Cybersecurity Giant Vendor Fail Is Official: No Easy Fix

March 15, 2021

The marketing claims were hot air, it seems. The New York Times reports “White House Weighs New Cybersecurity Approach after Failure to Detect Hacks.” Let me be clear. Organizations spending money for advanced, artificially intelligent, and proactive methods for dealing with cyber attacks face some difficult circumstances. First, the cash is gone. Second, the fix is neither quick nor easy. Third, boards of directors and those with oversight will ask difficult questions to which there are no reassuring answers; for example, “What information has been lost exactly?”

The answer: “No one knows.”

The NYT states:

… The hacks were detected long after they had begun not by any government agency but by private computer security firms.

Let’s be clear. The SolarWinds’ misstep was detected because a single human chased down an anomaly related to allowing access to a single mobile phone.

Several observations are warranted:

  1. Cybersecurity vendors have been peddling systems which don’t work.
  2. Companies are licensing these systems and assuming that their data are protected. The assumption is flawed and reflects poorly on the managers making these decisions.
  3. The lack of information about the inherent flaws in the Microsoft software build and updating processes, the mechanisms for generating “on the fly” builds of open source enabled code, and the indifference of developers to verifying that library code is free from malicious manipulation underscores systemic failures.

Remediating the issue will take more than BrightTALK security videos, more than conference presentations filled with buzzwords and glittering generalities, and more than irresponsible executives chasing big paydays.

The failure in technical education coupled with the disastrous erosion of responsible engineering practices has created “intrusions.”

Yes, intrusions and other impacts as well.

Stephen E Arnold, March 15, 2021

Insider Threat Info

March 15, 2021

Few people want to talk about trust within an organization. Even fewer bring up blackmail, outright dumbness, or selling secrets for cash. These topics do require discussion. At this moment, organizations are in a very tough spot.

Cyber security vendors will email white papers, give Zoom pitches, and accept money for licenses to software which managed to miss the antics of the SolarWinds’ bad actors for — what was it — six months, a year, maybe almost two years. Yeah.

Executives will turn cyber security over to a team, a new hire, a consultant or two (McKinsey & Co. has some specialists awaiting your call), and one or more information technology employees. Did I leave anyone out? Oh, right, senior management. Well, those men and women are above the fray because security….

The trade publications will comment, quote, explain, and create nifty diagrams. I use a couple of these in my cyber crime lectures. They add color, but not much information. Oh, well, arts and crafts are important.

The allegedly responsible parties dodge those digital balls flung by fast twitch bad actors.

Articles like “What Are Insider Threats in Cyber Security” are, therefore, helpful. In a few hundred words an outfit called News Patrolling offered some helpful information. For example, I found this passage on point:

the human factor is often the most difficult to control and predict when it comes to data security and protection.

The write up provides a run down of insider threat “types”; for example, the turncloak, the pawn, and the collusionist. Some are left out, like those I identified; for instance, the dumb ones. The catalog of insider attack types is acceptable, but some types are omitted; for example, people who sell data in an encrypted Telegram group or the person who throws away high value trash unwittingly or as a new age brush drop.

Nevertheless, this is a useful write up to discuss with colleagues. Maybe the conversation should be held in a Starbucks in Silicon Valley. Loud talking is okay.

Stephen E Arnold, March 15, 2021

Microsoft Exchange After Action Action: Adulting or Covering Up?

March 12, 2021

I read “Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on GitHub.” The allegedly accurate “real” news report states:

On Wednesday, independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers that combined two of those vulnerabilities. Essentially, he published code that could be used to hack Microsoft customers, exploiting a bug used by Chinese government hackers—on an open-source platform owned by Microsoft.

What happened?

Microsoft took down the hacking tool. “GitHub took down it,” the researcher told Motherboard in an email. “They just send [sic] me an email.” On Thursday, a GitHub spokesperson confirmed to Motherboard that the company removed the code due to the potential damage it could cause.

