Insider Threats: Still a Useful Mechanism for Bad Actors

January 27, 2022

I read “Ransomware Gangs Increase Efforts to Enlist Insiders for Attacks.” I am not down with the notion of “increase efforts.” Identifying individuals who will provide user names, passwords, or facile fingers to slip a malware loaded USB key into a computer connected to an organization’s network has been a go-to method for a long, long time.

The write up states:

The survey was conducted by Hitachi ID, which performed a similar study in November 2021. Compared to the previous survey, there has been a 17% rise in the number of employees offered money to aid in ransomware attacks against their employer. Most specifically, 65% of the survey respondents say that they or their employees were approached between December 7, 2021, and January 4, 2022, to help hackers establish initial access.

The factoid in the magic-with-statistics write up is that a lot of individuals report brushes with the insider ploy. What’s important to remember, an insider can come from several different pools of people:

  1. There are disaffected employees who can be identified and then interviewed for a bogus news service or for a consulting job. A skilled contact working with an annoyed employee  can often extract what might be termed a mother lode of useful information, including details about security, access, and other disaffected employees who want to put it to the “man” or “woman” who ruined a perfectly good morning of reading online news.
  2. Clueless former employees who respond to a LinkedIn-type job posting or an engaging individual in what sure looks like a chance encounter. Some individuals need or love money, and the engaging individual can buy or solicit security information from the CFE (clueless former employee).
  3. Happy current employees who find themselves confronted with a person who has information about a past indiscretion memorialized on Instagram, Meta, or TikTok. Maybe the current happy employee has forgotten text and images sent to an individual with some interesting preferences or behaviors. Blackmail? Well, more like leveraging TikTok-type data to identify and screen potential targets.
  4. Contractors — those faceless, often nameless — individuals who have to eat in their cube, not the two-star real employee cafeteria. Contractors can be hired and one can interact with these professionals. It is possible that these individuals can provide the keys to the kingdom so to speak without knowing the treasures unlocked with what seems to be casual conversation.
  5. Children of employees can be asked to give mom or dad a USB. The unwitting employee slams the key into the slot unaware that it has been weaponized. Who asks kids? A skilled operative can present herself as a colleague at the front door, explain this was your mom or dad’s memory stick, and ask the young person to hand it over to the parent. (If this method works, bingo. If it fails, another approach can be made. Wearing Covid masks and dressing in normcore gray with a worn ball cap can help too.)

Why am I identifying pools of insiders? Most of the cyber security firms do not have systems which cover these points of insider vulnerability. Do some of the firms purport to have these bases covered?

Of course.

That’s the point. The customer won’t know until it is too late. Predictive analytics and cyber threat intelligence struggle in certain situations. Insiders is one such example.

Stephen E Arnold, January 27, 2022

Windows 11: Loved and Wanted? Sure As Long As No One Thinks about MSFT Security Challenges

January 10, 2022

I hold the opinion that the release of Windows 11 was a red herring. How does one get the tech pundits, podcasters, and bloggers to write about something other than SolarWinds, Exchange, etc.? The answer from my point of view was to release the mostly odd Windows 10 refresh.

Few in my circle agreed with me. One of my team installed Windows 11 on one of our machines and exclaimed, “I’m feeling it.” Okay, I’m not. No Android app support, round corners, and like it, dude, you must use Google Chrome, err, I mean Credge.

I read “Only 0.21%, Almost No One Wants to Upgrade Windows 11.” Sure, the headline is confusing, but let’s look at the data. I believe everything backed by statistical procedures practiced by an art history major whose previous work experience includes taking orders at Five Guys.

The write up states:

According to the latest research by IT asset management company Lansweeper, although Windows 10 users can update Windows 11 for free, it is currently only 0.21%. Of PC users are running Windows 11.

I am not sure what this follow on construction means:

At present, Windows 11 is very good. Probably the operating system with the least proportion.

I think the idea is that people are not turning cartwheels over Windows 11. Wasn’t Windows 10 supposed to be the last version of Windows?

