SolarWinds: Woulda, Coulda, Shoulda?

February 17, 2021

The SolarWinds security breach had consequences worldwide. The bad actors, believed to be Russian operatives, hacked into systems at the Department of Homeland Security, the Treasury Department, the National Institutes of Health, the Department of Justice, and other federal agencies, as well as those of some major corporations. The supply-chain attack went on for months until it was finally discovered in December; no one is sure how much information the hackers were able to collect during that time. Not only that, it is suspected they inserted hidden code that will continue to give them access for years to come.

Now ProPublica tells us the government paid big bucks to develop a system that may have stopped it, if only it had been put into place. Writers Peter Elkind and Jack Gillum report that “The U.S. Spent $2.2 Million on a Cybersecurity System that Wasn’t Implemented—and Might Have Stopped a Major Hack.” Oops. We learn:

“The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers. This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for ‘as a whole’), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. … Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.”

Other experts also believe in-toto, which is free to use, would have been able to stop the attack in its tracks. Some private companies have embraced the software, including SolarWinds competitor Datadog; that company’s security engineer, in fact, contributed to the tool’s design and implementation. We are not sure what it will take to make the government require its vendors to implement in-toto. Another major breach? Two or three? We shall see. See the write-up for more details about supply-chain attacks, the SolarWinds attack specifically, and how in-toto works.
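To make the “end-to-end protection for the entire software supply pipeline” idea concrete, here is an added illustration of the in-toto model, written for this post rather than taken from the in-toto project or the ProPublica piece. Each pipeline step is performed by a functionary who signs a record (a “link”) of the artifact hashes the step consumed and produced; a layout fixes the step order, which key may sign each step, and that one step’s inputs must be exactly the previous step’s outputs. Assumptions of this example: HMAC-SHA256 with shared secrets stands in for the public-key signatures real in-toto uses, and the step names, key names, and artifacts are constructed for the demo.

```python
"""Minimal in-toto-style supply-chain verification (illustration, not the
in-toto reference implementation). Assumption: HMAC with per-functionary
secrets replaces the asymmetric signatures in-toto actually uses; the
chain-of-custody checks are the point.
"""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Stable encoding so a signature covers exactly one byte sequence.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_link(step, key_id, key, materials, products):
    """A functionary's signed record of one step: what went in, what came out."""
    body = {"step": step, "materials": materials, "products": products}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "key_id": key_id, "sig": sig}


# Layout (constructed): who may sign each step and where its inputs must come from.
LAYOUT = {
    "steps": [
        {"name": "checkout", "key": "dev-key", "materials_from": None},
        {"name": "build", "key": "ci-key", "materials_from": "checkout"},
        {"name": "package", "key": "release-key", "materials_from": "build"},
    ],
    "final_product": "agent-installer.msi",
}

# Functionary secrets (constructed). A real layout carries public keys instead.
KEYS = {"dev-key": b"dev-secret", "ci-key": b"ci-secret", "release-key": b"rel-secret"}


def verify(layout, links, keys, delivered: bytes):
    """Replay the layout against the links. Returns (ok, reason)."""
    last = None
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None:
            return False, f"no link for step {step['name']}"
        # 1. Only the functionary the layout names may sign this step.
        if link["key_id"] != step["key"]:
            return False, f"{step['name']} signed by unauthorized key {link['key_id']}"
        expected = hmac.new(keys[link["key_id"]], canonical(link["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, link["sig"]) or link["body"]["step"] != step["name"]:
            return False, f"bad signature on {step['name']}"
        # 2. What this step consumed must be exactly what the prior step produced.
        if step["materials_from"] is not None:
            prior = links[step["materials_from"]]["body"]["products"]
            if link["body"]["materials"] != prior:
                return False, f"{step['name']} consumed artifacts that differ from {step['materials_from']} products"
        last = link
    # 3. The artifact the customer receives must be the one the last step recorded.
    if last["body"]["products"].get(layout["final_product"]) != sha256(delivered):
        return False, "delivered artifact does not match recorded final product"
    return True, "supply chain verified"


def run_pipeline(tamper: bool = False):
    """Simulate checkout -> build -> package. With tamper=True an attacker swaps
    the built binary before packaging, after the build functionary signed its link."""
    source = {"main.c": sha256(b"int main(void){return 0;}")}
    checkout = make_link("checkout", "dev-key", KEYS["dev-key"], {}, source)
    binary = b"\x7fELF clean build"
    build = make_link("build", "ci-key", KEYS["ci-key"], source, {"agent.bin": sha256(binary)})
    if tamper:
        binary = b"\x7fELF build with implant"  # the substitution the layout should expose
    installer = b"MSI:" + binary
    package = make_link("package", "release-key", KEYS["release-key"],
                        {"agent.bin": sha256(binary)},
                        {"agent-installer.msi": sha256(installer)})
    links = {"checkout": checkout, "build": build, "package": package}
    return verify(LAYOUT, links, KEYS, installer)


if __name__ == "__main__":
    print(run_pipeline())             # (True, 'supply chain verified')
    print(run_pipeline(tamper=True))  # (False, 'package consumed artifacts that differ from build products')
```

The caveat a practitioner will spot: the check catches substitution between recorded steps and any link signed by the wrong key. A compromise inside a step that still signs honest-looking hashes with the legitimate key is not caught by hash continuity alone; that is why the layout also pins who may sign each step and why those keys need to be protected.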

Cynthia Murrell, February 17, 2021

Post SolarWinds: Let Smart Software Do Security

February 9, 2021

Forty-one percent of IT leaders would suggest cybersecurity pros get their resumes ready, according to a recent survey. ZDNet reports, “AI Set to Replace Humans in Cybersecurity by 2030, Says Trend Micro Survey.” Writer Eileen Brown summarizes:

“[Trend Micro’s] predictions report, Turning the Tide, forecasts that remote and cloud-based systems will be ruthlessly targeted in 2021. The research was compiled from interviews with 500 IT directors and managers, CIOs and CTOs and does not look good for their career prospects. Only 9% of respondents were confident that AI would definitely not replace their job within the next decade. In fact, nearly a third (32%) said they thought the technology would eventually work to completely automate all cybersecurity, with little need for human intervention. Almost one in five (19%) believe that attackers using AI to enhance their arsenal will be commonplace by 2025. Around a quarter (24%) of IT leaders polled also claimed that by 2030, data access will be tied to biometric or DNA data, making unauthorised access impossible. In the shorter term, respondents also predicted the following outcomes would happen by 2025. They predict that most organisations will have significantly reduced investment in property as remote working becomes the norm (22%). Nationwide 5G will have entirely transformed network and security infrastructure (21%), and security will be self-managing and automated using AI (15%). However, attackers using AI to enhance their arsenal will be commonplace (19%).”

Trend Micro’s Bharat Mistry cautions that AI is most valuable when combined with human expertise, suggesting companies not jettison their human resources so readily. Since cyberattacks will continue to be a growing concern, the report recommends companies pay close attention to security best practices and patch management programs. It is also wise to train workers on security for work performed outside the office and the importance of avoiding doing business on personal devices.

Global cybersecurity firm Trend Micro offers protection for its clients’ users, networks, and cloud environments. Founded back in 1988, the company is based in Tokyo.

One question: If flawed humans create the smart security AI, won’t that have the same blindspots?

Cynthia Murrell, February 9, 2021

US Department of Defense: Procurement Methods Zapped by JEDI

February 5, 2021

I don’t know if the information in this article is 100 percent accurate, but it is an entertaining read. Navigate to “Pentagon May Cancel JEDI Contract and Start Over.” The write up does not mention the SolarWinds’ misstep, but I have heard that some DoD work from home professionals are getting a bit of a tan. Solar radiation can be a problem. The write up states:

The Pentagon could be set to cancel the $10 billion Joint Enterprise Defense Infrastructure (JEDI) contract it awarded to Microsoft in 2019, as a legal battle with Amazon rages on. The cancellation, should it occur, could provide significant financial benefits for AWS, with the cloud provider ready to swoop in. A new memo has revealed the extent of the Pentagon’s frustration with the legal wrangling. In particular, the memo states that, should Amazon’s complaint be upheld, the entire JEDI contract may be abandoned.

Here are the operative words:

$10 billion

Legal battle

Microsoft

Amazon

JEDI

and the biggie: frustration.

Amazon arrives at the party without a tan from the SolarWinds. Microsoft may have been singed or hit with some first degree burns. Oracle is a wild card because it may find a way to provide a very competitive option.

Where is the DoD now? Snagged in Covid, wrestling with leadership, adapting to the new administration, working the numbers for the remarkable F-35 alongside figures for A-10s and F-15 enhanced models, and the drone of social media and talk about thousands of nano drones descending on a squad in some delightful camping areas.

If the information in the write up is accurate, perhaps a connection with the SolarWinds’ misstep may surface. But for now, it’s legal hassles and the thrill of many silos of systems.

Stephen E Arnold, February 5, 2021

Google Speaks But Is MIT Technology Review Delivering Useful Information or Just PR?

February 4, 2021

I read “Google Says It’s Too Easy for Hackers to Find New Security Flaws.” I assume that the Google is thrilled that its systems and methods were not directly implicated in the SolarWinds’ misstep and possibly VMware’s and Microsoft’s. But I don’t know because the information is dribbling out at irregular intervals and in my opinion has either been scrubbed or converted to euphemism. A good example is the Reuters’ report “Exclusive: Suspected Chinese Hackers Used SolarWinds Bug to Spy on US Payroll Agency — Sources.”

The esteemed institution supported by Jeffrey Epstein and housing an expert who allegedly had ties to an American adversary’s officials reports:

Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees.

What makes this story different is that the Google is now agreeing that today’s software is easy to compromise. The write up quotes an expert who offers:

Over its six-year lifespan, Google’s team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero-days that were being exploited—a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely patched, which meant that it took just a few tweaks to the hacker’s code for the attack to continue working. Many such attacks, she says, involve basic mistakes and “low hanging fruit.”

This is news? I think it is more self-congratulatory just like the late January 2021 explanation of the SolarWinds’ misstep which I discuss in the February 9, 2021 DarkCyber video program. You can view the video on this blog.

Stephen E Arnold, February 4, 2021

Security Gaffes and the Tweeter

February 2, 2021

The Next Web has some advice for those going online to discuss how a security breach has affected them—“Don’t Dox Yourself by Tweeting About Data Breaches.” Writer Ben Dickson noticed several NetGalley users doing just that following the breach of that site’s database backup file last month. He writes:

“The database in question included sensitive user information, including usernames and passwords, names, email addresses, mailing addresses, birthdays, company names, and Kindle email addresses. Unfortunately, many users took to social media and started discussing the incident without thinking about what they are putting up for everyone to see. And in their haste to be the first to tweet about the breach, many users made awful mistakes, which could further compromise their security.”

A couple of examples include the person who announced they use the same password everywhere (!) and someone who revealed their full name by reproducing their NetGalley notification. (Her Twitter account uses a pseudonym.) To make matters worse, it appears the database stored user information unencrypted. Though NetGalley itself does not keep incredibly sensitive data like banking information, hackers have ways of twisting even the most benign information to their dastardly goals. The write-up continues:

“After the NetGalley hack, the attackers have access to a fresh list of emails and passwords. They can use this information in credential stuffing attacks, where they enter the login information obtained from a data breach on other services and possibly gain access to other, more sensitive accounts. Cross-service account hijacking is something that happens often and can even include high-profile tech executives. The attacks can also combine the data from the NetGalley breach with the billions of user account records leaked in other data breaches to create more complete profiles of their targets. So, alone, the NetGalley data breach might not look like a big deal. But … every piece of information that falls into the hands of malicious actors can become instrumental to a larger attack.”

Dickson hastens to add that people need not stop tweeting about data breaches altogether. Doing so can actually provide valuable discussion, as his closing examples illustrate. One should just be careful not to include personal details the hackers might add to their collection.
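The credential stuffing Dickson describes has a recognizable signature on the defender’s side, so here is an added example, not from his article, of spotting it in authentication logs: one source trying many distinct accounts roughly once each, as opposed to brute force, where one account is hammered. The log format, addresses, thresholds and sample lines are all constructed for the demo.

```python
"""Credential-stuffing detector over constructed auth-log lines.
Assumed log format: '<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Yield (timestamp, ip, user, result); lines that are not auth events are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["ip"], m["user"], m["result"]


def classify_sources(lines, window=timedelta(minutes=10), min_users=5, min_attempts=5):
    """Map source IP -> 'credential-stuffing' | 'brute-force' for sources whose
    failures within `window` of their first failure look automated."""
    first_fail, failed_users = {}, defaultdict(list)
    for ts, ip, user, result in sorted(parse(lines)):
        if result != "FAIL":
            continue
        start = first_fail.setdefault(ip, ts)
        if ts - start <= window:
            failed_users[ip].append(user)
    verdicts = {}
    for ip, users in failed_users.items():
        attempts, distinct = len(users), len(set(users))
        if distinct >= min_users and attempts <= 2 * distinct:
            verdicts[ip] = "credential-stuffing"  # many accounts, about one try each
        elif attempts >= min_attempts and distinct <= 2:
            verdicts[ip] = "brute-force"          # one or two accounts hammered
    return verdicts


def accounts_to_reset(lines, verdicts):
    """Accounts that logged in successfully from a flagged source: the reused
    passwords that worked, and the ones to force-reset first."""
    return sorted({user for _, ip, user, result in parse(lines)
                   if result == "OK" and ip in verdicts})


# Constructed sample: a normal user, a stuffing run, and a single-account brute force.
SAMPLE_LOG = (
    ["2021-01-25T09:00:01Z ip=192.0.2.5 user=alice result=FAIL",
     "2021-01-25T09:00:09Z ip=192.0.2.5 user=alice result=OK"]
    + [f"2021-01-25T09:01:{i:02d}Z ip=203.0.113.7 user=user{i} result=FAIL" for i in range(7)]
    + ["2021-01-25T09:01:07Z ip=203.0.113.7 user=user7 result=OK"]
    + [f"2021-01-25T09:02:{i:02d}Z ip=198.51.100.9 user=bob result=FAIL" for i in range(6)]
)

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_LOG)
    print(verdicts)                                # {'203.0.113.7': 'credential-stuffing', '198.51.100.9': 'brute-force'}
    print(accounts_to_reset(SAMPLE_LOG, verdicts))  # ['user7']
```

The per-source ratio is what separates the two patterns; in practice stuffing also rotates through many sources, so the same logic is worth running per user-agent or per ASN as well as per IP.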

Cynthia Murrell, February 2, 2021

Microsoft Security: Perhaps Revenue Does Not Correlate with Providing Security?

February 1, 2021

I want to keep this brief. Microsoft makes money from the sale of security services. “Microsoft CEO Satya Nadella: There Is a Big Crisis Right Now for cybersecurity” reports:

For the first time on Tuesday, Microsoft disclosed revenue from its various security offerings as part of its quarterly earnings — $10 billion over the last 12 months. That amounts to a 40% year-over-year jump in the growing security business, making up roughly 7% of the company’s total revenue for the previous year.

Here’s a fascinating passage:

Microsoft itself was also hacked, though no customer data was breached. A Reuters report indicated that, as part of the hack of the National Telecommunications and Information Agency, Microsoft’s Office 365 software was attacked, allowing the intruders to monitor agency emails for months. Microsoft, however, said at the time that it has identified no vulnerabilities in its cloud or Office software.

Er, what?

I don’t want to rain on this financial parade but The Register, a UK online information service, published “Unsecured Azure Blob Exposed 500,000+ Highly confidential Docs from UK Firm’s CRM Customers.” Furthermore, the Microsoft security services did not spot the SolarWinds’ misstep, which appears to have relied upon Microsoft’s much-loved streaming update service. The euphemism of “supply chain” strikes me as a way to short circuit criticism of a series of technologies which are easily exploited by at least one bad actor involved in the more than 12 month undetected breach of core systems at trivial outfits like US government agencies.

Net net: Generating revenue from security does not correlate with delivering security or engineering core services to prevent breaches. And what about the failure to detect? Nifty, eh?

The February 9, 2021, DarkCyber video program takes a look at another of Microsoft’s remarkable dance steps related to the SolarWinds’ misstep. Do si do, promenade, and roll away to a half sashay! Ouch. Better watch where you put that expensive shoe.

Stephen E Arnold, February 1, 2021

Selling Technology in a Tough Market Roasting in Solar Waves

January 13, 2021

I read a post on Hacker News. You may be able to locate it at this link: http://solarleaks.net/. I don’t know if this is a scam or the answer to the question “Where’s the beef?” The message states:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Happy new year!
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)

We are putting data found during our recent adventure for sale.

[Microsoft Windows (partial) source code and various Microsoft repositories]
price: 600,000 USD
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0

The Solar Leaks’ post then provides information about the cost of the MSFT, Cisco, and FireEye, et al software. Prices begin at $50,000 for some alleged FireEye goodies and soar to $600,000 for the Microsoft crown jewels.

What’s important, however, is the post-SolarWinds’ misstep marketing environment. Sales professionals of products that provide enhanced cyber security, threat alerts, and the assorted jargon enhanced assertions have to close deals.

Just in time is a helpful write up from Entrepreneur Magazine called “8 Psychological Tricks to Increase Conversion Rates for SaaS Startups.” That’s on time and on target.

I am tempted to summarize the ideas with references to Machiavelli, Al Capone, and high school lovers promising to be together forever. But I will not. I will highlight three of the ideas, and you can pony up some cash to read the full entrepreneurial check list yourself.

Suggestion 1:

Offer fewer choices.

Okay, Amazon, Microsoft, and others offering secure cloud environments, are you listening? Fewer choices. The point of offering choices is to create an opportunity to confuse a customer and allow MBAs with spreadsheet fever to cook up pricing options guaranteed to lead to big surprises when the system is up and running. Cross that threshold and beyond the invoice! Outstanding.

Suggestion 2:

Introduce a third product.

You have to read the article to appreciate the wonderfulness of offering a print subscription, a digital subscription, and a combo subscription or an option that forces the “brain to focus on the two closest options.” I am confident that this is backed by an MBA-type book called “Thinking Slow and Slower.”

Suggestion 3:

Increase quantities rather than reduce the price.

Ah, yes, buy five packages of cookies and get an extra 20 percent discount. That’s okay, but I don’t have any place to put extra bags of cookies in my one bedroom trailer parked in Sunrise Acres in Bullet County, Kentucky. More, more, more. Yes, bullet proof. No pun intended.

With cyber security delivered via the cloud in the great SaaS approach, the trick to making sales is to shift from professional sales person to a street hustler offering “original” watches as tourists exit the bus from a tour of the Forbidden City.

What about clarity, factual information, and services which work? Well, maybe just mostly work.

Good enough.

Stephen E Arnold, January 13, 2021

SolarWinds Are Gusting and Blowing Hard

January 5, 2021

Many pundits have reacted to the New York Times’ story “As Understanding of Russian Hacking Grows, So Does Alarm.” Work through those analyses. What’s missing? Quite a lot, but in this short blog post I want to address one issue that has been mostly ignored.

At one time, there was a list on the SolarWinds’ Web site of the outfits which had been compromised. That list disappeared. I posted “Sun Spotting in the Solar Wind” on December 23, 2020. In that post, I reported three outfits which had been allegedly compromised by the SolarWinds’ misstep (and some of the information I used as a source remains online):

City of Barrie (Canada)

Newton Public Schools (US)

Regina Public Schools (Canada).

The question is, “Why are outfits like a municipality known as part of the Greater Golden Horseshoe, Newton’s public schools, and the Regina public schools on the list at all?” (I’ve been to Regina in the winter. Unforgettable it is.)

My research team and I discussed the alleged exploits taking up residence in these organizations; that is, allegedly, of course, of course.

Here’s what my team offered:

  • A launch pad for secondary attacks. The idea is that the original compromise was like a rat carrying fleas infected with the bubonic plague (arguably more problematic than the Rona)
  • A mechanism for placing malicious code on the computing devices of administrators, instructors, and students. As these individuals thumb typed away, these high trust individuals were infecting others in their social circle. If the infections were activated, downloads of tertiary malware could take place.
  • Institutions like these would connect to other networks. Malware could be placed in server nodes serving other institutions; for example, big outfits like Rogers Communications, a government ministry or two, and possibly the cloud customers of the beloved Rogers as well as BCE (Bell Canada’s parent) and Telus.

The odd ducks in the list of compromised organizations just might not be so odd after all.

That’s the problem, isn’t it? No one knows exactly when the misstep took place, what primary and downstream actions were triggered, and where subsequent rats with fleas infected with bubonic plague have gone to.

Net net: It’s great to read so many words about a misstep and not have signals that the issue is understood, not even by the Gray Lady herself.

Stephen E Arnold, January 6, 2021


About Those Insider Threat Security Systems

January 1, 2021

Fortinet published a report about insider threats. You can get a copy at this link. The document reveals the trends and challenges facing organizations from insider threats; that is, someone inside an organization helps a bad actor access off-limits systems and services. One statistic jumped out at me: About 70 percent of the companies in the 2019 survey “feel moderately to extremely vulnerable to insider attacks.”

What about 2020? The Hollywood trade publication Variety published “Ticketmaster Will Pay $10 Million Fine to Settle Federal Charges It Hacked Rival’s System.” Hollywood. Companies brokering tickets in the time of Covid. I learned:

Ticketmaster agreed to pay a $10 million criminal fine to avoid prosecution over charges that it illegally accessed systems of a startup rival to steal proprietary info in an attempt to “choke off” the smaller company’s business, federal authorities said.

How did Ticketmaster compromise the target? Hacking, crimeware as a service, Fancy Dan penetration testing tools?

The answer? Read it for yourself:

A former employee of ticketing firm CrowdSurge (which later merged with Songkick) who had joined Live Nation shared URLs with Ticketmaster employees that provided access to draft ticketing web pages that Songkick had built in an attempt to “steal back” one of Songkick’s top artist clients, federal prosecutors said. Ticketmaster, owned by Live Nation Entertainment, said in a statement that in 2017 it fired both Zeeshan Zaidi, former head of Ticketmaster’s artist services division, and the former CrowdSurge exec, Stephen Mead, “after their conduct came to light.”

How do AI-infused insider threat systems work against this? It seems the route in was simply hiring an employee from a company with interesting ways of dealing with former employees’ access rights.

Companies create their own insider threat issues. No software smart or dumb can prevent problems caused by lazy, incompetent, or distracted organizations’ staff.

Stephen E Arnold, January 1, 2021

Microsoft: Information Released Like a Gentle Solar Wind

December 31, 2020

I read the New Year’s Eve missive from Microsoft, a company which tries to be “transparent,” “Microsoft Internal Solorigate Investigation Update.” I am not sure, but I think the Microsoft Word spell checker does not know that SolarWinds is not spelled Solorigate. Maybe Microsoft is writing about some other security breach or prefers a neologism to end the fine year 2020?

Here’s a passage I found interesting:

Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated. [Bold added to highlight intriguing statements]

To me, an old person who lives in rural Kentucky, it sure sounds as if Microsoft is downplaying:

  • Malicious code within Microsoft’s systems
  • The code performed “unusual activity” whatever this actually means I don’t know
  • The malicious code made it to MSFT source code repositories
  • Whatever happened has allegedly been fixed up.

What’s that unknown unknowns idea? Microsoft may be writing as if there are no unknown unknowns related to the SolarWinds misstep.

If you want more timely Solorigate misstep info, here’s what Microsoft suggests as a New Year’s Eve diversion:

For the up-to-date information and guidance, please visit our resource center at https://aka.ms/solorigate.

Stephen E Arnold, December 31, 2020
