Tag Archives: Hacks

And the lesson is?

That is at times the issue, and at times it gets help from people, managers mainly, who believe that the need for speed rectifies everything, which of course is delusional to say the least. So, last week there was a news flash that sped across my retinas and I initially ignored it, mainly because it was Samsung and we do not get along. But then Tom’s Guide (at https://www.tomsguide.com/news/samsung-accidentally-leaked-its-secrets-to-chatgpt-three-times) covered it and I took a closer look. The headline ‘Samsung accidentally leaked its secrets to ChatGPT — three times!’ was decently satisfying. The rest, “Samsung is impressed by ChatGPT but the Korean hardware giant trusted the chatbot with much more important information than the average user and has now been burned three times”, seemed icing on the cake, but I took another look at the information. You see, to most, ChatGPT is seen as an artificial-intelligence (AI) chatbot developed by OpenAI. But I think it is something else. AI does not exist; as such I see it as an ‘Intuitive advanced Deeper Learning Machine response system’. This is not me dissing OpenAI, this system when it works is what some would call the bees knees (and I would be agreeing), but it is data driven and that is where the issues become slightly overbearing. First, you need to train and test the responses on the data offered. It seems to me that this is where speed driven Samsung went wrong. And Tom’s Guide partially agrees by giving us “unless users explicitly opt out, it uses their prompts to train its models. The chatbot’s owner OpenAI urges users not to share secret information with ChatGPT in conversations as it’s “not able to delete specific prompts from your history.” The only way to get rid of personally identifying information on ChatGPT is to delete your account — a process that can take up to four weeks”, and this response gives me another thought.
Whoever owns OpenAI is setting a data driven stage where data could optionally be captured. More importantly, the NSA and similarly tailored organisations (DGSE, DCD et al) could find the logistics of these accounts, hack the cloud and end up with terabytes of data, if not petabytes, and here we see the first failing and it is not a small one. Samsung has been driving innovation for the better part of a decade and as such all that data could be of immense value to both Russia and China, and do not for one moment think that they are not all over the stage of trying to hack those cloud locations.

Of course that is speculation on my side, but that is what most would do and we don’t need an egg timer to await actions on that front. The final quote that matters is “after learning about the security slip-ups, Samsung attempted to limit the extent of future faux pas by restricting the length of employees’ ChatGPT prompts to a kilobyte, or 1024 characters of text. The company is also said to be investigating the three employees in question and building its own chatbot to prevent similar mishaps. Engadget has contacted Samsung for comment”, and it might be merely three employees. Yet in that case the party line failed, management oversight failed and Common Cyber Sense was nowhere to be seen. As such there is a failing and I am fairly certain that these transgressions go way beyond Samsung. How far? No one can tell.
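The one-kilobyte cap Samsung is reported to have put on prompts is a size limit, and a size limit on its own says nothing about what the text contains. The following Python is an added example, not Samsung’s or OpenAI’s code, of a small pre-submission guard that combines the 1024-character limit with a few checks for obviously secret material before a prompt leaves the company; the `guard_prompt` name, the patterns in `SECRET_PATTERNS` and the sample prompts are assumptions constructed for illustration.

```python
import re

# The reported cap: one kilobyte, i.e. 1024 characters of text.
MAX_PROMPT_CHARS = 1024

# Assumed patterns for material that should never leave the company inside a
# prompt: a PEM private-key header, an AWS-style access key id, and a generic
# "password = ..." assignment. Illustrative, not an exhaustive DLP rule set.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
}


def guard_prompt(prompt: str) -> dict:
    """Decide whether a prompt may be sent to an external chatbot.

    Returns {"allowed": bool, "reasons": [...]} so the caller can log the
    decision; a blocked prompt is never forwarded and never stored.
    """
    reasons = []
    if len(prompt) > MAX_PROMPT_CHARS:
        reasons.append(f"length {len(prompt)} exceeds {MAX_PROMPT_CHARS}")
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(prompt):
            reasons.append(f"matched secret pattern: {name}")
    return {"allowed": not reasons, "reasons": reasons}


# Constructed sample prompts for the demonstration (not real data).
SAMPLE_PROMPTS = {
    "benign": "Summarise the attached meeting notes in three bullet points.",
    "too_long": "x" * 2000,
    "key_paste": "Why does this fail?\n-----BEGIN RSA PRIVATE KEY-----\nMIIE...",
    "aws_key": "config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "short_but_secret": "deploy script uses password=Hunter2! on prod",
}


if __name__ == "__main__":
    for label, text in SAMPLE_PROMPTS.items():
        verdict = guard_prompt(text)
        state = "ALLOWED" if verdict["allowed"] else "BLOCKED"
        print(f"{label:18} {state:8} {verdict['reasons']}")
```

The last sample is short enough to pass the length cap and still carries a credential, which is exactly the case a cap alone would miss; a real deployment would log the blocked reason and never forward or store the prompt.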

Yet one thing is certain. Anyone racing to the ChatGPT tally will take shortcuts to get there first, and as such companies will need to reassure themselves that proper mechanics, checks and balances are in place. The fact that deleting an account takes 4 weeks implies that this is not a simple cloud setting, and as such whoever gets access to that will end up with a lot more than they bargained for.

I see it as a lesson for all those who want to be at the starting signal of new technology on day one, all whilst most of that company has no idea what the technology involves and what is set on a larger stage like the cloud, especially when you consider (one source) “45% of breaches are cloud-based. According to a recent survey, 80% of companies have experienced at least one cloud security incident in the last year, and 27% of organisations have experienced a public cloud security incident—up 10% from last year”. In that situation you are willing to set your data, your information and your business intelligence in a cloud account? Brave, stupid but brave.

Enjoy the day


Filed under IT, Science

Two linked events showing trouble

Yes, that is how it started for me today. It all links back to the Optus failures and a few other matters, but cybersecurity is at the heart of it. Initially I saw the second article, but I will get back to that later. First we look at ‘Sydney teenager accused of using Optus data breach to blackmail indicates guilty plea in court’ (at https://www.abc.net.au/news/2022-10-27/teenager-accused-of-using-optus-data-breach-to-blackmail-court/101584078), a simple deception, yet one with a few sides. The first part, “Australian Federal Police (AFP) charged Dennis Su with two offences earlier this month, claiming he sent text messages to 93 Optus customers demanding they transfer $2,000 to a bank account”, sets the guilty party up, but in more ways when we consider part two: “The charges were laid after a bank account belonging to a juvenile, which Mr Su allegedly used, was identified”. So he used a third party’s account and, holy Moses, apparently that of a minor. How the bough breaks! Well, it actually doesn’t break. It seems that there was a serious amount of thought and planning here. Well, for some it is not a serious amount, but he had to know what was planned and he got a minor to be the front for some parts. Which brings me to the second article, the one that actually caught my eye first. It was ‘Medibank and Optus hacks spark warning over identity theft risks from former victims’ (at https://www.abc.net.au/news/2022-10-27/identity-theft-warning-after-optus-medibank-hack/101576992). Here we get “The first thing the victim knew about her identity being hacked was when a man turned up on her parents’ doorstep asking for the sexual services he’d paid for online.” It is the start of a new steeplechase.
When we consider “Former identity theft victims have shared how their details were used to steal luxury vehicles, take out personal loans in their name and hock fake goods online, because criminals got hold of the kinds of information millions of Australians are believed to have had compromised in the latest Medibank and Optus hacks”, this is not nearly the end of it. When we see “While living in Melbourne, she sent a photo of her licence to a real estate agent applying for a lease, and that image was somehow then uploaded into a gallery of property photos featured on that agent’s website”, especially in the Australian housing market, can we please remove this bozo from the housing market? How can anyone be stupid enough to ‘upload’ identity details? There is an unacceptable lack of common cyber sense in Australia. It goes from the big banks to the most stupid of housing players. They have no idea what they are doing and the excuse ‘we made a boo-boo’ just doesn’t play here. First Optus, then Medibank, and that list keeps on growing. That is accelerated by alleged cowboy institutes that make money offering cyber degrees. Australia has a serious problem and it needs to be dealt with, starting with a lot better protection of IDs and identity documents.

And we do not blame Google here, but “Probably the most shocking and stressful part was just seeing my licence there on Google for anyone to use” should be seen as evidence that a much larger issue is in play. When we see newspapers give us “The federal government has promised to dedicate millions of dollars to “investigate and respond” to the massive cyber attack which rocked Optus”, which according to some amounts to $6,000,000 over two years, I reckon that in two years the problem will be a lot larger, and two years to investigate what I in part did in 5 minutes is a joke. Something needs to be done NOW, and let’s start by holding corporations accountable for cyber security, and let’s make sure that a certain housing agent is an Uber driver within 48 hours and not a housing agent any more. Yes, I agree that I am overreacting, but uploading ID details? To a photo gallery? I think we hit rock bottom on the village idiot scale and that needs to be addressed well within 2 years; within 48 hours would be more like it. I think that my optional IP move to Canada might be a good thing. It is not out of the question that these players will set my IP on a server with a connected router that still has the password ‘Cisco123’, that could be how my luck goes and I have seen enough bad luck to last me a lifetime.

As I see it Australia has a lot of problems, not least the larger absence of Common Cyber Sense. I raised that in ‘The Bully’s henchman’ (at https://lawlordtobe.com/2020/01/31/the-bullys-henchman/), which I wrote on January 31st 2020, almost 3 years ago; it is that much of a failure, and if I raised it then, it was already an issue. As such we see a failure that surpasses 3 years and now they want to debate it for two more years? These people are out of their flipping minds!


Filed under IT, Law, Media, Politics, Science

Wrong way intersection?

We all look at times: we look in the direction that we are going, we look at where we want to be, in this we are all alike, and for the most part we stop to look where we were, what we passed and where we came from. These are natural moments. So what is natural in focussing on Huawei, especially the accusations by Finite State, a Matt Wyckhouse undertaking? I have a few issues here. You see, when a person hides behind statements like ‘The Finite State report was highly critical of Huawei, claiming that the Chinese company’s “devices quantitatively pose a high risk to their users. In virtually all categories we examined, Huawei devices were found to be less secure than those from other vendors making similar devices.” According to Finite State, this included potential backdoors. “Out of all the firmware images analyzed, 55% had at least one potential backdoor,” Finite State reported. “These backdoor access vulnerabilities allow an attacker with knowledge of the firmware and/or with a corresponding cryptographic key to log into the device.”’, when the bla bla surrounds “Out of all the firmware images analyzed, 55% had at least one potential backdoor”, a percentage with ‘potential backdoor’, you should optionally be regarded as a hack doing a hatchet job, plain and simple. A real cyber security firm will give us: “These are the clear backdoors found”; there is no percentage, and it will be presented as evidence, plain and simple. That is how this works; let’s face it, Columbus, Ohio is not really Silicon Valley, is it? (There is a plot twist, read on please.)

And when TechRadar gives us ‘Huawei’s telecom equipment is more likely to have flaws than rivals’ claims report’, my question becomes: based on what evidence? When it is linked to “when compared to similar equipment manufactured by its rivals Juniper and Arista”, why are they dependable? Or perhaps only the NSA has those backdoors? There is a disgusting amount of bias coming out of the mouths of those who should stay absolutely neutral, and it gets worse.

Twenty four

It is like a real-time drama with Kiefer Sutherland. Less than 24 hours ago, Cisco gave us: “Cisco issued three “critical” security warnings for its DNA Center users – two having a Common Vulnerability Scoring System rating of 9.8 out of 10”, which is really, really bad, and the rest of the media ignores it completely. So when we get “In one advisory Cisco said a vulnerability in the web-based management interface of DCNM could let an attacker obtain a valid session cookie without knowing the administrative user password by sending a specially crafted HTTP request to a specific web servlet that is available on affected devices. The vulnerability is due to improper session management on affected DCNM software”, there is a much larger story, especially as Cisco is working to remove a few severe failings in its own system, which are unlikely to be removed for a few more months, all leading to larger issues, but the media is seemingly more interested in spouting anti-Huawei materials and not interested in warning potential victims. How does that go over with you?
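The flaw Cisco describes above, a valid session cookie handed out through improper session management before the administrative password is ever checked, is a design mistake that is easiest to see in code. The following Python is an added example, not Cisco’s or DCNM’s code: a hypothetical servlet-style endpoint that mints a session on any request, placed beside a hardened handler that mints one only after a credential check. The paths `/demo/init-session` and `/demo/login`, the account, its password, the salt and the `handle_vulnerable` / `handle_hardened` names are all invented for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed credential store for the demo: one administrative account whose
# password is stored as a PBKDF2-SHA256 hash with a fixed demo salt. A real
# system uses a random per-user salt; every value here is hypothetical.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 100_000
_ADMIN_PW_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", _SALT, _ITERATIONS)

# Server-side session table: session id -> authenticated user name.
SESSIONS = {}


def _verify_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash for the demo account."""
    if user != "admin":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, _ADMIN_PW_HASH)


def _mint_session(user: str) -> str:
    """Create an unpredictable session id bound to an already-authenticated user."""
    sid = secrets.token_urlsafe(32)  # random, never derived from request data
    SESSIONS[sid] = user
    return sid


def handle_vulnerable(path: str, params: dict) -> Optional[str]:
    """Improper session management (hypothetical 'before' pattern).

    An initialisation endpoint creates a session so that later pages have
    state to attach to, and returns that session id as the cookie value, but
    nothing on this path ever checks a credential. Whoever reaches the path
    holds a valid administrative session without knowing the password.
    """
    if path == "/demo/init-session":
        return _mint_session("admin")
    return None


def handle_hardened(path: str, params: dict) -> Optional[str]:
    """Hardened form: a session id exists only after a successful login."""
    if path != "/demo/login":
        return None
    user = params.get("user", "")
    if not _verify_password(user, params.get("password", "")):
        return None  # no cookie of any kind on failure
    return _mint_session(user)


def session_user(sid: Optional[str]) -> Optional[str]:
    """Resolve a presented cookie value back to its authenticated principal."""
    return SESSIONS.get(sid) if sid else None


if __name__ == "__main__":
    print("vulnerable, no credentials :", session_user(handle_vulnerable("/demo/init-session", {})))
    print("hardened, no credentials   :", session_user(handle_hardened("/demo/init-session", {})))
    print("hardened, wrong password   :", session_user(handle_hardened(
        "/demo/login", {"user": "admin", "password": "guess"})))
    print("hardened, right password   :", session_user(handle_hardened(
        "/demo/login", {"user": "admin", "password": "correct horse battery staple"})))
```

The point of the hardened handler is not the hashing; it is that the only code path that can add an entry to `SESSIONS` runs after `_verify_password` has returned true, so there is no request, crafted or otherwise, that yields a cookie the server will honour without the password.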

TechRadar also gives us: “Finite State makes big claims in its report but until it is publicly released, we won’t know for sure if its findings are accurate. However, now that the news is out, further investigation into its legitimacy will likely be carried out by the media, world governments and of course by Huawei itself”, a relatively unknown company in the middle of nowhere; that is how it reads to me and I will happily have my serving of humble pie when they are proven to be correct, yet that public release is likely to find delays to maximise on fear, all whilst Cisco is evading the limelight through media friends. This is not entirely correct from my side: Cisco has been warning all kinds of parties since the issues were found and that is a noble thing, yet the media does not hand that reality out to the larger public, does it? (They had no responsibility to do so.)

I have a second issue: this is supposed to be a ‘for profit’ venture and that is fine, they have been around for 2 years, yet we now see “the security report was done pro-bono as the company believed making this information public was the best way to inform policy makers of the security issues in Huawei’s equipment”. So this report, requiring a massive amount of hours and testing if we go by ‘all the firmware images analysed’ (the initial absence of numbers is also debatable here), with all the time and resources required, was done pro-bono? Is this (as it goes in deceptive conduct) merely a pro-bono report, or are they servicing Juniper and/or Arista? Is that not a valid question?

I find the setting debatable from the mere TechRadar point of view. From my point of view, well known cyber experts have looked at Huawei and none of them have given any clear indication that there was a clear and present danger with anything that Huawei has; they had shown previous issues and those had been dealt with, so unless Finite State gives the golden bullet with clear evidence, the future of Finite State might not be that bright. Can we expect anything from a cyber-firm that facilitates for others? Well, yes, but those are not known as Cyber Experts, they are merely digital marketing firms and the method used implies that they are not very good at what they do.

So I can jump in there and show them how to do it, as long as it comes with 300 W Spring St #1904 as a starting bonus (we all have our price); it is 2 blocks from the Ohio FBI office, with a nice view of the Scioto River (good for enjoying coffee in the morning). Would I compromise? Optionally, but do you want to have faith in someone who compromises, or someone telling you how it is at a price? I get it, at times there is a tactical reason to do things pro-bono, sometimes it brings in the larger fish, yet in this case, when the floor falls from under them, in the way it was presented, do you have faith in them looking towards keeping you safe? Is that really the security you want to bank on?

Cisco has issues, yet they came forward (almost) immediately telling us how it is; the fact that the media is treating them as a darling and keeping them out of the news to the largest degree is not a crime, it merely places question marks on the integrity of the media, and how much credibility do they really have?

There is a larger concern and it is a serious one: the media has set the stage so that less and less information is trusted, especially in fields where trust is essential. It changes the game, but how is not to be told, we cannot tell, yet there is every concern that Europe, Asia and India are less and less willing to trust US equipment. There have been clear indicators that 5G evolution did not give rise to trust; the fact that so called pro-bono work is working out is also not a given. Until there are clear trustworthy sources showing all that Finite State had indeed the silver bullet, things can only get worse for many over the long term, and that has been proven in several ways over the last decade. It is not what I want.

Let’s not start kidding around here: the report is damning, there is no doubt. When we look past the hype TechRadar created and take a serious look at the paper (at the end), we get 55 pages of tech heaven, all jetlagged turbo text, with all the hypes that any techie gets off on.

When a firm gives us “Across the firmware tested, there were 8,826 observations of vulnerabilities with a CVSS score of 10.0, the maximum severity level, indicating serious flaws in the systems”, it had better come with backing, and the source of the data as well as the firmware had better be verifiable; from my point of view, any discrepancy shown and Finite State becomes liable. Even when we see “Our automated system analyzed more than 1.5 million files embedded within 9,936 firmware images supporting 558 different products within Huawei’s enterprise networking product lines”, the sources are not given to us (as far as I saw). The appendix does give us the hardware list and it is a huge list, so now that the die is cast we will have to see what happens next, not merely for Huawei and Finite State. Large names have stated on the record that no issues had been found; they will in equal measure be judged if the scrutiny on the Finite State paper holds up. No matter how this goes, there is a shit storm coming and it will impact at least one party, yet how large it will be cannot be stated at present. The claims are too loud, and if the scrutiny breaks the paper it might be the end of Finite State and its board of directors before they got decently started; should they make it, the opposition is a lot larger and it gets to be a lot uglier for many players involved.

The paper also gives clear premises. For one there is: “It is common for embedded devices to ship with a default password enabled for the primary account, “root” in this case, as long as the password can be changed and is documented as part of the standard operating procedure of the device.” OK, that is fair enough, but there is a second part: how many consumers get told how to change that? And how does that compare to issues found with Sprint, T-Mobile and Verizon, as documented parts that show users how to do that? Is that not equally important? In the end I can debate all the parts until I look like a failed auto asphyxiation attempt, yet the scrutiny from me has little to no value; it is the response of Huawei and the other players that now becomes the important part, because these experts making 1000% or more of what I make will not be allowed the ‘Oops!’ or ‘That was not part of our investigation’ excuse. In that way whatever comes next will get ugly fast, and in light of my initial exposure of anti-Huawei goons, I have an equal responsibility to take this to the next level, no matter how it goes, because that too is part of accountability. No matter how we slice it, Finite State has given us something serious to look at (one of the very first to do so), so now we look at the boffins at MIT and Stanford on what they make of it, and if the technical dudes at DARPA decide to wake up for this one, that would be nice too.
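The premise quoted above, a shipped default password for root, is something anyone can check once a firmware root filesystem has been unpacked: the second field of each `/etc/shadow` line shows whether the account has no password at all, uses a weak hash scheme, or has its password login locked. The following Python is an added example, not Finite State’s tooling and not Huawei’s firmware; the sample shadow file is constructed, its hash strings are shaped like real ones but are not real credentials, and the severity labels are this example’s own. Whether a shipped password is changeable and documented, the report’s condition, is a procedural question the script cannot answer.

```python
# crypt(3) hash-scheme prefixes as found in the second field of /etc/shadow,
# mapped to (scheme name, acceptable for a shipping device?). The
# "acceptable" judgement is this example's own assumption.
HASH_SCHEMES = {
    "$1$": ("md5crypt", False),
    "$5$": ("sha256crypt", True),
    "$6$": ("sha512crypt", True),
    "$2a$": ("bcrypt", True),
    "$2b$": ("bcrypt", True),
    "$2y$": ("bcrypt", True),
    "$y$": ("yescrypt", True),
}


def classify_field(field: str):
    """Return (scheme, concern) for one shadow password field."""
    if field == "":
        return "empty", "no password set: the account logs in without one"
    if field.startswith(("*", "!")):
        return "locked", ""  # password login disabled
    for prefix, (name, acceptable) in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name, "" if acceptable else "weak hash scheme"
    if len(field) == 13 and "$" not in field:
        return "descrypt", "legacy DES crypt: 8-character limit, weak"
    return "unknown", "unrecognised hash format"


def audit_shadow(text: str) -> list:
    """Parse an extracted /etc/shadow and rate each account.

    Severity is assigned by this example: an empty field is critical for root
    and high for any other account; a weak or unknown scheme is high for root
    and medium otherwise; locked accounts and acceptable hashes are info.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            findings.append({"line": lineno, "user": parts[0], "scheme": "malformed",
                             "severity": "medium", "note": "fewer than two fields"})
            continue
        user, field = parts[0], parts[1]
        scheme, note = classify_field(field)
        if scheme == "empty":
            severity = "critical" if user == "root" else "high"
        elif note:
            severity = "high" if user == "root" else "medium"
        else:
            severity = "info"
        findings.append({"line": lineno, "user": user, "scheme": scheme,
                         "severity": severity, "note": note})
    return findings


# Constructed shadow file standing in for one extracted from a firmware image.
# The hash strings are shaped like real ones but are not real credentials.
SAMPLE_SHADOW = """\
root:$1$Qh7Zr3p1$X8zL0v9mNfEd4UwKs2gYt/:18000:0:99999:7:::
admin::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:$6$z4Sb1q9X$c0nstructedHashValueForTheExampleOnly:18000:0:99999:7:::
"""


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['severity']:8} {f['user']:8} {f['scheme']:12} {f['note']}")
```

For a real image, read the extracted shadow file and pass its contents to `audit_shadow` instead of `SAMPLE_SHADOW`; a root entry rated high or critical is the kind of finding the report counts as a potential backdoor, and it still needs the documentation check the report itself names.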

I look forward to round two, because it will be a beauty to watch on hundreds of channels all over the planet, this would make for great TV (and optionally ten times better than anything the Kardashians can show) so I’ll get the popcorn for this one.

https://finitestate.io/wp-content/uploads/2019/06/Finite-State-SCA1-Final.pdf


Filed under Finance, IT, Law, Military, Politics, Science