• Home
• About
• Writers
• Landscape
• Wizards Index
• Fraud
• Wanna Be Like Larry?

BOB: A Blockchain Phone

Remember the comment by some FBI officials about going dark. The darkness is now spreading. “Meet BOB, World’s First Modular Blockchain-Powered Smartphone” reports that a crypto currency centric phone may become more widely available.

The write up states:

BOB runs on Function X OS, which is an open-source operating system. As it uses the blockchain ecosystem, every task on the phone, be it sending texts, making calls, browsing the web, and file sharing, all happen on a decentralized network, making it highly encrypted and thus secure. Each unit of the BOB is a node that supports the entire Function X blockchain system.

DarkCyber thinks that Mr. Comey was anticipating these types of devices as well as thinking about Facebook’s encrypted message systems.

For more details, consult the TechRadar article.

One important point: The BOB has a headphone jack. Even those concerned about privacy and secrecy like their tunes.

Stephen E Arnold, November 29, 2019

Secure Data? Maybe after a Data Loss?

Amid discussions of data breaches, one huge source of risk is often overlooked. Information Management warns us about “Unstructured Data: The Hidden Threat in Digital Business.” Writer Bernadette Nixon believes too many companies look at only their structured data when they plan security—sources like databases, spreadsheets, customer relationship management (CRM) systems, and enterprise resource planning (ERP) systems. However, the prevalence of unstructured data in business is growing, and procedures for securing it are not keeping up. Nixon writes:

“Unstructured data has become an integral part of how organizations conduct digital business. It’s often what enables an easier, faster customer experience. For example, would you rather fill out generic forms detailing your car’s damage or instantly share an image with an insurance agent? For convenience, we are all likely to opt to share unstructured data with an organization and businesses will continue to incorporate it into processes for exactly that reason. To that end, it’s no surprise that Gartner predicts that, by 2022, 80 percent of all global data will be unstructured. With the growth of unstructured data comes the unfortunate truth that it is much more difficult to control and secure than structured data. If an employee is taking information in the form of unstructured data and inputting it elsewhere, they might store the original document or picture on a local file share or leave it in an email as an attachment. Within one organization, the process for handling documents could vary across employees and teams and it’s entirely likely that management has no idea this is taking place.”

In order for organizations to plug this security gap, Nixon has some suggestions. Make it a priority for the IT department to secure unstructured data right away, before an issue comes up. Determine just what unstructured data is on hand and where it is stored, keeping in mind this might differ from one department to another. Finally, delineate clear, standardized procedures for handling and storing this data from the time it enters the system to the time it is destroyed. Ideally, as much of this workflow would be automated, saving time, removing responsibility from individual workers, and ensuring the process is followed correctly.

Cynthia Murrell, November 27, 2019

The Cost of Indifference and the Value of Data Governance

The DarkCyber team suggests a peek at “Unsecured Server Exposes 4 Billion Records, 1.2 Billion People.” The write up states:

The data itself comes from the data aggregator and enrichment companies People Data Labs (PDL) and OxyData.Io and contains basic personal information, such as names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.

The write up points out that the data losses included:

• Over 1.5 billion unique people, including close to 260 million in the U.S.
• Over 1 billion personal email addresses. Work email for 70%+ decision makers in the US, UK, and Canada.
• Over 420 million LinkedIn URLs.
• Over 1 billion Facebook URLs and IDs.
• 400 million plus phone numbers with more than 200 million U.S.-based valid cell phone numbers.

The hosting provider may have been Amazon AWS. The software system was Elasticsearch. The individuals were those who set up the system.

Without reploughing a somewhat rocky field, one might suggest that default settings for cloud services, software, and passwords need a rethink. One might want to think about the staff assigned to the job of setting up the system. One might want to think about the sources of the information the company named in the article tapped. In short, one could think about quite a few points of failure.

Another approach might be to raise the question of responsibility. I suppose this is a type of governance, a term which refers to figuring out what’s to be done and how to complete tasks without creating this all-too-common situation of whizzy systems’ functioning as convenience stores for those who want data.

A few observations:

First, the individuals involved in setting up this system were not, it seems, managed particularly well. That’s a problem when managers don’t know what to stipulate their contractors and employees must do to secure online services. These “individuals” work at different organizations. Thus, coordination and checks are difficult. But the alternative? Loss of data.

Second, the developers of the software understand the security implications of certain user actions. The fix is to purchase additional security. Security is not baked in. Security is an option. That approach may generate revenue, but the quest for revenue seems to have a downside. Loss of data.

