Here Is a Cheery Observation: Everything Is Hackable

March 2, 2020

We noted Vineet Kumar’s observations about security. “From Needle to Airplane, Everything Is Hackable, Says India’s Leading Cybersecurity Guru” includes this statement:

Every industry is hackable today. From the needle to the airplane, everything is hackable today. Smart technology penetration into organizations and even into homes leaves everyone susceptible to hacking.

Is there a fix?

Yep, embrace Mr. Kumar’s Cyber Peace Foundation.

What does the outfit deliver?

Cyber Peace Foundation is a leading multi-stakeholders initiative and is crowdsourcing cybersecurity needs for civil society. The organization has over 12,000 members and 1,200 volunteers, from different parts of the world. It engages in spreading awareness and promoting technical research and in bringing together the government, industry experts, and academia.

There’s also a conference and a global cyber challenge:

Throwing light on the need for safer cyberspace: There are different ways and means through which your data can be stolen. By just clicking on one link, all your data can be gone and you may not even realize that your data is gone.

If everything is hackable, presumably his conference registration and its other Web forms are security risks. Odd that he did not emphasize the security of his operation, its bug bounty hunters, and its ethical hackers exempt from his glittering generality about “everything.”

Gurus are exempt perhaps?

Stephen E Arnold, March 2, 2020

Clever Teens and a Less Than Clever Instagram

March 1, 2020

Teenagers are young, inexperienced, and do anything for a laugh. Most of the time their antics result in trouble with horrible consequences, but this time the victim is Instagram. Instagram is one of the most popular social media platforms for teenagers and, being a generation who never knew a world without the Internet, they figured out how to hack, aka mess with, the algorithm. CNET has the story in “Teens Have Figured Out How To Mess With Instagram’s Tracking Algorithm.”

Teenagers may post their entire lives on social media, but some of them are concerned about social media platforms such as Instagram tracking their data. They especially do not like Instagram tracking them, so they formed a plan. Using groups of trusted friends with access to multiple accounts, teenagers are fooling Instagram. Here is how:

“First, make multiple accounts. You might have an Instagram account dedicated to you and friends, or another just for your hobby. Give access to one of these low-risk accounts to someone you trust.

Then request a password reset, and send the link to that trusted friend who’ll log on from a different device. Password resets don’t end Instagram sessions, so both you and the second person will be able to access the same account at the same time.

Finally, by having someone else post the photo, Instagram grabs metadata from a new, fresh device. Repeat this process with a network of, say, 20 users in 20 different locations with 20 different devices? Now you’re giving Instagram quite the confusing cocktail of data.”

The hilarious part is that while it is not against Instagram’s policies, the parent company Facebook advises against it because of security risks. It is laughable that Facebook is worried about privacy when that company and others collect user data to tailor Internet experiences with personalized ads. However, if one person on the Instagram account posted something malicious, the entire group is accountable.

In order to have access to one of these “hacking” accounts, users must follow strict rules. They must post only content that the original users approve and must not accept follow requests or follow others. Any violation results in dismissal from access.

Clever teens. Less clever Instagram and, by extension, the fun folks at Facebook.

Whitney Grace, March 1, 2020

Microsoft: More Excitement from the Outfit Which Ships Wonky Windows 10 Updates

February 24, 2020

China is worrisome, because the country keeps quiet and is quick to cover up anything that projects a negative light. Other facts about China include that it loves foreign money and advanced technology. The technology bit becomes worrisome, especially with a recent report from Tom’s Hardware: “Report: Microsoft Shared Cortana, Skype Recordings In China With Few Protections.” Like every large company, Microsoft wants Chinese dollars, so the company shared recordings from digital assistants with contractors to train the speech recognition. The Guardian reported that Microsoft shared these recordings with China minus security safeguards.

