How Does One Access an iPhone?

May 9, 2019

If you are interested in accessing a locked iPhone, you may want to add this write up to your reference file. DarkCyber is not sure the three ways to work around the iCloud lock cover the waterfront, but the information is suggestive. See “How Hackers and Scammers Break into iCloud-Locked iPhones.” DarkCyber is not thrilled that this type of information is floating around untethered. Just our viewpoint, of course. Vice’s editorial judgment is interesting.

Stephen E Arnold, May 9, 2019

So Much Protection, So Little Security

April 30, 2019

I receive emails from cyber security firms. The messages flow from Carbon Black, Recorded Future, DarkOwl, FireEye, IntSights, and others. An outfit named BrightTalk besieges me with announcements about cyber security webinars. The flood of information explains that cyber security tools are available, work, and are easy to use. I am not sure I have much confidence in these assurances.

In the midst of this wealth of security options, I find that articles like “Unknown US Security Breach Exposes Data of 80 Million Households” suggest a problem exists. The write up states:

The breach was discovered by ‘hacktivists’ Noam Rotem and Ran Locar and highlighted by specialists at vpnMentor. They claim it is part of a 24GB trove of information that had been stored on an unprotected Microsoft Azure cloud server.

My thought for the day:

Marketing may exceed capabilities…at least for administrators of the Microsoft Azure cloud service.

And here’s a question:

Maybe security is a flight of fancy?

Stephen E Arnold, April 30, 2019

VPNs: You Have to Love These Outfits

April 26, 2019

What does a virtual private network do to protect one’s privacy? Who are the friends of a particular VPN? Who owns the VPN? Is that individual or group of owners friends with some interesting people? Why charge a person and not provide the advertised service? (This happened to the Beyond Search goose when we were researching “Dark Web Notebook.”)

These questions are difficult to answer.

One slice of light appears in the article “There’s NordVPN Odd about This, Right? Infosec types Concerned over Strange App Traffic.” I am not thrilled with the headline, but some of the information in the article — assuming that the accuracy is on the money — is thought provoking.

I noted this statement attributed to a NordVPN expert:

NordVPN spokeswoman Laura Tyrell first told us: “I would like to assure you that we have not observed any irregular behavior that could in any way support the theory of our applications being compromised by a malicious actor.” She added: “Such domains are used as an important part of our workaround in environments and countries with heavy internet restrictions. To prevent such requests from contacting the domains which aren’t owned by us, we have modified our URI scheme. All URLs are being validated, so the problem as such will never occur. It is also important to note that no sensitive data is being sent or received through these addresses.”

The author may not be a stellar headline writer, but I was able to understand this statement:

This was obviously bunkum and we said so.

If one works through the technical snippets, two things become evident:

  1. The NordVPN is a busy little beaver in the sending and receiving department. Busy, busy.
  2. The information security wizards contributing to the article are suspicious.

Net net: Maybe it is time to answer some questions about both the technical plumbing and the owners’ connections with other entities. We can maybe rule out Mr. Putin because NordVPN made the list of VPN services to be blocked in Russia. But there are other interesting friends some VPN providers may have.

Oh, those free VPN services? Yeah, not a good idea.

Stephen E Arnold, April 26, 2019

Phishers Experience Some Tiny Google Pushback

April 17, 2019

Hiding URLs is a phisher’s best friend. Google wants to eliminate those pesky URLs. The problem is that spoofing a Web site is easier when the GOOG simplifies life. There’s nothing like a PDF with malware to make one’s day.

If the information in “Google Takes a Tiny Step Toward Fixing AMP’s URL Problem” is accurate, the Google may be pushing back against the opportunities bad actors have to deceive a Web user. The write up does describe Google’s action as “tiny,” and “tiny” may be minuscule. I learned:

When you click a link on your phone with a little lightning bolt next to it in Google search, you’re getting something in the AMP format. AMP stands for “Accelerated Mobile Pages,” and you’ve probably noticed that those pages load super quickly and usually look much simpler than regular webpages. You may have also noticed that the URL at the top of your browser started with “www.google.com/somethingorother” instead of with the webpage you thought you were visiting.

Yeah, about that “quickly.” Maybe not.

Phishers will be studying this alleged “tiny” change. Why? Phishing and spear phishing are among the methods bringing Dark Web type excitement to users of the good, old-fashioned Web. There are six or seven additional examples of metastatic technology in my keynote at the TechnoSecurity & Digital Forensics Conference in June 2019.

“Tiny”. Yep. And what about the “speed” of AMP pages?

Stephen E Arnold, April 17, 2019

Google and Identity Management

April 17, 2019

Google kills products. More than 100 since I did my last count. With that fact in mind, I read a second time “Google, Hyperledger Launch Online Identity Management Tools.” At first glance, the idea of a slightly different approach to identity management seems like a good but obvious idea. (Does Amazon have thoughts about identity management too?)

The write up explains:

Google unveiled five upgrades to its BeyondCorp cloud enterprise security service that enables identity and access management for employees, corporate partners, and customers.

Google wants to be the go-to cloud provider of identity management services. Among the capabilities revealed, Google’s Android 7 and higher can be used as a two factor authentication dongle.

However, in the back of my mind is the memory of failed products and Google engineers losing interest in certain projects. No promotion, no internal buzz, then no engineers. The Google Search Appliance, for example, was not a thriller.

The idea that Google can and does lose interest in projects may provide a marketing angle Amazon can exploit. If Amazon ignores this “short attention span” issue, perhaps other companies will be less reluctant to point out that talk and a strong start are not finishing the race.

Stephen E Arnold, April 17, 2019

Microsoft: More Security Excitement

April 15, 2019

I read “Microsoft Informs Hackers Had Accessed Some Outlook Account Emails for Months.” The write up reports:

Microsoft has revealed that a hacker had access to the email addresses, folder names, and subject lines of emails, but not the content of emails or attachments of the Outlook users for three months.

That’s 90 days. Windows Defender was, I assume, on the job. The good news is that the bad actor was not able to read emails. The hacker wasn’t able “to steal login details or other personal information.” That’s good news too. Plus, Microsoft has “disabled the credentials used in the hack.”

Whoa, Nellie.

Windows Defender and presumably one or more of the companies offering super smart, super capable security services were protecting the company. I am besieged each week with requests to read white papers, participate in webinars, and get demonstrations of one of the hundreds of cyber security systems available today. These range from outfits which have former NSA, FBI, and CIA specialists monitoring their clients’ systems to companies that offer systems based on tireless artificial intelligence and proactive, predictive technology. Humans get involved only when the super system sends an alert. The idea is that every possible approach to security is available.

Microsoft can probably afford several systems and can use its own crack programmers to keep the company safe. Well, one caveat is that the programmers working on Windows 10 updates are probably not likely to be given responsibility for mission critical Microsoft security. Windows 10 updates are often of questionable quality.

A handful of questions occur to me:

  1. Perhaps Microsoft’s security expertise is not particularly good. Maybe on a par with the Windows 10 October 2018 update?
  2. Maybe Windows Defender cannot defend?
  3. Perhaps the over hyped, super capable cyber security systems do not work either?

Net net: With many well funded companies offering cyber security and big outfits entrusted by their customers with their data, are the emperors going to their yoga classes naked? Ugh. Horrible thought, but it may be accurate. At least put on some stretchy pants, please.

Stephen E Arnold, April 15, 2019

Forbes Raises Questions about Facebook Encryption

March 25, 2019

I am never sure if a story in Forbes (the capitalist tool) is real journalism or marketing. I was interested in a write up called “Could Facebook Start Mining Decrypted WhatsApp Messages For Ads And Counter-Terrorism?” The main point is that Facebook encryption could permit Facebook to read customers’ messages. The purpose of such access would be to sell ads and provide information to “governments or harvesters.” The write up states:

The problem is that end-to-end encryption only protects a message during transit. The sender’s device typically retains an unencrypted copy of the message, while the recipient’s device necessarily must decrypt the message to display to the user. If either of those two devices has been compromised by spyware, the messages between them can be observed in real-time regardless of how strong the underlying encryption is.

No problem with this description. Intentionally or unintentionally, the statement makes clear why compromising user devices is an important tool in some governments’ investigative and intelligence toolbox. Why decrypt if the bad actor’s mobile device or computer just emails the information to a third party?

I noted this statement as well:

The messaging app itself has access to the clear text message on both the sender and recipient’s devices.

If I understand the assertion, Facebook can read the messages sent by its encrypted service.
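The two quoted points (ciphertext protects the message only on the wire; both endpoints hold the clear text) can be shown in a few dozen lines. The Go program below is an added example, not code from the Forbes article, this post, or WhatsApp; it models two devices that share a constructed AES-256-GCM session key (a real client derives its keys through a key exchange) and compares what a network observer can read with what software running on either device can read. The type and function names (Device, Send, Receive, TransitObserverSeesPlaintext, EndpointObserverSees) and the sample message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models one endpoint of an end-to-end encrypted chat. Like a real
// messaging client it holds the session key and keeps a plaintext copy of every
// message it sent or displayed; that retained copy is what a compromised
// device, or the app itself, can read without touching the encryption.
type Device struct {
	Name    string
	key     []byte   // 32-byte session key shared with the peer (constructed for the demo)
	History []string // plaintext copies retained on the device
}

func NewDevice(name string, key []byte) *Device { return &Device{Name: name, key: key} }

// NewSessionKey returns a random AES-256 key that both demo endpoints share.
func NewSessionKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func (d *Device) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(d.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send stores the plaintext locally, then encrypts it with AES-256-GCM.
// The returned nonce||ciphertext||tag is everything the transport ever sees.
func (d *Device) Send(plaintext string) ([]byte, error) {
	d.History = append(d.History, plaintext)
	aead, err := d.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// Receive authenticates and decrypts a wire message, then keeps the plaintext
// so the user can read it, exactly as a real client must.
func (d *Device) Receive(wire []byte) (string, error) {
	aead, err := d.aead()
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(wire) < ns {
		return "", errors.New("wire message too short")
	}
	pt, err := aead.Open(nil, wire[:ns], wire[ns:], nil)
	if err != nil {
		return "", err // tampered bytes or wrong key: the GCM tag check fails
	}
	d.History = append(d.History, string(pt))
	return string(pt), nil
}

// TransitObserverSeesPlaintext is all a network eavesdropper can do: scan the wire bytes.
func TransitObserverSeesPlaintext(wire []byte, plaintext string) bool {
	return bytes.Contains(wire, []byte(plaintext))
}

// EndpointObserverSees is what code on the device itself can do: read the app's plaintext store.
func EndpointObserverSees(d *Device) []string { return append([]string(nil), d.History...) }

func main() {
	key, err := NewSessionKey()
	if err != nil {
		panic(err)
	}
	alice, bob := NewDevice("alice", key), NewDevice("bob", key)
	wire, _ := alice.Send("meet at noon") // constructed sample message
	shown, _ := bob.Receive(wire)
	fmt.Printf("on the wire: %x\n", wire)
	fmt.Println("network observer finds plaintext:", TransitObserverSeesPlaintext(wire, "meet at noon"))
	fmt.Println("bob displayed:", shown)
	fmt.Println("endpoint observer on alice:", EndpointObserverSees(alice))
	fmt.Println("endpoint observer on bob:", EndpointObserverSees(bob))
	tampered := append([]byte(nil), wire...)
	tampered[len(tampered)-1] ^= 1
	_, err = bob.Receive(tampered)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The transport protection holds up: a flipped bit is rejected and the wire never contains the message. The History slices are the point of the Forbes passage: whoever controls the client software or the device reads the same text the user reads, so "on-device mining" needs no weakening of the cipher at all.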

The write up asserts:

As its encrypted applications are increasingly used by terrorists and criminals and to share hate speech and horrific content, the company will come under further pressure to peel back the protections of encryption.

Even if Facebook wants to leave encrypted information in encrypted form, outside pressures may force Facebook to just decrypt and process the information.

The conclusion of the write up is interesting:

Putting this all together, it is a near certainty that Facebook did not propose its grand vision of platform-wide end-to-end encryption without a clear plan in place to ensure it would be able to continue to monetize its users just as effectively as in its pre-encryption era. The most likely scenario is a combination of behavioral affinity inference through unencrypted metadata and on-device content mining. In the end, as end-to-end encryption meets the ad-supported commercial reality of Facebook, it is likely that we will see a dawn of a new era of on-device encrypted message mining in which Facebook is able to mine us more than ever under the guise of keeping us safe.

Speculation? Part of the capitalist toolkit it seems. Is there a solution? The write up just invokes Orwell. Fear, uncertainty, doubt. Whatever sells. But news?

Stephen E Arnold, March 25, 2019

Juicy Target: Big Cloudy Agglomerations of Virtual and Tangible Gizmos

March 9, 2019

Last week I had a call about the vulnerability of industrial facilities. The new approach is to push certain control, monitoring, and administrative systems to the cloud. The idea is that smart milling machines, welders, and similar expensive equipment can push their data to the “cloud.” The magic in the cloud then rolls up the data, giving the manufacturing outfit a big picture view of the individual machines in multiple locations. Need a human to make sure the industrial robots are working happily? Nope. Just look at a “dashboard.” If a deity were into running a chemical plant or making automobiles, the approach is common sense.

I read “Citrix Hacked and Didn’t Know Until FBI Alert.” The FBI is capable, but each week I receive email from companies which perform autonomous, proactive monitoring to identify, predict, and prevent breaches.

The write up points out:

The firm attributed the attack to an Iranian group called “IRIDIUM” and says it made off with “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”

The article buries this statement deep in the report:

The breach disclosure comes just three days after Citrix updated its SD-WAN offering to help enterprises to administer user-centric policies and connect branch employees to applications in the cloud with greater security and reliability. The product is intended to simplify branch networking by converging WAN edge capabilities and defining security zones to apply different policies for different users.

What’s the implication?

Forget Go to My PC vulnerabilities. Old news. The bad actors may have the opportunity to derail certain industrial and manufacturing processes. What happens when a chemical plant gets the wrong instructions?

Remember the Port of Texas City mishap? A tragic failure. Accidental.

But Citrix style breaches combined with “we did not know” may presage intentional actions in the future.

Yep, cloudy with a chance of pain.

Stephen E Arnold, March 9, 2019

Simple Ways Intelligence is Fighting Cyber Crimes

March 8, 2019

Our world has never been more technologically advanced; that’s a fact. That also means that the digital threats have never been more dire, right? Yes and no, according to one source, who says that the technology might change but humans never do. We learned more from a recent CNBC story, “Google Infosec Head Heather Adkins: Ignore Scare Stories.”

According to the story:

“Adkins said sometimes the marketplace suffers from a “proliferation of cybersecurity professionals” offering conflicting advice on passwords, antivirus software, safety practices and so on…But the best rules for individuals looking to secure their personal information are the classics, Adkins said…Keep your software up to date, and don’t re-use the same password.”

This and many other examples show that good old-fashioned foresight and detective work can still help fight cybercrime, even in this world of machine learning and nanotech. As Adkins says, let’s look forward in regards to security, but also not forget our past.

However, fear, uncertainty, and doubt sell—particularly to some executives uncomfortable with today’s business environment.

Patrick Roland, March 8, 2019

SIM Swapping: Trust Google?

March 2, 2019

Anyone holding crypto currency should be aware by now of SIM swapping, a hacking technique that involves tricking telecom companies into redirecting the victim’s phone number to the attacker’s device. Now, The Next Web tells us, “Google’s Head of Account Security Has Fix for Crypto currency SIM-Swapping.” Note that the fix involves a physical device, not just a download. Writer David Canellis explains:

“An overt reliance on SMS-based two-factor authentication (2FA) systems has only compounded the problem. While these are regarded as an upgrade to traditional verification methods like usernames and passwords, SMS-based 2FA presents cybercriminals with a clear attack vector. If hackers can take control of a phone number, it would be them who receive the special codes, allowing instant access to sensitive information.”

We also noted:

“Google is one of many tech giants to present a solution. It released its Titan Keys last August, a $50 set of hardware devices that cryptographically ties particular devices to accounts, effectively keeping anyone without a registered device at bay. Users connect the Key to a device, such as a laptop or a smartphone, and sign into the account they wish to protect. This can be done via USB, NFC, or Bluetooth. A button then is pressed on the Key which will cryptographically register the device to a user account. It’s not exactly necessary to carry around the Keys, but users will need to have at least one handy to sign in. Purchasers of Titan Keys can also enroll in Google’s Advanced Protection Platform, which provides a supplementary bundle of security measures.”

Canellis notes that crypto currency makes for a tempting target. While typical attacks net hackers a fraction of a cent per victim, a bad actor can make thousands of dollars from one successful attack. The Titan Keys work because they cut out the telecoms—there is no one for hackers to bamboozle. Navigate to the source article for more information on the device and how it works. Canellis observes what could be taken as a warning—today’s world of online banking and mobile apps makes for a less secure banking environment than we older folks grew up with.
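Why a hardware key “cuts out the telecoms” is easier to see in code than in prose. The Go program below is an added example, not code from The Next Web, this post, or Google’s Titan product. Its first half models SMS 2FA with the carrier reduced to a routing table, so a number reassignment is nothing more than a table change the login server cannot see; its second half models a U2F-style authenticator holding a P-256 key that signs a server challenge together with the site origin, which is what ties the physical device to the account. PhoneNetwork, SmsServer, HardwareKey and KeyServer, the sample phone number and the origins are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// PhoneNetwork is a constructed stand-in for the carrier: it decides which
// handset currently receives SMS for a number. Reassigning a number is one map write.
type PhoneNetwork struct{ Routes map[string]string } // phone number -> handset name

// SmsServer issues one-time codes to a phone number and checks them at login.
type SmsServer struct{ pending map[string]string } // phone number -> outstanding code

func NewSmsServer() *SmsServer { return &SmsServer{pending: map[string]string{}} }

// SendCode generates a 6-digit code and "texts" it. It returns the handset that
// actually received it; the server itself has no way to know that.
func (s *SmsServer) SendCode(net *PhoneNetwork, number string) (handset, code string, err error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", "", err
	}
	code = fmt.Sprintf("%06d", n.Int64())
	s.pending[number] = code
	return net.Routes[number], code, nil
}

// Verify accepts the outstanding code once; it checks only the number and the digits.
func (s *SmsServer) Verify(number, code string) bool {
	ok := code != "" && s.pending[number] == code
	delete(s.pending, number)
	return ok
}

// HardwareKey models a U2F/FIDO-style authenticator: the private key never
// leaves the device, and every signature covers the origin the browser reports.
type HardwareKey struct{ priv *ecdsa.PrivateKey }

func NewHardwareKey() (*HardwareKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HardwareKey{priv: priv}, nil
}

// Sign is the "press the button" step: it signs SHA-256(origin || challenge).
func (k *HardwareKey) Sign(origin string, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(append([]byte(origin), challenge...))
	return ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
}

// KeyServer stores the public key enrolled for the account and the origin it expects.
type KeyServer struct {
	Origin string
	pub    *ecdsa.PublicKey
}

func (s *KeyServer) Enroll(k *HardwareKey) { s.pub = &k.priv.PublicKey }

func (s *KeyServer) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify recomputes the digest over its own origin, so a signature made for a
// look-alike site fails even though the genuine key produced it.
func (s *KeyServer) Verify(challenge, sig []byte) bool {
	if s.pub == nil {
		return false
	}
	digest := sha256.Sum256(append([]byte(s.Origin), challenge...))
	return ecdsa.VerifyASN1(s.pub, digest[:], sig)
}

func main() {
	net := &PhoneNetwork{Routes: map[string]string{"+1-555-0100": "victim-handset"}} // constructed sample
	sms := NewSmsServer()
	handset, code, _ := sms.SendCode(net, "+1-555-0100")
	fmt.Printf("SMS code went to %s; login ok=%v\n", handset, sms.Verify("+1-555-0100", code))
	net.Routes["+1-555-0100"] = "other-handset" // the number now points somewhere else
	handset, code, _ = sms.SendCode(net, "+1-555-0100")
	fmt.Printf("SMS code went to %s; login ok=%v\n", handset, sms.Verify("+1-555-0100", code))

	key, _ := NewHardwareKey()
	srv := &KeyServer{Origin: "https://accounts.example"}
	srv.Enroll(key)
	ch, _ := srv.NewChallenge()
	sig, _ := key.Sign(srv.Origin, ch)
	fmt.Println("enrolled key, right origin:", srv.Verify(ch, sig))
	other, _ := NewHardwareKey()
	sig2, _ := other.Sign(srv.Origin, ch)
	fmt.Println("unenrolled key:", srv.Verify(ch, sig2))
	sig3, _ := key.Sign("https://accounts-example.test", ch)
	fmt.Println("enrolled key, look-alike origin:", srv.Verify(ch, sig3))
}
```

In the SMS half the server’s Verify succeeds both before and after the routing change, because the phone number is the only thing it checks. In the key half, no phone number appears anywhere: a login needs a fresh signature from the enrolled private key over the server’s own origin, so neither the carrier nor a look-alike site is in a position to supply it.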

Whom do we trust? Google? Another third party?

Cynthia Murrell, March 2, 2019
