AI Is a Rainmaker for Bad Actors

November 16, 2023

This essay is the work of a dumb dinobaby. No smart software required.

How has smart software, readily available as open source code and low-cost online services, affected cyber crime? Please, select from one of the following answers. No cheating allowed.

[a] Bad actors love smart software.

[b] Criminals are exploiting smart orchestration and business process tools to automate phishing.

[c] Online fraudsters have found that launching repeated breaching attempts is faster and easier when AI is used to adapt to server responses.

[d] Finding mules for drug and human trafficking is easier than ever because social media requests for interested parties can be cranked out at high speed 24×7.


“Well, Slim, your idea to use that new fangled smart software to steal financial data is working. Sittin’ here counting the money raining down on us is a heck of a lot easier than robbing old ladies in the Trader Joe’s parking lot,” says the bad actor with the coffin nail of death in his mouth and the ill-gotten gains in his hands. Thanks, Copilot, you are producing nice cartoons today.

And the correct answer is … a, b, c, and d.

For some supporting information, navigate to “Deepfake Fraud Attempts Are Up 3000% in 2023. Here’s Why.” The write up reports:

Face-swapping apps are the most common example. The most basic versions crudely paste one face on top of another to create a “cheapfake.” More sophisticated systems use AI to morph and blend a source face onto a target, but these require greater resources and skills.  The simple software, meanwhile, is easy to run and cheap or even free. An array of forgeries can then be simultaneously used in multiple attacks.

I like the phrase “cheap fakes.”

Several observations:

  1. Bad actors, unencumbered by bureaucracy, can download, test, tune, and deploy smart criminal actions more quickly than law enforcement can thwart them
  2. Existing cyber security systems are vulnerable to some smart attacks because AI can adapt and try different avenues
  3. Large volumes of automated content can be created and emailed without the hassle of manual content creation
  4. Cyber security vendors operate in “react mode”; that is, once a problem is discovered then the good actors will develop a defense. The advantage goes to those with a good offense, not a good defense.

Net net: 2024 will be fraught with security issues.

Stephen E Arnold, November 17, 2023

SolarWinds: Huffing and Puffing in a Hot Wind on a Sunny Day

November 16, 2023

This essay is the work of a dumb humanoid. No smart software required.

Remember the SolarWinds’ misstep? Time has a way of deleting memories of security kerfuffles. Who wants to recall ransomware, loss of data, and the general embarrassment of getting publicity for the failure of existing security systems? Not too many. A few victims let off steam by blaming their cyber vendors. Others — well, one — relieve their frustrations by emulating a crazed pit bull chasing an M1 A2 battle tank. The pit bull learns that the M1 A2 is not going to stop and wait for the pit bull to stop barking and snarling. The tank grinds forward, possibly over Solar (an unlikely name for a pit bull in my opinion).


The slick business professional speaks to a group of government workers gathered outside on the sidewalk of 100 F Street NW. The talker is semi-shouting, “Your agency is incompetent. You are unqualified. My company knows how to manage our business, security, and personnel affairs.” I am confident this positive talk will win the hearts and minds of the GS-13s listening. Thanks, Microsoft Bing. You obviously have some experience with government behaviors.

I read “SolarWinds Says SEC Sucks: Watchdog Lacks Competence to Regulate Cybersecurity.” The headline attributes the statement to a company. My hunch is that the criticism of the SEC is likely someone other than the firm’s legal counsel, the firm’s CFO, or its PR team.

The main idea, of course, is that SolarWinds should not be sued by the US Securities & Exchange Commission. The SEC does have special agents, but no criminal authority. However, like many US government agencies and their Offices of Inspector General, the investigators can make life interesting for those in whom the US government agency has an interest. (I will now offer an insider tip. Avoid getting crossways with a US government agency. The people may change but the “desks” persist through time along with documentation of actions. The business processes in the US government mean that people and organizations of interest can be subject to scrutiny. Like the poem says, “Time cannot wither nor custom spoil the investigators’ persistence.”)

The write up presents information obtained from a public blog post by the victim of a cyber incident. I call the incident a misstep because I am not sure how many organizations, software systems, people, and data elements were negatively whacked by the bad actors. In general, the idea is that a bad actor should not be able to compromise commercial outfits.

