Thinking about Security: Before and Earlier, Not After and Later

September 30, 2020

Many factors stand in the way of trustworthy AI, not the least of which is the involvement of those for whom a raise, a bonus, or a promotion is involved. Then there is the thorny issue of bias built into machine learning. InformationWeek, however, looks at a few more straightforward threats in its article, “Dark Side of AI: How to Make Artificial Intelligence Trustworthy.”

Gartner VP and analyst Avivah Litan notes that, though AI is becoming more mainstream, security and privacy considerations still keep many companies away. They are right to be concerned—according to Garnter’s research, consumers believe responsibility lies with organizations that adopt AI technology, not the developers or vendors behind it. Litan describes two common ways bad actors attack AI systems: malicious inputs and query attacks. She writes:

“Malicious inputs to AI models can come in the form of adversarial AI, manipulated digital inputs or malicious physical inputs. Adversarial AI may come in the form of socially engineering humans using an AI-generated voice, which can be used for any type of crime and considered a ‘new’ form of phishing. For example, in March of last year, criminals used AI synthetic voice to impersonate a CEO’s voice and demand a fraudulent transfer of $243,000 to their own accounts….“Query attacks involve criminals sending queries to organizations’ AI models to figure out how it’s working and may come in the form of a black box or white box. Specifically, a black box query attack determines the uncommon, perturbated inputs to use for a desired output, such as financial gain or avoiding detection. Some academics have been able to fool leading translation models by manipulating the output, resulting in an incorrect translation. A white box query attack regenerates a training dataset to reproduce a similar model, which might result in valuable data being stolen. An example of such was when a voice recognition vendor fell victim to a new, foreign vendor counterfeiting their technology and then selling it, which resulted in the foreign vendor being able to capture market share based on stolen IP.”

Litan emphasizes it is important organizations get ahead of security concerns. Not only will building in security measures at the outset thwart costly and embarrassing attacks, it is also less expensive than trying to tack them on later. She recommends three specific measures: conduct a threat assessment and carefully control access to and monitoring of training data/ models; add AI-specific aspects to the standard software development life cycle (SDLC) controls; and protect and maintain data repositories to prevent data poisoning. See the article for elaboration of each of these points.

Cynthia Murrell, September 30, 2020

TikTok Ticks Along

September 18, 2020

US President Donald Trump allegedly banned Americans from using TikTok, because of potential information leaks to China. In an ironic twist, The Intercept explains “Leaked Documents Reveal What TikTok Shares With Authorities—In The U.S.” It is not a secret in the United States that social media platforms from TikTok to Facebook collect user data as ways to spy and sell products.

While the US monitors its citizens, it does not take the same censorship measures as China does with its people. It is alarming the amount of data TikTok gathers for the Chinese, but leaked documents show that the US also accesses that data. Data privacy has been a controversial topic for years within the United States and experts argue that TikTok collects the same type of information as Google, Amazon, and Facebook. The documents reveal that ByteDance, TikTok’s parent company, the FBI, and Department of Homeland Security monitored the platform.

Law enforcement officials use TikTok as a means to monitor social unrest related to the death of George Floyd. Floyd suffocated when a police officer cut off his oxygen attempting to restrain him during arrest. TikTok users post videos about Black Lives Matter, police protests, tips for disarming law enforcement, and even jokes about the US’s current upheaval. TikTok’s user agreement says it collects information and will share it with third parties. The third parties include law enforcement if TikTok feels there is an imminent danger.

TikTok, however, also censors videos, particularly those the Chinese government dislikes. These videos include political views, the Hong Kong protests, Uyghur internment camps, and people considered poor, disabled, or ugly.

Trump might try to make the US appear as the better country, but:

““The common concern, whether we’re talking about TikTok or Huawei, isn’t the intentions of that company necessarily but the framework within which it operates,” said Elsa Kania, an expert on Chinese technology at the Center for a New American Security. “You could criticize American companies for having an opaque relationship to the U.S. government, but there definitely is a different character to the ecosystem.” At the same time, she added, the Trump administration’s actions, including a handling of Portland protests that brought to mind the police crackdown in Hong Kong, have undercut official critiques of Chinese practices: “At a moment when we’re seeing attempts by the administration to draw a contrast in terms of values and ideology with China, these eerie parallels that keep recurring do really undermine that.”