Third, the operators of the cloud system continue to follow the “just a platform” approach to business. The idea is that the functionality of a cloud system makes it easy to deploy an application. In a hurry? No problem. Use the basics. Want something special? That takes time, and when done in a careless or partial way, loss of data.

It seems that “loss of data” may be preventable but loss of data is part of the standard operating procedure in the present managerial environment.

How does the problem become lessened? Governance. Will companies and individuals step up and go through the difficult task of figuring out what and how before losing data?

Unlikely. Painful lessons like the one revealed in the source article slip like rain water off the windshield of a car speeding down the information superhighway.

Dangerous? Sure. Will drivers slow down? Nope. The explanation after an accident was, “I don’t know. Car just skidded.” There’s insurance for automobile accidents. For cloud data wrecks, no consequences of a meaningful nature. Just blog posts. These are effective?

I will be talking about how the tendrils of the Dark Web and security lapses may create a greater interest in data governance. Exciting? Only if you were one of the billion or so whose personally identifiable information was put online in a less than secure way. I will be at the DG Vision Conference in Washington, DC, early in December 2019.

Stephen E Arnold, November 23, 2019

Remounting the Pegasus Named NSO

Those who care about security will want to check out the article, “Pegasus Spyware: All You Need to Know” from the Deccan Herald. Approximately 1,400 smartphones belonging to activists, lawyers, and journalists across four continents suffered cyber attacks that exploited a WhatsApp vulnerability, according to a statement from that company. They say the attacks used the Pegasus software made by (in)famous spyware maker NSO Group. Though the Israeli spyware firm insists only licensed government intelligence and law enforcement agencies use their products, WhatsApp remains unconvinced; the messaging platform is now suing NSO over this.

The article gives a little history on Pegasus and the investigation Citizen Lab and Lookout Security undertook in 2016. We learn the spyware takes two approaches to hacking into a device. The first relies on a familiar technique: phishing. The second, and much scarier, was not a practical threat until now. Writer David Binod Shrestha reports:

“The zero-click vector is far more insidious as it does not require the target user to click or open a link. Until the WhatsApp case, no example of this was seen in real-world usage. Zero-click vectors generally function via push messages that automatically load links within the SMS. Since a lot of recent phones can disable or block push messages, a workaround has evidently been developed. WhatsApp, in its official statement, revealed that a vulnerability in their voice call function was exploited, which allowed for ‘remote code execution via specially crafted series of packets sent to a target phone number.’ Basically, the phones were infected via an incoming call, which even when ignored, would install Pegasus on the device. The data packets containing the spyware code were carried via the internet connection and a small backdoor for its installation was immediately opened when the phone rang. The call would then be deleted from the log, removing any visible trace of infection. The only way you will know if your phone has been infected in the recent attacks is once WhatsApp notifies you via a message on the platform.”

Pegasus itself targets iPhones, but Android users are not immune; a version Google has called Chrysaor focuses on Android. Both versions immediately compromise nearly all the phone’s data (like personal data and passwords) and give hackers access to the mike and camera, live GPS location, keystroke logging, and phone calls. According to the Financial Times, the latest version of Pegasus can also access cloud-based accounts and bypass two-factor authentication. Perhaps most unnerving is the fact that all this activity is undetectable by the user. See the article for details on the spyware’s self-destruct mechanism.

Shrestha shares a list of suggestions for avoiding a Pegasus attack. They are oft-prescribed precautions, but they bear repeating:

“*Never open links or download or open files sent from an unknown source

*Switch off push SMS messages in your device settings

*If you own an iPhone, do not jailbreak it yourself to get around restrictions

*Always install software updates and patches on time

*Turn off Wi-Fi, Bluetooth and locations services when not in use

*Encrypt any sensitive data located on your phone

*Periodically back up your files to a physical storage

*Do not blindly approve app permission requests”

For those who do fall victim to Pegasus, Citizen Lab suggests these remedies—they should delink their cloud accounts, replace their device altogether, change all their passwords, and take security more seriously on the new device. Ouch! Best avoid the attacks altogether.

Cynthia Murrell, November 15, 2019

Quantum Cryptography: Rain on the Parade

I know (not too well, which may be a good thing) who is trying to cash in the quantum gold rush. The angle for this entrepreneur is that quantum computing will allow government entities to break encryption.

The hitch in the git along is that there are bad actors who are involved in quantum computing. There are good actors who are creating quantum-safe cryptography with quantum computers.

Confused? Don’t be. People who need to encrypt gravitate to the high horsepower computers. The people who want to break encryption do what’s necessary to get access to quantum computers. The method used by Saudi Arabia to obtain specific social media data worked like a champ.

