• Home
• About
• Writers
• Landscape
• Wizards Index
• Fraud
• Wanna Be Like Larry?

Computer Security Procedures: Carelessness, Indifference, Poor Management or a Trifecta?

“$35M Fine for Morgan Stanley after Unencrypted, Unwiped Hard Drives Are Auctioned”  raises an interesting question about security in an important company. The write up asserts:

The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.

Morgan Stanley. Outstanding. If the story is accurate, the auctioning of the drives fits with the parsimonious nature of banks in my experience. Banks like to accept money; banks do not like to output money. Therefore, selling old stuff is a matter of removing the detritus, notifying the person charged with moving surplus to a vendor, and cashing the check for the end of life, zero life clutter. Standard operating procedure? Probably. Does senior management know about hardware security for old gear? My hunch is that most senior managers know about [a] cross selling, [b] sparking deals, [c] getting on a talking head financial news show, and [d] getting the biggest bonus possible. Security is well down my hypothetical list.

Net net: Security is easy to talk about. Security requires management know how and attention to business processes, not just deals and bonus payments.

Stephen E Arnold, September 27, 2022

Google and Security: The Google Play Protect Situation

Unfortunately for Android users, Google’s default app-security program is not the safest bet. A write-up at News Patrolling explores “Why Google Play Protect Fails to Identify Malicious Apps.” A few points are obvious—Google cannot help users who turn the feature off, for example, or those who install software from other sources. The company also lacks Apple’s advantage of controlling both hardware and software. That does not explain, however, why third-party tools from AhnLab to Trend Micro outperform Play Protect. Reporter Satya Prakash observes:

• New kid on the block – As compared to other security software platforms that have been in existence for decades, Google Play Protect was launched in 2017. While it’s true that Google can hire the best security experts, it may still take some time for Google Play Protect to achieve the same level of security as offered by private software platforms. …
• Too many apps and devices – There are around 3 million apps on Google Play and several thousands are added almost every day. Combine that with thousands of different types of smartphones, having different Android versions. Apparently, it’s a massive task to be able to fix security vulnerabilities that may be present in each of these cases.
• Reliance on automated systems – Due to huge number of apps and devices, Google relies on automated systems to detect harmful behavior. Private security firms use the same approach, but apparently, they are doing a much better job. Hackers are constantly looking for new security vulnerabilities that can be exploited. This makes the job tougher for Google Play Protect.”

Happily, there are many stronger alternatives as tested by AV-Test. Their list is worth a look-see for Android users who care about security. A comparison to last year’s results shows Play Protect has actually improved a bit. Perhaps someday it will perform as well in its own app store as its third-party competition.

Cynthia Murrell, September 1, 2022

How about a Decade of Vulnerability? Great for Bad Actors

IT departments may be tired of dealing with vulnerabilities associated with Log4j, revealed late last year, but it looks like the problem will not die down any time soon. The Register reveals, “Homeland Security Warns: Expect Log4j Risks for ‘a Decade or Longer’.” Because the open-source tool is so popular, it can be difficult to track down and secure all instances of its use within an organization. Reporter Jessica Lyons Hardcastle tell us:

“Organizations can expect risks associated with Log4j vulnerabilities for ‘a decade or longer,’ according to the US Department of Homeland Security. The DHS’ Cyber Safety Review Board‘s inaugural report [PDF] dives into the now-notorious vulnerabilities discovered late last year in the Java world’s open-source logging library. The bugs proved to be a boon for cybercriminals as Log4j is so widely used, including in cloud services and enterprise applications. And because of this, miscreants soon began exploiting the flaws for all kinds of illicit activities including installing coin miners, stealing credentials and data, and deploying ransomware.”

Fortunately, no significant attacks on critical infrastructure systems have been found. Yet. The write-up continues:

“‘ICS operators rarely know what software is running on their XIoT devices, let alone know if there are instances of Log4j that can be exploited,’ Thomas Pace, a former Department of Energy cybersecurity lead and current CEO of NetRise, told The Register. NetRise bills itself as an ‘extended IoT’ (xIoT) security firm. ‘Just because these attacks have not been detected does not mean that they haven’t happened,’ Pace continued. ‘We know for a fact that threat actors are exploiting known vulnerabilities across industries. Critical infrastructure is no different.'”

