Watching Hoops: Watching Microsoft Defensive Scramble
March 24, 2021
Air ball. I read “Microsoft Defender Will Automatically Prevent Exchange Server Exploits.” Technical foul! The write up contains this statement:
The tech giant warns, however, that this is just an interim mitigation meant to protect customers while they’re in the midst of implementing the comprehensive security update for Exchange it released earlier this month.
Over and back!
The Redmond Wizards have great cheerleaders, but the opponents own the auditorium. The clock is ticking.
The Wizards’ coach is yelling at the officials. Oh, another technical foul.
Quick. Print out the play.
Wait, Microsoft Windows 10 updates broke the printer.
Whistle. Another technical foul.
Stephen E Arnold, March 24, 2021
Microsoft Security: An Ominous Signification
March 22, 2021
IT News published “White House Taskforce Meets over Microsoft Software Weaknesses.” The “real news” story included a statement which I placed in the predictive bucket. Here’s the prose which caught my attention:
The security holes in the widely used mail and calendaring software leave the door open to industrial-scale cyber espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers or to move elsewhere in the network.
Microsoft is pretty good at issuing magic fixes; for example, “Microsoft Releases One-Click Patch for Exchange Vulnerability” reveals:
Microsoft has released a one-click patch, the Microsoft Exchange On-Premises Mitigation tool, to help customers apply new security updates in the face of the Exchange Server cyber attack.
This IT Pro article points out:
ESET research found that Microsoft Exchange servers had been targeted by “at least ten hacker groups” and that they had managed to install backdoors on more than 5,000 servers in over 115 countries.
In this context the phrase “industrial scale cyber espionage” is doubly chilling.
Now about that JEDI contract for the US Department of Defense?
Stephen E Arnold, March 22, 2021
Business Process Management Is The New Buzzword
March 21, 2021
How does one “fix” the SolarWinds’ misstep? BPM. GovWizely will present a webinar addressing remediation of SolarWinds’ issues on March 25, 2021. You can sign up at this url: https://www.govwizely.com/contact/. The program is free and pre-registration is required.
If you have never heard of business process management (BPM), it is the practice of discovering and controlling an organization’s processes so they align with business goals as the company evolves. BPM software is the next phase of business intelligence software for enterprises. CIO explains what to expect from BPM software in the article “What Is Business Process Management? The Key To Enterprise Agility.”
BPM software maps definitions to existing processes, defines the steps to carry out tasks, and offers tips for streamlining and improving practices. Organizations are constantly shifting to meet their goals, and BPM software is advertised as the best way to refine and control changing environments. All good BPM software should deliver the following: alignment of the firm’s resources, increased discipline in daily operations, and clarity on strategic direction. While most organizations want flexibility, they lack it:
“A company can only be as flexible, efficient, and agile as the interaction of its business processes allow. Here’s the problem: Many companies develop business processes in isolation from other processes they interact with, or worse, they don’t “develop” business processes at all. In many cases, processes simply come into existence as “the way things have always been done,” or because software systems dictate them. As a result, many companies are hampered by their processes, and will continue to be so until those processes are optimized.”
When selecting BPM software, look for integrations, analytics, collaboration, form generation, a business rules engine, and workflow management.
BPM sounds like the next phase of big data, where hidden insights are uncovered in unstructured data. BPM takes these insights, then merges them with an organization’s goals. Business intelligence improves business processes, big data discovers insights, and BPM organizes all of it.
Whitney Grace, March 21, 2021
Was Super Yacht Go a Digital Victim?
March 16, 2021
Modern yachts are connected to the Internet. I know very little about the specialized systems used to monitor these vessels. One interesting idea was articulated by eSysman Super Yachts in his YouTube video for March 12, 2021. You can view the program at this link. The point which snagged my attention was the observation that the boat’s controls behaved in an unusual manner. Furthermore, according to statements reported by media, the captain was unable to implement a manual override. When the helm’s instructions were not processed, no alarms sounded. Consequently the captain had to decide whether to crash into a bridge or into a pier. The captain chose the pier. No one was injured and the boat can be repaired.
The key question: Have cyber criminals compromised super yachts’ computerized control systems?
No answers yet. But in the “wake” of SolarWinds and Exchange missteps, the possibility must be considered. Odysseus thought he had problems, but he was dealing with more tractable gods, not digital monsters.
Stephen E Arnold, March 16, 2021
Cybersecurity Giant Vendor Fail Is Official: No Easy Fix
March 15, 2021
The marketing claims were hot air, it seems. The New York Times reports “White House Weighs New Cybersecurity Approach after Failure to Detect Hacks.” Let me be clear. Organizations spending money for advanced, artificially intelligent, and proactive methods for dealing with cyber attacks face some difficult circumstances. First, the cash is gone. Second, the fix is neither quick nor easy. Third, boards of directors and those with oversight will ask difficult questions to which there are no reassuring answers; for example, “What information has been lost exactly?”