That brings me to “Komodo to Lead Blockchain Revolution with Quantum-Safe Cryptography.” The write up says:

As a blockchain platform, Stadelmann said that Komodo is trying to solve the problem and has implemented quantum-safe cryptographic solutions for the past couple of years which will not be able to crack cryptographic signatures. Using an IBM-built technology, known as Dilithium, into its blockchain platform, he said the new digital signature algorithm will create a key which cannot be cracked by a quantum computer.

Sounds good. Just another cat and mouse game. The people working to cash in on this scare tactic may find that organizations face the status quo, not doomsday. Confused? Just the status quo perhaps?

Stephen E Arnold, November 11, 2019

The Golden Age of Surveillance

Back in 2016, then-FBI general counsel Jim Baker famously fought tooth and nail to force Apple to grant the Bureau access to an encrypted phone following a terrorist attack in San Bernardino. (The FBI eventually found another way to access the data, so the legal issue was sidestepped.) Now we learn Baker has evolved on the issue in the write-up, “Former FBI General Counsel who Fought Apple Has Now ‘Rethought’ Encryption” at 9To5Mac. Writer Ben Lovejoy pulls highlights from a lengthy piece Baker wrote for the Lawfare blog describing his current position on encryption. While he stands by his actions in the San Bernardino case, he now sees the need to balance law enforcement’s need for information and the rest of society’s need to protect valuable data from bad actors. Lovejoy writes:

“Baker says that strong encryption still poses a substantial problem for law enforcement, but he now recognizes that there is no way to square the circle of protecting both personal and government data on the one hand, and allowing law enforcement to access data on the other.

‘A solution that focuses solely on law enforcement’s concerns will have profound negative implications for the nation across many dimensions. I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.’

“He says that forcing US companies to create compromised systems would simply shift demand to foreign-made products that remain secure. Additionally, a lot can be done with metadata- that is, records of who contacted who, rather than what was said.

‘Further, the situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data- especially metadata- than ever before is available for collection and analysis by law enforcement.’”

“Golden age of surveillance” indeed—the man has a point. He stresses, in particular, the importance of avoiding potential spyware in Chinese-made equipment. He urges government officials to embrace encryption as necessary or, if they refuse to do that, find another way to guard against existential cyber threats. He observes they have yet to do so effectively.

Cynthia Murrell, November 1, 2019

Another Cyber Firm Reports about Impending Doom

Identity intelligence firm 4iQ summarizes the results of recent research in the write-up, “Identity Protection & Data Breach Survey.” They polled 2,300 participants regarding data breaches and identity protection issues. You can see a slide show of the results here that presents the results in graph-form.

Researchers found that fewer than half the respondents had been notified they were victims of a breach. Most of them were offered identity protections services as a result, but about half of those felt that fell short of adequately addressing the problem. We also learn:

“*Nearly 40% of respondents believe they have already suffered identity theft and more than half of respondents, 55%, believe that it’s likely their personally identifiable information (PII) is already in the hands of criminals. As a result, 62% of respondents are concerned that their PII could be used by someone to commit fraud.

*More than half, 52%, of respondents said they would expect their own online security error to negatively or very negatively affect their standing with their employer—an additional stress for working Americans—so it’s not surprising then, that 60% of respondents believe there’s a ‘blame-the-victim’ problem with cybercrime.

*A strong majority, 63%, are concerned that prior breaches could lead to future identity fraud, and 37% believe they have already been a victim of fraud as a result of a cybercrime incident.”

As for protecting personal identifiable information, 75% feel their employers are doing a fair to excellent job, but only 42% feel the government is do so effectively. They feel even less confident about their personal efforts, however, with only 15% calling themselves “very effective” (23% rated their employers as “very effective”).

On that last point, 4iQ states it demonstrates that “everyday consumers may feel unprepared to contend with the threats presented by cybercrime,” which is not surprising from a company that sells solutions to that problem. We know there are free and low-cost measures individuals can take to boost their own security, but some will be willing to pay for extra reassurance on top of those precautions. Based in Los Altos, California, 4iQ was founded in 2016.

Cynthia Murrell, October 29, 2019

Security Industry Blind Spot: Homogeneity

Push aside the mewlings about Facebook. Ignore Google’s efforts to quash employee meetings about unionization. Sidestep the phrase “intelligent cloud revenue.”

An possibly more significant item appeared in “Information Security Industry at Risk from Lack of Diversity.” The write up states:

The Chartered Institute of Information Security (CIISec) finds that 89 percent of respondents to its survey are male, and 89 percent over 35, suggesting the profession is still very much in the hands of older men.

Furthermore, the security industry is wallowing in venture funding. That easy money has translated into a welter of security solutions. At cyber security conferences, one can license smart monitoring, intelligent and proactive systems, and automated responses.

