Identity Theft Made Easy: Why?

December 30, 2022

Some automobiles are lemons aka money holes, because they have defects that keep breaking. Many services are like that as well, including rental car insurance, extended warranties on electronics, and identity theft protection. Life Hacker explains why identity theft protection services are a scam in the story: “Identity Theft Protection Is Mostly Bullshit.”

Most Americans receive emails or physical letters from their place of work, medical offices, insurance agencies, etc. that their personal information was involved in a data breach. As a token of atonement, victims are given free Identity Theft Protection (ITP) aka a useless service. These services promise to monitor the Internet and Dark Web for your personal information. This includes anything from your credit cards to social security number. Identity theft victims deal with ruined credit scores and possibly stolen funds. Identity Theft Protection services seem to be a good idea, until you realize that you can do the monitoring yourself for free.

ITP services monitor credit reports, social media accounts, the Dark Web, and personal financial accounts. Some of these services such as credit reports and your financial accounts will alert you when there is suspicious activity. You can do the following for free:

“You can access your credit reports for free once a year. And you should! It’s a fast and pretty straightforward operation, and at a glance you can see if someone has opened a credit card or taken out a loan in your name. In fact, the number one best way to stop folks from stealing your identity is to freeze your credit, which prevents anyone—even if they have your personal information—from getting a new credit card or loan. While this doesn’t protect you from every single kind of fraud out there, it removes the most common vectors that identity thieves use.”

The US government also maintains a Web site to assist identity theft victims. It is wise to remember that ITP services are different from identity theft insurance. The latter is the same as regular insurance, except it is meant to help when your information is stolen.

Practice good identity hygiene by monitoring your accounts and not posting too much personal information online.

Why is identity theft like a chicken wing left on a picnic table? Careless human or indifferent maintenance worker?

Whitney Grace, December 30, 2022

Who Can See Your Kiddies?

December 20, 2022

In an alarmingly hilarious situation, iCloud users are seeing photos of strangers on their devices. What sounds like a hacker’s gaff, actually proves to be a security risk. XDA Developers investigates what is going on with iCloud in, “iCloud For Windows Users Are Reportedly Seeing Random Family Photos From Strangers.”

People buy Apple products for its better security and privacy settings than PC devices. While Apple has an iCloud app for PC users, the app is not working as well as its fellow Apple products:

“Based on the reports, the corrupted files seemingly revolve around videos shot on iPhone 13 Pro and iPhone 14 Pro models. The footage in some cases is showing a black screen with scan lines. Though, what’s more worrisome is the random content that is showing up for some users. While it’s not confirmed yet, these photos of families, children, and other private moments could potentially belong to other people’s iCloud libraries. If this is the case, then Apple could get in some serious trouble. Unfortunately, deleting the iCloud for Windows app seemingly doesn’t solve this, as the issues are being reflected on the server.”

No one is certain what is causing the bug, but Apple needs to get on the problem. Apple will probably blame the issue on PCs being inept devices and the compatibility between Macs and PCs could be the reason. Apple is not infallible and here is a lesson in humility.

Whitney Grace, December 20, 2022

Google to Microsoft: We Are Trying to Be Helpful

December 16, 2022

Ah, those fun loving alleged monopolies are in the news again. Microsoft — famous in some circles for its interesting approach to security issues — allegedly has an Internet Explorer security problem. Wait! I thought the whole wide world was using Microsoft Edge, the new and improved solution to Web access.

According to “CVE-2022-41128: Type Confusion in Internet Explorer’s JScript9 Engine,” Internet Explorer after decades of continuous improvement and its replacement has a security vulnerability. Are you still using Internet Explorer? The answer may be, “Sure you are.”

With Internet Explorer following Bob down the trail of Microsoft’s most impressive software, the Redmond crowd the Microsoft Office application uses bits and pieces of Internet Explorer. Thrilling, right?

