones belonging to activists, lawyers, and journalists across four continents suffered cyber attacks that exploited a WhatsApp vulnerability, according to a statement from that company. They say the attacks used the Pegasus software made by (in)famous spyware maker NSO Group. Though the Israeli spyware firm insists only licensed government intelligence and law enforcement agencies use their products, WhatsApp remains unconvinced; the messaging platform is now suing NSO over this.

The article gives a little history on Pegasus and the investigation Citizen Lab and Lookout Security undertook in 2016. We learn the spyware takes two approaches to hacking into a device. The first relies on a familiar technique: phishing. The second, and much scarier, was not a practical threat until now. Writer David Binod Shrestha reports:

“The zero-click vector is far more insidious as it does not require the target user to click or open a link. Until the WhatsApp case, no example of this was seen in real-world usage. Zero-click vectors generally function via push messages that automatically load links within the SMS. Since a lot of recent phones can disable or block push messages, a workaround has evidently been developed. WhatsApp, in its official statement, revealed that a vulnerability in their voice call function was exploited, which allowed for ‘remote code execution via specially crafted series of packets sent to a target phone number.’ Basically, the phones were infected via an incoming call, which even when ignored, would install Pegasus on the device. The data packets containing the spyware code were carried via the internet connection and a small backdoor for its installation was immediately opened when the phone rang. The call would then be deleted from the log, removing any visible trace of infection. The only way you will know if your phone has been infected in the recent attacks is once WhatsApp notifies you via a message on the platform.”

Pegasus itself targets iPhones, but Android users are not immune; a version Google has called Chrysaor focuses on Android. Both versions immediately compromise nearly all the phone’s data (like personal data and passwords) and give hackers access to the mike and camera, live GPS location, keystroke logging, and phone calls. According to the Financial Times, the latest version of Pegasus can also access cloud-based accounts and bypass two-factor authentication. Perhaps most unnerving is the fact that all this activity is undetectable by the user. See the article for details on the spyware’s self-destruct mechanism.

Shrestha shares a list of suggestions for avoiding a Pegasus attack. They are oft-prescribed precautions, but they bear repeating:

“*Never open links or download or open files sent from an unknown source

*Switch off push SMS messages in your device settings

*If you own an iPhone, do not jailbreak it yourself to get around restrictions

*Always install software updates and patches on time

*Turn off Wi-Fi, Bluetooth and locations services when not in use

*Encrypt any sensitive data located on your phone

*Periodically back up your files to a physical storage

*Do not blindly approve app permission requests”

For those who do fall victim to Pegasus, Citizen Lab suggests these remedies—they should delink their cloud accounts, replace their device altogether, change all their passwords, and take security more seriously on the new device. Ouch! Best avoid the attacks altogether.

Cynthia Murrell, November 15, 2019

Quantum Cryptography: Rain on the Parade

November 11, 2019

I know (not too well, which may be a good thing) who is trying to cash in the quantum gold rush. The angle for this entrepreneur is that quantum computing will allow government entities to break encryption.

The hitch in the git along is that there are bad actors who are involved in quantum computing. There are good actors who are creating quantum-safe cryptography with quantum computers.

Confused? Don’t be. People who need to encrypt gravitate to the high horsepower computers. The people who want to break encryption do what’s necessary to get access to quantum computers. The method used by Saudi Arabia to obtain specific social media data worked like a champ.

That brings me to “Komodo to Lead Blockchain Revolution with Quantum-Safe Cryptography.” The write up says:

As a blockchain platform, Stadelmann said that Komodo is trying to solve the problem and has implemented quantum-safe cryptographic solutions for the past couple of years which will not be able to crack cryptographic signatures. Using an IBM-built technology, known as Dilithium, into its blockchain platform, he said the new digital signature algorithm will create a key which cannot be cracked by a quantum computer.

Sounds good. Just another cat and mouse game. The people working to cash in on this scare tactic may find that organizations face the status quo, not doomsday. Confused? Just the status quo perhaps?

