Amazon: A Wild West Approach to Security
May 14, 2019
A story ostensibly about an “unprotected Elasticsearch cluster” and an administrator poses an interesting question, which I will raise in a moment. You will want to read or scan “Sensitive Information of Millions of Panama Citizens Leaked.” The main idea is that information about citizens of Panama was leaked. The information appears to be germane to people with medical issues. That’s bad for several reasons:
- People and their medical “histories” are sensitive and like a sizzling hamburger to bad actors interested in blackmail or some other negative action
- Some citizens of Panama are low profile. These individuals use Panama as a convenient base for one’s identity or one of many identities. There are also quick hops to nearby locations with a somewhat flexible approach to financial activities.
- The “unsecured” Elasticsearch databases are findable using Shodan. This is a search system of considerable utility to certain organizations and individuals.
The system on which the data resided, if the write up is accurate, was Amazon AWS. Now the big question:
With the automation Amazon AWS offers customers, why aren’t basic security health checks routinely performed by Amazon’s smart software?
Snuffing out unprotected AWS servers / services is going to add to friction for customers and impose additional computational burdens on AWS.
One can point the finger at Elasticsearch administrators, but these people are driving Amazon’s digital vehicle. When a smart car mows down a pedestrian, whom do we scrutinize? The person walking or the go go outfit which built the smart vehicle?
Does Amazon’s speeding AWS need some driver safety functions? Air bags save lives, and the driver does not have to pay extra or be aware of these devices. Just a thought: Air bags and seat belts for Amazon AWS customers. Amazon, it seems, wants to help former employees become delivery people. What about the administrators of Elasticsearch? What’s their future?
Stephen E Arnold, May 14, 2019
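The post above asks what a routine, automated “air bag” check would look like. The block below is an added example, not Amazon’s software and not code from the article: it audits EC2 security group data in the shape returned by boto3’s `ec2.describe_security_groups()` and flags ingress rules that open Elasticsearch’s default ports (9200 for the REST API, 9300 for transport) to the whole internet. The sample groups, their ids and names are constructed for this example. One caveat: a security group check covers only one exposure path; a cluster can be unprotected because it accepts requests without authentication even when the network rule is tight, so this is a complement to, not a substitute for, checking the cluster’s own access controls.

```python
# Added example (not Amazon's software or the article's): a minimal "air bag" style
# health check over EC2 security group data. It flags ingress rules that expose
# Elasticsearch's default ports (9200 REST, 9300 transport) to any IPv4 or IPv6
# address. The input shape mirrors boto3's ec2.describe_security_groups() response;
# the sample groups below are constructed for this example.

from typing import Dict, List

ELASTICSEARCH_PORTS = {9200, 9300}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_ports(rule: Dict) -> set:
    """Return the Elasticsearch ports a single ingress rule covers.
    IpProtocol '-1' means all protocols and all ports."""
    if rule.get("IpProtocol") == "-1":
        return set(ELASTICSEARCH_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return set()
    low, high = rule.get("FromPort"), rule.get("ToPort")
    if low is None or high is None:
        return set()
    return {p for p in ELASTICSEARCH_PORTS if low <= p <= high}


def _rule_world_cidrs(rule: Dict) -> List[str]:
    """Return the world-open CIDRs (IPv4 and IPv6) referenced by a rule."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_exposed_elasticsearch(security_groups: List[Dict]) -> List[Dict]:
    """Return one finding per (group, port, cidr) where an Elasticsearch port
    is reachable from the whole internet."""
    findings = []
    for group in security_groups:
        for rule in group.get("IpPermissions", []):
            ports = _rule_ports(rule)
            if not ports:
                continue
            for cidr in _rule_world_cidrs(rule):
                for port in sorted(ports):
                    findings.append({
                        "GroupId": group["GroupId"],
                        "GroupName": group.get("GroupName", ""),
                        "Port": port,
                        "CidrIp": cidr,
                    })
    return findings


# Constructed sample: one group open to the world, one restricted to a private
# range, and one all-protocol rule (which exposes the ports as well).
SAMPLE_GROUPS = [
    {"GroupId": "sg-exposed", "GroupName": "es-public",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ok", "GroupName": "es-internal",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-any", "GroupName": "allow-all",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for f in find_exposed_elasticsearch(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): port {f['Port']} open to {f['CidrIp']}")
```

Against a live account the same function would be fed `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`; the all-protocol case is handled separately because such rules carry no `FromPort`/`ToPort` keys, which is exactly the kind of rule a naive port comparison misses.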
How Does One Access an iPhone?
May 9, 2019
If you are interested in accessing a locked iPhone, you may want to add this write up to your reference file. DarkCyber is not sure the three ways to work around the iCloud lock cover the waterfront, but the information is suggestive. See “How Hackers and Scammers Break into iCloud-Locked iPhones.” DarkCyber is not thrilled that this type of information is floating around untethered. Just our viewpoint, of course. Vice’s editorial judgment is interesting.
Stephen E Arnold, May 9, 2019
So Much Protection, So Little Security
April 30, 2019
I receive emails from cyber security firms. The messages flow from Carbon Black, Recorded Future, DarkOwl, FireEye, IntSights, and others. An outfit named BrightTalk besieges me with announcements about cyber security webinars. The flood of information explains that cyber security tools are available, work, and are easy to use. I am not sure I have much confidence in these assurances.
In the midst of this wealth of security options, I find that articles like “Unknown US Security Breach Exposes Data of 80 Million Households” suggest a problem exists. The write up states:
The breach was discovered by ‘hacktivists’ Noam Rotem and Ran Locar and highlighted by specialists at vpnMentor. They claim it is part of a 24GB trove of information that had been stored on an unprotected Microsoft Azure cloud server.
My thought for the day:
Marketing may exceed capabilities…at least for administrators of the Microsoft Azure cloud service.
And here’s a question:
Maybe security is a flight of fancy?
Stephen E Arnold, April 30, 2019
VPNs: You Have to Love These Outfits
April 26, 2019
What does a virtual private network do to protect one’s privacy? Who are the friends of a particular VPN? Who owns the VPN? Is that individual or group of owners friends with some interesting people? Why charge a person and not provide the advertised service? (This happened to the Beyond Search goose when we were researching “Dark Web Notebook.”)
These questions are difficult to answer.
One slice of light appears in the article “There’s NordVPN Odd about This, Right? Infosec types Concerned over Strange App Traffic.” I am not thrilled with the headline, but some of the information in the article — assuming that the accuracy is on the money — is thought provoking.
I noted this statement attributed to a NordVPN expert:
NordVPN spokeswoman Laura Tyrell first told us: “I would like to assure you that we have not observed any irregular behavior that could in any way support the theory of our applications being compromised by a malicious actor.” She added: “Such domains are used as an important part of our workaround in environments and countries with heavy internet restrictions. To prevent such requests from contacting the domains which aren’t owned by us, we have modified our URI scheme. All URLs are being validated, so the problem as such will never occur. It is also important to note that no sensitive data is being sent or received through these addresses.”
The author may not be a stellar headline writer, but I was able to understand this statement:
This was obviously bunkum and we said so.
If one works through the technical snippets, two things become evident:
- The NordVPN is a busy little beaver in the sending and receiving department. Busy, busy.
- The information security wizards contributing to the article are suspicious.
Net net: Maybe it is time to answer some questions about both the technical plumbing and the owners’ connections with other entities. We can maybe rule out Mr. Putin because NordVPN made the list of VPN services to be blocked in Russia. But there are other interesting friends some VPN providers may have.
Oh, those free VPN services? Yeah, not a good idea.
Stephen E Arnold, April 26, 2019
Phishers Experience Some Tiny Google Pushback
April 17, 2019
Hiding URLs is a phisher’s best friend. Google wants to eliminate those pesky URLs. The problem is that spoofing a Web site is easier when the GOOG simplifies life. There’s nothing like a PDF with malware to make one’s day.
If the information in “Google Takes a Tiny Step Toward Fixing AMP’s URL Problem” is accurate, the Google may be pushing back against the opportunities bad actors have to deceive a Web user. The write up does describe Google’s action as “tiny” and “tiny” may be minuscule. I learned:
When you click a link on your phone with a little lightning bolt next to it in Google search, you’re getting something in the AMP format. AMP stands for “Accelerated Mobile Pages,” and you’ve probably noticed that those pages load super quickly and usually look much simpler than regular webpages. You may have also noticed that the URL at the top of your browser started with “www.google.com/somethingorother” instead of with the webpage you thought you were visiting.
Yeah, about that “quickly.” Maybe not.
Phishers will be studying this alleged “tiny” change. Why? Phishing and spear phishing are among the methods bringing Dark Web type excitement to users of the good, old-fashioned Web. There are six or seven additional examples of metastatic technology in my keynote at the TechnoSecurity & Digital Forensics Conference in June 2019.
“Tiny”. Yep. And what about the “speed” of AMP pages?
Stephen E Arnold, April 17, 2019
Google and Identity Management
April 17, 2019
Google kills products. More than 100 since I did my last count. With that fact in mind, I read a second time “Google, Hyperledger Launch Online Identity Management Tools.” At first glance, the idea of a slightly different approach to identity management seems like a good but obvious idea. (Does Amazon have thoughts about identity management too?)
The write up explains:
Google unveiled five upgrades to its BeyondCorp cloud enterprise security service that enables identity and access management for employees, corporate partners, and customers.
Google wants to be the go-to cloud provider of identity management services. Among the capabilities revealed, Google’s Android 7 and higher can be used as a two factor authentication dongle.
However, in the back of my mind is the memory of failed products and Google engineers losing interest in certain projects. No promotion, no internal buzz, then no engineers. The Google Search Appliance, for example, was not a thriller.
The idea that Google can and does lose interest in projects may provide a marketing angle Amazon can exploit. If Amazon ignores this “short attention span” issue, perhaps other companies will be less reluctant to point out that talk and a strong start are not finishing the race.
Stephen E Arnold, April 17, 2019
Microsoft: More Security Excitement
April 15, 2019
I read “Microsoft Informs Hackers Had Accessed Some Outlook Account Emails for Months.” The write up reports:
Microsoft has revealed that a hacker had access to the email addresses, folder names, and subject lines of emails, but not the content of emails or attachments of the Outlook users for three months.
That’s 90 days. Windows Defender was, I assume, on the job. The good news is that the bad actor was not able to read emails. The hacker wasn’t able “to steal login details of other personal information.” That’s good news too. Plus, Microsoft has “disabled the credentials used in the hack.”
Whoa, Nellie.
Windows Defender and presumably one or more of the companies offering super smart, super capable security services were protecting the company. I am besieged each week with requests to read white papers, participate in webinars, and get demonstrations of one of the hundreds of cyber security systems available today. These range from outfits which have former NSA, FBI, and CIA specialists monitoring their clients’ systems to companies that offer systems based on tireless artificial intelligence, proactive, predictive technology. Humans get involved only when the super system sends an alert. The idea is that every possible approach to security is available.
Microsoft can probably afford several systems and can use its own crack programmers to keep the company safe. Well, one caveat is that the programmers working on Windows 10 updates are probably not likely to be given responsibility for mission critical Microsoft security. Windows 10 updates are often of questionable quality.
A handful of questions occur to me:
- Perhaps Microsoft’s security expertise is not particularly good. Maybe on a par with the Windows 10 October 2018 update?
- Maybe Windows Defender cannot defend?
- Perhaps the over hyped, super capable cyber security systems do not work either?
Net net: With many well funded companies offering cyber security and big outfits entrusted by their customers with their data, are the emperors going to their yoga classes naked? Ugh. Horrible thought, but it may be accurate. At least put on some stretchy pants, please.
Stephen E Arnold, April 15, 2019
Forbes Raises Questions about Facebook Encryption
March 25, 2019
I am never sure if a story in Forbes (the capitalist tool) is real journalism or marketing. I was interested in a write up called “Could Facebook Start Mining Decrypted WhatsApp Messages For Ads And Counter-Terrorism?” The main point is that Facebook encryption could permit Facebook to read customers’ messages. The purpose of such access would be to sell ads and provide information to “governments or harvesters.” The write up states:
The problem is that end-to-end encryption only protects a message during transit. The sender’s device typically retains an unencrypted copy of the message, while the recipient’s device necessarily must decrypt the message to display to the user. If either of those two devices have been compromised by spyware, the messages between them can be observed in real-time regardless of how strong the underlying encryption is.
No problem with this description. Intentionally or unintentionally, the statement makes clear why compromising user devices is an important tool in some governments’ investigative and intelligence toolbox. Why decrypt anything if the bad actor’s mobile device or computer just emails the information to a third party?
I noted this statement as well:
The messaging app itself has access to the clear text message on both the sender and recipient’s devices.
If I understand the assertion, Facebook can read the messages sent by its encrypted service.
The write up asserts:
As its encrypted applications are increasingly used by terrorists and criminals and to share hate speech and horrific content, the company will come under further pressure to peel back the protections of encryption.
Even if Facebook wants to leave encrypted information in encrypted form, outside pressures may force Facebook to decrypt and process the information.
The conclusion of the write up is interesting:
Putting this all together, it is a near certainty that Facebook did not propose its grand vision of platform-wide end-to-end encryption without a clear plan in place to ensure it would be able to continue to monetize its users just as effectively as in its pre-encryption era. The most likely scenario is a combination of behavioral affinity inference through unencrypted metadata and on-device content mining. In the end, as end-to-end encryption meets the ad-supported commercial reality of Facebook, it is likely that we will see a dawn of a new era of on-device encrypted message mining in which Facebook is able to mine us more than ever under the guise of keeping us safe.
Speculation? Part of the capitalist toolkit it seems. Is there a solution? The write up just invokes Orwell. Fear, uncertainty, doubt. Whatever sells. But news?
Stephen E Arnold, March 25, 2019
Juicy Target: Big Cloudy Agglomerations of Virtual and Tangible Gizmos
March 9, 2019
Last week I had a call about the vulnerability of industrial facilities. The new approach is to push certain control, monitoring, and administrative systems to the cloud. The idea is that smart milling machines, welders, and similar expensive equipment can push their data to the “cloud.” The magic in the cloud then rolls up the data, giving the manufacturing outfit a big picture view of the individual machines in multiple locations. Need a human to make sure the industrial robots are working happily? Nope. Just look at a “dashboard.” If a deity were into running a chemical plant or making automobiles, the approach is common sense.
I read “Citrix Hacked and Didn’t Know Until FBI Alert.” The FBI is capable, but each week I receive email from companies which perform autonomous, proactive monitoring to identify, predict, and prevent breaches.
The write up points out:
The firm attributed the attack to an Iranian group called “IRIDIUM” and says it made off with “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”
The article buries this statement deep in the report:
The breach disclosure comes just three days after Citrix updated its SD-WAN offering to help enterprises to administer user-centric policies and connect branch employees to applications in the cloud with greater security and reliability. The product is intended to simplify branch networking by converging WAN edge capabilities and defining security zones to apply different policies for different users.
What’s the implication?
Forget GoToMyPC vulnerabilities. Old news. The bad actors may have the opportunity to derail certain industrial and manufacturing processes. What happens when a chemical plant gets the wrong instructions?
Remember the Port of Texas City mishap? A tragic failure. Accidental.
But Citrix style breaches combined with “we did not know” may presage intentional actions in the future.
Yep, cloudy with a chance of pain.
Stephen E Arnold, March 9, 2019
Simple Ways Intelligence is Fighting Cyber Crimes
March 8, 2019
Our world has never been more technologically advanced, that’s a fact. That also means that the digital threats have never been more dire, right? Yes and no, according to one source, who says that the technology might change but humans never do. We learned more from a recent CNBC story, “Google Infosec Head Heather Adkins: Ignore Scare Stories.”
According to the story:
“Adkins said sometimes the marketplace suffers from a “proliferation of cybersecurity professionals” offering conflicting advice on passwords, antivirus software, safety practices and so on…But the best rules for individuals looking to secure their personal information are the classics, Adkins said…Keep your software up to date, and don’t re-use the same password.”
This and many other examples show that good old fashioned foresight and detective work can still help fight cybercrime, even in this world of machine learning and nanotech. As Adkins says, let’s look forward in regards to security, but also not forget our past.
However, fear, uncertainty, and doubt sell—particularly to some executives uncomfortable with today’s business environment.
Patrick Roland, March 8, 2019