Interesting.

Two questions crossed my mind:

  1. Is Microsoft showing more management responsibility with regard to the data posted on GitHub? Editorial control is often useful, particularly when the outputting mechanism provides a wealth of information and code. Some of these items can be used to create issues. Microsoft purchased GitHub and may now be forced to take a more adult view of the service.
  2. Is Microsoft covering up the flaws in its core processes? After reading Microsoft’s explanations of the SolarWinds’ misstep, the injection of marketing spin and intriguing rhetoric about responsibility opens the door to a bit of Home Depoting; that is, paint, wood panel, and a bit of carpet make an ageing condo look better.

Worth watching: both the breaches, which are concerning, and the GitHub service, which can cause some individuals’ brows to furrow.

Stephen E Arnold, March 12, 2021

Microsoft: Stunned by Its Own Insecure Petard?

March 12, 2021

I read “10 Key Microsoft Ignite Takeaways for CIOs.” Marketing fluff except for one wild and crazy statement. Here’s the passage I found amusing:

By midyear, enterprises will also be able to control in which datacenter Microsoft stores documents shared through Teams, group by group or even for individual users, making it more useful in some regulated industries or where there are concerns about the security of data. These controls will mirror those available for Exchange and SharePoint. There will also be an option to make end-to-end-encrypted one-to-one voice or video calls, that CIOs can enable on a per-employee basis, and to limit meeting attendance only to invited participants. A future update could see the addition of end-to-end encrypted meetings, too. For companies that are centralizing their investment in such collaboration, McQuire said, “Security is arguably the number one selection criterion.”

Assume this number one selection criterion is on the money. What’s the Microsoft security posture with SolarWinds and the Exchange breaches?

That petard packs quite a wallop, and it is not from marketing hoohah. There’s nothing like a marketing oriented conference to blow smoke to obfuscate the incredible security issues Microsoft has created. But conferences and marketing talk are easier than remediating the security problems.

Stephen E Arnold, March 12, 2021

Quantum Computing: The Solution to SolarWinds and Microsoft Security Gaps

March 12, 2021

I am an optimist. I have been waking up with the idea that life is good and my work might make the world a slightly better place. However, I don’t put much trust in unicorns (nifty horses with a long pointy horn or the Silicon Valley type), fairies, or magical mermaids. When new technology comes along, I view the explanations of the technology’s wonders with skepticism. Mobile phones are interesting, but the phone has been around for a while. Shrinking chips make it possible to convert the “phone” into a general purpose thumbtyping machine. Nifty, but still a phone on steroids.

I thought about the human tendency to grasp for silver bullets. This characteristic runs through Jacques Ellul’s book The Technological Bluff. Its decades-old explanations and analyses are either unknown or ignored by many informed individuals. My hunch is that the Murdoch-owned Wall Street Journal assumes that its writers are responsible for understanding certain topics.

I read “Effective Cybersecurity Needs Quantum Computing.” Perhaps I should send a copy of Dr. Ellul’s book? But why? It’s not like the hippy dippy books included in the Murdoch book reviews. Dr. Ellul likes interesting words; for example, Mancipium. Does Mr. Murdoch’s oldest son know the meaning of the word? He should; he lives in a mancipium-infused environment.

The essay asserts that a new and essentially unworkable technology will deal with the current cybersecurity challenges. How many years will be required to convert baby step lab experiments into a scalable solution to the business methods employed at outfits like SolarWinds and Microsoft? One, maybe five, or a more realistic 25 years?

The problems caused by flawed, short cut riddled, and uninformed approaches to coding, building, deploying, and updating enterprise software are here-and-now puzzles. For a point of reference, the White House sounded an alarm that a really big problem exists and poses threats today.

Sure, let’s kick back and wait for the entities of nifty technology to deliver solutions. IBM, Google, and other firms are beavering away on the unicornesque quantum computing. That’s fine, but to convert expensive, complex research and development projects into a solution for the vulnerability of that email you sent a few minutes ago is just off the wall. Sure, there may be a tooth fairy or a wizard with a magic wand, but that’s not going to be the fix quantum computing allegedly will deliver.