The problem is that this security country club may be fooling itself and its customers.

The write up quotes from the CIISec report, presenting this segment:

“If the industry starts to attract a more diverse range of people whilst spreading awareness of the opportunity available, we could be well on the way to truly modernizing the industry,” adds Finch. “Key to all this will be both organizations and individuals having a framework that can show exactly what skills are necessary to fulfill what roles. This will not only help hire the right people. It will also mean that it the routes to progress through an individual’s career are clearly marked, ensuring that individuals who enthusiastically join the industry don’t over time become jaded or burn out due to a lack of opportunity.”

Partially correct opines DarkCyber. The security offered is a me-too approach. Companies find themselves struggling to implement and make use of today’s solutions. The result? Less security and vendors who talk security but deliver confusion.

Meanwhile those bad actors continue to diversify, gain state support, and exploit what are at the end of a long day, vulnerable organizational systems.

Stephen E Arnold, October 24, 2019

NordVPN: An Insecure Security Service?

In 2016, one of the DarkCyber research team signed up for NordVPN. We wanted to test several of the companies offering enhanced security products. After filling out the form in April 2016, the service did not activate. We heard from a person calling herself “Christina.” She was a floundering professional. We explained the misfire. The we heard from Zack in 2017 who wanted us to renew the service which was not available to the DarkCyber professionals. We concluded that NordVPN was more trouble than it was worth, and the company could take money via a credit card, fail to deliver the service, yet spam DarkCyber for a renewal. Now that’s more than foundering. That’s either clumsy, misguided, or what the Wall Street crowd calls Black Edge behavior.

We thought about Christine and Zack when we read “NordVPN Confirms It Was Hacked.” If the write up is accurate, the security company NordVPN is not completely secure. The write up reports:

NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked. The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

We are fascinated with VPN services. Some are free and some like NordVPN seem to collect money and leave their systems vulnerable.

What’s our recommendation? DarkCyber thinks ignoring NordVPN might be a pre-installation step to consider.

Oh, Christine, when you take money, you should deliver the product. And, Zack, no, DarkCyber will not renew.

Why?

Read the articles about NordVPN finding itself which may be the digital equivalent of a security soup from a questionable cafeteria.

Stephen E Arnold, October 22, 2019

Supremely Secure?

Suprema is a South Korean security company that specializes in cyber security. One of Suprema’s products are a line of fingerprint readers. The BBC reports that the company was hacked, “Biostar 2: Suprema Plays Down Fingerprint Leak Report.” A cyber security research group hacked Suprema’s Biostar 2, accessed customer information, then alerted Suprema to the leak.

The cyber security research group’s action was benign, but it did point to a flaw in the system and Suprema was not happy. Suprema assured their clients that none of the information was breached and that the amount of customers affected was very small. A South Korean police force was worried they were among the potential victims, but apparently no biometrics systems were exposed.

“The dispute over how big the leak was can be explained by the fact the researchers say they did not, for ethical reasons, attempt to download all the fingerprint files.Rather, they had taken “hundreds” of samples of data, said Mr Rotem. And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset. They then used Suprema’s software to convert about half a dozen examples into visible fingerprint patterns. From this, they estimated the dataset contained “at least over a million” fingerprint patterns in total. “We have evidence that biometric data was leaked,” Mr Rotem told BBC News.”

The actual data sets were not downloaded due to ethnical reasons. The research team actually did Suprema a favor by pointing out the crack before bad actors access the system, but Suprema would have preferred that one of their system regulators had discovered the issue. It should not matter who found the leak, because customers were at stake. Suprema sells security, but does not practice it.

Whitney Grace, October 19, 2019

« Previous Page — Next Page »

• 

• Search the site

•  

  Subscribe to Beyond Search

  • 
  • 
   
  • 
   
  
  Feature archive
  News archive
   
  
  
  Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.

