Insider Security Risks
July 23, 2020
Let’s assume the Twitter security story is true. Insiders were engineered. Right. Insider security risks exist, and they are a potential sinkhole. Fancy Dan cyber security systems can do some things well; most fail when it comes to handling the crazy stuff employees do, either intentionally or unintentionally.
“43 Percent of Employees Make Mistakes That Have Cybersecurity Implications” reports:
A quarter of employees confess to clicking on links in a phishing email at work, with distraction cited as a top reason for falling for a phishing scam by 47 percent of employees. This is closely followed by the fact that the email ‘looked legitimate’ (43 percent), with 41 percent saying the phishing email looked like it came from a senior executive or a well-known brand.
Other findings:
include 58 percent of employees admitting to sending a work email to the wrong person, with 17 percent of those emails going to the wrong external party. This simple error can lead to serious consequences for both the individual and the company, who must report the incident to regulators as well as their customers. In fact, a fifth of respondents say their company had lost customers as a result of sending a misdirected email, while one in 10 employees (12 percent) lost their jobs.
How valid are these data? Tough to say, but the Twitter slip-up flashes a yellow caution light. And errant USB drives, snatched mobile phones, and stolen laptops? There are a number of human-centric risks, and the consequences in our fractious times can be unpleasant.
Stephen E Arnold, July 23, 2020
Twitter: Remediation or Yoga Babble?
July 20, 2020
I read “An Update on Our Security Incident.” The author is someone at Twitter. That’s reassuring to Mr. Obama, some bitcoin users, and maybe a friend from high school.
The “cause” was:
attackers targeted certain Twitter employees through a social engineering scheme.
Now remember this is an outfit which makes it possible to output information that can have an immediate and direct impact on individuals, organizations, and institutions. This is not a disgruntled student passing out mimeographed pages in the lunchroom about the upcoming school dance in the aforementioned high school auditorium.
The cause was an organizational structure similar to a prom fundraising event at the Governor Dummer Academy. Hence:
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.
And not to worry. Only 130 Twitter accounts were “accessed.” No problem, mom, Mr. Obama’s account was not improperly used by “the attackers.” Really, Mom. Honest.
Let’s stop.
What was the cause?
The cause was a large and influential company that failed to recruit, train, and monitor employees. That company did not have in place sufficient safeguards for its core administrative tools. That company does not have a full-time chief executive officer. That company does not have a mechanism to know what is going on when the core administrative tools are used in an anomalous manner by an outsider.
That’s why the company was attacked, and there are a few other reasons which seem highly probable to the DarkCyber research team:
- The alleged individual attacker or his shadow supporters wanted to demonstrate how one of the more influential social media companies could be successfully compromised
- The alleged individual attacker was testing systems and methods which could be used against or again to obtain access to an important channel of unmonitored real time data
- The alleged individual attacker was just one of those lone wolf hackers who sit up at night and decide which barn to set on fire.
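The monitoring gap named above (no way to notice core admin tools being driven in an anomalous way) is the kind of thing a short detection pass over the admin tool’s own audit log catches. The following is an added illustration, not Twitter’s code or anything from the incident write-up; the log format, operator names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines from a hypothetical internal account-admin tool.
# Assumed format: ISO timestamp, operator, action, target account, source IP.
SAMPLE_LOG = """\
2020-07-15T19:10:00Z alice view_account @user001 10.1.1.5
2020-07-15T19:40:00Z bob reset_email @user002 10.1.1.7
2020-07-15T20:31:00Z alice reset_email @user010 203.0.113.9
2020-07-15T20:31:20Z alice reset_email @user011 203.0.113.9
2020-07-15T20:31:45Z alice reset_email @user012 203.0.113.9
2020-07-15T20:32:10Z alice reset_email @user013 203.0.113.9
2020-07-15T20:33:00Z alice reset_email @user014 203.0.113.9
"""

# Constructed baseline: the source addresses each operator normally works from.
KNOWN_IPS = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.7"}}


def parse(log_text):
    """Turn raw lines into sorted (time, operator, action, target, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, operator, action, target, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       operator, action, target, ip))
    return sorted(events)


def detect_anomalies(log_text, known_ips, window_minutes=10, max_targets=3):
    """Alert on (a) admin actions from an address the operator has never used,
    i.e. a stolen credential driven from outside, and (b) one operator touching
    more distinct accounts in a short window than a normal support task needs."""
    known = {op: set(ips) for op, ips in known_ips.items()}  # do not mutate input
    alerts, flagged_burst = [], set()
    recent = defaultdict(list)  # operator -> [(time, target)] inside the window
    for ts, operator, action, target, ip in parse(log_text):
        if ip not in known.setdefault(operator, set()):
            alerts.append(("new_source_ip", operator, ip))
            known[operator].add(ip)  # alert once per unseen address
        window = recent[operator]
        window.append((ts, target))
        cutoff = ts - timedelta(minutes=window_minutes)
        window[:] = [(t, a) for t, a in window if t >= cutoff]
        distinct = {a for _, a in window}
        if len(distinct) > max_targets and operator not in flagged_burst:
            alerts.append(("account_burst", operator, len(distinct)))
            flagged_burst.add(operator)
    return alerts
```

Both rules fire on the constructed sample: alice’s session from 203.0.113.9 is an unseen address, and she resets four distinct accounts within two minutes.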
Once again we have a good example of high school science club management.
The explanation is not going to reassure some people, maybe the former president of the United States? The explanation dances around the core issue: Mismanagement and a failure of governance.
High tech “cuteness” has become a pink Hello Kitty line of polyester hipster T-shirts.
Hey, Twitter. A “dog ate my homework” explanation misses what the breach reveals about management expertise.
Stephen E Arnold, July 20, 2020
Arnold and Steele: Twitter Incident
July 17, 2020
Robert Steele, a former CIA professional, and I discuss the Twitter breach. Mr. Steele takes a broader view; I focus on specific operational actions by regulatory and enforcement entities. We disagreed on some points, but at the end of the 20-minute conversation, we agreed on a broad principle. Action is needed.
You can view the program, which has been viewed more than 7,000 times since July 16, 2020.
Stephen E Arnold, July 17, 2020
And Microsoft Wants Its Partners to Support Government Entities?
July 16, 2020
The article “Hack of 251 Law Enforcement Web Sites Exposes Personal Data of 700,000 Cops” troubles me for two reasons.
First, the loss of the data increases risk for the professionals listed in the data files. Not good.
Second, the write up asserts as “real” news:
All of the hacked websites were hosted and built by the Texas web development firm Netsential on Windows servers located in Houston. They were all running the same custom (and insecure) content management system, developed using Microsoft’s ASP.NET framework in the programming language VBScript, using Microsoft Access databases. Because they all run the same software, if a hacker could find a vulnerability in one of the websites that allowed them to download all the data from it, they could use that vulnerability to hack the rest of the websites without much additional effort.
DarkCyber believes that much of the 21st century cyber software jabber is marketing speak.
If the statement about Microsoft’s infrastructure and software is accurate, there are some questions to answer:
- How did the Microsoft partner program allow “experts” certified by Microsoft to create a system with some interesting security issues?
- Where did the Netsential Web site go? Why did its content disappear?
- What does this incident mean in the context of the Department of Defense JEDI contract?
DarkCyber is concerned when a giant corporation cannot update its own Windows 10 operating system and fails to ensure that its partners are qualified to perform sensitive work in a careful manner.
Is there some useful code on Microsoft GitHub? Snap. GitHub fell over again just as I was looking.
Another troubling US technology lapse, it seems, for a company wanting to provide cloud services to the US government and law enforcement.
Stephen E Arnold, July 16, 2020
What Is the Work Around When a Huawei Ban Gets Traction?
July 16, 2020
DarkCyber noticed a news item in IT Online. “Counterfeit Cisco Devices Open Backdoors into Organizations’ Systems” states:
The counterfeits were discovered by an IT company after a software update stopped them from working, which is a common reaction of forged/modified hardware to new software.
Years ago, I learned that a Chinese manufacturer of telecommunications devices was running two lines. One line handled the US product. The other line generated “special” versions of the US product. I was unable to verify this interesting comment.
Some manufacturers in what was quaintly called “the Far East” may have decided to produce the equivalent of knockoff watches.
If the IT Online report is accurate, these devices may be good enough to capture data from an organization of interest.
Supply chain security? Some US companies may say, “Yep, we will jump on that… right away.”
Stephen E Arnold, July 16, 2020
Do It Huawei, Please
July 9, 2020
Believe it or not.
Huawei is a mobile device brand not well known in the United States, but it provides an Android-based device to millions of consumers in the eastern hemisphere. Huawei devices are manufactured in China, and in May the company held its seventeenth annual analyst summit. Ameyaw Debrah shares the story in the article, “Huawei Analyst Summit: Security And Privacy In A Seamless AI Life-Only You Control Your Personal Data.”
The Vice President of Consumer Cloud Services, Eric Tan, delivered the keynote speech, “Rethink the Seamless AI Experience with the Global HMS Ecosystem,” which covered Huawei’s privacy and security practices across the cloud, hardware, application development, and global certifications. Tan stated that Huawei abides by GDPR, GAPP, and local laws to guarantee privacy compliance.
Another speaker, Dr. Wang Chenglu, spoke about “Software-Powered, Seamless AI Experiences and Ecosystems.” He described how distributed security builds trust between people, data, and devices to protect user privacy and data:
“He explained that firstly, ensure that users are using the correct devices to process data and Huawei has developed a comprehensive security and privacy management system that covers smart phone chips, kernels, EMUI, and applications. This allows devices to establish trusted connections and transfer data based on end-to-end encryption.
Secondly, ensure the right people are accessing data and operating services via the distributed security architecture which makes coordinated, multi-device authentication possible. An authentication capability resource pool is established by combining the hardware capabilities of different devices. The system provides the best security authentication measures based on authentication requests and security level requirements in different business scenarios.”
Huawei stressed that privacy and security are its MO, but can one believe that “only you control your private life” when a country-supported company is coding up a storm?
Whitney Grace, July 9, 2020
Work from Home and Be Insecure. Sure, It Is Standard Operating Procedure
June 22, 2020
Remote working is the new normal with COVID-19, and companies have prepped for that in the past decade…sort of. Companies were prepared for telecommuting in short-term bursts and for a limited number of employees, but not for a consistent length of time. Why? Working remotely requires more than a reliable Internet connection and a laptop. It needs a secure network, says Tech Radar in “Most Companies ‘Unprepared’ For Secure Remote Working.”
According to the 2020 Remote Work Report, 41% of companies do not have proper networks to secure their data. They cite lack of the right equipment as the biggest problem. Despite the lack of security, companies will continue to allow their workers to remotely work.
Also according to the report, 72% state that malware was their biggest worry. Compliance with security regulations, including the EU’s General Data Protection Regulation, is another issue, cited by 63%. Companies are also worried about securing Web applications, video conferencing, and file sharing.
It is not surprising that this happened, because tradition lingers on in the business world. Even the most technologically advanced companies have security issues, for example Google, says Channel News Asia in “Google Sees Resurgence In State-Backed Hacking, Phishing Related To COVID-19.”
Google sent out warnings:
“Security experts at Alphabet Inc’s Google sent 1,755 warnings in April to users whose accounts were targets of government-backed attackers, following a resurgence in hacking and phishing attempts related to the coronavirus outbreak.
Google said on Wednesday its Threat Analysis Group saw new activity from “hack-for-hire” firms, many based in India, that have been creating Gmail accounts spoofing the World Health Organization (WHO).”
Even the experts are vulnerable! Nobody is safe.
Whitney Grace, June 22, 2020
Free Surveillance: A Marketing Thing
June 14, 2020
There is one key reason many companies once hesitated to let workers telecommute, especially firms that handle sensitive information: security. However, the COVID-19 pandemic is forcing companies to find a way. Mondo Visione reports on one possible solution for financial firms in the brief write-up, “SteelEye Offers Free Communications Surveillance to Support Remote Working—90-Day Offer Aims to Assist Compliance Teams as Employees Work from Multiple Sites.” We learn:
“SteelEye, the compliance technology and data analytics firm, today announced that it is offering financial firms the opportunity to use its Communications Surveillance service for free for up to 90 days as the market adapts to a new style of working. As firms reopen their offices, reduced density rules are likely to prevail for some time, meaning a workforce that is spread between the office and home. Monitoring communications by staff working in multiple locations will require changes in compliance processes, which may prove challenging if access to on-premise technology is needed. To help compliance teams adapt to more flexible working conditions, SteelEye’s Communications Surveillance service is being offered for up to 90 days and 50 monitored users, at no charge and with no obligation for future use. It includes monitoring MS Exchange email and Bloomberg chat, and can be seamlessly integrated to capture communications from staff working remotely.”
SteelEye’s modular, cloud-based Communications Surveillance system can be deployed quickly, the company’s CEO promises, and clients can be onboarded within 24 hours. Risk detection, oversight, and compliance are the platform’s priorities. Founded in 2017, SteelEye is based in London.
Cynthia Murrell, June 14, 2020
Mobile Security Is Possible, But It Is Work
June 10, 2020
Ads are a pain on desktop devices, but they are even more annoying on mobile devices. The worst type of ads are the ones where the X is hidden, making it impossible to close the ad. Mobile ads are only getting worse as mobile devices become SOP, and IT-Online shares more insight in “Mobile Adware: The Silent Plague With No Origin.”
The article focuses on research from Check Point’s Cyber Security Report 2020, and the insights are alarming. According to the security report, 27% of companies experienced a security breach through a mobile device. What is even worse is that most companies do not prioritize mobile security, making mobile devices the most vulnerable area. Check Point’s regional director stated:
“ ‘It only takes one compromised mobile device for cybercriminals to steal confidential information and access an organisation’s corporate network,’ explains Pankaj Bhula, Regional Director: Africa at Check Point. ‘More and more mobile threats are created each day, with higher levels of sophistication and larger success rates. Mobile adware, a form of malware designed to display unwanted advertisements on a user’s screen, is utilised by cybercriminals to execute sixth-generation cyberattacks.’”
Adware is like a plague because it can secretly be downloaded onto a phone and collect a user’s personal information, from location to banking information. Adware is designed to sneak onto a phone, and deleting it is harder than finding the X on an annoying ad. Adware sneaks onto mobile devices through applications, usually through a device’s specific app store.
It is smart advice not to download third-party apps from unverified companies, especially ones promoted in ads or with low download counts. Do not trust anything without researching it first.
Whitney Grace, June 10, 2020
Sensors and Surveillance: A Marriage Made in Sci Fi
May 4, 2020
We can expect the volume of data available for analyses, tracking, and monitoring to skyrocket. EurekaAlert!, a site operated by the American Association for the Advancement of Science, reports, “Tiny Sensors Fit 30,000 to a Penny, Transmit Data from Living Tissue.” The project out of the Cornell Center for Materials Research was described in the team’s paper, published in PNAS on April 16. The optical wireless integrated circuits (OWICs) are a mere 100 microns in size. The news release explains:
“[The sensors] are equipped with an integrated circuit, solar cells and light-emitting diodes (LEDs) that enable them to harness light for power and communication. And because they are mass fabricated, with up to 1 million sitting on an 8-inch wafer, each device costs a fraction of that same penny. The sensors can be used to measure inputs like voltage and temperature in hard-to-reach environments, such as inside living tissue and microfluidic systems. For example, when rigged with a neural sensor, they would be able to noninvasively record nerve signals in the body and transmit findings by blinking a coded signal via the LED. … The OWICS are essentially paramecium-size smartphones that can be specialized with apps. But rather than rely on cumbersome radio frequency technology, as cell phones do, the researchers looked to light as a potential power source and communication medium.”
The researchers have already formed a company, OWiC Technologies, to market the sensors and have applied for a patent. The first planned application is a line of e-tags for product identification. The write-up predicts many different uses will follow for these micro sensors that can track more complicated data with less power for fewer dollars. Stay tuned.
Cynthia Murrell, May 4, 2020