DarkCyber for November 30, 2021: Sean Brizendine, SecureX
November 30, 2021
This DarkCyber program features an interview with Sean Brizendine. He is one of the founders of SecureX, where he serves as the director of Blockchain technology. The interview covers:
- SecureX’s secret sauce in the crypto currency and services market
- How open source software fits into the company’s technology portfolio
- How the products and services further the capabilities of Web 3.0, distributed computing, and enhanced online security.
Mr. Brizendine is a certified Certified IIB Council Blockchain Professional & EC Council Online University Lecturer covering Blockchain in their Cyber Talk Webinar Series.
You can view the 11 minute interview on YouTube at this link.
Kenny Toth, November 30, 2021
An Epidemic of Whistle Blowing?
October 22, 2021
Are organizations prepared for an epidemic of whistle blowing?
This question struck me as I read “How One Facebook Worker Unfriended the Giant Social Network.” Here’s the statement in the article which caught my attention:
“There has just been a general awakening amongst workers at the tech companies asking, `What am I doing here?’” said Jonas Kron of Trillium Investment Management, which has pushed Google to increase protection for employees who raise the alarm about corporate misdeeds. “When you have hundreds of thousands of people asking that question, it’s inevitable you’ll get more whistleblowing,” he said.
The comment touched upon two issues which I don’t think have been resolved.
The first is the “awakening.” The idea that workers are “woke” is interesting. My reaction is that the flood of information about social unraveling, breakdowns in what were supposed to be reliable services, and the waves of disturbing news have broken down the “I’m entitled” Drosophila in these folks’ brains. Woke is not a good word. I think something along the lines “I understand now” is more accurate.
The second is the statement that a particular individual who allegedly “has pushed Google to increase protection for employees who raise the alarm about corporate misdeeds.” Okay, that’s interesting. How is that working out for those of the Timnit Gebru ilk?
Net net: Whistle blowers can present different reasons for their actions. The write up makes clear that the “cult of me” is alive and well. Some “me’s” are into dumping documents and information which are confidential. These actions take place even though the person has signed an agreement to keep an organization’s data secret. Guess that piece of paper is not working too well, right? Plus, an investment professional urging the Google to alter its DNA is a helpful endorsement of an individual’s valiant effort to induce change and get some good vibes for the action. Whistle blowing may be little more than an extension of an individual’s need to be the nail that sticks up.
Stephen E Arnold, October 22, 2021
Human Editors and Subject Matter Experts? Dinosaurs but Just from a Previous Era
October 15, 2021
I read “Bugs in our Pockets: The Risks of Client-Side Scanning.” The embargo is amusing, and it underscores the issues related to confidential information and the notion of information wants to be free. Amusing, maybe not?
The write up looks a bit like a paper destined for a pay-to-play publisher or an outfit which cultivates a cabal-like approach to publishing. (Hello, ACM?) The paper includes 13 authors, and I suppose the idea is to convey consensus or a lead author who wishes to keep his or her head below the concrete bunker in order to avoid direct hits from those who don’t agree with the write up.
I neither agree nor disagree. I interpreted the write up as:
- A clever bit of SEO, particularly the embargo and the availability of the paper to certain saucy online information services
- A way to present some entities, although with the titles and email contacts favored by some link hunters
- A technical bit of push back for assorted government mumbling about privacy, security, and another assault on personal freedoms.
Yep, the sky is falling.
Please, read the paper. One business executive allegedly said, “There is no return to normal. Today’s environment is the new normal.”
Is it possible this paper triggers Apple TV or YouTube to cue 1973 hit “The Way We Were”?
Stephen E Arnold, October 15, 2021
DarkCyber for September 21, 2021 Now Available
September 21, 2021
DarkCyber for September 21, 2021, reports about the Dark Web, cyber crime, and lesser known Internet services. The program is produced every two weeks. This is the 19th show of 2021. There are no sponsored stories nor advertisements. The program provides basic information about subjects which may not have been given attention in other forums. The program is available at this link.
This week’s program includes five stories.
First, we provide information about two online services which offer content related to nuclear weapons. Neither source has been updated for a number of months. If you have an interest in this subject, you may want to examine the information in the event it is disappeared.