• Categories

  • 3D-Printing
  • Acquisition
  • Advertising
  • Aggregation
  • AI
  • Alexa
  • algorithms
  • Amazon
  • Amazonia
  • Analytics
  • Appliance
  • Applications
  • Audio
  • Augmented Reality
  • Big data
  • Bing
  • Bitcoin
  • Bitext
  • Book review
  • Business intelligence
  • Business process
  • Business strategy
  • Censorship
  • Cloud computing
  • Company Profile
  • Conferences
  • Connectors
  • Consulting
  • Consumer
  • Content processing
  • Copyright
  • Corporate Concerns
  • Cost
  • Crawl
  • Crowdfunding
  • cryptocurrency
  • Customer support
  • Cyber OSINT
  • cybercrime
  • cybersecurity
  • Dark Web
  • DarkCyber
  • Data
  • Data mining
  • Database
  • Deepfakes
  • Digital Assistant
  • Digital Library
  • E2EE
  • ECommerce
  • EDiscovery
  • Editorial opinion
  • Education
  • Emoticons
  • Enterprise
  • Enterprise search
  • Entity extraction
  • Ethics
  • Facebook
  • Faceted search
  • Factualities
  • Feature
  • Federated search
  • Financial
  • Google
  • Governance
  • Government
  • Hackers
  • healthcare
  • IBM Watson
  • Image search
  • Indexing
  • Infrastructure
  • Innovation
  • Integration
  • intelware
  • Interface
  • Internet
  • Interview
  • Investment
  • law enforcement
  • Legal matters
  • Library automation
  • Management
  • Marketing
  • Mathematics
  • Metadata
  • Microsoft
  • Mobile
  • Natural language processing
  • News
  • NGIA
  • Online (general)
  • Open Access
  • Open source
  • OSINT
  • Osint Radar
  • Overflight
  • Palantir
  • Patents
  • Personnel
  • Podcast
  • Policeware
  • Portals
  • Predictive coding
  • Privacy
  • Profile
  • Publishing
  • Quotation
  • Real time search
  • Reference tool
  • Rich media
  • Robot Writer
  • Search
  • Search enabled applications
  • search engine
  • Search quality
  • Security
  • Semantic
  • Sentiment analysis
  • SEO
  • SharePoint
  • Short Honks
  • Smart Technology
  • Social
  • Social Media
  • software
  • Statistics
  • Taxonomy
  • Technology
  • Text analytics
  • Text processing
  • Tools
  • Tor
  • Training
  • Translation
  • Twitter
  • Uncategorized
  • Unstructured Data
  • User experience
  • User Interface
  • Vertical search
  • Video
  • visualization
  • Voice search
  • Voice technology
  • Web 3
  • Web Services
  • Webinar
  • Windows
  • Work flow
  • XML
  • Yahoo

• Archives

  Archives Select Month July 2024 June 2024 May 2024 April 2024 March 2024 February 2024 January 2024 December 2023 November 2023 October 2023 September 2023 August 2023 July 2023 June 2023 May 2023 April 2023 March 2023 February 2023 January 2023 December 2022 November 2022 October 2022 September 2022 August 2022 July 2022 June 2022 May 2022 April 2022 March 2022 February 2022 January 2022 December 2021 November 2021 October 2021 September 2021 August 2021 July 2021 June 2021 May 2021 April 2021 March 2021 February 2021 January 2021 December 2020 November 2020 October 2020 September 2020 August 2020 July 2020 June 2020 May 2020 April 2020 March 2020 February 2020 January 2020 December 2019 November 2019 October 2019 September 2019 August 2019 July 2019 June 2019 May 2019 April 2019 March 2019 February 2019 January 2019 December 2018 November 2018 October 2018 September 2018 August 2018 July 2018 June 2018 May 2018 April 2018 March 2018 February 2018 January 2018 December 2017 November 2017 October 2017 September 2017 August 2017 July 2017 June 2017 May 2017 April 2017 March 2017 February 2017 January 2017 December 2016 November 2016 October 2016 September 2016 August 2016 July 2016 June 2016 May 2016 April 2016 March 2016 February 2016 January 2016 December 2015 November 2015 October 2015 September 2015 August 2015 July 2015 June 2015 May 2015 April 2015 March 2015 February 2015 January 2015 December 2014 November 2014 October 2014 September 2014 August 2014 July 2014 June 2014 May 2014 April 2014 March 2014 February 2014 January 2014 December 2013 November 2013 October 2013 September 2013 August 2013 July 2013 June 2013 May 2013 April 2013 March 2013 February 2013 January 2013 December 2012 November 2012 October 2012 September 2012 August 2012 July 2012 June 2012 May 2012 April 2012 March 2012 February 2012 January 2012 December 2011 November 2011 October 2011 September 2011 August 2011 July 2011 June 2011 May 2011 April 2011 March 2011 February 2011 January 2011 December 2010 November 2010 October 2010 September 2010 August 2010 July 2010 June 2010 May 2010 April 2010 March 2010 February 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 November 5

• Recent Posts

  • Silicon Valley Streetbeefs
  • If Math Is Running Out of Problems, Will AI Help Out the Humans?
  • How Can Creatives Survive AI Disruptions?
  • Google and Third-Party Cookies: The Writing Is on the Financial Projection Worksheet
  • The Simple Fix: Door Dash Some Diversity in AI

• Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org