DarkCyber for July 27, 2021: NSO Group Again, Making AWS Bots, How Bad Actors Scale, and Tethered Drones

July 27, 2021

The 15th DarkCyber for 2021 addresses some of the NSO Group’s market position. With more than a dozen news organizations digging into who does what with the Pegasus intelware system, the Israeli company has become the face of what some have called the spyware industry. In this program, Stephen E Arnold, author of the Dark Web Notebook, explains how bad actors scale their cyber crime operations. One thousand engineers is an estimate which is at odds with how these cyber groups and units operate. What’s the technique? Tune in to learn why Silicon Valley provided the road map for global cyber attacks. If you are curious, you can build your own software robot to perform interesting actions using the Amazon AWS system as a launch pad. The final story explains that innovation in policing can arrive from the distant pass. An 18th century idea may be the next big thing in law enforcement’s use of drones. DarkCyber is produced by Stephen E Arnold, who publishes Beyond Search. You can access the blog at www.arnoldit.com/wordpress and view the DarkCyber video at this link.

Kenny Toth, July 27, 2021

NSO Group: The Rip in the Fabric of Intelware

July 22, 2021

A contentious relationship with the “real news” organizations can be risky. I have worked at a major newspaper and a major publisher. The tenacity of some of my former colleagues is comparable to the grit one associates with an Army Ranger or Navy Seal, just with a slightly more sensitive wrapper. Journalists favored semi with it clothes, not bushy beards. The editorial team was more comfortable with laptops than an F SCAR.

Communications associated with NSO Group — the headline magnet among the dozens of Israel-based specialized software companies (an very close in group by the way)— may have torn the fabric shrouding the relationship among former colleagues in the military, government agencies, their customers, and their targets.

Whose to blame? The media? Maybe. I don’t have a dog in this particular season’s of fights. The action promises to be interesting and potentially devastating to some comfortable business models. NSO Group is just one of many firms working to capture the money associated with cyber intelligence and cyber security. The spat between the likes of journalists at the Guardian and the Washington Post and NSO Group appears to be diffusing like spilled ink on a camouflage jacket.

I noted “Pegasus Spyware Seller: Blame Our Customers Not Us for Hacking.” The main point seems to be that NSO Group allegedly suggests that those entities licensing the NSO Group specialized software are responsible for their use of the software. The write up reports:

But a company spokesman told BBC News: “Firstly, we don’t have servers in Cyprus.

“And secondly, we don’t have any data of our customers in our possession.

“And more than that, the customers are not related to each other, as each customer is separate.

“So there should not be a list like this at all anywhere.”

And the number of potential targets did not reflect the way Pegasus worked.

“It’s an insane number,” the spokesman said.

“Our customers have an average of 100 targets a year.

“Since the beginning of the company, we didn’t have 50,000 targets total.”

For me, the question becomes, “What controls exist within the Pegasus system to manage the usage of the surveillance system?” If there are controls, why are these not monitored by an appropriate entity; for example, an oversight agency within Israel? If there are no controls, has Pegasus become an “on premises” install set up so that a licensee has a locked down, air tight version of the NSO Group tools?

The second item I noticed was “NSO Says ‘Enough Is Enough,’ Will No Longer Talk to the Press About Damning Reports.” At first glance, I assumed that an inquiry was made by the online news service and the call was not returned. That happens to me several times a day. I am an advocate of my version of cancel culture. I just never call the entity again and move on. I am too old to fiddle with the egos of a younger person who believes that a divine entity has given that individual special privileges. Nope, delete.

But not NSO Group. According to the write up:

“Enough is enough!” a company spokesperson wrote in a statement emailed to news organizations. “In light of the recent planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.” NSO has not responded to Motherboard’s repeated requests for comment and for an interview.

Okay, the enough is enough message is allegedly in “writing.” That’s better than a fake message disseminated via TikTok. However, the “real journalists” are likely to become more persistent. Despite a lack of familiarity with the specialized software sector, a large number of history majors and liberal arts grads can do what “real” intelligence analysts do. Believe me, there’s quite a bit of open source information about the cozy relationship within and among Israel’s specialized software sector, the interaction of these firms with certain government entities, and public messages parked in unlikely open source Web sites to keep the “real” journalists learning, writing, and probing.

