Microsoft in Perspective: Forget JEDI. Think Teams Together

July 7, 2021

I received some inputs from assorted colleagues and journalistic wizards regarding JEDI. The “real” news outfit CNBC published “Pentagon Cancels $10 Billion JEDI Cloud Contract That Amazon and Microsoft Were Fighting Over.” The write up stated:

… the Pentagon is launching a new multivendor cloud computing contract.

What caused this costly, high-profile action? Was it the beavering away of the Oracle professionals? Were those maintaining the Bezos bulldozer responsible? Was it clear-thinking consultants who asked, “Wasn’t Microsoft in the spotlight over the SolarWinds’ misstep?” I don’t know.

But let’s put this in perspective. As the JEDI deal was transported to a shelf in a Department of Defense store room at the Orchard Range Training Site in Idaho, there was an important — possibly life changing — announcement from Microsoft. Engadget phrased the technology breakthrough this way: Microsoft Teams Together Mode test lets just two people start a meeting. I learned:

Together Mode uses AI-powered segmentation to put all participants in a meeting in one virtual space.

I assume that this was previously impossible under current technology like a mobile phone, an Apple device with Facetime, Zoom, and a handheld walkie talkie, a CB radio, a ham radio, FreeConference.com, or a frequently sanitized pay phone located in a convenience store parking lot near the McCarran International Airport in Las Vegas.

I have a rhetorical question, “Is it possible to print either the news story about the JEDI termination or the FAQ for Together in the midst of — what’s it called — terror printing, horror hard copy effort — wait! — I have it. It is the condition of PrinterNightmare.”

I have to stop writing. My Windows 10 machine wants to reboot for an update.

Stephen E Arnold, July 7, 2021

And about That Windows 10 Telemetry?

May 28, 2021

The article “How to Disable Telemetry and Data Collection in Windows 10” reveals an important fact. Most Windows telemetry is turned on by default. But the write up does not explain what analyses occur for data on the company’s cloud services or for the Outlook email program. I find this amusing, but Microsoft — despite the SolarWinds and Exchange Server missteps — is perceived as the good outfit among the collection of ethical exemplars of US big technology firms.

I read “Three Years Until We’re in Orwell’s 1984 AI Surveillance Panopticon, Warns Microsoft Boss.” Do the sentiments presented as those allegedly representing the actual factual views of the Microsoft executive Brad Smith reference the Windows 10 telemetry and data collection article mentioned above? Keep in mind that Mr. Smith believed at one time that 1,000 bad actors went after Microsoft and created the minor security lapses which affected a few minor US government agencies and sparked the low profile US law enforcement entities into pre-emptive action on third party computers to help address certain persistent threats.

I chortled when I read this passage:

Brad Smith warns the science fiction of a government knowing where we are at all times, and even what we’re feeling, is becoming reality in parts of the world. Smith says it’s “difficult to catch up” with ever-advancing AI, which was revealed is being used to scan prisoners’ emotions in China.

Now about the Microsoft telemetry and other interesting processes? What about the emotions of a Windows 10 user when the printer does not work after an update? Yeah.

Stephen E Arnold, May 28, 2021

What the Colonial Pipeline Affair Has Disclosed

May 21, 2021

I worked through some of the analyses of the Colonial Pipeline event. You can get the “predictive analytics” view in Recorded Future’s marketing-centric blog post “DarkSide Ransomware Gang Says It Lost Control of Its Servers & Money a Day after Biden Threat.” You can get the digital currency can be deanonymized view in the marketing-oriented “Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other Dark Side Ransomware Victims.” You can get the marketing-oriented “Colonial Pipeline Ransomware Attack: What We Know So Far.” Please, read these after-action reports, pull out nuggets of information, and learn how well hindsight works. What’s hindsight? Here’s a definition:

the ability to understand an event or situation only after it has happened (Cambridge.org)

The definition edges close to the situation in which cyber security (not Colonial) finds itself; namely, I have seen no names of the individuals responsible. I have seen no identification of the sources of funding and support for the group responsible. I have seen no printouts illustrating the formation of the attack plan or of the log data making explicit an attack was underway.

The cyber security industry is a club, and the members of the club know their in-crowd has a license to send invoices. Not even IBM in its FUD days could have created a more effective way to sell products and services. These range from real time threat intelligence, to predictive reports explaining that lightning is about to strike, or smart autonomous cyber nervous systems sounding alarms.

Nope, not that I have heard.