Second, you will learn about Spyfone. DarkCyber’s approach is to raise the question, “What happens when specialized software once considered “secret” by some nation states becomes available to consumers.
Third, China has demonstrated its control of certain online companies; for example, Apple. The country can cause certain applications to be removed from online stores. The argument is that large US companies, like a French bulldog, must be trained in order stay in the Middle Kingdom.
Fourth, we offer two short items about malware delivered in interesting ways. The first technique is put malicious code in a video card’s graphics processing unit. The second summarizes how “free” games have become a vector for compromising network security.
The final story reports that a Russian manufacturer of drones is taking advantage of a relaxed policy toward weapons export. The Russian firm will produce Predator-like drones in countries which purchase the unmanned aerial vehicles. The technology includes 3D printing, specialized software, and other advanced manufacturing techniques. The program includes information about they type of kinetic weapons these drones can launch.
DarkCyber is produced by Stephen E Arnold and his DarkCyber research team. You can download the program from the Beyond Search blog or from YouTube.
Kenny Toth, September 21, 2021
T-Mobile Security: A Quote to Note
September 1, 2021
“T-Mobile Hacker Found Weakness” is a summary of the all-too-familiar story of a big company, indifference, security hand waving, and an alleged breach of alleged customers. Please, read the original “real” news story. No payee; no viewee, however. I want to highlight what I think is the most important direct quote in the write up; to wit:
Their security is awful.
That’s pretty juicy.
Wait, please. One more gem is tucked into the write up. Here’s that statement:
On August 13, the security research firm Unit221B LLC reported to T-Mobile that an account was attempting to sell T-Mobile customer data, according to the security firm.
What this statement, if accurate, suggests that the hundreds of high end, proactive threat detection systems did not spot this breach and offer of customer data.
One firm did. And what about other cyber security experts?
My hunch is that if the statements in the article are on the money, it may be time to entertain this question: Why don’t high end cyber security systems work?
Stephen E Arnold, September 1, 2021
Microsoft: Maybe ESET-Type Companies Are a Problem?
August 12, 2021
Microsoft security may have a problem other than bad actors compromising systems. The news cycle has moved forward, but I still chuckle at the SolarWinds’ misstep. How many super duper cyber solutions failed to detect the months long compromise of core Windows processes? I don’t know, and my hunch is that whoever knows does not want to talk about the timeline. That’s understandable.
I read “IISpy: A Complex Server?Side Backdoor with Anti?Forensic Features.” The source appears to be We Live Security which is reporting about an ESET research finding. (I find it interesting that cyber security researchers report interesting things that other cyber security vendors appear not to report or possibly know about. Interesting or a signal that cyber security systems are not particularly effective when new methods poke through a secured system, saying, “Surprise!)
The write up states:
According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension. According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators to not use any security software on servers, and thus our visibility into IIS servers is limited.
If the affected server is the exact one the bad actor wants, numbers may not be germane. Also, does the phrase “not the full picture” indicate that the cyber researchers are not exactly what’s going on?
Interesting questions from my point of view.
If I step back, what’s my observation:
Perhaps cyber security is in a quite pitiful state. If this is accurate, why would the US government offer Amazon AWS another $10 billion deal? Microsoft will contest this important award. You can read the Microsoft News story “Microsoft Challenges the Government’s Decision to Award Amazon a NSA Cloud-Computing Contract, Which Could Be Worth $10 Billion” to get a sense about the disconnect between selling and addressing what may be fundamental security issues.
Would that money, time, and effort be better invested in addressing what seems to be another troubling security issue?
The answer to this question would be in my opinion a true juicy potato.
Stephen E Arnold, August 12, 2021
New Malware MosaicLoader Takes Unusual Attack Vector
August 5, 2021
ZDNet warns us about some micro targeting from bad actors in, “This Password-Stealing Windows Malware is Distributed Via Ads in Search Results.” The malware was first identified by Bitdefender, which named it MosaicLoader. The security experts believe a new group is behind these attacks, one not tied to any known entities. Writer Danny Palmer tells us:
“MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. Unlike many forms of malware, which get distributed via phishing attacks or unpatched software vulnerabilities, MosaicLoader is delivered to victims via advertising. Links to the malware appear at the top of search results when people search for cracked versions of popular software. Automated systems used to buy and serve advertising space likely means that nobody in the chain – aside from the attackers – know the adverts are malicious at all. The security company said that employees working from home are at higher risk of downloading cracked software. ‘Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call,’ Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.”
