The Stochastic Terrorism Loophole: A Hidden Dimension?

September 7, 2022

Now that’s an interesting way to describe the actions of network providers / ISPs who look like “good guys” but may have a less visible suite of services on offer. I think stochastic terrorism is information warfare designed to achieve specific goals. You may disagree, but this notion is okay for me.

I read “How Cloudflare Got Kiwi Farms Wrong.” The write up states:

Most casual web surfers may be unaware of Cloudflare’s existence. But the company’s offerings are essential to the functioning of the internet. And it provided at least three services that have been invaluable to Kiwi Farms.

That’s a fair statement … as far as it goes. I would suggest that the world of network providers / ISPs — what the source article calls infrastructure — is not well understood even by those who are the senior managers of Cloudflare-type companies. This willful unknowing produces statements like, “Senator, thank you for the question. I will get the answer to your office…” My hunch is that Cloudflare is large enough to have a plethora of apologists and explainers, PR professionals and lawyers, to make clear that Cloudflare is working overtime to be wonderful.

The cited article asserts:

… it’s notable that for all its claims about wanting to bring about an end to cyberattacks, Cloudflare provides security services to … makers of cyberattack software! That’s the claim made in this blog post from Sergiy P. Usatyuk, who was convicted of running a large DDoS-for-hire scheme. Writing in response to the Kiwi Farms controversy, Usatyuk notes that Cloudflare profits from such schemes because it can sell protection to the victims.

Is this what I call the saloon door approach? The idea is that technology like a saloon door can admit anyone who can stagger, walk, or crawl. Plus the saloon door swings both ways, just like a flow of zeros and ones.

Also, Cloudflare is visible, has many customers, and positions itself as a champion of truth, justice, and the American way. Is this a new tactic? Has the rhetorical positioning been used by other network providers / ISPs; say, for instance, Amazon, Google, Microsoft, and some others? Are there network providers and ISPs which most people know nothing about? Is there such an operation in Bulgaria, Germany, or Moldova? (Next week I will share some details with those attending my lecture to a couple of cyber professionals who are affiliated with the US government. Sorry. That information is not appropriate for my free blog about stuff that sort of intrigues me.)

Let me try to share how I translated the Silicon Valley real news essay about Cloudflare and KiwiFarms. I think the point beneath the surface of the 2,000-word essay is something along the lines of:

No one understands too much about these network providers / ISPs, their business models, their customers, and their services. Wow. Wow. Wow.

May I ask a couple of questions?

Who is responsible for paying attention to the plumbing? Is it the government, the local police department’s cyber investigators, the folks at Interpol, the companies’ boards of directors, the Silicon Valley real news people, or those zapped by weaponized information and services?

I think you know the answer.

No one.

The nifty phrase stochastic terrorism loophole is a consequence of the Wild West, revenue-any-way-one-can-get-it, apologize-and-never-ever-ask-for-permission mentality that is having a few trivial social consequences. How are those YouTube content creators in Russia dealing with network providers / ISPs? One could ask Bald and Bankrupt I suppose as he modifies his life in the face of IRL.

News flash: There are thousands of network providers and ISPs in North America. There are some interesting outfits in Iceland and Romania. There are countries not aligned with American processes providing plumbing, including an almost unknown outfit in northern India.

The fancy phrase makes clear that a good understanding of network services / ISPs is not part of the equipment for living. The current dust up has captured the hearts, minds, and clicks of some observers.

There’s more to learn but when one does know what one does not know, the stochastic terrorism loophole does not provide what a day time drama tried to deliver: A guiding light. Who sponsored that program anyway?

Stephen E Arnold, September 7, 2022

ISPs and Network Providers: The Big Warming

September 5, 2022

On September 14, 2022, I will be sharing some of my team’s research about ISPs and network providers. Coincidentally, the “open” information services are providing interesting — but not yet rock solid — information about the ISP and network provider world. In a sense, figuring out what ISPs and network providers are doing is like looking at distant star data in the Webb space telescope data stream. There is information flowing, but making those data speak clearly is not an easy job.

I read “I Ran the Worlds Largest DDOS for Hire Empire and CloudFlare Helped.” The write up struck me as quite interesting. I circled this passage as interesting but not backed up with footnotes or cheerful hyperlinks:

As the infrastructure provider for over 20% of all www traffic traversing the internet today, CloudFlare is in a position to enforce its beliefs on a global scale. Most of the time this isn’t a problem, lots of nefarious websites try to take advantage of the services CloudFlare offers and are rightfully kicked off. The problems arise in a small category of websites that blur the line.

The “blur” seems to say to me: “Hey, we are big and well known, and maybe some bad actors use our service.”

Here’s another sentence which may catch the attention of legal eagles:

As someone who has previously justified their actions by saying “I am not directly causing harm, the responsibility flows downstream to my end users” I can tell you it is a shaky defense at best. The situation would be different if CloudFlare was unaware of the booter websites they are offering protection to, but that is not the case. CloudFlare knows who they are protecting and chooses to continue doing so, being fully cognizant of the end result their actions will have. Let’s talk about that end result because the hypocrisy of it all stings like a slap in the face as I type this. CloudFlare is responsible for keeping booter websites online and operating, the very same websites whose sole purpose is to fuel CloudFlare’s very own business model, selling DDoS protection.

I am no lawyer and I certainly don’t understand anything other than my dinobaby world. However, it seems as if a big company is allegedly in a position to do more to protect truth, justice, and the American way than it may be doing. Oh, the American way means operating without meaningful oversight, regulation, and the invisible ethical hand that makes stakeholders quiver with glee.

Worth watching what other ISP and network provider examples emerge as the real journalists reach their coffee shops and begin working this subject.

Stephen E Arnold, September 5, 2022

Open Source: Everyone Uses It. Now Bad Actors Know Where to Aim

September 2, 2022

Peace of mind is a valuable thing, a commodity one might think worth allocating some funds to ensure, particularly when one is engaged in permanent cyber warfare. Yet, according to BetaNews, “80 Percent of Enterprises Use Open Source Software and Nearly All Worry About Security.” A recent report from Synopsys and based on research by Enterprise Strategy Group found 80% of enterprises use open source software (OSS), and 99% of those are concerned about related security issues. Apparently one percent is not paying attention—such worry is justified because few in the IT department know what’s in the open source libraries or know how to find manipulated or rogue instructions. Reporter Ian Barker tells us:

“In response to high profile supply chain attacks 73 percent of respondents say they have increased their efforts significantly to secure their organizations’ software supply chain. Steps taken include the adoption of some form of multi-factor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent). Despite those efforts, 34 percent of organizations report that their applications have been exploited due to a known vulnerability in open source software within the last 12 months, with 28 percent having suffered a previously unknown zero-day exploit found in open source software.

Pressure to improve software supply chain risk management has shone a spotlight on software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — the ESG research shows that 39 percent of survey respondents marked this task as a challenge of using OSS. … [The study also found] 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.”

All this, and the use of open source software is expected to jump to 99% next year. It seems those who hold organizational purse strings care more about saving a few bucks than about their cybersecurity teams’ sleepless nights. If they suffer a breach, however, they may find that metaphoric purse has acquired a large hole. Just a thought, but an ounce of prevention may be warranted here.

Cheap and easy? Yep.

Cynthia Murrell, September 2, 2022

Google: Errors Are Not Possible… Mostly

August 29, 2022

In my upcoming talk for a US government law enforcement meeting, I talk about some of the issues associated with wonky smart software. I spotted a fantastic example of how one quasi-alleged monopoly deals with tough questions about zippy technology.

As I understand “Google Refuses to Reinstate Man’s Account after He Took Medical Images of Son’s Groin,” an online ad company does not make errors… mostly. The article, which appeared in a UK newspaper, stated:

Google has refused to reinstate a man’s account after it wrongly flagged medical images he took of his son’s groin as child sexual abuse material…

The Alphabet Google YouTube DeepMind entity has sophisticated AI/ML (artificial intelligence/machine learning) systems which flag inappropriate content. Like most digital watchdogs, zeros and ones are flawless… mostly, even though Google humans help out the excellent software. The article reports:

When the photos were automatically uploaded to the cloud, Google’s system identified them as CSAM. Two days later, Mark’s Gmail and other Google accounts, including Google Fi, which provides his phone service, were disabled over “harmful content” that was “a severe violation of the company’s policies and might be illegal”, the Times reported, citing a message on his phone. He later found out that Google had flagged another video he had on his phone and that the San Francisco police department opened an investigation into him. Mark was cleared of any criminal wrongdoing, but Google has said it will stand by its decision.

The cited article quotes a person from the American Civil Liberties Union, offering this observation:

“These systems can cause real problems for people.”

Several observations:

  1. Google is confident its smart software works; thus, Google is correct in its position on this misunderstanding.
  2. The real journalists and the father who tried to respond to a medical doctor to assist his son are not Googley; that is, given their response to the fabulous screening methods, they will not be able to get hired at the Alphabet Google YouTube construct as full time employees or contractors.
  3. The online ad company and would-be emulator of TikTok provides many helpful services. Those services allow the company to control information flows to help out everyone every single day.
  4. More color for this uplifting story can be found here.

Net net: Mother Google is correct… mostly. That’s why the Google timer is back online. Just click here. The company cares… mostly.

Stephen E Arnold, August 23, 2022

Albert the (Bug) Bounty Hunter

August 18, 2022

Albert Pedersen, an inquisitive scholar in Denmark, makes a hobby of prodding software for vulnerabilities. Now he has proudly collected a bounty after his second successful hunt. Gizmodo reports, “A College Student Discovered a Bug in Cloudflare Email Routing that Let You Read Any User’s Emails.” Email routing services allow users to create disposable email addresses that point back to their “real” accounts and can be valuable privacy tools. That is, if they are truly secure. Writer Lucas Ropek reports:

“Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when properly exploited, allowed any user to read—or even manipulate—other users’ emails. … The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s ‘zone ownership verification’ system, meaning that it was possible for a hacker to reconfigure email routing and forwarding for email domains that weren’t owned by them. Proper manipulation of the exploit would have allowed someone with knowledge of the bug to re-route any users’ emails to their own address. It would have also allowed a hacker to prevent certain emails from being sent to the target at all. In his write-up, Pedersen notes that it’s not that difficult to find online lists of email addresses attached to Cloudflare’s service. Using one of those lists, a bad guy could have quite easily targeted anybody using the forwarding service. After discovering the exploit, Pedersen managed to reproduce it a number of times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program.”

We are sure Cloudflare considers the bounty to be $6,000 well spent. Had the bug gone unsquashed, the repercussions may have gone well beyond the troublesome privacy issues. Bad actors could also have used it to reset passwords, gaining access to financial and other accounts. As Ropek points out, this is a good illustration of why two-factor authentication is worth the hassle. As talented as he is, the intrepid young Dane is only one person. He may not catch the next bug in time.
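The page does not describe the mechanics of the bug Pedersen found, so what follows is an added illustration of the general class of mistake (a verification token that is checked for validity but never bound to the zone it authorizes), not Cloudflare’s code and not Pedersen’s findings. The account table, the fake DNS view, the HMAC derivation, the server secret and every function name are constructed for the example.

```python
"""Zone-ownership check for a hypothetical email-routing API.

Added example, not Cloudflare's code; the page does not describe the
real bug's mechanics. Account table, DNS view and secrets are constructed.
"""
import hashlib
import hmac

SERVER_SECRET = b"constructed-server-secret"  # stand-in for a KMS-held key


def expected_token(account_id: str, zone: str) -> str:
    """Derive the verification token for one (account, zone) pair.
    The HMAC binds both values, so a token issued for attacker.example
    cannot be replayed against victim.example, even by the same account."""
    msg = f"{account_id}\x00{zone}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


# Constructed public DNS view: zone -> TXT records. Both owners have
# completed verification for their own zone and published the token.
FAKE_DNS_TXT = {
    "victim.example": [
        "v=spf1 -all",
        "routing-verify=" + expected_token("acct-victim", "victim.example"),
    ],
    "attacker.example": [
        "routing-verify=" + expected_token("acct-attacker", "attacker.example"),
    ],
}

# Tokens the service has handed out so far, keyed by account (constructed).
ISSUED = {
    "acct-victim": {expected_token("acct-victim", "victim.example")},
    "acct-attacker": {expected_token("acct-attacker", "attacker.example")},
}

ROUTING = {"victim.example": "owner@victim-mailbox.example"}


def weak_verify(account_id: str, zone: str, token: str) -> bool:
    """Flawed check: confirms the token was issued to the caller's account,
    but never that it was issued for *this* zone. The zone parameter is
    effectively unchecked, so any verified account can change any zone."""
    return token in ISSUED.get(account_id, set())


def strong_verify(account_id: str, zone: str, token: str, dns=FAKE_DNS_TXT) -> bool:
    """Hardened check: the token must be the one derived for exactly this
    (account, zone) pair, and the zone must publish it in DNS, proving the
    caller controls the domain whose mail it wants to redirect."""
    if not hmac.compare_digest(expected_token(account_id, zone), token):
        return False
    return ("routing-verify=" + token) in dns.get(zone, [])


def reconfigure_routing(account_id, zone, forward_to, token, verify) -> str:
    """Change where mail for `zone` is forwarded, gated by `verify`."""
    if not verify(account_id, zone, token):
        raise PermissionError(f"{account_id} may not change routing for {zone}")
    ROUTING[zone] = forward_to
    return ROUTING[zone]


def demo() -> dict:
    """Attacker replays its own genuine token against the victim's zone."""
    attacker_token = expected_token("acct-attacker", "attacker.example")
    results = {}
    # Weak check: the token is real for the account, so the hijack succeeds.
    results["weak_hijacked"] = reconfigure_routing(
        "acct-attacker", "victim.example", "evil@attacker.example",
        attacker_token, weak_verify) == "evil@attacker.example"
    ROUTING["victim.example"] = "owner@victim-mailbox.example"  # undo hijack
    # Strong check: the token does not match (acct-attacker, victim.example).
    try:
        reconfigure_routing("acct-attacker", "victim.example",
                            "evil@attacker.example", attacker_token, strong_verify)
        results["strong_blocked"] = False
    except PermissionError:
        results["strong_blocked"] = True
    # The real owner, who published its token in DNS, still gets through.
    owner_token = expected_token("acct-victim", "victim.example")
    results["owner_ok"] = reconfigure_routing(
        "acct-victim", "victim.example", "new@victim-mailbox.example",
        owner_token, strong_verify) == "new@victim-mailbox.example"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened path is that two independent facts are checked before a routing change lands: the token is tied to the exact zone named in the request, and the requester has demonstrated control of that zone’s DNS. A check that establishes only “this caller has a valid token” authorizes far more than it appears to.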

Cynthia Murrell, August 18, 2022

Is Google Drive — Gulp — a Hacking Tool for Bad Actors?

August 17, 2022

Russia is a near-impregnable force when it comes to hacking. Vladimir Putin’s home base is potentially responsible for influencing many events in the United States, including helping Donald Trump win his first presidential election. Russia neither confirms nor denies the roles hackers play in its and global politics. Unfortunately, Cyber Scoop shares how a common Google tool has been purloined by hackers: “Russian Hacking Unit Cozy Bears Adds Google Drive To Its Arsenal, Researchers Say.”

In what is one of the simplest ways to deliver malware, Russian hackers from the state-funded unit Cozy Bear are using Dropbox and Google Drive. Did you read that? Russian hackers are using legitimate cloud storage services, including one from one of the biggest tech giants, to deliver malware. Palo Alto Networks’ Unit 42 researchers say the delivery method is hard to detect:

“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said. “When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”

Russian hackers and other black hat people have used cloud storage services to deliver malware before, but using Google Drive is a new tactic for this group. Google is a globally trusted brand, which makes more people vulnerable to malware. When people see Google, they automatically trust it, so potential victims could unknowingly download malware.

Dropbox is deleting any accounts that are exploiting their services for hacking. The good news is cloud storage services want to protect users, but the bad news is they are not acting fast enough.
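As an added illustration (not from the Cyber Scoop article or the Unit 42 report), here is the kind of proxy-log heuristic a detection engineer can fall back on when the host is trusted and the payload is encrypted: look at who fetched the object and what it claims to be, rather than at its contents. The log format, the sample requests, the host list, the user-agent markers and the content-type list are all constructed assumptions for the demo, not indicators published by anyone.

```python
import csv
import io
from urllib.parse import urlsplit

# Hosts of the trusted storage services the report names. Traffic to them
# is normal, so the host alone is never the signal.
CLOUD_STORAGE_HOSTS = {
    "drive.google.com", "docs.google.com",
    "www.dropbox.com", "dl.dropboxusercontent.com", "content.dropboxapi.com",
}
# Containers a payload tends to arrive in. The proxy still sees the declared
# type and the URL path even when the file contents are encrypted.
RISKY_CONTENT_TYPES = {
    "application/octet-stream", "application/x-msdownload",
    "application/x-dosexec", "application/zip", "application/x-iso9660-image",
}
RISKY_EXTENSIONS = (".exe", ".dll", ".iso", ".lnk", ".zip", ".hta", ".js")
# A person fetching a shared file shows up with a browser user-agent; a
# macro, loader or script usually does not. (Assumed markers.)
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/", "Edg/")

LOG_FIELDS = ["ts", "client", "host", "path", "status",
              "content_type", "bytes", "user_agent"]

# Constructed proxy log, pipe-separated in LOG_FIELDS order. Not real traffic.
SAMPLE_LOG = """\
2022-08-15T09:01:12Z|10.0.0.5|drive.google.com|/uc?export=download&id=1AbCd|200|application/pdf|48211|Mozilla/5.0 (Windows NT 10.0) Chrome/104.0
2022-08-15T09:03:40Z|10.0.0.7|drive.google.com|/uc?export=download&id=9ZyXw|200|application/octet-stream|302114|Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0)
2022-08-15T09:04:02Z|10.0.0.9|dl.dropboxusercontent.com|/s/abc123/stage2.zip?dl=1|200|application/zip|918344|python-requests/2.28.1
2022-08-15T09:05:55Z|10.0.0.5|www.dropbox.com|/s/def456/report.xlsx?dl=1|200|application/vnd.openxmlformats-officedocument.spreadsheetml.sheet|20011|Mozilla/5.0 (Windows NT 10.0) Chrome/104.0
2022-08-15T09:07:19Z|10.0.0.11|updates.example.org|/update.exe|200|application/x-msdownload|1204811|curl/7.85.0
"""


def parse_log(text: str) -> list:
    """Turn the pipe-separated log into one dict per request."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=LOG_FIELDS, delimiter="|")
    return [row for row in reader if row.get("ts")]


def is_browser(user_agent: str) -> bool:
    return any(marker in user_agent for marker in BROWSER_UA_MARKERS)


def looks_like_payload(row: dict) -> bool:
    """Declared type or file extension suggests an executable container."""
    content_type = row["content_type"].split(";")[0].strip().lower()
    path = urlsplit(row["path"]).path.lower()
    return content_type in RISKY_CONTENT_TYPES or path.endswith(RISKY_EXTENSIONS)


def flag_downloads(rows: list) -> list:
    """Flag a request only when three weak signals line up: a trusted storage
    host, a non-browser client, and a payload-like object. Any one of them on
    its own is ordinary traffic."""
    hits = []
    for row in rows:
        if row["host"].lower() not in CLOUD_STORAGE_HOSTS:
            continue  # out of scope for this rule; other rules cover it
        if is_browser(row["user_agent"]):
            continue  # an ordinary user opening a shared file
        if not looks_like_payload(row):
            continue
        hits.append({
            "ts": row["ts"], "client": row["client"], "host": row["host"],
            "path": row["path"], "user_agent": row["user_agent"],
            "reason": "non-browser client pulled payload-like object from trusted storage",
        })
    return hits


if __name__ == "__main__":
    for hit in flag_downloads(parse_log(SAMPLE_LOG)):
        print(hit["ts"], hit["client"], hit["host"], hit["user_agent"])
```

On the constructed log, the Word process pulling an opaque blob from Drive and the Python script pulling a zip from Dropbox are flagged; the two browser downloads and the unrelated curl fetch are not. The rule is deliberately narrow, because blocking or alerting on the storage domains themselves would drown the SOC in legitimate traffic, which is exactly the cover the attacker is counting on.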

Whitney Grace, August 17, 2022

Google: If True, This Is a Management Moment

August 15, 2022

I read tabloids when I ride the subway in New York, Paris, or London. Madrid’s and Moscow’s undergrounds? Nope. No thanks.

I spotted a New York Post article called “Google Execs Threaten Workers with Layoffs: There Will Be Blood on the Streets.” Wow, blood on the streets of Mountain View. Pretty exciting. I also liked the “threaten” idea. What an outstanding and sensitive management move… if accurate.

Let’s assume, just for chuckles, that the article is accurate.

I learned:

Google executives are telling their employees to shape up or ship out, warning that layoffs are coming if results don’t meet expectations. Employees who work in the Google Cloud sales department said that senior leadership told them that there will be an “overall examination of sales productivity and productivity in general.”

And, pray tell, what are those expectations? More chat applications? How about some big time acquisitions that go exactly where? Motorola, hello, hello. What about a high lift project like solving death? Oh, sorry. Been there and failed at that. Maybe mending fences in Australia? Yeah, that is a good idea once the most recent fine has been paid.

The write up quotes the Google top dog as saying:

… he wanted to solicit ideas from his employees on how to get “better results faster.”

Okay, that certainly opens the door to some creative thinking. Based on my attending law enforcement and intelligence conferences, the quick money comes from fraud, human trafficking, selling contraband, and possibly a few weapons deals. I would toss in getting into the fullz business as another “let’s noodle that” idea.

My personal perspective is different. I think the actual term is my viewshed, but I could be wrong, a practice I have explored in my 77 years of muddling along. Here we go:

  1. Google embodies the management methods of what I call a “high school science club.”
  2. The company had been purposeful when refining its “clever” search system and obtaining inspiration from GoTo, Overture, and Yahoo ad sales technology. Once achieved, the once sharp lens lost its ability to focus.
  3. The culture of the Google is interesting. Foosball, bean bags, volleyball, and car washes complement the weird caste approach to food. Change may not come easily into this good organization.

But maybe the write up is incorrect. Google is nothing more than the best managed online advertising outfit in the world. See. Money works to explain the reality. Blood? Hmmm. Possibly an overstatement?

Stephen E Arnold, August 15, 2022

Is the New Era of Timesharing Winding Down?

August 11, 2022

What kind of question is that? Stupid for sure. The cloud is infinite. The earnings bright spots for Amazon, Google, and Microsoft are cloud revenue and services. Google wants to amp up its cloud because sitting in third place behind the dorky outfits Amazon and Microsoft is not part of the high school science club’s master plan. And Microsoft cannot cope with Amazon AWS. Accordingly, Microsoft is chasing start-ups in order to be in the front of the ChocoTaco line for the next big thing. And Amazon? Fancy moves like killing long-provided services like backup, making changes that will cause recoding of some applications, and thinking about ways to increase revenue from Fancy Dan billing thresholds.

The cloud is the big thing.

If the information in “Why AI and Machine Learning Are Drifting Away from the Cloud” is on the money, one of those odd ball Hegelian things may be gaining momentum. The reference is to the much loved and pretty obvious theory that sine waves operate in the biological world. I am referring to the old chestnut test question about thesis, antithesis, and synthesis. Stated another way: First there was a big computer. Then there was timesharing. Then there was the personal computer. Then there was client server. That begot the new version of the cloud. The future? Back to company-owned and controlled computers. Hegelian stuff, right?

The article presents this idea:

Cloud computing isn’t going anywhere, but some companies are shifting their machine learning data and models to their own machines they manage in-house. Adopters are spending less money and getting better performance.

Let’s follow this idea. If smart software becomes the next big thing as opposed to feeding people, the big clouds will face customer defection and maybe pushback about pricing, lock in, and restrictions on what can and cannot be done on the services. (Yep, some phishing outfits use the cloud to bedevil email users. Yes, some durable Dark Web sites host some of their data on big cloud services. Yep, some cloud services have “inspection” tools to prevent misuse which may not be as performant as the confections presented in marketing collateral.)

With more AI, perhaps there will be less cloud. Then what?

The write up points out:

Companies shifting compute and data to their own physical servers located inside owned or leased co-located data centers tend to be on the cutting edge of AI or deep-learning use, Robinson [vice president of strategic partnerships and corporate development at MLOps platform company Domino Data Lab] said. “[They] are now saying, ‘Maybe I need to have a strategy where I can burst to the cloud for appropriate stuff. I can do, maybe, some initial research, but I can also attach an on-prem workload.”

Hegel? What’s he got to do with this rethinking of the cloud, today’s version of good old timesharing? Probably nothing. The sine wave theories are silly. Ask any Econ 101 or Poli Sci 101 student. And who does not enjoy surprise charges for cloud computing services which are tough to see through? I know I do.

Stephen E Arnold, August 11, 2022

Google Kicked Out of School in Denmark

August 11, 2022

Like its colleagues in the Netherlands and Germany, the Denmark data protection authority has taken a stand against Google’s GDPR non-compliance. European secure-email firm Tutanota reports on its blog, “Denmark Bans Gmail and Co from Schools Due to Privacy Concerns.” Schools in the Helsingør Municipality have until August 3 to shift to a different cloud solution. We learn:

“In a statement published mid July, the Danish data protection agency expresses ‘serious criticism and bans … the use of Google Workspace’. Based on a risk assessment for the Helsingør Municipality, the data protection authority concluded that the processing of personal data of pupils does not meet the requirements of the GDPR and must, therefore, stop. The ban is effective immediately. Helsingør has until August 3 to delete pupils’ data and start using an alternative cloud solution. … This decision follows similar decisions by Dutch and German authorities. The issues that governmental institutions see themselves faced with have started with the invalidation of Privacy Shield back in 2020. Privacy Shield has been a data transferring agreement between the USA and the European Union and was supposed to make data transfers between the two legally possible. However, the agreement has been declared invalid by the European Court of Justice (ECJ) in 2020 due to privacy concerns. One major problem that the EU court pointed out is that data of foreigners is not protected in the USA. The protections that are there – even if limited – only apply to US citizens.”

So the NSA can gain unfettered access to the personal data of Europeans but not US citizens. We can see how authorities in the EU might have a problem with that. As the Danish agency notes, such a loophole violates rights considered fundamental in Europe. Not surprisingly, this Tutanota write-up emphasizes the advantages of a Europe-based email service like Tutanota. It is not wrong. It seems Denmark has woken up to the Google reality. Now what about Web-search tracking?

Cynthia Murrell, August 11, 2022

How about a Decade of Vulnerability? Great for Bad Actors

August 10, 2022

IT departments may be tired of dealing with vulnerabilities associated with Log4j, revealed late last year, but it looks like the problem will not die down any time soon. The Register reveals, “Homeland Security Warns: Expect Log4j Risks for ‘a Decade or Longer’.” Because the open-source tool is so popular, it can be difficult to track down and secure all instances of its use within an organization. Reporter Jessica Lyons Hardcastle tells us:

“Organizations can expect risks associated with Log4j vulnerabilities for ‘a decade or longer,’ according to the US Department of Homeland Security. The DHS’ Cyber Safety Review Board‘s inaugural report [PDF] dives into the now-notorious vulnerabilities discovered late last year in the Java world’s open-source logging library. The bugs proved to be a boon for cybercriminals as Log4j is so widely used, including in cloud services and enterprise applications. And because of this, miscreants soon began exploiting the flaws for all kinds of illicit activities including installing coin miners, stealing credentials and data, and deploying ransomware.”

Fortunately, no significant attacks on critical infrastructure systems have been found. Yet. The write-up continues:

“‘ICS operators rarely know what software is running on their XIoT devices, let alone know if there are instances of Log4j that can be exploited,’ Thomas Pace, a former Department of Energy cybersecurity lead and current CEO of NetRise, told The Register. NetRise bills itself as an ‘extended IoT’ (xIoT) security firm. ‘Just because these attacks have not been detected does not mean that they haven’t happened,’ Pace continued. ‘We know for a fact that threat actors are exploiting known vulnerabilities across industries. Critical infrastructure is no different.'”

Security teams have already put in long hours addressing the Log4j vulnerabilities, often forced to neglect other concerns. We are told one unspecified US cabinet department has spent some 33,000 hours guarding its own networks, and the DHS board sees no end in sight. The report classifies Log4j as an “endemic vulnerability” that could persist for 10 years or more. That is a long time for one cyber misstep to potentially trip up so many organizations. See the article for suggestions on securing systems that use Log4j and other open-source software.
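For the “track down every instance” problem, here is an added example (not from the Register article or the CSRB report): a scanner that opens jars, reads the log4j-core Maven metadata for a version, checks whether JndiLookup.class is still present, and recurses into nested archives, since fat jars and WARs hide the library several layers down where a filename search never looks. The class path and the 2.17.1 threshold for the 2.x line are real Log4j facts; the sample jars it scans are constructed in memory, and everything else (function names, the depth limit, the reporting format) is an assumption for the demo.

```python
import io
import os
import re
import zipfile

# Presence of this class is what made the JNDI lookup reachable; deleting it
# from the jar was the documented emergency mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First 2.x release with the December 2021 Log4j CVEs fixed. The Java 7 and
# Java 6 lines (2.12.4 and 2.3.2) are not modelled here.
SAFE_VERSION = (2, 17, 1)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # nested archives inside Spring Boot / WAR / EAR bundles


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def inspect_archive(data: bytes, label: str, findings: list, depth: int = 0) -> None:
    """Record log4j-core evidence in one archive, then recurse into archives
    embedded in it. `label` uses 'outer.jar!/inner.jar' for nesting."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
        match = re.search(r"^version=(.+)$", props, re.M)
        if match:
            version = match.group(1).strip()
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        outdated = version is None or parse_version(version) < SAFE_VERSION
        findings.append({
            "path": label,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Actionable only if an outdated build still ships JndiLookup; a
            # stripped jar or a 2.17.1+ jar is not.
            "needs_attention": has_jndi and outdated,
        })
    if depth >= MAX_DEPTH:
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            inspect_archive(zf.read(name), f"{label}!/{name}", findings, depth + 1)


def scan_archives(archives: dict) -> list:
    """Scan {label: bytes} and return every finding."""
    findings = []
    for label, data in archives.items():
        inspect_archive(data, label, findings)
    return findings


def scan_directory(root: str) -> list:
    """Walk a filesystem tree and scan every archive found (real-world entry point)."""
    archives = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    archives[full] = fh.read()
    return scan_archives(archives)


def make_jar(files: dict) -> bytes:
    """Build an in-memory jar from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed jars covering the cases a scanner has to tell apart."""
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic; contents are irrelevant here

    def pom(version: str) -> bytes:
        return f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n".encode()

    vulnerable = make_jar({JNDI_CLASS: stub_class, POM_PROPERTIES: pom("2.14.1")})
    patched = make_jar({JNDI_CLASS: stub_class, POM_PROPERTIES: pom("2.17.1")})
    stripped = make_jar({POM_PROPERTIES: pom("2.14.1")})  # JndiLookup removed
    fat_app = make_jar({
        "BOOT-INF/classes/app/Main.class": stub_class,
        "BOOT-INF/lib/log4j-core-2.14.1.jar": vulnerable,
    })
    return {
        "log4j-core-2.14.1.jar": vulnerable,
        "log4j-core-2.17.1.jar": patched,
        "log4j-core-2.14.1-stripped.jar": stripped,
        "app.jar": fat_app,
    }


if __name__ == "__main__":
    for finding in scan_archives(build_samples()):
        print(finding)
```

Run scan_directory against the lib and deployment directories of each application server; the nested-archive recursion is what catches the copy inside app.jar that a search for log4j-core-*.jar on disk would never see. The report deliberately separates “version is old” from “JndiLookup is still present,” because a jar patched by class removal shows the old version string yet is no longer the emergency case.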

Cynthia Murrell, August 10, 2022