Here are some issues which Colonial raised when I participated in a conference call with a couple of LE and intel types less than 24 hours ago:

  1. The existing threat intelligence, Dark Web scanners, and super AI infused whiz bang systems don’t work. They missed SolarWinds, Exchange Server, and now the Colonial Pipeline affair. Yikes. Don’t work? Right. Don’t work. If even one of the cyber security systems “worked”, then none of these breaches would have been possible. What did I hear in Harrod’s Creek? Crickets.
  2. In the case of Colonial, how much of the problem was related to business matters, not the unknown, undetected wizards of Dark Side? Who knows if the bad actors were the problem or if Colonial found the unpleasantness and opportunity for some breathing room for other activities? Where are the real journalists from Bloomberg, the New York Times, the Wall Street Journal, the Washington Post, et al? Yep, sources produced nothing and now the after action analyses will flow for a while.
  3. What about the specialist firms clustered in Herzliya? What about the monitoring and alerting systems among Cambridge, Cheltenham, and London? What about the outfits clustered near government centers in Brussels, Berlin, and Prague? I have not heard or seen anything in the feeds I monitor. Zippo.

Let’s step back.

The current cyber security set up is almost entirely reactive. Any breach is explained in terms of China, Iran, and Russia. Some toss in Iran and North Korea. Okay, add them to the list of malefactors. That does not change the calculus of these escalating cyber breaches.

The math looks like this: 1 + 0 = 32

Let me explain:

The “1” represents a cyber breach

The “0” represents the failure of existing cyber security systems to notice and/or block the bad actor’s method

The 32 means the impact is exponential—in favor of the bad actors.

With no meaningful proactive measures working in a reliable function, the cyber security systems now in place are sitting ducks.

Somebody said, “Our reaction to a situation literally has the power to change the situation itself.” Too bad this aphorism is dead wrong.

When the reactions are twisted into marketing opportunities and the fix does not work, where are we? I would suggest in a place that warrants more than sales lingo, jargon, and hand waving.

The talk about cyber security and threat intelligence sounds similar to the phrase, “Please, take off your shoes.”

Stephen E Arnold, May 21, 2021

Cyber Security: What Are You Doing?

May 20, 2021

I read “A Federal Government Left Completely Blind on Cyber attacks Looks to Force Reporting.” The write up uses a phrase for which there are a limited number of synonyms in English; namely, completely blind. There are numerous types of blindness. There’s the metaphorical blindness of William James, who coined the phrase “a certain blindness.” The wordy kin of the equally wordy Henry James means, I think, that some people just can’t “see” something. A friend says, “You will love working at Apple.” You say, “I don’t think so.” Hey, working at Apple is super, like the chaos monkeys on steroids.

Other types of blindness include losing one’s eyes; for example, Tiresias, who lost his vision seeing some interesting transformations. (Look it up.) There’s the Oedipus angle which involves breaking some Western cultural norms, ignoring inputs, and gouging out his eyes. Yep, that will do. Don’t listen, generate some inner angst, and poke one’s eyes out. There are medical reasons galore. These range from protein build-up, which is easily corrected today with some medical magic, to truly weird stuff like nuclear radiation.

The point is that cyber security has left the US government “completely blind.” The write up says:

Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyber attack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government.

What are the “rules” now? The write up says:

No federal law or regulation requires pipeline operators to report any cybersecurity incidents to the government. Instead, suggested guidance from the Transportation Security Administration — the federal agency that oversees pipeline cybersecurity — recommends that they tell local and federal officials about significant breaches.

President Biden says, according to the article, “we have to do more than is being done now.”

Who agrees? If a commercial enterprise says, “Yo, breach”, won’t the stock or value of the brand decline? If a government agency says, “We’ve been hacked”, what happens to the security manager and his / her manager?

Are the cyber security vendors able to provide a solution? Maybe.

To sum up, lots of talk and more regulation. In the meantime, ransomware bad actors are seeing an open road, no traffic cops, and a dry, clear day. Put the pedal to the metal.

Stephen E Arnold, May 20, 2021

Security: Survey Says, Not Buttoned Up

May 18, 2021

I read “Two Thirds of CISOs Admit They’re Not Ready to Face a Cyber attack.” Who would have guessed? Executives at SolarWinds, Microsoft, or Colonial Pipeline? Yet, we needed a survey to make insecurity visible it seems. The write up reports:

The 2021 edition of Proofpoint’s Voice of the CISO report — based on a survey of more than 1,400 CISOs in 14 countries — found 66 percent of the executives acknowledged their organizations were unprepared to handle a targeted cyber attack this year. In addition, more than half the CISOs (53 percent) admitted they are more concerned about the repercussions from a cyber attack this year than they were in 2020.

First, the good news. Cyber security executives are admitting that they are in reactive mode but admitting their work has been ineffective.