Where is the matter now? We will have to ask an oracle.

Whitney Grace, September 18, 2020

VPN Usage: Just Slightly Unbelievable Data

September 15, 2020

How about virtual private networks? What about those free VPNs? How effective are specialized VPNs which bond two or more Internet connections?

Interesting questions.

VPN Usage Now Makes Up Almost All Enterprise Traffic” does not answer these questions, but the write up reports about a study which offers some interesting and, to DarkCyber, slightly unbelievable data; for example:

  • VPN usage has gone from 10 or 15% of enterprise traffic to maybe 95%
  • Bad actor attacks on VPNs have “increased dramatically,” although no data are offered
  • Three-quarters of desktop devices (77%) have adequate antivirus or cybersecurity software installed, falling some way short of total protection
  • 17% of laptops supplied by UK employers also lacked security software.

There is nothing like survey data without information about who, how, and data analysis methods.

Microsoft wants to make its “defender” system a service one cannot turn off or uninstall. If this occurs, how will the research data be affected?

Questions? Just more questions?

Stephen E Arnold, September 15, 020

Oh, Oh, Millennials Want Their Words and Services Enhanced. Okay, Done!

September 9, 2020

A couple of amusing items caught my attention this morning. The first is Amazon’s alleged demand that a Silicon Valley real news outlet modify its word choice.

image

The Bezos bulldozer affects the social environment. The trillion horsepower Prime machine wants to make sure that its low cost gizmos are not identified with surveillance. Why is that? Perhaps because their inclusion of microphones, arrays, and assorted software designed to deal with voices in far corners performs surveillance? DarkCyber does not know. The solution? Amazon = surveillance. Now any word will do, right?

The second item is mentioned in “Microsoft Confirms Why Windows Defender Can’t Be Disabled via Registry.” The idea is that Microsoft’s system is now becoming Bob’s mom. You remember Bob, don’t you. User controls? Ho ho ho.

The third item is a rib tickler. You worry about censorship for text and videos, don’t you. Now you can worry about Google’s new user centric ability to filter your phone calls. That’s a howler. What if the call is from a person taking Google to court? Filtered. This benefits everyone. You can get the allegedly full story in “Google New Verified Calls Feature Will Tell You Why a Business Is Calling You.” Helpful.

Each of these examples amuse me. Shall we complain about Chinese surveillance apps?

These outfits are extending their perimeters as far as possible before the ever vigilant, lobbyist influenced political animals begin the great monopoly game.

Stephen E Arnold, September 9, 2020

Monoculture and Monopoly Law: Attraction to a Single Point Occurs and Persists

September 2, 2020

Did you hear the alarm clock ring? “Zoom Is Now Critical Infrastructure. That’s a Concern” makes it clear that even the deep sleepers can wake up. What’s the tune on these wizards’ mobile phone? Maybe a fabulous fake of “Still Drowsy after All These Years.” (Sorry, Mr. Simon.)

The write up makes clear that the Brookings community and scholars have been told the following:

  • Zoom is the information superhighway for education
  • Zoom content is visible to Zoom
  • Zoom is fending off the likes of Apple and Facetime, Google Meet and Hangouts, and Microsoft Teams (Skype shoved its hands in the barbeque briquettes, thus making that service less interesting.)
  • Zoom goes down, thus wrecking havoc.

The write up does not suggest that Zoom is up to fancy dancing with authorities from another nation state. The write up does not delve into the tale of the stunning Alex Panos, a human Swiss Army Knife of security. The write up does not articulate this Arnold Law:

A monoculture and a monopoly manifest attraction to a single online point.

A corrolary is:

That single point persists.

In the absence of meaningful oversight, Zoom is, according to the write up:

By contrast, a successful cyber attack targeting Zoom could bring education and an enormous amount of business activity to a complete halt.

And what about the Zoom data? Useful to some perhaps?

