On Mitigating Open-Source Vulnerabilities

May 16, 2022

Open-source software has saved countless developers from reinventing the proverbial wheel so they can instead spend their time creating new ways to use existing code. That’s great! Except for one thing: Now that open-source components make up about 90% of most applications, they pose tempting opportunities for hackers. Perhaps the juiciest targets lie in the military and intelligence communities. US counter-terrorism ops rely heavily on the likes of Palantir Technologies, a heavy user of and contributor to open-source software. Another example is the F-35 stealth fighter, which operates using millions of lines of code. A team of writers at War on the Rocks explores “Dependency Issues: Solving the World’s Open-Source Software Security Problem.” Solve it? Completely? Right, and there really is a tooth fairy. The article relates:

“The problem is that the open-source software supply chain can introduce unknown, possibly intentional, security weaknesses. One previous analysis of all publicly reported software supply chain compromises revealed that the majority of malicious attacks targeted open-source software. In other words, headline-grabbing software supply-chain attacks on proprietary software, like SolarWinds, actually constitute the minority of cases. As a result, stopping attacks is now difficult because of the immense complexity of the modern software dependency tree: components that depend on other components that depend on other components ad infinitum. Knowing what vulnerabilities are in your software is a full-time and nearly impossible job for software developers.”

So true. Still, writers John Speed Meyers, Zack Newman, Tom Pike, and Jacqueline Kazil sound optimistic as they continue:

“Fortunately, there is hope. We recommend three steps that software producers and government regulators can take to make open-source software more secure. First, producers and consumers should embrace software transparency, creating an auditable ecosystem where software is not simply mysterious blobs passed over a network connection. Second, software builders and consumers ought to adopt software integrity and analysis tools to enable informed supply chain risk management. Third, government reforms can help reduce the number and impact of open-source software compromises.”

The article describes each part of this plan in detail. It also does a good job explaining how we got so dependent on open-source software and describes ways hackers are able to leverage it. The writers submit that, by following these suggestions, entities both public and private can safely continue to benefit from open-source collaboration. If the ecosystem is made even a bit safer, we suppose that is better than nothing. After all, ditching open-source altogether seems nigh impossible at this point.

Cynthia Murrell, May 16, 2022

Some Criticism of Microsoft? Warranted or Not?

May 13, 2022

Microsoft’s LinkedIn comes out on top—in one regard, anyway. IT-Online reports, “LinkedIn the Brand Most Imitated for Phishing.” In its Brand Phishing Report for the first quarter of 2022, Check Point Research found the professional network was imitated in more than half of all phishing attempts during January, February, and March. The write-up tells us:

“Dominating the rankings for the first time ever, LinkedIn accounted for more than half (52%) of all phishing attempts during the quarter. This represents a dramatic 44% uplift from the previous quarter, where the professional networking site was in fifth position accounting for only 8% of phishing attempts. LinkedIn overtook DHL as the most targeted brand, which is now in second position and accounted for 14% of all phishing attempts during the quarter.”

Social media platforms in general jumped in popularity as phishing spots. Shipping companies like DHL, which became attractive targets with the rise in e-commerce, are now in second place. Apparently different types of companies make juicy bait for different kinds of attacks. The article quotes Check Point’s Omer Dembinsky:

“Some attacks will attempt to gain leverage over individuals or steal their information, such as those we’re seeing with LinkedIn. Others will be attempts to deploy malware on company networks, such as the fake emails containing spoof carrier documents that we’re seeing with the likes of Maersk.”

Of course, a phishing attack can only work if someone falls for it. Do not be that person. Dembinsky advises:

“The best defense against phishing threats, as ever, is knowledge. Employees in particular should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users in particular should be extra vigilant over the course of the next few months.”

In Check Point’s list of the top ten companies to find themselves on phishing hooks, LinkedIn and DHL are followed by Google (at 7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%), and Apple (0.8%).

Cynthia Murrell, May 13, 2022

Using a VPN in India?

May 10, 2022

I read “VPN Providers Are Ordered to Store User Data for 5 or More Years in India.” The land of Khichdi is a fair piece from rural Kentucky. On the other hand, the VPN providers and crypto exchange platforms can be as near as one’s mobile phone or laptop. So what?

The write up points out:

The Indian government has published a directive that will force VPN providers and crypto exchange platforms to store user data for at least five years, even when customers have since terminated their relationship with the companies in question. Decision makers at businesses who don’t comply with the new ruling could face up to one year in prison, with it going into effect in late June 2022.

Yes, just another law. What makes this interesting is that a VPN, according to some enthusiastic promotional material, preserves one’s online privacy. That sounds like a great idea to many people.

What happens if those VPN records are reviewed prior to their deletion by the VPN providers who insist that the users’ data are not preserved? I also like the VPN vendors who suggest that logs are not preserved.

If India’s directive yields some bad actor identification and incarceration, what other countries will use India’s approach as a springboard? The abuse of some online capabilities has been friction free in some places. Russia appears to have some doubts about VPNs. China? Yep, China too.

Perhaps the days of laissez-faire will end with a reprimand from Yama?

Stephen E Arnold, May 10, 2022

Cyber Security: Oxymoron?

May 9, 2022

I read an interesting article called “Botnet That Hid for 18 Months Boasted Some of the Coolest Tradecraft Ever.” I am not sure I would have described the method as “cool,” but as some say, “Let many flowers bloom.”

The main point of the article is a sequence of actions which compromise a target without calling attention to the attack or leaving size 13 digital footprints. The diagrams provide a broad overview of the major components, but there are no code snippets. That’s a plus in my book because many cyber revelations are cookbooks with easy-to-follow recipes for dorm room cyber snacks.

What caught my attention is this statement in the excellent write up:

One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.

I also noted:

“Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the Mandiant researchers wrote. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”
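The lateral-movement detail above, a WMI-launched shell that returns its output through an administrative share, is the kind of behaviour a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article or from Mandiant: it scores constructed process-creation records (field names modelled on Sysmon Event ID 1) and flags cmd.exe spawned by the WMI provider host, especially when output is redirected into ADMIN$, the retrieval pattern used by wmiexec-style tools. Hostnames, paths and the event layout are assumptions.

```python
"""Heuristic hunt for WMI-based remote shells over process-creation events.
Constructed example: event shape and samples are made up for illustration."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str           # hostname the event came from (constructed)
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process

# Matches output redirection into an admin share, e.g. "\\127.0.0.1\ADMIN$\__..."
ADMIN_SHARE_REDIRECT = re.compile(r"\\\\[^\\\s]+\\ADMIN\$\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Each reason is one independent indicator;
    legitimate management tooling also runs shells via WMI, so a single
    indicator alone should not page anyone."""
    reasons = []
    parent, child, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line.lower()
    if parent == "wmiprvse.exe" and child in SHELLS:
        reasons.append("shell spawned by WMI provider host")
    if ADMIN_SHARE_REDIRECT.search(ev.command_line):
        reasons.append("output redirected to ADMIN$ share")
    if parent == "wmiprvse.exe" and "/q /c" in cmd:
        reasons.append("quiet one-shot cmd invocation typical of wmiexec")
    return len(reasons), reasons

def find_suspicious(events, min_score: int = 2) -> list[dict]:
    """Events with at least min_score corroborating indicators."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score:
            hits.append({"host": ev.host, "score": score, "reasons": reasons})
    return hits

# Constructed sample telemetry: one wmiexec-like launch, one benign interactive
# shell, and one WMI-launched shell from ordinary management tooling.
SAMPLE_EVENTS = [
    ProcEvent("srv-mail-01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1651000000.12 2>&1"),
    ProcEvent("wks-042", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent("srv-file-02", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c net start"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample crosses the threshold; the management-tooling launch scores one indicator and is left for context rather than alerted on.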

With the core functionality of Microsoft software and services serving as the pivot on which the attacker’s systems and methods turn, what does this suggest about cyber security going forward?

My answer: There is an attack surface of significant scope. Plus, undetectable but for specialized analyses. The ball is in the hands of Microsoft. The bad actors just toss it around.

Stephen E Arnold, May 9, 2022

What Is Crazier Than Enterprise Search? Maybe Content Management Systems?

May 4, 2022

I met a content management system guru many years ago. He explained to me in a remarkably patronizing way that CMS was the future of enterprise content. The words “all” and the phrase “search is just a utility” still echo when I think of him.

He was incorrect. CMS is certainly not a replacement for an XML repository which can “point” to objects like a sales presentation which began life as a PowerPoint and then emerged as a nifty PDF for the 20 somethings in marketing.

CMS, in my view, boils down to clunky systems which allow different people with a wide range of cognitive content to create, retrieve, and do stuff with text and some art. Search remains pretty darned crazy as a market sector, but there are some open source options and a number of semi-useful cloud services. The tendency for art history majors to bandy the word “all” in chats about a CMS continues to make me laugh. Right, “all”. What about company videos on RuTube.ru? I am waiting for an answer.

There is something at which CMS is quite skilled. “Vulnerable Plugins Plague the CMS Website Security Landscape” states:

According to the researchers, vulnerable plugins and extensions “account for far more website compromises than out-of-date, core CMS files,” with roughly half of website intrusions recorded by the firm’s clients occurring on a domain with an up-to-date CMS. Threat actors will often leverage legitimate — but hijacked — websites to host malware, credit card skimmers, or for the deployment of spam.

Thank goodness these CMS cannot index “all” content, which limits breach risks to some degree.

Quite an attack surface: Art history majors versus the bad actors with engineering degrees from a technical university or an enterprising coder who dropped out of school to sell his services via Aletenen.

Stephen E Arnold, May 4, 2022

App Tracking? Sure, Why Not?

May 4, 2022

Big tech companies, including Google, Facebook, and Apple, are supposed to cut back on the amount of data they collect from users via apps. Despite the lip service to users, apps are still collecting data and it appears these companies will not stop anytime soon. Daiji World explains how much data apps are still gathering in: “Apps Still tracking Users’ Data On Apple App Store.”

A University of Oxford research team investigated 1759 Apple iOS apps in the United Kingdom App Store. The team monitored these apps before and after Apple implemented new tracking policies that supposedly make it harder to track users. Unfortunately, these apps are still tracking users as well as fingerprinting them. The team found hard evidence of user tracking:

“The researchers found real-world evidence of apps computing a mutual fingerprinting-derived identifier through the use of “server-side code” — a violation of Apple’s new policies and highlighting the limits of Apple’s enforcement power as a privately-owned data protection regulator. ‘Indeed, Apple itself engages in some forms of user tracking and exempts invasive data practices like first-party tracking and credit scoring from its new privacy rules,’ claimed Konrad Kollnig, Department of Computer Science, University of Oxford.”

Apple’s Privacy Nutrition Labels are also inaccurate and are in direct conflict with Apple’s marketing claims. It is a disappointment that Apple is purposely misleading its users. Enforcing user privacy laws is sporadic, and tech companies barely follow what they set for themselves. Apple has its own OS, so they have a closed technology domain that they control:

“‘Apple’s privacy efforts are hampered by its closed-source philosophy on iOS and the opacity around its enforcement of its App Store review policies. These decisions by Apple remain an important driver behind limited transparency around iOS privacy,’ [the research team] emphasised.”

Does this come as a surprise for anyone? Nope.

Apple can do whatever it wants because it is a prime technology company and it develops everything in-house. The only way to enforce privacy laws is transparency, but Apple will not become crystal clear because it will mean the company will lose profits.

Whitney Grace, May 4, 2022

Apple and Stalking? The Privacy Outfit?

May 3, 2022

Here is a tale of unintended, though not unanticipated, consequences. Engadget tells us “Police Reports Suggest a Larger Pattern of AirTag Stalking.” A few isolated cases of bad actors using Apple AirTags to facilitate stalking or car theft have come to light since the device was released in April 2021. To learn how widespread the problem is, Motherboard requested any records mentioning the technology from dozens of police departments around the country. Writer K. Holt summarizes:

“Motherboard received 150 reports from eight police departments and found that, in 50 cases, women called the cops because they received notifications suggesting that someone was tracking them with an AirTag or they heard the device chiming. (An AirTag will chime after it has been separated from its owner for between eight and 24 hours.) Half of those women suspected the tags were planted in their car by a man they knew, such as a current or former romantic partner or their boss. The vast majority of the reports were filed by women. There was just one case in which a man made a report after suspecting that an ex was using an AirTag (which costs just $29) to stalk him. Around half of the reports mentioned AirTags in the contexts of thefts or robberies. Just one instance of AirTag-related stalking would be bad enough. Fifty reports in eight jurisdictions in eight months is a not insignificant number and there are likely other cases elsewhere that haven’t been disclosed.”

Apple was aware the product had the potential to be abused, which is why the alerts cited by victims were built into it from the start. The company has since made some tweaks to make it more obvious if its product has been slipped into one’s belongings, like chiming sooner or making those notification messages clearer. At first the notifications only worked on iOS devices, leaving Android users in the dark. An Android app has since been released, but those users must be aware of the problem, and remember to manually scan for potential AirTag-alongs, for it to be of any use. Google is reportedly working on OS-level detection, which would be some consolation.

And the bad actors? Probably beavering away.

Cynthia Murrell, May 3, 2022

UAE Earns a Spot on Global Gray List

April 26, 2022

Forget Darkmatter. This is a gray matter.

Where is the best place to stash ill-gotten gains? The Cayman Islands and Switzerland come to mind, and we have to admit the US is also in the running. But there is another big contender—the United Arab Emirates. The StarTribune reports, “Anti-Money-Laundering Body Puts UAE on Global ‘Gray’ List.” Writer Jon Gambrell tells us:

“A global body focused on fighting money laundering has placed the United Arab Emirates on its so-called ‘gray list’ over concerns that the global trade hub isn’t doing enough to stop criminals and militants from hiding wealth there. The decision late Friday night by the Paris-based Financial Action Task Force [FATF] puts the UAE, home to Dubai and oil-rich Abu Dhabi, on a list of 23 countries including fellow Mideast nations Jordan, Syria and Yemen.”

Will the official censure grievously wound business in the country? Not by a long shot, though it might slightly tarnish its image and even affect interest rates. The FATF admits the UAE has made significant progress in fighting the problem but insists more must be done. Admittedly, the task was monumental from the start. We learn:

“The UAE long has been known as a place where bags of cash, diamonds, gold and other valuables can be moved into and through. In recent years, the State Department had described ‘bulk cash smuggling’ as ‘a significant problem’ in the Emirates. A 2018 report by the Washington-based Center for Advanced Defense Studies, relying on leaked Dubai property data, found that war profiteers, terror financiers and drug traffickers sanctioned by the U.S. had used the city-state’s boom-and-bust real estate market as a safe haven for their money.”

Is the government motivated to change its country’s ways? Yes, according to a statement from the Emirates’ Executive Office of Anti-Money Laundering and Countering the Financing of Terrorism. That ponderously named body promises to continue its efforts to thwart and punish the bad actors. The country’s senior diplomat also chimed in on Twitter, pledging ever stronger cooperation with global partners to address the issue.

Cynthia Murrell, April 26, 2022

The Patching Play

April 25, 2022

I read “Patching Is Security Industry’s ‘Thoughts and Prayers’: Ex-NSA Man Aitel.” The former leader of ImmunitySec asserts that patching delivers a false sense of security. Other industry experts believe that patching has some value. Both are correct. In my opinion, both are missing an important aspect of patching software and systems to keep bad actors at bay.

What’s my view?

Patching — real or pretend — is a launch pad for marketing. A breach occurs and vendors have an opportunity to explain what steps have been taken to protect the software and services, partners, customers, and in some cases the vendors themselves. Wasn’t it Solar something?

Microsoft explained that bad actors marshaled a team of 1,000 programmers. That’s marketing because the bad actors were in that case countries, not disgruntled 40-year-olds in a coffee shop.

The name of the game is cat and mouse. The bad actors find a flaw, exploit it, or sell it. The good actors respond to the issue and issue an alleged patch. The PR machine, which is like Jack Benny’s Maxwell with a transplanted Tesla electric motor, fires up.

Will the wheels fall off? Haven’t they?

Stephen E Arnold, April 25, 2022

Microsoft: A Consistently Juicy Target

April 25, 2022

I am perched in Washington, DC, checking news flows. What did I spy this morning (April 24, 2022)? This article caught my eye: “Microsoft Exchange Servers Are Being Infected with Ransomware.” Is this a remembrance from times past? The story asserts as actual factual (but who knows anymore?):

In the attack the team studied, Hive commenced its assault via the exploitation of ProxyShell, a collection of Microsoft Exchange Server vulnerabilities (and critical ones at that) that provide a way for attackers to remotely execute code. Microsoft reportedly patched this problem in 2021.

The key phrase in this allegedly accurate write up is “Microsoft reportedly patched this problem in 2021.”

Several observations:

  • Yo Windows Defender and the other Microsoft security systems, “What’s shaken’?”
  • What’s with the “reportedly”? If the write up is accurate, the problem was fixed.
  • How many thousands of bad actors are involved in this problem? Probably quite a few because this is CaaS, crime as a service.

Net net: Microsoft may be faced with security problems for which there is no reliable remediation. PR, however, is quite easy to deploy.

Stephen E Arnold, April 25, 2022