The source came from a former Microsoft contractor who listened to the recordings on his personal laptop. Microsoft apparently emailed URLs, emails, and passwords to contractors to access Cortana and Skype recordings. If they are only recordings used to train speech recognition, why is this alarming? All of China’s Internet traffic is filtered through a government blockade. So all of Microsoft’s Skype and Cortana recordings were inadvertently accessed by the Chinese government. But…

“But it gets worse. The Guardian reported that Microsoft generated the usernames and passwords used to access this system. The usernames were said to follow “a simple schema,” which suggests they would have been fairly easy to guess, and the password was “the same for every employee who joined in any given year.” Contractors were allowed to work from home, too, without direct supervision.”

Some people can figure out how to abuse brilliantly crafted systems, but wonky stuff. Hasta la vista, data. Microsoft released a press release that stated the recordings were fewer than ten words, no one had access to longer conversations, they always observe the highest privacy standards, and they have updated their privacy standards. In other words, Microsoft failed and Chinese contractors outsmarted their system.

Microsoft and other companies working with Chinese contractors and other foreign entities can do better to protect sensitive material. Now about those Windows 10 updates.

Whitney Grace, February 24, 2020

Encrypted Chat: Important but Possibly a Threat to Some Interests

February 18, 2020

Here is some interesting, if blatantly slanted, information. The founder of Telegram Messenger, Pavel Durov, describes the reasons his company’s rival is trouble in the post, “Why Using WhatsApp Is Dangerous.” He writes:

“A few months ago I wrote about a WhatsApp backdoor that allowed hackers to access all data on any phone running WhatsApp [1]. Facebook, its parent company, claimed at the time that they had no proof the flaw had ever been used by attackers [2]. Last week it became clear that this backdoor had been exploited to extract private communications and photos of Jeff Bezos – the richest person on the planet – who unfortunately relied on WhatsApp [3]. Since the attack seemed to originate from a foreign government, it is likely that countless other business and government leaders have been targeted [4]. In my November post, I predicted this would happen [5]. The United Nations now recommends its officials remove WhatsApp from their devices [6], while people close to Donald Trump have been advised to change their phones [7]. Given the gravity of the situation, one would expect Facebook/WhatsApp to apologize and pledge not to plant backdoors in their apps going forward. Instead, they announced that Apple, not WhatsApp, was to blame. Facebook’s vice president claimed that iOS, rather than WhatsApp, had been hacked [8].”

(Yes, those numbers represent footnote citations. See the post for those, and many more, relevant links.)

The post explains why, exactly, the Bezos breach could not have been the fault of iOS. It also explains why WhatsApp’s promise of “end-to-end encryption” is not all it’s cracked up to be. For one thing, users tend to back their chats up to the cloud; we’re reminded, as an example, that the FBI got Apple to relinquish plans to encrypt its iCloud. Then there are the backdoors—enforcement agencies pressure app developers to secretly build vulnerabilities into their platforms. These are usually described as “accidental” security flaws when discovered, as 12 have been found in WhatsApp in the last year alone. Finally, it is impossible to know whether the encryption implemented on a messaging app uses the code the company claims it does. Except for Telegram, of course, which has been open source with fully documented encryption since 2013, Durov emphasizes.

The Telegram founder cheerfully admits his bias, asserting that, of course, he believes Telegram Secret Chats is more secure than the competition. That is largely because, unlike other platforms, his company refuses to comply with enforcement agencies’ demands for backdoors. As a result, Telegram is banned in Russia and Iran, unlike the dodgy WhatsApp. To read more details of Durov’s/Telegram’s perspective, check out the post for yourself.

Cynthia Murrell, February 18, 2020

Tor Deanonymization

February 4, 2020

DarkCyber noted “Deanonymizing Tor Circuits.” The write up may be useful to some wrestling with bot attacks using the Tor “network.” The comments to the post on Hacker News contain some useful information as well. These comments are at this link.