Security teams have already put in long hours addressing the Log4j vulnerabilities, often forced to neglect other concerns. We are told one unspecified US cabinet department has spent some 33,000 hours guarding its own networks, and the DHS board sees no end in sight. The report classifies Log4j as an “endemic vulnerability” that could persist for 10 years or more. That is a long time for one cyber misstep to potentially trip up so many organizations. See the article for suggestions on securing systems that use Log4j and other open-source software.

Cynthia Murrell, August 10, 2022

What Microsoft Wants: Identity System and Data for Good Purposes Of Course

Microsoft wants its new Verified ID program to move beyond social media platforms. According to Error! Hyperlink reference not valid. in the article, “Microsoft Wants Everything To Come With Its Verified Check Mark,” Microsoft wants Verified ID to validate more personal information and it is starting with verifying credentials.

Verified ID would allow people to get digital credentials that prove where they graduated, their jobs, where they bank, and if they are in good health. Microsoft says Verified ID would be good for people who need to quickly share their personal information, such as job applications. Verified ID uses blockchain-based decentralized identity standards. Microsoft plans to release its Entry Verified ID, its official name, in August. The name for Microsoft’s identity product line is Entra.

Ankur Patel is a Microsoft principal program manager for digital identity and he believes Entry Verified ID will be mainstream in three years:

“In the first year, it’s likely that Verified ID will be used by organizations in tandem with existing verification methods, both digital and analog, with a portion of their users, according to Patel. Wider adoption will depend, in part, on making sure that the service itself hasn’t “done harm,” he acknowledged.

One potential risk is that individuals might inadvertently share sensitive information with the wrong parties using the system, Patel said. ‘In the physical world, when you’re presenting these kinds of things, you’re careful — you don’t just give your birth certificate to anybody,’ he said. Microsoft is aiming to limit the issues in its own digital wallets with features meant to protect against this type of accidental exposure, Patel said.”

Microsoft wants to verify everyone’s information, but what about guaranteeing that its own products are real?

Whitney Grace, June 28, 2022

Follina, Follina, Making Microsofties Cry

I read “China-Backed Hackers Are Exploiting Unpatched Microsoft Zero-Day.” According to the estimable Yahoo News outfit:

China-backed hackers are exploiting an unpatched Microsoft Office zero-day vulnerability, known as “Follina”, to execute malicious code remotely on Windows systems…. The flaw, which affects 41 Microsoft products including Windows 11 and Office 365, works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts.

Ah, ha, Windows 11. The trusted protection thing? Yeah, well. The write up added some helpful time information:

The Follina zero-day was initially reported to Microsoft on April 12, after Word documents – which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview – were found abusing the flaw in the wild. However, Shadow Chaser Group’s crazyman, the researcher who first reported the zero-day, said Microsoft initially tagged the flaw as not a “security-related issue”. The tech giant later informed the researcher that the “issue has been fixed,” but a patch does not appear to be available.

Bob Dylan’s song makes this latest security issue easy to remember:

Follina, Follina
Girl, you’re on my mind
I’m a-sittin down thinkin of you
I just can’t keep from crying

Big sobs, not sniffles.

Stephen E Arnold, June 6, 2022

Netgear: A Pioneer in What Might Be Called Baked In Insecurity

Computer security is an essential component for anyone using the Internet, because hackers target companies and individuals with scams and ransomware as well as steal personal information and intellectual property. As remote work becomes more common, the need for enhanced digital security increases. Companies that build hardware and software for Internet access are challenged to build robust and secure products. They also stand behind their products’ quality, but in a recent case networking equipment manufacturer Netgear admitted a flaw. Forbes reports the details in, “Netgear Says It Can’t Fix Multiple Vulnerabilities On Two Of Its Routers For Homeworkers.”

Netgear described the BR200 and BR500 models as secure routers for at-home workers connecting to their corporate networks. Unfortunately, these routers have exploitable security vulnerabilities and they cannot be fixed. Netgear will replace the defective models with a free or discounted router. The problem is minuscule, but all it takes is one crack to bring down a dam:

“The vulnerability of these two routers means there could be a security breach if a user is visiting a suspicious website and clicking on a malicious link while they have the router’s built-in web interface for adjusting the router’s settings. Frankly, that’s pretty unlikely to happen but with computer security, no matter how minuscule the threat might be, it must be taken seriously. The hacker only has to get lucky once.”

