Yo, Amazon, Hello, Facebook, Hey, Google, Sup, IBM: Any Moonlighting Wizards on Your Payroll?

September 28, 2022

A couple of years ago, I provided those in my LE and intel lectures with the names of some online recruiting services which say things like:

Hire Silicon Valley-caliber engineers at half the cost

The number of outfits offering programmers with in-demand skills is large. Do these “remote” employees have: [a] full time jobs at big tech firms, [b] work remotely with supervision from an indifferent 20 something or Microsoft Teams-type monitoring functions, or [c] have automated a full-time job so that an eight hour work day can be used to generate income from gig work or another full-time job?

I read “Wipro Chairman Rishad Premji Fires 300 Employees for Secretly for Moonlighting.” [Note: this item appeared in India and the provider of the content can be disappeared at any time or charge for access to the full text. There’s not much I can do to ameliorate this issue.] The article states:

Wipro has terminated 300 employees found to be moonlighting with its key rivals at the same time, its Chairman Rishad Premji said on Wednesday [September 21, 2022] . Speaking at the All India Management Association (AIMA) National Management Convention, Premji termed moonlighting is a complete violation of integrity “in its deepest form”. “The reality is that there are people today working for Wipro and working directly for one of our competitors and we have actually discovered 300 people in the last few months who are doing exactly that,” the Wipro Chairman said. The company has now terminated their employment for “act of integrity violation”.

I find the action of Mr. Premji instructive. I wonder why US-based high-tech firms do not take the same action.

The point I made in my lecture is that bad actors can pass themselves off as legitimate businesses just based in some interesting city like Athens, Greece. The technical skills required are advanced and not directly connected to anything other than helping a jewelry company or online egame service implement a resilient network. The person responding to this opportunity may have requisite experience working at a big US high tech company. The person does the work and forgets about the project. However, the entity doing the hiring is a bad actor. The task completed by the US high tech engineer snaps into a larger set of work.

Should the online recruitment outfit perform more due diligence on what looks like a legitimate company selling fountain pens or plumbing equipment in another country? The answer is, “Sure.” That’s not the case. Based on our research none of the recruiters or the gig workers did much if any investigation of the hiring outfit. If a company paid the matchmaker and the gig worker, that was the proof of appropriate activity.

The reality, which I described in my lecture, is that insiders are making it easy for bad actors to learn about certain companies. Furthermore, the simple and obvious coding task is just one component in what can be an illegal online operation. The example I provided to the LE and analysts in my lecture was an online streaming service with an illegal online gambling “feature.”

I can hear the senior managers’ excuses now:

  1. “Our employees are prohibited from doing outside work.” [Yeah, but does anyone validate this assertion?]
  2. “We have a personnel department which works closely with our security team to prevent this type of insider activity.” [Yeah, but telling me this is cheaper and easier than reporting on specific data compiled to reduce this type of activity, right?]
  3. “Our contractors are moderated and subject to the same security procedures as our work-from-home full time staff? [Yeah, but does anyone really know how that contractor located in another company actually operates?]k

Net net: Mr. Premji is on the right track. FYI: WiPro was founded in 1945 and the firm took action on this matter after 77 years. Speedy indeed.

Stephen E Arnold, September 28, 2022

Cyber Security Management: Does It Work or Just Output Excuses?

September 23, 2022

It seems that cyber security is a bit of an issue at a number of organizations. Uber faces a teen and seems to say, “We’re a-okay.” A Chinese entity may have lost data about one billion people. If I poke around, I can find one or two examples of what seem to be cyber security challenges. Oh, sorry. Yes, one or two may be an understatement.

“Nearly a Third of Security Teams Lack a Management Platform for IT Secrets” suggests that there may be a problem with management. The write up states:

most security pros expect cyber attacks to intensify over the next year, some 32% surveyed lack a management platform for IT secrets, such as API keys, database passwords, and privileged credentials, posing significant security risks.

Does this mean that geared up outfits with layers of security, training programs for employees because phishing is a problem, and expensive real time flows of threat data about vectors with snappy names have a vulnerability?

Yes, some organizations have another cyber security issues with which to wrestle. Management of “information technology secrets” may pose a threat. More precisely, a failure to manage passwords and other “IT secrets” is lacking. No kidding? Poor or ineffective management. Who would have guessed that work-from-home, quiet quitters, and basic safeguards were inadequate. Wow. Insight!

