Tag Archives: bleeping computers

Thinking towards the past

This is the first part, the second part is not related to this in any way, but I just got a second confirmation from Beijing and it matters towards this as well. You see, the first part is merely for (or on) Apple. The article (at https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/apple/apple-find-my-network-can-be-abused-to-steal-keylogged-passwords/amp/) comes from BleepingComputer and the text ‘Apple ‘Find My’ network can be abused to steal key-logged passwords’ seems to be worrying and it very well might be. We see graphics and we see the setting of the consumer (yet again) getting screwed over because BigTech wanted ALL the data they could get. This is not an accusation, this merely is what it is and Apple is not as innocent as many others.

Yet I thought back to around 1990. In the Netherlands someone came up with a solution named Aegon LAR and it was an awesome solution. The solution does not matter, but the approach to it does. You see, Apple had the longest of times to get a solution in place. The solution was to pair one device to a ‘master’ and THAT master alone. We could set it to daily, weekly, or even monthly. With the optional setting to send one more bleep when the power is down to 5%-15%. 

It would need to be paired by the owner at the beginning and we could pair through an app to PCs, to our mobiles (iOS or Android) and so on. So instead of getting “They integrated a key-logger with an ESP32 Bluetooth transmitter into a USB keyboard to show that it’s possible to relay passwords and other sensitive data typed on the keyboard through the Find My network via Bluetooth”, Apple had the option to create a service where EVERY Apple user had an option to relay a clear message to ONE receiver instead of someplace abusers could hijack anything you have. But I suspect that the powers that be at Apple wanted more data and now it could cost the consumer a lot more than they thought. The fact that ‘Find My Network’ could be abused is no small issue and I do expect that Apple has been on this from the start, but as I fear the need for data exceeded the need for safety as this article highlights and that is a problem and not just for Amazon, Apple, Google, IBM and Microsoft. The moment players like Huawei and Tencent Technologies SHOW the people that they are more reliable they will gain market share and a lot more and a lot faster than ever before. Don’t forget that the western consumer base was never given actual and explicit evidence of any Huawei transgressions. A mere settled case of 2011 was at the most given and that was not showing any interference by the Chinese government, merely an optional oversight by Huawei.

Getting back to the Apple issue, it needs to be said that I found more voices all quoting the same voice, so there isn’t a second independent voice. It lowers reliability. I am saying that upfront, one voice is not a given but a worrying setting none the less. The larger issue that is this (at www.Heise.de) is correct, the setting is a worrying one, especially if there was a 1990 solution that could have enabled more consumer safety. My setting comes from the front of my mind and it is not tested, but at least I am trying to relate a solution, not merely state that bit one and bit zero indicate that you are either 10 or 17 years old (a byte of a joke). 

Now we have a larger stage, the media at large did not touch this even as the news is more than 2 days old, so in light of all the new Apple products, was this not tested (optionally debunking Heise)? When a new device is $1,849, or perhaps even $8,699 would you not want the guarantee of consumer safety? I reckon it is much more important than seeing it in Space Black (in space no one can hear you frustrate) or Silver (when you merely have golden dreams). To know and to see that YOUR safety is adamant matters and I think that Big Tech is forgetting about that part of the equation, but that could be my view as I tend to get exposed to a lot more negativity than others and the media with its approach to deafness isn’t helping any, but that could be my view on the matter.

My weekend ends in 270 minutes, how about yours? Enjoy the day you have left.


Filed under IT, Media, Science

Blue laundry leaking

It happens, sometimes the colours get into the other colours and your white stuff is no longer white. I had my issues with myself, overlooking a red sock with my white shirts and behold, I was suddenly the owner of pink shirts. This is a problem as it is not fashionable pink, but a melee of pink shades in white shirts. The fashion looks a righteous mess. This is something we all dread, and in IT land it is not different, especially when the detergent is Microsoft.

