Google and Identity Management

April 17, 2019

Google kills products. More than 100 since I did my last count. With that fact in mind, I read a second time “Google, Hyperledger Launch Online Identity Management Tools.” At first glance, the idea of a slightly different approach to identity management seems like a good but obvious idea. (Does Amazon have thoughts about identity management too?)

The write up explains:

Google unveiled five upgrades to its BeyondCorp cloud enterprise security service that enables identity and access management for employees, corporate partners, and customers.

Google wants to be the go to cloud provider of identity management services. Among the capabilities revealed, Google’s Android 7 and higher can be used as a two factor authentication dongle.

However, in the back of my mind is the memory of failed products and Google engineers losing interest in certain projects. No promotion, no internal buzz, then no engineers. The Google Search Appliance, for example, was not a thriller.

The idea that Google can and does lose interest in projects may provide a marketing angle Amazon can exploit. If Amazon ignores this “short attention span” issue, perhaps other companies will be less reluctant to point out that talk and a strong start are not finishing the race.

Stephen E Arnold, April 17, 2019

Microsoft: More Security Excitement

April 15, 2019

I read “Microsoft Informs Hackers Had Accessed Some Outlook Account Emails for Months.” The write up reports:

Microsoft has revealed that a hacker had access to the email addresses, folder names, and subject lines of emails, but not the content of emails or attachments of the Outlook users for three months.

That’s 90 days. Windows Defender was, I assume, on the job. The good news is that the bad actor was not able to read emails. The hacker wasn’t able “to steal login details of other personal information.” That’s good news too. Plus, Microsoft has “disabled the credentials used in the hack.”

Whoa, Nellie.

Windows Defender and presumably one or more of the companies offering super smart, super capable security services were protecting the company. I am besieged each week with requests to read white papers, participate in webinars, and get demonstrations of one of the hundreds of cyber security systems available today. These range from outfits which have former NSA, FBI, and CIA specialists monitoring their clients’ systems to companies that offer systems based on tireless artificial intelligence, proactive, predictive technology. Humans get involved only when the super system sends an alert. The idea is that every possible approach to security is available.

Microsoft can probably afford several systems and can use its own crack programmers to keep the company safe. Well, one caveat is that the programmers working on Windows 10 updates are probably not likely to be given responsibility for mission critical Microsoft security. Windows 10 updates are often of questionable quality.

A handful of questions occur to me:

  1. Perhaps Microsoft’s security expertise is not particularly good. Maybe on a par with the Windows 10 October 2018 update?
  2. Maybe Windows Defender cannot defend?
  3. Perhaps the over hyped, super capable cyber security systems do not work either?

Net net: With many well funded companies offering cyber security and big outfits entrusted by their customers with their data, are the emperors going to their yoga classes naked? Ugh. Horrible thought, but it may be accurate. At least put on some stretchy pants, please.

Stephen E Arnold, April 15, 2019

Forbes Raises Questions about Facebook Encryption

March 25, 2019

I am never sure if a story in Forbes (the capitalist tool) is real journalism or marketing. I was interested in a write up called “Could Facebook Start Mining Decrypted WhatsApp Messages For Ads And Counter-Terrorism?” The main point is that Facebook encryption could permit Facebook to read customers’ messages. The purpose of such access would be to sell ads and provide information to “governments or harvesters.” The write up states:

The problem is that end-to-end encryption only protects a message during transit. The sender’s device typically retains an unencrypted copy of the message, while the recipient’s device necessarily must decrypt the message to display to the user. If either of those two devices have been compromised by spyware, the messages between them can be observed in real-time regardless of how strong the underlying encryption is.

No problem with this description. Intentionally or unintentionally, the statement makes clear why compromising user devices is an important tool in some governments’ investigative and intelligence toolbox. Why decrypt if the bad actor’s mobile device or computer just emails the information to a third party?

