TikTok: What Does the Software Do?

March 22, 2023

A day or two ago, information reached me in rural Kentucky about Google’s Project Zero cyber team. I think the main idea is that Google’s own mobiles, Samsung’s, and those of a handful of other vendors were vulnerable. Interesting. The people who make the phones do not know exactly what flaws or data drains their own devices have. What sticks in my mind is that these are not new mobiles like the Nothing Phone.

Why do I mention this? Software can exploit these flaws. Who knew? Obviously not Google when the phones were designed, coded, manufactured, or shipped. Some Googlers use these devices, which is even more remarkable. How can a third party know exactly what functions or latent functions exist within hardware or software, for that matter?

I assume that the many cyber experts will tell me, “We know.”

Okay, you know. I am not sure I believe you. Sorry.

Now I come to the TikTok is good, TikTok is evil write up “It’s Wild That Western Governments Have Decided That TikTok Might Spy for China. The App Hasn’t Helped Itself.” The article reports:

In December, TikTok admitted that some ByteDance staff in the US and China gained access to personal data of journalists in a bid to monitor their location and expose company leaks. A spokesperson said four employees who accessed the data had been fired, CNN reported at the time. TikTok has maintained the app doesn’t spy on individuals, and has pointed to the steps it’s taking to hive off user information. Theo Bertram, TikTok’s vice president for public policy in Europe, tweeted on Thursday that the app does not “collect any more data than other apps.”

What’s my point? The Google Project Zero team did not know what was possible with its own code on its own devices. Who knows exactly what the TikTok app does and does not do? Who knows what latent capabilities reside within the app?

The Wall Street Journal published “DOJ Looking into TikTok’s Tracking of Journalists” on March 19, 2023, page A-4. The story contained a statement attributed to a TikTok executive. The snippet I clipped whilst waiting for a third-world airline is:

TikTok’s chief executive Shou Zi Chew has said that divesting the company from its Chinese owners doesn’t offer any more protection than a multibillion-dollar plan the company has already proposed.

Now I am supposed to trust software from an allegedly China-affiliated app? What?

In the absence of sufficient information, what is a prudent path? One can compartmentalize, as I do. One can stop using the software, as I have for certain applications. One can filter the malicious app so that it is not available. One can install cyber defenses that monitor what’s going in and out and capture data about those flows.

The bottom line today, March 18, 2023, is that we don’t know what we don’t know. Therefore, hasta la vista TikTok.

Stephen E Arnold, March 22, 2023

Wanna Be an Old Fashioned B&E Person?

March 8, 2023

I spotted another of the info dumps which make me nervous. “Red Team, Physical Security, Covert Entry, and EDC” is another list of helpful products and tools. (EDC means everyday carry.) My personal preference is that this type of information not zip around so that curious high school science club members can get some helpful ideas. What makes this list interesting is the disclaimer. Legal eagles will definitely be reluctant to take flight after reading:

Disclaimer: I am not responsible for anyone using any information in this post for any illegal activities. Getting caught with possession of burglary tools will likely land you behind bars and possibly end with a multiple felony conviction. The information in this post is for legal and authorized engagements, and to use for educational purposes only.

These types of messages are appearing with greater frequency. A good example is the message from Vaga Bond about train hopping in some interesting countries like Russia and Morocco.

If you want to see these tools, navigate to one of CosmodiumCS’s helpful YouTube videos; for example, https://www.youtube.com/watch?v=ETMHHvRrH5A.

Stephen E Arnold, March 9, 2023

Unpatchable Windows Flaw? Will Surprises Reside in Smart Software from Microsoft?

March 7, 2023

No big deal? A flaw described as “Unpatchable”? Not to worry. Okay, I will pretend not to worry, but I am worrying. Many commercial and government systems may be at risk. “Stealthy UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw” reports:

Researchers on Wednesday [presumably March 1, 2023] announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Microsoft’s good enough engineering has produced technology which is “unpatchable.” Shouldn’t that effort be directed toward creating software which is patchable? I know. I know. People are in a hurry. There are those TikToks to watch. Plus, who wants to fool around with secure boot issues when the future is smart software?

As the Microsofties chase after the elusive “it understands human utterance” bunny rabbit, what gotchas will be tucked inside ChatGPT-inspired applications? I am not very good at predicting the future. I am not dumb enough to say, “Hey, that Microsoft smart software will be okay.” Microsoft is good at marketing. May I suggest that Microsoft is not so good at producing software that meets users’ expectations for security?

Stephen E Arnold, March 7, 2023

Identity Theft Made Easy: Why?

December 30, 2022

Some automobiles are lemons, aka money holes, because they have defects that keep breaking. Many services are like that as well, including rental car insurance, extended warranties on electronics, and identity theft protection. Life Hacker explains why identity theft protection services are a scam in the story “Identity Theft Protection Is Mostly Bullshit.”

