Is This for Interns, Contractors, and Others Whom You Trust?
June 14, 2023
Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.
Not too far from where my office is located, an esteemed health care institution is in its second month of a slight glitch. The word in Harrod’s Creek is that the security methods in use at a major hospital were — how shall I frame this — a bit like the 2022-2023 University of Kentucky basketball team’s defense. In Harrod’s Creek lingo, this statement would translate to standard English as “them ‘Cats did truly suck.”
A young temporary worker looks at her boss. She says, “Yes, I plugged a USB drive into this computer because I need to move your PowerPoint to a different machine to complete the presentation.” The boss says, “Okay, you can use the desktop in my office. I have to go to a cyber security meeting. See you after lunch. Text me if you need a password to something.” The illustration for this hypothetical conversation emerged from the fountain of innovation known as MidJourney.
The chatter about assorted Federal agencies’ cyber personnel meeting with the institution’s own cyber experts are flitting around. When multiple Federal entities park their unobtrusive and sometimes large black SUVs close to the main entrance, someone is likely to notice.
This short blog post, however, is not about the lame duck cyber security at the health care facility. (I would add an anecdote about an experience I had in 2022. I showed up for a check up at a unit of the health care facility. Upon arriving, I pronounced my date of birth and my name. The professional on duty said, “We have an appointment for your wife and we have her medical records.” Well, that was a trivial administrative error: Wrong patient, confidential information shipped to another facility, and zero idea how that could happen. I made the appointment myself and provided the required information. That’s a great computer system and super duper security in my book.)
The question at hand, however, is: “How can a profitable, marketing oriented, big time in their mind health care outfit, suffer a catastrophic security breach?”
I shall point you to one possible pathway: Temporary workers, interns, and contractors. I will not mention other types of insiders.
Please, point your browser to Hak5.org and read about the USB Rubber Ducky. With a starting price of $80US, this USB stick has some functions which can accomplish some interesting actions. The marketing collateral explains:
Computers trust humans. Humans use keyboards. Hence the universal spec — HID, or Human Interface Device. A keyboard presents itself as a HID, and in turn it’s inherently trusted as human by the computer. The USB Rubber Ducky — which looks like an innocent flash drive to humans — abuses this trust to deliver powerful payloads, injecting keystrokes at superhuman speeds.
With the USB Rubber Ducky, one can:
- Install backdoors
- Covertly exfiltrate documents
- Capture credentials
- Execute compound actions.
Plus, if there is a USB port, the Rubber Ducky will work.
I mention this device because it may not be too difficult for a bad actor to find ways into certain types of super duper cyber secure networks. Plus temporary workers and even interns welcome a coffee in an organization’s cafeteria or a nearby coffee shop. Kick in a donut and a smile and someone may plug the drive in for free!
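A defender’s counterpart to the marketing point above, as an added example rather than anything from this post or from Hak5: keystrokes injected by a HID device arrive far faster than a human types, so a keystroke-timing log can be screened for bursts that exceed a human rate. The log, the rate threshold and the burst gap are constructed assumptions.

```python
"""Flag keystroke bursts too fast to have come from a human.

Added example, not from the original post or from Hak5. It assumes a
constructed log of keystroke timestamps (seconds); the thresholds are
assumptions to be tuned against a real baseline.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: sustained input above this many characters per second,
# over a burst of at least MIN_BURST_KEYS keys, is beyond human typing.
HUMAN_MAX_CPS = 20.0
# A silence longer than this (seconds) ends one burst and starts another.
BURST_GAP = 0.5
MIN_BURST_KEYS = 10


@dataclass
class Burst:
    start: float
    end: float
    keys: int

    @property
    def cps(self) -> float:
        """Characters per second over the burst; a one-key burst is infinite."""
        span = self.end - self.start
        return float("inf") if span <= 0 else self.keys / span


def split_bursts(timestamps: Iterable[float]) -> List[Burst]:
    """Group keystroke timestamps into bursts separated by BURST_GAP."""
    bursts: List[Burst] = []
    for t in sorted(timestamps):
        if bursts and t - bursts[-1].end <= BURST_GAP:
            bursts[-1].end = t
            bursts[-1].keys += 1
        else:
            bursts.append(Burst(start=t, end=t, keys=1))
    return bursts


def suspicious_bursts(timestamps, max_cps=HUMAN_MAX_CPS,
                      min_keys=MIN_BURST_KEYS) -> List[Burst]:
    """Return bursts long enough to judge whose rate exceeds max_cps."""
    return [b for b in split_bursts(timestamps)
            if b.keys >= min_keys and b.cps > max_cps]


# Constructed sample log: a human typing at ~5 cps, then a 60-key burst
# at 1 ms spacing (injected keystrokes), then more human typing.
HUMAN_TYPING = [i * 0.2 for i in range(30)]        # 0.0 .. 5.8 s
INJECTED = [10.0 + i * 0.001 for i in range(60)]    # 10.000 .. 10.059 s
MORE_HUMAN = [20.0 + i * 0.25 for i in range(20)]   # 20.0 .. 24.75 s
SAMPLE_LOG = HUMAN_TYPING + INJECTED + MORE_HUMAN


if __name__ == "__main__":
    for b in suspicious_bursts(SAMPLE_LOG):
        print(f"suspicious burst: {b.keys} keys in {b.end - b.start:.3f}s "
              f"({b.cps:.0f} cps) starting at t={b.start:.3f}")
```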
Stephen E Arnold, June 14, 2023
Google: Responsible and Trustworthy Chrome Extensions with a Dab of Respect the User
June 7, 2023
“More Malicious Extensions in Chrome Web Store” documents some Chrome extensions (add-ins) which allegedly compromise a user’s computer. Google has been using words like responsible and trust with increasing frequency. With Chrome in use by more than half of those with computing devices, what’s the dividing line between trust and responsibility for Google smart software and stupid but market leading software like Chrome? If a non-Google third party can spot allegedly problematic extensions, why can’t Google? Is part of the answer, “Talk is cheap. Fixing software is expensive”? That’s a good question.
The cited article states:
… we are at 18 malicious extensions with a combined user count of 55 million. The most popular of these extensions are Autoskip for Youtube, Crystal Ad block and Brisk VPN: nine, six and five million users respectively.
The write up crawfishes, stating:
Mind you: just because these extensions monetized by redirecting search pages two years ago, it doesn’t mean that they still limit themselves to it now. There are way more dangerous things one can do with the power to inject arbitrary JavaScript code into each and every website.
My reaction is that why are these allegedly malicious components in the Google “store” in the first place?
I think the answer is obvious: Talk is cheap. Fixing software is expensive. You may disagree, but I hold fast to my opinion.
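To see what the “power to inject arbitrary JavaScript code into each and every website” looks like in an extension’s own declaration, here is an added example (not from the cited article or from Google) that audits a Chrome manifest.json for site-wide content scripts and broad host permissions; the two sample manifests are constructed.

```python
"""Audit a Chrome extension manifest for site-wide script injection.

Added example, not code from the cited article or from Google. It reads
the manifest.json shape (Manifest V3 keys, with MV2-style permissions
also checked); the two sample manifests below are constructed.
"""
import json
from typing import List

# Match patterns that cover every site (assumption: the common spellings,
# not an exhaustive list).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_broad(pattern: str) -> bool:
    return pattern.strip() in BROAD_PATTERNS


def audit_manifest(manifest: dict) -> List[str]:
    """Return findings describing how the extension can run code on all sites."""
    findings: List[str] = []
    perms = manifest.get("permissions", [])
    # MV3 lists host patterns under host_permissions; MV2 mixed them
    # into permissions, so check both.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    broad_hosts = sorted(h for h in hosts if is_broad(h))
    if broad_hosts:
        findings.append(f"broad host access: {broad_hosts}")
    # Declared content scripts run inside every page their patterns match.
    for cs in manifest.get("content_scripts", []):
        broad = sorted(m for m in cs.get("matches", []) if is_broad(m))
        if broad:
            findings.append(f"content script {cs.get('js', [])} runs on {broad}")
    # The scripting permission plus broad hosts lets the extension inject
    # code at runtime that need not be in the reviewed package at all.
    if "scripting" in perms and broad_hosts:
        findings.append("scripting permission with broad hosts: runtime injection")
    return findings


def audit_manifest_text(text: str) -> List[str]:
    """Same audit over the raw contents of a manifest.json file."""
    return audit_manifest(json.loads(text))


# Constructed: an "ad blocker" that can run its script on every site.
SAMPLE_BROAD = {
    "manifest_version": 3,
    "name": "Constructed Ad Block",
    "permissions": ["scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

# Constructed: an extension scoped to a single site.
SAMPLE_NARROW = {
    "manifest_version": 3,
    "name": "Constructed Single Site Helper",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["page.js"]}],
}

if __name__ == "__main__":
    for name, m in (("broad", SAMPLE_BROAD), ("narrow", SAMPLE_NARROW)):
        print(name, audit_manifest(m) or ["no site-wide injection capability"])
```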
Stephen E Arnold, June 7, 2023
What a Difference a Format Makes. 24 Little Bytes
May 5, 2023
Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.
Lawyer Carl Oppedahl has strong feelings about the Patent Office’s push to shift applications from PDF format to the DOCX format. In his most recent blog post on the subject he considers, “How Successful Have USPTO’s DOCX Training Webinars Been?” His answer, in short, is not very.
Oppedahl recently conducted two webinars for law offices that regularly file clients’ patent applications. He polled his attendees and reports the vast majority of them felt the Patent Office has not done a good job of communicating the pros and cons of DOCX filing. More significant, though, may be the majority of attendees who say they will not or might not submit filings in DOCX in the future, despite the $200 – $400 fee for stubbornly sticking with PDFs. In our experience PDFs are a PITA, so why is there such a strong resistance to change?
I sat through a recording of Oppedahl’s first webinar on the subject, and if you believe his account there are actually some very good reasons. It is all about protecting one’s client. Oh, and protecting oneself from a malpractice claim. That could be worth a few hundred bucks (which one might pass on to the client anyway). His executive-summary slide specifies:
“DOCX filing puts you more at risk than PDF filing
PDF filing:
- You can protect yourself tomorrow or next month or TYFNIL [ten years from now in litigation].
- The Ack Receipt Message Digest allows you to prove the PDF file you preserved is the same PDF file that was uploaded to the PTO.
- You get an audit trail.
DOCX filing:
- You cannot prove what DOCX file you actually uploaded.
- The PTO throws away the DOCX file you uploaded (D1) and only keeps their manipulated version (D2).
- There is no Ack Receipt Message Digest available to prove the DOCX file you preserved is the same DOCX file that you uploaded to the USPTO.
- The USPTO destroys the audit trail.
- There is an Ack Receipt Message Digest relating to DOCX. It does not match the file you uploaded (D1) so you cannot use it to prove what you filed. It does match the file D2 that became authoritative the instant that you clicked ‘submit,’ so TYFNIL it permits the infringer to prove that you must have clicked ‘submit’ and you agreed that your uploaded DOCX file D1 was not controlling.
- In other words TYFNIL if you try to point to what you say you uploaded, and you try to say that this is what should have issued in the patent, the Message Digest will serve to say that you agreed that what you uploaded was irrelevant to what should have issued in the patent. The Message Digest serves to say that you agreed that the patent should issue based on what was in that manipulated version D2.
- In the DOCX filing system, the Message Digest has been repurposed to protect the USPTO and to protect infringers, and no longer protects you, the applicant or practitioner.”
Like I said, strong feelings. For details on each of these points, one really just needs to listen to the first 45 minutes of the webinar, not all one-and-a-half hours. A key point lies in that D1 versus D2 issue. The D2, which submitters are required to verify, is what emerges from the other side of the PTO’s proprietary DOCX validator software. According to Oppedahl, that software has been proven to introduce errors, like changing a mu to a u or a square root sign to a smiley face, for example. For patents that involve formulas or the like, that can be a huge issue. To avoid such errors being set in stone, filers (or their paralegals) must check the submitted document against the new one character by character while the midnight EST deadline looms. Not ideal.
Another important issue is the value of the Ack Receipt Message Digest facilitated by PDFs but not DOCX documents. The technology involves hash functions and is an interesting math tangent if you’re into that kind of thing.
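The D1 versus D2 argument carried through with hash functions, as an added example that is neither the USPTO’s nor Oppedahl’s code: a receipt digest only proves the bytes it was computed over, so a digest over the server’s D2 says nothing about the preserved D1. SHA-256 and the two one-line sample documents are assumptions.

```python
"""Show what an acknowledgement-receipt message digest does and does not prove.

Added example, not the USPTO's or Oppedahl's code. The digest algorithm
(SHA-256) and the two sample documents are assumptions.
"""
import hashlib
import hmac
from typing import Dict, Optional


def digest_hex(data: bytes) -> str:
    """Message digest of a file's bytes, as a receipt would record it."""
    return hashlib.sha256(data).hexdigest()


def receipt_matches(preserved: bytes, ack_digest_hex: str) -> bool:
    """True only if the preserved file is byte-for-byte what the digest covers."""
    return hmac.compare_digest(digest_hex(preserved), ack_digest_hex.lower())


def which_version(ack_digest_hex: str,
                  candidates: Dict[str, bytes]) -> Optional[str]:
    """Return the label of the candidate file the receipt digest attests, if any."""
    for label, data in candidates.items():
        if receipt_matches(data, ack_digest_hex):
            return label
    return None


# Constructed stand-ins: D1 is what the filer uploaded and kept; D2 is the
# server-side copy with a mu silently changed to a plain u, the kind of
# alteration the webinar describes. Exactly one character differs.
D1 = "Claim 1: a dose of 5 µg per kilogram.".encode("utf-8")
D2 = "Claim 1: a dose of 5 ug per kilogram.".encode("utf-8")

# PDF-style receipt: digest over the bytes the filer uploaded and preserved.
PDF_STYLE_ACK = digest_hex(D1)
# DOCX-style receipt: digest over the manipulated copy D2 instead.
DOCX_STYLE_ACK = digest_hex(D2)

if __name__ == "__main__":
    versions = {"D1": D1, "D2": D2}
    print("PDF-style receipt proves preserved D1:",
          receipt_matches(D1, PDF_STYLE_ACK))
    print("DOCX-style receipt proves preserved D1:",
          receipt_matches(D1, DOCX_STYLE_ACK))
    print("DOCX-style receipt attests:", which_version(DOCX_STYLE_ACK, versions))
```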
So why is the Patent Office pushing so hard? Apparently it is so they can automate their approval process. Automation is often a good thing, and we understand why they are eager to speed up the process and reduce their backlog. But the Patent Office may be jumping the gun if applicants’ legitimate legal standing is falling through the cracks.
Cynthia Murrell, May 5, 2023
TikTok: What Does the Software Do?
March 22, 2023
A day or two ago, information reached me in rural Kentucky about Google’s Project Zero cyber team. I think the main idea is that Google’s own mobiles, Samsung’s, and those of a handful of other vendors were vulnerable. Interesting. The people who make the phones do not know exactly what flaws or data drains their own devices have. What sticks in my mind is that these are not new mobiles like the Nothing Phone.
Why do I mention this? Software can exploit these flaws. Who knew? Obviously not Google when the phones were designed, coded, manufactured, or shipped. Some Googlers use these devices which is even more remarkable. How can a third party know exactly what functions or latent functions exist within hardware or software for that matter?
I assume that the many cyber experts will tell me, “We know.”
Okay, you know. I am not sure I believe you. Sorry.
Now I come to the TikTok is good, TikTok is evil write up “It’s Wild That Western Governments Have Decided That TikTok Might Spy for China. The App Hasn’t Helped Itself.” The article reports:
In December, TikTok admitted that some ByteDance staff in the US and China gained access to personal data of journalists in a bid to monitor their location and expose company leaks. A spokesperson said four employees who accessed the data had been fired, CNN reported at the time. TikTok has maintained the app doesn’t spy on individuals, and has pointed to the steps it’s taking to hive off user information. Theo Bertram, TikTok’s vice president for public policy in Europe, tweeted on Thursday that the app does not “collect any more data than other apps.”
What’s my point? The Google Project Zero team did not know what was possible with its own code on its own devices. Who knows exactly what the TikTok app does and does not do? Who knows what latent capabilities reside within the app?
The Wall Street Journal published “DOJ Looking into TikTok’s Tracking of Journalists” on March 19, 2023, page A-4. The story contained a statement attributed to a TikTok executive. The snippet I clipped whilst waiting for a third-world airline is:
TikTok’s chief executive Shou Zi Chew has said that divesting the company from its Chinese owners doesn’t offer any more protection than a multibillion-dollar plan the company has already proposed.
Now I am supposed to trust software from an allegedly China-affiliated app? What?
In the absence of sufficient information, what is a prudent path? One can compartmentalize, as I do. One can stop using the software, as I have for certain applications. One can filter the malicious app so that it is not available. One can install cyber defenses that monitor what’s going in and out and capture data about those flows.
The bottom-line today March 18, 2023, is that we don’t know what we don’t know. Therefore, hasta la vista TikTok.
Stephen E Arnold, March 22, 2023
Wanna Be an Old Fashioned B&E Person?
March 8, 2023
I spotted another of the info dumps which make me nervous. “Red Team, Physical Security, Covert Entry, and EDC” is another list of helpful products and tools. (EDC means every day carry.) My personal preference is that this type of information not zip around so that curious high school science club members can get some helpful ideas. What makes this list interesting is the disclaimer. Legal eagles will definitely be reluctant to take flight after reading:
Disclaimer: I am not responsible for anyone using any information in this post for any illegal activities. Getting caught with possession of burglary tools will likely land you behind bars and possibly end with a multiple felony conviction. The information in this post is for legal and authorized engagements, and to use for educational purposes only.
These types of messages are appearing with greater frequency. A good example is the message from Vaga Bond about train hopping in some interesting countries like Russia and Morocco.
If you want to see these tools, navigate to one of CosmodiumCS’s helpful YouTube videos; for example, https://www.youtube.com/watch?v=ETMHHvRrH5A.
Stephen E Arnold, March 9, 2023
Unpatchable Windows Flaw? Will Surprises Reside in Smart Software from Microsoft?
March 7, 2023
No big deal? A flaw described as “Unpatchable”? Not to worry. Okay, I will pretend not to worry, but I am worrying. Many commercial and government systems may be at risk. “Stealthy UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw” reports:
Researchers on Wednesday [presumably March 1, 2023] announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.
Microsoft’s good enough engineering has produced technology which is “unpatchable.” Shouldn’t that effort be directed toward creating software which is patchable? I know. I know. People are in a hurry. There are those TikToks to watch. Plus, who wants to fool around with secure boot issues when the future is smart software?
As the Microsofties chase after the elusive “it understands human utterance” bunny rabbit, what gotchas will be tucked inside ChatGPT-inspired applications? I am not very good at predicting the future. I am not dumb enough to say, “Hey, that Microsoft smart software will be okay.” Microsoft is good at marketing. May I suggest that Microsoft is not so good at producing software that meets users’ expectations for security.
Stephen E Arnold, March 7, 2023
Identity Theft Made Easy: Why?
December 30, 2022
Some automobiles are lemons aka money holes, because they have defects that keep breaking. Many services are like that as well, including rental car insurance, extended warranties on electronics, and identity theft protection. Life Hacker explains why identity theft protection services are a scam in the story: “Identity Theft Protection Is Mostly Bullshit.”
Most Americans receive emails or physical letters from their place of work, medical offices, insurance agencies, etc. that their personal information was involved in a data breach. As a token of atonement, victims are given free Identity Theft Protection (ITP) aka a useless service. These services promise to monitor the Internet and Dark Web for your personal information. This includes anything from your credit cards to social security number. Identity theft victims deal with ruined credit scores and possibly stolen funds. Identity Theft Protection services seem to be a good idea, until you realize that you can do the monitoring yourself for free.
ITP services monitor credit reports, social media accounts, the Dark Web, and personal financial accounts. Some of these services such as credit reports and your financial accounts will alert you when there is suspicious activity. You can do the following for free:
“You can access your credit reports for free once a year. And you should! It’s a fast and pretty straightforward operation, and at a glance you can see if someone has opened a credit card or taken out a loan in your name. In fact, the number one best way to stop folks from stealing your identity is to freeze your credit, which prevents anyone—even if they have your personal information—from getting a new credit card or loan. While this doesn’t protect you from every single kind of fraud out there, it removes the most common vectors that identity thieves use.”
The US government also maintains a Web site to assist identity theft victims. It is wise to remember that ITP services are different from identity theft insurance. The latter is the same as regular insurance, except it is meant to help when your information is stolen.
Practice good identity hygiene by monitoring your accounts and not posting too much personal information online.
Why is identity theft like a chicken wing left on a picnic table? Careless human or indifferent maintenance worker?
Whitney Grace, December 30, 2022
Who Can See Your Kiddies?
December 20, 2022
In an alarmingly hilarious situation, iCloud users are seeing photos of strangers on their devices. What sounds like a hacker’s gaffe actually proves to be a security risk. XDA Developers investigates what is going on with iCloud in, “iCloud For Windows Users Are Reportedly Seeing Random Family Photos From Strangers.”
People buy Apple products for their better security and privacy settings than PC devices. While Apple has an iCloud app for PC users, the app is not working as well as its fellow Apple products:
“Based on the reports, the corrupted files seemingly revolve around videos shot on iPhone 13 Pro and iPhone 14 Pro models. The footage in some cases is showing a black screen with scan lines. Though, what’s more worrisome is the random content that is showing up for some users. While it’s not confirmed yet, these photos of families, children, and other private moments could potentially belong to other people’s iCloud libraries. If this is the case, then Apple could get in some serious trouble. Unfortunately, deleting the iCloud for Windows app seemingly doesn’t solve this, as the issues are being reflected on the server.”
No one is certain what is causing the bug, but Apple needs to get on the problem. Apple will probably blame the issue on PCs being inept devices, or say that compatibility between Macs and PCs is the reason. Apple is not infallible, and here is a lesson in humility.
Whitney Grace, December 20, 2022
Google to Microsoft: We Are Trying to Be Helpful
December 16, 2022
Ah, those fun loving alleged monopolies are in the news again. Microsoft — famous in some circles for its interesting approach to security issues — allegedly has an Internet Explorer security problem. Wait! I thought the whole wide world was using Microsoft Edge, the new and improved solution to Web access.
According to “CVE-2022-41128: Type Confusion in Internet Explorer’s JScript9 Engine,” Internet Explorer, after decades of continuous improvement and its replacement, has a security vulnerability. Are you still using Internet Explorer? The answer may be, “Sure you are.”
With Internet Explorer following Bob down the trail of Microsoft’s most impressive software, the Redmond crowd’s Microsoft Office application still uses bits and pieces of Internet Explorer. Thrilling, right?
Google explains the Microsoft issue this way:
The JIT compiler generates code that will perform a type check on the variable q at the entry of the boom function. The JIT compiler wrongly assumes the type will not change throughout the rest of the function. This assumption is broken when q is changed from d (an Int32Array) to e (an Object). When executing q[0] = 0x42424242, the compiled code still thinks it is dealing with the previous Int32Array and uses the corresponding offsets. In reality, it is writing to wherever e.e points to in the case of a 32-bit process or e.d in the case of a 64-bit process. Based on the patch, the bug seems to lie within a flawed check in GlobOpt::OptArraySrc, one of the optimization phases. GlobOpt::OptArraySrc calls ShouldExpectConventionalArrayIndexValue and based on its return value will (in some cases wrongly) skip some code.
Got that.
The main idea is that Google is calling attention to the future great online game company’s approach to software engineering. In a word or two, “Poor to poorer.”
My view of the helpful announcement is that Microsoft Certified Professionals will have to explain this problem. Google’s sales team will happily point out this and other flaws in the Microsoft approach to enterprise software.
If you can’t trust a Web browser or remove flawed code from a widely used app, what’s the fix?
Ready for the answer: “Helpful cyber security revelations that make the online ad giant look like a friendly, fluffy Googzilla. Being helpful is the optimal way to conduct business.”
Stephen E Arnold, December 16, 2022
Apple, the Privacy and Security Outfit, Has a New Spin for Pix
December 16, 2022
In an alarmingly hilarious situation, iCloud users are seeing photos of strangers on their devices. What sounds like a hacker’s gaffe actually proves to be a security risk. XDA Developers investigates what is going on with iCloud in, “iCloud For Windows Users Are Reportedly Seeing Random Family Photos From Strangers.”
People buy Apple products for their better security and privacy settings than PC devices. While Apple has an iCloud app for PC users, the app is not working as well as its fellow Apple products:
“Based on the reports, the corrupted files seemingly revolve around videos shot on iPhone 13 Pro and iPhone 14 Pro models. The footage in some cases is showing a black screen with scan lines. Though, what’s more worrisome is the random content that is showing up for some users. While it’s not confirmed yet, these photos of families, children, and other private moments could potentially belong to other people’s iCloud libraries. If this is the case, then Apple could get in some serious trouble. Unfortunately, deleting the iCloud for Windows app seemingly doesn’t solve this, as the issues are being reflected on the server.”
No one is certain what is causing the bug, but Apple needs to get on the problem. Apple will probably blame the issue on PCs being inept devices, or say that compatibility between Macs and PCs is the reason. Apple is not infallible, and here is a lesson in humility.
Whitney Grace, December 16, 2022