Several of the observations characterize the tone and content of the comment set:

  • [On anonymity] “Tor is the only viable alternative and we know it can be at least seriously compromised by the bigger nations.”
  • [On guard control] “There’s a second attack. The attacker can run one or more hostile guard nodes. If he can knock me off enough guards, my tor daemon will eventually choose one of his guards. Then he can identify my actual network address and directly attack my server.”
  • [The problem] “Censorship is a political problem, technical solutions provide a temporary hot fix, but the political problem has to be solved at one point.”
  • [Example of a block] “Operators of Internet sites have the ability to prevent traffic from Tor exit nodes or to offer reduced functionality for Tor users. … The BBC blocks the IP addresses of all known Tor guards and exit nodes from its iPlayer service, although relays and bridges are not blocked.”

Some HackerNews items can be difficult to locate via the site’s search utility. As a result, collecting Tor related information can be challenging.

Stephen E Arnold, February 4, 2020

Amazon Security in the News: AWS Documentation

January 29, 2020

Curious about Amazon’s security features? Navigate to this link and review AWS Security Documentation by Category. In order to make sense of the information, one needs to speak Amazonia; for example, Glacier, Snowball, ECR, ECS, and SQS plus another bulldozer blade of product and service nomenclature. Because an Amazon phone breach allegedly took place, DarkCyber entered the query “mobile” into the AWS Security Documentation search function. Here’s the result:

There were 138 pages of results, numbering 1,379 results.

A somewhat cursory review of the information provided zero guidance related to the security issue encountered by Mr. Bezos. Perhaps if he had used an Amazon phone, the documentation would have provided some guidance? Perhaps.

Stephen E Arnold, January 29, 2020

Irony, Outrage, Speculation: Amazon Rings the PR Gong

January 23, 2020

Remember the Gong Show? The host was an alleged government asset. The content of the show was humans performing. The focus was on humans who sang, danced, and cavorted in weird, sometimes incredible ways. The result? The host rang a gong. The performer, hooked by a big old person cane, found himself or herself dragged from the camera’s eye.

The elements of the program:

  • Alleged government connections
  • A ranking system for wild and crazy performances
  • The big humiliation with the old person’s cane.

I thought of the Gong Show as I worked my way through dozens and dozens of write ups about the hacking of a mobile phone used by Jeff Bezos, the motive force of Amazon. You know Amazon: The online bookstore, the operator of the S3 leaking buckets, and policeware vendor.

The most interesting reports swirl around what Vice encapsulates in the article “Here Is the Technical Report Suggesting Saudi Arabia’s Prince Hacked Jeff Bezos’ Phone.” The report reveals

that forensic investigators found a suspicious file but no evidence of any malware on the phone.

Interesting, but not as fascinating as the assertions about who allegedly compromised Mr. Bezos’ mobile, when the alleged data sucking took place, and when the content was spirited away, how the compromise actually was implemented, and where those data went.

DarkCyber finds it interesting that fingers are pointed at countries, some government officials, Facebook’s always-interesting WhatsApp software, and at NSO Group, a company certain media outlets frequently reference. (NSO Group may be one of the specialized software vendors getting more publicity than Star Wars’ films.)

In our DarkCyber video news program, we devote almost two full minutes to the problems information technology managers face when implementing cyber security.

The Bezos Affair presents an opportunity to confront an unpleasant reality: Security is difficult.

The real time monitoring, the smart cyber defenses, the companies creating policeware, and the methods available to actors—each of these underscores how vulnerable individuals and organizations are.

The speculation, however, does little to make clear how protections can be achieved. In fact, the coverage of the Bezos Affair has reduced the coverage of what may be an even more egregious security lapse explained in “Microsoft Blames Itself for Customer Support Data Leak.” The “misconfiguration” error exposed 250 million customer records.

One gets the coverage, a world leader is implicated, an Israeli company is cast in a negative light. These are real time “real news” factoids. But the loss of 250 million customer records by Microsoft, the possible vendor for the US Department of Defense, is ignored.