Now, the bad news. Bad actors can exploit the “gap” which exists between what executives license to protect their colleagues and their employers’ assets. That means that 2021 is not just going to be worse than 2020, one of the study’s findings. The survey data points out these findings:

  • 64 percent of the survey respondents are “at risk of suffering a material cyber attack.” (Are those other 36 percent that confident?)
  • 34 percent expect email compromises
  • 27 percent anticipate ransomware. (73 percent of the sample are apparently not that nervous about ransomware. Odd because insiders and phishing deliver the goods, and the Colonial Pipeline incident makes clear that authorities can apply pressure to bad actors after the event. Predictive marketing jabber, not too helpful it seems.)

And threat intelligence, Dark Web indexes, and “special” content available to some cyber intelligence firms are more like looking in a rear view mirror than watching what’s ahead. Of course, this is my opinion, and I am confident that the venture fund fat cyber intelligence firms will beg to disagree.

Stephen E Arnold, May 18, 2021

How To about Ransomware from Lawyers

May 17, 2021

Lawyers are sophisticated technologists in general. I was amazed with the advice in “Avoiding Ransomware Attacks is Not a Pipe Dream: Actionable Steps to Avoid Becoming the Next Victim.” Let’s run through the suggestions, shall we?

The first is to buy insurance. I am not sure how hedging financial losses is a way to “avoid ransomware.” If anything, insurance gives some people a false sense of security. My information comes from some individuals who suffered storm damage in Florida. Not a good sample I admit.

The second tip is to “understand what your IT provider is actually providing you.” My reaction to this brilliant chunk of “mom says” is that law firms may lack information technology professionals. I assume this dependence on outsourcing from individuals who have not read and understood the terms of their agreement with a service provider is a willing suspension of disbelief. Obviously any lawyer smart enough to buy insurance knows what an “IT provider provides.” Stellar logic.

The third tip is more reassuring: Understand what your “internal IT provides you.” Is there a cultural divide between the billable and the individuals who provide IT? No, it is helpful to speak with these IT professionals. For example, read the “data inventory.” Read the WISP or “written information security plan.” Know the firm’s “data breach response plan.” Know the “data retention plan.” (Absolutely. Without a copy of the information germane to a trial, how can those billable hours be counted? Perhaps keeping these data on a USB or a personal computer at one’s domicile is a great way to facilitate the “keep on billing” approach.) And, know the training plan. My goodness, it is possible that if a security training session is held at the firm, one should read about its plan. Attend? Yeah, well, maybe. One question, “Is there a Zoom or YouTube video one could watch if one is not billable?”

The final way to “avoid” ransomware is to talk with an attorney. What? I think the idea is that a firm may have its own legal counsel. But are recent hires permitted to call a firm’s legal advisors and spend the partners’ bonus money?

I am thrilled with this advice. Bad actors aware of law firms embracing this write up’s approach to security will seek a new line of work. Terrifyingly effective. Intellectually incisive. Practical. All-in-all wonderful.

Stephen E Arnold, May 17, 2021

Microsoft and Security: Bondo, Lead, or Duct Tape?

May 17, 2021

This round of updates will not fix all of Exchange’s vulnerabilities, but we may be getting closer to some semblance of security. The Register reports, “Microsoft Emits More Fixes for Exchange Server Plus Patches for Remote-Code Exec Holes in HTTP Stack, Visual Studio.” This release includes 55 CVE fixes for 32 MS apps and services, down from the 114 fixes released in April. Writer Thomas Claburn elaborates:

“Among the 55 CVEs identified by Microsoft, four are rated critical, 50 are rated important, and one is rated moderate. Those who recall the slew of Exchange Server fixes in March and April may experience a sense of deja vu: May brings still more Exchange Server fixes, for Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9. The four Exchange bugs are all rated moderate; one, a security-feature bypass (CVE-2021-31207), is already publicly known. Dustin Childs, director of communications for the Zero Day Initiative, observes in an advisory that a number of Exchange bugs came out of the recent Pwn2Own exploit contest. ‘More Exchange patches are expected as not everything disclosed at the contest has been addressed,’ he said. Aware that state-sponsored miscreants have been breaking into Exchange Servers via earlier vulnerabilities, Microsoft said while it’s not aware of any active exploitation of these latest flaws, ‘our recommendation is to install these updates immediately to protect your environment.’”

Good idea. Childs points to several more vulnerabilities that warrant immediate attention in HTTP Protocol Stack, Hyper-V, Visual Studio, and Windows Wireless Networking. There are also two that depend on their victims accessing a website—an OLE Automation remote code execution vulnerability and a Scripting Engine memory corruption vulnerability. Will it be another month before Microsoft addresses these?

