Microsoft and LinkedIn: Ultimate Phishing Pool, er, Tool

April 26, 2021

Microsoft is buckling like an old building in Reykjavik. There was SolarWinds, then Microsoft Exchange Server, and then… The list goes on. Another issue has shaken the enterprise software company: LinkedIn phishing. (You thought I was going to comment about Windows Updates killing some gamers’ “experience”, didn’t you? Wrong.)

“Hackers Are Using LinkedIn As the Ultimate Phishing Tool” asserts:

According to MI5, the UK’s security agency, at least 10,000 citizens have been approached by state-sponsored threat actors using fake profiles on a popular social media platform.  While MI5 did not specifically name the platform, the BBC claims to have learned that the platform in question is LinkedIn.

Interesting. MI5 is the UK’s domestic intelligence agency. The Box usually does not seek publicity and tries to sidestep the type of information disseminated in some countries; for example, in the US, intelligence agencies proactively accessed computers and took steps to reduce the risk of malware issues. By the way, those servers were running Microsoft software. Microsoft owns LinkedIn too.

Hmmm.

The article points out:

According to MI5, the LinkedIn attacks are wider in scope and directed at staff in government departments and major businesses. Once connected, the scammers try to bait the individuals by offering speaking or business opportunities, before attempting to recruit them to pass on confidential information.

Just another crack in the Microsoft LinkedIn edifice or a signal that the company can no longer manage its software, protect its “customers”, or update a consumer PC without creating problems?

Stephen E Arnold, April 26, 2021

Microsoft, SolarWinds, 1000 Malevolent Engineers, and Too Big to Fail?

April 19, 2021

“SolarWinds Hacking Campaign Puts Microsoft in Hot Seat” is an interesting “real news” story. The write up states that the breach was a two stage operation. The first stage was using SolarWinds to distribute malware. The second stage was to use that malware as a chin up bar. Bad actors grabbed the bar and did 20 or more pull ups. The result was marketing talk and a mini-meme about 1,000 engineers concentrating their expertise on penetrating the Microsoft datasphere.

The article quoted a cyber security expert as describing Microsoft’s systems and methods as having “systematic weaknesses.” For a company whose software is a “monoculture” with an 85 percent market share, the phrase “systematic weaknesses” is not reassuring. Not only can Microsoft release updates which kill some users’ ability to print, Microsoft can release security systems which don’t secure the software.

The article includes this statement:

And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. It was alerted to its own breach by FireEye, the cybersecurity firm that first detected the hacking campaign in mid-December.

I noted that the write up does not point out that none of the cyber security firms’ breach detection solutions noted the SolarWinds’ misstep. That seems important to me, but obviously not to the “real” cyber security professionals.

The US government does not want Microsoft to fail. “NSA and FBI Move to Help Microsoft with Its Exchange Server Vulnerabilities” reports:

It is not just the NSA finding and telling Microsoft about problems with Exchange. The FBI is also concerned with the number of unpatched Exchange servers. In a rare move, the FBI sought and was granted a warrant to patch any unfixed exchange servers it found remotely.

If a Windows update creates a problem for you, perhaps a helpful professional affiliated with a government agency will assist in resolving your problem?

Stephen E Arnold, April 19, 2021

Microsoft Gets Some Help

April 14, 2021

I want to keep this item brief. Here’s the headline which caught my attention:

Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities

The DoJ statement says:

Throughout March, Microsoft and other industry partners released detection tools, patches and other information to assist victim entities in identifying and mitigating this cyber incident. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency released a Joint Advisory on Compromise of Microsoft Exchange Server on March 10. Despite these efforts, by the end of March, hundreds of web shells remained on certain United States-based computers running Microsoft Exchange Server software.

Here’s a partial fix as explained in the DoJ write up:

“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals. We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches.”

Interesting. To the reader of this blog who did not find my Microsoft Bob security T shirt amusing I would say, “What about a Microsoft Bob security baseball cap?” The Microsoft softball team appears to need some professional players to be competitive in this season’s games.