Why are these problems commonplace? We provide the answer in our January 28, 2020, video. That answer is going to be a surprise. You can view the video program on the Beyond Search / DarkCyber blog by clicking the video promo image. No ads, no sponsors, no outside influencers, and no odd ball “You may also like.”

Stephen E Arnold, January 23, 2020

Mobile Security: Bad News, Consumer

January 1, 2020

An online information service called Hindu Business Line has become a source for amusing digital information. Consider the factoids included in “Most People Are Not Aware of Malware on Their Mobile.” A word of caution: the Web page may redirect some users to a malicious site, which makes the information just so much more special.

Here are some of the factoids:

  • 23 percent of organizations in India run a risk of malware attacks. (DarkCyber thinks that the risk is much higher because malware is a growth business and most users are clueless when it comes to preventing and neutralizing mobile centric malware. Example: The page for this content.)
  • It takes about a year for a person to realize that a mobile device has been affected. (DarkCyber thinks that most users dispose of their mobile phone before the malware has been discovered.)
  • Globally 25 million devices are infected. (DarkCyber wants to point out that there are about 4.5 billion mobile phones globally. Source: Statista. The 25 million number seems quite modest and probably wildly off the mark.)
  • Google had 16 apps on its store which were malware mechanisms. (DarkCyber wants to remind its gentle readers that these are apps Google said it knew about. The real number of malware apps is not known by users and Google is not a Chatty Cathy on this subject.)

Yep, great article. Outstanding in fact.

Stephen E Arnold, January 1, 2020

Happy New Year, Security Buffs

January 1, 2020

DarkCyber spotted a write up which revealed an unpleasant (not inconvenient) truth. Navigate to “Complexity Is the Biggest Enemy for Cybersecurity Practitioner.” The idea is that security problems exist due to complexity. Here’s a passage that intrigued us:

If you look at all the breaches, whether they’re on cloud or on premise, you will find that those organizations had the technology, but they didn’t have a synchronized policy. So there has been a gap in the policy deployment because they have been using different tools with different policy engines and configurations or many features haven’t been turned on because existence of many tools creates so much complexity, which is the biggest enemy for any cybersecurity practitioner.

Over time, humans make things more complicated. A simple solution is often neither desirable nor possible. Thus, gaps exist, opportunities for mischief abound, and organizations remain vulnerable in ways not understood or anticipated.

What’s the fix?

The expert opining in the article has an answer: “An API based approach.”

Complex?

Yeah, that’s the challenge the cybersecurity industry faces. Its simple solutions are too complex for many potential customers.

Net net: Become a cyber security consultant. The tyro will be wrong, but so will the experts.

Stephen E Arnold, January 1, 2019

A Reminder about Malware

December 25, 2019

Digital information systems are faster, more reliable, take up less space, and offer greater insights than paper systems. The one great thing about paper systems, however, is they are immune to malware infestations. Chiapas Paralelo delves into how cyber criminals are using malware to extort money from businesses in the article, “Cyber Criminals: Network Harassment And Extortion Of Large Companies Through Malware.”

A growing cyber crime is uploading malware into a company’s network; hackers then usurp control of the network and hold it for ransom. If the company refuses to pay the ransom, the hackers threaten to destroy or post the information, which is often sensitive and private. Malware is one of the biggest types of cyber crime in Mexico, but it is one among many that includes financial, child pornography, and sexually explicit photos (usually with women). Other crimes are smaller in nature, such as the removal of a few pesos from an account or credit card scams. Cyber crimes cost Mexico three billion dollars in 2016.

The number of cyber crimes continues to rise, but the best way to not be a victim is to take preventative measures:

“One of the main approaches to cyber criminology is prevention…the importance of basic care measures to avoid being the victim of an attack. He also mentioned that, beyond taking care of the privacy settings of what is shared, special attention should be paid to the content.”

People need cybercrime literacy. It is similar to teaching children not to speak with strangers or follow a person down a dark alley. Educate yourself and it will knock out a large portion of the attacks.

Whitney Grace, December 25, 2019