In my opinion, allowing specialized software services to become public; that is, actually talk about the capabilities of surveillance and intercept systems was a very, very bad idea. But money is money and sales are sales. Incentive schemes for the owners of specialized software companies guarantee than I can spend eight hours a day watching free webinars that explain the ins and outs of specialized software systems. I won’t but some of the now ignited flames of “real” journalism will. They will learn almost exactly what is presented in classified settings. Why? Capabilities when explained in public and secret forums use almost the same slide decks, the same words, and the same case examples which vary in level of detail presented. This is how marketing works in my opinion.


1. A PR disaster is, it appears, becoming a significant political issue. This may pose some interesting challenges within the Israel centric specialized software sector. NSO Group’s system ran on cloud services like Amazon’s until AWS allegedly pushed Pegasus out of the Bezos stable.

2. A breaker of the specialized software business model of selling to governments and companies. The cost of developing, enhancing, and operating most specialized software systems keeps companies on the knife edge of solvency. The push into commercial use of the tools by companies or consumerizing the reports means government contracts will become more important if the non-governmental work is cut off. Does the world need several dozen Dark Web indexing outfits and smart time line and entity tools? Nope.

3. A boost to bad actors. The reporting in the last week or so has provided a detailed road map to bad actors in some countries about [a] What can be done, [b] How systems like Pegasus operate, [c] the inherent lack of security in systems and devices charmingly labeled “insecure by design” by a certain big software company, and [d] specific pointers to the existence of zero day opportunities in blast door protected devices. That’s a hoot at ??????? ???? “Console”.

Net net: The NSO Group “matter” is a very significant milestone in the journey of specialized software companies. The reports from the front lines will be fascinating. I anticipate excitement in Belgium, France, Germany, Israel, the United Kingdom, and a number of other countries. Maybe a specialized software Covid Delta?

Stephen E Arnold, July 22, 2021

How Do You Spell Control? Maybe Google?

July 8, 2021

The lack of a standardized format has made it difficult to manage vulnerabilities in open source software. Now, SiliconAngle reports, “Google Announces Unified Schema to Make Sharing Vulnerabilities Easier.” Writer Duncan Riley explains:

“Google LLC today announced a unified schema for describing vulnerabilities precisely to make it easier to share vulnerabilities between databases. The idea behind the unified schema is to address an issue with existing vulnerability databases where various ecosystems and organizations create their own data. As each uses its own format to describe vulnerabilities, a client tracking vulnerabilities across multiple databases must handle each separately. Because of the lack of a common standard, sharing vulnerabilities among databases is challenging. The new unified schema for describing vulnerabilities has been designed by the Google Open Source Security Team, Go Team and the broader open-source community and has been designed from the beginning for open-source ecosystems. The unified format will allow vulnerability databases, open-source users and security researchers to share tooling and consume vulnerabilities more easily across open source, providing a complete view of vulnerabilities in open source.”

Google also launched its Open Source Vulnerabilities database in February, describing it as the “first step toward improving vulnerability triage for developers and consumers of open-source software.” Originally populated with a few thousand vulnerabilities from the OSS-Fuzz project, the database is being expanded to open-source ecosystems Go, Rust, Python and DWF. These seems like moves in the right direction, but can we trust Google deliver objective, unfiltered reports? Or will it operate as it has with YouTube filtering and AI ethics staff management?

Cynthia Murrell, July 8, 2021

Microsoft in Perspective: Forget JEDI. Think Teams Together

July 7, 2021

I received some inputs from assorted colleagues and journalistic wizards regarding JEDI. The “real” news outfit CNBC published “Pentagon Cancels $10 Billion JEDI Cloud Contract That Amazon and Microsoft Were Fighting Over.” The write up stated:

… the Pentagon is launching a new multivendor cloud computing contract.

What caused this costly, high-profile action. Was it the beavering away of the Oracle professionals? Were those maintaining the Bezos bulldozer responsible? Was it clear-thinking consultants who asked, “Wasn’t Microsoft in the spotlight over the SolarWinds’ misstep?” I don’t know.

But let’s put this in perspective. As the JEDI deal was transported to a shelf in a Department of Defense store room at the Orchard Range Training Site in Idaho, there was an important — possibly life changing — announcement from Microsoft. Engadget phrased the technology breakthrough this way: Microsoft Teams Together Mode test lets just two people start a meeting. I learned:

Together Mode uses AI-powered segmentation to put all participants in a meeting in one virtual space.

