Microsoft Security: Perhaps Revenue Does Not Correlate with Providing Security?
February 1, 2021
I want to keep this brief. Microsoft makes money from the sale of security services. “Microsoft CEO Satya Nadella: There Is a Big Crisis Right Now for cybersecurity” reports:
For the first time on Tuesday, Microsoft disclosed revenue from its various security offerings as part of its quarterly earnings — $10 billion over the last 12 months. That amounts to a 40% year-over-year jump in the growing security business, making up roughly 7% of the company’s total revenue for the previous year.
Here’s a fascinating passage:
Microsoft itself was also hacked, though no customer data was breached. A Reuters report indicated that, as part of the hack of the National Telecommunications and Information Agency, Microsoft’s Office 365 software was attacked, allowing the intruders to monitor agency emails for months. Microsoft, however, said at the time that it has identified no vulnerabilities in its cloud or Office software.
Er, what?
I don’t want to rain on this financial parade but The Register, a UK online information service, published “Unsecured Azure Blob Exposed 500,000+ Highly confidential Docs from UK Firm’s CRM Customers.” Furthermore, the Microsoft security services did not spot the SolarWinds’ misstep, which appears to have relied upon Microsoft’s much-loved streaming update service. The euphemism of “supply chain” strikes me as a way to short circuit criticism of a series of technologies which are easily exploited by at least one bad actor involved in the more than 12 month undetected breach of core systems at trivial outfits like US government agencies.
Net net: Generating revenue from security does not correlate with delivering security or engineering core services to prevent breaches. And what about the failure to detect? Nifty, eh?
The February 9, 2021, DarkCyber video program takes a look at another of Microsoft’s remarkable dance steps related to the SolarWinds’ misstep. Do si do, promenade, and roll away to a half sashay! Ouch. Better watch where you put that expensive shoe.
Stephen E Arnold, February 1, 2021
Selling Technology in a Tough Market Roasting in Solar Waves
January 13, 2021
I read a post on Hacker News. You may be able to locate it at this link: http://solarleaks.net/. I don’t know if this is a scam or the answer to the question “Where’s the beef?” The message states:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Happy new year! Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion) We are putting data found during our recent adventure for sale. [Microsoft Windows (partial) source code and various Microsoft repositories] price: 600,000 USD data: msft.tgz.enc (2.6G) link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0
The Solar Leaks’ post then provides information about the cost of the MSFT, Cisco, FireEye, et al. software. Prices begin at $50,000 for some alleged FireEye goodies and soar to $600,000 for the Microsoft crown jewels.
What’s important, however, is the post-SolarWinds’ misstep marketing environment. Sales professionals of products that provide enhanced cyber security, threat alerts, and the assorted jargon-enhanced assertions have to close deals.
Just in time is a helpful write up from Entrepreneur Magazine called “8 Psychological Tricks to Increase Conversion Rates for SaaS Startups.” That’s on time and on target.
I am tempted to summarize the ideas with references to Machiavelli, Al Capone, and high school lovers promising to be together forever. But I will not. I will highlight three of the ideas, and you can pony up some cash to read the full entrepreneurial check list yourself.
Suggestion 1:
Offer fewer choices.
Okay, Amazon, Microsoft, and others offering secure cloud environments, are you listening? Fewer choices. The point of offering choices is to create an opportunity to confuse a customer and allow MBAs with spreadsheet fever to cook up pricing options guaranteed to lead to big surprises when the system is up and running. Cross that threshold and beyond the invoice! Outstanding.
Suggestion 2:
Introduce a third product.
You have to read the article to appreciate the wonderfulness of offering a print subscription, a digital subscription, and a combo subscription or an option that forces the “brain to focus on the two closest options.” I am confident that this is backed by an MBA-type book called “Thinking Slow and Slower.”
Suggestion 3:
Increase quantities rather than reduce the price.
Ah, yes, buy five packages of cookies and get an extra 20 percent discount. That’s okay, but I don’t have any place to put extra bags of cookies in my one-bedroom trailer parked in Sunrise Acres in Bullet County, Kentucky. More, more, more. Yes, bullet proof. No pun intended.
With cyber security delivered via the cloud in the great SaaS approach, the trick to making sales is to shift from professional sales person to a street hustler offering “original” watches as tourists exit the bus from a tour of the Forbidden City.
What about clarity, factual information, and services which work, well, maybe just mostly work?
Good enough.
Stephen E Arnold, January 13, 2021
SolarWinds Are Gusting and Blowing Hard
January 5, 2021
Many pundits have reacted to the New York Times’ story “As Understanding of Russian Hacking Grows, So Does Alarm.” Work through those analyses. What’s missing? Quite a lot, but in this short blog post I want to address one issue that has been mostly ignored.