I noted this statement as well:

The messaging app itself has access to the clear text message on both the sender and recipient’s devices.

If I understand the assertion, Facebook can read the messages sent by its encrypted service.

The write up asserts:

As its encrypted applications are increasingly used by terrorists and criminals and to share hate speech and horrific content, the company will come under further pressure to peel back the protections of encryption.

Even if Facebook wants to leave encrypted information in unencrypted form, outside pressures may force Facebook to just decrypt and process the information.

The conclusion of the write up is interesting:

Putting this all together, it is a near certainty that Facebook did not propose its grand vision of platform-wide end-to-end encryption without a clear plan in place to ensure it would be able to continue to monetize its users just as effectively as in its pre-encryption era. The most likely scenario is a combination of behavioral affinity inference through unencrypted metadata and on-device content mining. In the end, as end-to-end encryption meets the ad-supported commercial reality of Facebook, it is likely that we will see a dawn of a new era of on-device encrypted message mining in which Facebook is able to mine us more than ever under the guise of keeping us safe.

Speculation? Part of the capitalist toolkit it seems. Is there a solution? The write up just invokes Orwell. Fear, uncertainty, doubt. Whatever sells. But news?

Stephen E Arnold, March 25, 2019

Juicy Target: Big Cloudy Agglomerations of Virtual and Tangible Gizmos

March 9, 2019

Last week I had a call about the vulnerability of industrial facilities. The new approach is to push certain control, monitoring, and administrative systems to the cloud. The idea is that smart milling machines, welders, and similar expensive equipment can push their data to the “cloud.” The magic in the cloud then rolls up the data, giving the manufacturing outfit a big picture view of the individual machines in multiple locations. Need a human to make sure the industrial robots are working happily? Nope. Just look at a “dashboard.” If a deity were into running a chemical plant or making automobiles, the approach is common sense.

I read “Citrix Hacked and Didn’t Know Until FBI Alert.” The FBI is capable, but each week I receive email from companies which perform autonomous, proactive monitoring to identify, predict, and prevent breaches.

The write up points out

The firm attributed the attack to an Iranian group called “IRIDIUM” and says it made off with “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement.”

The article buries this statement deep in the report:

The breach disclosure comes just three days after Citrix updated its SD-WAN offering to help enterprises to administer user-centric policies and connect branch employees to applications in the cloud with greater security and reliability. The product is intended to simplify branch networking by converging WAN edge capabilities and defining security zones to apply different policies for different users.

What’s the implication?

Forget Go to My PC vulnerabilities. Old news. The bad actors may have the opportunity to derail certain industrial and manufacturing processes. What happens when a chemical plant gets the wrong instructions?

Remember the Port of Texas City mishap? A tragic failure. Accidental.

But Citrix style breaches combined with “we did not know” may presage intentional actions in the future.

Yep, cloudy with a chance of pain.

Stephen E Arnold, March 9, 2019

Simple Ways Intelligence is Fighting Cyber Crimes

March 8, 2019

Our world has never been more technologically advanced, that’s a fact. That also means that the digital threats have never been more dire, right? Yes and no, according to one source, who says that the technology might change but humans never do. We learned more from a recent CNBC story, “Google Infosec Head Heather Adkins: Ignore Scare Stories.”

According to the story:

“Adkins said sometimes the marketplace suffers from a “proliferation of cybersecurity professionals” offering conflicting advice on passwords, antivirus software, safety practices and so on…But the best rules for individuals looking to secure their personal information are the classics, Adkins said…Keep your software up to date, and don’t re-use the same password.”

This and many other examples show that good old fashioned foresight and detective work can still help fight cybercrime, even in this world of machine learning and nanotech. As Adkins says, let’s look forward in regards to security, but also not forget our past.

However, fear, uncertainty, and doubt sell—particularly to some executives uncomfortable with today’s business environment.

Patrick Roland, March 8, 2019

SIM Swapping: Trust Google?