Stephen E Arnold, September 2, 2020

Why Update? Surprise, Hacker Masquerade Time

September 1, 2020

Hacker Masquerade vulnerability assessment firm Positive Technologies has shared some results from their penetration tests (“pentests) on corporate information systems. Though they do not reveal data on individual clients, they report some eye-opening statistics. IT Brief reports on these findings in, “Hackers Difficult to Distinguish from Legitimate Users—Study.” Writer Shannon Williams tells us:

“At 61% of the companies, we found at least one simple way to obtain control of infrastructure that would have been feasible even for a low-skilled hacker. The testers noted that legitimate actions that would be unrecognizable from regular user activity accounted for 47% of the actions that allowed pentesters to create an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller. These actions allow hackers to obtain credentials from corporate network users or information required to develop the attack. The risk is that it is hard to differentiate between such actions and the usual activities of users and administrators, making it more likely that the attack will remain unnoticed. These incidents can however be detected with security incident detection systems. The testing also demonstrated that the attackers can exploit known vulnerabilities found in outdated software versions to remotely execute arbitrary code, escalate privileges, or learn important information. What the experts see most often is lack of current OS updates.”

And that, boys and girls, is why we must always keep our operating systems up to date. The write-up shares a little about how hackers can use OS quirks to gain access to and traverse systems. Keeping your Windows updated will not, however, patch holes caused by lax permissions, single-factor authentication routines, and other liabilities. Not surprisingly, Positive Technologies’ Ekaterina Kilyusheva suggests companies hire a specialist to perform an internal pentest that will assess their systems’ vulnerabilities.

Cynthia Murrell, September 1, 2020

Insider Threats: Yep, a Problem for Cyber Security Systems

August 20, 2020

The number of cyber threat, security, alerting, and pentesting services is interesting. Cyber security investments have helped cultivate an amazing number of companies. DarkCyber’s research team has a difficult time keeping up with startups, new studies about threats, and systems which are allegedly one step ahead of bad actors. Against this context, two news stories caught our attention. It is too soon to determine if these reports are spot on, but each is interesting.

The first report appeared in Time Magazine’s story “Former CIA Officer Charged With Giving China Classified Information.” China is in the news, and this article reveals that China is or was inside two US government agencies. The story is about what insiders can do when they gather information and pass it to hostile third parties. The problem with insiders is that detecting improper behavior is difficult. There are cyber security firms which assert that their systems can detect these individuals’ actions. If the Time article is accurate, perhaps the US government should avail itself of such a system. Oh, right. The US government has invested in such systems. Time Magazine, at least in my opinion, did not explore what cyber security steps were in place. Maybe a follow up article will address this topic?

The second news item concerns a loss of health related personally identifiable information. The data breach is described in “Medical Data of Auto Accident Victims Exposed Online.” The security misstep allowed a bad actor to abscond with 2.5 million health records. The company responsible for the data loss is a firm engaged in artificial intelligence. The article explains that a PII health record can fetch hundreds of dollars when sold on “the Dark Web.” There is scant information about the security systems in place at this firm. That information strikes me as important.

Several questions come to mind:

  • What cyber security systems were in place and operating when these breaches took place?
  • Why did these systems fail?
  • Are security procedures out of step with what bad actors are actually doing?
  • What systemic issues exist to create what appear to be quite serious lapses?

DarkCyber does not have answers to these questions. DarkCyber is becoming increasingly less confident in richly funded, over-hyped, and ever fancier smart security systems. Maybe these whizzy new solutions just don’t work?

Stephen E Arnold, August 20, 2020

The Old and Not-So-Bold Dieblold?

August 16, 2020

Robbing ATMs with specialized hardware is not new. What is new is using the manufacturer’s own software to facilitate the attacks. Ars Technica reports, “Crooks Have Acquired Proprietary Diebold Software to ‘Jackpot’ ATMs.” Say, doesn’t Diebold also make voting machines? Perhaps there are some things that should not be automated.

