DarkCyber for March 9, 2021, Now Available
March 9, 2021
This week’s DarkCyber is available on YouTube. The program includes two stories. The first is a summary of our SolarWinds’ research project. An investment firm commissioned a report to answer this question, “What are some companies that will benefit from the breach of SolarWinds’ Orion enterprise software?” The second story describes a loitering drone which has seen action in a recent hot fire skirmish.
The SolarWinds’ story comes at the breach of SolarWinds’ Orion product from a different angle. Most of the existing studies focus on what happened and which organizations are affected. Those reports fall into several broad categories: [1] Technobabble. These are explanations ignoring the obvious fact that none of the installed cyber security systems spotted the SolarWinds’ malware for more than six months, maybe longer. [2] After action reports identifying issues with how SolarWinds’ and many other organizations’ software is assembled; for example, the use of open source libraries without making sure these libraries do not contain malware and without managing basic security processes. [3] Academic / technical discussions of the specific types of malware used in the breach. (The reality is that the malware was based on existing exploits and used methods frequently discussed on hacker forums.)
In the course of our exploration of the hack, we learned that the existing, easily findable information provided a road map for the bad actors. Instead of lightning flashes of genius, the bad actors learned from a range of sources. We mention some of these in this video summary of portions of our research. Then we looked at SolarWinds itself. In this video summary, we provide a snapshot of the distraction factors at SolarWinds in the months leading up to the discovery of the breach. We identify the numerous balls SolarWinds’ executives were juggling. Obviously the firm’s security ball was fumbled by the juggler. The video summary identifies the types of commercial and open source software enabling the breach. One interesting finding is that Microsoft GitHub is the “home” for many useful tools. Some of these were likely to have facilitated certain functions added to existing malware. The final part of the video summary reveals the major findings of our research and analysis process. A more comprehensive and detailed version of this summary will be presented to units of the US government in March. Some of the information will be provided to the attendees at the US 2021 National Cyber Crime Conference. The DarkCyber video summary, we believe, is useful.
There is no written report available to the public. However, if you want a comprehensive briefing about the report, please, write us at darkcyber333 at yandex dot com. There is a charge for the one hour Zoom briefing and a 30 minute question-and-answer session following the formal presentation.
The second story documents the steady advance of artificial intelligence deployed in autonomous kamikaze drones.
Kenny Toth, March 9, 2021
Microsoft Outlook Users: Maybe Proton Mail?
March 8, 2021
I spotted another write up about the security issues with the Azure, Defender, and Office365 services. Wow, nation states and groups of allegedly China-aligned hackers are making Microsoft look worse than Jackie Smith when he dropped a game winner for the Dallas Cowboys years ago. It seems as if bad actors are trying to outdo one another in exposing the vulnerabilities of the Redmond construct. Wowza.
I read “White House Warns of Active Threat Following Microsoft Outlook Breach.” The write up states:
“We can’t stress enough that patching and mitigation is not remediation if the servers have already been compromised, and it is essential that any organization with a vulnerable server take measures to determine if they were already targeted,” the White House official said.
Several observations:
- If I were involved in the JEDI procurement, I would not be too enthusiastic about Microsoft technology being the plumbing for the Department of Defense. Hey, I know PowerPoint is the go to tool in many DoD units, but it appears that there may be some bad actors able to get their digital paws on the PPTX attachments to Outlook email.
- Microsoft is fighting an after action situation. The bad actors are forcing Microsoft to rush code fixes to large, already compromised organizations. If the bad actors are indeed “inside” certain entities, the bad actors are likely to have access to these speedy fixes and be able to exploit them. Why not substitute a “real” MSFT fix with a certified malware infused fix? Sounds like something bad actors might consider.
- In my lecture to a group of US government cyber security professionals in 48 hours, I use the analogy of radiation poisoning for the SolarWinds’ and Microsoft Exchange breaches. Once the polonium is in the target, the fix is neither quick, simple, nor ultimately likely to work.
Net net: Other bad actors will learn from these breaches and launch their own initiatives. That’s not good because there are quite a few bad actors eager to make a mockery of US technology. I think one might characterize the Microsoft “repair after the barn burns down” as bad optics.
It’s bad something, for sure. Remember. It is the White House sounding the alarm, not an alphabet soup agency.
Stephen E Arnold, March 9, 2021
Microsoft: Yeah, about Those Distributed Systems and the Wonderful Exchange Systems
March 8, 2021
I found the information about the most recently disclosed Microsoft Exchange breaches troubling. The “1,000 bad actors” comment from the Softies seemed to say:
Hey, how can a company like Microsoft defend itself against 1,000 programmers focused on undermining our approach to building, deploying, and servicing our software?
Yep, 1,000 bad actors were allegedly needed to create the issues associated with SolarWinds and the assorted silly names attached to malware available via certain “dark” channels?
How many bad actors does it take to create issues for, what is it, 20,000 or more organizations? One news service based in India did its level best to maintain an even tone in “Over 20,000 U.S. Organizations Compromised through Microsoft Flaw.” See the number? 20,000. Maybe India does not buy into a larger number; for example, Krebs on Security states: “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software.”
Just a delta of 10,000? Hey, no big deal.
Now who pulled off this hack in the midst of the SolarWinds’ misstep? China. The country is larger than Russia, which managed an estimated 18,000 compromised systems.
Okay, it is time to face up to reality:
- The oh-so-nifty distributed systems which rely on libraries which may or may not be secure are a big, fat sitting duck
- There is no quick fix. Microsoft’s rush rush patches don’t seem to be working if the sources I have reviewed are on the money
- Microsoft’s method of shoving software to licensees creates problems; for example, check out KIR, a tool that undoes updates which kill or impair licensees’ systems.
Who spotted the breach? Microsoft Defender, the Azure security system, Microsoft’s own security teams? Nope, allegedly an outfit called Volexity.
Exactly what was being monitored by the hundreds of super duper security sleuthers who sell threat intelligence, AI infused cyber security systems, and special entities which perform checks on crucial systems?
Pretty much checking out YouTube, sending text messages about pizza, and posting to Twitter about the perils of Facebook and Google.
The scale of the Exchange misstep is interesting.
What happens if one of the groups undermining the computer systems of the US decides to terminate the systems for finance, travel, and mobile communications?
Here’s my answer: Find a donkey and a cart. Life will change quickly and no quick patch for deeply flawed Microsoft technical processes will arrive to make everything better again.
Microsoft’s methods are the problem. And what about the 1,000 programmers? That’s Microsoft speak for flaws which a small group of focused bad actors can achieve. The only coding that takes 1,000 people is Microsoft’s Teams unit. Those folks are adding features while core functions are stripped bare, exploited, and turned into weapons.
It will be interesting to learn what Microsoft apologists involved in the JEDI program say about this misstep.
Keep in mind. No one knows exactly how many systems have been and remain compromised by the SolarWinds’ and the most recently revealed Exchange fumble.
What will Brad Smith say? I can hardly wait assuming that my systems are not zapped by bad actors who are surfing on shoddy solutions.
Stephen E Arnold, March 8, 2021
Cloud or Not? Fighting Words for Sure
March 5, 2021
I read “SolarWinds Hack Pits Microsoft against Dell, IBM over How Companies Store Data.” Ah, ha, a dispute with no clear resolution. The write up suggests that some big dogs in technology will be fighting over the frightened gazelles. Will the easily frightened commercial buyers take off when the word “cloud” is voiced? Or, will the sheep-inspired animals head for the perceived security of computers in the farm house?
The write up states:
[The dispute over where to put data] pits Microsoft Corp., which is urging clients to rely on cloud-computing systems, against others including Dell Technologies Inc. and International Business Machines Corp., who argue customers want to mix the cloud with the more traditional on-premise data-storage systems in a construct called hybrid-cloud.
Do you want pickle on top of a hamburger or underneath the juicy patty? Which method? Come on. Decide.
The write up reports:
Microsoft, one of the world’s biggest cloud vendors, has said cloud services offer customers the most robust data protection. A mixed approach “creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, this creates opportunities for attackers to target cloud services,” Microsoft said in a blog post on its investigation of the hack. The notion that the hybrid cloud is less secure is inaccurate, said Paul Cormier, chief executive of Red Hat, the business IBM acquired two years ago in part in a bet on the growing demand for hybrid cloud services. “Any software could get broken into. The cloud providers could get broken into as well,” he told The Wall Street Journal.
Plus the article points out:
Microsoft itself was a victim in the attack and had some of its source code used to write software downloaded. The hackers viewed software linked to Microsoft’s Azure cloud, the company said. Mr. Smith, at the Senate hearing on the hack on Tuesday, called for a “full examination of what other cloud services and networks the Russians have accessed.”
I don’t think any computer data are secure, but that’s just me. Here in Harrod’s Creek, professionals etch secrets on lumps of boghead. Once the message has been read, one burns it. Good for secrecy, not so good for the environment.
Who will win this battle? The key is marketing. Security is a slippery fish particularly when the boats are owned by Dell, IBM, and Microsoft. The SolarWinds’ attack exploited the cloud and on premises devices. How does one spell “insider threat”? One can unplug computing devices. Put them in a locked room. Don’t let anyone enter the room. Is that a solution?
Stephen E Arnold, March 5, 2021
Email: A Vulnerable Service
March 4, 2021
Cyber security firm Barracuda counted the number of email attacks that slipped through its clients’ enterprise-wide security measures last year. New Zealand’s SecurityBrief reveals the results in, “Millions of Email Attacks Missed by Organizations’ Cyber Security Protection.” Writer Shannon Williams reports:
“In 2020, 4550 organizations used Barracuda Email Threat Scanner to scan 2,600,531 unique mailboxes and found 2,029,413 unique attacks. On average, 512 attacks were found per organization, and one out of seven mailboxes (14%) had at least one attack currently sitting inside, even if messages were scanned by an email gateway solution, the cyber security firm says. The attacks detected fall into four email threat types: phishing, scamming, extortion, and business email compromise (BEC). Of the 2,029,413 unique attacks detected, phishing was the number one threat missed by the organizations’ email security solutions (59%). Scamming was the second most common (39%). Extortion, at 9%, and BEC, at 8%, were less prevalent, but cybercriminals tend to send these types of attacks in smaller volumes because they are highly personalized.”
Barracuda recommends companies adopt its inbox-based Email Threat Scanner to detect attacks that slip through any broader security measures. What a surprise! Of course, since the organizations studied were already Barracuda clients, it is entirely possible at least some of them were relying on that solution and skimping on gateway-side security. Even so, the report is a reminder to take email security seriously. One could choose a product like Barracuda’s, if desired. (Or Cyren’s, to name just one competitor.) At the least, workers should learn what to look for and actively avoid opening attack emails should they land in their inboxes. And turn off preview pane, for goodness’ sake.
Founded in 2003, the firm states that over 200,000 customers around the world use its software, which some say is effective, affordable, and user-friendly.
Cynthia Murrell, March 4, 2021
Breaching SolarWinds
March 4, 2021
The SolarWinds’ story continues to delight. I read “Former SolarWinds CEO Blames Intern for Solarwinds123 Password Leak.” That’s a heck of a password if I say so myself. Definitely better than admin or password.
How did the hackers breach a company providing services to thousands of clients? Here are the reasons reported by CNN:
- An intern fumbled the ball
- Brute force guessing of passwords
- Some other outfit created software which SolarWinds used and which carried malware.
There is a fourth possibility, and it is the one which seems to be one of the more popular ways to gain access to an organization’s network. What is it? Dumpster diving? Mental telepathy? Trawling through open source code looking for credentials? (That’s a pretty good method by the way.)
Nope.
Just strike up a conversation on a social media site, a Dark Web forum, or an encrypted messaging group and [a] use social engineering to get a user name and password, [b] watch for an employee who is not happy with his or her employer, [c] threaten an employee’s mom or family, [d] phishing, or [e] pay a third party contractor writing code for SolarWinds in a far off land.
The preferred approach of bad actors is usually the easiest, simplest, and most hassle free.
Compromising a careless outfit is easy. Even organizations with buttoned up security are vulnerable.
What’s obvious is that the SolarWinds’ misstep reflects on an organizational approach to operating its business. If the company were a railroad, it is conceivable that the firm would lose freight cars, engines, and the keys to the operations office.
What’s fascinating is that the present and former CEO of SolarWinds threw an intern under the digital bus. Nothing like manning up in my opinion.
Stephen E Arnold, March 4, 2021
Microsoft: Back in the Security Spotlight
March 3, 2021
What giant software company with a great marketing operation is back in the spotlight? The answer may be Microsoft. I read “real” news from an outfit which is into trust: “Chinese Hackers Plundered Inboxes Using Flaws in Microsoft’s Exchange Server Software.”
The write up seems to be taking a slightly less enthusiastic approach to the outstanding software and services provided by the Redmond giant. The company is, as you may know, the outfit which is going to run much of the Department of Defense cloud system. That’s because the cloud is much better than on premises computing devices. The cloud is magical, which I think is a synonym for easier, but that’s just me.
I noted this statement in the trustiness article:
Microsoft’s suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks. Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code — including elements of Exchange, the company’s email and calendaring product.
The paragraph suggests that because Microsoft’s methods worked for the SolarWinds’ misstep, other bad actors are jumping into the hay stack of wild and crazy methods.
My view is that we are likely to see the feedback loop scale to some painful frequencies. Should anyone worry? Nope, those trusted permissions, the fluid code, and the big fat targets like Azure, Exchange, and Office 365 are no big deal. Right, Microsoft. It takes 1,000 engineers to fool the Softies.
Stephen E Arnold, March 3, 2021
Phishing: No Big Gains in 2020
March 3, 2021
In our work for the DarkCyber video news program and the research for our lectures for law enforcement, the people assisting me have reported that phishing is a big deal. The FBI thinks so. Interpol thinks so. And my personal hunch is that some of the outfits hit by ransomware in 2020 think so.
The Proofpoint “State of the Phish” report wishes to provide some good news; to wit:
57 percent of organizations in seven countries revealed they were targets of a successful phishing attack in 2020, which is only a two percent increase over 2019.
Encouraged?
The Tech News World article “Successful Phishers Make Slim Gains in 2020” seems to be optimistic. The write up reports:
the report noted that the number of respondents who told researchers that phishing attacks resulting in data loss increased 13 percent and those leading to credential compromise jumped 11 percent.
Concerning? Not enough to alter the positive spin the editors put on the article title.
If you want to read the original report, navigate to this Proofpoint link. You will have to fill out a form so that the company can keep you informed about phish and other topics.
Stephen E Arnold, March 2, 2021
SolarWinds: Microsoft Moves to Closure after Revealing 1000 Bad Actors Got in the Game
March 3, 2021
After first denying it may have been a victim of the SolarWinds hack, and that hackers may have used its software to attack others, Microsoft launched an internal investigation to be sure. It now tells us the truth is somewhere in between. Reports SiliconAngle, “Microsoft Finds SolarWinds Hackers Downloaded Code But Didn’t Mount Attacks.” Writer Duncan Riley summarizes:
“What Microsoft’s researchers found was that there was no case where all repositories related to any single product or service were accessed and no access was gained to the vast majority of source code. In the event where code repositories were accessed, only a few individual files were viewed. For a small number of repositories, there was additional access including in some cases the downloading of component source code. The repositories contained code for a small subset of Azure, Intune and Exchange components. The researchers note that search terms used by the hackers indicate that they were attempting to find secrets but were not successful as Microsoft’s development policy prohibits secrets in code, using automated tools to verify compliance.
“In terms of Microsoft tools being used to attack others, the researchers found no indication of that taking place. They further added that because of so-called defense-in-depth protections, the hackers were also not able to gain access to privileged credentials. To avoid attacks in the future, the researchers recommended that a zero-trust ‘assume breach’ philosophy be adopted as a critical part of defense as well as protecting credentials being essential.”
So they weren’t already taking those basic precautions? That does not inspire confidence. We also do not find the bit about defense-in-depth protections reassuring after the intrusion was missed for months on end. As one outside professional cited by the article notes, we must think twice about how much we trust each link in every supply chain. Including longstanding, supposedly solid players like Microsoft.
Cynthia Murrell, March 3, 2021
SolarWinds: What Are the Characteristics of a Buttoned Up Outfit? One Guess Only, Please
March 2, 2021
I read an allegedly accurate “real” news story called “SolarWinds Told Congress That an Intern Was Responsible for the SolarWinds123 Password Security Breach, but Experts and Documents Suggest a Bigger Issue.” It asserts:
Two SolarWinds CEOs told the US Congress on Friday that the now-infamous exposure of the password solarwinds123 was the result of an intern’s mistake in 2017.
Those darned interns, and they are paid well, treated with respect, and are the anchors of high technology outfits.
One former CEO and one current CEO pinned the blame on the intern. The write up says:
The username solarwinds.net and password solarwinds123 were viewable in a project on the code-sharing site GitHub, according to the researcher who found the issue and screenshots reviewed by Insider. The researcher said those credentials would give access to a SolarWinds server handling updates to the company’s software, the process at the heart of the SolarWinds supply chain attacks.
How many bad actors did it take to locate the useful data? Probably one or two people. How did the high value information get passed around? Probably on discussion groups, via email, and on Dark Web hacker forums. How many people would it take to turn the credentials into an intelligence operation? According to a Microsoftie, around 1,000 people. Sure enough. That sounds like a typical Microsoft team, doesn’t it?
Okay, what are the characteristics of a buttoned up outfit?
How about MBAism combined with indifference to security? This is just one possible answer to my question but a pretty good one I think.
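The “automated tools to verify compliance” in the Microsoft quote of the March 3 post and the solarwinds123 credential sitting in a GitHub project are two sides of the same control: a secret scan run before code reaches a shared repository. What follows is an added example of that check, not Microsoft’s or SolarWinds’ own tooling; the sample file, the rule set and the entropy threshold are constructed assumptions.

```python
"""Minimal pre-commit secret scanner, the kind of automated check a
'no secrets in code' policy needs.  Added example; thresholds are assumptions."""
import math
import re
from typing import Dict, List

# Constructed sample repository file, not SolarWinds' real configuration.
SAMPLE_FILE = """\
# deploy.cfg - constructed example
update_host = updates.example.invalid
username = deploy.example
password = solarwinds123
upload_url = ftp://deploy:solarwinds123@updates.example.invalid/releases
api_token = "AKIAEXAMPLE0123456789ABCD"
timeout = 30
note = "the password is rotated quarterly"
"""

# Rule 1: a credential-looking name assigned a literal value (a comment that
# merely mentions the word "password" does not match, since no '=' follows it).
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(pass(?:word|wd)?|secret|token|api[_-]?key|private[_-]?key)"
    r"\s*[:=]\s*['\"]?([^'\"\s#]{4,})")
# Rule 2: a URL that carries user:password@host.
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@", re.I)
# Rule 3: long random-looking strings (keys, tokens) whatever they are called.
HIGH_ENTROPY = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per repository


def shannon_entropy(value: str) -> float:
    """Bits per character; generated keys score higher than words or hostnames."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep two characters so a finding is recognisable without leaking the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule); a non-empty list should block the commit."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if m:
            findings.append({"line": lineno, "rule": "credential-assignment",
                             "value": redact(m.group(2))})
        m = URL_CREDS.search(line)
        if m:
            findings.append({"line": lineno, "rule": "url-embedded-password",
                             "value": redact(m.group(1))})
        for token in HIGH_ENTROPY.findall(line):
            if shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high-entropy-string",
                                 "value": redact(token)})
    return findings
```

Run `scan_text(SAMPLE_FILE)` and the plain-text password, the password embedded in the FTP URL and the token are each reported with a redacted value; the hostname and the comment mentioning “password” are not.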
Stephen E Arnold, March 2, 2021