At one time, there was a list on the SolarWinds’ Web site of the outfits which had been compromised. That list disappeared. I posted “Sun Spotting in the Solar Wind” on December 23, 2020. In that post, I reported three outfits which had been allegedly compromised by the SolarWinds’ misstep (and some of the information I used as a source remains online):
City of Barrie (Canada)
Newton Public Schools (US)
Regina Public Schools (Canada).
The question is, “Why are outfits like a municipality known as part of the Greater Golden Horseshoe, Newton’s public schools, and the Regina public schools on that list?” (I’ve been to Regina in the winter. Unforgettable it is.)
My research team and I discussed the alleged exploits taking up residence in these organizations; that is, allegedly, of course, of course.
Here’s what my team offered:
- A launch pad for secondary attacks. The idea is that the original compromise was like a rat carrying fleas infected with the bubonic plague (arguably more problematic than the Rona)
- A mechanism for placing malicious code on the computing devices of administrators, instructors, and students. As these individuals thumb typed away, these high trust individuals were infecting others in their social circle. If the infections were activated, downloads of tertiary malware could take place.
- Institutions like these would connect to other networks. Malware could be placed in server nodes serving other institutions; for example, big outfits like Rogers Communications, a government ministry or two, and possibly the cloud customers of the beloved Rogers as well as BCE (Bell Canada’s parent) and Telus.
The odd ducks in the list of compromised organizations just might not be so odd after all.
That’s the problem, isn’t it? No one knows exactly when the misstep took place, what primary and downstream actions were triggered, and where subsequent rats with fleas infected with bubonic plague have gone.
Net net: It’s great to read so many words about a misstep and not have signals that the issue is understood, not even by the Gray Lady herself.
Stephen E Arnold, January 6, 2020
About Those Insider Threat Security Systems
January 1, 2021
Fortinet published a report about insider threats. You can get a copy at this link. The document reveals the trends and challenges facing organizations from insider threats; that is, someone inside an organization helps a bad actor access off-limits systems and services. One statistic jumped out at me: About 70 percent of the companies in the 2019 survey “feel moderately to extremely vulnerable to insider attacks.”
What about 2020? The Hollywood trade publication Variety published “Ticketmaster Will Pay $10 Million Fine to Settle Federal Charges It Hacked Rival’s System.” Hollywood. Companies brokering tickets in the time of Covid. I learned:
Ticketmaster agreed to pay a $10 million criminal fine to avoid prosecution over charges that it illegally accessed systems of a startup rival to steal proprietary info in an attempt to “choke off” the smaller company’s business, federal authorities said.
How did Ticketmaster compromise the target? Hacking, crimeware as a service, Fancy Dan penetration testing tools?
The answer? Read it for yourself:
A former employee of ticketing firm CrowdSurge (which later merged with Songkick) who had joined Live Nation shared URLs with Ticketmaster employees that provided access to draft ticketing web pages that Songkick had built in an attempt to “steal back” one of Songkick’s top artist clients, federal prosecutors said. Ticketmaster, owned by Live Nation Entertainment, said in a statement that in 2017 it fired both Zeeshan Zaidi, former head of Ticketmaster’s artist services division, and the former CrowdSurge exec, Stephen Mead, “after their conduct came to light.”
How do AI-infused insider threat systems work? It seems that simply hiring an employee from a company with interesting ways of dealing with former employees’ access rights does the job.
Companies create their own insider threat issues. No software smart or dumb can prevent problems caused by lazy, incompetent, or distracted organizations’ staff.
Stephen E Arnold, January 1, 2021
Microsoft: Information Released Like a Gentle Solar Wind
December 31, 2020
I read the New Year’s Eve missive from Microsoft, a company which tries to be “transparent,” “Microsoft Internal Solorigate Investigation Update.” I am not sure, but I think the Microsoft Word spell checker does not know that SolarWinds is not spelled Solorigate. Maybe Microsoft is writing about some other security breach or prefers a neologism to end the fine year 2020?
Here’s a passage I found interesting:
Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated. [Bold added to highlight intriguing statements]
To me, an old person who lives in rural Kentucky, it sure sounds as if Microsoft is downplaying:
- Malicious code within Microsoft’s systems
- The code performed “unusual activity,” whatever that actually means; I don’t know
- The malicious code made it to MSFT source code repositories
- Whatever happened has allegedly been fixed up.
What’s that unknown unknowns idea? Microsoft may be writing as if there are no unknown unknowns related to the SolarWinds misstep.
If you want more timely Solorigate misstep info, here’s what Microsoft suggests as a New Year’s Eve diversion:
For the up-to-date information and guidance, please visit our resource center at https://aka.ms/solorigate.
Stephen E Arnold, December 31, 2020
What Can a System Administrator Do? The Zoom Example
December 22, 2020
I don’t want to make a big deal of what is common knowledge among those who are system administrators. My French bulldog does not worry about a person with root access. He chews his bone and barks at UPS trucks.