Antivirus software might catch MosaicLoader—if users have not disabled it because they are downloading illegally cracked software. Oops. Once downloaded, the malware can steal usernames and passwords, farm out crypto currency mining, and install Trojan software through which malefactors can access the machine. Users should be safe if they do not attempt to download pirated software. Sometimes, though, such software does a good job of posing as legitimate. Palmer advises readers to avoid being duped by navigating away if instructed to disable antivirus software before downloading any program. That is always good advice.
Cynthia Murrell, August 5, 2021
DarkCyber for July 27, 2021: NSO Group Again, Making AWS Bots, How Bad Actors Scale, and Tethered Drones
July 27, 2021
The 15th DarkCyber for 2021 addresses some of the NSO Group’s market position. With more than a dozen news organizations digging into who does what with the Pegasus intelware system, the Israeli company has become the face of what some have called the spyware industry. In this program, Stephen E Arnold, author of the Dark Web Notebook, explains how bad actors scale their cyber crime operations. One thousand engineers is an estimate which is at odds with how these cyber groups and units operate. What’s the technique? Tune in to learn why Silicon Valley provided the road map for global cyber attacks. If you are curious, you can build your own software robot to perform interesting actions using the Amazon AWS system as a launch pad. The final story explains that innovation in policing can arrive from the distant pass. An 18th century idea may be the next big thing in law enforcement’s use of drones. DarkCyber is produced by Stephen E Arnold, who publishes Beyond Search. You can access the blog at www.arnoldit.com/wordpress and view the DarkCyber video at this link.
Kenny Toth, July 27, 2021
NSO Group: The Rip in the Fabric of Intelware
July 22, 2021
A contentious relationship with the “real news” organizations can be risky. I have worked at a major newspaper and a major publisher. The tenacity of some of my former colleagues is comparable to the grit one associates with an Army Ranger or Navy Seal, just with a slightly more sensitive wrapper. Journalists favored semi with it clothes, not bushy beards. The editorial team was more comfortable with laptops than an F SCAR.
Communications associated with NSO Group — the headline magnet among the dozens of Israel-based specialized software companies (an very close in group by the way)— may have torn the fabric shrouding the relationship among former colleagues in the military, government agencies, their customers, and their targets.
Whose to blame? The media? Maybe. I don’t have a dog in this particular season’s of fights. The action promises to be interesting and potentially devastating to some comfortable business models. NSO Group is just one of many firms working to capture the money associated with cyber intelligence and cyber security. The spat between the likes of journalists at the Guardian and the Washington Post and NSO Group appears to be diffusing like spilled ink on a camouflage jacket.
I noted “Pegasus Spyware Seller: Blame Our Customers Not Us for Hacking.” The main point seems to be that NSO Group allegedly suggests that those entities licensing the NSO Group specialized software are responsible for their use of the software. The write up reports:
But a company spokesman told BBC News: “Firstly, we don’t have servers in Cyprus.
“And secondly, we don’t have any data of our customers in our possession.
“And more than that, the customers are not related to each other, as each customer is separate.
“So there should not be a list like this at all anywhere.”
And the number of potential targets did not reflect the way Pegasus worked.
“It’s an insane number,” the spokesman said.
“Our customers have an average of 100 targets a year.
“Since the beginning of the company, we didn’t have 50,000 targets total.”
For me, the question becomes, “What controls exist within the Pegasus system to manage the usage of the surveillance system?” If there are controls, why are these not monitored by an appropriate entity; for example, an oversight agency within Israel? If there are no controls, has Pegasus become an “on premises” install set up so that a licensee has a locked down, air tight version of the NSO Group tools?
The second item I noticed was “NSO Says ‘Enough Is Enough,’ Will No Longer Talk to the Press About Damning Reports.” At first glance, I assumed that an inquiry was made by the online news service and the call was not returned. That happens to me several times a day. I am an advocate of my version of cancel culture. I just never call the entity again and move on. I am too old to fiddle with the egos of a younger person who believes that a divine entity has given that individual special privileges. Nope, delete.