I am going to stick with my hypothesis that Windows 11 was pushed out the door, surprising Windows experts with allegedly “insider knowledge” about what Microsoft was going to do. The objective was to deflect attention from Microsoft’s significant security challenges.

Those challenges have been made a little more significant with Bleeping Computer’s report “Microsoft Code Sign Check Bypassed to Drop Zloader.”

Is it time for Windows 12, removing Paint, and charging extra for Notepad?


Stephen E Arnold, January 10, 2022

Add Metal Detectors To Hacked Items List

January 3, 2022

It is a horrifying (and not surprising) fact that with the correct technology skills, bad actors can hack into anything. The obvious targets are security cameras, financial institution systems, mobile devices, and now metal detectors. Gizmodo reports that, “Walk-Through Metal Detectors Can Be Hacked, New Research Finds.”

Metal detectors are key security tools used by airports, convention centers, banks, schools, prisons, government buildings, and more. White hat researchers discovered that Garrett manufactured metal detectors contain nine software vulnerabilities. Hackers can exploit these security flaws to offline, alter data, or upset the metal detectors’ functionality.

Garrett received bad news about the vulnerability:

“Unfortunately, according to researchers with Cisco Talos, Garrett’s widely used iC module is in trouble. The product, which provides network connectivity to two of the company’s popular walk-through detectors (the Garrett PD 6500i and the Garrett MZ 6100), basically acts as a control center for the detector’s human operator: using a laptop or other interface, an operator can use the module to remotely control a detector, as well as engage in “real-time monitoring and diagnostics,” according to a website selling the product.”

The good news is that if Garrett updates its software, the security threats are neutralized. Bad actors exploit weaknesses for money, fame, and fun. It would be within their wheelhouse to shut down metal detectors in a major airport or important government building to see the resulting chaos. Knowing the mentality of these bad actor, they would be stupid enough to brag about it online.

Whitney Grace, January 3, 2022

The Value of Turning Off Malware Scanning: Allow Exchange to Function?

January 1, 2022

Happy New Year. Problems with Microsoft Exchange 2019? The fix is quite special and you can get  some suggestions for getting mail working again from Reddit’s sysadmin forum. Try this link to learn how to by pass the malware engine. The trick is to disable malware scanning or use the bypass method described in the Reddit post.

Several thoughts:

  1. Useful issue for computer science classes in certain countries unfriendly toward the US to explore
  2. There is room for improvement in Microsoft software quality control processes
  3. This Microsoft Exchange issue matches nicely with netlogon and no-auth exchange RCE missteps.

Here’s the link to the fix:

Outstanding work, Microsoft.

PS. The Register added another MSFT Happy New Year in its post “Going Round in Circles with Windows in Singapore.” There is an illustration of the helpful, detailed, extremely useful error notification. Outstanding work, price war cloud people called Redmondians.

Stephen E Arnold, January 1, 2022

Russia, Tor, and Maybe Sybil Are a Thing?

December 14, 2021

Dictatorships are in vogue, at least in some parts of the world. One interesting response to the Onion Router Technology has been to look up that well known person Sybil. That individual makes it possible to participate in onion routing. Then Sybil’s admirers can process assorted Internet metadata and time stamps in order to learn some interesting things. One of those interesting things is explained in “Russia Ratchets Up Internet Control by Blocking Tor.” Russia learned that it does not want the Onion Router within the land of vodka, bears, and forgotten gulags. Makes sense, doesn’t it?

The write up says:

GlobalCheck, a group that monitors websites’ accessibility in Russia, confirmed that blocking had begun.

Is it possible to block Tor?

Probably not 100 percent. But the steps, including the enabling legislation, suggest that getting caught might have consequences. Believe it or not, there is a person who gets some support from the Russian government to locate burial grounds associated with gulags.

Perhaps that individual will get the opportunity to have some new explorations to undertake?