Google explains the Microsoft issue this way:

The JIT compiler generates code that will perform a type check on the variable q at the entry of the boom function. The JIT compiler wrongly assumes the type will not change throughout the rest of the function. This assumption is broken when q is changed from d (an Int32Array) to e (an Object). When executing q[0] = 0x42424242, the compiled code still thinks it is dealing with the previous Int32Array and uses the corresponding offsets. In reality, it is writing to wherever e.e points to in the case of a 32-bit process or e.d in the case of a 64-bit process. Based on the patch, the bug seems to lie within a flawed check in GlobOpt::OptArraySrc, one of the optimization phases. GlobOpt::OptArraySrc calls ShouldExpectConventionalArrayIndexValue and based on its return value will (in some cases wrongly) skip some code.

Got that.

The main idea is that Google is calling attention to the future great online game company’s approach to software engineering. In a word or two, “Poor to poorer.”

My view of the helpful announcement is that Microsoft Certified Professionals will have to explain this problem. Google’s sales team will happily point out this and other flaws in the Microsoft approach to enterprise software.

If you can’t trust a Web browser or remove flawed code from a widely used app, what’s the fix?

Ready for the answer: “Helpful cyber security revelations that make the online ad giant look like a friendly, fluffy Googzilla. Being helpful is the optimal way to conduct business.

Stephen E Arnold, December 16, 2022

Apple, the Privacy and Security Outfit, Has a New Spin for Pix

December 16, 2022

In an alarmingly hilarious situation, iCloud users are seeing photos of strangers on their devices. What sounds like a hacker’s gaff, actually proves to be a security risk. XDA Developers investigates what is going on with iCloud in, “iCloud For Windows Users Are Reportedly Seeing Random Family Photos From Strangers.”

People buy Apple products for its better security and privacy settings than PC devices. While Apple has an iCloud app for PC users, the app is not working as well as its fellow Apple products:

“Based on the reports, the corrupted files seemingly revolve around videos shot on iPhone 13 Pro and iPhone 14 Pro models. The footage in some cases is showing a black screen with scan lines. Though, what’s more worrisome is the random content that is showing up for some users. While it’s not confirmed yet, these photos of families, children, and other private moments could potentially belong to other people’s iCloud libraries. If this is the case, then Apple could get in some serious trouble. Unfortunately, deleting the iCloud for Windows app seemingly doesn’t solve this, as the issues are being reflected on the server.”

No one is certain what is causing the bug, but Apple needs to get on the problem. Apple will probably blame the issue on PCs being inept devices and the compatibility between Macs and PCs could be the reason. Apple is not infallible and here is a lesson in humility.

Whitney Grace, December 16, 2022

Small Snowden Item: Not Rooting for US Soccer Team?

December 6, 2022

I think the answer to the question, “Is Edward Snowden rooting for the US soccer team?” is no. I read “Edward Snowden Swears Allegiance to Russia and Receives Passport, Lawyer Says”. [Note: In the spirit of capitalism, you will have to pay to view the original story.] The Bezos affiliated real news outfit said:

It’s unclear whether Snowden swore the oath of allegiance at the same time as he was granted a passport, but the two are common procedures when foreigners become Russian citizens. The text includes swearing “to protect the freedom and independence of the Russian Federation, to be loyal to Russia, to respect its culture, history and traditions,” and to promise to “perform the duties of a citizen of the Russian Federation for the good of the state and society.” Kucherena [The estimable Mr. Snowden’s legal eagle] added that Snowden’s wife, Lindsay Mills, was also undergoing the Russian citizenship application process and that the couple’s children would likely attend Russian schools, when ready.

Interesting. I assume information will surface about the forthcoming Russian film “Dinner with Vlad” starring the bold, brave bag man Mr. Snowden and the somewhat weighty Mr. Segal. The plot is, as I understand it, Vlad asks his guests about Russia’s most appealing aspect. Mr. Snowden says, “It’s the great Internet connections”, and Mr. Seagal says, “It the food.” The three stars drink Russian vodka and engage in an arm wrestling competition. Vlad wins and the three drooks head to a cover band featuring Pussy Riot tunes. Mr. Snowden and Mr. Seagal give inspired lectures during the band’s break. Males in the audience are enlisted. Females? Well, fade to black.