Stephen E Arnold, November 11, 2019

The Golden Age of Surveillance

November 1, 2019

Back in 2016, then-FBI general counsel Jim Baker famously fought tooth and nail to force Apple to grant the Bureau access to an encrypted phone following a terrorist attack in San Bernardino. (The FBI eventually found another way to access the data, so the legal issue was sidestepped.) Now we learn Baker has evolved on the issue in the write-up, “Former FBI General Counsel who Fought Apple Has Now ‘Rethought’ Encryption” at 9To5Mac. Writer Ben Lovejoy pulls highlights from a lengthy piece Baker wrote for the Lawfare blog describing his current position on encryption. While he stands by his actions in the San Bernardino case, he now sees the need to balance law enforcement’s need for information and the rest of society’s need to protect valuable data from bad actors. Lovejoy writes:

“Baker says that strong encryption still poses a substantial problem for law enforcement, but he now recognizes that there is no way to square the circle of protecting both personal and government data on the one hand, and allowing law enforcement to access data on the other.

‘A solution that focuses solely on law enforcement’s concerns will have profound negative implications for the nation across many dimensions. I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.’

“He says that forcing US companies to create compromised systems would simply shift demand to foreign-made products that remain secure. Additionally, a lot can be done with metadata- that is, records of who contacted who, rather than what was said.

‘Further, the situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data- especially metadata- than ever before is available for collection and analysis by law enforcement.’”

“Golden age of surveillance” indeed—the man has a point. He stresses, in particular, the importance of avoiding potential spyware in Chinese-made equipment. He urges government officials to embrace encryption as necessary or, if they refuse to do that, find another way to guard against existential cyber threats. He observes they have yet to do so effectively.

Cynthia Murrell, November 1, 2019

Another Cyber Firm Reports about Impending Doom

October 29, 2019

Identity intelligence firm 4iQ summarizes the results of recent research in the write-up, “Identity Protection & Data Breach Survey.” They polled 2,300 participants regarding data breaches and identity protection issues. You can see a slide show of the results here that presents the results in graph-form.

Researchers found that fewer than half the respondents had been notified they were victims of a breach. Most of them were offered identity protections services as a result, but about half of those felt that fell short of adequately addressing the problem. We also learn:

“*Nearly 40% of respondents believe they have already suffered identity theft and more than half of respondents, 55%, believe that it’s likely their personally identifiable information (PII) is already in the hands of criminals. As a result, 62% of respondents are concerned that their PII could be used by someone to commit fraud.

*More than half, 52%, of respondents said they would expect their own online security error to negatively or very negatively affect their standing with their employer—an additional stress for working Americans—so it’s not surprising then, that 60% of respondents believe there’s a ‘blame-the-victim’ problem with cybercrime.

*A strong majority, 63%, are concerned that prior breaches could lead to future identity fraud, and 37% believe they have already been a victim of fraud as a result of a cybercrime incident.”

As for protecting personal identifiable information, 75% feel their employers are doing a fair to excellent job, but only 42% feel the government is do so effectively. They feel even less confident about their personal efforts, however, with only 15% calling themselves “very effective” (23% rated their employers as “very effective”).

On that last point, 4iQ states it demonstrates that “everyday consumers may feel unprepared to contend with the threats presented by cybercrime,” which is not surprising from a company that sells solutions to that problem. We know there are free and low-cost measures individuals can take to boost their own security, but some will be willing to pay for extra reassurance on top of those precautions. Based in Los Altos, California, 4iQ was founded in 2016.

Cynthia Murrell, October 29, 2019

Security Industry Blind Spot: Homogeneity

October 24, 2019

Push aside the mewlings about Facebook. Ignore Google’s efforts to quash employee meetings about unionization. Sidestep the phrase “intelligent cloud revenue.”

An possibly more significant item appeared in “Information Security Industry at Risk from Lack of Diversity.” The write up states:

The Chartered Institute of Information Security (CIISec) finds that 89 percent of respondents to its survey are male, and 89 percent over 35, suggesting the profession is still very much in the hands of older men.