The write up reports:

SolarWinds has come out guns blazing to defend itself following the US Securities and Exchange Commission’s announcement that it will be suing both the IT software maker and its CISO over the 2020 SUNBURST cyberattack.

The vendor said the SEC’s lawsuit is "fundamentally flawed," both from a legal and factual perspective, and that it will be defending the charges "vigorously." A lengthy blog post, published on Wednesday, dissected some of the SEC’s allegations, which it evidently believes to be false. The first of which was that SolarWinds lacked adequate security controls before the SUNBURST attack took place.

The right to criticize is baked into the ethos of the US of A. The cited article includes this quote from the SolarWinds’ statement about the US Securities & Exchange Commission:

It later went on to accuse the regulator of overreaching and "twisting the facts" in a bid to expand its regulatory footprint, as well as claiming the body "lacks the authority or competence to regulate public companies’ cybersecurity." The SEC’s cybersecurity-related capabilities were again questioned when SolarWinds addressed the allegations that it didn’t follow the NIST Cybersecurity Framework (CSF) at the time of the attack.

SolarWinds feels strongly about the SEC and its expertise. I have several observations to offer:

  1. Annoying regulators and investigators is not perceived in some government agencies as a smooth move
  2. SolarWinds may find that its strong words may be recast in the form of questions in the legal forum which appears to be roaring down the rails
  3. The SolarWinds’ cyber security professionals on staff and the cyber security vendors with the super duper bad actor stoppers appear to have an opportunity to explain their view of what I call a “misstep.”

Do I have an opinion? Sure. You have read it in my blog posts or heard me say it in my law enforcement lectures, most recently at the Massachusetts / New York Association of Crime Analysts’ meeting in Boston the first week of October 2023.

Cyber security is easier to describe in marketing collateral than to do in real life. The SolarWinds’ misstep is an interesting case example of reality being different from the expectation.

Stephen E Arnold, November 16, 2023

AI Makes Cyberattacks Worse. No Fooling?

November 7, 2023

This essay is the work of a dumb humanoid. No smart software required.

Why does everyone appear to be surprised by the potential dangers of cyber attacks? Science fiction writers and even the crazy conspiracy theorists with their tin foil hats predicted that technology would outpace humanity one day. Tech Radar wrote an article about how AI like ChatGPT makes cyber attacks more dangerous than ever: “AI Is Making Cyberattacks Even Smarter And More Dangerous.”

Tech experts want to know how humans and AI algorithms compare when it comes to creating scams. IBM’s Security Intelligence X-Force team accepted the challenge with an experiment about phishing emails. They compared human-written phishing emails against those ChatGPT wrote. IBM’s X-Force team discovered that the human-written emails had higher click rates, giving them a slight edge over ChatGPT. It was a very slight edge, which shows that AI algorithms aren’t far from competing with and outpacing human scammers.

Human-written phishing scams have higher click rates because of emotional intelligence, personalization, and the ability to connect with their victims.

“All of these factors can be easily tweaked with minimal human input, making AI’s work extremely valuable. It is also worth noting that the X-Force team could get a generative AI model to write a convincing phishing email in just five minutes from five prompts – manually writing such an email would take the team about 16 hours. ‘While X-Force has not witnessed the wide-scale use of generative AI in current campaigns, tools such as WormGPT, which were built to be unrestricted or semi-restricted LLMs were observed for sale on various forums advertising phishing capabilities – showing that attackers are testing AI’s use in phishing campaigns,’ the researchers concluded.”

It’s only a matter of time before the bad actors learn how to train the algorithms to be as convincing as their human creators.  White hat hackers have a lot of potential to earn big bucks as venture startups.

Whitney Grace, November 7, 2023

Cyber Security Professionals May Need Worry Beads. Good Worry Beads

November 1, 2023

This essay is the work of a dumb humanoid. No smart software required.

I read “SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures.” Let’s assume the write up is accurate or — to hit today’s target for excellence — the article is close enough for horseshoes. Armed with this assumption, will cyber security professionals find that their employers or customers will be taking a closer look at the actual efficacy of the digital fences and news flows that keep bad actors outside the barn?


A very happy bad actor, having penetrated a corporate security system, cackles in a Starbucks: “Hey, that was easy. When will these people wake up that you should not have fired me.” Thanks, MidJourney, not exactly what I wanted but good enough, the new standard of excellence.

The write up suggests that the answer may be a less than quiet yes. I noted this statement in the write up:

According to the complaint filed by the SEC, Austin, Texas-based SolarWinds and Brown [top cyber dog at SolarWinds] are accused of deceiving investors by overstating the company’s cybersecurity practices while understating or failing to disclose known risks. The SEC alleges that SolarWinds misled investors by disclosing only vague and hypothetical risks while internally acknowledging specific cybersecurity deficiencies and escalating threats.

The shoe hit the floor, if the write up is on the money:

A key piece of evidence cited in the complaint is a 2018 internal presentation prepared by a SolarWinds engineer [an employee who stated something senior management does not enjoy knowing] that was shared internally, including with Brown. The presentation stated that SolarWinds’ remote access setup was “not very secure” and that exploiting the vulnerability could lead to “major reputation and financial loss” for the company. Similarly, presentations by Brown in 2018 and 2019 indicated concerns about the company’s cybersecurity posture.

From my point of view, there are several items to jot down on a 4×6 inch notecard and tape on the wall:

  1. The “truth” is often at odds with what senior managers want to believe, think they know, or want to learn. Ignorance is bliss, just not a good excuse after a modest misstep.
  2. There are more companies involved in the foul up than the news sources have identified. Far be it from me to suggest that highly regarded big-time software companies do a C minus job engineering their security. Keep in mind that most senior managers — even at high tech firms — are out of the technology loop no matter what the LinkedIn biography says or employees believe. Accountants and MBAs are good at some things, bad at others. Cyber security is in the “bad” ledger.
  3. The marketing collateral for most cyber security, threat intelligence services, and predictive alerting services talks about a sci-fi world, not the here and now of computer science students given penetration assignments from nifty places like Estonia and Romania, among others. There are disaffected employees who want to leave their former employers a digital hickey. There are developers, hired via a respected gig matcher, who will do whatever an anonymous customer requires for hard cash or a crypto payment. Most companies have no idea how or where the problem originates.
  4. Think about insider threats, particularly when insiders include contractors, interns, employees who are unloved, or a consulting firm with a sketchy wizard gathering data inside of a commercial operation.

Sure, cyber security just works. Yeah, right. Maybe this alleged action toward a security professional will create some discomfort and a few troubled dreams. Will there be immediate and direct change? Nope. But the PowerPoint decks will be edited. The software will not be fixed up as quickly. That’s expensive and may not be possible with a cyber security firm’s current technical staff and financial resources.

Stephen E Arnold, November 1, 2023

Quantum Security? Yep, Someday

October 24, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

How is this for a brilliant statistical item: “61% of Firms Worry They Are Unprepared for Security Risks in Quantum Era.”

The write up reports with apparent seriousness:

Some 61% have expressed concern their organization is not and will not be prepared to handle security implications that may surface in a post-quantum computing future, according to a survey conducted by Ponemon Institute. Commissioned by DigiCert, the study polled 1,426 IT and cybersecurity professionals who have knowledge of their company’s approach to post-quantum cryptography. Among them were 605 from the US, 428 in EMEA, and 393 across Asia-Pacific.

Apparently some people missed one of the largest security lapses since 9/11. Israel’s high profile smart cyber security capabilities were on leave. The result is what is labeled as the Israel Hamas war. If the most sophisticated cyber security outfits in Tel Aviv cannot effectively monitor social media, the Web, and intercepted signals for information about an attack more than a year in planning, what about the average commercial operation? What about government agencies? What about NGOs?


Boo, I am the quantum bully. Are you afraid yet? Thanks, MidJourney. Terrible cartoon but close enough for horse shoes.

Yet I am to accept that 61 percent of the survey sample is concerned about quantum compromises? My hunch is that the survey respondents checked a box. The other survey questions did not ferret out data about the false belief that current technology makes these folks vulnerable.

I don’t know where the error has spread. Was it the survey design? The sample selection? The interpretation of the data? The lax vetting of the survey results by ZDNet? Or, maybe a Fiverr.com contractor doing the work for a couple of hundred dollars?

Quantum when today’s vanilla services fail? Wow, some people are thinking about the future, assuming today is peachy keen in the cyber security department. Marketers are amazing: someone says, “Let’s do a survey,” and off to the races and lunch the folks go.

Stephen E Arnold, October 24, 2023

AI Cybersecurity: Good News and, of Course, Bad News

October 23, 2023

This essay is the work of a dumb humanoid. No smart software required.

Life, like a sine wave, is filled with ups and downs. Nothing strikes me like the ups and downs of AI: Great promise but profits, not yet. Smart cyber security methods? Same thing. Ups and downs. Good news then bad news. Let’s look at two examples.

First, the good news. “New Cyber Algorithm Shuts Down Malicious Robotic Attack” reports:

Researchers have designed an algorithm that can intercept a man-in-the-middle (MitM) cyberattack on an unmanned military robot and shut it down in seconds. The algorithm, tested in real time, achieved a 99% success rate.

Is this a home run? A 99 percent success rate. Take that percentage, some AI, and head to a casino or a facial recognition system. I assume I will have to wait until the marketers explain this limited test.


“Hello, we are the team responsible for infusing AI into cyber security safeguards. We are confident that our technology will have an immediate, direct impact on protecting your organization from threats and bad actors,” says Mary, a lawyer and MBA. I believe everything lawyers and MBAs say, even more than Tom, the head of marketing, or Ben, the lead developer who loves rock climbing and working remotely. Thanks, Bing Dall-e. You understand the look and feel of modern cyber security teams.

Okay, the bad news. A cyber security outfit named Okta was unable to secure itself. You can read the allegedly real details in “Okta’s Stock Slumps after Security Company Says It Was Hacked.” The write up asserts:

Okta, a major provider of security technology for businesses, government agencies and other organizations, said Friday that one of its customer service tools had been hacked. The hacker used stolen credentials to access the company’s support case management system and view files uploaded by some customers, Okta Chief Security Officer David Bradbury disclosed in a securities filing. Okta said that system is separate from its main client platform, which was not penetrated.

Yep, the “main client platform” is or was secure.

Several observations:

  1. After Israel’s sophisticated cyber systems failed to detect planning and preparing for a reasonably large scale attack, what should I conclude about sophisticated cyber security systems? My initial conclusion is that writing marketing collateral is cheaper and easier than building secure systems.
  2. Are other cyber security firms’ systems vulnerable? I think the answer may be, “Yes, but lawyer and MBA presidents are not sure how and where.”
  3. Are cost cutting and business objectives more important than developing high reliability cyber security systems? I would suggest, “Yes. What companies say about their products and services is often different from that which is licensed to customers.”

Net net: Cyber security may be a phrase similar to US telecommunications’ meaning of “unlimited.”

Stephen E Arnold, October 27, 2023

Video Analysis: Do Some Advanced Systems Have Better Marketing Than Technology?

October 16, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

I am tempted to list some of the policeware and intelware companies which tout video analysis capabilities. If we narrow our focus to Israel, there are a number of companies which offer software and systems that can make sense of video data. Years ago, I attended a briefing and the company (which I will not name) showed that its system could zip through a 90 minute video of a soccer (football) match and identify the fouls and the goals. Like most demonstrations, the system worked perfectly. In actual real world situations, the system did not work. Video footage is a problem, but there are companies which assert that their developers’ confections have solved it.


Aggressive bunnies get through the farmer’s fence. The smart surveillance cameras emit a faint beep. The bunnies are having a great time. The farmer? Not so much. Thank you, MidJourney. You do a nice bunny.