Stephen E Arnold, December 14, 2021

Monopolies Know Best: The Amazon Method Involves a Better Status Page

December 13, 2021

Here’s the fix for the Amazon AWS outage: An updated status page. “Amazon Web Services Explains Outage and Will Make It Easier to Track Future Ones” reports:

A major Amazon Web Services outage on Tuesday started after network devices got overloaded, the company said on Friday [December 10, 2021] .  Amazon ran into issues updating the public and taking support inquiries, and now will revamp those systems.

Several questions arise:

  1. How are those two pizza technical methods working out?
  2. What about automatic regional load balancing and redundancy?
  3. What is up with replicating the mainframe single point of failure in a cloudy world?

Neither the write up nor Amazon have answers. I have a thought, however. Monopolies see efficiency arising from:

  1. Streamlining by shifting human intermediated work to smart software which sort of works until it does not.
  2. Talking about technical prowess via marketing centric content and letting the engineering sort of muddle along until it eventually, if ever, catches up to the Mad Ave prose, PowerPoints, and rah rah speeches at bespoke conferences
  3. Cutting costs where one can; for example, robust network devices and infrastructure.

The AT&T approach is a goner, but it seems to be back, just in the form of Baby Bell thinking applied to an online bookstore which dabbles in national security systems and methods, selling third party products with mysterious origins, and promoting audio books to those who have cancelled the service due to endless email promotions.

Yep, outstanding, just from Wall Street’s point of view. From my vantage point, another sign of deep seated issues. What outfit is up next? Google, Microsoft, or some back office provider of which most humans have never heard?

The new and improved approach to an AT&T type business is just juicy with wonderfulness. Two pizzas. Yummy.

Stephen E Arnold, December 13, 2021

US Government Procurement: Diagram the Workflow: How Many Arrows Point Fingers?

December 8, 2021

I want to keep this short. For a number of years, I have pointed out that current Federal procurement procedures and the policies the steps are supposed to implement create some issues. I like to mention procurement time for advanced software. By the time the procurement goes through the RFQ, the RFP, the proposal evaluation, the selection, the little meeting at which losers express their concerns, and the award — the advanced technology is often old technology. Another issue is the importance of marketing hoo hah which often leads the Federal government to purchase products and services which are different from that which was described in the PowerPoint presentations and the proposals. There are other interesting characteristics of the process; for example, coffee chats with senators, nice lunches with important people who may pop up on a cable TV talking head program, or good old friendship from a college social group. Ah, yes. Procurement.

US Government Agencies Bought Chinese Surveillance Tech Despite Federal Ban” is a collection of some procurement anecdotes. Interesting? Not particularly. Why? There are no consequences for buying products and services from vendors who should not be eligible for US government contracts. The article focuses on Chinese related missteps. The explanations are crafted to avoid getting anyone in legal hot water.

Net net: I worked in DC starting in the early 1970s. How much has changed in the last 50 years. Not much. China is nemesis but China was a bit of a nemesis 50 years ago. The FARs have been updated. Nevertheless, some interesting purchases have been made over the years. Where’s the Golden Fleece Award now? Are there some unwanted and unloved tanks parked somewhere? What about certain air superiority systems which experience more downtime than a second hand taxi purchased from a shady character in Mexico City. Yes, procurement and some proud moments. Why not fire up that TikTok and ignore the useful data hosed back to certain servers?

Stephen E Arnold, December 8, 2021

An Impossible Dream? Where Is the Windmill?

December 1, 2021

Cyberattacks are only growing in frequency, sophistication, and ROI for hackers. We know most companies need to do a better job at protecting themselves, but what will make the difference? Perhaps the problem lies in the gaps between departments. Network World suggests “3 Steps to Better Collaboration Between Networking and Security Pros.” IT Research firm Enterprise Management Associates finds many companies recognize the need for these departments to work more closely but are having trouble effectively bringing them together. The article identifies four key challenges: separate data silos, skill and knowledge differences between the teams, architectural complexity and, surprise, lack of funding. Writer Shamus McGillicuddy suggests three solutions. The first is to create common data repositories:

“The first priority is to establish a shared data repository that both teams can rely on for a common view of the network. In many companies, security teams are constantly requesting data from the network team when conducting investigations. If that’s the case, the network team should identify the data that security teams frequently request and establish repositories that are accessible to them. … network teams and security teams should centralize packet-capture infrastructure as much as possible so that both teams have a common record of raw traffic data.”