Most Americans receive emails or physical letters from their place of work, medical offices, insurance agencies, etc. saying that their personal information was involved in a data breach. As a token of atonement, victims are given free Identity Theft Protection (ITP), aka a useless service. These services promise to monitor the Internet and Dark Web for your personal information. This includes anything from your credit cards to your social security number. Identity theft victims deal with ruined credit scores and possibly stolen funds. Identity Theft Protection services seem to be a good idea, until you realize that you can do the monitoring yourself for free.

ITP services monitor credit reports, social media accounts, the Dark Web, and personal financial accounts. Some of these services such as credit reports and your financial accounts will alert you when there is suspicious activity. You can do the following for free:

“You can access your credit reports for free once a year. And you should! It’s a fast and pretty straightforward operation, and at a glance you can see if someone has opened a credit card or taken out a loan in your name. In fact, the number one best way to stop folks from stealing your identity is to freeze your credit, which prevents anyone—even if they have your personal information—from getting a new credit card or loan. While this doesn’t protect you from every single kind of fraud out there, it removes the most common vectors that identity thieves use.”

The US government also maintains a Web site to assist identity theft victims. It is wise to remember that ITP services are different from identity theft insurance. The latter is the same as regular insurance, except it is meant to help when your information is stolen.

Practice good identity hygiene by monitoring your accounts and not posting too much personal information online.

Why is identity theft like a chicken wing left on a picnic table? Careless human or indifferent maintenance worker?

Whitney Grace, December 30, 2022

Who Can See Your Kiddies?

December 20, 2022

In an alarmingly hilarious situation, iCloud users are seeing photos of strangers on their devices. What sounds like a hacker’s gaffe actually proves to be a security risk. XDA Developers investigates what is going on with iCloud in “iCloud For Windows Users Are Reportedly Seeing Random Family Photos From Strangers.”

People buy Apple products for their better security and privacy settings compared with PC devices. While Apple has an iCloud app for PC users, the app is not working as well as its fellow Apple products:

“Based on the reports, the corrupted files seemingly revolve around videos shot on iPhone 13 Pro and iPhone 14 Pro models. The footage in some cases is showing a black screen with scan lines. Though, what’s more worrisome is the random content that is showing up for some users. While it’s not confirmed yet, these photos of families, children, and other private moments could potentially belong to other people’s iCloud libraries. If this is the case, then Apple could get in some serious trouble. Unfortunately, deleting the iCloud for Windows app seemingly doesn’t solve this, as the issues are being reflected on the server.”

No one is certain what is causing the bug, but Apple needs to get on the problem. Apple will probably blame the issue on PCs being inept devices and say that the compatibility between Macs and PCs could be the reason. Apple is not infallible, and here is a lesson in humility.

Whitney Grace, December 20, 2022

Google to Microsoft: We Are Trying to Be Helpful

December 16, 2022

Ah, those fun loving alleged monopolies are in the news again. Microsoft — famous in some circles for its interesting approach to security issues — allegedly has an Internet Explorer security problem. Wait! I thought the whole wide world was using Microsoft Edge, the new and improved solution to Web access.

According to “CVE-2022-41128: Type Confusion in Internet Explorer’s JScript9 Engine,” Internet Explorer, after decades of continuous improvement and despite its replacement, has a security vulnerability. Are you still using Internet Explorer? The answer may be, “Sure you are.”

With Internet Explorer following Bob down the trail of Microsoft’s most impressive software, the Redmond crowd’s Microsoft Office application uses bits and pieces of Internet Explorer. Thrilling, right?

Google explains the Microsoft issue this way:

The JIT compiler generates code that will perform a type check on the variable q at the entry of the boom function. The JIT compiler wrongly assumes the type will not change throughout the rest of the function. This assumption is broken when q is changed from d (an Int32Array) to e (an Object). When executing q[0] = 0x42424242, the compiled code still thinks it is dealing with the previous Int32Array and uses the corresponding offsets. In reality, it is writing to wherever e.e points to in the case of a 32-bit process or e.d in the case of a 64-bit process. Based on the patch, the bug seems to lie within a flawed check in GlobOpt::OptArraySrc, one of the optimization phases. GlobOpt::OptArraySrc calls ShouldExpectConventionalArrayIndexValue and based on its return value will (in some cases wrongly) skip some code.

Got that?

The main idea is that Google is calling attention to the future great online game company’s approach to software engineering. In a word or two, “Poor to poorer.”

My view of the helpful announcement is that Microsoft Certified Professionals will have to explain this problem. Google’s sales team will happily point out this and other flaws in the Microsoft approach to enterprise software.

If you can’t trust a Web browser or remove flawed code from a widely used app, what’s the fix?

Ready for the answer? Helpful cyber security revelations that make the online ad giant look like a friendly, fluffy Googzilla. Being helpful is the optimal way to conduct business.

