Project Zero Targets Who? What? Why?

October 18, 2019

Google is not one to keep its eyes on its own work, as the effective Project Zero demonstrates. That initiative’s researchers (a.k.a. hackers) seek out zero-day vulnerabilities in software created by Google and many other companies. Vice examines Project Zero in its article, “How Google Changed the Secretive Market for the Most Dangerous Hacks in the World.”

Since its launch in 2014, Project Zero reports it has found and helped fix more than 1,500 vulnerabilities. More than 300 of these were in Apple products, over 500 in Microsoft’s, and more than 200 in Adobe Flash, to give just a few examples. One of these researchers was part of the team that found the Intel chips’ Spectre and Meltdown vulnerabilities. The project has also influenced the cybersecurity industry in more general ways. Reporter Lorenzo Franceschi-Bicchierai writes:

“For one, Project Zero has normalized something that years ago was more controversial: a strict 90-day deadline for companies that receive its bug reports to patch the vulnerabilities. If they don’t patch in that time frame, Google drops the bugs itself. Microsoft, in particular, was not a fan of this policy at the beginning. Today, most companies that interact with Project Zero respect that 90-day deadline as an industry standard, a tidal change in the always controversial debate on the so-called ‘responsible disclosure’—the idea that security researchers who find vulnerabilities should first disclose them to the affected company, so that it can fix them before the bugs are exploited by hackers. According to its own tally, around 95 percent of bugs reported by Project Zero get patched within that deadline.”

Then there is the effect on what the article calls the “insecurity industry,” companies like Azimuth Security and NSO Group that also seek out zero-day vulnerabilities, but for a different reason. We’re told:

“Instead of reporting the vulnerabilities to the companies who own the software, these companies sell them to governments who turn them into tools to hack and surveil targets. ‘F— those guys,’ said a researcher who works for a company that does offensive security, referring to Project Zero. ‘They don’t make the world safer.’ The researcher … said that zero-day vulnerabilities are sometimes used to go after terrorists or dangerous criminals. So when Project Zero kills those bugs, it may be killing tools used by intelligence agencies to go after the bad guys, according to the researcher.”

That is one perspective, but one with which many security experts disagree. See the article for more on that dispute. There is no doubt companies the world over have benefited from Project Zero’s work, but what does Google get out of the effort? Good press is one thing, of course, but Franceschi-Bicchierai suggests another motive—the excuse to poke around in its competitors’ software and reveal their weaknesses. Whatever the motivations, Project Zero now seems entrenched in the cybersecurity landscape.

Now what about the timing of the announcement about Apple iPhone vulnerability and downplaying Android phone issues?

Minor issue, right?

Cynthia Murrell, October 18, 2019

Cyber Security: Hand Waving Instead of Results?

October 9, 2019

Beta News published what DarkCyber views as a bit of an exposé. “Security Professionals Struggle to Measure Success within the Business” recycles information which appears to come from a services firm called Thycotic. (DarkCyber has not been able to locate the referenced report.)

Among the statements in the write up, DarkCyber noted these as particularly thought provoking:

  • “Nearly half (44 percent) [of those in the Thycotic sample] say their organization struggles to align security initiatives with the business’s overall goals”
  • “More [than] 35 percent aren’t clear what the business goals are”
  • “The most commonly used metric is to count the number of security breaches (56 percent) followed by the time taken to resolve a breach (51 percent). It appears, however, that these criteria may not be terribly useful.”
  • “Around two in five (39 percent) say they have no way of measuring what difference past security initiatives have made to the business.”
  • “36 percent agree it’s not a priority for them to measure security success once initiatives have been rolled out.”

These are interesting results. If an information unit cannot demonstrate that its security efforts are useful, budgets will be cut or staff rotated. Vendors will be sucked into this negative atmosphere.

Are cyber security vendors delivering solutions which work? Are customers able to use these products? Will executives lose confidence in their staff and vendors because security challenges continue to bedevil the organization?

The big question, however, remains:

Do the hundreds of vendors have solutions that are useful?

Paying invoices for hand waving can be an issue in some organizations. Well-funded cyber security start-ups might run into choppy waters after several years of smooth sailing and the support of investors who believe that nothing can derail new cyber security solutions.

Stephen E Arnold, October 9, 2019

Encryption: Change May Be Imposed

October 8, 2019

In our DarkCyber videos we reported about Australia’s efforts to obtain access to encrypted communications. We noted that other Five Eyes partners would pick up the idea and move it forward. “The Open Letter from the Governments of US, UK, and Australia to Facebook is An All-Out Attack on Encryption” from the Electronic Frontier Foundation explains that several countries have demanded access to secure messages. The EFF states:

This is a staggering attempt to undermine the security and privacy of communications tools used by billions of people. Facebook should not comply. The letter comes in concert with the signing of a new agreement between the US and UK to provide access to allow law enforcement in one jurisdiction to more easily obtain electronic data stored in the other jurisdiction. But the letter to Facebook goes much further: law enforcement and national security agencies in these three countries are asking for nothing less than access to every conversation that crosses every digital device.

The EFF states:

What’s more, the backdoors into encrypted communications sought by these governments would be available not just to governments with a supposedly functional rule of law. Facebook and others would face immense pressure to also provide them to authoritarian regimes, who might seek to spy on dissidents in the name of combatting terrorism or civil unrest, for example. The Department of Justice and its partners in the UK and Australia claim to support “strong encryption,” but the unfettered access to encrypted data described in this letter is incompatible with how encryption actually works.

DarkCyber wants to point out that flows of digital information work like sandblasters; that is, the data flows erode existing structures. When societal conventions are blasted by bits, the darker side of human nature has a new greenhouse in which to flourish.

DarkCyber believes that a new context exists in the digital environment. We understand what EFF says, but it seems clear that access to encrypted content is just one facet of other changes; for example, cutting off Internet access, censorship, and similar actions.

New world. Old arguments may not gain traction.

Stephen E Arnold, October 8, 2019

A Snowden Fave Has a Quirk

October 7, 2019

If you use Signal, a fave of Edward Snowden, there’s a possible security flaw. Signal is a messaging app with a charming feature if “Signal: Incoming Call Can Be Connected without User Interaction” is on the money. The write up asserts:

Using a modified client, it is possible to send the “connect” message to a callee device when an incoming call is in progress, but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device. The connected call will only be an audio call, as the user needs to manually enable video in all calls. The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states. I would recommend improving the logic in both clients, as it is possible the UI problem doesn’t occur in all situations.

The article provides technical information about this issue.
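The flaw quoted above is a signalling-state problem: a message from the remote peer is honoured before the local user has taken the action that is supposed to gate it. The following is an added illustration written for this post, not Signal's code or the bug report's, with invented state and message names; it models a callee and shows a handler that trusts a "connect" message in any ringing state next to one that only accepts it after the local user has answered.

```python
"""Call-signalling state machine illustrating the logic bug class above.

Constructed example: the states, the 'connect' message and the handlers are
assumptions for illustration, not Signal's actual protocol or code.
"""
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()    # incoming call offered; user has not answered
    ACCEPTED = auto()   # local user tapped "answer" on this device
    CONNECTED = auto()  # media (audio) is flowing
    ENDED = auto()


class CallSession:
    """Tracks one incoming call on the callee device."""

    def __init__(self):
        self.state = CallState.IDLE
        self.audio_open = False
        self.log = []

    def on_offer(self):
        # Remote peer offers a call: legitimate transition out of IDLE.
        if self.state is CallState.IDLE:
            self.state = CallState.RINGING

    def user_answers(self):
        # The only transition that should be driven by local user interaction.
        if self.state is CallState.RINGING:
            self.state = CallState.ACCEPTED


def handle_connect_unchecked(session):
    """Buggy handler: honours the peer's 'connect' while the phone is still ringing."""
    if session.state in (CallState.RINGING, CallState.ACCEPTED):
        session.state = CallState.CONNECTED
        session.audio_open = True
        return True
    return False


def handle_connect_checked(session):
    """Hardened handler: 'connect' is only valid once the local user has answered."""
    if session.state is not CallState.ACCEPTED:
        session.log.append(f"rejected connect in state {session.state.name}")
        return False
    session.state = CallState.CONNECTED
    session.audio_open = True
    return True


def simulate_premature_connect(handler):
    """Peer sends 'connect' before the user answers; returns (accepted, state, audio_open)."""
    s = CallSession()
    s.on_offer()
    accepted = handler(s)
    return accepted, s.state, s.audio_open


def simulate_normal_call(handler):
    """User answers first, then the peer's 'connect' arrives; the call should connect."""
    s = CallSession()
    s.on_offer()
    s.user_answers()
    accepted = handler(s)
    return accepted, s.state, s.audio_open


if __name__ == "__main__":
    print("unchecked, premature connect:", simulate_premature_connect(handle_connect_unchecked))
    print("checked,   premature connect:", simulate_premature_connect(handle_connect_checked))
    print("checked,   normal call:      ", simulate_normal_call(handle_connect_checked))
```

The design point is that every remote message which changes what the device does (opening the microphone here) is validated against the local state machine, and the state that permits it is one only the local user can produce. Logging the rejected transition, as the checked handler does, also gives a detection hook for clients that send messages out of sequence.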

DarkCyber assumes Mr. Snowden has adjusted his secure messaging opsec when he is not seeking life in France or preparing for a for-fee lecture.

Stephen E Arnold, October 5, 2019

Cyber Security: Not for Cloud Misconfigurations

September 25, 2019

DarkCyber has been discussing the apparent ineffectiveness of the cyber defense technology offered by dozens of vendors. Despite the escalation in marketing hype, security issues are like exhaust fumes — everywhere. “99 Percent of All Misconfigurations in the Public Cloud Go Unreported” flashes credibility lights with its “99 percent” and “all” headline.

The write up asserts:

The surge in adoption of cloud-based technologies and Infrastructure-as-a-Service (IaaS) has added a new facet to cyber threats — the loss of information caused by misconfigurations and weak credentials in the public cloud space.

That statement sounds plausible.

The write up adds:

The report says that the top ten most commonly-misconfigured settings in AWS, the most popular IaaS provider for enterprise firms alongside Microsoft Azure, are as below:

  • EBS Data Encryption
  • Unrestricted Outbound Access
  • EC2 Security Group Port Config
  • Provisioning Access to Resources using IAM Roles
  • Unrestricted Access to Non-Http/Https ports
  • Unrestricted Inbound Access on Uncommon Ports
  • Unused Security Groups
  • Unrestricted ICMP Access
  • EC2 Security Group Inbound Access Configuration
  • EC2 Instance Belongs to a VPC
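Most of the items in that list are checkable from the data AWS already returns about an account. The script below is an added example written for this post, not code from the cited report or from Amazon: it runs the network and encryption checks (world-open non-web ports, ICMP, outbound, unused groups, instances outside a VPC, unencrypted EBS volumes) over a constructed sample shaped like `describe-security-groups`, `describe-instances` and `describe-volumes` output. The IAM-role item is a policy question and is not covered here; the resource ids and the 80/443 allowlist are assumptions.

```python
"""Audit a constructed snapshot of EC2/EBS configuration for the misconfigurations
listed above. Added example; the sample data and resource ids are invented, and the
dict shapes only imitate the relevant fields of AWS describe-* responses."""
import ipaddress

# Constructed sample data (not from a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-ping",
     "IpPermissions": [
         {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-stale", "IpPermissions": [], "IpPermissionsEgress": []},
]
INSTANCES = [
    {"InstanceId": "i-1", "VpcId": "vpc-1", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-2", "SecurityGroups": [{"GroupId": "sg-ping"}]},  # no VpcId: not in a VPC
]
VOLUMES = [
    {"VolumeId": "vol-1", "Encrypted": True},
    {"VolumeId": "vol-2", "Encrypted": False},
]
WEB_PORTS = {80, 443}  # assumption: the only ports allowed to be open to the world


def world_open(rule):
    """True if any CIDR on the rule covers the whole IPv4 or IPv6 address space."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def ports(rule):
    """Port range a rule covers; protocol -1 means all ports."""
    if rule["IpProtocol"] == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def audit(groups, instances, volumes):
    """Return (check, resource_id, detail) tuples for every misconfiguration found."""
    findings = []
    in_use = {sg["GroupId"] for inst in instances for sg in inst["SecurityGroups"]}
    for g in groups:
        gid = g["GroupId"]
        for rule in g["IpPermissions"]:
            if not world_open(rule):
                continue
            proto = rule["IpProtocol"]
            if proto in ("icmp", "icmpv6"):
                findings.append(("unrestricted-icmp", gid, proto))
            elif not set(ports(rule)) <= WEB_PORTS:
                detail = f"{proto}/{rule.get('FromPort', 'all')}-{rule.get('ToPort', 'all')}"
                findings.append(("unrestricted-non-web-port", gid, detail))
        for rule in g["IpPermissionsEgress"]:
            if rule["IpProtocol"] == "-1" and world_open(rule):
                findings.append(("unrestricted-outbound", gid, "all traffic to 0/0"))
        if gid not in in_use:
            findings.append(("unused-security-group", gid, "not attached to any instance"))
    for inst in instances:
        if "VpcId" not in inst:
            findings.append(("instance-not-in-vpc", inst["InstanceId"], "no VpcId"))
    for vol in volumes:
        if not vol["Encrypted"]:
            findings.append(("ebs-unencrypted", vol["VolumeId"], "Encrypted=false"))
    return findings


if __name__ == "__main__":
    for check, resource, detail in audit(SECURITY_GROUPS, INSTANCES, VOLUMES):
        print(f"{check:28} {resource:10} {detail}")
```

Run against real data, the same functions would take the parsed JSON of the three describe calls; the point of the sample is that five of the ten headline items reduce to a handful of comparisons, which is why the "unreported" figure is more a monitoring gap than a detection problem.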

If the data are accurate, Amazon is a security “challenge.”

Has Amazon done enough to make certain that its customers are not creating risks for others? If Amazon is a security problem, are the vendors of pricey cyber security systems providing tools and solutions that shore up known weak spots?

Two questions. Answers?

Stephen E Arnold, September 25, 2019

Google: Managing Staff a Challenge

September 24, 2019

DarkCyber is not sure about the accuracy of “Exclusive: Google Insider Turns Over 950 Pages Of Docs And Laptop To DOJ.” The story appeared on Saraacarter.com (the second “a” is a middle initial). Ms. Carter’s about page states:

Sara A. Carter is a national and international award-winning investigative reporter whose stories have ranged from national security, terrorism, immigration and front line coverage of the wars in Afghanistan and Iraq. Sara A. Carter is currently an investigative reporter and Fox News Contributor. Her stories can be found at saraacarter.com. She formerly worked as a senior national security correspondent for Circa News.

The write up asserts that:

A former Google insider claiming the company created algorithms to hide its political bias within artificial intelligence platforms – in effect targeting particular words, phrases and contexts to promote, alter, reference or manipulate perceptions of Internet content – delivered roughly 950 pages of documents to the Department of Justice’s Antitrust division Friday.

The story is dated August 13, 2019, and DarkCyber spotted the link on September 23, 2019. In August 2019, Project Veritas revealed that the alleged Google insider is / was Zachary Vorhies.

Project Veritas does have a Google Document Dump page. You can view the files and download them at this link. A representative document is “Algorithmic Discrimination from an Environmental Psychology Perspective: Stress-Inducing Differential Treatment.”

The write up is an academic review of findings which, upon reflection, are mostly common sense. Manipulation can be accomplished by causing stress and by relieving it.

What struck DarkCyber as interesting is that the cache of documents has not made much of a splash in the last few weeks.

Other observations include:

  • Unlike the now long-offline Google research papers which I cited in my 2003 Google Legacy monograph, the documents in this cache are more touchy-feely.
  • Google’s ability to control its confidential documents appears to have some gaps.
  • The “insider” turned canary reveals that Google is not generating happy Xooglers.

Net net: The high school science club approach to management may need some upgrades.

Stephen E Arnold, September 24, 2019

Email Phishing: Yes, It Works

September 19, 2019

Phishing scams, aka spam, are arguably the oldest Internet scam. One would think that after almost thirty years with the Internet and email, people would have wised up to phishing scams, but no. People still fall for them, and ZDNet has an article that explains why: “Phishing Emails: Here’s Why We Are Still Getting Caught After All These Years.” Here is an interesting fact: phishing emails have been the first stage of the security and data breaches of the past few years.

Google blocks more than 100 million scam emails a day, and 68% of the messages are new variations of ones already blocked. What is even more interesting is whom the phishing campaigns target. Enterprise users are five times as likely as a regular Gmail user to be targeted, education users are twice as likely, government workers are three times as likely, and non-profits are 3.8 times as likely as regular consumers. The scams run only for a limited time to avoid detection; sometimes they last hours, sometimes only a few minutes. The scams mask themselves:

“While bulk phishing campaigns only last for 13 hours, more focused attacks are even more short lived; what Google terms as a ’boutique campaign’ — something aimed at just a few individuals in a company — lasts just seven minutes. In half of all phishing campaigns, the email pretends to have come from the email provider, in a quarter it claims to be from a cloud services provider; after that it’s most likely masquerading as a message from a financial services company or ecommerce site.”

An even scarier fact is that 45% of Internet users do not understand phishing scams. The phishing bad actors play on this naiveté and use psychological tricks, such as urgency and fear, to get people to comply.

People need to wise up and be aware of Internet scams and phishing attacks. Be aware that a reputable company will never ask for your password, and always check the email address to see if it appears suspicious. If it has a lot of numbers and letters and does not come from the company’s official domain, it is a scam.
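The two checks in that last sentence can be automated at the mail gateway or in a mail client. The following is an added example written for this post, not code from ZDNet or Google: it parses a `From:` header, flags a sender whose display name or address claims a brand but whose registrable domain is not one of that brand's official domains, and flags a local part made up largely of digits. The brand-to-domain table, the registrable-domain heuristic and the digit threshold are assumptions chosen for illustration.

```python
"""Heuristic sender checks for the advice above. Added example; the allowlist,
the registrable-domain shortcut and the thresholds are assumptions."""
from email.utils import parseaddr

# Constructed allowlist of official sending domains per brand (assumption).
OFFICIAL_DOMAINS = {
    "paypal": {"paypal.com"},
    "google": {"google.com", "accounts.google.com"},
}


def registrable(domain):
    """Last two labels of the host name. A real deployment should use the
    public suffix list; this shortcut is wrong for names like example.co.uk."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def assess_sender(from_header):
    """Return a list of reasons the sender looks suspicious (empty if none)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable address"]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    base = registrable(domain)
    reasons = []

    # Check 1: the message claims a brand but is not sent from that brand's domain.
    # The brand may appear in the display name, the local part, or a lookalike domain.
    claim_text = f"{name} {local} {domain}".lower()
    for brand, domains in OFFICIAL_DOMAINS.items():
        official = {registrable(d) for d in domains}
        if brand in claim_text and base not in official:
            reasons.append(f"claims {brand} but sent from {domain}")

    # Check 2: a local part that is mostly digits and letters with no readable name.
    digits = sum(ch.isdigit() for ch in local)
    if digits >= 4 and digits / len(local) > 0.3:
        reasons.append(f"digit-heavy local part '{local}'")
    return reasons


if __name__ == "__main__":
    for hdr in ("PayPal Support <alerts@paypal-secure-login.com>",
                "PayPal <service@paypal.com>",
                "Google <no-reply@accounts.google.com>",
                "Account Team <x7f9q2a1@mail-gogle.com>"):
        print(f"{hdr:50} -> {assess_sender(hdr) or 'ok'}")
```

The brand check is deliberately keyed on the registrable domain rather than a substring match, so `paypal.com.evil.example` and `paypal-secure-login.com` are both caught while `accounts.google.com` passes. These heuristics complement, not replace, SPF/DKIM/DMARC results, which verify that the domain actually sent the message.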

Whitney Grace, September 19, 2019

Understanding Social Engineering

September 6, 2019

“Quiet desperation”? Nope, just surfing on psychological predispositions. Social engineering leads to a number of fascinating security lapses. For a useful analysis of how pushing buttons can trigger some interesting responses, navigate to “Do You Love Me? Psychological Characteristics of Romance Scam Victims.” The write up provides some useful insights. We noted this statement from the article:

a susceptibility to persuasion scale has been developed with the intention to predict likelihood of becoming scammed. This scale includes the following items: premeditation, consistency, sensation seeking, self-control, social influence, similarity, risk preferences, attitudes toward advertising, need for cognition, and uniqueness. The current work, therefore, suggests some merit in considering personal dispositions might predict likelihood of becoming scammed.

Cyberpsychology at work.

Stephen E Arnold, September 6, 2019

MAGA: Making Android Great Again?

August 30, 2019

My feeds were stuffed with references to Google’s announcement that Apple’s iPhone security sucks. Here’s a sampling of the headlines I spotted:

Google reveals years-long ‘indiscriminate’ iPhone hack. Most of the vulnerabilities targeted were found in the iPhone’s default Safari web browser. Source: The National

Google discovered ‘sustained attacks’ over at least two years against iPhone users. Source: Neowin.net

Google says hacked websites were attacking iPhones for years. Now-fixed exploits were used to install monitoring implants. Source: TechSpot

And there are more. The Guardian, Inquirer, PocketLint, MIT Technology Review, and others.

DarkCyber does not want to think negative thoughts about Google’s discovery. Apple addressed the issue promptly. On the plus side of the ledger, Google could have made the announcement after the US holiday weekend. Why now?

DarkCyber wants to point out that another article, this one about Google Chrome, offered this headline: “A major Google Chrome bug could let criminals attack your PC remotely.”

Not too much coverage of this item compared with the damning revelation that iPhones. Are. Insecure!

DarkCyber suggests that the information presented at CVE Details may be of interest. This site presents a possibly accurate list of Google Android security issues.

DarkCyber wants to point out:

  1. If a device is any place other than a Faraday cage, unplugged, and behind a security perimeter, that device may be vulnerable
  2. Mass market devices are compromisable because users have “interesting behaviors.” Curious about that to which DarkCyber refers? Check out this link.
  3. Hardened devices which are “black” are not popular because they are [a] expensive to produce and keep up to date, [b] more difficult to use than a consumer phone, [c] expensive, and [d] also vulnerable.

Security exposés capture headlines. Vendors of cyber security services and products make these types of revelations part of their standard operating procedure.

Capturing headlines informs bad actors that there are vulnerabilities to be discovered. “Hey, why not check out this method” publicity is an interesting approach. Is Google grandstanding?

Plus, Google may introduce its own MAGA hat. A “Make Android Great Again” chapeau could knock the famous Google flashing lapel pin off its top spot in the Google collectible hall of fame.

Stephen E Arnold, August 30, 2019

CafePress: Just 23 Million Customer Details May Have Slipped Away

August 6, 2019

I read “CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?” Several years ago I participated in a meeting at which a senior officer of CafePress was in the group. The topic was a conference at which I was going to deliver a lecture about cyber security. I recall that the quite confident CafePress C suite executive pointed out to me that the firm had first rate security. Interesting, right?

The write up in the capitalist tool said:

According to that HIBP notification, the breach itself took place on Feb 20 and compromised a total of 23,205,290 accounts. The data was provided to Troy Hunt at HIBP from a source attributed as JimScott.Sec@protonmail.com.

I thought that an outfit with first rate security would not fall to a bad actor. I also assumed that the company would have reported the issue to customers promptly. It seems as though the breach took place more than five months ago. (February 2019 and today is August 5, 2019.)

What’s DarkCyber’s take on this?

  1. The attitude of a CafePress executive makes clear that confidence and arrogance are poor substitutes for knowledge.
  2. The company looks like it needs a security and management health check.
  3. A failure to act more quickly suggests significant governance issues.

How about a T shirt with the CafePress logo and the phrase “First Rate Security” printed on the front?

Stephen E Arnold, August 6, 2019