I assume that this was previously impossible under current technology like a mobile phone, an Apple device with Facetime, Zoom, and a handheld walkie talkie, a CB radio, a ham radio, FreeConference.com, or a frequently sanitized pay phone located in a convenient store parking lot near the McCarran International Airport in Las Vegas.

I have a rhetorical question, “Is it possible to print either the news story about the JEDI termination or the FAQ for Together in the midst of — what’s it called — terror printing, horror hard copy effort — wait! — I have it. It is the condition of PrinterNightmare.

I have to stop writing. My Windows 10 machine wants to reboot for an update.

Stephen E Arnold, July 7, 2021

And about That Windows 10 Telemetry?

May 28, 2021

The article “How to Disable Telemetry and Data Collection in Windows 10” reveals an important fact. Most Windows telemetry is turned on by default. But the write up does not explain what analyses occur for data on the company’s cloud services or for the Outlook email program. I find this amusing, but Microsoft — despite the SolarWinds and Exchange Server missteps — is perceived as the good outfit among the collection of ethical exemplars of US big technology firms.

I read “Three Years Until We’re in Orwell’s 1984 AI Surveillance Panopticon, Warns Microsoft Boss.” Do the sentiments presented as those allegedly representing the actual factual views of the Microsoft executive Brad Smith reference the Windows 10 telemetry and data collection article mentioned above? Keep in mind that Mr. Smith believed at one time than 1,000 bad actors went after Microsoft and created the minor security lapses which affected a few minor US government agencies and sparked the low profile US law enforcement entities into pre-emptive action on third party computers to help address certain persistent threats.

I chortled when I read this passage:

Brad Smith warns the science fiction of a government knowing where we are at all times, and even what we’re feeling, is becoming reality in parts of the world. Smith says it’s “difficult to catch up” with ever-advancing AI, which was revealed is being used to scan prisoners’ emotions in China.

Now about the Microsoft telemetry and other interesting processes? What about the emotions of a Windows 10 user when the printer does not work after an update? Yeah.

Stephen E Arnold, May 28, 2021

What the Colonial Pipeline Affair Has Disclosed

May 21, 2021

I worked through some of the analyses of the Colonial Pipeline event. You can get the “predictive analytics” view in Recorded Future’s marketing-centric blog post “DarkSide Ransomware Gang Says It Lost Control of Its Servers & Money a Day after Biden Threat.” You can get the digital currency can be deanonymized view in the marketing-oriented “Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other Dark Side Ransomware Victims.” You can get the marketing-oriented “Colonial Pipeline Ransomware Attack: What We Know So Far.” Please, read these after-action reports, pull out nuggets of information, and learn how well hindsight works. What’s hindsight? Here’s a definition:

the ability to understand an event or situation only after it has happened (Cambridge.org)

The definition edges close to the situation in which cyber security (not Colonial) finds itself; namely, I have seen no names of the individuals responsible. I have seen no identification of the sources of funding and support for the group responsible. I have seen no print outs illustrating the formation of the attack plan or of the log data making explicit an attack was underway.

The cyber security industry is a club, and the members of the club know their in-crowd has a license to send invoices. Not even IBM in its FUD days could have created a more effective way to sell products and services. These range from real time threat intelligence, to predictive reports explaining that lighting is about to strike, or smart autonomous cyber nervous systems sounding alarms.

Nope, not that I have heard.

Here are some issues which Colonial raised when I participated in a conference call with a couple of LE and intel types less than 24 hours ago:

  1. The existing threat intelligence, Dark Web scanners, and super AI infused whiz bang systems don’t work. They missed SolarWinds, Exchange Server, and now the Colonial Pipeline affair. Yikes. Don’t work? Right. Don’t work. If even one of the cyber security systems “worked”, then none of these breaches would have be possible. What did I hear in Harrod’s Creek? Crickets.
  2. In the case of Colonial, how much of the problem was related to business matters, not the unknown, undetected wizards of Dark Side? Who knows if the bad actors were the problem or if Colonial found the unpleasantness and opportunity for some breathing room for other activities? Where are the real journalists from Bloomberg, the New York Times, the Wall Street Journal, the Washington Post, et al? Yep, sources produced nothing and now the after action analyses will flow for a while.
  3. What about the specialist firms clustered in Herliya? What about the monitoring and alerting systems among Cambridge, Cheltenham, and London? What about the outfits clustered near government centers in Brussels, Berlin, and Prague? I have not heard or seen anything in the feeds I monitor. Zippo.