It is wonderful that Netgear admitted the mistake and is working with its customers to resolve the issue. Netgear also released a list of precautions BR200 and BR500 owners could use to prevent the hack if they wish to keep the router.

We wish more companies would own up to mistakes like Netgear. Politicians could certainly learn a thing or two from Netgear. Could Microsoft garner a fresh insight? Maybe?

Whitney Grace, May 31, 2022

DuckDuckGo: A Duck May Be Plucked

Metasearch engines are not understood by most Internet users. Here’s my simplified take: A company thinks it can add value to the results output from an ad-supported search engine. Maybe the search engine is a for-fee outfit? Either way, the metasearch systems gets the okay to send queries and get results. The results stream back to the metasearch outfit and the value-adding takes place.

One of the better metasearch systems was the pre-IBM Vivisimo. This outfit sent out queries to an ad-supported search engine, accepted the results, and then clustered them. The results appeared to the Vivisimo user as a results list with some folders in a panel. The idea was that the user could scan the folders and the results list. The user could decide to click on a folder and see what results it contained or just click on a link. The magic, as I understood it, was that the clustering took place in near real time. Plus, the query on the original Vivisimo pre-IBM system could send the user’s query to multiple Web search engines. The results from each search system would be de-duplicated. An interesting factoid from the 2000s is that search systems returned overlapping results 70 percent of more of the time. Dumping the duplicates was helpful. There were other interesting metasearch systems as well, but I am just using Vivisimo as an example of a pretty good one.

Privacy, like security, is a tricky concept to explain.

Using privacy to sell a free Web search system raises a number of questions; for example:

1. What’s privacy in the specific context of the metasearch engine mean?
2. Where is the money coming from to keep the lights on at the metasearch outfit?
3. What about log files?
4. What about legal orders to reveal data about users?
5. What’s the quid pro quo with the search engine or engines whose results the metasearch system uses?
6. What part of the search chain captures data, inserts trackers, bugs, cookies, etc. into the user’s query?

None of these questions catch the attention of the real news folks nor do most users know what the questions require to answer. The metasearch engines typically do not become chatty Cathies when someone like me shows up to gather information about metasearch systems. I recall the nervousness of the New York City wizard who cooked up Ixquick and the evasiveness of the owner of the Millionshort services.

Now we come to the the notion that a duck can be plucked. My hunch is that plucking a duck is a messy affair both duck and duck plucker.

“DuckDuckGo Browser Allows Microsoft Trackers Due to Search Agreement” presents information which appears to suggest that the “privacy” oriented DuckDuckGo metasearch system is not so private as some believed. The cited article states:

The privacy-focused DuckDuckGo browser purposely allows Microsoft trackers on third-party sites due to an agreement in their syndicated search content contract between the two companies.

You can read the cited article to get more insight into the assertion that DuckDuck has been pluck plucked in the feathered hole of privacy.

Am I surprised? No. Search is without a doubt one of the most remarkable business segments for soft fraud. How do I know? My partners and I created The Point in 1994, and even though you don’t remember it, I sure remember what I learned about finding information online. Lycos (CMGI) bought our curated search business, and I wrote several books about search. You know what? No one wants to think about search and soft fraud. Maybe more people should?

Net net: Free comes at a cost. One does not know what one does not know.

Stephen E Arnold, May 25, 2022

True or False: Google and Dangerous Functionality

I want to be clear: I cannot determine if security-related announcements are PR emissions, legitimate items of data, or clickbait craziness. I am on the fence with the information is “Google Cloud Apparently Has a Security Issue Even Firewalls Can’t Stop.”

The write up presents as real news:

A misconfiguration in Google Cloud Platform has been found which could give threat actors full control over a target virtual machine (VM) endpoint…

These virtual machines are important cogs in some bad actors machinery. Sure, legitimate outfits rely on the Google for important work as well. Therefore, the announcement points some bad actors toward a new opportunity to poke around and outfits engaged in ethically informed activities to batten down their digital hatches.

The write up points out that the Google agreed that “misconfiguration could bypass firewall settings.”

And the Google, being Googley, semi-agrees. Does this mean that the Google Cloud is just semi-vulnerable?

Stephen E Arnold, May 13, 2022

Ethical Behavior and the Ivy League: Redefinition by Example

First, MIT and its dalliance with the sophisticated Jeffrey Epstein. Then there was Harvard and its indifference to an allegation of improper interpersonal behavior. Sordid details abound in this allegedly accurate report. Now Yale. The bastion of “the dog”, the football game, Skull and Bones, etc., etc.

