Post SolarWinds: Enhanced Security Methods. Er, What?
January 22, 2021
I find it interesting that the SolarWinds’ security misstep has faded. I assumed (the old “assume makes an ass of you and me” saw is applicable) that after a teeny little security breach, information technology professionals would exert a teeny little effort to make sure obvious security lapses were remediated. Was I incorrect? Absolutely, gentle reader.
I noted the Beeb’s article “Malware Found on Laptops Given Out by Government”. The “government” is the United Kingdom’s Brexit capable entity. I learned:
Some of the laptops given out in England to support vulnerable children home-schooling during lockdown contain malware….The malware, which they said appeared to be contacting Russian servers, is believed to have been found on laptops given to a handful of schools.
I love the “some” and the “handful.” Ho ho ho.
Like the SolarWinds’ misstep, numbers in which one can be confident are not readily available. What is available is the indifference organizations have to the risks and threats malware on school laptops and educational computers pose. Think about human trafficking and child pornography. Distasteful for sure, but these “government” computers may provide information useful for other pursuits; for example, blackmail, extortion, and parent or guardian financial information.
One source for the tolerant Beeb allegedly said:
“We believe this is not widespread.”
Right, 18,000 organizations compromised via the SolarWinds’ misstep should be ignored.
Let’s hear it for security well implemented. Wait. I don’t hear any rah rah. Must be an intercepted Internet stream, which does not happen in the UK.
Stephen E Arnold, January 22, 2021
Post SolarWinds: No Kidding! Cyber Threats in 2021
January 21, 2021
KnowBe4 is a cyber security company based in Clearwater, Florida. The company offers a wide range of cyber security services and information. Like other cyber security firms, its systems and analysts did not notice the SolarWinds’ misstep. From my vantage point in rural Kentucky, this could be a miscommunication, a misunderstanding on my part, or another example of the ineffectiveness of US cyber security solutions offered by “experts.”
I spotted an article written by a KnowBe4 professional called “Top IT Security Threats in 2021.” This “content strategy and evangelist” seems to operate from the KnowBe4 office in South Africa.
Yep, there are cyber security threats. The SolarWinds’ misstep and the failure of heavily promoted cyber security and threat intelligence vendors to “notice” the breach remain fresh in my mind. FireEye is thinking about the misstep as well. That company released a free cyber tool to help entities figure out if their systems are compromised. (Quick comprehension test #1: What if the tool does not locate a breach? Is the system actually secure? Take the time needed to answer this question. Hint: Think about false positives for Covid tests.)
What are the threats in 2021? KnowBe4’s “content strategy and evangelist” points out:
- Phishing
- Ransomware
- Remote working
- Passwords
- Disinformation.
Comprehensive, but isn’t something missing? (Quick comprehension test #2: What’s missing?)
The SolarWinds’ misstep?
If KnowBe4-type solutions worked, wouldn’t SolarWinds be off the security radar?
I like companies which have crystal ball capabilities; that is, outfits which know before the event. Or is marketing more important than performance, maybe?
Stephen E Arnold, January 21, 2021
Does This Mean Bad Actors Are Now Riding in 10,000 SolarWinds Powered Digital Sailboats?
January 12, 2021
I read “Hackers Breaking into Networks without SolarWinds, CISA Says.” The write up states that the Cybersecurity and Infrastructure Security Agency offered:
“Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” according to updated guidance published Jan 6. “CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs).”
Based upon my limited understanding, is this similar to 10,000 sailboats zipping around a big lake? A couple of coast guard patrols may have difficulty monitoring the carefree scofflaws. To make matters more challenging, the sailboats are used by other people who are trespassing on government land and private property in order to join the digital rave.
To sum up, the SolarWinds’ misstep may have been the one lane road which the visitors are using to explore the great big data lake. And the party has been going on for how long? Oh, right. No one knows for sure.
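One way a defender could look for the SAML token abuse CISA describes in the guidance quoted above: correlate the tokens a service sees with the identity provider’s own sign-in records, and flag tokens with no backing sign-in or an unusually long validity window. This is an added example, not code from the post or from CISA; the sample events, issuer URL and thresholds are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: SAML tokens observed by a service provider, and
# sign-in events recorded by the identity provider (IdP). Not real logs.
TRUSTED_ISSUERS = {"https://sts.example.org/adfs/services/trust"}
TOKENS = [
    {"id": "t1", "subject": "alice@example.org", "issued": "2021-01-06T09:00:05Z",
     "expires": "2021-01-06T10:00:05Z", "issuer": "https://sts.example.org/adfs/services/trust"},
    # A week-long token for a service account with no IdP login behind it.
    {"id": "t2", "subject": "svc-backup@example.org", "issued": "2021-01-06T03:14:00Z",
     "expires": "2021-01-13T03:14:00Z", "issuer": "https://sts.example.org/adfs/services/trust"},
    # Normal lifetime, but the user's last sign-in was the previous day.
    {"id": "t3", "subject": "bob@example.org", "issued": "2021-01-06T11:30:00Z",
     "expires": "2021-01-06T12:30:00Z", "issuer": "https://sts.example.org/adfs/services/trust"},
]
SIGNINS = [
    {"subject": "alice@example.org", "time": "2021-01-06T09:00:01Z"},
    {"subject": "bob@example.org", "time": "2021-01-05T08:00:00Z"},
]


def parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_tokens(tokens, signins, trusted_issuers,
                           max_lifetime=timedelta(hours=1),
                           login_window=timedelta(minutes=5)):
    """Return {token_id: [reasons]} for tokens that do not look like the
    product of a normal IdP authentication. Thresholds are assumptions."""
    findings = {}
    for tok in tokens:
        reasons = []
        issued, expires = parse(tok["issued"]), parse(tok["expires"])
        # Forged tokens are often minted with validity far beyond policy.
        if expires - issued > max_lifetime:
            reasons.append("long lifetime")
        if tok["issuer"] not in trusted_issuers:
            reasons.append("untrusted issuer")
        # A legitimate token should follow an IdP sign-in by the same
        # subject shortly before its issue time.
        backed = any(
            s["subject"] == tok["subject"]
            and issued - login_window <= parse(s["time"]) <= issued
            for s in signins)
        if not backed:
            reasons.append("no matching IdP sign-in")
        if reasons:
            findings[tok["id"]] = reasons
    return findings


if __name__ == "__main__":
    for token_id, why in find_suspicious_tokens(TOKENS, SIGNINS, TRUSTED_ISSUERS).items():
        print(token_id, ", ".join(why))
```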
Stephen E Arnold, January 14, 2021
DarkCyber for January 12, 2021, Now Available
January 12, 2021
DarkCyber is a twice-a-month video news program about the online world, the Dark Web, and cyber crime. You can view the video on Beyond Search or at this YouTube link.
The program for January 12, 2021, includes a featured interview with Mark Massop, DataWalk’s vice president. DataWalk develops investigative software which leapfrogs such solutions as IBM’s i2 Analyst Notebook and Palantir Gotham. In the interview, Mr. Massop explains how DataWalk delivers analytic reports with two or three mouse clicks, federates or brings together information from multiple sources, and slashes training time from months to several days.
Other stories include DarkCyber’s report about the trickles of information about the SolarWinds’ “misstep.” US Federal agencies, large companies, and a wide range of other entities were compromised. DarkCyber points out that Microsoft’s revelation that bad actors were able to view the company’s source code underscores the ineffectiveness of existing cyber security solutions.
DarkCyber highlights remarkable advances in smart software’s ability to create highly accurate images from poor imagery. The focus of DarkCyber’s report is not on what AI can do to create faked images. DarkCyber provides information about how and where to determine if a fake image is indeed “real.”
The final story makes clear that flying drones can be an expensive hobby. One audacious drone pilot flew in restricted air zones in Philadelphia and posted the exploits on a social media platform. And the cost of this illegal activity? Not too much. Just $182,000. The good news is that the individual appears to have avoided one of the comfortable prisons available to authorities.
One quick point: DarkCyber accepts zero advertising and no sponsored content. Some have tried, but begging for dollars and getting involved in the questionable business of sponsored content is not for the DarkCyber team.
Finally, this program begins our third series of shows. We have removed DarkCyber from Vimeo because that company insisted that DarkCyber was a commercial enterprise. Stephen E Arnold retired in 2017, and he is now 77 years old and not too keen to rejoin the GenX and Millennials in endless Zoom meetings and what he calls “blatant MBA craziness.” (At least that’s what he told me.)
Kenny Toth, January 12, 2021
A Tiny Clue about the Entity Interested In the SolarWinds Misstep
January 11, 2021
I read “Putin’s Disinformation Campaign claims Stunning Victory with Capital Hill Coup.” The write up points out that a study by the Berkman Klein Center for Internet & Society describes a broad campaign against the United States. The article references a Rand study which offers additional color.
However, my interpretation of the write up is that Russia may be just one facet of the “truth decay” approach. Disinformation is complemented by penetration of US networks and systems. Even if no data were exfiltrated, undermining confidence in cyber security methods is another chess move by Russia.
The buzzword is widening the fissures. Serious weakness, exploitable weakness.
Stephen E Arnold, January 11, 2021
Cyber Security: An Oxymoron Maybe?
January 8, 2021
AI neural networks are only as smart as they are programmed, and the technology is still in its infancy. In other words, AI neural networks are biased and make mistakes. This is not a problem now, especially when many AI neural networks are in the experimental stage; however, as the technology advances, Hacker Noon says we need to discuss future problems now in “The Inevitable Symbiosis of Cybersecurity and AI.”
AI neural networks, like other technology, are hackable. The problem Hacker Noon brings up is that companies that rely on AI to power their products and services, such as Tesla’s self-driving algorithm, are ready to launch them to the public. Are these companies aware of vulnerabilities in their algorithms and actively resolving them, or are they ignoring them?
AI engineers are happy to discuss how AI is revolutionizing cybersecurity, but there is little about how cybersecurity does or could improve AI. Cybersecurity companies are not applying their algorithms to find vulnerabilities. Complacency is the enemy of AI safety:
“Moreover, there are still few use cases where it is paramount to guarantee the AI algorithms have no life-threatening vulnerabilities. But as AI takes over more and more tasks such as driving, flying, designing drugs to treat illnesses and so on, AI engineers will need to also learn the craft of, and be, cybersecurity experts.
I want to emphasize that the responsibility of engineering safer AI algorithms cannot be delegated to an external cybersecurity firm. Only the engineers and researchers designing the algorithms have the intimate knowledge necessary to deeply understand what and why vulnerabilities exist and how to effectively and safely fix them.”
Cyber security: An oxymoron?
Whitney Grace, January 8, 2021
DarkTrace: A Controversial View
January 6, 2021
I spotted that a post about Darktrace had been removed from Reddit. I became curious because the comment thread was still on Reddit when I checked today (January 4, 2021). I located the original Darktrace post on the Archive.org site at this link. This content may have been disappeared, and some of the points run counter to the rah rah write ups about the company. Here are some of the factoids and assertions which caught my attention:
- A Darktrace initial public offering is likely to take place in the near future
- 10 members of the Darktrace executive team allegedly had ties to Autonomy, the search and content management vendor acquired by HP
- Michael Lynch is part of an investment firm which funded Darktrace
- Goldman Sachs snubbed the Darktrace float.
None of the information in the Reddit post struck me as controversial. The data appear to come from a variety of open sources, including the Darktrace Web site, news reports, LinkedIn biographies, and public documents.
Why did I chase down the original post? The removal of the information from the thread sparked a number of interesting Reddit comments about Darktrace, the company’s business tactics, and the cyber security sector.
With the SolarWinds’ misstep still in the news cycle, it strikes me that cyber security related posts provide additional color about the products and services some of the higher profile vendors are offering.
Reddit obviously does not agree.
Stephen E Arnold, January 6, 2021
Greed, Security, and MBAs: Compromising Security for Yachts, Snazzy Cars, and Big Houses?
January 5, 2021
I read “How to Get Rich Sabotaging Nuclear Weapons Facilities.” The title is snappy. The blend of sabotage, nuclear weapons, and money is a spicy blend. I have been critical of cyber security firms’ marketing. I’ve mentioned their lingo, the nifty exhibits at law enforcement and intelligence conferences, and the endless reports about data for sale on the Dark Web.
I admit that I have focused on the flashier side of the business. I leave the specifics of repurposing open source software wrapped in scripts to others. I also have not linked obvious financial plays like the sale of 4iQ to Alto Analytics or the Recorded Future tie up with Insight Partners or any of the other mergers and roll ups emerging from the cyber security gold rush.
Why? I have been commenting about the craziness of MBAs for years, and — guess what? — no one cares. When I worked for some archetypal MBAs at assorted financial institutions, to a person the individuals agreed. I recall one flashy MBA as saying to me, “That’s right. I want money. Lots of money.” That fine individual asked me to pay for lunch because he left his wallet in his desk.
The write up about sabotage and nuclear weapons seems to be getting traction. In the aftermath of the SolarWinds’ misstep, this passage has more meaning to the average thumb typer and social media maven:
Cybersecurity is a very weird area, mostly out of sight yet potentially very deadly. Anonymous groups can turn off power plants, telecom grids, or disrupt weapons labs, as Israel did when it used a cyber-weapon to cripple Iranian nuclear facilities in 2010. Bank regulators have to now consult with top military leaders about whether deposit insurance covers incidents where hackers destroy all bank records, and what that would mean operationally. It’s not obvious whether this stuff is war or run-of-the-mill espionage, but everyone knows that the next war will be chock full of new tactics based on hacking the systems of one’s adversary, perhaps using code placed in those systems during peacetime.
The high-flying SolarWinds sparked this comment:
SolarWinds didn’t bother to hire a senior official to focus on security until 2017, and then only after it was forced to do so by European regulations. Even then, SolarWinds CEO, Kevin Thompson, ignored the risk. As the New York Times noted, one security “adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be “catastrophic.”
What was the root cause? The write up points the finger at a roll up specialist called Bravo. I learned:
After its IPO, SolarWinds followed Ellison’s advice, became a merger machine, buying a dozen companies from 2011-2014, including Pingdom, Confio and N-Able Technologies. In 2015, Thoma Bravo Partners (along with Silver Lake) bought the company, and loaded it up with $2 billion of debt to finance the purchase. (Yes, this was one of those purchases in which the private equity buyer bought the company with the company’s own money.) Under Bravo’s control, SolarWinds engaged in more mergers, buying companies who made threat monitoring software, email security, database performance monitoring, and IT support firms. SolarWinds sought to become a one-stop-shop in its niche, not particularly good at quality, but with everything a customer might need. Of course, the Federal Trade Commission and the European Competition Commission allowed these deals; just a month before the hack was revealed, the FTC approved yet another acquisition by SolarWinds.
What happened?
The misstep. The write up points out:
But in some ways it’s not that complex; the problem isn’t that Russians are good at hacking and U.S. defenses are weak, it’s that financiers in America make more money by sabotaging key infrastructure than by building it.
The root cause, therefore, is whatever generates revenue in an environment in which regulators are asleep at the switch, MBAs plot their next big deal, and customers assume that whiz bang, smart security systems actually work.
Stephen E Arnold, January 5, 2021
SolarWinds Are Gusting and Blowing Hard
January 5, 2021
Many pundits have reacted to the New York Times’ story “As Understanding of Russian Hacking Grows, So Does Alarm.” Work through those analyses. What’s missing? Quite a lot, but in this short blog post I want to address one issue that has been mostly ignored.
At one time, there was a list on the SolarWinds’ Web site of the outfits which had been compromised. That list disappeared. I posted “Sun Spotting in the Solar Wind” on December 23, 2020. In that post, I reported three outfits which had been allegedly compromised by the SolarWinds’ misstep (and some of the information I used as a source remains online):
- City of Barrie (Canada)
- Newton Public Schools (US)
- Regina Public Schools (Canada).
The question is, “Why are outfits like a municipality known as part of the Greater Golden Horseshoe, Newton’s public schools, and the Regina public schools on such a list?” (I’ve been to Regina in the winter. Unforgettable it is.)
My research team and I discussed the alleged exploits taking up residence in these organizations; that is, allegedly, of course, of course.
Here’s what my team offered:
- A launch pad for secondary attacks. The idea is that the original compromise was like a rat carrying fleas infected with the bubonic plague (arguably more problematic than the Rona)
- A mechanism for placing malicious code on the computing devices of administrators, instructors, and students. As these individuals thumb typed away, these high trust individuals were infecting others in their social circle. If the infections were activated, downloads of tertiary malware could take place.
- Institutions like these would connect to other networks. Malware could be placed in server nodes serving other institutions; for example, big outfits like Rogers Communications, a government ministry or two, and possibly the cloud customers of the beloved Rogers as well as BCE (Bell Canada’s parent) and Telus.
The odd ducks in the list of compromised organizations just might not be so odd after all.
That’s the problem, isn’t it? No one knows exactly when the misstep took place, what primary and downstream actions were triggered, and where subsequent rats with fleas infected with bubonic plague have gone to.
Net net: It’s great to read so many words about a misstep and not have signals that the issue is understood, not even by the Gray Lady herself.
Stephen E Arnold, January 6, 2020
Microsoft: Information Released Like a Gentle Solar Wind
December 31, 2020
I read the New Year’s Eve missive from Microsoft, a company which tries to be “transparent,” titled “Microsoft Internal Solorigate Investigation Update.” I am not sure, but I think the Microsoft Word spell checker does not know that SolarWinds is not spelled Solarigate. Maybe Microsoft is writing about some other security breach or prefers a neologism to end the fine year 2020?
Here’s a passage I found interesting:
Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated. [Bold added to highlight intriguing statements]
To me, an old person who lives in rural Kentucky, it sure sounds as if Microsoft is downplaying:
- Malicious code within Microsoft’s systems
- The code performed “unusual activity,” whatever this actually means (I don’t know)
- The malicious code made it to MSFT source code repositories
- Whatever happened has allegedly been fixed up.
What’s that unknown unknowns idea? Microsoft may be writing as if there are no unknown unknowns related to the SolarWinds misstep.
If you want more timely Solarigate misstep info, here’s what Microsoft suggests as a New Year’s Eve diversion:
For the up-to-date information and guidance, please visit our resource center at https://aka.ms/solorigate.
Stephen E Arnold, December 31, 2020