Furthermore, the security industry is wallowing in venture funding. That easy money has translated into a welter of security solutions. At cyber security conferences, one can license smart monitoring, intelligent and proactive systems, and automated responses.

The problem is that this security country club may be fooling itself and its customers.

The write up quotes from the CIISec report, presenting this segment:

“If the industry starts to attract a more diverse range of people whilst spreading awareness of the opportunity available, we could be well on the way to truly modernizing the industry,” adds Finch. “Key to all this will be both organizations and individuals having a framework that can show exactly what skills are necessary to fulfill what roles. This will not only help hire the right people. It will also mean that it the routes to progress through an individual’s career are clearly marked, ensuring that individuals who enthusiastically join the industry don’t over time become jaded or burn out due to a lack of opportunity.”

Partially correct opines DarkCyber. The security offered is a me-too approach. Companies find themselves struggling to implement and make use of today’s solutions. The result? Less security and vendors who talk security but deliver confusion.

Meanwhile those bad actors continue to diversify, gain state support, and exploit what are at the end of a long day, vulnerable organizational systems.

Stephen E Arnold, October 24, 2019

NordVPN: An Insecure Security Service?

October 22, 2019

In 2016, one of the DarkCyber research team signed up for NordVPN. We wanted to test several of the companies offering enhanced security products. After filling out the form in April 2016, the service did not activate. We heard from a person calling herself “Christina.” She was a floundering professional. We explained the misfire. The we heard from Zack in 2017 who wanted us to renew the service which was not available to the DarkCyber professionals. We concluded that NordVPN was more trouble than it was worth, and the company could take money via a credit card, fail to deliver the service, yet spam DarkCyber for a renewal. Now that’s more than foundering. That’s either clumsy, misguided, or what the Wall Street crowd calls Black Edge behavior.

We thought about Christine and Zack when we read “NordVPN Confirms It Was Hacked.” If the write up is accurate, the security company NordVPN is not completely secure. The write up reports:

NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked. The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

We are fascinated with VPN services. Some are free and some like NordVPN seem to collect money and leave their systems vulnerable.

What’s our recommendation? DarkCyber thinks ignoring NordVPN might be a pre-installation step to consider.

Oh, Christine, when you take money, you should deliver the product. And, Zack, no, DarkCyber will not renew.

Why?

Read the articles about NordVPN finding itself which may be the digital equivalent of a security soup from a questionable cafeteria.

Stephen E Arnold, October 22, 2019

Supremely Secure?

October 19, 2019

Suprema is a South Korean security company that specializes in cyber security. One of Suprema’s products are a line of fingerprint readers. The BBC reports that the company was hacked, “Biostar 2: Suprema Plays Down Fingerprint Leak Report.” A cyber security research group hacked Suprema’s Biostar 2, accessed customer information, then alerted Suprema to the leak.

The cyber security research group’s action was benign, but it did point to a flaw in the system and Suprema was not happy. Suprema assured their clients that none of the information was breached and that the amount of customers affected was very small. A South Korean police force was worried they were among the potential victims, but apparently no biometrics systems were exposed.

“The dispute over how big the leak was can be explained by the fact the researchers say they did not, for ethical reasons, attempt to download all the fingerprint files.Rather, they had taken “hundreds” of samples of data, said Mr Rotem. And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset. They then used Suprema’s software to convert about half a dozen examples into visible fingerprint patterns. From this, they estimated the dataset contained “at least over a million” fingerprint patterns in total. “We have evidence that biometric data was leaked,” Mr Rotem told BBC News.”

The actual data sets were not downloaded due to ethnical reasons. The research team actually did Suprema a favor by pointing out the crack before bad actors access the system, but Suprema would have preferred that one of their system regulators had discovered the issue. It should not matter who found the leak, because customers were at stake. Suprema sells security, but does not practice it.

Whitney Grace, October 19, 2019

Next Page »

  • Archives

  • Recent Posts

  • Meta