The article says:

While many surprisingly report feeling prepared for attacks, security leaders admit their tech stacks lack essential tools: Some 84% are concerned about the dangers of hard-coded credentials in source code, but 25% don’t have software to remove them. And, more than one-quarter of respondents (26%) say they lack a remote connection management capability that can secure remote access to IT infrastructure.

I think this means that after many PowerPoints, trade show presentations, and big buck mergers and acquisitions, bad actors have some vulnerabilities to exploit.

Is it time perchance to rethink cyber security and the management thereof?

Nah, security is a cost center. And most executives with whom I talk are reasonably confident that their personnel, advisors, and information technology professionals are Top Guns, flying juiced up cyber gear.

Okay, no problem. That’s why storing Microsoft Teams’ tokens in plain text is such a great idea.

Stephen E Arnold, September 22, 2022

Darktrace–Thoma Bravo Deal: An Antigen Reaction?

September 21, 2022

Darktrace is one of the cyber threat detection outfits to which I pay some attention. I read “Darktrace Shares Plunge After Thoma Bravo Acquisition Falls Apart.”

The article quotes an expert as saying:

“I don’t think Thoma Bravo is backing off of Darktrace because of valuations,” he [Richard Stiennon, chief research analyst at IT-Harvest] says. “I think strategically there is not a clear market for the AI-enhanced threat hunting that Darktrace touts. The market is pretty much equal to Darktrace’s revenue today.”

My take on the deal is that the cyber threat detection and cyber threat information services are not convincing some skeptical prospects. News like the teen who compromised the Uber taxi service and the sharp rise in ransomware attacks has created some Nervous Nellies. Multi-persona phishing and old fashioned social engineer work in today’s work-from-home world. Plus, there is nothing like a bundle of cash promised to an insider who might be tempted to exchange access credentials for a new Tesla or a shopping spree at Costco.

Darktrace has done a masterful job of marketing. The Bayesian methods work reasonably well in certain use cases. Quite a chunk of change has been spent buying and marketing cyber related businesses.

One report (“Shares Plunge As US Private Equity Titan Backs Out of Darktrace Takeover“) said:

Darktrace revenue grew 45.7 per cent in the financial year to 30 June, while the customer base swelled 32.1 per cent year-over-year. However, the firm did note an accounting mishap, stating that $3.8m of revenue it had been recognising in the full year, including a portion recognised and reported in its unaudited half year results, was related to prior periods and should instead be recognised in full year 2021 results. This reallocation would reduce revenue reported this year to $415.5m from the $419.3m that was expected.

And cyber crime is at an all time high, but I am not sure any firm, including Darktrace, has cracked the code.

Stephen E Arnold, September 21, 2022

Open Source: Everyone Uses It. Now Bad Actors Know Where to Aim

September 2, 2022

Peace of mind is a valuable thing, a commodity one might think worth allocating some funds to ensure, particularly when one is engaged in permanent cyber warfare. Yet, according to BetaNews, “80 Percent of Enterprises Use Open Source Software and Nearly All Worry About Security.” A recent report from Synopsys and based on research by Enterprise Strategy Group found 80% of enterprises use open source software (OSS), and 99% of those are concerned about related security issues. Apparently one percent is not paying attention—such worry is justified because few in the IT department know what’s in the open source libraries or know how to find manipulated or rogue instructions. Reporter Ian Barker tells us:

“In response to high profile supply chain attacks 73 percent of respondents say they have increased their efforts significantly to secure their organizations’ software supply chain. Steps taken include the adoption of some form of multi-factor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent). Despite those efforts, 34 percent of organizations report that their applications have been exploited due to a known vulnerability in open source software within the last 12 months, with 28 percent having suffered a previously unknown zero-day exploit found in open source software.

Pressure to improve software supply chain risk management has shone a spotlight on software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — the ESG research shows that 39 percent of survey respondents marked this task as a challenge of using OSS. … [The study also found] 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.”

All this, and the use of open source software is expected to jump to 99% next year. It seems those who hold organizational purse strings care more about saving a few bucks than about their cybersecurity teams’ sleepless nights. If they suffer a breach, however, they may find that metaphoric purse has acquired a large hole. Just a thought, but an ounce of prevention may be warranted here.

Cheap and easy? Yep.