It all started (at https://www.bleepingcomputer.com/news/security/stolen-microsoft-key-offered-widespread-access-to-microsoft-cloud-services/) with ‘Stolen Microsoft key offered widespread access to Microsoft cloud services’ where we are given “Redmond revealed on July 12th that the attackers had breached the Exchange Online and Azure Active Directory (AD) accounts of around two dozen organisations. This was achieved by exploiting a now-patched zero-day validation issue in the GetAccessTokenForResourceAPI, allowing them to forge signed access tokens and impersonate accounts within the targeted organisations.” I was at first cautious. There are intense haters of Microsoft and they do not throw around any kind of evidence, as such I wondered how far this went and behold, ITWire gives us (at https://itwire.com/security/danger-from-microsoft-azure-breach-still-remains,-warns-wiz-researcher.html) ‘Danger from Microsoft Azure breach still remains, warns Wiz researcher’ and here we are given “New York-based cloud security firm Wiz has warned companies and organisations affected by the recent Microsoft Azure breach that the impact of the intrusion may be much wider than reported, and could affect applications beyond those claimed by Microsoft to be impacted.” In addition we are given “Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions”, I see this as an issue. The larger scope is not merely the cloud. That thing has all kinds of security issues. 
No, the small ‘hidden’ text becomes “The breach came to light on 13 July, with the email account of US Commerce Secretary Gina Raimondo cited as one of the more prominent accounts to have been breached” it came to light as a ‘prominent’ account was breached. So how long was this mess there? There is a reason I do not trust Microsoft and as such I do not want them anywhere near the 50 million accounts that I see coming, or the ones that follow, which will be a massive amount of accounts. Even more I reckon as I concluded a new stage in Dubai. I saw the opportunity when I investigated the Dubai Mall, the Mall of the Emirates, the Dubai Marina Mall and the Battuta Mall. There were a few more, but the setting of malls this big all in one city was something I never considered and it gave me more ideas, more options and that made me consider the interactions of my Augmented Reality IP with two other IPs. Actually four, but that is a story for another day. What is absolutely clear is that I do not want Microsoft anywhere near it. Not with the mess they have, so either Amazon wakes up, or Tencent Technologies gets it all. I never discontinued my interest in Google, but they basically took themselves off the field. No idea where Apple is, but that is not my problem at present. You see, the larger stage is the security risk that Microsoft is and it is also seen with “The news agency said Adair’s client had not forked out what Microsoft demands for its premium security suite, and hence detailed forensic data was unavailable.” Really? They are all about the forking out, all whilst their solution is like a 45 year old prostitute claiming to be a virgin? I would suggest that forking out is the least of their problems.
That is even beyond the fact that the transgressions are requiring ‘detailed forensic data’ all whilst the transgressions are what the first article is implying “by exploiting a now-patched zero-day validation issue”, all whilst IT Wire implies that the damage is well beyond the ‘pretended’ scope and as such might (a speculation from my side) not be patched, not to the degree it needed to be. And anyone wonders why I do not trust Microsoft with my IP? They haven’t been able to close their barn doors, at least since 2019, optionally long before that. So your data (and my IP) would have been at risk for well over 4 years. We are also given “This isn’t a Microsoft-specific issue, if a signing key for Google, Facebook, Okta or any other major identity provider leaks, the implications are hard to comprehend. Our industry — and especially cloud service providers — must commit to a greater level of security and transparency concerning how they protect critical keys such as this one, to prevent future incidents and limit their potential impact” This might be, but I have never seen these levels of transgressions on Google Cloud or Amazon AWS, but that is merely my point of view. Then we get an interesting side “while Microsoft had ensured that Azure Active Directory applications would no longer accept forged tokens as valid, by revoking the compromised keys, the danger from the breach still remained” well, it might be, it might not be. Microsoft stated that they had the most powerful console in the world and within 2 years that Nintendo launched the weakest nextgen console of them all, they surpassed all sales records Microsoft claimed to have had, so I am not holding my breath here. The number one question is ‘Why could Microsoft not differentiate between real tokens and forged tokens?’ That would have been my first question, but I am not seeing that here. Possibly for very valid reasons, but the missing out is a case here.
So whilst some stare at “setting up application-specific backdoors”, my issue is that with every application, the change of interaction and transgressions increase. It just does. For example (a bad and debatable one), if EVERY application has a zero day issue (pure speculation) we get with 3 applications a speculative 9 zero day problems. So what happens when the average corporation has Azure and 35 applications? This implies that this customer has 42,875 risk factors. Yes, it is a speculation, yet the ITWire article gives us this with “The full impact of this incident is much larger than we initially understood it to be”, as well as “We must learn from it and improve”, a setting that sounds nice, but consider that Azure was launched 14 years ago, if you are still learning, you have a much larger problem. In December 2020 I wrote ‘Historic view versus reality’ (at https://lawlordtobe.com/2020/12/26/historic-view-versus-reality/) there I quoted the No Such Agency giving us “National Security Agency warns hackers are forging cloud authentication information”, as such the Microsoft claim “Microsoft had ensured that Azure Active Directory applications would no longer accept forged tokens as valid” as a hollow joke. The NSA made the statement 3 years ago, as such Microsoft should have put (buggy) solutions in place to stop forged keys, but it seems they never did. Another mess they made with their own hands. Don’t take my word on this, the NSA sent out warnings in 2020. Warnings that Microsoft seemingly never took to heart. Still happy with your blue cloud? I reckon it is time for people to consider Amazon AWS, Apple iCloud, Google Cloud (GCP), Oracle Cloud or wherever you will be trying to keep your data safe, as I personally see it Microsoft is not that place and with that they are scuttling yet another (what I personally like to call) a spin system, just like a washing machine trying to tumble dry your data on servers where you do not have access to them.
But that might be my short sighted feel on the matter.