The WSJ essay states:

The extraordinary sensitivity of qubits reveals interference instantly and unfailingly. They would alert us when hackers read, copy or corrupt transmitted files.

Sure, if someone pays attention. I want to point out that exactly zero of the cybersecurity systems monitoring the SolarWinds’ misstep sounded an alarm. Hooking these systems into a quantum system will result in what, another two to five years of development? Walking by today’s quantum computers and waving an iPhone close to a component can create some excitement. Why? Yep, sensitivity. But why worry about trivial details?

Although the Murdocher does admit that quantum computers are years away, there is zero value in kicking today’s security disasters down the road like a discarded can of Pabst Blue Ribbon beer. Funding is fine. Conflating the current radiation poisoning of digital systems with quantum computing is like waiting for an Uber or Lyft driver to come by in a chariot pulled by a unicorn.

Stephen E Arnold, March 12, 2021

Apple: Yep, the Secure System

March 12, 2021

One of the best things about Apple products is their resistance to viruses and malware. However, when a bad actor sinks their coding fangs into macOS and figures out how to corrupt the software, cyber security professionals pay attention. Ars Technica reports that, “New Malware Found On 30,000 Macs Has Security Pros Stumped.”

The downloaded malware has yet to do anything nefarious other than ping a control server to check for new commands. Security experts believe that there could be an ultimate end action, but it has not happened yet. The malware also has a self-destruct capability; usually that action is reserved for stealth software. It also runs on the new M1 chip and uses the macOS Installer JavaScript API for commands. Red Canary researchers call the new malware “Silver Sparrow.”

Developers are skeptical about Silver Sparrow’s end purpose, but are impressed that it broke through Apple’s legendary defenses:

“An Apple spokesperson provided a comment on the condition they not be named and the comment not be quoted. The statement said that after finding the malware, Apple revoked the developer certificates. Apple also noted there’s no evidence of a malicious payload being delivered. Last, the company said it provides a variety of hardware and software protections and software updates and that the Mac App Store is the safest venue to obtain macOS software.

Among the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, with the latter group finding Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That’s a significant achievement.”

Apple thankfully caught the malware before any damage was done, but it proves that Macs are not invincible and dedicated hackers can penetrate the OS. Will Apple start peddling virus protection software and add an exorbitant price tag?

Whitney Grace, March 12, 2021

DarkCyber for March 9, 2021, Now Available

March 9, 2021

This week’s DarkCyber is available on YouTube. The program includes two stories. The first is a summary of our SolarWinds’ research project. An investment firm commissioned a report to answer this question, “What are some companies that will benefit from the breach of SolarWinds’ Orion enterprise software?” The second story describes a loitering drone which has seen action in a recent hot fire skirmish.

The SolarWinds’ story comes at the breach of SolarWinds’ Orion product from a different angle. Most of the existing studies focus on what happened and what organizations are affected. Those reports fall into several broad categories: [1] Technobabble. These are explanations ignoring the obvious fact that none of the installed cyber security systems spotted the SolarWinds’ malware for more than six months, maybe more. [2] After action reports identifying issues with how the software of SolarWinds and many other organizations is assembled; for example, the use of open source libraries without making sure these libraries do not contain malware and managing basic security processes. [3] Academic / technical discussions of the specific types of malware used in the breach. (The reality is that the malware was based on existing exploits and used methods frequently discussed on hacker forums.)