Cynthia Murrell, May 17, 2021

Who Watches? Mom or a 20-Something?

May 14, 2021

It is undeniable that COVID-19 has forever changed the work environment. In order to guarantee that telecommuting workers were being productive, organizations adopted new ways to monitor their performance. These include software that pushes the boundary between professionalism and Big Brother.

Organizations heavily relied on Zoom for business meetings and calls, but that could be a thing of the past if NICE works. CFO Tech New Zealand has the details on the new employee management software: “NICE Rolls Out Agile Workforce Management For Distributed Workforces.”

NICE is a workforce engagement management (WEM) platform designed to virtually connect workforces in one location. Even though workers can log onto a work network, engage in a Zoom conference call, or share work via the cloud, it does not give them one centralized location.

It also does not allow organizations the chance to check in on their employees’ work. Before the pandemic, offices had “swivel chair assistance” or direct communication with workers. Worker engagement is at an all time low, but WEM could fix that. Here are some NICE features:

  • “Gain visibility – understand employee activities and behaviors based on desktop analytics and workforce management (WFM) data from schedules and activities. By leveraging business-based key performance indicators (KPIs), such as average handle time (AHT), productivity and adherence, organizations can now drive team and employee focus. A holistic view of the blended office and workforce also enables better management of performance and skill gaps.
  • Ensure performance – personalize employee coaching to meet and exceed business goals by focusing on direct data that emphasizes knowledge and gaps. This enables supervisors and managers to guide the workforce in the right direction. Share dedicated employee dashboards that provide insights to adjust their performance course.
  • Drive engagement – boost workforce commitment and engagement by creating activities that challenge, motivate and reward employees to achieve results and support teamwork. Reward success by applying points and badges and enable their use for additional time off or related prizes.”

Exactly what does NICE do as part of its business? Does the firm provide specialized services to intelligence agencies, security, and law enforcement? That’s a good question. The answer may put these NICE workforce engagement tools in a different context.

Whitney Grace, May 14, 2021

Evidence of the Unreasonable Effectiveness of Malware

May 11, 2021

I read “The Fortnite Trial Is Exposing Details About the Biggest iPhone Hack on Record.” I am less interested in the dust up between two giant commercial enterprises than the attempt Apple has made and seems to be making to cope with malware. The write up states:

Apple released emails that show that 128 million users, of which 18 million were in the U.S., downloaded apps containing malware known as XCodeGhost from the App Store.

The data are stale, dating from 2015. Perhaps more current information will emerge. Maybe there will be a chart or two, showing Apple’s progress in fighting malware. There were 4,000 malware delivering or malware infused apps. I don’t know. Details are scarce.

The write up points out:

Apple has always had a good reputation in terms of security. But the company has been reluctant to speak publicly and candidly about specific security incidents. So these emails, which were only released because of discovery in the Epic v. Apple Fortnite trial, are an interesting peek behind the curtain that show a fuller extent of the damage from this hack as well as specifics about how the company handled the hack’s fallout in real time.

Another item of interest was:

Apple also disclosed the apps that included the malicious code, some incredibly popular such as WeChat and the Chinese version of Angry Birds 2.

Some thoughts which crossed my mind.

  1. There is zero doubt in my mind that these disclosed items of data will encourage and strengthen bad actors’ confidence in the use of malware. It works.
  2. Apple appears to be trying to deal with malware, but these allegedly accurate factoids indicate that it has not been as successful as some individuals believed. Apple tried and failed, which provides a signal that a well funded, well intentioned outfit can be exploited.
  3. Malware is the Achilles’ heel for computer users. Apple’s billions cannot prevent clever bad actors from gaining access to devices.
  4. Data like these bolster comments about American online users’ loss of trust in their ISPs. (See, for example, “Study Shows Two-Thirds of Americans Don’t Trust Their Internet Service Providers.”)

Net net: Malware is unreasonably effective in compromising security. Does this mean that cyber security systems are failing? I would offer this observation, “Sure looks like it in the first degree burns left behind by SolarWinds, Microsoft Exchange Server, et al.”

Stephen E Arnold, May 11, 2021

Drone Allegedly Compromises a Tesla

May 11, 2021

I read “Tesla Car Hacked Remotely from Drone via Zero click Exploit.” I am not certain about the reproducibility of this alleged hack. Nevertheless, it encapsulates the interesting security threats in today’s zippy zip environment. The write up states:

The attack, dubbed TBONE, involves exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. An attacker can exploit these flaws to take full control of the infotainment system of a Tesla without any user interaction.

Here’s the method:

“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us [the researchers] to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity.”

What about drone based attacks on a mobile phone?

Stephen E Arnold, May 11, 2021
