Follina, Follina, Making Microsofties Cry

June 6, 2022

I read “China-Backed Hackers Are Exploiting Unpatched Microsoft Zero-Day.” According to the estimable Yahoo News outfit:

China-backed hackers are exploiting an unpatched Microsoft Office zero-day vulnerability, known as “Follina”, to execute malicious code remotely on Windows systems…. The flaw, which affects 41 Microsoft products including Windows 11 and Office 365, works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts.

Ah, ha, Windows 11. The trusted protection thing? Yeah, well. The write up added some helpful time information:

The Follina zero-day was initially reported to Microsoft on April 12, after Word documents – which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview – were found abusing the flaw in the wild. However, Shadow Chaser Group’s crazyman, the researcher who first reported the zero-day, said Microsoft initially tagged the flaw as not a “security-related issue”. The tech giant later informed the researcher that the “issue has been fixed,” but a patch does not appear to be available.
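The “works without macros” part is what matters for triage. Public analyses of Follina (tracked as CVE-2022-30190) describe a Word document whose relationship part points at an external HTML resource, and that HTML invokes the ms-msdt: URL scheme to pass a crafted string to the Microsoft Support Diagnostic Tool. The check below is an added example written for this post, not code from the cited article or from Microsoft; it unzips a .docx, flags external relationships other than ordinary hyperlinks, and greps every part for the ms-msdt: scheme. The sample document is constructed in memory and example.invalid is a placeholder host, not a real indicator.

```python
"""Triage check for Follina-style .docx files (added example, not from the
article or Microsoft). Constructed samples; example.invalid is a placeholder."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return findings for a .docx given as bytes.

    Flags (a) relationships with TargetMode="External" that are not plain
    hyperlinks, because an OLE object loaded from a URL fetches attacker
    content when the document is opened, and (b) any part that references
    the ms-msdt: scheme. Plain hyperlinks are common and are skipped, which
    keeps false positives down on ordinary documents.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(content)
                for rel in root.iter("{%s}Relationship" % REL_NS):
                    external = rel.get("TargetMode", "").lower() == "external"
                    if external and rel.get("Type") != HYPERLINK_TYPE:
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings.append("%s: external %s -> %s" % (name, kind, rel.get("Target")))
            if MSDT_RE.search(content):
                findings.append("%s: references the ms-msdt: URL scheme" % name)
    return findings


def build_sample_docx(rel_type: str, target: str, external: bool) -> bytes:
    """Construct a minimal .docx in memory carrying a single relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
            '</Relationships>' % (REL_NS, rel_type, target, mode))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: an external OLE relationship (the Follina trait) and a
# benign document whose only external relationship is a normal hyperlink.
SUSPICIOUS = build_sample_docx(OLE_TYPE, "http://example.invalid/payload.html", True)
BENIGN = build_sample_docx(HYPERLINK_TYPE, "https://example.invalid/", True)

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_docx(blob) or "clean")
```

Run it over a mail-gateway quarantine folder and the external OLE relationship is the signal to act on; a hit on ms-msdt: inside the document itself is rarer, since the scheme usually lives in the remote HTML, so the external relationship check is the one that catches the in-the-wild samples.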

Bob Dylan’s song makes this latest security issue easy to remember:

Follina, Follina
Girl, you’re on my mind
I’m a-sittin down thinkin of you
I just can’t keep from crying

Big sobs, not sniffles.

Stephen E Arnold, June 6, 2022

Netgear: A Pioneer in What Might Be Called Baked In Insecurity

May 31, 2022

Computer security is an essential component for anyone using the Internet, because hackers target companies and individuals with scams and ransomware as well as steal personal information and intellectual property. As remote work becomes more common, the need for enhanced digital security increases. Companies that build hardware and software for Internet access are challenged to build robust and secure products. They also stand behind their products’ quality, but in a recent case networking equipment manufacturer Netgear admitted a flaw. Forbes reports the details in, “Netgear Says It Can’t Fix Multiple Vulnerabilities On Two Of Its Routers For Homeworkers.”

Netgear described the BR200 and BR500 models as secure routers for at-home workers connecting to their corporate networks. Unfortunately, these routers have exploitable security vulnerabilities and they cannot be fixed. Netgear will replace the defective models with a free or discounted router. The problem is minuscule, but all it takes is one crack to bring down a dam:

“The vulnerability of these two routers means there could be a security breach if a user is visiting a suspicious website and clicking on a malicious link while they have the router’s built-in web interface for adjusting the router’s settings. Frankly, that’s pretty unlikely to happen but with computer security, no matter how minuscule the threat might be, it must be taken seriously. The hacker only has to get lucky once.”

It is wonderful that Netgear admitted the mistake and is working with its customers to resolve the issue. Netgear also released a list of precautions BR200 and BR500 owners could use to prevent the hack if they wish to keep the router.
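The scenario Forbes describes, a page on another site making the user’s browser send a settings change to the router’s management interface while the user is logged in, is cross-site request forgery. As an added illustration (not Netgear’s code, and not a description of the actual BR200/BR500 flaw), here is a deliberately weak settings handler that trusts the login session alone, next to a hardened one that also checks the request’s origin and a per-session anti-CSRF token. The router address, session and request objects and the form field names are assumptions for the example.

```python
"""Weak versus hardened router settings handler (added example, not Netgear
code). ROUTER_ORIGIN, Session, Request and the form fields are assumed."""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed management address


@dataclass
class Session:
    user: str
    csrf_token: str = ""


@dataclass
class Request:
    method: str
    headers: dict   # e.g. {"Origin": ..., "Referer": ...}
    form: dict      # parsed POST body


def new_session(user: str) -> Session:
    # One random token per session; every state change must echo it back.
    return Session(user=user, csrf_token=secrets.token_urlsafe(32))


def same_origin(url: str) -> bool:
    # Compare scheme and host:port exactly; a startswith() check would
    # accept http://192.168.1.10 as well.
    want = urlsplit(ROUTER_ORIGIN)
    got = urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def apply_settings_weak(req: Request, session: Session) -> bool:
    """Vulnerable: any POST that arrives with the session cookie is applied."""
    if req.method != "POST" or session is None:
        return False
    return "dns_server" in req.form  # pretend the change was applied


def apply_settings_hardened(req: Request, session: Session) -> bool:
    """Rejects forged requests with two independent checks."""
    if req.method != "POST" or session is None:
        return False
    # 1. Browsers attach Origin (or at least Referer) to cross-site POSTs.
    #    Fail closed when neither matches the router's own origin.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not source or not same_origin(source):
        return False
    # 2. The form must carry the session's anti-CSRF token. A page on another
    #    origin cannot read it, so it cannot build a valid request.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False
    return "dns_server" in req.form


# Constructed requests: a legitimate change submitted from the router's UI,
# and a forged one fired from a page on another site while logged in.
SESSION = new_session("admin")
LEGIT = Request("POST", {"Origin": ROUTER_ORIGIN},
                {"dns_server": "9.9.9.9", "csrf_token": SESSION.csrf_token})
FORGED = Request("POST", {"Origin": "http://attacker.invalid"},
                 {"dns_server": "203.0.113.5"})

if __name__ == "__main__":
    print("weak accepts forged:", apply_settings_weak(FORGED, SESSION))
    print("hardened accepts forged:", apply_settings_hardened(FORGED, SESSION))
    print("hardened accepts legit:", apply_settings_hardened(LEGIT, SESSION))
```

The origin check alone is not enough, since some clients strip Referer and very old ones omit Origin, and the token alone is not enough if the interface ever reflects it into a page an attacker can read; together they cover each other, which is why both are present. Netgear’s own precautions list amounts to the user-side version of the same idea: do not browse elsewhere while logged in to the router.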

We wish more companies would own up to mistakes like Netgear. Politicians could certainly learn a thing or two from Netgear. Could Microsoft garner a fresh insight? Maybe?

Whitney Grace, May 31, 2022

DuckDuckGo: A Duck May Be Plucked

May 25, 2022

Metasearch engines are not understood by most Internet users. Here’s my simplified take: A company thinks it can add value to the results output from an ad-supported search engine. Maybe the search engine is a for-fee outfit? Either way, the metasearch system gets the okay to send queries and get results. The results stream back to the metasearch outfit and the value-adding takes place.

One of the better metasearch systems was the pre-IBM Vivisimo. This outfit sent out queries to an ad-supported search engine, accepted the results, and then clustered them. The results appeared to the Vivisimo user as a results list with some folders in a panel. The idea was that the user could scan the folders and the results list. The user could decide to click on a folder and see what results it contained or just click on a link. The magic, as I understood it, was that the clustering took place in near real time. Plus, the query on the original Vivisimo pre-IBM system could send the user’s query to multiple Web search engines. The results from each search system would be de-duplicated. An interesting factoid from the 2000s is that search systems returned overlapping results 70 percent or more of the time. Dumping the duplicates was helpful. There were other interesting metasearch systems as well, but I am just using Vivisimo as an example of a pretty good one.

Privacy, like security, is a tricky concept to explain.

Using privacy to sell a free Web search system raises a number of questions; for example:

  1. What’s privacy in the specific context of the metasearch engine mean?
  2. Where is the money coming from to keep the lights on at the metasearch outfit?
  3. What about log files?
  4. What about legal orders to reveal data about users?
  5. What’s the quid pro quo with the search engine or engines whose results the metasearch system uses?
  6. What part of the search chain captures data, inserts trackers, bugs, cookies, etc. into the user’s query?

None of these questions catch the attention of the real news folks, nor do most users know what answering them would require. The metasearch engines typically do not become chatty Cathies when someone like me shows up to gather information about metasearch systems. I recall the nervousness of the New York City wizard who cooked up Ixquick and the evasiveness of the owner of the Millionshort service.

Now we come to the notion that a duck can be plucked. My hunch is that plucking a duck is a messy affair for both duck and duck plucker.

“DuckDuckGo Browser Allows Microsoft Trackers Due to Search Agreement” presents information which appears to suggest that the “privacy” oriented DuckDuckGo metasearch system is not so private as some believed. The cited article states:

The privacy-focused DuckDuckGo browser purposely allows Microsoft trackers on third-party sites due to an agreement in their syndicated search content contract between the two companies.

You can read the cited article to get more insight into the assertion that DuckDuckGo has been plucked in the feathered hole of privacy.

Am I surprised? No. Search is without a doubt one of the most remarkable business segments for soft fraud. How do I know? My partners and I created The Point in 1994, and even though you don’t remember it, I sure remember what I learned about finding information online. Lycos (CMGI) bought our curated search business, and I wrote several books about search. You know what? No one wants to think about search and soft fraud. Maybe more people should?

Net net: Free comes at a cost. One does not know what one does not know.

Stephen E Arnold, May 25, 2022

True or False: Google and Dangerous Functionality

May 13, 2022

I want to be clear: I cannot determine if security-related announcements are PR emissions, legitimate items of data, or clickbait craziness. I am on the fence about the information in “Google Cloud Apparently Has a Security Issue Even Firewalls Can’t Stop.”

The write up presents as real news:

A misconfiguration in Google Cloud Platform has been found which could give threat actors full control over a target virtual machine (VM) endpoint

These virtual machines are important cogs in some bad actors’ machinery. Sure, legitimate outfits rely on the Google for important work as well. Therefore, the announcement points some bad actors toward a new opportunity to poke around and outfits engaged in ethically informed activities to batten down their digital hatches.

The write up points out that the Google agreed that “misconfiguration could bypass firewall settings.”

And the Google, being Googley, semi-agrees. Does this mean that the Google Cloud is just semi-vulnerable?

Stephen E Arnold, May 13, 2022

Ethical Behavior and the Ivy League: Redefinition by Example

April 5, 2022

First, MIT and its dalliance with the sophisticated Jeffrey Epstein. Then there was Harvard and its indifference to an allegation of improper interpersonal behavior. Sordid details abound in this allegedly accurate report. Now Yale. The bastion of “the dog”, the football game, Skull and Bones, etc., etc.

“A Former Yale Employee Admits She Stole $40 Million in Electronics from the University” makes clear that auditing, resource management, and personnel supervision are not the esteemed institution’s greatest strengths.

I gave a talk at Yale a decade ago. The subject was Google, sparked because one of the Yale brain trust found my analysis interesting. Strange, I thought, at the time. No one else cares about my research about Google’s systems and methods. I showed up and was greeted as though I was one of the gang. (I wasn’t.)

At dinner someone asked me, “Where did you get your PhD?” I replied with my standard line: “I don’t have a PhD. I quit to take a job at Halliburton Nuclear.” As you might imagine, the others at the dinner were not impressed.

I gave my lecture and no one — absolutely none of the 100 people in the room — asked a question. No big deal. I am familiar with the impact some of my work has elicited. One investment banker big wheel threw an empty Diet Pepsi can at me after I explained how the technology of CrossZ (a non US analytics company) preceded in invention the outfit the banker had just pumped millions into. Ignorance is bliss. Same at Yale during and after my lecture.

Has Yale changed? Seems to be remarkably consistent: Detached from the actions of mere humans, convinced of a particular world view, and into the zeitgeist of being of Yale.

But $40 million?

An ethical wake up call? Nope, hit the snooze button.

Stephen E Arnold, April 5, 2022

Microsoft Help Files: Truly Helpful?

March 28, 2022

We are approaching April Fools’ Day. One company reliably provides a clever way to make me laugh. CHM? Do you know what the acronym means? No. It is a shorthand way to say Compiled HTML Help file. CHH becomes CHM. Makes perfect sense to a Softie.

The tickled ribs result from bad actors using CHM files to deliver malware. You can read the explanation and inspiration for bad actors in “Microsoft Help Files Disguise Vidar Malware.”

The write up states:

… the .ISO file contains a .CHM file named “pss10r.chm.” Towards the end of the file’s code is a snippet of HTML application (HTA) code containing JavaScript that covertly triggers a second file, “app.exe.” This is, in fact, Vidar malware. “One of the objects unpacked from the .CHM is the HTML file ‘PSSXMicrosoftSupportServices_HP05221271.htm’ — the primary object that gets loaded once the CHM pss10r.chm is opened,” according to the Trustwave writeup. “This HTML has a button object which automatically triggers the silent re-execution of the .CHM “pss10r.chm” with mshta.” Mshta is a Windows binary used for executing HTA files.

With the preliminaries out of the way the malware payload downloads, does some house cleaning, and phones home.
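That chain is detectable without knowing anything about Vidar itself. Opening a .chm launches hh.exe, the HTML Help viewer; the quoted write up says the embedded HTA then has mshta.exe re-execute the .chm, and the payload executable follows. The detector below, an added example and not Trustwave’s or the article’s code, walks process-creation telemetry and flags mshta.exe launched by hh.exe, plus anything descended from that pair. The JSON-lines events, paths and PIDs are constructed; the field names imitate Sysmon-style process-creation records but are an assumption.

```python
"""Detect hh.exe -> mshta.exe -> payload chains in process telemetry (added
example, not from Trustwave or the article; constructed sample events)."""
import json

# Constructed JSON lines: a benign hh.exe session (pid 300) and the
# malicious chain explorer -> hh.exe -> mshta.exe -> app.exe.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 300, "ppid": 100, "image": "C:\\Windows\\hh.exe", "cmdline": "hh.exe C:\\Docs\\manual.chm"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\hh.exe", "cmdline": "hh.exe D:\\pss10r.chm"}
{"pid": 210, "ppid": 200, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe D:\\pss10r.chm"}
{"pid": 220, "ppid": 210, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\app.exe", "cmdline": "app.exe"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """Image names of parent, grandparent, ... (stops on unknown PID or loop)."""
    names, seen, pid = [], set(), event["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]
        names.append(basename(parent["image"]))
        pid = parent["ppid"]
    return names


def detect_chm_hta_chains(events):
    """Return (pid, image, reason) for every process in a hh.exe/mshta chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        me = basename(e["image"])
        parents = ancestry(e, by_pid)
        if me == "mshta.exe" and parents[:1] == ["hh.exe"]:
            alerts.append((e["pid"], me, "mshta.exe spawned directly by hh.exe"))
        elif "mshta.exe" in parents and "hh.exe" in parents:
            alerts.append((e["pid"], me, "descendant of hh.exe -> mshta.exe"))
    return alerts


if __name__ == "__main__":
    for alert in detect_chm_hta_chains(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The rule keys on the parent relationship rather than on file names, so renaming pss10r.chm or app.exe does not help the attacker; the cost is that a legitimately opened help file that happens to spawn mshta.exe would also fire, which in practice is rare enough to investigate every time. Note that the PID-to-parent map assumes PIDs are not reused within the window of events examined, which holds for short windows but not for day-long logs.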

Microsoft, the go to solution for compromising security? Maybe. And what about Defender? What about the super smart cyber security systems from big name vendors? Yeah, how about those defenses?

Now we know there is one thing worse than the informational content of Microsoft help files.

Want to guess?

The Register reports that “Microsoft Azure developers targeted by 200 data stealing npm packages.” Not familiar with npm? NPM is a software registry and contains well over a million code packages. Some open source developers use npm to share software. What if an npm code package has been modified so that malicious actions are included?
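The packages The Register describes worked by imitation: names that look like a legitimate scoped package, published without the scope so a careless install pulls the impostor. A pre-install check against an allow-list catches the simple cases. The code below is an added example, not anything from The Register or npm; the @azure/* names in the allow-list are real packages but the list itself is illustrative, and the candidate names are constructed.

```python
"""Allow-list check for npm-style package names that imitate scoped packages
(added example; TRUSTED and the candidates are constructed for illustration)."""

# Assumed allow-list for one project. The names are real packages, but a real
# allow-list is generated from the lock file, not typed by hand.
TRUSTED = {"@azure/core-http", "@azure/identity", "@azure/storage-blob"}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_scope(name):
    """'@scope/pkg' -> ('scope', 'pkg'); unscoped 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        scope, bare = name[1:].split("/", 1)
        return scope, bare
    return None, name


def classify(candidate, trusted=TRUSTED):
    """Return None when the name is trusted, otherwise a reason to stop."""
    if candidate in trusted:
        return None
    c_scope, c_bare = split_scope(candidate)
    for t in sorted(trusted):
        t_scope, t_bare = split_scope(t)
        # The pattern from the article: same name, scope dropped.
        if c_scope is None and c_bare == t_bare:
            return "unscoped copy of %s" % t
        # Scope folded into the bare name, e.g. azure-core-http.
        folded = ("%s-%s" % (t_scope, t_bare), "%s_%s" % (t_scope, t_bare))
        if c_scope is None and c_bare in folded:
            return "scope folded into name, imitates %s" % t
        # Same scope, one or two characters off: a classic typosquat.
        if c_scope == t_scope and 0 < levenshtein(c_bare, t_bare) <= 2:
            return "near miss of %s" % t
    return "not in allow-list"


def audit(candidates, trusted=TRUSTED):
    """Map each candidate that is not trusted to its reason."""
    return {c: classify(c, trusted) for c in candidates if classify(c, trusted)}


if __name__ == "__main__":
    # Constructed candidates: the three imitation patterns plus one unknown.
    for name, why in audit(["core-http", "azure-core-http", "@azure/identify",
                            "@azure/identity", "lodash"]).items():
        print("%-20s %s" % (name, why))
```

An allow-list derived from the lock file is the stronger control; the similarity heuristics are there for the review step when a developer adds something new, which is exactly when an imitation name is most likely to slip through.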
Stephen E Arnold, March 28, 2022

Amazon: Insider Threats at the Online Bookstore

February 22, 2022

When I mention that insider threats are a big deal for organizations, some people roll their eyes. Executives want to hear that smart software, equipped with real time threat intelligence, and adaptive perimeter devices eliminate most security threats.

Yeah, but not in my experience. Most people don’t realize how desperate some people are for money or attention. One of those oddball posts in a free news service said that in the US up to two thirds of the working class have no savings. Big earners don’t need money, or that’s what many people think.

Quick example: Years ago I worked for a big time financial executive at a then super big time financial services firm. When he and I went to lunch, he would ask me to pick up the tab. He explained that he could expense me more easily than shove more charges into his company expense report. I asked how that was possible. The person made more than $1 million per year excluding the new year bonus. The answer was instructive.

I noted these points:

  • The need for a New York Athletic Club membership. His employer wanted him to go to Crunch.
  • The need for three country club memberships. The company paid for one.
  • The need for three nannies because his wife worked long hours and the children required attention because the pride numbered three.
  • The need for a car service. The company only paid for rides from the Manhattan office to his home when he worked after 7 pm. He needed more flexible car service.
  • Mortgage payments sucked up cash for the big house in a state bordering New York and a weekend getaway in Florida.
  • His desire to invest in hot growth companies.
  • Miscellaneous expenses like personal auto leases, sneakers, and private schools for his pride or future influencers.

I have not forgotten about the other six deadly sins nor the simple desire to make more money to outdo one’s MBA classmates. Nor have I forgotten the power of carnal desire and the unreasonable effectiveness of honey traps, old Facebook posts, or leaked email.

Against this backdrop think about the information in this allegedly true story: “Former Amazon Employee Sentenced to 10 Months in Prison for Involvement in Bribery Scheme.” The write up reports:

Kadimisetty is one of six individuals who the U.S. Department of Justice charged with conspiracy for allegedly bribing Amazon employees to gain an “upper hand” over other sellers on Amazon’s online marketplace. In addition to Kadimisetty, the group of individuals included seller consultant Ed Rosenberg, Joseph Nilsen, Kristen Leccese, Hadis Nuhanovic and Nishad Kunju, who was employed by Amazon in India until 2018. Between late 2017 and 2020, these people allegedly bribed Amazon employees to leak information about the company’s search and ranking algorithms, as well as share confidential data on third-party sellers they competed with on the marketplace. [emphasis added]

Insiders? Yep. Friends of insiders? Maybe? Do automated smart cyber systems identify these individuals? Sure, in marketing presentations. In real life? Well… Companies are big and management is tough. When images surfaced of a malfunction which allowed an F-35 to fall off the deck of an aircraft carrier, the message was that’s the way things are. Sure.

Stephen E Arnold, February 22, 2022

Microsoft: Engineering Insecurity

February 11, 2022

I read the happy words in “Former Amazon Exec Inherits Microsoft’s Complex Cybersecurity Legacy in Quest to Solve ‘One of the Greatest Challenges of our Time.’”

Bringing together existing groups from across the company, the new organization numbers 10,000 people including existing and open positions, representing more than 5% of the tech giant’s nearly 200,000 employees.

Microsoft has 200,000 employees and 10,000 of them are working to deal with the “greatest challenge” of our time. How many might be willing to share information with bad actors for cash? How many might make a coding error, plan to go back and fix it, and then forget? How many are working to deal with the security issues which keep Steve Gibson chortling when he explains a problem for a listener to the Security Now podcast?

Now that macros have been disabled, a massive security issue has been addressed. Quick action which took more than two decades to wrestle to the ground. Plus, there’s the change in what one can permit Defender to defend. This is an outstanding move for those who locate and test specialized service software. Helpful? Well, sort of.

But the big things to me are update processes, Exchange, and the MSFT fluggy clouds. For me, no answers yet.

Some of the security issues are unknown unknowns. I am not sure there is a solution, but a former Amazon executive is on a quest just like those described by the noted futurist Miguel de Cervantes Saavedra who described the antics of an individual with certain firmly held ideas about windmills.

Stephen E Arnold, February 11, 2022

Insider Threats: Still a Useful Mechanism for Bad Actors

January 27, 2022

I read “Ransomware Gangs Increase Efforts to Enlist Insiders for Attacks.” I am not down with the notion of “increase efforts.” Identifying individuals who will provide user names, passwords, or facile fingers to slip a malware loaded USB key into a computer connected to an organization’s network has been a go-to method for a long, long time.

The write up states:

The survey was conducted by Hitachi ID, which performed a similar study in November 2021. Compared to the previous survey, there has been a 17% rise in the number of employees offered money to aid in ransomware attacks against their employer. Most specifically, 65% of the survey respondents say that they or their employees were approached between December 7, 2021, and January 4, 2022, to help hackers establish initial access.

The factoid in the magic-with-statistics write up is that a lot of individuals report brushes with the insider ploy. What’s important to remember is that an insider can come from several different pools of people:

  1. There are disaffected employees who can be identified and then interviewed for a bogus news service or for a consulting job. A skilled contact working with an annoyed employee can often extract what might be termed a mother lode of useful information, including details about security, access, and other disaffected employees who want to put it to the “man” or “woman” who ruined a perfectly good morning of reading online news.
  2. Clueless former employees who respond to a LinkedIn-type job posting or an engaging individual in what sure looks like a chance encounter. Some individuals need or love money, and the engaging individual can buy or solicit security information from the CFE (clueless former employee).
  3. Happy current employees who find themselves confronted with a person who has information about a past indiscretion memorialized on Instagram, Meta, or TikTok. Maybe the current happy employee has forgotten text and images sent to an individual with some interesting preferences or behaviors. Blackmail? Well, more like leveraging TikTok-type data to identify and screen potential targets.
  4. Contractors — those faceless, often nameless individuals — who have to eat in their cube, not the two-star real employee cafeteria. Contractors can be hired and one can interact with these professionals. It is possible that these individuals can provide the keys to the kingdom so to speak without knowing the treasures unlocked with what seems to be casual conversation.
  5. Children of employees can be asked to give mom or dad a USB. The unwitting employee slams the key into the slot unaware that it has been weaponized. Who asks kids? A skilled operative can present herself as a colleague at the front door, explain this was your mom or dad’s memory stick, and ask the young person to hand it over to the parent. (If this method works, bingo. If it fails, another approach can be made. Wearing Covid masks and dressing in normcore gray with a worn ball cap can help too.)

Why am I identifying pools of insiders? Most of the cyber security firms do not have systems which cover these points of insider vulnerability. Do some of the firms purport to have these bases covered?

Of course.

That’s the point. The customer won’t know until it is too late. Predictive analytics and cyber threat intelligence struggle in certain situations. Insiders are one such example.

Stephen E Arnold, January 27, 2022

Windows 11: Loved and Wanted? Sure As Long As No One Thinks about MSFT Security Challenges

January 10, 2022

I hold the opinion that the release of Windows 11 was a red herring. How does one get the tech pundits, podcasters, and bloggers to write about something other than SolarWinds, Exchange, etc.? The answer from my point of view was to release the mostly odd Windows 10 refresh.

Few in my circle agreed with me. One of my team installed Windows 11 on one of our machines and exclaimed, “I’m feeling it.” Okay, I’m not. No Android app support, round corners, and like it, dude, you must use Google Chrome, err, I mean Credge.

I read “Only 0.21%, Almost No One Wants to Upgrade Windows 11.” Sure, the headline is confusing, but let’s look at the data. I believe everything backed by statistical procedures practiced by an art history major whose previous work experience includes taking orders at Five Guys.

The write up states:

According to the latest research by IT asset management company Lansweeper, although Windows 10 users can update to Windows 11 for free, currently only 0.21% of PC users are running Windows 11.

I am not sure what this follow on construction means:

At present, Windows 11 is very good. Probably the operating system with the least proportion.

I think the idea is that people are not turning cartwheels over Windows 11. Wasn’t Windows 10 supposed to be the last version of Windows?

I am going to stick with my hypothesis that Windows 11 was pushed out the door, surprising Windows experts with allegedly “insider knowledge” about what Microsoft was going to do. The objective was to deflect attention from Microsoft’s significant security challenges.

Those challenges have been made a little more significant with Bleeping Computer’s report “Microsoft Code Sign Check Bypassed to Drop Zloader.”

Is it time for Windows 12, removing Paint, and charging extra for Notepad?
Stephen E Arnold, January 10, 2022