Stephen E Arnold, April 14, 2021

Apple: Two Cores Inside One Juicy Delight

April 12, 2021

I am not sure whom to believe: Tim Apple, the spokesperson for security and privacy, or a “senior Apple engineer” named Eric Friedman. Mr. Friedman has insight into Apple’s actual app review process. The orange newspaper’s story “Apple Engineer Likened App Store Security to Butter Knife in a Gunfight” stated:

[He likened] Apple’s process of reviewing new apps for the App Store to “more like the pretty lady who greets you . . . at the Hawaiian airport than the drug-sniffing dog”. He added that Apple was ill-equipped to “deflect sophisticated attackers”.

The real world approach is different from the super diligent method cultivated in the apple orchard.

The issue is important because some people like little old me have purchased super duper Apple app store apps. A go round with video recording apps produced mostly failure. Did I care? A little. Did Apple care? Ho ho ho.

But the game outfit Epic (maker of Fortnite) does care and apparently has the cash to take the nemesis of Facebook and Intel to court. I circled in apple red marker this statement in the write up:

Apple acknowledged various forms of malware on the App Store, but cited data from 2018 showing that the iPhone platform “accounted for just 0.85% of malware infections,” whereas Android accounted for 47.2 per cent of infections and Windows and PC accounted for 35.8 per cent.

That’s outstanding. Why are any malware centric apps in the Apple app store? Microsoft points to 1,000 engineers working tirelessly to keep the Azure crowd on its toes. Microsoft unfortunately is not able to make its product secure. Neither is Google. And, it seems, Apple drops the basket of Belle de Boskoops in the space ship’s Fraud Engineering Algorithms and Risk (Fear) office too.

I am not sure if these comments in the write up are Johnny Appleseed approved or faux Crimson Delights:

According to Epic, the chief of meditation app Headspace referred to “egregious theft” on the App Store, with copycat apps repeatedly springing up after allegedly stealing its intellectual property. “Shockingly, Apple [is] approving these apps, and when the users buy the apps they are left with nothing but some scammy chat rooms in the background,” he wrote to Apple, according to Epic.

Interesting. One big Apple with two different cores. Which is the real one? Worth watching.

Stephen E Arnold, April 12, 2021

PS. Here in Kentucky, the catchphrase is “don’t bring a knife to a gunfight.” But plastic butter knife? No. No. No. Pack the correct equipment shown in the table below:

[Table of three images; only the captions survive:]
  • Crocodile Dundee knife, possibly based on a Kentucky model used by Davy Crockett down yonder from Harrod’s Creek
  • Plastic butter knife with silver Mylar wrap
  • Kentucky weapon for a real gun fight

Observation: Knives won’t work when one confronts a Fort Knox tank.

Microsoft: Bob Security Captures Headlines

April 9, 2021

Sleeper code. Yep, malware injected into thousands of servers could wake up and create some interesting challenges for the JEDI contractors with Microsoft T Shirts. Here’s my design suggestion for the security experts’ team:

[Image: Microsoft Bob security T shirt design]

Do you remember the tag line for Bob, a stellar graphical interface for Microsoft Windows? No. Let me highlight one of the zippier marketing statements:

Hard working, easy going software everyone will use.

Who knew that the “everyone” would include bad actors? Plus there are two other security related items to entice cyber professionals.

First, “Windows 10 Hacked Again at Pwn2Own, Chrome, Zoom Also Fall” includes this statement:

The first to demo a successful Windows 10 exploit on Wednesday and earn $40,000 was Palo Alto Networks’ Tao Yan who used a Race Condition bug to escalate to SYSTEM privileges from a normal user on a fully patched Windows 10 machine. Windows 10 was hacked a second time using an undocumented integer overflow weakness to escalate permissions up to NT Authority\SYSTEM by a researcher known as z3r09. This also brought them $40,000 after escalating privileges from a regular (non-privileged) user. Microsoft’s OS was hacked a third time during day one of Pwn2Own by Team Viettel, who escalated a regular user’s privileges to SYSTEM using another previously unknown integer overflow bug.