The catch—this change may require updates to data stores, which means spending some dough. Then there is the issue of training staff to better understand each other. McGillicuddy suggests it is up to management, not the teams themselves, to identify the necessary know-how:

“Leadership should recognize how skills gaps are undermine NetSecOps partnerships and lead from the top to close those gaps. Also, network infrastructure professionals are usually quite knowledgeable about network security concepts. They can bring that to bear as much as possible to find common ground with the security team.”

Again, companies must be willing to allocate funds to this endeavor. Finally, architecture should be simplified. The write-up stresses:

“If complexity is getting in the way, the network team should kill complexity and modernize legacy architecture as much as possible. One option is to adopt automation solutions that abstract complexity. And as they move into new environments like the cloud and work-from-anywhere, they should design for simplicity as much as possible.”

This step might be the most costly of the three, especially if legacy systems must be overhauled. All told, companies can be looking at a significant investment to establish harmony between their networking and security departments. The alternative, though, may be to risk a much more costly (and embarrassing) data breach in the future.

Cynthia Murrell, December 1, 2021

DarkCyber for November 30, 2021: Sean Brizendine, SecureX

November 30, 2021

This DarkCyber program features an interview with Sean Brizendine. He is one of the founders of SecureX, where he serves as the director of Blockchain technology. The interview covers:

  • SecureX’s secret sauce in the crypto currency and services market
  • How open source software fits into the company’s technology portfolio
  • How the products and services further the capabilities of Web 3.0, distributed computing, and enhanced online security.

Mr. Brizendine is a certified Certified IIB Council Blockchain Professional & EC Council Online University Lecturer covering Blockchain in their Cyber Talk Webinar Series.

You can view the 11 minute interview on YouTube at this link.

Kenny Toth, November 30, 2021

An Epidemic of Whistle Blowing?

October 22, 2021

Are organizations prepared for an epidemic of whistle blowing?

This question struck me as I read “How One Facebook Worker Unfriended the Giant Social Network.” Here’s the statement in the article which caught my attention:

“There has just been a general awakening amongst workers at the tech companies asking, `What am I doing here?’” said Jonas Kron of Trillium Investment Management, which has pushed Google to increase protection for employees who raise the alarm about corporate misdeeds. “When you have hundreds of thousands of people asking that question, it’s inevitable you’ll get more whistleblowing,” he said.

The comment touched upon two issues which I don’t think have been resolved.

The first is the “awakening.” The idea that workers are “woke” is interesting. My reaction is that the flood of information about social unraveling, breakdowns in what were supposed to be reliable services, and the waves of disturbing news have broken down the “I’m entitled” Drosophila in these folks’ brains. Woke is not a good word. I think something along the lines “I understand now” is more accurate.

The second is the statement that a particular individual who allegedly “has pushed Google to increase protection for employees who raise the alarm about corporate misdeeds.” Okay, that’s interesting. How is that working out for those of the Timnit Gebru ilk?

Net net: Whistle blowers can present different reasons for their actions. The write up makes clear that the “cult of me” is alive and well. Some “me’s” are into dumping documents and information which are confidential. These actions take place even though the person has signed an agreement to keep an organization’s data secret. Guess that piece of paper is not working too well, right? Plus, an investment professional urging the Google to alter its DNA is a helpful endorsement of an individual’s valiant effort to induce change and get some good vibes for the action. Whistle blowing may be little more than an extension of an individual’s need to be the nail that sticks up.

Stephen E Arnold, October 22, 2021

« Previous PageNext Page »

  • Archives

  • Recent Posts

  • Meta