Stephen E Arnold, December 6, 2022

Microsoft and Security: Customers! Do Better

November 7, 2022

I have a hunch that cyber security is like Google in the early 2000s. Magic, distractions, and blather helped disguise the firm’s systems and methods for generating revenue. Now (November 4, 2022) the cyber security sector may be taking a page or two from the early Google game plan. Who can blame the cyber security vendors, all 3000 to 7000 of them in the US alone. The variance is a result of the methodology of the business analysts answering the question, “How many companies are chasing commercial, non profit, and government prospects. Either number makes it clear that cyber security is a very big business.

Now stick with me: What operating system and office software is used by about two thirds of the organizations in the United States. The answer, if I can believe the data from my research team, is close enough for horse shoes. Personally, I would peg the penetration of Microsoft software at closer to 90 percent, but let’s go with the 67 percent, plus or minus five percent. That means that cyber security vendors have to provide security for companies already obtaining allegedly secure software and services from Microsoft.

With cyber crime, breaches, zero days, etc, etc going up with dizzying speed, what’s the message I carry away? The answer is, “Cyber security is not working.”

I read “Microsoft Warns Businesses to Up Their Security Game against These Top Threats.” The article then identifies security as a problem. The solution, if I understand the article, is:

Microsoft suggests throughout the MDDR that organizations implement a number of its products into its tech stack to protect against and deal with threats, such as its Security Service Line for support throughout a ransomware attack, and Microsoft Defender for Endpoint for cloud-based protection.

If you are not familiar with MDDR the acronym stands for the Microsoft Digital Defense Report. Presumably Microsoft’s crack security experts and the best available cyber consultants crafted the methods summarized in the article.

The irony is that Microsoft’s own products and services create a large attack surface. Microsoft’s own security tools seem to have chinks, cracks, and gaps which assorted bad actors can exploit.

Net net: Perhaps Microsoft should do security better. Aren’t customers buying solutions which work and do in a way that protects business information and processes? Perhaps less writing about security and more doing security could be helpful?

Stephen E Arnold, November 7, 2022

Computer Security Procedures: Carelessness, Indifference, Poor Management or a Trifecta?

September 27, 2022

$35M Fine for Morgan Stanley after Unencrypted, Unwiped Hard Drives Are Auctioned”  raises an interesting question about security in an important company. The write up asserts:

The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.

Morgan Stanley. Outstanding. If the story is accurate, the auctioning of the drives fits with the parsimonious nature of banks in my experience. Banks like to accept money; banks do not like to output money. Therefore, selling old stuff is a matter of removing the detritus, notifying the person charged with moving surplus to a vendor, and cashing the check for the end of life, zero life clutter. Standard operating procedure? Probably. Does senior management know about hardware security for old gear? My hunch is that most senior managers know about [a] cross selling, [b] sparking deals, [c] getting on a talking head financial news show, and [d] getting the biggest bonus possible. Security is well down my hypothetical list.

Net net: Security is easy to talk about. Security requires management know how and attention to business processes, not just deals and bonus payments.

Stephen E Arnold, September 27, 2022

Google and Security: The Google Play Protect Situation

September 1, 2022

Unfortunately for Android users, Google’s default app-security program is not the safest bet. A write-up at News Patrolling explores “Why Google Play Protect Fails to Identify Malicious Apps.” A few points are obvious—Google cannot help users who turn the feature off, for example, or those who install software from other sources. The company also lacks Apple’s advantage of controlling both hardware and software. That does not explain, however, why third-party tools from AhnLab to Trend Micro outperform Play Protect. Reporter Satya Prakash observes:

  • New kid on the block – As compared to other security software platforms that have been in existence for decades, Google Play Protect was launched in 2017. While it’s true that Google can hire the best security experts, it may still take some time for Google Play Protect to achieve the same level of security as offered by private software platforms. …
  • Too many apps and devices – There are around 3 million apps on Google Play and several thousands are added almost every day. Combine that with thousands of different types of smartphones, having different Android versions. Apparently, it’s a massive task to be able to fix security vulnerabilities that may be present in each of these cases.
  • Reliance on automated systems – Due to huge number of apps and devices, Google relies on automated systems to detect harmful behavior. Private security firms use the same approach, but apparently, they are doing a much better job. Hackers are constantly looking for new security vulnerabilities that can be exploited. This makes the job tougher for Google Play Protect.”

