Despite Acronyms, Ineffective Cyber Security Persists

May 7, 2021

I want to be brief. I read “XDR defined: Giving Meaning to Extended Detection and Response.” The write up is a commercial for a forthcoming flurry of fuzzy reports from assorted mid-tier consultants. Some of the big blue chips are embroiled in management dust ups and legal matters related to opiate marketing. So the mid-tier crowd has a chance to sell reports and billable consulting hours. Furthermore, some vendors of cyber security products and services will rush to the party.

The article is about the outfit doing business as Forrester. I learned:

Forrester has released research on what XDR is, what XDR isn’t, and what clients need to look for when evaluating XDR solutions. This research is a rigorous breakdown of what to expect from XDR solutions based on interviews and survey results from XDR end users and over 40 security vendors.

Well, what is XDR in the current environment of SolarWinds, Microsoft Exchange Server, and assorted breaches involving Facebook and dozens of other outfits? XDR is shorthand for extended detection and response.

The hitch in the git-along is that cyber breaches are a today problem. Presumably many firms have one, two or three cyber security solutions, threat intelligence updates, and smart software like the high profile, yet debate sparking Darktrace.

From my point of view, existing cyber security solutions did not work for the months which the bad actors had to exploit SolarWinds. Then the Microsoft Exchange Server issue. These have been followed by VPN exploits, wonky partners with ties to ever cozy bears, and assorted database thefts.

The fix is an acronym and a report?

I don’t want to be skeptical, but the problem is that marketing is now more important than delivering cyber security information and solutions that prevent breaches. As a point of fact, the systems compromised in the US Federal government and in an unknown number of organizations remain compromised. Do we have a cyber security system capable of dealing with the sophisticated exploits used by adversaries?

The answer is, No, not XDR.

Stephen E Arnold, May 7, 2021

Russia Keeps Backdoor Into US Security Networks

May 5, 2021

Russia and the US keep each other at arm’s length. While the two countries might not officially be at war, each is wary of what the other does behind closed doors. In March, the US Department of Homeland Security was hacked in what is now called the SolarWinds hack. US authorities believe it was Russia’s doing and, according to Engadget, they kept a back door open: “Report: Russia ‘Likely’ Kept Access To US Networks After SolarWinds Hack.”

Despite the US bolstering its firewalls and security systems in the wake of the SolarWinds hack, Russia’s SVR intelligence agency could still have access to them. Deputy National Security Director Anne Neuberger did not directly state that Russia still has access to the systems, but did say blaming Russia for the hacks was not going to prevent future attacks.

Russia has hacked US systems for years:

“A continued presence in American networks is consistent with history. Russia continued to mount cyber attacks against the US after the Obama administration imposed sanctions in late 2016, targeting politicians and other systems during the 2018 midterms and beyond. Even if the US successfully dislodged Russia from government systems, there was a good chance it would find another security hole.”

While the US has a robust digital security system with robust minds operating it, Russia has their own equivalent. Each country will continue to attack the other in order to have an edge in this post-Cold War world.

Whitney Grace, May 5, 2021

Amazing Moments in Cyber Security: The SolarWinds Awards

May 5, 2021

Believe it or not.

In a gem of an understatement, SolarWinds’ Sojung Lee called 2020 a “challenging year.” Lee made this assessment at his company’s recent APJ Q2 Virtual Partner Briefing where, as ChannelLife reports, “SolarWinds Celebrates Channel Partners in APJ Channel Awards.” Yes, that company gives out awards. We’re told:

“The awards recognize SolarWinds’ partners and distributors for their achievements in delivering services and expertise to customers. SolarWinds Asia Pacific and Japan vice president sales, Sojung Lee, says that 2020 was a challenging year but SolarWinds partners remained resilient.”

Resilient—yes, they would have to be. Readers can navigate to the brief write-up for the list of recipients, if curious. We just find it remarkable this list even exists at this point in time. What about these “winners’” security? We don’t know and maybe SolarWinds does not either. Sales, not security, could be job one.

Cynthia Murrell, May 5, 2021

How Are Those Cyber Security Vendors Performing? (Yes, That Is the Correct Word)

April 30, 2021

This sounds like old news. This is really new news. The trust outfit Thomson Reuters published “U.S. Government Probes VPN Hack within Federal Agencies, Races to Find Clues.” The main idea is that despite the amped up cyber security efforts, another somewhat minor issue has been discovered. The trust outfit reports:

The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records.

What’s up with VPNs? Here’s the trusted news source’s slick prose answering this question:

The use of VPNs, which create encrypted tunnels for connecting remotely to corporate networks, has skyrocketed during the COVID-19 pandemic. Yet with the growth in VPN usage so too has the associated risk.

Some questions:

  1. Do existing cyber security systems ignore VPN traffic?
  2. Do existing monitoring systems provided by vendors like Microsoft have a “certain blindness”?
  3. In the aftermath of the SolarWinds and Microsoft Exchange Server stubbed toes, have systems been enhanced to deal with threats which appear to operate in an undetectable manner?

Answers? No good ones, it seems. Ads and speeches. Oh, yeah! Marketing is performance art.

Stephen E Arnold, April 30, 2021, 9:42 am US Eastern

Ransomware: A Great Lakes of Sitting Ducks

April 29, 2021

I read “No Ransomware Silver Bullet, Crooks Out of Reach.” The explicit point in the write up is that ransomware is a big deal and there’s no fix in sight. The implicit point is that existing cyber security systems don’t work. In the sunshine of SolarWinds, I assumed there was cyber security progress. Yeah, sorry.

The write up states:

The U.S. government now deems ransomware a national security threat. The FBI has just created a task force to tackle it.

The bad actors are slick operators; for example:

Some top ransomware criminals fancy themselves software service professionals. They take pride in their “customer service,” providing “help desks” that assist paying victims in file decryption. And they tend to keep their word. They have brands to protect, after all.

What’s the fix?

Committee meetings, recommendations, legislative action – these are good ideas.

In short, there is a veritable Great Lakes filled with sitting ducks. Have you tried to herd ducks? I have. Tough work. Marketing, reports, and hearings are much easier. Quack, quack, quack.

Stephen E Arnold, April 29, 2021

Facebook: Everlasting Delight!

April 29, 2021

We are still aghast at the carelessness that allowed hackers to access user information for about a billion accounts between Facebook and LinkedIn. The Facebook breach, at least, has spawned a couple of interesting side stories. First we learned that CEO Mark Zuckerberg uses chat app Signal, a competitor to Facebook’s WhatsApp. We also found out the Facebook breach has forced “Have I Been Pwned” to rework its search functionality, at least for this particular data set.

The folks at Signal must be delighted. India Today reports that the “Leaked Phone Number of Mark Zuckerberg Reveals He Is on Signal.” While both Signal and WhatsApp boast end-to-end encryption, there have been issues with what Facebook does with the back-up files. From Facebook’s point of view, this tidbit about Zuckerberg comes at an unfortunate juncture. Writer Yasmin Ahmed points out:

“The news comes at a time when many users outraged with Facebook-owned WhatsApp’s new privacy policy are moving to seemingly safer alternatives like Signal. WhatsApp’s contentious new terms of service are slated to come into effect from May 2021. The updated privacy policy changes how Facebook can access users’ chats with business accounts.”

Oh dear. In another tangent, we are interested in this change prompted by the leak—“The Facebook Phone Numbers Are Now Searchable in Have I Been Pwned,” explains the security check site’s own Troy Hunt. It is good to see a site adapt its search to evolving circumstances. But why was the site not already searchable by phone number? Hunt explains:

“I’d never planned to make phone numbers searchable and indeed this User Voice idea sat there for over 5 and a half years without action. My position on this was that it didn’t make sense for a bunch of reasons:

1. Phone numbers appear far less frequently than email addresses
2. They’re much harder to parse out of most data sets (i.e. I can’t just regex them out like email addresses)
3. They very often don’t adhere to a consistent format across breaches and countries of origin

Plus, when the whole modus operandi of HIBP is to literally answer that question – Have I Been Pwned? – so long as there are email addresses that can be searched, phone numbers don’t add a whole lot of additional value. The Facebook data changed all that.”

Indeed. While more than 500 million phone numbers were stolen, only a few million addresses went along for the ride. Until Hunt changed the search, he writes, over 99% of the many people checking on his site received a false negative. He was able to easily parse most phone numbers from well-formatted files in the breached data and normalize their format with a country code. The caveat—this fix only applies to this breach, unless or until a similar batch of phone numbers is harvested. See the post for the technical reasons that making phone-number searches standard is unworkable for the free resource.
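Hunt’s three objections (phone numbers are hard to parse, inconsistently formatted, and rarely accompanied by an email address) and the resulting false-negative problem can be shown in a few lines. The following is an added example, not HIBP’s code: the colon-separated record layout, the country-code table, and the fake numbers are all constructed for illustration.

```python
import re

# Constructed sample records (fake numbers, not breach data). The colon-separated
# layout with the phone in the first field is an assumption made for this example.
UK_RECORDS = [
    "+44 7700 900123:1001::Ann:Example",             # no email in the record
    "07700 900456:1002::Bob:Sample",                 # national format, no country code
    "not a phone:1003:carol@example.com:Carol:Test",
]
US_RECORDS = [
    "(202) 555-0142:2001:dan@example.com:Dan:Demo",
]
COUNTRY_CODES = {"GB": "44", "US": "1"}   # assumed per-file country of origin


def normalize_phone(raw, default_country):
    """Canonicalize to +<cc><number> (E.164 style); None if it does not parse."""
    has_plus = raw.strip().startswith("+")
    digits = re.sub(r"\D", "", raw)
    if has_plus:
        return "+" + digits if 7 <= len(digits) <= 15 else None
    if digits.startswith("00"):                      # international dial prefix
        digits = digits[2:]
        return "+" + digits if 7 <= len(digits) <= 15 else None
    cc = COUNTRY_CODES[default_country]
    if default_country != "US" and digits.startswith("0"):
        digits = digits[1:]                          # drop trunk prefix before adding cc
    if not 7 <= len(digits) <= 15 - len(cc):
        return None
    return "+" + cc + digits


def build_index(files):
    """files: list of (records, country). Returns (phones, emails) as two sets."""
    phones, emails = set(), set()
    for records, country in files:
        for rec in records:
            fields = rec.split(":")
            phone = normalize_phone(fields[0], country)
            if phone:                                # unparseable phones are skipped
                phones.add(phone)
            if len(fields) > 2 and "@" in fields[2]:
                emails.add(fields[2].lower())
    return phones, emails


def is_pwned(query, index, default_country="GB"):
    """Search by email, or by phone number in any common format."""
    phones, emails = index
    if "@" in query:
        return query.strip().lower() in emails
    norm = normalize_phone(query, default_country)
    return norm is not None and norm in phones
```

With the sample above, every record is reachable by phone but only two of four by email, so an email-only search reports "not pwned" for Ann and Bob even though their numbers are in the set.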

Cynthia Murrell, April 29, 2021

Cyber Security Quote to Note: Seeing Is Important

April 28, 2021

I read a Washington Post article with a somewhat misleading title. The main point of the write up is that the US Department of Defense began using a large block of IP addresses in January 2021. The reason for the shift from dormant holding to active use of the Internet addresses was related to cyber security. That’s the explanation in the write up. In the news story there was an important statement attributed to an anonymous source (a very popular way to report “real” news). Here’s the quote:

If you can’t see it, you can’t defend it.

In my opinion this is accurate. The statement underscores what I have commented upon in this blog and in my bimonthly video program DarkCyber. The SolarWinds and more recent security missteps have been missed by the commercial and governmental systems designed to spot cyber attacks and malware.

Having more traffic to monitor is a good thing. The problem is what I call the 21st century horse and barn situation. Here it is again:

Barn burned. Horses gone. Globus (Russia) retail space constructed where the hay used to be stored.

Better late than never? Yeah, sure.

Stephen E Arnold, April 28, 2021

Huawei: Dutch Treat for 5G Security

April 27, 2021

A secret report from 2010 has surfaced in the Netherlands and has been reviewed by editors at news site de Volkskrant. The document reveals that “Huawei Was Able to Eavesdrop on Dutch Mobile Network KPN,” reports the NL Times. We learn that, in 2009, KPN used Huawei tech and that six employees of the Chinese tech giant worked at its head office. Warned by security firm AIVD that this was a dicey situation, KPN hired researchers at Capgemini to analyze any risks involved. We learn:

“The conclusions turned out to be so alarming that the internal report was kept secret. ‘The continued existence of KPN Mobile is in serious danger because permits may be revoked or the government and businesses may give up their confidence in KPN if it becomes known that the Chinese government can eavesdrop on KPN mobile numbers and shut down the network’, de Volkskrant quotes the report. At the time, KPN’s mobile network had 6.5 million subscribers.”

These subscribers included then Prime Minister Jan Peter Balkenende and other ministers as well as, importantly, Chinese dissidents. The write-up continues:

“The Capgemini report stated that Huawei staff, both from within KPN buildings and from China, could eavesdrop on unauthorized, uncontrolled, and unlimited KPN mobile numbers. The company gained unauthorized access to the heart of the mobile network from China. How often that happened is not clear because it was not recorded anywhere.”

Huawei assures everyone it never took advantage of this access and there is no evidence (yet) that it did so. The revelation explains why KPN has since maintained its own mobile core network and relied upon Western suppliers. Lesson learned.

Cynthia Murrell, April 27, 2021

Microsoft and LinkedIn: Ultimate Phishing Pool, er, Tool

April 26, 2021

Microsoft is buckling like an old building in Reykjavik. There was SolarWinds, then Microsoft Exchange Server, and then… The list goes on. Another issue has shaken the enterprise software company: LinkedIn phishing. (You thought I was going to comment about Windows Updates killing some gamers’ “experience”, didn’t you? Wrong.)

“Hackers Are Using LinkedIn As the Ultimate Phishing Tool” asserts:

According to MI5, the UK’s security agency, at least 10,000 citizens have been approached by state-sponsored threat actors using fake profiles on a popular social media platform. While MI5 did not specifically name the platform, the BBC claims to have learned that the platform in question is LinkedIn.

Interesting. MI5 is the UK’s domestic intelligence agency. The Box usually does not seek publicity and tries to sidestep the type of information disseminated in some countries; for example, in the US, intelligence agencies proactively accessed computers and took steps to reduce the risk of malware issues. By the way, those servers were running Microsoft software. Microsoft owns LinkedIn too.

The article points out:

According to MI5, the LinkedIn attacks are wider in scope and directed at staff in government departments and major businesses. Once connected, the scammers try to bait the individuals by offering speaking or business opportunities, before attempting to recruit them to pass on confidential information.

Just another crack in the Microsoft LinkedIn edifice or a signal that the company can no longer manage its software, protect its “customers”, or update a consumer PC without creating problems?

Stephen E Arnold, April 26, 2021

Microsoft, SolarWinds, 1000 Malevolent Engineers, and Too Big to Fail?

April 19, 2021

“SolarWinds Hacking Campaign Puts Microsoft in Hot Seat” is an interesting “real news” story. The write up states that the breach was a two stage operation. The first stage was using SolarWinds to distribute malware. The second stage was to use that malware as a chin up bar. Bad actors grabbed the bar and did 20 or more pull ups. The result was marketing talk and a mini-meme about 1,000 engineers concentrating their expertise on penetrating the Microsoft datasphere.

The article quoted a cyber security expert as describing Microsoft’s systems and methods as having “systematic weaknesses.” For a company whose software is a “monoculture” with an 85 percent market share, the phrase “systematic weaknesses” is not reassuring. Not only can Microsoft release updates which kill some users’ ability to print, Microsoft can release security systems which don’t secure the software.

The article includes this statement:

And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. It was alerted to its own breach by FireEye, the cybersecurity firm that first detected the hacking campaign in mid-December.

I noted that the write up does not point out that none of the cyber security firms’ breach detection solutions noted the SolarWinds’ misstep. That seems important to me, but obviously not to the “real” cyber security professionals.

The US government does not want Microsoft to fail. “NSA and FBI Move to Help Microsoft with Its Exchange Server Vulnerabilities” reports:

It is not just the NSA finding and telling Microsoft about problems with Exchange. The FBI is also concerned with the number of unpatched Exchange servers. In a rare move, the FBI sought and was granted a warrant to patch any unfixed exchange servers it found remotely.

If a Windows update creates a problem for you, perhaps a helpful professional affiliated with a government agency will assist in resolving your problem?

Stephen E Arnold, April 19, 2021