The statements suggest that either the OS is deliberately flawed in order to allow certain parties unfettered access to user computers or that Microsoft is focusing on moving Paint to the outstanding Microsoft online store.

Second, I spotted “Hackers Scraped Data from 500 Million LinkedIn Users about Two Thirds of the Platform’s Userbase and Posted It for Sale Online.” (Editor’s note: Data is plural, but let’s not get distracted, shall we?) The article reports:

The data includes account IDs, full names, email addresses, phone numbers, workplace information, genders, and links to other social media accounts.

Useful to some I assume.

Net net: I wonder if a Bob baseball cap is available in the Microsoft store?

[Image: Microsoft Bob baseball cap]

I would wear one with pride during my upcoming National Cyber Crime Conference lecture.

Stephen E Arnold, April 9, 2021

Facebook Security: Fodder for Testimony?

April 9, 2021

Who knows if this is true? “533 Million Facebook Users’ Phone Numbers Leaked on Hacker Forum.” The write up states:

The mobile phone numbers and other personal information for approximately 533 million Facebook users worldwide has been leaked on a popular hacker forum for free. The stolen data first surfaced on a hacking community in June 2020 when a member began selling the Facebook data to other members.

If true, the revelation is a nice complement to a series of outstanding achievements by the centralized, big tech, really smart managers at super important companies. Examples include:

  • Twitter’s senior manager spoofing elected officials
  • Microsoft’s Exchange Server misstep when Windows Defender was on the job sort of
  • Amazon’s brilliant Twitter campaign about workers’ inexplicable need to take breaks
  • Google’s staunch defense of employees who grouse with assurances of continued employment.

Now Mr. Zuckerberg’s digital nation and its outstanding security.

How did this happen? The write up asserts:

According to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, it is believed that threat actors exploited in 2019 a now-patched vulnerability in Facebook’s “Add Friend” feature that allowed them to gain access to member’s phone numbers.

I envision Mr. Zuckerberg answering this question under oath in an upcoming Congressional hearing:

Senator X: Mr. Zuckerberg, what the heck happened? I have a teenage granddaughter. Are you protecting her?

Mr. Zuckerberg: Senator, thank you for that question. At Facebook, we take every possible precaution to guard our users’ identity. I will look into this matter and provide a report written by an Amazon PR person whom we just hired, and assign the former head of Microsoft security, also a new hire, to investigate this matter. Early reports suggest that the 1,000 criminals attacking Microsoft were supplemented with an additional 2,000 bad actors to breach our highly secure system.

Plus, the loss of data affected a mere 533 million users. Trivial. It is old news too.

Stephen E Arnold, April 9, 2021

GitHub: Amusing Security Management

April 8, 2021

I got a kick out of “GitHub Investigating Crypto-Mining Campaign Abusing Its Server Infrastructure.” I am not sure if the write up is spot on, but it is entertaining to think about Microsoft’s security systems struggling to identify an unwanted service running in GitHub. The write up asserts:

Code-hosting service GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company’s servers for illicit crypto-mining operations…

In the wake of the SolarWinds’ and Exchange Server “missteps,” Microsoft has been making noises about the tough time it has dealing with bad actors. I think one MSFT big dog said there were 1,000 hackers attacking the company.

The main idea is that attackers allegedly mine cryptocurrency on GitHub’s own servers.

This is post SolarWinds and Exchange Server “missteps”, right?

What’s the problem with cyber security systems that monitor real time threats and uncertified processes?

Oh, I forgot. These aggressively marketed cyber systems still don’t work it seems.