The answer: “No one knows.”
The NYT states:
… The hacks were detected long after they had begun not by any government agency but by private computer security firms.
Let’s be clear. The SolarWinds’ misstep was detected because a single human chased down an anomaly related to allowing access to a single mobile phone.
Several observations are warranted:
- Cybersecurity vendors have been peddling systems which don’t work
- Companies are licensing these systems and assuming that their data are protected. The assumption is flawed and reflects poorly on the managers making these decisions.
- The lack of information about the inherent flaws in the Microsoft software build and updating processes, the mechanisms for generating “on the fly” builds of open source enabled code, and the indifference of developers to verifying that library code is free from malicious manipulation underscores systemic failures.
Remediating the issue will take more than BrightTALK security videos, more than conference presentations filled with buzzwords and glittering generalities, and more than irresponsible executives chasing big paydays.
The failure in technical education coupled with the disastrous erosion of responsible engineering practices has created “intrusions.”
Yes, intrusions and other impacts as well.
Stephen E Arnold, March 15, 2021
Insider Threat Info
March 15, 2021
Few people want to talk about trust within an organization. Even fewer bring up blackmail, outright dumbness, or selling secrets for cash. These topics do require discussion. Organizations are, at this moment, in a very tough spot.
Cyber security vendors will email white papers, give Zoom pitches, and accept money for licenses to software which managed to miss the antics of the SolarWinds’ bad actors for — what was it — six months, a year, maybe almost two years. Yeah.
Executives will turn cyber security over to a team, a new hire, a consultant or two (McKinsey & Co. has some specialists awaiting your call), and one or more information technology employees. Did I leave anyone out? Oh, right, senior management. Well, those men and women are above the fray because security….
The trade publications will comment, quote, explain, and create nifty diagrams. I use a couple of these in my cyber crime lectures. They add color, but not much information. Oh, well, arts and crafts are important.
The allegedly responsible parties dodge those digital balls flung by fast twitch bad actors.
Articles like “What Are Insider Threats in Cyber Security” are, therefore, helpful. In a few hundred words an outfit called News Patrolling offered some helpful information. For example, I found this passage on point:
the human factor is often the most difficult to control and predict when it comes to data security and protection.
The write up provides a run down of insider threat “types”; for example, the turncloak, the pawn, and the collusionist. Some are left out, like those I identified; for instance, the dumb ones. The catalog of insider attack types is acceptable, but other types are omitted; for example, people who sell data in an encrypted Telegram group or the person who throws away high value trash, unwittingly or as a new age brush drop.
Nevertheless, this is a useful write up to discuss with colleagues. Maybe the conversation should be held in a Starbucks in Silicon Valley. Loud talking is okay.
Stephen E Arnold, March 15, 2021
Microsoft Exchange After Action: Adulting or Covering Up?
March 12, 2021
I read “Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on GitHub.” The allegedly accurate “real” news report states:
On Wednesday, independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers that combined two of those vulnerabilities. Essentially, he published code that could be used to hack Microsoft customers, exploiting a bug used by Chinese government hackers—on an open-source platform owned by Microsoft.
What happened?
Microsoft took down the hacking tool. “GitHub took down it,” the researcher told Motherboard in an email. “They just send [sic] me an email.” On Thursday, a GitHub spokesperson confirmed to Motherboard that the company removed the code due to the potential damage it could cause.
Interesting.
Two questions crossed my mind:
- Is Microsoft showing more management responsibility with regard to the data posted on GitHub? Editorial control is often useful, particularly when the outputting mechanism provides a wealth of information and code. Some of these items can be used to create issues. Microsoft purchased GitHub and may now be forced to take a more adult view of the service.
- Is Microsoft covering up the flaws in its core processes? After reading Microsoft’s explanations of the SolarWinds’ misstep, the injection of marketing spin and intriguing rhetoric about responsibility open the door to a bit of Home Depoting; that is, paint, wood panel, and a bit of carpet make an ageing condo look better.
Both are worth watching: the breaches, which are concerning, and the GitHub service, which can cause some individuals’ brows to furrow.
Stephen E Arnold, March 12, 2021
Microsoft: Stunned by Its Own Insecure Petard?
March 12, 2021
I read “10 Key Microsoft Ignite Takeaways for CIOs.” Marketing fluff except for one wild and crazy statement. Here’s the passage I found amusing:
By midyear, enterprises will also be able to control in which datacenter Microsoft stores documents shared through Teams, group by group or even for individual users, making it more useful in some regulated industries or where there are concerns about the security of data. These controls will mirror those available for Exchange and SharePoint. There will also be an option to make end-to-end-encrypted one-to-one voice or video calls, that CIOs can enable on a per-employee basis, and to limit meeting attendance only to invited participants. A future update could see the addition of end-to-end encrypted meetings, too. For companies that are centralizing their investment in such collaboration, McQuire said, “Security is arguably the number one selection criterion.”
Assume this number one selection criterion is on the money. What’s the Microsoft security posture with SolarWinds and the Exchange breaches?
That petard packs quite a wallop, and it is not from marketing hoohah. There’s nothing like a marketing oriented conference to blow smoke to obfuscate the incredible security issues Microsoft has created. But conferences and marketing talk are easier than remediating the security problems.
Stephen E Arnold, March 12, 2021
Quantum Computing: The Solution to SolarWinds and Microsoft Security Gaps
March 12, 2021
I am an optimist. I have been waking up with the idea that life is good and my work might make the world a slightly better place. However, I don’t put much trust in unicorns (nifty horses with a long pointy horn or the Silicon Valley type), fairies, or magical mermaids. When new technology comes along, I view the explanations of the technology’s wonders with skepticism. Mobile phones are interesting, but the phone has been around for a while. Shrinking chips make it possible to convert the “phone” into a general purpose thumbtyping machine. Nifty, but still a phone on steroids.
I thought about the human tendency to grasp for silver bullets. This characteristic runs through Jacques Ellul’s book The Technology Bluff. Its decades-old explanations and analyses are either unknown or ignored by many informed individuals. My hunch is that the Murdoch-owned Wall Street Journal assumes that its writers are responsible for understanding certain topics.
I read “Effective Cybersecurity Needs Quantum Computing.” Perhaps I should send a copy of Dr. Ellul’s book? But why? It’s not like the hippy dippy books included in the Murdoch book reviews. Dr. Ellul likes interesting words; for example, Mancipium. Does Mr. Murdoch’s oldest son know the meaning of the word? He should; he lives in a mancipium-infused environment.
The essay asserts that a new and essentially unworkable technology will deal with the current cybersecurity challenges. How many years will be required to convert baby step lab experiments into a scalable solution to the business methods employed at outfits like SolarWinds and Microsoft? One, maybe five, or a more realistic 25 years?
The problems caused by flawed, short cut riddled, and uninformed approaches to coding, building, deploying, and updating enterprise software are here-and-now puzzles. For a point of reference, the White House sounded an alarm that a really big problem exists and poses threats today.
Sure, let’s kick back and wait for the purveyors of nifty technology to deliver solutions. IBM, Google, and other firms are beavering away on the unicornesque quantum computing. That’s fine, but to convert expensive, complex research and development projects into a solution for the vulnerability of that email you sent a few minutes ago is just off the wall. Sure, there may be a tooth fairy or a wizard with a magic wand, but that’s not going to be the fix quantum computing allegedly will deliver.
The WSJ essay states:
The extraordinary sensitivity of qubits reveals interference instantly and unfailingly. They would alert us when hackers read, copy or corrupt transmitted files.
Sure, if someone pays attention. I want to point out that exactly zero of the cybersecurity systems monitoring the SolarWinds’ misstep sounded an alarm. Hooking these systems into a quantum system will result in what? Another two to five years of development. Walking by today’s quantum computers and waving an iPhone close to a component can create some excitement. Why? Yep, sensitivity. But why worry about trivial details?
The Murdocher does admit that quantum computers are years away, so there is zero value in kicking today’s security disasters down the road like a discarded can of Pabst Blue Ribbon beer. Funding is fine. Conflating the current radiation poisoning of digital systems with quantum computing is like waiting for an Uber or Lyft driver to come by in a chariot pulled by a unicorn.
Stephen E Arnold, March 12, 2021
Apple: Yep, the Secure System
March 12, 2021
One of the best things about Apple products is their resistance to viruses and malware. However, when a bad actor sinks their coding fangs into the Mac OS and figures out how to corrupt the software, cyber security professionals pay attention. Ars Technica reports that, “New Malware Found On 30,000 Macs Has Security Pros Stumped.”
The downloaded malware has yet to do anything nefarious other than ping a control server to check for new commands. Security experts believe that there could be an ultimate end action, but it has not happened yet. The malware also has a self-destruct capability, an action usually reserved for stealth software. It also runs on the new M1 chip and uses the macOS Installer JavaScript API for commands. Red Canary researchers call the new malware “Silver Sparrow.”
Developers are skeptical about Silver Sparrow’s end purpose, but are impressed that it broke through Apple’s legendary defenses:
“An Apple spokesperson provided a comment on the condition they not be named and the comment not be quoted. The statement said that after finding the malware, Apple revoked the developer certificates. Apple also noted there’s no evidence of a malicious payload being delivered. Last, the company said it provides a variety of hardware and software protections and software updates and that the Mac App Store is the safest venue to obtain macOS software.
Among the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, with the latter group finding Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That’s a significant achievement.”
Apple thankfully caught the malware before any damage was done, but it proves that Macs are not invincible and that dedicated hackers can penetrate the OS. Will Apple start peddling virus protection software and add an exorbitant price tag?
Whitney Grace, March 12, 2021