In the course of our exploration of the hack, we learned that the existing, easily findable information provided a road map for the bad actors. Instead of lightning flashes of genius, the bad actors learned from a range of sources. We mention some of these in this video summary of portions of our research. Then we looked at SolarWinds itself. In this video summary, we provide a snapshot of the distraction factors at SolarWinds in the months leading up to the discovery of the breach. We identify the numerous balls SolarWinds’ executives were juggling. Obviously the firm’s security ball was fumbled by the juggler. The video summary identifies the types of commercial and open source software enabling the breach. One interesting finding is that Microsoft GitHub is the “home” for many useful tools. Some of these were likely to have facilitated certain functions added to existing malware. The final part of the video summary reveals the major findings of our research and analysis process. A more comprehensive and detailed version of this summary will be presented to units of the US government in March. Some of the information will be provided to the attendees at the US 2021 National Cyber Crime Conference. The DarkCyber video summary, we believe, is useful.

There is no written report available to the public. However, if you want a comprehensive briefing about the report, please, write us at darkcyber333 at yandex dot com. There is a charge for the one hour Zoom briefing and a 30 minute question-and-answer session following the formal presentation.

The second story documents the steady advance of artificial intelligence deployed in autonomous kamikaze drones.

Kenny Toth, March 9, 2021

Microsoft Outlook Users: Maybe Proton Mail?

March 8, 2021

I spotted another write up about the security issues with the Azure, Defender, and Office365 services. Wow, nation states and groups of allegedly China-aligned hackers are making Microsoft look worse than Jackie Smith when he dropped a game winner for the Dallas Cowboys years ago. It seems as if bad actors are trying to outdo one another in exposing the vulnerabilities of the Redmond construct. Wowza.

I read “White House Warns of Active Threat Following Microsoft Outlook Breach.” The write up states:

“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official said.

Several observations:

  1. If I were involved in the JEDI procurement, I would not be too enthusiastic about Microsoft technology being the plumbing for the Department of Defense. Hey, I know PowerPoint is the go to tool in many DoD units, but it appears that there may be some bad actors able to get their digital paws on the PPTX attachments to Outlook email.
  2. Microsoft is fighting an after action situation. The bad actors are forcing Microsoft to rush code fixes to large, already compromised organizations. If the bad actors are indeed “inside” certain entities, the bad actors are likely to have access to these speedy fixes and be able to exploit them. Why not substitute a “real” MSFT fix with a certified malware infused fix. Sounds like something bad actors might consider.
  3. In my lecture to a group of US government cyber security professionals in 48 hours, I use the analogy of radiation poisoning for the SolarWinds’ and Microsoft Exchange breaches. Once the polonium is in the target, the fix is neither quick nor simple, nor ultimately likely to work.

Net net: Other bad actors will learn from these breaches and launch their own initiatives. That’s not good because there are quite a few bad actors eager to make a mockery of US technology. I think one might characterize the Microsoft “repair after the barn burns down” as bad optics.

It’s bad something, for sure. Remember. It is the White House sounding the alarm, not an alphabet soup agency.

Stephen E Arnold, March 9, 2021

Microsoft: Yeah, about Those Distributed Systems and the Wonderful Exchange Systems

March 8, 2021

I found the information about the most recently disclosed Microsoft Exchange breaches troubling. The “1,000 bad actors” comment from the Softies seemed to say:

Hey, how can a company like Microsoft defend itself against 1,000 programmers focused on undermining our approach to building, deploying, and servicing our software?

Yep, 1,000 bad actors were allegedly needed to create the issues associated with SolarWinds and the assorted silly names attached to malware available via certain “dark” channels?

How many bad actors does it take to create issues for, what is it, 20,000 or more organizations? One news service based in India did its level best to maintain an even tone in “Over 20,000 U.S. Organizations Compromised through Microsoft Flaw.” See the number? 20,000. Maybe India does not buy into a larger number; for example, Krebs on Security states: “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software.”

Just a delta of 10,000? Hey, no big deal.

Now who pulled off this hack in the midst of the SolarWinds’ misstep? China. The country is larger than Russia which managed an estimated 18,000 compromised systems.

