Cybersecurity Lapse: Lawyers and Technology

October 29, 2020

“Hackers Steal Personal Data of Google Employees after Breaching US Law Firm” is an interesting article. First, it reminds the reader that security at law firms may not be a core competency. Second, it makes clear that personal information can be captured in order to learn about every elected official’s favorite company, Google.

The write up states:

Fragomen, Del Rey, Bernsen & Loewy LLP, a law firm that offers employment verification compliance services to Google in the United States, suffered unauthorized access into its computer systems in September that resulted in hackers accessing the personal information of present and former Google employees.

The article quotes a cyber security professional from ImmuniWeb. I learned:

According to Ilia Kolochenko, Founder & CEO of ImmuniWeb, the fact that hackers targeted a law firm that stores a large amount of data associated with present and former Google employees is not surprising as law firms possess a great wealth of the most confidential and sensitive data of their wealthy or politically-exposed clients, and habitually cannot afford the same state-of-the-art level of cybersecurity as the original data owners.

This law firm, according to the write up, handles not just the luminary Google. It also does work for Lady Gaga and Run DMC.

Stephen E Arnold, October 29, 2020

Covid Trackers Are Wheezing in Europe

October 19, 2020

COVID-19 continues to roar across the world. Health professionals and technologists have combined their intellects attempting to provide tools to the public. The Star Tribune explains how Europe wanted to use apps to track the virus: “As Europe Faces 2nd Wave Of Virus, Tracing Apps Lack Impact.”

Europe planned that mobile apps tracking where infected COVID-19 individuals are located would be integral to battling the virus. As 2020 nears the end, the apps have failed because of privacy concerns, lack of public interest, and technical problems. The latter is not a surprise given the demand for a rush job. The apps were supposed to notify people when they were near infected people.

Health professionals predicted that 60% of European country populations would download and use the apps, but adoption rates are low. The Finnish, however, reacted positively and one-third of the country downloaded their country’s specific COVID-19 tracking app. Finland’s population ironically resists wearing masks in public.

The apps keep infected people’s identities secret. Their data remains anonymous, and the apps only alert others if they come in contact with a virus carrier. Whether the information provides any help to medical professionals remains to be seen:

“We might never know for sure, said Stephen Farrell, a computer scientist at Trinity College Dublin who has studied tracing apps. That’s because most apps don’t require contact information from users, without which health authorities can’t follow up. That means it’s hard to assess how many contacts are being picked up only through apps, how their positive test rates compare with the average, and how many people who are being identified anyway are getting tested sooner and how quickly. ‘I’m not aware of any health authority measuring and publishing information about those things, and indeed they are likely hard to measure,’ Farrell said.”

Are these apps actually helpful? Maybe. But they require maintenance and constant updating. They could prevent some of the virus from spreading, but sticking to the tried and true methods of social distancing, wearing masks, and washing hands works better.

Whitney Grace, October 19, 2020

China Alert from the FBI

October 10, 2020

DarkCyber noted “New FBI Film Warns about China’s Recruitment of US Officials.” The DarkCyber research team has not viewed this video. We did note this statement in the article about the video:

FBI Director Christopher Wray and other officials have said that China’s goal of becoming the world’s top technology provider is fueling Beijing’s aggressive techniques to get as much information on technologies from around the world as possible. “Social media deception continues to be a popular technique for foreign intelligence services and other hostile actors to glean valuable information from unsuspecting Americans,” NCSC Director William Evanina said in a statement. “Through this movie and other resources, we hope to raise awareness among Americans so they can guard against online approaches from unknown parties that could put them, their organization, and even national security at risk.”

Data generated by social media allows one skilled in certain arts to:

  • Identify individuals who may be susceptible to pressure or payoffs
  • Find hints about an individual’s weaknesses or pressure points
  • Pinpoint activities, including destinations, so that in-person contact can be initiated.

The cavalier dismissal of social media like TikTok as no big deal is not warranted. The FBI’s concern is understandable. If anything, enforcement agencies should have been more aggressive. The film is a useful first step, but more communication about the risks certain countries pose to the security of US businesses and governmental agencies is needed.

Stephen E Arnold, October 8, 2020

Corporate Reputations and Sketchy Security

October 7, 2020

Cyber attacks are on the rise not only for individuals, but also for businesses, hospitals, banks, and other organizations. While organizations dedicate entire departments to cyber security, they still run the risk of their reputations being harmed. Daiji World explains more about the threat in the article “Reputational Risks From Cyber Attacks On Rise As Episodes Become Public: Moody’s.”

Consumers want reliable organizations from which to purchase goods and services and to manage their health and finances, but if organizations become cyber attack victims, their clients lose trust in them. Moody’s Investors Service reported on the topic and said that companies that rely heavily on their reputations, or whose clients can easily switch to a competitor, suffer the most from cyber attacks.

Organizations avoided disclosing cyber attacks in the past, because they did not want to further damage their reputations. Bad actors, however, enjoy bragging about their conquests and also want their victims to squirm in a public forum, so they announce their attacks online. New laws also require organizations to notify clients if there is a breach. Moody’s also wrote:

“‘Damaged reputations can result in increases in the cost of capital, regulatory costs and additional costs for attracting and hiring talent. Companies with damaged reputations may also lose the support of customers, investors and other counterparties, causing a reduction in revenue…’

“Besides, the report cited that companies with lower customer bargaining power or confidence-sensitive business models have more exposure to cyber-related reputational risks. ‘The effects vary, with acute financial consequences for some companies and little or no impact for others. Companies can employ various strategies to reduce customer churn and limit reputational harm, although these strategies can be expensive or frustrate customers,’ the report suggested.”

Ransomware tactics are still preferred by bad actors. Some organizations pay the ransom only if they are publicly called out, while others have no choice because of the sensitive nature of the data.

In the future, organizations must budget for bigger cyber security departments and insurance for ransomware attacks. Insurance companies probably already have.

Whitney Grace, October 7, 2020

Thinking about Security: Before and Earlier, Not After and Later

September 30, 2020

Many factors stand in the way of trustworthy AI, not the least of which is the involvement of those for whom a raise, a bonus, or a promotion is involved. Then there is the thorny issue of bias built into machine learning. InformationWeek, however, looks at a few more straightforward threats in its article, “Dark Side of AI: How to Make Artificial Intelligence Trustworthy.”

Gartner VP and analyst Avivah Litan notes that, though AI is becoming more mainstream, security and privacy considerations still keep many companies away. They are right to be concerned: according to Gartner’s research, consumers believe responsibility lies with the organizations that adopt AI technology, not the developers or vendors behind it. Litan describes two common ways bad actors attack AI systems: malicious inputs and query attacks. She writes:

“Malicious inputs to AI models can come in the form of adversarial AI, manipulated digital inputs or malicious physical inputs. Adversarial AI may come in the form of socially engineering humans using an AI-generated voice, which can be used for any type of crime and considered a ‘new’ form of phishing. For example, in March of last year, criminals used AI synthetic voice to impersonate a CEO’s voice and demand a fraudulent transfer of $243,000 to their own accounts…. “Query attacks involve criminals sending queries to organizations’ AI models to figure out how it’s working and may come in the form of a black box or white box. Specifically, a black box query attack determines the uncommon, perturbated inputs to use for a desired output, such as financial gain or avoiding detection. Some academics have been able to fool leading translation models by manipulating the output, resulting in an incorrect translation. A white box query attack regenerates a training dataset to reproduce a similar model, which might result in valuable data being stolen. An example of such was when a voice recognition vendor fell victim to a new, foreign vendor counterfeiting their technology and then selling it, which resulted in the foreign vendor being able to capture market share based on stolen IP.”

Litan emphasizes that it is important for organizations to get ahead of security concerns. Not only will building in security measures at the outset thwart costly and embarrassing attacks, it is also less expensive than trying to tack them on later. She recommends three specific measures: conduct a threat assessment and carefully control access to, and monitoring of, training data and models; add AI-specific aspects to the standard software development life cycle (SDLC) controls; and protect and maintain data repositories to prevent data poisoning. See the article for elaboration of each of these points.
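One concrete control behind the third recommendation (protecting data repositories against poisoning) is an integrity manifest: record a digest of every training file when the dataset is approved, authenticate the listing, and refuse to train if anything was modified, removed or slipped in since. The script below is an added example written for this post, not code from Gartner, Litan or InformationWeek; the file contents and the manifest key are constructed placeholders, and a real deployment would read the files from disk or object storage and would sign the manifest with a key kept outside the training pipeline.

```python
import hashlib
import hmac
import json

# Constructed sample repository: file name -> contents. Assumption: a real
# pipeline would read these from disk or object storage instead.
TRAINING_FILES = {
    "train/labels.csv": b"id,label\n1,benign\n2,malicious\n3,benign\n",
    "train/features.bin": b"\x00\x01\x02\x03constructed-feature-bytes",
}

# Placeholder key for the demo. Assumption: in production this lives in a
# secrets store that the training job can verify with but not alter.
MANIFEST_KEY = b"constructed-demo-key-replace-me"


def file_digest(data: bytes) -> str:
    """SHA-256 of one file's bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a per-file digest and an HMAC over the whole (sorted) listing,
    so that neither a file nor the manifest itself can be changed unnoticed."""
    digests = {name: file_digest(data) for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": digests, "hmac": tag}


def verify_manifest(files: dict, manifest: dict, key: bytes):
    """Return (ok, findings). Findings name modified, missing and unexpected
    files; a tampered manifest is reported on its own and stops the check."""
    findings = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time compare so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        findings.append("manifest: HMAC mismatch (manifest altered or wrong key)")
        return False, findings
    for name, digest in manifest["files"].items():
        if name not in files:
            findings.append(f"missing: {name}")
        elif file_digest(files[name]) != digest:
            findings.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            findings.append(f"unexpected: {name}")
    return not findings, findings


def poisoned_copy(files: dict) -> dict:
    """Constructed tampering: flip one label and add an unreviewed file."""
    tampered = dict(files)
    tampered["train/labels.csv"] = b"id,label\n1,benign\n2,benign\n3,benign\n"
    tampered["train/extra.csv"] = b"id,label\n4,benign\n"
    return tampered


if __name__ == "__main__":
    manifest = build_manifest(TRAINING_FILES, MANIFEST_KEY)
    print("clean repository:", verify_manifest(TRAINING_FILES, manifest, MANIFEST_KEY))
    print("poisoned repository:", verify_manifest(poisoned_copy(TRAINING_FILES), manifest, MANIFEST_KEY))
```

The manifest is built once, at the point where the dataset is reviewed and approved, and verified by the training job before any file is read; the approval step and the training step should run under different identities so that whoever can write to the repository cannot also re-issue the manifest.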

Cynthia Murrell, September 30, 2020

TikTok Ticks Along

September 18, 2020

US President Donald Trump allegedly banned Americans from using TikTok because of potential information leaks to China. In an ironic twist, The Intercept explains “Leaked Documents Reveal What TikTok Shares With Authorities—In The U.S.” It is not a secret in the United States that social media platforms from TikTok to Facebook collect user data as a way to spy on users and sell products.

While the US monitors its citizens, it does not take the same censorship measures as China does with its people. The amount of data TikTok gathers for the Chinese is alarming, but leaked documents show that the US also accesses that data. Data privacy has been a controversial topic for years within the United States, and experts argue that TikTok collects the same type of information as Google, Amazon, and Facebook. The documents reveal that ByteDance (TikTok’s parent company), the FBI, and the Department of Homeland Security monitored the platform.

Law enforcement officials use TikTok as a means to monitor social unrest related to the death of George Floyd. Floyd suffocated when a police officer cut off his oxygen attempting to restrain him during arrest. TikTok users post videos about Black Lives Matter, police protests, tips for disarming law enforcement, and even jokes about the US’s current upheaval. TikTok’s user agreement says it collects information and will share it with third parties. The third parties include law enforcement if TikTok feels there is an imminent danger.

TikTok, however, also censors videos, particularly those the Chinese government dislikes. These videos include political views, the Hong Kong protests, Uyghur internment camps, and people considered poor, disabled, or ugly.

Trump might try to make the US appear as the better country, but:

“The common concern, whether we’re talking about TikTok or Huawei, isn’t the intentions of that company necessarily but the framework within which it operates,” said Elsa Kania, an expert on Chinese technology at the Center for a New American Security. “You could criticize American companies for having an opaque relationship to the U.S. government, but there definitely is a different character to the ecosystem.” At the same time, she added, the Trump administration’s actions, including a handling of Portland protests that brought to mind the police crackdown in Hong Kong, have undercut official critiques of Chinese practices: “At a moment when we’re seeing attempts by the administration to draw a contrast in terms of values and ideology with China, these eerie parallels that keep recurring do really undermine that.”

Where is the matter now? We will have to ask an oracle.

Whitney Grace, September 18, 2020

VPN Usage: Just Slightly Unbelievable Data

September 15, 2020

How about virtual private networks? What about those free VPNs? How effective are specialized VPNs which bond two or more Internet connections?

Interesting questions.

“VPN Usage Now Makes Up Almost All Enterprise Traffic” does not answer these questions, but the write up reports on a study which offers some interesting and, to DarkCyber, slightly unbelievable data; for example:

  • VPN usage has gone from 10 or 15% of enterprise traffic to maybe 95%
  • Bad actor attacks on VPNs have “increased dramatically,” although no data are offered
  • Three-quarters of desktop devices (77%) have adequate antivirus or cybersecurity software installed, falling some way short of total protection
  • 17% of laptops supplied by UK employers also lacked security software.

There is nothing like survey data without information about who, how, and data analysis methods.

Microsoft wants to make its “defender” system a service one cannot turn off or uninstall. If this occurs, how will the research data be affected?

Questions? Just more questions?

Stephen E Arnold, September 15, 2020

Oh, Oh, Millennials Want Their Words and Services Enhanced. Okay, Done!

September 9, 2020

A couple of amusing items caught my attention this morning. The first is Amazon’s alleged demand that a Silicon Valley real news outlet modify its word choice.


The Bezos bulldozer affects the social environment. The trillion horsepower Prime machine wants to make sure that its low cost gizmos are not identified with surveillance. Why is that? Perhaps because their inclusion of microphones, arrays, and assorted software designed to deal with voices in far corners performs surveillance? DarkCyber does not know. The solution? Amazon = surveillance. Now any word will do, right?

The second item is mentioned in “Microsoft Confirms Why Windows Defender Can’t Be Disabled via Registry.” The idea is that Microsoft’s system is now becoming Bob’s mom. You remember Bob, don’t you? User controls? Ho ho ho.

The third item is a rib tickler. You worry about censorship for text and videos, don’t you? Now you can worry about Google’s new user centric ability to filter your phone calls. That’s a howler. What if the call is from a person taking Google to court? Filtered. This benefits everyone. You can get the allegedly full story in “Google New Verified Calls Feature Will Tell You Why a Business Is Calling You.” Helpful.

Each of these examples amuses me. Shall we complain about Chinese surveillance apps?

These outfits are extending their perimeters as far as possible before the ever vigilant, lobbyist influenced political animals begin the great monopoly game.

Stephen E Arnold, September 9, 2020

Monoculture and Monopoly Law: Attraction to a Single Point Occurs and Persists

September 2, 2020

Did you hear the alarm clock ring? “Zoom Is Now Critical Infrastructure. That’s a Concern” makes it clear that even the deep sleepers can wake up. What’s the tune on these wizards’ mobile phone? Maybe a fabulous fake of “Still Drowsy after All These Years.” (Sorry, Mr. Simon.)

The write up makes clear that the Brookings community and scholars have been told the following:

  • Zoom is the information superhighway for education
  • Zoom content is visible to Zoom
  • Zoom is fending off the likes of Apple and Facetime, Google Meet and Hangouts, and Microsoft Teams (Skype shoved its hands in the barbeque briquettes, thus making that service less interesting.)
  • Zoom goes down, thus wreaking havoc.

The write up does not suggest that Zoom is up to fancy dancing with authorities from another nation state. The write up does not delve into the tale of the stunning Alex Stamos, a human Swiss Army Knife of security. The write up does not articulate this Arnold Law:

A monoculture and a monopoly manifest attraction to a single online point.

A corollary is:

That single point persists.

In the absence of meaningful oversight, Zoom is, according to the write up:

By contrast, a successful cyber attack targeting Zoom could bring education and an enormous amount of business activity to a complete halt.

And what about the Zoom data? Useful to some perhaps?

Stephen E Arnold, September 2, 2020

Why Update? Surprise, Hacker Masquerade Time

September 1, 2020

Vulnerability assessment firm Positive Technologies has shared some results from their penetration tests (“pentests”) on corporate information systems. Though they do not reveal data on individual clients, they report some eye-opening statistics. IT Brief reports on these findings in, “Hackers Difficult to Distinguish from Legitimate Users—Study.” Writer Shannon Williams tells us:

“At 61% of the companies, we found at least one simple way to obtain control of infrastructure that would have been feasible even for a low-skilled hacker. The testers noted that legitimate actions that would be unrecognizable from regular user activity accounted for 47% of the actions that allowed pentesters to create an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller. These actions allow hackers to obtain credentials from corporate network users or information required to develop the attack. The risk is that it is hard to differentiate between such actions and the usual activities of users and administrators, making it more likely that the attack will remain unnoticed. These incidents can however be detected with security incident detection systems. The testing also demonstrated that the attackers can exploit known vulnerabilities found in outdated software versions to remotely execute arbitrary code, escalate privileges, or learn important information. What the experts see most often is lack of current OS updates.”

And that, boys and girls, is why we must always keep our operating systems up to date. The write-up shares a little about how hackers can use OS quirks to gain access to and traverse systems. Keeping your Windows updated will not, however, patch holes caused by lax permissions, single-factor authentication routines, and other liabilities. Not surprisingly, Positive Technologies’ Ekaterina Kilyusheva suggests companies hire a specialist to perform an internal pentest that will assess their systems’ vulnerabilities.
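The quoted passage says the testers’ most useful steps (creating privileged users, dumping lsass.exe memory, exporting registry hives) look like ordinary administration yet can still be caught by incident detection systems. The script below shows what that detection looks like in practice: three rules run over Windows Security and Sysmon events, flagging a member added to an administrative group (events 4728/4732/4756), a process other than a known system binary opening lsass.exe (Sysmon event 10), and reg.exe saving a credential-bearing hive (Sysmon event 1). It is an added example written for this post, not code from Positive Technologies or IT Brief; the log lines are constructed JSON records, and the group list and lsass.exe allowlist are assumptions to be tuned for a given environment.

```python
import json

# Groups whose membership changes warrant review. Assumption: extend per domain.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# System processes that legitimately open lsass.exe. Assumption: tune per build.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}
# Hives whose export exposes credential material.
SENSITIVE_HIVES = (r"hklm\sam", r"hklm\security", r"hklm\system")


def analyze_event(ev: dict):
    """Return an alert string for one event, or None if no rule matches."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    # Rule 1: member added to a privileged global/local/universal group.
    if eid in (4728, 4732, 4756) and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
        return (f"[{host}] privileged group change: {ev.get('MemberName')} "
                f"added to {ev['TargetUserName']} by {ev.get('SubjectUserName')}")
    # Rule 2: Sysmon ProcessAccess (event 10) on lsass.exe from an unexpected image.
    if eid == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        if ev.get("SourceImage", "").lower() not in LSASS_ALLOWLIST:
            return (f"[{host}] lsass.exe accessed by {ev.get('SourceImage')} "
                    f"(access {ev.get('GrantedAccess')})")
    # Rule 3: Sysmon ProcessCreate (event 1) of reg.exe saving a sensitive hive.
    if eid == 1 and ev.get("Image", "").lower().endswith(r"\reg.exe"):
        cmd = ev.get("CommandLine", "").lower()
        if " save " in cmd and any(h in cmd for h in SENSITIVE_HIVES):
            return f"[{host}] registry hive export: {ev.get('CommandLine')} by {ev.get('User')}"
    return None


def scan_log(text: str) -> list:
    """Run every rule over newline-delimited JSON events; skip malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort the scan
        alert = analyze_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: three benign records interleaved with the three
# activities the pentest report names. Hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "Computer": "WS01",
     "TargetUserName": "jdoe", "LogonType": 2},
    {"EventID": 4732, "Channel": "Security", "Computer": "WS01",
     "SubjectUserName": "jdoe", "TargetUserName": "Administrators",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 10, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS01",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS01",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS01",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "User": r"CORP\jdoe"},
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS01",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Temp\sam.hiv", "User": r"CORP\jdoe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json at all\n"

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The point of rule 2 is the allowlist rather than the event itself: lsass.exe is opened constantly by system components, so the signal lives in the source image, and any new legitimate opener found during tuning should be added to the list rather than the rule loosened.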

Cynthia Murrell, September 1, 2020