I, on the other hand, do know what system administrators can do and do do. After more than 50 years of professional work, I have learned first hand what unmanaged, poorly supervised, and careless watching of watchers can yield. Let me tell you: There’s quite a bit of excitement out in the real world.
But why listen to an old timer who should be ensconced in a Covid ridden old-age home?
Navigate to “Ex Zoom China Employee Faces US Dissident Censoring Charge.” To make the story short, a person with root access or access to the functions of a system administrator censored customers’ information.
Is this important?
Yes, but not because Zoom is more or less like other successful high technology companies.
The action illustrates the inherent weakness of existing controls over systems access. The alleged perpetrator may have been acting due to personal beliefs. The individual could have been paid to block the content. The person with access could have been following orders.
The point is that a system administrator can do many things: Monitor a colleague, gather data in order to blackmail a person, alter information, block content, and define what is real and verifiable.
Let’s take another step. Read “Study Finds That Robots Can Pressure People to Do Risky Things.” Let’s assume that some people are more likely to respond to robot pressure. A robot can be either a Boston Dynamics type of mechanical reindeer or a software script. An engineer with root can instruct a software robot to deliver information of a specific type to people. Some of those people will respond and maybe do risky things. Other people will believe the outputs and make decisions within that information frame. Like goldfish in a bowl of water, the environment becomes that which is accepted. That’s what a system administrator can do if so inclined and operating without oversight.
Is the online information reality real, accurate, or shaped?
Stephen E Arnold, December 21, 2020
A New Year Is Coming: Let Us Confront the New Reality
December 21, 2020
Nope, not Covid. Nope, not the financial crisis. Nope, not the social discontinuities. Nope, not the big technology monopoly clown show.
What then?
How about security insecurity? Do you like the phrase? I do because it communicates that users of online systems may never know if the system or systems are secure.
One can pretend, what I call security theater, of course.
The new reality is that an actor or actors has slipped in the stage door after driving a delivery van near the security theater and double parked for what may have been months. The individuals do not work according to New York City labor rules. Nope, these actors moved around, ordered takeout, and lounged on the sidewalks. People passing did not notice. You know the New York attitude: We are definitely with it. This is Broadway.
I read “A Hack Foretold.” I was not impressed. The reason is that the original Internet was technology Play-Doh. Who could imagine what constructs the parti-colored blobs of red, blue, and yellow could become?
The write up states with the assured naiveté of a thumb typer:
The point is the authorities have known about hacking for a long time. Whole bureaucracies have been established, and presidential directives have been promulgated, to enhance cybersecurity—and some of their actions have been effective. Still, the contest between cyber offense and -defense is a never-ending race, where the offense has the advantage and, so, the defense must never let up its guard. While security is a lot better than it used to be, vast networks have been left exposed in one way or another, and dedicated hackers who very much want to get inside those networks—and who have the resources of a nation-state—figure out a way.
I want to point out that the cyber security industry has flowered into billions of dollars a year because home economics majors, working with MBAs, constructed a fantasy story about computer security.
Security insecurity is little more than another symptom of efficiency thinking. What can be done to reduce costs and maximize revenue? Oh, so some people lose their jobs in Canton, Illinois, when the John Deere factory goes away. “Tough cookies,” say the efficiency wizards.
We have created a situation in which security insecurity is going to become a digital Covid. I am delighted I am old, retired, and living in a hollow in rural Kentucky. Can you imagine the meetings, the memoranda, the reports, and the self-serving explanations of:
- Cyber security vendors
- Smart software which acts like an antibody to protect a system
- Individual security experts who did the “good enough” work to spoof the clueless lawyers, accountants, bureaucrats, and MBAs who manage technology operations
- Consultants like those who populate LinkedIn and BrightTALK with lectures about security
- Experts who assert that monitoring the Dark Web, Facebook, and chat provide an early warning of actions to come.
I could go on and toss in security appliance vendors, university professors who convert a clever workaround into a peer reviewed paper for IEEE or ACM, and former bad actors who see the light and become trusted advisors after serving jail time.
The New Reality is that I am not sure how one goes about determining the priorities for figuring out what was compromised, determining what other vulnerabilities have been installed, and bringing up systems which do not have the charming characteristics of specialized software firms which have code that hides itself so that it can happily reinstall itself.
I spoke with a former CIA professional twice in the last 48 hours. He asked me, “What do I recommend to remediate the problem?” My answer was, “Investigate.”
The actors lounging in front of the security theater are not chatterboxes, and I have seen zero verifiable evidence that defines the timing, scope, and actions of these actors. Why guess then? Why look back and say “woulda, coulda, shoulda.” The time to embrace the New Reality is here.