Let’s step back.

The current cyber security set up is almost entirely reactive. Any breach is explained in terms of China, Iran, and Russia. Some toss in Iran and North Korea. Okay, add them to the list of malefactors. That does not change the calculus of these escalating cyber breaches.

The math looks like this: 1 + 0 = 32

Let me explain:

The “1” represents a cyber breach

The “0” represents the failure of existing cyber security systems to notice and/or block the bad actor’s method

The 32 means the impact is exponential—in favor of the bad actors.

With no meaningful proactive measures working in a reliable function, the cyber security systems now in place are sitting ducks.

Some body said, “Our reaction to a situation literally has the power to change the situation itself.” Too bad this aphorism is dead wrong.

When the reactions are twisted into marketing opportunities and the fix does not work, where are we? I would suggest in a place that warrants more than sales lingo, jargon, and hand waving.

The talk about cyber security and threat intelligence sounds similar to the phrase, “Please, take off your shoes.”

Stephen E Arnold, May 21, 2021

Cyber Security: What Are You Doing?

May 20, 2021

I read “A Federal Government Left Completely Blind on Cyber attacks Looks to Force Reporting.” The write up uses a phrase for which there are a limited number of synonyms in English; namely, completely blind. There are numerous types of blindness. There’s the metaphorical blindness of William James, who coined the phrase “a certain blindness.” The wordy kin of the equally wordy Henry James means, I think, that some people just can’t “see” something. A friend says, “You will love working at Apple.” You say, “I don’t think so.” Hey, working at Apple is super, like the chaos monkeys on steroids.

Other types of blindness include losing one’s eyes; for example, Tiresias, who lost his vision seeing some interesting transformations. (Look it up.) There’s the Oedipus angle which involves breaking some Western cultural norms, ignoring inputs, and gouging out his eyes. Yep, that will do. Don’t listen, generate some inner angst, and poking one’s eyes. There are medical reasons galore. These range from protein build up, which is easily corrected today with some medical magic to truly weird stuff like nuclear radiation.

The point is that cyber security has left the US government “completely blind.” The write up says:

Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyber attack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government.

What are the “rules” now? The write up says:

No federal law or regulation requires pipeline operators to report any cybersecurity incidents to the government. Instead, suggested guidance from the Transportation Security Administration — the federal agency that oversees pipeline cybersecurity — recommends that they tell local and federal officials about significant breaches.

President Biden says, according to the article, “we have to do more than is being done now.”

Who agrees? If a commercial enterprise says, “Yo, breach”, won’t the stock or value of the brand decline. If a government agency says, “We’ve been hacked”, what happens to the security manager and his / her manager?

Are the cyber security vendors able to provide a solution? Maybe.

To sum up, lots of talk and more regulation. In the meantime, ransomware bad actors are seeing an open road, no traffic cops, and a dry, clear day. Put the pedal to the metal.

Stephen E Arnold, May 20, 2021

Security: Survey Says, Not Buttoned Up

May 18, 2021

I read “Two Thirds of CISOs Admit They’re Not Ready to Face a Cyber attack.” Who would have guessed? Executives at SolarWinds, Microsoft, or Colonial Pipelines? Yet, we needed a survey to make insecurity visible it seems. The write up reports:

The 2021 edition of Proofpoint’s Voice of the CISO report — based on a survey of more than 1,400 CISOs in 14 countries — found 66 percent of the executives acknowledged their organizations were unprepared to handle a targeted cyber attack this year. In addition, more than half the CISOs (53 percent) admitted they are more concerned about the repercussions from a cyber attack this year than they were in 2020.

First, the good news. Cyber security executives are admitting that they are in reactive mode but admitting their work has been ineffective.

Now, the bad news. Bad actors can exploit the “gap” which exists between what executives license to protect their colleagues and their employers’ assets. That means that 2021 is not just going to be worse than 2020, one of the study’s findings. The survey data points out these findings:

  • 64 percent of the survey respondents are “at risk of suffering a material cyber attack.” (Are those other 36 percent that confident?)
  • 34 percent expect email compromises
  • 27 percent anticipate ransomware. (73 percent of the sample are apparently not that nervous about ransomware. Odd because insiders and phishing deliver the goods, and the Colonial Pipeline incident makes clear that authorities can apply pressure to bad actors after the event. Predictive marketing jabber, not too helpful it seems.)