Here are the results of the query “video analysis Israel.” Notice that I am not including the name of a company nor a specific country. Google returned ads and video thumbnails and this result:

The cited article is a 2013 Israel21c write up, “Israel’s Top 12 Video Surveillance Advances.” The cited article reports as actual factual:

Combing such vast amounts of material [from the Boston Marathon bombing in 2013] would have taken months, or even years in the past, but with new video analytics technologies developed by Israel’s BriefCam, according to the publication IsraelDefense, it took authorities just a few days to identify and track Tamerlan and Dzhokhar Tsarnaev, the two main suspects in the attack which killed three, and wounded 183. Within five days one of the terrorists was dead, the other arrested after a 22-hour manhunt.

BriefCam is now owned by Canon, the Japanese camera maker. Imagine the technical advances in the last 10 years.

I don’t know if Israel had a BriefCam system at its disposal in the last six months. My understanding is that the Israel Defense Force and related entities have facial recognition systems. These can work on still pictures as well as digital video.

Why is this important?

The information in the San Francisco Chronicle article “Hamas Practiced in Plain Sight, Posting Video of Mock Attack Weeks Before Border Breach” asserts:

A slickly produced two-minute propaganda video posted to social media by Hamas on Sept. 12 shows fighters using explosives to blast through a replica of the border gate, sweep in on pickup trucks and then move building by building through a full-scale reconstruction of an Israeli town, firing automatic weapons at human-silhouetted paper targets. The Islamic militant group’s live-fire exercise dubbed operation “Strong Pillar” also had militants in body armor and combat fatigues carrying out operations that included the destruction of mock-ups of the wall’s concrete towers and a communications antenna, just as they would do for real in the deadly attack last Saturday.

If social media monitoring systems worked, the video should have been flagged and routed to the IDF. If the video analysis and facial recognition systems worked, an alert to a human analyst could have sparked a closer look. It appears that neither of these software-intermediated actions took place and found their way to a human analyst skilled in figuring out what the message payload of the video was. Who found the video? Based on the tag line to the cited article, the information was located by reporters for the Associated Press.

What magical research powers did the AP have? None as it turns out. The article reports:

The Associated Press reviewed more than 100 videos Hamas released over the last year, primarily through the social media app Telegram. Using satellite imagery, the AP was able to verify key details, as well as identify five sites Hamas used to practice shooting and blowing holes in Israel’s border defenses. The AP matched the location of the mocked-up settlement from the Sept 12 video to a patch of desert outside Al-Mawasi, a Palestinian town on the southern coast of the Gaza Strip. A large sign in Hebrew and Arabic at the gate says “Horesh Yaron,” the name of a controversial Israeli settlement in the occupied Palestinian West Bank.

I don’t want to be overly critical of tools like BriefCam or any other company. I do want to offer several observations from my underground office in rural Kentucky:

  1. The Hamas attack was discernible via humans who were paying attention. Were people in the IDF and related agencies paying attention? Apparently something threw a wrench in a highly-visible, aggressively marketed intelligence capability, right?
  2. What about home grown video and facial recognition systems? Yes, what about them. My hunch is that the marketing collateral asserts some impressive capabilities. What is tough to overlook is that for whatever reason (human or digital), the bunny got through the fence and did damage to some precious, fragile organic material.
  3. Are other policeware and intelware vendors putting emphasis on marketing instead of technical capabilities? My experience over the last half century says, “When sales slow down and the competition heats up, marketing takes precedence over the actual product.”

Net net: Is it time for certification of cyber security technology? Is it time for an external audit of intelligence operations? The answer to both questions, I think, is, “Are you crazy?”

Stephen E Arnold, October 16, 2023


Need Free Data? Two Thousand Terabytes Are Available

October 2, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

I read “Censys Reveals Open Directories Share More Than 2,000 TB of Unprotected Data.” What’s an open directory? According to the champion of redactions, the term refers to lists of direct links to files. True?

The article reports:

These open directories could leak sensitive data, intellectual property or technical data and let an attacker compromise the entire system.

Why do these “lists” exist? Laziness, lack of staff who know what to do, and forgetting how an intern configured a server years ago?

The article states:

Why don’t search engines prohibit people from seeing those open directories? Censys researchers told TechRepublic that “while this may initially sound like a reasonable approach, it’s a bandage on the underlying issue of open directories being exposed on the internet in the first place.”

Are open directories a good thing? I think it depends on one’s point of view. Why are bad actors generally cheerful these days? Attack surfaces are abundant and management floats above such hard-to-grasp details about online systems and services. Hey, what time is lunch?