“A Former Yale Employee Admits She Stole $40 Million in Electronics from the University” makes clear that auditing, resource management, and personnel supervision are not the esteemed institution greatest strengths.

I gave a talk at Yale a decade ago. The subject was Google, sparked because one of the Yale brain trust found my analysis interesting. Strange, I thought, at the time. No one else cares about my research about Google’s systems and methods. I showed up and was greeted as though I was one of the gang. (I wasn’t.)

At dinner someone asked me, “Where did you get your PhD?” I replied with my standard line: “I don’t have a PhD. I quit to take a job at Halliburton Nuclear.” As you might imagine, the others at the dinner were not impressed.

I gave my lecture and no one — absolutely none of the 100 people in the room — asked a question. No big deal. I am familiar with the impact some of my work has elicited. One investment banker big wheel threw an empty Diet Pepsi can at me after I explained how the technology of CrossZ (a non US analytics company) preceded in invention the outfit the banked just pumped millions into. Ignorance is bliss. Same at Yale during and after my lecture.

Has Yale changed? Seems to be remarkably consistent: Detached from the actions of mere humans, convinced of a particular world view, and into the zeitgeist of being of Yale.

But $40 million?

An ethical wake up call? Nope, hit the snooze button.

Stephen E Arnold, April 5, 2022

Microsoft Help Files: Truly Helpful?

We are approaching April Fools’ Day. One company reliably provides a clever way to make me laugh. CHM? Do you know what the acronym means? No. It is a short hand way to say Compiled HTML Help file. CHH becomes CHM. Makes perfect sense to a Softie.

The tickled ribs result from bad actors using the CHM files to deliver malware.  You can read the explanation and inspiration for bad actors in “Microsoft Help Files Disguise Vidar Malware.”

The write up states:

… the .ISO file contains a .CHM file named “pss10r.chm.” Towards the end of the file’s code is a snippet of HTML application (HTA) code containing JavaScript  that covertly triggers a second file, “app.exe.” This is, in fact, Vidar malware. “One of the objects unpacked from the .CHM is the HTML file ‘PSSXMicrosoftSupportServices_HP05221271.htm’ —  the primary object that gets loaded once the CHM pss10r.chm is opened,” according to the Trustwave writeup. “This HTML has a button object which automatically triggers the silent re-execution of the .CHM “pss10r.chm” with mshta.” Mshta is a Windows binary used for executing HTA files.

With the preliminaries out of the way the malware payload downloads, does some house cleaning, and phones home.

Microsoft, the go to solution for compromising security? Maybe. And what about Defender? What about the super smart cyber security systems from big name vendors. Yeah, how about those defenses?

Now we know there is one thing worse than the informational content of Microsoft help files.

Want to guess?

The Register reports that “Microsoft Azure developers targeted by 200 data stealing npm packages.” Not familiar with npm? NPM is a software registry and contains more than 750,000 code packages. Some open source developers use npm to share software. What if an npm code package has been modified so that malicious actions are included?

Yeah.

Stephen E Arnold, March 28, 2022

« Previous Page — Next Page »

• 

• Search the site

•  

  Subscribe to Beyond Search

  • 
  • 
   
  • 
   
  
  Feature archive
  News archive
   
  
  
  Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.

