Microsoft: Technical Excellence Translates to More Excellencerness
February 18, 2021
I found the Microsoft explanation of the SolarWinds’ misstep interesting. CBS circulated some of the information in the interview in “SolarWinds: How Russian Spies Hacked the Justice, State, Treasury, Energy and Commerce Departments.” The point that Windows’ security systems did not detect the spoofing, modifying, and running of Microsoft software was skipped over in my opinion. I loved this statement by Brad Smith, one of the senior executives at the Redmond giant:
When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.
Then, on failing to detect the breach, which seems to have exploited the fascinating Microsoft software update methods:
I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.
Okay, “certainly.” Okay, 1,000.
What if SolarWinds’ misstep was not the largest and most sophisticated hack? Is it possible that an insider or a contractor working from home in another country provided the credentials? What if piggybacking on the wild and wonderful Windows’ update system and method was a cottage industry among some bad actors? What if the idea for the malware was a result of carelessness and assumptions about the “security” of how Microsoft and its partners conducted routine business? What if the bad actors used open source software and some commercial reverse engineering tools, information on hacker forums, and trial and error? Does one need 1,000 engineers? Microsoft may need that many engineers, but in my experience gained in rural Kentucky, a handful of clever individuals could have made the solar fires burn more brightly. Who can manage 1,000 hackers? I am not sure nation states can get 1,000 cyber warriors to a single conference center at one time or get most to read their email, file reports, and coordinate their code. Some may suggest Russia, China, North Korea, or Iran can do these managerial things in a successful way. Not I. The simplest explanation is often the correct one. Insider, opportunism, and a small team make more sense to me.
Let me shift gears.
What about the spoofing, modifying, and running of Microsoft software for months, maybe a year, maybe more without detecting the intrusion?
I noted “A Vulnerability in Windows Defender Went Unnoticed for 12 Years.” That write up asserts:
A critical bug in Windows Defender went undetected by both attackers and defenders for some 12 years, before finally being patched last fall. The vulnerability in Microsoft’s built-in antivirus software could have allowed hackers to overwrite files or execute malicious code—if the bug had been found. Let’s be clear—12 years is a long time when it comes to the life cycle of a mainstream operating system, and it’s a heck of a long time for such a critical vulnerability to hide.
Sure, let’s be clear. Microsoft talks security. It issues techno-marketing posts like its late January explanation of the SolarWinds’ misstep which I reported on in the DarkCyber video news program on February 9, 2021.
But perhaps more pointed questions should be asked. I don’t want to know about Team featuritis. I don’t want to know why I should not install certain Windows 10 updates or accept updates like the mandatory update KB4023057. I don’t want to know about folding mobile phones. Nope. None of those things.
I want TV interviewers, CBS “real news” writers, and Microsoft to move beyond marketing chatter, hollow assurances, and techno-babble. Oh, I forgot. The election, Covid, and the Azure cloud JEDI thing. I, like others, need their priorities readjusted.
How many employees and partners told Brad Smith, “You were great in the 60 Minutes interview”? Lots, I would wager.
Stephen E Arnold, February 18, 2021
SolarWinds: Woulda, Coulda, Shoulda?
February 17, 2021
The SolarWinds security breach had consequences worldwide. The bad actors, believed to be Russian operatives, hacked into systems at the Department of Homeland Security, the Treasury Department, the National Institutes of Health, the Department of Justice, and other federal agencies as well as those of some major corporations. The supply-chain attack went on for months until it was finally discovered in December; no one is sure how much information the hackers were able to collect during that time. Not only that, it is suspected they inserted hidden code that will continue to give them access for years to come.
Now ProPublica tells us the government paid big bucks to develop a system that may have stopped it, if only it had been put into place. Writers Peter Elkind and Jack Gillum report that “The U.S. Spent $2.2 Million on a Cybersecurity System that Wasn’t Implemented—and Might Have Stopped a Major Hack.” Oops. We learn:
“The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers. This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for ‘as a whole’), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. … Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.”
Other experts also believe in-toto, which is free to use, would have been able to stop the attack in its tracks. Some private companies have embraced the software, including SolarWinds competitor Datadog. That company’s security engineer, in fact, contributed to the tool’s design and implementation. We are not sure what it will take to make the government require its vendors to implement in-toto. Another major breach? Two or three? We shall see. See the write-up for more details about supply-chain attacks, the SolarWinds attack specifically, and how in-toto works.
Cynthia Murrell, February 17, 2021
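The ProPublica excerpt above describes in-toto’s goal (end-to-end protection of the software supply pipeline) without showing the mechanism. The following is an added, simplified illustration written for this page; it is not in-toto’s real metadata format, API, or code. Each pipeline step emits a signed “link” recording the hashes of what it consumed (materials) and what it produced (products); a “layout” names the steps, who may sign each one, and how one step’s products must flow into the next step’s materials. A verifier holding only the layout and the links can then detect an artifact that was swapped between the build step and the packaging step, the kind of tampering the article associates with the SolarWinds attack. The names LAYOUT, sign_link, verify and run_pipeline, the HMAC-based signatures standing in for in-toto’s public-key signatures, and all sample bytes and keys are constructed assumptions for an offline demonstration.

```python
"""Simplified in-toto-style supply chain verification (illustration only).

Assumptions, not in-toto's real design: links and layout are plain dicts,
signatures are HMAC-SHA256 over canonical JSON with per-functionary secrets
(in-toto uses asymmetric keys), and all artifacts are constructed byte strings.
"""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic encoding so a signature covers exactly one byte sequence.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_link(step: str, materials: dict, products: dict, key: bytes) -> dict:
    """A functionary records what a step consumed and produced, then signs it."""
    body = {"step": step, "materials": materials, "products": products}
    return {"body": body, "sig": hmac.new(key, canonical(body), "sha256").hexdigest()}


# Layout (hypothetical): ordered steps, the functionary allowed to sign each,
# and which earlier step must have produced this step's inputs.
LAYOUT = {
    "steps": [
        {"name": "build", "signer": "builder", "expects_from": None},
        {"name": "package", "signer": "packager", "expects_from": "build"},
    ],
    "final_product": "installer.msi",
}


def verify(layout: dict, links: list, keys: dict, delivered: dict) -> list:
    """Return a list of findings; an empty list means the chain verified."""
    findings = []
    by_step = {lk["body"]["step"]: lk for lk in links}
    for step in layout["steps"]:
        link = by_step.get(step["name"])
        if link is None:
            findings.append(f"missing link for step {step['name']}")
            continue
        # 1. The link must carry a valid signature from the authorised functionary.
        expected = hmac.new(keys[step["signer"]], canonical(link["body"]), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            findings.append(f"bad signature on {step['name']}")
        # 2. Every material consumed here must be exactly what the upstream step produced.
        prev = step["expects_from"]
        if prev and prev in by_step:
            upstream = by_step[prev]["body"]["products"]
            for name, digest in link["body"]["materials"].items():
                if upstream.get(name) != digest:
                    findings.append(f"{step['name']} consumed {name} that {prev} did not produce")
    # 3. What the customer received must match what the last step signed off on.
    final = layout["final_product"]
    last_step = layout["steps"][-1]["name"]
    last = by_step.get(last_step)
    if last and last["body"]["products"].get(final) != delivered.get(final):
        findings.append(f"delivered {final} does not match {last_step} output")
    return findings


# Constructed sample inputs: functionary secrets, a source file and two binaries.
KEYS = {"builder": b"builder-secret", "packager": b"packager-secret"}
SOURCE = b"int main(void){return 0;}"
CLEAN_BIN = b"\x7fELF clean build"
TROJANED_BIN = b"\x7fELF build + implant"


def run_pipeline(binary_handed_to_packager: bytes):
    """Build signs the clean binary; packaging signs whatever it was actually given."""
    build = sign_link("build", {"main.c": sha256(SOURCE)},
                      {"app.bin": sha256(CLEAN_BIN)}, KEYS["builder"])
    installer = b"MSI(" + binary_handed_to_packager + b")"
    package = sign_link("package", {"app.bin": sha256(binary_handed_to_packager)},
                        {"installer.msi": sha256(installer)}, KEYS["packager"])
    return [build, package], {"installer.msi": sha256(installer)}


def honest_pipeline() -> list:
    links, delivered = run_pipeline(CLEAN_BIN)
    return verify(LAYOUT, links, KEYS, delivered)


def binary_swapped_before_packaging() -> list:
    # The implant is introduced between build and package; packaging signs it honestly,
    # but its material hash no longer matches the build step's product hash.
    links, delivered = run_pipeline(TROJANED_BIN)
    return verify(LAYOUT, links, KEYS, delivered)


def installer_altered_after_packaging() -> list:
    links, delivered = run_pipeline(CLEAN_BIN)
    delivered["installer.msi"] = sha256(b"MSI(" + TROJANED_BIN + b")")
    return verify(LAYOUT, links, KEYS, delivered)


if __name__ == "__main__":
    print("honest:", honest_pipeline())
    print("swapped before packaging:", binary_swapped_before_packaging())
    print("altered after packaging:", installer_altered_after_packaging())
```

The point the excerpt makes in prose shows up in the second and third scenarios: a per-user antivirus sees only the final installer, which carries a legitimate vendor signature in both cases, whereas the step-by-step link metadata exposes where the artifact stopped matching what the previous functionary actually produced.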
Data Security: Clubhouse Security and Data Integrity Excitement?
February 15, 2021
Here in rural Kentucky “clubhouse” means a lower cost shack where some interesting characters gather. There are many “clubs” in rural Kentucky, and not many of them are into the digital flow of Silicon Valley. Some of those “members” do love the tweeter and similar real time, real “news” systems.
Imagine my surprise when I read Stanford Internet Observatory’s report from its Cyber Policy Center “Clubhouse in China: Is the Data Safe?” I thought that the estimable Stanford hired experts who knew that “data” is plural. Thus the highly intellectual SIPCPC would have written the headline “Clubhouse in China: Are the Data Safe?” (Even some of the members of the Harrod’s Creek moonshine club know that subject-verb agreement is preferred even for graduates of the local skill high school.)
Let’s overlook the grammar and consider the “real” information in the write up. The write up has six authors. That’s quite a team.
The SIPCPC determined that Clubhouse uses software and services from a company based in Shanghai. The question is, “Does the Chinese government have access to the data flowing in the Clubhouse super select and awfully elite ‘conversations’?”
The answer it turns out is, “Huh. What?”
Clubhouse was banned by the Chinese government. The SIPCPC report (I almost typed CCP but caught myself) and the response from Clubhouse dance around the issue. There are assurances that Clubhouse is going to be stronger.
The only problem is that the SIPCPC and the Clubhouse write up skirt such topics as:
- Implications of the SolarWinds’ misstep, which operated for months prior to detection; there are zero indicators reporting that the breach and its malware have been put in the barn.
- Intercept technology within data centers in many countries makes it possible to capture information (bulk and targeted).
- The decision to rely on Agora raises interesting implications about the judgment of the Clubhouse management team.
Net net: Interesting write up which casts an interesting light on the SIPCPC findings and the super zippy Clubhouse. If one cannot get subject-verb agreement correct, what other issues have been ignored?
Stephen E Arnold, February 15, 2021
2021: A Year with Two Gulps of Failure
February 11, 2021
I provide additional commentary on Microsoft’s late January 2021 explanation of the SolarWinds’ misstep. The glitch seems to be like an ink stain. Over time, it spreads: China’s alleged involvement, one third of the security penetrations not involving SolarWinds’ software, and mounting suggestions about how long the bad actors were probing and possibly implanting backdoors in government agencies, big contractors, and commercial enterprises. You can view the video on this blog’s home page on January 9, 2021. For today (Monday, January 8, 2021) I want to call attention to two items.
The first is a useful list of situations in which malware, viruses, and other bad actor actions are not detected. You can find the list in “Why Antivirus Software Fails to Detect Latest Viruses and Malwares.” What’s interesting about the article is that none of the suggestions solves the problem of the Saturday Night Live / Donald Rumsfeld quip, “You don’t know what you don’t know.”
The second is the allegedly accurate information in the ABC News’s report “Former Capitol Police Chief Steven Sund Says Entire Intelligence Community Missed Signs of Riot.” Here’s a passage the Capitol Police’s former top dog wrote to Ms. Pelosi, included in the news story:
“Having previously handled two major post-election demonstrations successfully utilizing an action plan that was based on intelligence assessments that had proven to be credible, reliable, and accurate, we reasonably assumed the intelligence assessment for Jan. 6, 2021, was also correct.”
What this means to me is that the intel was off the mark.
Perhaps the SolarWinds’ misstep is the result of several factors. Let me raise these as possibilities:
First, the software designed to identify and flag breaches did not work. Furthermore, the infrastructure in wide use for Microsoft software was the carrier of the malware. No one noticed for possibly a year or more. FireEye investigated a mobile phone access issue and came across the multi-part, multi-stage attack. The breach was not one outfit. The penetration extended to as many as 18,000 organizations. It is not clear what the bad actor did once access to this gold mine of systems was achieved.
Second, the intelligence apparatus of multiple US entities did not characterize the scale, intent, and size of the “friendly” protest at the US Capitol in early January. If the information in the ABC News’s story is accurate, the intelligence reports, like the awareness of the SolarWinds’ misstep, were wide of the mark. Maybe in someplace like Cuba or Bali, just not in the Capitol Police’s tactical planning unit’s hands?
The conclusion is that I see two types of failure with a common root cause: A certain blindness.
Marketing, threat assessment webinars, and licensing existing cyber security software won’t address these possibly interrelated problems.
Not good. Marketing explanations are much better. The fix? Another BrightTALK cyber security briefing, more Microsoft security blog posts, and more security podcasts from former government security attorneys?
Stephen E Arnold, January 11, 2021
DarkCyber for February 9, 2021, Now Available
February 9, 2021
DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known online services. The program is produced by Stephen E Arnold. You can view the program on the Beyond Search blog or on YouTube at this link.
This week’s program features a discussion of Microsoft’s explanation of the SolarWinds’ misstep. The online explanation is a combination of forensic information with an old-fashioned, almost Ballmer-esque marketing pitch. Plus, DarkCyber responds to a viewer who wanted more information about locating bad actor hackers promoting their criminal capabilities on the Dark Web. The program highlights two Dark Web services and provides information about two online resources which offer additional information. Three other stories round out the February 9, 2021, program. Allegedly some of the software stolen in the SolarWinds’ misstep (a data breach which compromised more than 18,000 companies and government organizations) is available for sale. Information about the cost of the software and how to buy it is provided. Next you learn about the app tracking technology which is creating friction between Apple and Facebook. Who benefits from tracking users’ actions hundreds of times each day? DarkCyber answers this question. The final story is another signature drone news item. If you think that one drone poses a challenge, consider the difficulty of dealing with thousands of miniature weaponized drones converging on a unit or disrupting warfighting tactics under live fire.
Kenny Toth, February 9, 2021
Google Speaks But Is MIT Technology Review Delivering Useful Information or Just PR?
February 4, 2021
I read “Google Says It’s Too Easy for Hackers to Find New Security Flaws.” I assume that the Google is thrilled that its systems and methods were not directly implicated in the SolarWinds’ misstep and possibly VMware’s and Microsoft’s. But I don’t know, because the information is dribbling out at irregular intervals and in my opinion has either been scrubbed or converted to euphemism. A good example is the Reuters’ report “Exclusive: Suspected Chinese Hackers Used SolarWinds Bug to Spy on US Payroll Agency — Sources.”
The esteemed institution supported by Jeffrey Epstein and housing an expert who allegedly had ties to an American adversary’s officials reports:
Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees.
What makes this story different is that the Google is now agreeing that today’s software is easy to compromise. The write up quotes an expert who offers:
Over its six-year lifespan, Google’s team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero-days that were being exploited—a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely patched, which meant that it took just a few tweaks to the hacker’s code for the attack to continue working. Many such attacks, she says, involve basic mistakes and “low hanging fruit.”
This is news? I think it is more self-congratulatory, just like the late January 2021 explanation of the SolarWinds’ misstep which I discuss in the February 9, 2021 DarkCyber video program. You can view the video on this blog.
Stephen E Arnold, February 4, 2021
The SolarWinds Misstep: Who Else Walked Off the Cliff?
February 2, 2021
“Hack Said to Extend Beyond SolarWinds” is a troubling “real” news story. The idea that bad actors may have gained access to commercial and government servers for more than a year was troubling. According to the write up, the data breach has another dimension:
Close to a third of the victims didn’t run the SolarWinds Corp. software initially considered the main avenue of attack for the hackers…
What was the shared point of vulnerability?
The write up dances around the topic, but DarkCyber believes that Microsoft software is the common factor for the breaches, a fact presented at the end of the article:
Mr. Wales [US government cyber security wizard] said his [Cyber Security and Infrastructure] agency isn’t aware of cloud software other than Microsoft’s targeted in the attack.
The Wall Street Journal article reporting a government official’s public statement is located behind a paywall.
Is Microsoft capable of providing cloud and desktop services which are secure? Will a rock band craft a TikTok video based on a remake of the Platters’ hit song “The Great Pretender,” modified to “The Great Defender”?
Yes I’m the great defender
Just laughin’ and gay like a clown
I seem to be what I’m not, you see
I’m showing my code like a crown
Pretending that JEDI’s still around.
Apologies to Buck Ram.
Stephen E Arnold, February 2, 2021
Post SolarWinds: Enhanced Security Methods. Er, What?
January 22, 2021
I find it interesting that the SolarWinds’ security misstep has faded. I assumed (the old “assume makes an ass of u and me” saw is applicable) that after a teeny little security breach, information technology professionals would exert a teeny little effort to make sure obvious security lapses were remediated. Was I incorrect? Absolutely, gentle reader.
I noted the Beeb’s article “Malware Found on Laptops Given Out by Government”. The “government” is the United Kingdom’s Brexit capable entity. I learned:
Some of the laptops given out in England to support vulnerable children home-schooling during lockdown contain malware….The malware, which they said appeared to be contacting Russian servers, is believed to have been found on laptops given to a handful of schools.
I love the “some” and the “handful.” Ho ho ho.
Like the SolarWinds’ misstep, numbers in which one can be confident are not readily available. What is available is the indifference of organizations to the risks and threats posed by malware on school laptops and educational computers. Think about human trafficking and child pornography. Distasteful for sure, but these “government” computers may provide information useful for other pursuits; for example, blackmail, extortion, and parent or guardian financial information.
One source for the tolerant Beeb allegedly said:
“We believe this is not widespread.”
Right, 18,000 organizations compromised via the SolarWinds’ misstep should be ignored.
Let’s hear it for security well implemented. Wait. I don’t hear any rah rah. Must be an intercepted Internet stream, which does not happen in the UK.
Stephen E Arnold, January 22, 2021
Post SolarWinds: No Kidding! Cyber Threats in 2021
January 21, 2021
KnowBe4 is a cyber security company based in Clearwater, Florida. The company offers a wide range of cyber security services and information. Like other cyber security firms, its systems and analysts did not notice the SolarWinds’ misstep. From my vantage point in rural Kentucky, this could be a miscommunication, a misunderstanding on my part, or another example of the ineffectiveness of US cyber security solutions offered by “experts.”
I spotted an article written by a KnowBe4 professional called “Top IT Security Threats in 2021.” This “content strategy and evangelist” seems to operate from the KnowBe4 office in South Africa.
Yep, there are cyber security threats. The SolarWinds’ misstep and the failure of heavily promoted cyber security and threat intelligence vendors to “notice” the breach remain fresh in my mind. FireEye is thinking about the misstep as well. That company released a free cyber tool to help entities figure out if their systems are compromised. (Quick comprehension test #1: What if the tool does not locate a breach? Is the system actually secure? Take the time needed to answer this question. Hint: Think about false positives for Covid tests.)
What are the threats in 2021? KnowBe4’s “content strategy and evangelist” points out:
- Phishing
- Ransomware
- Remote working
- Passwords
- Disinformation.
Comprehensive, but isn’t something missing? (Quick comprehension test #2: What’s missing?)
The SolarWinds’ misstep?
If KnowBe4-type solutions worked, wouldn’t SolarWinds be off the security radar?
I like companies which have crystal ball capabilities; that is, the outfits know beforehand. Is marketing more important than performance, maybe?
Stephen E Arnold, January 21, 2021
Does This Mean Bad Actors Are Now Riding in 10,000 SolarWinds Powered Digital Sailboats?
January 12, 2021
I read “Hackers Breaking into Networks without SolarWinds, CISA Says.” The write up states that the Cybersecurity and Infrastructure Security Agency offered:
“Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” according to updated guidance published Jan 6. “CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs).”
Based upon my limited understanding, is this similar to 10,000 sailboats zipping around a big lake? A couple of coast guard patrols may have difficulty monitoring the carefree scofflaws. To make matters more challenging, the sailboats are used by other people who are trespassing on government land and private property in order to join the digital rave.
To sum up, the SolarWinds’ misstep may have been the one-lane road which the visitors are using to explore the great big data lake. And the party has been going on for how long? Oh, right. No one knows for sure.
Stephen E Arnold, January 14, 2021