The security theater has to go dark, and we need a new construct. Expensive, time consuming, and difficult for sure. Failure, however, means changes next to which those wrought by Covid are trivial. Thumb typers, are you confident your online activities are secure? In deference to the holiday season, here’s a modified carol: Deck the halls with boughs of folly, Tra la la, la la la la.
Stephen E Arnold, December 21, 2020
Zipper the SIPR: The SolarWinds Blow
December 18, 2020
I found this article interesting: “Pentagon Forces Emergency Shutdown of Computer Network Handling Classified Material.” Since I work in rural Kentucky, I have zero clue if the information in the write up is accurate; nevertheless, let me highlight one of the statements in the write up:
An emergency shutdown of a classified internal communications network was ordered at the Pentagon Tuesday. The system, called the Secret Internet Protocol Router Network, handles not only classified information but “up to the secret level”…
My hunch is that this is an “abundance of caution” move. Why caution? Why now?
Possibly the SolarWinds misstep is a reason?
At lunch today, a member of my team and I discussed the marketing of smart, 24×7 cyber security systems. Many companies are engaged in this type of activity. But how secure are such security systems? Many are more alike than different; for example:
- Use of open source software
- Reliance upon standard and often manipulable statistical procedures
- Licensing tools and content from companies also in the cyber security business.
The result? Fodder for sales professionals and former art history majors now engaged in public relations, webinar production, and Madison Avenue style pitch writing.
Oh, one other result. The possible security thing at a number of US government entities, large corporations, and probably a handful of non governmental organizations.
Big deal? For some, yep, big deal. For others, what’s the hoo-hah about? Just close that deal, book the business, and collect the fees. What’s more important than cyber security? Revenue perhaps?
Stephen E Arnold, December 18, 2020
Explaining the 2020 End of Year Cyber Hack of Big, Fat Targets of Opportunity
December 18, 2020
I know you have heard about the end of year cyber attack. The end of 2020 is a zinger. But what caused the problem? Who is responsible? Which cyber security expert is the one to believe? Beyond Search has located an explanation, courtesy of Lorem Ipsum Anything. We posed these questions to the smart software at this next generation thumb typing site and learned:
Security harm resilience change others Beneficiaries food security persons groups objects. Institutions ecosystems entity referent security freedom change forces resilience example. Absence good want presence phenomenon range protection senses foundations secrecy. damage term purpose systems acts guarding security systems security guard security forces security companies. Security cameras e.g. state of mind telephone line containment room cell.
Makes the uptown explanations from assorted experts wishing they could have explained the cyber kick in the ribs as well. Yep, 2020 is year to remember. “Absence good want presence.”
Well said.
Stephen E Arnold, December 18, 2020
Security Vendors: Despite Marketing Claims for Smart Software Knee Jerk Response Is the Name of the Game
December 16, 2020
Update 3, December 16, 2020 at 1005 am US Eastern, the White House has activated its cyber emergency response protocol. Source: “White House Quietly Activates Cyber Emergency Response” at Cyberscoop.com. The directive is located at this link and verified at 1009 am US Eastern as online.
Update 2, December 16, 2020 at 1002 am US Eastern. The Department of Treasury has been identified as an entity compromised by the SolarWinds’ misstep. Source: “US Treasury, Commerce Depts. Hacked through SolarWinds Compromise” at KrebsonSecurity.com
Update 1, December 16, 2020, at 950 am US Eastern. The SolarWinds’ security misstep may have taken place in 2018. Source: “SolarWinds Leaked FTP Credentials through a Public GitHub Repo “mib-importer” Since 2018” at SaveBreach.com
I talked about security theater in a short interview/conversation with a former CIA professional. The original video of that conversation is here. My use of the term security theater is intended to convey the showmanship that vendors of cyber security software have embraced for the last five years, maybe more. The claims of Dark Web threat intelligence, the efficacy of investigative software with automated data feeds, and Bayesian methods which inoculate a client from bad actors: maybe this is just Madison Avenue gone mad. On the other hand, maybe these products and services don’t work particularly well. Maybe these products and services are anchored in what bad actors did yesterday and are blind to the here and now of dudes and dudettes with clever names?
Evidence of this approach to a spectacular security failure is documented in the estimable Wall Street Journal (hello, Mr. Murdoch) and the former Ziff entity ZDNet. Numerous online publications have reported, commented, and opined about the issue. One outfit with a bit of first hand experience with security challenges (yes, I am thinking about Microsoft) reported “SolarWinds Says Hack Affected 18,000 Customers, Including Two Major Government Agencies.”
One point seems to be sidestepped in the coverage of this “concern.” The corrective measures kicked in after the bad actors had compromised and accessed what may be sensitive data. Just a mere 18,000 customers were affected. Who were these “customers”? The list seems to have been disappeared from the SolarWinds’ Web site and from the Google cache. But Newsweek, an online information service, posted this, which may, of course, be horse feathers (sort of like security vendors’ security systems?):