Enjoy the day, Monday is now but a day away.


Filed under Finance, Gaming, IT, Media, Science

An almost funny thing

I saw an article at the BBC and I will get to that in a moment, but it reminded me of a situation that happened in 2010. I needed a new laptop and I was looking in a shop at their collection of laptops. A man came to me and was trying to convince me just how amazing this laptop was. My inner demon was grinning, I get it, the man was enthusiastic, he was giving the numbers, but in all this, did he realise what he was saying? I am not doubting the man’s skills, he was doing a good job, I was however in IT and had been there for 30 years, so I have pretty much seen it all, and there it was, my little demon, on my right shoulder calling me ‘pussy’. So as the man stated ‘this laptop has a one terabyte hard-drive, can you even imagine how much that is?’, I could not resist and my response was ‘Yup, that would fit roughly 10% of my porn collection’, his jaw dropped to the ground, his eyes almost popped, the demon inside me stated ‘Nice!’ Actually, it was not quite true, it would only fit a rough 0.32114%. It was the impact of the shock factor. You see, there is a hidden agenda there, when you (appropriately) use the technique, you get to see the real salesperson and that was what I needed. He was thrown, but he recomposed and continued giving me the goods on the laptop, I bought that laptop roughly 132 seconds later.

So today I saw ‘The Rise of extortionware’ (at https://www.bbc.com/news/technology-56570862), here I notice “where hackers embarrass victims into paying a ransom”, it is not new, it is not even novel. I will also give you the second game after the people involved get arrested, they will demand anonymity and any bleeding heart judge will comply. I state that these people will be handed the limelight so that the people that faced ransomware attacks can take their frustration out on these people. But that remains wishful thinking. So next we get “Experts say the trend towards ransoming sensitive private information could affect companies not just operationally but through reputation damage. It comes as hackers bragged after discovering an IT Director’s secret porn collection.” I have the question was it a private or a company computer? You see, some focus on the boobies, just what the advertisers on Twitter hope for, they want the click bitches, it makes them money. It is time that we set the larger stage, you see the entire mess would be smaller if Cisco and Microsoft had done a proper job. OK, I apologise, Cisco does a proper job, but some things slip through and in combination with Microsoft Exchange servers it is not slipping through, it is a cyber hole the size an iceberg created on the Titanic and we need to set a much larger stage. So when we see “Thanks God for [named IT Director]. While he was [masturbating] we downloaded several hundred gigabytes of private information about his company’s customers. God bless his hairy palms, Amen!”, it seemingly answers that he might keep it on a corporate computer, or he uses his private computer for company stuff. Yet in that same light the hacker should not be allowed any anonymity, we all get to see who the hacker is. If there is something to be learned it is seen with “Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out. These incidents are no longer simply cyber-attacks about data, they are full-out extortion attempts”. There are two sides:

  1. The station of ALWAYS ONLINE needs to change, there needs to be an evolving gateway of anti hack procedures and a stage of evolving anti hack routers and monitoring software. You think that Zoom is an option?
    Tom’s Guide gave us less than 2 weeks ago “More than a dozen security and privacy problems have been found in Zoom”, as well as “Zoom’s ease of use has made it easy for troublemakers to “bomb” open Zoom meetings. Information-security professionals say Zoom’s security has had a lot of holes, although most have been fixed over the past few years”, so whilst you contemplate ‘most have been fixed’, consider that not all are fixed and that is where the problem goes from somewhat to enormous. Well over 20% of the workforce works at home, has Zoom meetings and that is how cyber criminals get the upper hand (as well as through disgruntled employees), a change in mindset is only a first station.
  2. Remember that Australian? (Julian Assange) We were told that soon there would be some leaks on issues on banks (Wall Street) then it suddenly became silent, now some will say that it is a bluff, but in light of the meltdown in 2008, I am not so certain, I reckon that some have ways to show the hackers who they are and they profit by not doing that. Can I prove this? Absolutely not. It is speculation, but when you look at the timeline, my speculation makes sense. 
  3. The third side is optionally the second side as the second side might not be a real side. When we see “Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out. These incidents are no longer simply cyber-attacks about data, they are full-out extortion attempts”, the underlying station is ‘information that can be weaponised’ and the IT sector is helping them.

How did I get there? The cloud is not as secure as some state, and the salespeople need to take notice. Business Insider gave us about 6 months ago “70% of Companies Storing Data With Cloud Companies Hacked or Breached”, see the link we are now slowly getting presented? 

In the OSI model, we see layers 3-7 (layer 8 is the user). So as some have seen the issues from Cisco, Microsoft and optionally Zoom, we see a link of issues from layer 3 through to layer 7 ALL setting a dangerous stage. Individually there is no real blame and their lawyers will happily confirm that, but when we see security flaw upon security flaw, there is a larger stage of dangers and we need to take notice. And here the dangers become a lot more interesting when we consider the Guardian yesterday when we saw “Intelligence value of SolarWinds hacking of then acting secretary Chad Wolf is not publicly known”, what else is not publicly known? How many media outlets ignored the Cisco matter, how come ZDNet is one of the few giving us “it’s not releasing patches for some of the affected devices that reached end of life” less than 8 weeks ago. Again I say Cisco did the right thing by informing its customers close to immediately, yet when we see “More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support” (source: bleepingcomputer.com) as far as I can see, a lot of the media ignored it, but they will shout and repeat the dangers of Huawei, without being shown actual evidence, and I state here, that unless we make larger changes, the extortion path will evolve and become a lot larger. With 70% of cloud systems getting hacked or breached, a large chunk of the Fortune 500 will pay too much to keep quiet and who gets to pay for that? There is a rough 99.867765% chance that its board members will not, it might be speculatively, so please prove me wrong.

A stage where the needs of the consumers change in a stage where the corporations are not ready to adjust and all whilst the IT salespeople have that golden calf that does everything and makes you coffee as well. Adjustments are needed, massive adjustments are needed and we need to make them now before the cybercriminals are in control of our IT needs and that is not mere speculation, when you see flaw after flaw and too little is done as too many are the victim of its impact is a serious breach and it has been going on for some time, but now it is seemingly out in the light and too many are doing too little and as we laugh at “God bless his hairy palms, Amen!” Consider that stage, and now consider that they invade a financial institution, these are clever criminals, they do not empty your account, they merely take $1, perhaps $1 every other month, this implies that they are looking at a $16,000,000 every two months. And this is merely one bank, one in a thousand banks, some a lot bigger than the Australian Commonwealth bank and let’s face it, the fact that layer 3 to layer 7 is leaky in hundreds of thousands of customers, do you really think that banks are off-limits? Do you really think that this is a simple hiccup or that the scenery is changing this quickly by people claiming that it will be fixed in no-time?

We need massive changes and we need them a lot sooner than we think.


Filed under IT, Law, Media, Science