Happily, there are many stronger alternatives as tested by AV-Test. Their list is worth a look-see for Android users who care about security. A comparison to last year’s results shows Play Protect has actually improved a bit. Perhaps someday it will perform as well in its own app store as its third-party competition.

Cynthia Murrell, September 1, 2022

How about a Decade of Vulnerability? Great for Bad Actors

August 10, 2022

IT departments may be tired of dealing with vulnerabilities associated with Log4j, revealed late last year, but it looks like the problem will not die down any time soon. The Register reveals, “Homeland Security Warns: Expect Log4j Risks for ‘a Decade or Longer’.” Because the open-source tool is so popular, it can be difficult to track down and secure all instances of its use within an organization. Reporter Jessica Lyons Hardcastle tell us:

“Organizations can expect risks associated with Log4j vulnerabilities for ‘a decade or longer,’ according to the US Department of Homeland Security. The DHS’ Cyber Safety Review Board‘s inaugural report [PDF] dives into the now-notorious vulnerabilities discovered late last year in the Java world’s open-source logging library. The bugs proved to be a boon for cybercriminals as Log4j is so widely used, including in cloud services and enterprise applications. And because of this, miscreants soon began exploiting the flaws for all kinds of illicit activities including installing coin miners, stealing credentials and data, and deploying ransomware.”

Fortunately, no significant attacks on critical infrastructure systems have been found. Yet. The write-up continues:

“‘ICS operators rarely know what software is running on their XIoT devices, let alone know if there are instances of Log4j that can be exploited,’ Thomas Pace, a former Department of Energy cybersecurity lead and current CEO of NetRise, told The Register. NetRise bills itself as an ‘extended IoT’ (xIoT) security firm. ‘Just because these attacks have not been detected does not mean that they haven’t happened,’ Pace continued. ‘We know for a fact that threat actors are exploiting known vulnerabilities across industries. Critical infrastructure is no different.'”

Security teams have already put in long hours addressing the Log4j vulnerabilities, often forced to neglect other concerns. We are told one unspecified US cabinet department has spent some 33,000 hours guarding its own networks, and the DHS board sees no end in sight. The report classifies Log4j as an “endemic vulnerability” that could persist for 10 years or more. That is a long time for one cyber misstep to potentially trip up so many organizations. See the article for suggestions on securing systems that use Log4j and other open-source software.

Cynthia Murrell, August 10, 2022

What Microsoft Wants: Identity System and Data for Good Purposes Of Course

June 28, 2022

Microsoft wants its new Verified ID program to move beyond social media platforms. According to Error! Hyperlink reference not valid. in the article, “Microsoft Wants Everything To Come With Its Verified Check Mark,” Microsoft wants Verified ID to validate more personal information and it is starting with verifying credentials.

Verified ID would allow people to get digital credentials that prove where they graduated, their jobs, where they bank, and if they are in good health. Microsoft says Verified ID would be good for people who need to quickly share their personal information, such as job applications. Verified ID uses blockchain-based decentralized identity standards. Microsoft plans to release its Entry Verified ID, its official name, in August. The name for Microsoft’s identity product line is Entra.

Ankur Patel is a Microsoft principal program manager for digital identity and he believes Entry Verified ID will be mainstream in three years:

“In the first year, it’s likely that Verified ID will be used by organizations in tandem with existing verification methods, both digital and analog, with a portion of their users, according to Patel. Wider adoption will depend, in part, on making sure that the service itself hasn’t “done harm,” he acknowledged.

One potential risk is that individuals might inadvertently share sensitive information with the wrong parties using the system, Patel said. ‘In the physical world, when you’re presenting these kinds of things, you’re careful — you don’t just give your birth certificate to anybody,’ he said. Microsoft is aiming to limit the issues in its own digital wallets with features meant to protect against this type of accidental exposure, Patel said.”

Microsoft wants to verify everyone’s information, but what about guaranteeing that its own products are real?

Whitney Grace, June 28, 2022

Next Page »

  • Archives

  • Recent Posts

  • Meta