Cynthia Murrell, September 2, 2022

A US Government Classification Wowza!

August 30, 2022

I read “What’s in a Classified Document?” The title is interesting because it suggests that classified information is like a cook book. The contents of the cook book are “known”; that is, step-by-step information about making grilled chicken. The write up explains:

Breakdowns of the various levels of information classification are available online, but they’re not that helpful out of context.

That makes sense: No context, no or limited understanding.

The write up continues:

Most classified materials, however, just aren’t all that sexy at first glance.

I noted this statement:

Technical and scientific documents, for instance, are almost always highly valuable.

And this caught my eye:

One of the greatest risks is that an adversary will learn how we’ve discovered their secrets.

I also put a check mark by this sentence:

Finally, it’s important to understand that, in many cases, what’s classified is not a particular set of facts but what the intelligence community thinks those facts mean.

Looking at the information about secrets, I think the obvious statements are okay. The point to me is that old fashioned methods of enforcing secrecy are probably better than the methods in use today.

Unfortunately the Information wants to be free and the Sharing is caring ideas are not in line with my views. The message I take away from this write up is that beliefs, ideas, and procedures have been eroded in the last decade or so.

But I am a dinobaby. What do I know? Well, enough to point out that the apparatus of secrecy might be a useful project for someone not in the lobbying business, not a Beltway Bandit, and not an individual preparing a flight path as a consultant.

Stephen E Arnold, August 30, 2022

A Hidden Nugget about E2EE Use as a Filter

August 23, 2022

I am not a fan of Silicon Valley type “real” news. Political biases usually color the factoids. I read “Inside Facebook’s Encryption Conundrum.” [Believe it or not you may have to spit out personal info or pay to read this hyperlinked document.] I don’t care too much about Facebook’s conundrums. Mismanaged online services are poorly understood by those who live and die by social media. The goldfish does not know the water in its bowl contains amorphous scales of lead and lead phosphate.

I am going to ignore the description of the Zuckbook’s business processes and focus on what I perceive to be the nugget in the write up:

In recent conversations with Meta employees, I’ve come to understand more about what’s taking so long — and how consumer apathy toward encryption has created challenges for the company as it works to create a secure messaging app that its user base will actually use.

Translating into Beyond Search lingo yields, “People don’t know and don’t care.”

Ergo, anyone using an encrypted messaging app is signaling:

I know;

I care;

Therefore, why not monitor me?

You may have a different conclusion. I believe use of apps like Telegram provides an important signal. Apathy is a filter. Is the opposite important?

Stephen E Arnold, August 23, 2022

TikTok: Allegations of Keylogging

August 22, 2022

I am not a TikTok person; therefore, I exist in a trend free zone. Others are sucking down short videos with alacrity. I admire a company, possibly linked to China’s government, which has pioneered a next generation video editor and caused the Alphabet Google YouTube DeepMind thing to innovate via its signature “me too” method of innovation.

Now TikTok has another feature, which is an interesting allegation. “TikTok’s In-App Browser Can Monitor Your Every Click and Keystroke” asserts:

When Krause [a security researcher] dug a little deeper into what these apps’ in-app browsers really do, he’d found that TikTok does some bad things, including monitoring all of users’ keyboard inputs and taps. So, if you open a web page inside of TikTok’s app, and enter your credit card details there, TikTok can access all of those details. TikTok is also the only app, out of all the apps Krause has looked into, that doesn’t even offer an option to open the link in the device’s default browser, forcing you to go through its own in-app browser.

Let’s assume this finding is spot on. First question: Does anyone care? Second question: So what?

I don’t have answers to either question. I do, however, have several observations:

  1. Oracle, for some reason, seems to care. The estimable database company is making an effort to find information that suggests TikTok data are kept in a cupboard. Only grandma can check out who will be an easy target for psychological manipulation. No results yet, but if TikTok is a neutral service, why’s Oracle involved?
  2. A number of Silicon Valley pundits have pointed out that TikTok is no big deal. That encapsulates the “so what” issue. “Put that head in the sand and opine forward” is the rule of thumb for these insightful folks.
  3. Keyloggers are a fave of certain actors. TikTok may have found them useful for benign purposes.

Quite an allegation.

Stephen E Arnold, August 22, 2022

Albert the (Bug) Bounty Hunter

August 18, 2022

Albert Pedersen, an inquisitive scholar in Denmark, makes a hobby of prodding software for vulnerabilities. Now he has proudly collected a bounty after his second successful hunt. Gizmodo reports, “A College Student Discovered a Bug in Cloudflare Email Routing that Let You Read Any User’s Emails.” Email routing services allow users to create disposable email addresses that point back to their “real” accounts and can be valuable privacy tools. That is, if they are truly secure. Writer Lucas Ropek reports:

“Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when properly exploited, allowed any user to read—or even manipulate—other users’ emails. … The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s ‘zone ownership verification’ system, meaning that it was possible for a hacker to reconfigure email routing and forwarding for email domains that weren’t owned by them. Proper manipulation of the exploit would have allowed someone with knowledge of the bug to re-route any users’ emails to their own address. It would have also allowed a hacker to prevent certain emails from being sent to the target at all. In his write-up, Pedersen notes that it’s not that difficult to find online lists of email addresses attached to Cloudflare’s service. Using one of those lists, a bad guy could have quite easily targeted anybody using the forwarding service. After discovering the exploit, Pedersen managed to reproduce it a number of times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program.”

We are sure Cloudflare considers the bounty to be $6,000 well spent. Had the bug gone unsquashed, the repercussions may have gone well beyond the troublesome privacy issues. Bad actors could also have used it to reset passwords, gaining access to financial and other accounts. As Ropek points out, this is a good illustration of why two-factor authentication is worth the hassle. As talented as he is, the intrepid young Dane is only one person. He may not catch the next bug in time.

Cynthia Murrell, August 18, 2022

Is Google Drive — Gulp — a Hacking Tool for Bad Actors?

August 17, 2022

Russia is a near-impregnable force when it comes to hacking. Vladimir Putin’s home base is potentially responsible for influencing many events in the United States, including helping Donald Trump win his first presidential election. Russia neither confirms nor denies the roles hackers play in its and global politics. Unfortunately, Cyber Scoop shares how a common Google tool has been purloined by hackers: “Russian Hacking Unit Cozy Bears Adds Google Drive To Its Arsenal, Researchers Say.”

In what is one of the simplest ways to deliver malware, Russian hackers from the state-funded unit Cozy Bear are using Dropbox and Google Drive. Did you read that? Russian hackers are using legitimate cloud storage services, including one from one of the biggest tech giants, to deliver malware. Palo Alto Networks’ Unit 42 researchers are confounded by the delivery process, because it is hard to detect:

“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said. “When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”

Russian hackers and other black hat people have used cloud storage services to deliver malware before, but using Google Drive is a new tactic. Google is a globally trusted brand that makes more people vulnerable to malware. When people see Google, they automatically trust it, so potential victims could unknowingly download malware.

Dropbox is deleting any accounts that are exploiting their services for hacking. The good news is cloud storage services want to protect users, but the bad news is they are not acting fast enough.

Whitney Grace, August 17, 2022

Quantum Supremacy Emulators: The Crypto Claim

August 16, 2022

I noted the silliness of the quantum supremacy claims first by the GOOG and then by the Red Hat dependent IBM. I pointed out that Intel claimed a quantum thing-a-ma-bob that would be a hub for certain quantum functions. Yeah, horse something, maybe ridge, maybe feathers. I mentioned in one of my blog posts or client emails that the US government aided by big wizards had developed algorithms that could not be broken by yet-to-be-invented quantum computers.

Now we have an interesting story that puts much of the quantum supremacy-type PR in a flaming dumpster. Wow, look at the dense smoke from a piddling fire.

Post Quantum Encryption Contender Is Taken Out by Single-Core PC and 1 Hour” states:

SIKE is the second NIST-designated PQC candidate to be invalidated this year. In February, IBM post-doc researcher Ward Beullens published research that broke Rainbow, a cryptographic signature scheme with its security, according to Cryptomathic, “relying on the hardness of the problem of solving a large system of multivariate quadratic equations over a finite field.”

Everyone will keep trying. Perhaps a functioning quantum computer will become available to make hunting for flaws more helpful. No, wait a minute. The super algorithm was compromised by a single core PC chugging along for one hour.

Oh, well, as long as one doesn’t look too closely some of the quantum supremacy PR sounds great. In my opinion, some of the stuff is a bit silly.

Stephen E Arnold, August 16, 2022

Next Page »

  • Archives

  • Recent Posts

  • Meta