And threat intelligence, Dark Web indexes, and “special” content available to some cyber intelligence firms are more like looking in a rear view mirror than watching what’s ahead. Of course, this is my opinion, and I am confident that the venture fund fat cyber intelligence firms will beg to disagree.

Stephen E Arnold, May 18, 2021

How To about Ransomware from Lawyers

May 17, 2021

Lawyers are sophisticated technologists in general. I was amazed with the advice in “Avoiding Ransomware Attacks is Not a Pipe Dream: Actionable Steps to Avoid Becoming the Next Victim.” Let’s run through the suggestions, shall we?

The first is to buy insurance. I am not sure how hedging financial losses is a way to “avoid ransomware.” If anything, insurance gives some people a false sense of security. My information comes from some individuals who suffered storm damage in Florida. Not a good sample I admit.

The second tip is to “understand what your IT provider is actually providing you.” My reaction to this brilliant chunk of “mom says” is that law firms may lack information technology professionals. I assume this dependence on outsourcing from individuals who have not read and understood the terms of their agreement with a service provider is a willing suspension of disbelief. Obviously any lawyer smart enough to buy insurance knows what an “IT provider provides.” Stellar logic.

The third tip is more reassuring: Understand what your “internal IT provides you.” Is there a cultural divide between the billable and the individuals who provide IT? No, it is helpful to speak with these IT professionals. For example, read the “data inventory.” Read the WISP or “written information security plan.” Know the firm’s “data breach response plan.” Know the “data retention plan.” (Absolutely. Without a copy of the information germane to a trial, how can those billable hours be counted. Perhaps keeping these data on a USB or a personal computer at one’s domicile is a great way to facilitate the “keep on billing” approach.) And, know the training plan. My goodness, it is possible that if a security training session is held at the firm, one should read about its plan. Attend? Yeah, well, maybe. One question, “Is there a Zoom or YouTube video one could watch if one is not billable?)

The final way to “avoid” ransomware is to talk with an attorney. What? I think the idea is that a firm may have its own legal counsel. But are recent hires permitted to call a firm’s legal advisors and spend the partners’ bonus money?

I am thrilled with this advice. Bad actors aware of law firms embracing this write up’s approach to security will seek a new line of work. Terrifyingly effective. Intellectually incisive. Practical. All-in-all wonderful.

Stephen E Arnold, May 17, 2021

Microsoft and Security: Bondo, Lead, or Duct Tape?

May 17, 2021

This round of updates will not fix all of Exchange’s vulnerabilities, but we may be getting closer to some semblance of security. The Register reports, “Microsoft Emits More Fixes for Exchange Server Plus Patches for Remote-Code Exec Holes in HTTP Stack, Visual Studio.” This release includes 55 CVE fixes for 32 MS apps and services, down from the 114 fixes released in April. Writer Thomas Claburn elaborates:

“Among the 55 CVEs identified by Microsoft, four are rated critical, 50 are rated important, and one is rated moderate. Those who recall the slew of Exchange Server fixes in March and April may experience a sense of deja vu: May brings still more Exchange Server fixes, for Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9. The four Exchange bugs are all rated moderate; one, a security-feature bypass (CVE-2021-31207), is already publicly known. Dustin Childs, director of communications for the Zero Day Initiative, observes in an advisory that a number of Exchange bugs came out of the recent Pwn2Own exploit contest. ‘More Exchange patches are expected as not everything disclosed at the contest has been addressed,’ he said. Aware that state-sponsored miscreants have been breaking into Exchange Servers via earlier vulnerabilities, Microsoft said while it’s not aware of any active exploitation of these latest flaws, ‘our recommendation is to install these updates immediately to protect your environment.’”

Good idea. Childs points to several more vulnerabilities that warrant immediate attention in HTTP Protocol Stack, Hyper-V, Visual Studio, and Windows Wireless Networking. There are also two that depend on their victims accessing a website—an OLE Automation remote code execution vulnerability and a Scripting Engine memory corruption vulnerability. Will it be another month before Microsoft addresses these?

Cynthia Murrell, May 17, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta