Ransomware: A Great Lakes of Sitting Ducks

April 29, 2021

I read “No Ransomware Silver Bullet, Crooks Out of Reach.” The explicit point in the write up is that ransomware is a big deal and there’s no fix in sight. The implicit point is that existing cyber security systems don’t work. In the sunshine of SolarWinds, I assumed there was cyber security progress. Yeah, sorry.

The write up states:

The U.S. government now deems ransomware a national security threat. The FBI has just created a task force to tackle it.

The bad actors are slick operators; for example:

Some top ransomware criminals fancy themselves software service professionals. They take pride in their “customer service,” providing “help desks” that assist paying victims in file decryption. And they tend to keep their word. They have brands to protect, after all.

What’s the fix?

Committee meetings, recommendations, legislative action – these are good ideas.

In short, there is a veritable Great Lakes filled with sitting ducks. Have you tried to herd ducks? I have. Tough work. Marketing, reports, and hearings are much easier. Quack, quack, quack.

Stephen E Arnold, April 29, 2021

Facebook: Everlasting Delight!

April 29, 2021

We are still aghast at the carelessness that allowed hackers to access user information for about a billion accounts between Facebook and LinkedIn. The Facebook breach, at least, has spawned a couple of interesting side stories. First we learned that CEO Mark Zuckerberg uses chat app Signal, a competitor to Facebook’s WhatsApp. We also found out the Facebook breach has forced “Have I Been Pwned” to rework its search functionality, at least for this particular data set.

The folks at Signal must be delighted. India Today reports that the “Leaked Phone Number of Mark Zuckerberg Reveals He Is on Signal.” While both Signal and WhatsApp boast end-to-end encryption, there have been issues with what Facebook does with the back-up files. From Facebook’s point of view, this tidbit about Zuckerberg comes at an unfortunate juncture. Writer Yasmin Ahmed points out:

“The news comes at a time when many users outraged with Facebook-owned WhatsApp’s new privacy policy are moving to seemingly safer alternatives like Signal. WhatsApp’s contentious new terms of service are slated to come into effect from May 2021. The updated privacy policy changes how Facebook can access users’ chats with business accounts.”

Oh dear. In another tangent, we are interested in this change prompted by the leak—“The Facebook Phone Numbers Are Now Searchable in Have I Been Pwned” (https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/), explains the security check site’s own Troy Hunt. It is good to see a site adapt its search to evolving circumstances. But why was the site not already searchable by phone number? Hunt explains:

“I’d never planned to make phone numbers searchable and indeed this User Voice idea sat there for over 5 and a half years without action. My position on this was that it didn’t make sense for a bunch of reasons:

1. Phone numbers appear far less frequently than email addresses
2. They’re much harder to parse out of most data sets (i.e. I can’t just regex them out like email addresses)
3. They very often don’t adhere to a consistent format across breaches and countries of origin

Plus, when the whole modus operandi of HIBP is to literally answer that question – Have I Been Pwned? – so long as there are email addresses that can be searched, phone numbers don’t add a whole lot of additional value. The Facebook data changed all that.”

Indeed. While more than 500 million phone numbers were stolen, only a few million addresses went along for the ride. Until Hunt changed the search, he writes, over 99% of the many people checking on his site received a false negative. He was able to easily parse most phone numbers from well-formatted files in the breached data and normalize their format with a country code. The caveat—this fix only applies to this breach, unless or until a similar batch of phone numbers is harvested. See the post for the technical reasons that making phone-number searches standard is unworkable for the free resource.
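A sketch of the normalization step Hunt describes, as an added example that is not his or HIBP’s code: it collapses the inconsistent formats (trunk zeros, “00” dialling prefixes, bracketed “(0)”, punctuation) into one international form, assuming each dump file carries a known default country code, and then answers the have-I-been-pwned question against a constructed sample.

```python
"""Added example, not Troy Hunt's or HIBP's code: normalize phone numbers
into international digit form and look a query up in a breach index.
Assumption: numbers lacking a country prefix belong to the country the
dump file was labelled with (default_cc), as the leaked files were
organised per country."""
import hashlib
import re
from typing import Iterable, Optional, Set

# Constructed sample (not real subscribers): one UK number written five
# different ways, one US number, and a junk record that must be rejected.
SAMPLE_DUMP = [
    "+44 7700 900123",
    "07700 900123",
    "0044-7700-900123",
    "(0)7700900123",
    "+44 (0)7700 900123",
    "+1 (202) 555-0173",
    "not a phone",
]


def normalize(raw: str, default_cc: str = "44") -> Optional[str]:
    """Return digits as country code + national number, or None if the
    value cannot be read as a phone number."""
    s = re.sub(r"\(0\)", "", raw.strip())  # drop bracketed trunk prefix first
    plus = s.startswith("+")
    digits = re.sub(r"\D", "", s)
    if not digits:
        return None
    if plus:
        pass                              # already international
    elif digits.startswith("00"):         # international dialling prefix
        digits = digits[2:]
    elif digits.startswith("0"):          # national trunk prefix
        digits = default_cc + digits[1:]
    elif not digits.startswith(default_cc):
        # Bare national number. Caveat: a national number that happens to
        # begin with the same digits as default_cc is ambiguous and is
        # kept as-is; this is the kind of cross-country inconsistency
        # Hunt lists as reason 3.
        digits = default_cc + digits
    if not 8 <= len(digits) <= 15:        # E.164 allows at most 15 digits
        return None
    return digits


def build_index(dump: Iterable[str], default_cc: str = "44") -> Set[str]:
    """Index SHA-256 of each normalized number so variants collapse to one
    entry and the lookup set does not hold raw numbers (design choice here)."""
    return {hashlib.sha256(n.encode()).hexdigest()
            for n in (normalize(r, default_cc) for r in dump) if n}


def is_pwned(query: str, index: Set[str], default_cc: str = "44") -> bool:
    """Normalize the queried number the same way, then check membership."""
    n = normalize(query, default_cc)
    return n is not None and hashlib.sha256(n.encode()).hexdigest() in index
```

Without the normalization step, a user typing “07700 900123” would get the false negative Hunt describes even though the same number sits in the dump as “+44 7700 900123”.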

Cynthia Murrell, April 29, 2021

Cyber Security Quote to Note: Seeing Is Important

April 28, 2021

I read a Washington Post article with a somewhat misleading title. The main point of the write up is that the US Department of Defense began using a large block of IP addresses in January 2021. The reason for the shift from dormant holding to active use of the Internet addresses related to cyber security. That’s the explanation in the write up. In the news story there was an important statement attributed to an anonymous source (a very popular way to report “real” news). Here’s the quote:

If you can’t see it, you can’t defend it.

In my opinion this is accurate. The statement underscores what I have commented upon in this blog and in my bimonthly video program DarkCyber. The SolarWinds and more recent security missteps have been missed by the commercial and governmental systems designed to spot cyber attacks and malware.

Having more traffic to monitor is a good thing. The problem is what I call the 21st century horse and barn situation. Here it is again:

Barn burned. Horses gone. Globus (Russia) retail space constructed where the hay used to be stored.

Better late than never? Yeah, sure.

Stephen E Arnold, April 28, 2021

Huawei: Dutch Treat for 5G Security

April 27, 2021

A secret report from 2010 has surfaced in the Netherlands and has been reviewed by editors at news site de Volkskrant. The document reveals that “Huawei Was Able to Eavesdrop on Dutch Mobile Network KPN,” reports the NL Times. We learn that, in 2009, KPN used Huawei tech and that six employees of the Chinese tech giant worked at its head office. Warned by security firm AIVD that this was a dicey situation, KPN hired researchers at Capgemini to analyze any risks involved. We learn:

“The conclusions turned out to be so alarming that the internal report was kept secret. ‘The continued existence of KPN Mobile is in serious danger because permits may be revoked or the government and businesses may give up their confidence in KPN if it becomes known that the Chinese government can eavesdrop on KPN mobile numbers and shut down the network’, de Volkskrant quotes the report. At the time, KPN’s mobile network had 6.5 million subscribers.”

These subscribers included then Prime Minister Jan Peter Balkenende and other ministers as well as, importantly, Chinese dissidents. The write-up continues:

“The Capgemini report stated that Huawei staff, both from within KPN buildings and from China, could eavesdrop on unauthorized, uncontrolled, and unlimited KPN mobile numbers. The company gained unauthorized access to the heart of the mobile network from China. How often that happened is not clear because it was not recorded anywhere.”

Huawei assures everyone it never took advantage of this access and there is no evidence (yet) that it did so. The revelation explains why KPN has since maintained its own mobile core network and relied upon Western suppliers. Lesson learned.

Cynthia Murrell, April 27, 2021

Microsoft and LinkedIn: Ultimate Phishing Pool, er, Tool

April 26, 2021

Microsoft is buckling like an old building in Reykjavik. There was SolarWinds, then Microsoft Exchange Server, and then… The list goes on. Another issue has shaken the enterprise software company: LinkedIn phishing. (You thought I was going to comment about Windows Updates killing some gamers’ “experience”, didn’t you? Wrong.)

“Hackers Are Using LinkedIn As the Ultimate Phishing Tool” asserts:

According to MI5, the UK’s security agency, at least 10,000 citizens have been approached by state-sponsored threat actors using fake profiles on a popular social media platform. While MI5 did not specifically name the platform, the BBC claims to have learned that the platform in question is LinkedIn.

Interesting. MI5 is the UK’s domestic intelligence agency. The Box usually does not court publicity and tries to sidestep the type of information disseminated in some countries; for example, in the US, intelligence agencies proactively accessed computers and took steps to reduce the risk of malware issues. By the way, those servers were running Microsoft software. Microsoft owns LinkedIn too.

Hmmm.

The article points out:

According to MI5, the LinkedIn attacks are wider in scope and directed at staff in government departments and major businesses. Once connected, the scammers try to bait the individuals by offering speaking or business opportunities, before attempting to recruit them to pass on confidential information.

Just another crack in the Microsoft LinkedIn edifice or a signal that the company can no longer manage its software, protect its “customers”, or update a consumer PC without creating problems?

Stephen E Arnold, April 26, 2021

Microsoft, SolarWinds, 1000 Malevolent Engineers, and Too Big to Fail?

April 19, 2021

“SolarWinds Hacking Campaign Puts Microsoft in Hot Seat” is an interesting “real news” story. The write up states that the breach was a two stage operation. The first stage was using SolarWinds to distribute malware. The second stage was to use that malware as a chin up bar. Bad actors grabbed the bar and did 20 or more pull ups. The result was marketing talk and a mini-meme about 1,000 engineers concentrating their expertise on penetrating the Microsoft datasphere.

The article quoted a cyber security expert as describing Microsoft’s systems and methods as having “systematic weaknesses.” For a company whose software is a “monoculture” with an 85 percent market share, the phrase “systematic weaknesses” is not reassuring. Not only can Microsoft release updates which kill some users’ ability to print, Microsoft can release security systems which don’t secure the software.

The article includes this statement:

And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. It was alerted to its own breach by FireEye, the cybersecurity firm that first detected the hacking campaign in mid-December.

I noted that the write up does not point out that none of the cyber security firms’ breach detection solutions noted the SolarWinds’ misstep. That seems important to me, but obviously not to the “real” cyber security professionals.

The US government does not want Microsoft to fail. “NSA and FBI Move to Help Microsoft with Its Exchange Server Vulnerabilities” reports:

It is not just the NSA finding and telling Microsoft about problems with Exchange. The FBI is also concerned with the number of unpatched Exchange servers. In a rare move, the FBI sought and was granted a warrant to patch any unfixed exchange servers it found remotely.

If a Windows update creates a problem for you, perhaps a helpful professional affiliated with a government agency will assist in resolving your problem?

Stephen E Arnold, April 19, 2021

Microsoft Gets Some Help

April 14, 2021

I want to keep this item brief. Here’s the headline which caught my attention:

Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities

The DoJ statement says:

Throughout March, Microsoft and other industry partners released detection tools, patches and other information to assist victim entities in identifying and mitigating this cyber incident. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency released a Joint Advisory on Compromise of Microsoft Exchange Server on March 10. Despite these efforts, by the end of March, hundreds of web shells remained on certain United States-based computers running Microsoft Exchange Server software.

Here’s a partial fix as explained in the DoJ write up:

“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals. We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches.”

Interesting. To the reader of this blog who did not find my Microsoft Bob security T shirt amusing, I would say, “What about a Microsoft Bob security baseball cap?” The Microsoft softball team appears to need some professional players to be competitive in this season’s games.

Stephen E Arnold, April 14, 2021

Apple: Two Cores Inside One Juicy Delight

April 12, 2021

I am not sure whom to believe: Tim Apple, the spokesperson for security and privacy, or a “senior Apple engineer” named Eric Friedman. Mr. Friedman has insight into Apple’s actual app review process. The orange newspaper’s story “Apple Engineer Likened App Store Security to Butter Knife in a Gunfight” stated:

Apple’s process of reviewing new apps for the App Store to “more like the pretty lady who greets you . . . at the Hawaiian airport than the drug-sniffing dog”. He added that Apple was ill-equipped to “deflect sophisticated attackers”.

The real world approach is different from the super diligent method cultivated in the apple orchard.

The issue is important because some people like little old me have purchased super duper Apple app store apps. A go round with video recording apps produced mostly failure. Did I care? A little. Did Apple care? Ho ho ho.

But the game outfit Epic (maker of Fortnite) does care and apparently has the cash to take the nemesis of Facebook and Intel to court. I circled in apple red marker this statement in the write up:

Apple acknowledged various forms of malware on the App Store, but cited data from 2018 showing that the iPhone platform “accounted for just 0.85% of malware infections,” whereas Android accounted for 47.2 per cent of infections and Windows and PC accounted for 35.8 per cent.

That’s outstanding. Why are any malware centric apps in the Apple app store? Microsoft points to 1,000 engineers working tirelessly to keep the Azure crowd on its toes. Microsoft unfortunately is not able to make its product secure. Neither is Google. And, it seems, Apple drops the basket of Belle de Boskoops in the space ship’s Fraud Engineering Algorithms and Risk (Fear) office too.

I am not sure if these comments in the write up are Johnny Appleseed approved or faux Crimson Delights:

According to Epic, the chief of meditation app Headspace referred to “egregious theft” on the App Store, with copycat apps repeatedly springing up after allegedly stealing its intellectual property. “Shockingly, Apple [is] approving these apps, and when the users buy the apps they are left with nothing but some scammy chat rooms in the background,” he wrote to Apple, according to Epic.

Interesting. One big Apple with two different cores. Which is the real one? Worth watching.

Stephen E Arnold, April 12, 2021

PS. Here in Kentucky, the catchphrase is “don’t bring a knife to a gunfight.” But plastic butter knife? No. No. No. Pack the correct equipment shown in the table below:

  • Crocodile Dundee knife, possibly based on a Kentucky model used by Davy Crockett down yonder from Harrod’s Creek [image]
  • Plastic butter knife with silver Mylar wrap [image]
  • Kentucky weapon for a real gun fight [image]

Observation: Knives won’t work when one confronts a Fort Knox tank.

Microsoft: Bob Security Captures Headlines

April 9, 2021

Sleeper code. Yep, malware injected into thousands of servers could wake up and create some interesting challenges for the JEDI contractors with Microsoft T Shirts. Here’s my design suggestion for the security experts’ team:

[image: Microsoft Bob security T shirt design]

Do you remember the tag line for Bob, a stellar graphical interface for Microsoft Windows? No. Let me highlight one of the zippier marketing statements:

Hard working, easy going software everyone will use.

Who knew that the “everyone” would include bad actors? Plus there are two other security related items to entice cyber professionals.

First, “Windows 10 Hacked Again at Pwn2Own, Chrome, Zoom Also Fall” includes this statement:

The first to demo a successful Windows 10 exploit on Wednesday and earn $40,000 was Palo Alto Networks’ Tao Yan who used a Race Condition bug to escalate to SYSTEM privileges from a normal user on a fully patched Windows 10 machine. Windows 10 was hacked a second time using an undocumented integer overflow weakness to escalate permissions up to NT Authority\SYSTEM by a researcher known as z3r09. This also brought them $40,000 after escalating privileges from a regular (non-privileged) user. Microsoft’s OS was hacked a third time during day one of Pwn2Own by Team Viettel, who escalated a regular user’s privileges to SYSTEM using another previously unknown integer overflow bug.

The statements suggest that either the OS is deliberately flawed in order to allow certain parties unfettered access to user computers or that Microsoft is focusing on moving Paint to the outstanding Microsoft online store.

Second, I spotted “Hackers Scraped Data from 500 Million LinkedIn Users about Two Thirds of the Platform’s Userbase and Posted It for Sale Online.” (Editor’s note: Data is plural, but let’s not get distracted, shall we?) The article reports:

The data includes account IDs, full names, email addresses, phone numbers, workplace information, genders, and links to other social media accounts.

Useful to some I assume.

Net net: I wonder if a Bob baseball cap is available in the Microsoft store?

[image: Microsoft Bob baseball cap]

I would wear one with pride during my upcoming National Cyber Crime Conference lecture.

Stephen E Arnold, April 9, 2021

Facebook Security: Fodder for Testimony?

April 9, 2021

Who knows if this is true? “533 Million Facebook Users’ Phone Numbers Leaked on Hacker Forum.” The write up states:

The mobile phone numbers and other personal information for approximately 533 million Facebook users worldwide has been leaked on a popular hacker forum for free. The stolen data first surfaced on a hacking community in June 2020 when a member began selling the Facebook data to other members.

If true, the revelation is a nice complement to a series of outstanding achievements by the centralized, big tech, really smart managers at super important companies. Examples include:

  • Twitter’s senior manager spoofing elected officials
  • Microsoft’s Exchange Server misstep when Windows Defender was on the job sort of
  • Amazon’s brilliant Twitter campaign about workers’ inexplicable need to take breaks
  • Google’s staunch defense of employees who grouse with assurances of continued employment.

Now Mr. Zuckerberg’s digital nation and its outstanding security.

How did this happen? The write up asserts:

According to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, it is believed that threat actors exploited in 2019 a now-patched vulnerability in Facebook’s “Add Friend” feature that allowed them to gain access to member’s phone numbers.

I envision Mr. Zuckerberg answering this question under oath in an upcoming Congressional hearing:

Senator X: Mr. Zuckerberg, what the heck happened? I have a teenage granddaughter. Are you protecting her?

Mr. Zuckerberg: Senator, thank you for that question. At Facebook, we take every possible precaution to guard our users’ identity. I will look into this matter and provide a report written by an Amazon PR person whom we just hired, and assign the former head of Microsoft security, also a new hire, to investigate this matter. Early reports suggest that the 1,000 criminals attacking Microsoft were supplemented with an additional 2,000 bad actors to breach our highly secure system.

Plus, the loss of data affected a mere 533 million users. Trivial. It is old news too.

Stephen E Arnold, April 9, 2021