• Categories

  • 3D-Printing
  • Acquisition
  • Advertising
  • Aggregation
  • AI
  • Alexa
  • algorithms
  • Amazon
  • Amazonia
  • Analytics
  • Appliance
  • Applications
  • Audio
  • Augmented Reality
  • Big data
  • Bing
  • Bitcoin
  • Bitext
  • Book review
  • Business intelligence
  • Business process
  • Business strategy
  • Censorship
  • Cloud computing
  • Company Profile
  • Conferences
  • Connectors
  • Consulting
  • Consumer
  • Content processing
  • Copyright
  • Corporate Concerns
  • Cost
  • Crawl
  • Crowdfunding
  • cryptocurrency
  • Customer support
  • Cyber OSINT
  • cybercrime
  • cybersecurity
  • Dark Web
  • DarkCyber
  • Data
  • Data mining
  • Database
  • Deepfakes
  • Digital Assistant
  • Digital Library
  • E2EE
  • ECommerce
  • EDiscovery
  • Editorial opinion
  • Education
  • Emoticons
  • Enterprise
  • Enterprise search
  • Entity extraction
  • Ethics
  • Facebook
  • Faceted search
  • Factualities
  • Feature
  • Federated search
  • Financial
  • Google
  • Governance
  • Government
  • Hackers
  • healthcare
  • IBM Watson
  • Image search
  • Indexing
  • Infrastructure
  • Innovation
  • Integration
  • intelware
  • Interface
  • Internet
  • Interview
  • Investment
  • law enforcement
  • Legal matters
  • Library automation
  • Management
  • Marketing
  • Mathematics
  • Metadata
  • Microsoft
  • Mobile
  • Natural language processing
  • News
  • NGIA
  • Online (general)
  • Open Access
  • Open source
  • OSINT
  • Osint Radar
  • Overflight
  • Palantir
  • Patents
  • Personnel
  • Podcast
  • Policeware
  • Portals
  • Predictive coding
  • Privacy
  • Profile
  • Publishing
  • Quotation
  • Real time search
  • Reference tool
  • Rich media
  • Robot Writer
  • Search
  • Search enabled applications
  • search engine
  • Search quality
  • Security
  • Semantic
  • Sentiment analysis
  • SEO
  • SharePoint
  • Short Honks
  • Smart Technology
  • Social
  • Social Media
  • software
  • Statistics
  • Taxonomy
  • Technology
  • Text analytics
  • Text processing
  • Tools
  • Tor
  • Training
  • Translation
  • Twitter
  • Uncategorized
  • Unstructured Data
  • User experience
  • User Interface
  • Vertical search
  • Video
  • visualization
  • Voice search
  • Voice technology
  • Web 3
  • Web Services
  • Webinar
  • Windows
  • Work flow
  • XML
  • Yahoo

• Archives

  Archives Select Month July 2024 June 2024 May 2024 April 2024 March 2024 February 2024 January 2024 December 2023 November 2023 October 2023 September 2023 August 2023 July 2023 June 2023 May 2023 April 2023 March 2023 February 2023 January 2023 December 2022 November 2022 October 2022 September 2022 August 2022 July 2022 June 2022 May 2022 April 2022 March 2022 February 2022 January 2022 December 2021 November 2021 October 2021 September 2021 August 2021 July 2021 June 2021 May 2021 April 2021 March 2021 February 2021 January 2021 December 2020 November 2020 October 2020 September 2020 August 2020 July 2020 June 2020 May 2020 April 2020 March 2020 February 2020 January 2020 December 2019 November 2019 October 2019 September 2019 August 2019 July 2019 June 2019 May 2019 April 2019 March 2019 February 2019 January 2019 December 2018 November 2018 October 2018 September 2018 August 2018 July 2018 June 2018 May 2018 April 2018 March 2018 February 2018 January 2018 December 2017 November 2017 October 2017 September 2017 August 2017 July 2017 June 2017 May 2017 April 2017 March 2017 February 2017 January 2017 December 2016 November 2016 October 2016 September 2016 August 2016 July 2016 June 2016 May 2016 April 2016 March 2016 February 2016 January 2016 December 2015 November 2015 October 2015 September 2015 August 2015 July 2015 June 2015 May 2015 April 2015 March 2015 February 2015 January 2015 December 2014 November 2014 October 2014 September 2014 August 2014 July 2014 June 2014 May 2014 April 2014 March 2014 February 2014 January 2014 December 2013 November 2013 October 2013 September 2013 August 2013 July 2013 June 2013 May 2013 April 2013 March 2013 February 2013 January 2013 December 2012 November 2012 October 2012 September 2012 August 2012 July 2012 June 2012 May 2012 April 2012 March 2012 February 2012 January 2012 December 2011 November 2011 October 2011 September 2011 August 2011 July 2011 June 2011 May 2011 April 2011 March 2011 February 2011 January 2011 December 2010 November 2010 October 2010 September 2010 August 2010 July 2010 June 2010 May 2010 April 2010 March 2010 February 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 November 5

• Recent Posts

  • Silicon Valley Streetbeefs
  • If Math Is Running Out of Problems, Will AI Help Out the Humans?
  • How Can Creatives Survive AI Disruptions?
  • Google and Third-Party Cookies: The Writing Is on the Financial Projection Worksheet
  • The Simple Fix: Door Dash Some Diversity in AI

• Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org