But not NSO Group. According to the write up:
“Enough is enough!” a company spokesperson wrote in a statement emailed to news organizations. “In light of the recent planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.” NSO has not responded to Motherboard’s repeated requests for comment and for an interview.
Okay, the enough is enough message is allegedly in “writing.” That’s better than a fake message disseminated via TikTok. However, the “real journalists” are likely to become more persistent. Despite a lack of familiarity with the specialized software sector, a large number of history majors and liberal arts grads can do what “real” intelligence analysts do. Believe me, there’s quite a bit of open source information about the cozy relationship within and among Israel’s specialized software sector, the interaction of these firms with certain government entities, and public messages parked in unlikely open source Web sites to keep the “real” journalists learning, writing, and probing.
In my opinion, allowing specialized software services to become public; that is, actually talk about the capabilities of surveillance and intercept systems was a very, very bad idea. But money is money and sales are sales. Incentive schemes for the owners of specialized software companies guarantee than I can spend eight hours a day watching free webinars that explain the ins and outs of specialized software systems. I won’t but some of the now ignited flames of “real” journalism will. They will learn almost exactly what is presented in classified settings. Why? Capabilities when explained in public and secret forums use almost the same slide decks, the same words, and the same case examples which vary in level of detail presented. This is how marketing works in my opinion.
Observations:
1. A PR disaster is, it appears, becoming a significant political issue. This may pose some interesting challenges within the Israel centric specialized software sector. NSO Group’s system ran on cloud services like Amazon’s until AWS allegedly pushed Pegasus out of the Bezos stable.
2. A breaker of the specialized software business model of selling to governments and companies. The cost of developing, enhancing, and operating most specialized software systems keeps companies on the knife edge of solvency. The push into commercial use of the tools by companies or consumerizing the reports means government contracts will become more important if the non-governmental work is cut off. Does the world need several dozen Dark Web indexing outfits and smart time line and entity tools? Nope.
3. A boost to bad actors. The reporting in the last week or so has provided a detailed road map to bad actors in some countries about [a] What can be done, [b] How systems like Pegasus operate, [c] the inherent lack of security in systems and devices charmingly labeled “insecure by design” by a certain big software company, and [d] specific pointers to the existence of zero day opportunities in blast door protected devices. That’s a hoot at ??????? ???? “Console”.
Net net: The NSO Group “matter” is a very significant milestone in the journey of specialized software companies. The reports from the front lines will be fascinating. I anticipate excitement in Belgium, France, Germany, Israel, the United Kingdom, and a number of other countries. Maybe a specialized software Covid Delta?
Stephen E Arnold, July 22, 2021
How Do You Spell Control? Maybe Google?
July 8, 2021
The lack of a standardized format has made it difficult to manage vulnerabilities in open source software. Now, SiliconAngle reports, “Google Announces Unified Schema to Make Sharing Vulnerabilities Easier.” Writer Duncan Riley explains:
“Google LLC today announced a unified schema for describing vulnerabilities precisely to make it easier to share vulnerabilities between databases. The idea behind the unified schema is to address an issue with existing vulnerability databases where various ecosystems and organizations create their own data. As each uses its own format to describe vulnerabilities, a client tracking vulnerabilities across multiple databases must handle each separately. Because of the lack of a common standard, sharing vulnerabilities among databases is challenging. The new unified schema for describing vulnerabilities has been designed by the Google Open Source Security Team, Go Team and the broader open-source community and has been designed from the beginning for open-source ecosystems. The unified format will allow vulnerability databases, open-source users and security researchers to share tooling and consume vulnerabilities more easily across open source, providing a complete view of vulnerabilities in open source.”
Google also launched its Open Source Vulnerabilities database in February, describing it as the “first step toward improving vulnerability triage for developers and consumers of open-source software.” Originally populated with a few thousand vulnerabilities from the OSS-Fuzz project, the database is being expanded to open-source ecosystems Go, Rust, Python and DWF. These seems like moves in the right direction, but can we trust Google deliver objective, unfiltered reports? Or will it operate as it has with YouTube filtering and AI ethics staff management?
Cynthia Murrell, July 8, 2021
-
- Subscribe to Beyond Search
Feature archive
News archive
-