March 2, 2019

Anyone holding crypto currency should be aware by now of SIM swapping, a hacking technique that involves tricking telecom companies into redirecting the victim’s phone number to the attacker’s device. Now, The Next Web tells us, “Google’s Head of Account Security Has Fix for Crypto currency SIM-Swapping.” Note that the fix involves a physical device, not just a download. Writer David Canellis explains:

“An overt reliance on SMS-based two-factor authentication (2FA) systems has only compounded the problem. While these are regarded as an upgrade to traditional verification methods like usernames and passwords, SMS-based 2FA presents cybercriminals with a clear attack vector. If hackers can take control of a phone number, it would be them who receive the special codes, allowing instant access to sensitive information.”

We also noted:

“Google is one of many tech giants to present a solution. It released its Titan Keys last August, a $50 set of hardware devices that cryptographically ties particular devices to accounts, effectively keeping anyone without a registered device at bay. Users connect the Key to a device, such as a laptop or a smartphone, and sign into the account they wish to protect. This can be done via USB, NFC, or Bluetooth. A button then is pressed on the Key which will cryptographically register the device to a user account. It’s not exactly necessary to carry around the Keys, but users will need to have at least one handy to sign in. Purchasers of Titan Keys can also enroll in Google’s Advanced Protection Platform, which provides a supplementary bundle of security measures.”

Canellis notes that crypto currency makes for a tempting target. While typical attacks net hackers a fraction of a cent per victim, a bad actor can make thousands of dollars from one successful attack. The Titan Keys work because they cut out the telecoms—there is no one for hackers to bamboozle. Navigate to the source article for more information on the device and how it works. Canellis observes what could be taken as a warning—today’s world of online banking and mobile apps makes for a less secure banking environment than we older folks grew up with.

Whom do we trust? Google? Another third party?

Cynthia Murrell, March 2, 2019

VPNs Possibly Aid Chinese Intelligence

February 18, 2019

China’s military and intelligence might has grown by leaps and bounds. By some estimates, it leads the world in many categories of defense. While there’s no conclusive evidence, the amount of information being harvested by Chinese online companies is staggering and could prove a connection, as we discovered in a recent Tech In Asia story, “Facebook’s Research App Isn’t The Only VPN To Mine User Data.”

According to the story:

“VPNs are supposed to help you protect your data. But the Facebook flap shows that there’s one party that has full access to everything you’re doing: the VPN provider itself. And it’s a concern with several Chinese-owned VPNs, which reportedly send data back to China.”

With enormous streams of data flowing back to China and the potential for it to be used by intel communities, it’s no shock that the Pentagon recently began revising its artificial intelligence strategy. This comes because China and Russia, specifically, are beginning to chip away at America’s technological edge. It’s exciting to see the US intelligence community take a greater stake on AI and its related strains. We hope this is the beginning of a boom in the industry.

Patrick Roland, February 18, 2019

Zerodium Boosts Payouts for Zero Day Exploits to US$2 Million

January 14, 2019

The Hacker News reported that Zerodium will pay up to $2 million for an iPhone zero day exploit. The idea is that the market for iPhone hacks is robust even if Apple is struggling to hit its internal sales targets. The write up states:

Zerodium—a startup by the infamous French-based company Vupen that buys and sells zero-day exploits to government agencies around the world—said it would now pay up to $2 million for remote iOS jailbreaks and $1 million for exploits that target secure messaging apps.

The big payout is for a remote hack which jailbreaks an iPhone. The idea is that an entity can access an iPhone remotely and perform actions on that iPhone without having direct physical access to the device. The approach is known as a “zero click” exploit; that is, no user interaction required.

The company is also offering a payout of $1 million for WhatsApp exploits.

The reason? Hacker News explains:

The hike in the price is in line with demand and the tougher security of the latest operating systems and messaging apps, as well as to attract more researchers, hackers and bug hunters to seek complex exploit chains.