Jackpotting is a technique in which thieves convince an ATM to spit out cash, sometimes as quickly as 1.7 bills per second. One way to achieve this is to attach a hacking device, or “black box,” to the machine, either by physically breaking into the machine’s face or connecting to its network cables. Not surprisingly, these attacks usually occur on outdoor ATMs. (Another way is by breaking in and swapping out the machine’s hard drive. Then there is the email route: malware is unwittingly installed by a network admin after a successful phishing attempt.) Black boxes mimic the machine’s internal software with a laptop or using Raspberry Pi or Arduino hardware. Now, some thieves are leveraging Diebold’s own proprietary code against it. An advisory from the manufacturer states:

“Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed. Although the fraudster is still connecting an external device, at this stage of our investigations it appears that this device also contains parts of the software stack of the attacked ATM. … The investigation into how these parts were obtained by the fraudster is ongoing. One possibility could be via an offline attack against an unencrypted hard disc.”

For now, most of these attacks appear to be occurring in Europe, particularly on the ProCash 2050xs USB model. It could be worse. Reporter Dan Goodin observes:

“The new attack variation described by Diebold is both good and bad news for consumers. On the one hand, there’s no indication thieves are using their recently acquired software stack to steal card data. The bad news is that attackers appear to have their hands on proprietary software that makes attacks more effective. The recent increase in successful jackpotting ultimately results in higher fees, as financial institutions pass on the costs caused by the losses.”

The write-up concludes with Diebold’s advice to avoid falling victim to a hacked ATM—stick to ATMs at major banks, shield the keypad while entering your PIN, and review each bank statement for suspicious activity. And Diebold “security”? Well.

Cynthia Murrell, August 16, 2020

Spearphishing: The Pursuit of an Elusive Dorsey?

August 5, 2020

I read “Twitter Says Hack Targeted Employees Using Spearphishing.” Yep, spearphishing. That’s jargon for sending a person email and using words to obtain access. Here’s what a digital spear gun looks like:

image

Click away.

The write up states:

Twitter said in a security update late Thursday that the July 15 incident by bitcoin scammers stemmed from a “spear phishing” attack which deceived employees about the origin of the messages.

A bad actor, allegedly a teen, jumped in the digital ocean, carrying a mobile phone and a digital spear fishing device:

image

Once the target was in sight, the teen released the pointy digital stream.

The result?

The remarkable Dorsey fish appears to have been targeted by the teen.

image

High-tech? The write up reports:

John Dickson of the security firm Denim Group said the latest disclosure does not necessarily suggest a sophisticated attack from a nation-state. “They conned people over the phone,” Dickson said, saying it may have been possible to find targets through research on LinkedIn or Google. “This is like the original hackers from the 1980s and 1990s; they were very good at conning people and getting them to give their credentials.”

Has the Dorsey fish been beached? Did the Dorsey fish swim away? Did the Dorsey fish notice the digital attack?

No answers which satisfy DarkCyber have been forthcoming. There’s no visual evidence of the succulent Dorsey fish being steamed and served to the Twitter Board of Directors:

image

Looks tasty. Speared phish steamed for two minutes and then sautéed with cyber veggies.

Stephen E Arnold, August 5, 2020

European Union Tries Panenka to Score Against Encrypted Data

July 31, 2020

Let’s assume this write up is accurate: “EU Plans to Use Supercomputers to Break Encryption But Also Wants Platforms to Create Opportunities to Snoop on End-to-End Communications.”

The “going dark” argument is not moving fast enough for European Union regulators. The fix is a “decryption platform.” The idea is to decrypt certain messages. The interesting part of the tactic is summarized in this passage:

Internet service providers such as Google, Facebook and Microsoft are to create opportunities to read end-to-end encrypted communications. If criminal content is found, it should be reported to the relevant law enforcement authorities. To this end, the Commission has initiated an “expert process” with the companies in the framework of the EU Internet Forum, which is to make proposals in a study. This process could later result in a regulation or directive that would force companies to cooperate.

The article points out:

There’s no way to “create opportunities” to read end-to-end encrypted communications without weakening the latter.

Worth monitoring the idea and its implementation and its opportunities.

Stephen E Arnold, July 31, 2020

Next Page »

  • Archives

  • Recent Posts

  • Meta