Stephen E Arnold, December 16, 2022

Apple, the Privacy and Security Outfit, Has a New Spin for Pix

December 16, 2022


Whitney Grace, December 16, 2022

Small Snowden Item: Not Rooting for US Soccer Team?

December 6, 2022

I think the answer to the question, “Is Edward Snowden rooting for the US soccer team?” is no. I read “Edward Snowden Swears Allegiance to Russia and Receives Passport, Lawyer Says”. [Note: In the spirit of capitalism, you will have to pay to view the original story.] The Bezos affiliated real news outfit said:

It’s unclear whether Snowden swore the oath of allegiance at the same time as he was granted a passport, but the two are common procedures when foreigners become Russian citizens. The text includes swearing “to protect the freedom and independence of the Russian Federation, to be loyal to Russia, to respect its culture, history and traditions,” and to promise to “perform the duties of a citizen of the Russian Federation for the good of the state and society.” Kucherena [The estimable Mr. Snowden’s legal eagle] added that Snowden’s wife, Lindsay Mills, was also undergoing the Russian citizenship application process and that the couple’s children would likely attend Russian schools, when ready.

Interesting. I assume information will surface about the forthcoming Russian film “Dinner with Vlad” starring the bold, brave bag man Mr. Snowden and the somewhat weighty Mr. Seagal. The plot is, as I understand it, that Vlad asks his guests about Russia’s most appealing aspect. Mr. Snowden says, “It’s the great Internet connections,” and Mr. Seagal says, “It’s the food.” The three stars drink Russian vodka and engage in an arm wrestling competition. Vlad wins and the three drooks head to a cover band featuring Pussy Riot tunes. Mr. Snowden and Mr. Seagal give inspired lectures during the band’s break. Males in the audience are enlisted. Females? Well, fade to black.

Stephen E Arnold, December 6, 2022

Microsoft and Security: Customers! Do Better

November 7, 2022

I have a hunch that cyber security is like Google in the early 2000s. Magic, distractions, and blather helped disguise the firm’s systems and methods for generating revenue. Now (November 4, 2022) the cyber security sector may be taking a page or two from the early Google game plan. Who can blame the cyber security vendors, all 3000 to 7000 of them in the US alone? The variance is a result of the methodology of the business analysts answering the question, “How many companies are chasing commercial, non profit, and government prospects?” Either number makes it clear that cyber security is a very big business.

Now stick with me: What operating system and office software is used by about two thirds of the organizations in the United States? The answer, if I can believe the data from my research team, is close enough for horse shoes. Personally, I would peg the penetration of Microsoft software at closer to 90 percent, but let’s go with the 67 percent, plus or minus five percent. That means that cyber security vendors have to provide security for companies already obtaining allegedly secure software and services from Microsoft.

With cyber crime, breaches, zero days, etc., etc., going up with dizzying speed, what’s the message I carry away? The answer is, “Cyber security is not working.”

I read “Microsoft Warns Businesses to Up Their Security Game against These Top Threats.” The article then identifies security as a problem. The solution, if I understand the article, is:

Microsoft suggests throughout the MDDR that organizations implement a number of its products into its tech stack to protect against and deal with threats, such as its Security Service Line for support throughout a ransomware attack, and Microsoft Defender for Endpoint for cloud-based protection.

If you are not familiar with MDDR the acronym stands for the Microsoft Digital Defense Report. Presumably Microsoft’s crack security experts and the best available cyber consultants crafted the methods summarized in the article.

The irony is that Microsoft’s own products and services create a large attack surface. Microsoft’s own security tools seem to have chinks, cracks, and gaps which assorted bad actors can exploit.

Net net: Perhaps Microsoft should do security better. Aren’t customers buying solutions which work and do so in a way that protects business information and processes? Perhaps less writing about security and more doing security could be helpful?

Stephen E Arnold, November 7, 2022

Computer Security Procedures: Carelessness, Indifference, Poor Management or a Trifecta?

September 27, 2022

“$35M Fine for Morgan Stanley after Unencrypted, Unwiped Hard Drives Are Auctioned” raises an interesting question about security in an important company. The write up asserts:

The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.

Morgan Stanley. Outstanding. If the story is accurate, the auctioning of the drives fits with the parsimonious nature of banks in my experience. Banks like to accept money; banks do not like to output money. Therefore, selling old stuff is a matter of removing the detritus, notifying the person charged with moving surplus to a vendor, and cashing the check for the end of life, zero life clutter. Standard operating procedure? Probably. Does senior management know about hardware security for old gear? My hunch is that most senior managers know about [a] cross selling, [b] sparking deals, [c] getting on a talking head financial news show, and [d] getting the biggest bonus possible. Security is well down my hypothetical list.

Net net: Security is easy to talk about. Security requires management know how and attention to business processes, not just deals and bonus payments.

Stephen E Arnold, September 27, 2022