DarkCyber anticipates more price increases as bad actors shift to encrypted messaging for certain types of communications and transactions.

Stephen E Arnold, January 14, 2019

Data Protection: Many Vendors, Many Incidents

January 4, 2019

This is one of our DarkCyber news items.

Search engines are getting smarter and better, especially since they began to incorporate social media in their indexing. It is harder than ever to protect personal information, and then there is the rising Dark Web fear. While there are services out there that say they can monitor the Dark Web and the vanilla Web to protect your information, there are things you can do to protect yourself. TechRadar shares some tips in the article, “AI And The Next Generation Of Search Engines.”

The article focuses on Xiliab’s Frank Cha, who works at South Korea’s largest AI developer. Xiliab recently developed the DataXchain data trading platform that is described as the search engine of the future. Cha explained why DataXchain is the search engine of the future:

“Dataxchain engine is the next generation of data trading engine which enables not only data processing such as automatic data collection, classification, tagging, and curation but also enables data transactions. These transactions are directly applied to human development without human intervention by pre-processing data matching and deep learning engine. These trials can be accessed to the implicit knowledge through the intervention of people that the traditional search engine already had.”

Cha stresses the biggest challenge with DataXchain is creating connections with clients. He said, “When this connection becomes a chain, we will be able to exchange value for private data of each individual or organization and it will bring innovation to sophisticated AI in dataXchain…”

It is also being used for national defense, which can be translated into protecting an individual’s data without changing the algorithm.

It is a basic interview without much meat about how to protect your data. Defensive forces can use the same algorithm as regular people, but that does not sound reassuring. How about speaking in layman’s terms?

With many competitors, why are there so many successful breaches?

Whitney Grace, January 4, 2019

About Those VPNs

December 26, 2018

News and chatter about VPNs are plentiful. We noted a flurry of stories about Chinese ownership of VPNs. We receive incredible deals for VPNs which are almost too good to be true. We noted this write up from AT&T (a former Baby Bell) and its Alienvault unit: “The Dangers of Free VPNs.”

The idea behind a VPN is hiding traffic from those able to gain access to that traffic. But there is a VPN provider in the mix. From that classic man in the middle position, the VPN may not be as secure as the user thinks.

The AT&T Alienvault viewpoint is slightly different: VPNs are the cat’s pajamas as long as the VPN is AT&T’s.

We learned from the write up:

Technically, VPN providers have the capacity to see everything you do while connected. If it really wanted to, a VPN company could see what videos you watched, read emails you send, or monitor your search history.

The write up points out without reference to lawful intercept orders, national security letters, and the ho hum everyday work in cheerful Ashburn, Virginia:

Thankfully, reputable providers don’t do this. A good provider shouldn’t take any logs of your activity, which means that although they could theoretically access your data, they discard it instead. These “no-log” companies don’t keep copies of your data, so even if they get subpoenaed by a government agency, they have no data that they can hand over. VPN providers may take different types of logs, so you need to be careful when reading the fine print of any potential provider. These logs can include your traffic, DNS requests, timestamps, bandwidth and IP address.

The write up includes a “How do I love thee” approach to the dangers of free VPNs.

Net net: Be scared. Just navigate to this link. AT&T provides VPN service with the goodness one expects.

By the way, note the reference to “logs.” Many gizmos in a data center offering VPN services maintain logs. Processing these auto generated files can yield quite useful information. Perhaps that’s why there are free and low cost services.

Zero logs strikes Beyond Search as something that is easy to say but undesirable and possibly difficult to achieve.

Are VPNs secure? Is Tor?

In January 2019, Beyond Search will cover more dark cyber related content. More news is forthcoming. Let’s face it enterprise search is a done deal. The Beyond Search goose is migrating to search related content plus adjacent issues like AT&T promoting its cheerful, unmonitored, we’re really great approach to online.

Stephen E Arnold, December 26, 2018
