Cloud or Not? Fighting Words for Sure
March 5, 2021
I read “SolarWinds Hack Pits Microsoft against Dell, IBM over How Companies Store Data.” Ah, ha, a dispute with no clear resolution. The write up suggests that some big dogs in technology will be fighting over the frightened gazelles. Will the easily frightened commercial buyers take off when the word “cloud” is voiced? Or will the sheep-inspired animals head for the perceived security of computers in the farm house?
The write up states:
[The dispute over where to put data] pits Microsoft Corp., which is urging clients to rely on cloud-computing systems, against others including Dell Technologies Inc. and International Business Machines Corp., who argue customers want to mix the cloud with the more traditional on-premise data-storage systems in a construct called hybrid-cloud.
Do you want pickle on top of a hamburger or underneath the juicy patty? Which method? Come on. Decide.
The write up reports:
Microsoft, one of the world’s biggest cloud vendors, has said cloud services offer customers the most robust data protection. A mixed approach “creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, this creates opportunities for attackers to target cloud services,” Microsoft said in a blog post on its investigation of the hack. The notion that the hybrid cloud is less secure is inaccurate, said Paul Cormier, chief executive of Red Hat, the business IBM acquired two years ago in part in a bet on the growing demand for hybrid cloud services. “Any software could get broken into. The cloud providers could get broken into as well,” he told The Wall Street Journal.
Plus the article points out:
Microsoft itself was a victim in the attack and had some of its source code used to write software downloaded. The hackers viewed software linked to Microsoft’s Azure cloud, the company said. Mr. Smith, at the Senate hearing on the hack on Tuesday, called for a “full examination of what other cloud services and networks the Russians have accessed.”
I don’t think any computer data are secure, but that’s just me. Here in Harrod’s Creek, professionals etch secrets on lumps of boghead. Once the message has been read, one burns it. Good for secrecy, not so good for the environment.
Who will win this battle? The key is marketing. Security is a slippery fish, particularly when the boats are owned by Dell, IBM, and Microsoft. The SolarWinds attack exploited both cloud and on-premises devices. How does one spell “insider threat”? One can unplug computing devices. Put them in a locked room. Don’t let anyone enter the room. Is that a solution?
Stephen E Arnold, March 5, 2021
Email: A Vulnerable Service
March 4, 2021
Cyber security firm Barracuda counted the number of email attacks that slipped through its clients’ enterprise-wide security measures last year. New Zealand’s SecurityBrief reveals the results in, “Millions of Email Attacks Missed by Organizations’ Cyber Security Protection.” Writer Shannon Williams reports:
“In 2020, 4550 organizations used Barracuda Email Threat Scanner to scan 2,600,531 unique mailboxes and found 2,029,413 unique attacks. On average, 512 attacks were found per organization, and one out of seven mailboxes (14%) had at least one attack currently sitting inside, even if messages were scanned by an email gateway solution, the cyber security firm says. The attacks detected fall into four email threat types: phishing, scamming, extortion, and business email compromise (BEC). Of the 2,029,413 unique attacks detected, phishing was the number one threat missed by the organizations’ email security solutions (59%). Scamming was the second most common (39%). Extortion, at 9%, and BEC, at 8%, were less prevalent, but cybercriminals tend to send these types of attacks in smaller volumes because they are highly personalized.”
Barracuda recommends companies adopt its inbox-based Email Threat Scanner to detect attacks that slip through any broader security measures. What a surprise! Of course, since the organizations studied were already Barracuda clients, it is entirely possible at least some of them were relying on that solution and skimping on gateway-side security. Even so, the report is a reminder to take email security seriously. One could choose a product like Barracuda’s, if desired. (Or Cyren’s, to name just one competitor.) At the least, workers should learn what to look for and actively avoid opening attack emails should they land in their inboxes. And turn off preview pane, for goodness’ sake.
Barracuda was founded in 2003. The firm states that over 200,000 customers around the world use its software, which some say is effective, affordable, and user-friendly.
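The four threat types in the quoted passage (phishing, scamming, extortion, BEC) are exactly what an inbox-side scanner has to sort already-delivered mail into. The script below is an added example, not Barracuda’s or any vendor’s logic: a small heuristic triage that looks at the things a trained worker is told to look for (an executive’s name on an outside address, a Reply-To that points elsewhere, links off the company domain, wording typical of each threat type) and assigns one of the four categories. The organization domain, the impersonated executive name, the keyword lists and the five messages are all constructed for the example.

```python
"""Inbox-side triage of delivered mail into the four threat types.

Added example; the rules are illustrative, not a product's logic.
ORG_DOMAIN, EXEC_NAMES, the term lists and SAMPLES are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"          # assumed: the defending organization's domain
EXEC_NAMES = {"jane doe"}           # assumed: names attackers impersonate in BEC mail

BEC_TERMS = ("wire transfer", "gift card", "change bank details", "pay this invoice")
EXTORTION_TERMS = ("bitcoin", "webcam", "i have recorded", "pay within")
PHISH_TERMS = ("verify your account", "password will expire", "confirm your identity")
SCAM_TERMS = ("lottery", "inheritance", "prize", "claim your")


@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str
    body: str
    reply_to: str = ""
    links: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_org_host(host) -> bool:
    host = (host or "").lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def triage(msg: Message) -> dict:
    """Return the threat category and the individual indicators that fired."""
    text = f"{msg.subject}\n{msg.body}".lower()
    from_dom = domain_of(msg.from_addr)
    findings = []
    # Display-name impersonation: an executive's name on an external mailbox.
    if msg.display_name.lower() in EXEC_NAMES and from_dom != ORG_DOMAIN:
        findings.append("exec-name-on-external-address")
    # Replies silently redirected to a different domain than the sender's.
    if msg.reply_to and domain_of(msg.reply_to) != from_dom:
        findings.append("reply-to-domain-mismatch")
    # Any link that leaves the organization's own domain.
    if any(not is_org_host(urlparse(u).hostname) for u in msg.links):
        findings.append("link-off-org-domain")
    for label, terms in (("extortion-wording", EXTORTION_TERMS), ("bec-wording", BEC_TERMS),
                         ("credential-lure-wording", PHISH_TERMS), ("scam-wording", SCAM_TERMS)):
        if any(t in text for t in terms):
            findings.append(label)

    # Categorize: wording alone is weak, so BEC and phishing also need a
    # structural indicator (sender/reply-to anomaly or an off-domain link).
    if "extortion-wording" in findings:
        category = "extortion"
    elif "bec-wording" in findings and (
            "exec-name-on-external-address" in findings or "reply-to-domain-mismatch" in findings):
        category = "bec"
    elif "credential-lure-wording" in findings and "link-off-org-domain" in findings:
        category = "phishing"
    elif "scam-wording" in findings:
        category = "scamming"
    else:
        category = "clean"
    return {"category": category, "findings": findings}


def summarize(messages: dict) -> Counter:
    """Count categories across a mailbox, the per-organization view in the report."""
    return Counter(triage(m)["category"] for m in messages.values())


# Constructed sample mailbox: one message per threat type plus one benign message.
SAMPLES = {
    "gift-cards": Message("Jane Doe", "jane.doe@mail-relay.invalid", "Quick favor",
                          "I'm in a meeting. Buy 5 gift cards and send me the codes."),
    "password-expiry": Message("IT Helpdesk", "helpdesk@example-support.invalid",
                               "Your password will expire today",
                               "Verify your account within 24 hours.",
                               links=["https://login.example-support.invalid/reset"]),
    "sextortion": Message("Unknown", "anon@random.invalid", "You have been recorded",
                          "I have recorded you through your webcam. Pay 0.3 bitcoin now."),
    "lottery": Message("Prize Office", "claims@intl-lotto.invalid", "Congratulations",
                       "You won the international lottery. Claim your prize now."),
    "internal": Message("Bob Smith", "bob@example.com", "Notes from today",
                        "Meeting notes attached, see the shared drive.",
                        links=["https://files.example.com/notes"]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, triage(msg))
    print(summarize(SAMPLES))
```

The point of the structural indicators is that they survive wording changes: a BEC lure can avoid every keyword, but it still has to arrive from an address the executive does not own. Keyword lists like these need constant tuning, which is the business the article describes.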
Cynthia Murrell, March 4, 2021
Breaching SolarWinds
March 4, 2021
The SolarWinds story continues to delight. I read “Former SolarWinds CEO Blames Intern for Solarwinds123 Password Leak.” That’s a heck of a password if I say so myself. Definitely better than admin or password.
How did the hackers breach a company providing services to thousands of clients? Here are the reasons reported by CNN:
- An intern fumbled the ball
- Brute force guessing of passwords
- Software from another outfit, which SolarWinds used, carried malware.
There is a fourth possibility, and it is the one which seems to be one of the more popular ways to gain access to an organization’s network. What is it? Dumpster diving? Mental telepathy? Trawling through open source code looking for credentials? (That’s a pretty good method by the way.)
Nope.
Just strike up a conversation on a social media site, a Dark Web forum, or an encrypted messaging group and [a] use social engineering to get a user name and password, [b] watch for an employee who is not happy with his or her employer, [c] threaten an employee’s mom or family, [d] phishing, or [e] pay a third party contractor writing code for SolarWinds in a far off land.
The preferred approach of bad actors is usually the easiest, simplest, and most hassle free.
Compromising a careless outfit is easy. Even organizations with buttoned up security are vulnerable.
What’s obvious is that the SolarWinds misstep reflects an organizational approach to operating its business. If the company were a railroad, it is conceivable that the firm would lose freight cars, engines, and the keys to the operations office.
What’s fascinating is that the present and former CEO of SolarWinds threw an intern under the digital bus. Nothing like manning up in my opinion.
Stephen E Arnold, March 4, 2021
Microsoft: Back in the Security Spotlight
March 3, 2021
What giant software company with a great marketing operation is back in the spotlight? The answer may be Microsoft. I read “real” news from an outfit which is into trust: “Chinese Hackers Plundered Inboxes Using Flaws in Microsoft’s Exchange Server Software.”
The write up seems to be taking a slightly less enthusiastic approach to the outstanding software and services provided by the Redmond giant. The company is, as you may know, the outfit which is going to run much of the Department of Defense cloud system. That’s because the cloud is much better than on premises computing devices. The cloud is magical, which I think is a synonym for easier, but that’s just me.
I noted this statement in the trustiness article:
Microsoft’s suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks. Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code — including elements of Exchange, the company’s email and calendaring product.
The paragraph suggests that because the methods aimed at Microsoft’s products worked in the SolarWinds misstep, other bad actors are jumping into the haystack of wild and crazy methods.
My view is that we are likely to see the feedback loop scale to some painful frequencies. Should anyone worry? Nope, those trusted permissions, the fluid code, and the big fat targets like Azure, Exchange, and Office 365 are no big deal. Right, Microsoft. It takes 1,000 engineers to fool the Softies.
Stephen E Arnold, March 3, 2021
Phishing: No Big Gains in 2020
March 3, 2021
In our work for the DarkCyber video news program and the research for our lectures for law enforcement, the people assisting me have reported that phishing is a big deal. The FBI thinks so. Interpol thinks so. And my personal hunch is that some of the outfits hit by ransomware in 2020 think so.
The Proofpoint “State of the Phish” report wishes to provide some good news; to wit:
57 percent of organizations in seven countries revealed they were targets of a successful phishing attack in 2020, which is only a two percent increase over 2019.
Encouraged?
The Tech News World article “Successful Phishers Make Slim Gains in 2020” seems to be optimistic. The write up reports:
the report noted that the number of respondents who told researchers that phishing attacks resulting in data loss increased 13 percent and those leading to credential compromise jumped 11 percent.
Concerning? Not enough to alter the positive spin the editors put on the article title.
If you want to read the original report, navigate to this Proofpoint link. You will have to fill out a form so that the company can keep you informed about phish and other topics.
Stephen E Arnold, March 2, 2021
SolarWinds: Microsoft Moves to Closure after Revealing 1000 Bad Actors Got in the Game
March 3, 2021
After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:
“What Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed, and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful, as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”
So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.
Cynthia Murrell, March 3, 2021
SolarWinds: What Are the Characteristics of a Buttoned Up Outfit? One Guess Only, Please
March 2, 2021
I read an allegedly accurate “real” news story called “SolarWinds Told Congress That an Intern Was Responsible for the SolarWinds123 Password Security Breach, but Experts and Documents Suggest a Bigger Issue.” The story asserts:
Two SolarWinds CEOs told the US Congress on Friday that the now-infamous exposure of the password solarwinds123 was the result of an intern’s mistake in 2017.
Those darned interns, and they are paid well, treated with respect, and are the anchors of high technology outfits.
One former CEO and one current CEO pinned the blame on the intern. The write up says:
The username solarwinds.net and password solarwinds123 were viewable in a project on the code-sharing site GitHub, according to the researcher who found the issue and screenshots reviewed by Insider. The researcher said those credentials would give access to a SolarWinds server handling updates to the company’s software, the process at the heart of the SolarWinds supply chain attacks.
How many bad actors did it take to locate the useful data? Probably one or two people. How did the high value information get passed around? Probably on discussion groups, via email, and on Dark Web hacker forums. How many people would it take to turn the credentials into an intelligence operation? According to a Microsoftie, around 1,000 people. Sure enough. That sounds like a typical Microsoft team, doesn’t it?
Okay, what are the characteristics of a buttoned up outfit?
How about MBAism combined with indifference to security? This is just one possible answer to my question but a pretty good one I think.
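Two items in these posts point at the same control: the Microsoft investigation quoted earlier says its development policy “prohibits secrets in code, using automated tools to verify compliance,” and the credential pair above sat in a public GitHub project for anyone to read. The script below is an added example of what such a tool does, written for this page rather than taken from Microsoft, SolarWinds or any scanner product. It walks an in-memory “repository,” applies three pattern rules and one entropy rule per line, skips obvious template placeholders, and reports each hit with the value redacted. The file contents are constructed; the password is the one quoted in the post and the AWS key is Amazon’s published example key, not a live credential.

```python
"""Pre-commit style secret scanner over an in-memory repository.

Added example, not SolarWinds' or Microsoft's tooling. FILES is constructed;
the rule list and entropy threshold are assumptions a real deployment tunes.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    preview: str  # redacted: first three characters plus the length


# Values that look like secrets but are template placeholders, not credentials.
PLACEHOLDER = re.compile(r"^(\$\{?|<|%|changeme|your[-_]|xxx+$|\*+$)", re.I)

# Pattern rules, most specific first; group 1 is the candidate secret.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("url-credential", re.compile(r"://[^/\s:@]+:([^/\s@]+)@")),
    ("assignment", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)\b"
        r"\s*[:=]\s*['\"]?([^'\"\s]+)")),
]
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")   # candidates for the entropy rule
ENTROPY_THRESHOLD = 3.5                         # bits per character; assumed tuning value


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return f"{value[:3]}... ({len(value)} chars)"


def scan_line(text: str):
    """Return (rule, value) for the first rule that fires on this line, else None."""
    for rule, pattern in RULES:
        m = pattern.search(text)
        if m and not PLACEHOLDER.match(m.group(1)):
            return rule, m.group(1)
    # Fallback: long random-looking tokens that no keyword rule recognised.
    for tok in TOKEN.findall(text):
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            return "high-entropy", tok
    return None


def scan_repo(files: dict) -> list:
    findings = []
    for path, content in files.items():
        for number, line in enumerate(content.splitlines(), start=1):
            hit = scan_line(line)
            if hit:
                rule, value = hit
                findings.append(Finding(path, number, rule, redact(value)))
    return findings


# Constructed repository. Only the README line is a legitimate placeholder.
FILES = {
    "deploy/ftp.config": "host = downloads.example.test\nusername = solarwinds.net\npassword = solarwinds123\n",
    "app/settings.py": 'DB_URL = "postgres://app:s3cretPass@db.internal/app"\nSECRET = "${APP_SECRET}"\n',
    "scripts/upload.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "lib/signing.py": 'SIGNER = "kZ9vQ2pX7mN4bT1rW8yH3cL6"\n',
    "README.md": "Set PASSWORD=<your-password> before running.\n",
}

if __name__ == "__main__":
    for f in scan_repo(FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.preview}")
```

Run as a commit hook, a non-empty result blocks the commit; run over history, it finds what has already leaked, which is the situation the Insider story describes. Redacting the preview matters because scanner output ends up in CI logs and ticket systems, which would otherwise become the next place the credential is readable.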
Stephen E Arnold, March 2, 2021
US Senator Throws Penalty Flag at Microsoft
February 26, 2021
JEDI foul? I am not sure. The bright yellow flag has been lofted and it is beginning its descent. One player has a look of disbelief, “A foul. You think I did a chop block?” That’s the image that went through my mental machinery as I read “US Senator claims Microsoft Failed to Fix Cloud Holes before SolarWinds Hack.”
The write up asserts:
Microsoft Corp’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of US Senator Ron Wyden. A vulnerability first publicly revealed by researchers in 2017 allows hackers to fake the identity of authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.
The year 2017. I recall that was the time the DarkCyber research team began yammering about use of the wonderful Microsoft software update system, access control policies, and business processes to allow estimable Microsoft-friendly software to run. The idea was seamless, smooth, quick, and flawless interaction among users, software, the cloud, and assorted components. Fast. Efficient. Absolutely.
The elected official is quoted as saying:
The federal government spends billions on Microsoft software. It should be cautious about spending any more before we find out why the company didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.
The write up points out that Microsoft does not agree with the senator’s observations. In the subsequent testimony (you can view it at this link), one of the top dog Microsoft professionals pointed out “only about 15 percent of the victims in the SolarWinds campaign were hurt via Golden SAML.” SAML is the Security Assertion Markup Language. The golden part? Maybe it is the idea that a user or process signs on once. If okayed somewhere in the system, the user or process is definitely okay again. Fast. Efficient.
The “golden” part, it turns out, is a hack. Get into the SAML approved system, and bingo. Users, processes, whatever are good to go. Get administrator credentials, become the authorizing and verifying service, and the bad actor owns the system. The idea is that a bad actor can pump out green light credentials and do many interesting things. Hey, being authorized and trusted is a wonderful thing, right?
Back to JEDI? Is the senator confident that the Department of Defense has not been compromised? What happens if the JEDI system is penetrated by foreign actors as the DoD wide system is being assembled, deployed, and operated? Does the vulnerability still exist in live systems?
These are good questions. I am not sure the answers are as well crafted.
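The mechanics described above give the defender one structural handle: a legitimate SAML assertion is minted by the federation server, so the server’s own issuance log should have a record for every assertion the cloud side later accepts. An assertion the cloud trusts but the federation server never issued is the hallmark of a forged (“golden”) token. The script below is an added example of that correlation, written for this page and not taken from Microsoft or Senator Wyden’s office. The record layouts, field names, certificate thumbprint, lifetime policy and all four sign-ins are constructed; in a real deployment the issuance records come from the federation server’s audit log and the sign-ins from the cloud identity provider’s sign-in log.

```python
"""Correlate cloud SAML sign-ins against federation-server issuance records.

Added example; all records, field names and the policy values are constructed.
"""
from datetime import datetime, timedelta

# Assumed: thumbprint of the token-signing certificate the federation server
# is known to use (constructed value, not a real certificate).
EXPECTED_SIGNING_THUMBPRINT = "0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F60718293"
MAX_ASSERTION_LIFETIME = timedelta(hours=1)   # assumed policy value


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_golden_saml(issuance_events: list, cloud_signins: list) -> list:
    """Return one alert per cloud sign-in whose assertion fails any check."""
    issued = {e["assertion_id"]: e for e in issuance_events}
    alerts = []
    for signin in cloud_signins:
        reasons = []
        origin = issued.get(signin["assertion_id"])
        # 1. The federation server has no record of minting this assertion:
        #    the token was signed somewhere else with the (stolen) signing key.
        if origin is None:
            reasons.append("no-federation-issuance-event")
        # 2. The server did mint it, but for a different subject.
        elif origin["user"] != signin["user"]:
            reasons.append("subject-differs-from-issued")
        # 3. Signed by a certificate the federation server does not use.
        if signin["signing_thumbprint"] != EXPECTED_SIGNING_THUMBPRINT:
            reasons.append("unexpected-signing-certificate")
        # 4. Validity window longer than policy allows; forged tokens are often
        #    given long lifetimes so they need not be re-minted.
        lifetime = ts(signin["not_on_or_after"]) - ts(signin["not_before"])
        if lifetime > MAX_ASSERTION_LIFETIME:
            reasons.append("assertion-lifetime-exceeds-policy")
        if reasons:
            alerts.append({"user": signin["user"], "assertion_id": signin["assertion_id"],
                           "time": signin["time"], "reasons": reasons})
    return alerts


# Constructed issuance records from the federation server's audit log.
ISSUANCE_EVENTS = [
    {"time": "2021-02-20T09:00:02", "assertion_id": "_a1", "user": "alice@example.com"},
    {"time": "2021-02-20T09:05:41", "assertion_id": "_a2", "user": "bob@example.com"},
]

# Constructed cloud-side sign-ins that presented a SAML assertion.
CLOUD_SIGNINS = [
    {"time": "2021-02-20T09:00:03", "assertion_id": "_a1", "user": "alice@example.com",
     "signing_thumbprint": EXPECTED_SIGNING_THUMBPRINT,
     "not_before": "2021-02-20T09:00:00", "not_on_or_after": "2021-02-20T10:00:00"},
    {"time": "2021-02-20T09:05:42", "assertion_id": "_a2", "user": "bob@example.com",
     "signing_thumbprint": EXPECTED_SIGNING_THUMBPRINT,
     "not_before": "2021-02-20T09:05:00", "not_on_or_after": "2021-02-20T10:05:00"},
    # Forged with the stolen key: thumbprint matches, never issued, valid a day.
    {"time": "2021-02-20T23:17:09", "assertion_id": "_9f3c", "user": "svc-backup@example.com",
     "signing_thumbprint": EXPECTED_SIGNING_THUMBPRINT,
     "not_before": "2021-02-20T23:00:00", "not_on_or_after": "2021-02-21T23:00:00"},
    # Signed with a certificate the federation server never used.
    {"time": "2021-02-21T02:44:00", "assertion_id": "_77ab", "user": "admin@example.com",
     "signing_thumbprint": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
     "not_before": "2021-02-21T02:40:00", "not_on_or_after": "2021-02-21T03:40:00"},
]

if __name__ == "__main__":
    for alert in detect_golden_saml(ISSUANCE_EVENTS, CLOUD_SIGNINS):
        print(alert)
```

The third sample is the instructive one: the thumbprint check passes because the forger holds the real signing key, so only the missing issuance record and the oversized lifetime give it away. That is why this detection depends on the federation server’s audit log actually being shipped off the box and retained; an intruder who already owns that server can also stop the log.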
Stephen E Arnold, February 27, 2021
Facebook Found Lax in Enforcement of Own Privacy Rules
February 26, 2021
Facebook is refining its filtering AI for app data after investigators at New York’s Department of Financial Services found the company was receiving sensitive information it should not have received. The Jakarta Post reports, “Facebook Blocks Medical Data Shared by Apps.” Facebook regularly accepts app-user information and feeds it to an analysis tool that helps developers improve their apps. It never really wanted responsibility for safeguarding medical and other sensitive data, but did little to block it until now. The write-up quotes state financial services superintendent Linda Lacewell:
“Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule. By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place.”
Facebook is now stepping up its efforts to block sensitive information from reaching its databases. We learn:
“Facebook created a list of terms blocked by its systems and has been refining artificial intelligence to more adaptively filter sensitive data not welcomed in the analytics tool, according to the report. The block list contains more than 70,000 terms, including diseases, bodily functions, medical conditions, and real-world locations such as mental health centers, the report said.”
A spokesperson says the company is also “doing more to educate advertisers on how to set-up and use our business tools.” We shall see whether these efforts will be enough to satisfy investigators next time around.
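The quoted description (a list of blocked terms, applied to data before it enters the analytics tool) is a plain term filter, and the detail that matters for a defender is where it sits: in front of the store, so the sensitive value is never persisted. The script below is an added example of such a filter, written for this page and not Facebook’s code. The block list is a constructed subset of a few terms (the report puts the real list at more than 70,000), the normalization is an assumption, and the three app events are made up.

```python
"""Term-block-list filter for app analytics payloads.

Added example; not Facebook's filter. BLOCK_LIST is a constructed subset and
EVENTS are made-up payloads.
"""
import re
from collections import Counter

BLOCK_LIST = {
    "diabetes", "insulin", "chemotherapy", "hiv", "pregnancy test",
    "mental health center", "rehab clinic", "bankruptcy", "credit score",
}
MAX_TERM_WORDS = max(len(term.split()) for term in BLOCK_LIST)


def tokens(text: str) -> list:
    # Lower-case and split on anything that is not a letter or digit, so
    # "Mental-Health Center?" and "mental health center" compare equal.
    return re.findall(r"[a-z0-9]+", text.lower())


def blocked_terms(text: str) -> set:
    """Every block-list term (single or multi-word) present in the text."""
    words = tokens(text)
    hits = set()
    for start in range(len(words)):
        for length in range(1, MAX_TERM_WORDS + 1):
            phrase = " ".join(words[start:start + length])
            if phrase in BLOCK_LIST:
                hits.add(phrase)
    return hits


def filter_event(event: dict, stats: Counter) -> dict:
    """Replace any string field that carries a blocked term; count what was seen.

    The counter records which terms fired, never the surrounding value, so the
    statistics themselves do not become a copy of the sensitive data.
    """
    cleaned = {}
    for key, value in event.items():
        hits = blocked_terms(value) if isinstance(value, str) else set()
        if hits:
            cleaned[key] = "[blocked]"
            stats.update(hits)
        else:
            cleaned[key] = value
    return cleaned


def filter_batch(events: list):
    stats = Counter()
    return [filter_event(e, stats) for e in events], stats


# Constructed app events as they might arrive at an analytics endpoint.
EVENTS = [
    {"event": "search", "app": "maps", "query": "nearest mental health center"},
    {"event": "purchase", "item": "running shoes", "amount": 89.99},
    {"event": "form_submit", "field_values": "Diagnosis: Type 2 diabetes; insulin dose 12u"},
]

if __name__ == "__main__":
    cleaned, stats = filter_batch(EVENTS)
    for row in cleaned:
        print(row)
    print(stats)
```

A list-based filter is only as good as its list, which is why the report mentions refining a model to catch what the terms miss; the structural choices that do not depend on the list are dropping the whole field rather than masking a word, and keeping only term counts in the audit trail.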
Cynthia Murrell, February 26, 2021