Okay, it is time to face up to reality:

  1. The oh-so-nifty distributed systems which rely on libraries which may or may not be secure are a big, fat sitting duck.
  2. There is no quick fix. Microsoft’s rush rush patches don’t seem to be working if the sources I have reviewed are on the money.
  3. Microsoft’s method of shoving software to licensees creates problems; for example, check out KIR, a tool that undoes updates which kill or impair licensees’ systems.

Who spotted the breach? Microsoft Defender, the Azure security system, Microsoft’s own security teams? Nope, allegedly an outfit called Volexity.

Exactly what was being monitored by the hundreds of super duper security sleuthers who sell threat intelligence, AI infused cyber security systems, and special entities which perform checks on crucial systems?

Pretty much checking out YouTube, sending text messages about pizza, and posting to Twitter about the perils of Facebook and Google.

The scale of the Exchange misstep is interesting.

What happens if one of the groups undermining the computer systems of the US decides to terminate the systems for finance, travel, and mobile communications?

Here’s my answer: Find a donkey and a cart. Life will change quickly and no quick patch for deeply flawed Microsoft technical processes will arrive to make everything better again.

Microsoft’s methods are the problem. And what about the 1,000 programmers? That’s Microsoft speak for flaws which a small group of focused bad actors can achieve. The only coding that takes 1,000 people is Microsoft’s Teams unit. Those folks are adding features while core functions are stripped bare, exploited, and turned into weapons.

It will be interesting to learn what Microsoft apologists involved in the JEDI program say about this misstep.

Keep in mind. No one knows exactly how many systems have been and remain compromised by the SolarWinds’ and the most recently revealed Exchange fumble.

What will Brad Smith say? I can hardly wait assuming that my systems are not zapped by bad actors who are surfing on shoddy solutions.

Stephen E Arnold, March 8, 2021

Cloud or Not? Fighting Words for Sure

March 5, 2021

I read “SolarWinds Hack Pits Microsoft against Dell, IBM over How Companies Store Data.” Ah, ha, a dispute with no clear resolution. The write up suggests that some big dogs in technology will be fighting over the frightened gazelles. Will the easily frightened commercial buyers take off when the word “cloud” is voiced? Or, will the sheep-inspired animals head for the perceived security of computers in the farm house?

The write up states:

[The dispute over where to put data] pits Microsoft Corp., which is urging clients to rely on cloud-computing systems, against others including Dell Technologies Inc. and International Business Machines Corp., who argue customers want to mix the cloud with the more traditional on-premise data-storage systems in a construct called hybrid-cloud.

Do you want a pickle on top of a hamburger or underneath the juicy patty? Which method? Come on. Decide.

The write up reports:

Microsoft, one of the world’s biggest cloud vendors, has said cloud services offer customers the most robust data protection. A mixed approach “creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, this creates opportunities for attackers to target cloud services,” Microsoft said in a blog post on its investigation of the hack. The notion that the hybrid cloud is less secure is inaccurate, said Paul Cormier, chief executive of Red Hat, the business IBM acquired two years ago in part in a bet on the growing demand for hybrid cloud services. “Any software could get broken into. The cloud providers could get broken into as well,” he told The Wall Street Journal.

Plus the article points out:

Microsoft itself was a victim in the attack and had some of its source code used to write software downloaded. The hackers viewed software linked to Microsoft’s Azure cloud, the company said. Mr. Smith, at the Senate hearing on the hack on Tuesday, called for a “full examination of what other cloud services and networks the Russians have accessed.”

I don’t think any computer data are secure, but that’s just me. Here in Harrod’s Creek, professionals etch secrets on lumps of boghead. Once the message has been read, one burns it. Good for secrecy, not so good for the environment.

Who will win this battle? The key is marketing. Security is a slippery fish particularly when the boats are owned by Dell, IBM, and Microsoft. The SolarWinds’ attack exploited the cloud and on premises devices. How does one spell “insider threat”? One can unplug computing devices. Put them in a locked room. Don’t let anyone enter the room. Is that a solution?

Stephen E Arnold, March 5, 2021