Stephen E Arnold, April 8, 2021

Facebook and Microsoft: Communing with the Spirit of Security

April 7, 2021

Two apparently unrelated actions by bad actors. Two paragons of user security. Two. Count ‘em.

The first incident is summarized in “Huge Facebook Leak That Contains Information about 500 Million People Came from Abuse of Contacts Tool, Company Says.” The main point is that flawed software and bad actors were responsible. But 500 million. Where is Alex Stamos when Facebook needs guru-grade security to zoom into a challenge?

The second incident is explained in “Half a Billion LinkedIn Users Have Scraped Data Sold Online.” Microsoft, the creator of the super useful Defender security system, owns LinkedIn. (How is that migration to Azure coming along?) Microsoft has been a very minor character in the great works of 2021. These are, of course, The Taming of SolarWinds and The Rape of Exchange Server.

Now what’s my point? I think when one adds 500 million and 500 million the result is a lot of people. Assume 25 percent overlap. Well, that’s still a lot of people’s information which has taken wing.

Indifference? Carelessness? Cluelessness? A lack of governance? I would suggest that a combination of charming personal characteristics makes those responsible individuals one can trust with sensitive information.

Yep, trust and credibility. Important.

Stephen E Arnold, April 7, 2021

DarkCyber for April 6, 2021, Now Available

April 6, 2021

DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known Internet services. You can view the program at this link.

This program covers five stories:

  1. Banjo, founded by a controversial figure, has been given an overhaul. There’s new management and a new name. The challenge? Turn the off tune Banjo into a sweet revenue song.
  2. The Dark Web is not a hot bed of innovation. In fact, it’s stagnant, and law enforcement has figured out its technology and is pursuing persons of interest. A “new” Dark Web-like datasphere is now emerging. Robust encrypted messaging apps allow bad actors to make deals, pay for goods and services, and locate fellow travelers more easily and quickly than ever before.
  3. User tracking is a generator of high value information. Some believe that user tracking is benign or nothing about which to worry. That’s not exactly the situation when third-party and primary data are gathered, cross-correlated, and analyzed. Finding an insider who can be compromised has never been easier.
  4. New cyber crime reports are flowing in the aftermath of the SolarWinds and Microsoft Exchange Server fiascos. What’s interesting is that two of these reports reveal information which provides useful insight into what the bad actors did to compromise thousands of systems.
  5. The final story reports about the world’s first drone which makes it possible for law enforcement and intelligence operatives to conduct a video conference with a bad actor near the drone. The innovative device can also smash through tempered glass to gather information about persons of interest.

DarkCyber is produced by Stephen E Arnold. The program is a production of Beyond Search and Arnold Information Technology. Mr. Arnold is the author of CyberOSINT and The Dark Web Notebook. He will be lecturing at the 2021 National Cyber Crime Conference.

Kenny Toth, April 6, 2021

Solarwinds: Making Security a Priority. After the Barn Burned and Running in the Crime Derby

March 31, 2021

I read a remarkable write up called “SolarWinds CEO Gives Chief Security Officer Authority and Air Cover to Make Software Security a Priority.” The article is notable for the information omitted. Here’s a passage I noted:

He created a cybersecurity committee for the board that includes him and two sitting board members. He also said that he has given the company’s chief security officer the power to stop any software release if necessary to address security concerns.

A security committee. Will the group produce a security solution which is elegant, effective, and able to restore trust?

The write up identifies the causes of security breaches. These are managerial missteps. Obviously SolarWinds believes a committee is the optimal way to deal with wonky management by those with an eye on the bottom line, bonuses, and a responsibility-free tenure as top dog.

The technical causes are not really causes. Sorry, but phishing is not a cause. Phishing is a method implemented because employees have inadequate training and the organizations employing these people drop the ball in setting up a defensible perimeter.

Why is this remarkable? Misdirection, blame shifting, and a belief a committee can overcome MBA thinking, compensation incentives, and what I call a high school science club sense of exceptionalism.

Stephen E Arnold, March 31, 2021