Stephen E Arnold, October 2, 2023

Malware: The NSO Group and a Timeline

September 8, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

A flurry of NSO Group news appeared in my newsfeeds this morning. Citizen Lab issued an advisory. You can find that short item in “BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild.” Recorded Future, a cyber security company, published “Apple Discloses Zero-Days Linked.” Variants of these stories are percolating, including in British tabloid newspapers like The Metro. One message comes through: Update your iPhones.

The information makes clear that a vulnerability “path” appears to be blocked. That’s good news. The firm which allegedly discovered the way into user mobile devices is the NSO Group. The important fact, at least for me, is that this organization opened its doors for business in 2010. The origin story, if one believes the information one can find using a free Web search engine, is that the company evolved from a mobile phone repair business. After repairing and tinkering, the founder set up a company to assist government agencies in obtaining information from mobile devices believed to be used by bad actors. Agree or disagree, the origin story is interesting.

What’s important for me is that the time between the company’s start up and the “good news” about addressing a vulnerability in certain devices has been a decade, maybe more. I don’t have an opinion about whether the time window could have been closed more quickly. What’s important to me is that the information is diffusing quickly. On one hand, that’s beneficial to those concerned about the security of their devices. On the other hand, that’s the starter’s gun for bad actors to deploy another hard-to-spot exploit.

I have several observations about this vulnerability:

  1. The challenge to those who create hardware and software is to realize that security issues are likely to exist. Those who discover these and exploit them blindside the company. The developers have to reverse engineer the exploit and then figure out what their colleagues missed. Obviously this is a time consuming and difficult process. Perhaps 10 years is speedy or slow. I don’t know. But an error made many years ago can persist and affect millions of device owners.
  2. The bad actor acts and the company responsible for chasing down the flaw reacts. This is a cat-and-mouse game. As a result, the hardware and software developers are playing defense. The idea that a good defense is better than a good offense may not be accurate. Those initial errors are, by definition, unknown. The gap between the error and the exploit allows bad actors to do what they want. Playing defense allows the offense time to gear up something new. The “good guys” are behind the curve in this situation.
  3. The fact that the digital ecosystem is large means that the opportunity for mischief increases. In my lectures, I like to point out that technology yields benefits, but it also is an enabler of those who want to do mischief.

Net net: Cyber crime increases steadily, and the boundary between systems and methods which are positive and those which are negative becomes blurred. Have we entered a stage in technical development in which the blurred space between good and bad has become so large that one cannot tell what is right or wrong, correct or incorrect, appropriate or inappropriate? Are we living in a “ghost Web” or a “shadow land?”

Stephen E Arnold, September 8, 2023

Surprised? Microsoft Drags Feet on Azure Security Flaw

September 5, 2023

Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Microsoft has addressed a serious security flaw in Azure, but only after being called out by the cybersecurity firm that found the issue. It only took several months. Oh, and according to that firm, the “fix” only applies to new applications despite Microsoft’s assurances to the contrary. “Microsoft Fixes Flaw After Being Called Irresponsible by Tenable CEO,” Bleeping Computer reports. Writer Sergiu Gatlan describes the problem Tenable found within the Power Platform Custom Connectors feature:

“Although customer interaction with custom connectors usually happens via authenticated APIs, the API endpoints facilitated requests to the Azure Function without enforcing authentication. This created an opportunity for attackers to exploit unsecured Azure Function hosts and intercept OAuth client IDs and secrets. ‘It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact,’ says cybersecurity firm Tenable which discovered the flaw and reported it on March 30th. ‘However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing.’ ‘To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft,’ Tenable CEO Amit Yoran added.”

Yes, that would seem to be worth a sense of urgency. But even after the eventual fix, this bank and any other organizations already affected were still vulnerable, according to Yoran. As far as he can tell, they weren’t even notified of the problem so they could mitigate their risk. If accurate, can Microsoft be trusted to keep its users secure going forward? We may have to wait for another crop of interns to arrive in Redmond to handle the work “real” engineers do not want to do.

Cynthia Murrell, September 5, 2023
