SolarWinds: Woulda, Coulda, Shoulda?
February 17, 2021
The SolarWinds security breach had consequences worldwide. The bad actors, supposed to be Russian operatives, hacked into systems at the Department of Homeland Security, the Treasury Department, the National Institutes of Health, the Department of Justice, and other federal agencies as well as those of some major corporations. The supply-chain attack went on for months until it was finally discovered in December; no one is sure how much information the hackers were able to collect during that time. Not only that, it is suspected they inserted hidden code that will continue to give them access for years to come.
Now ProPublica tells us the government paid big bucks to develop a system that may have stopped it, if only it had been put into place. Writers Peter Elkind and Jack Gillum report that “The U.S. Spent $2.2 Million on a Cybersecurity System that Wasn’t Implemented—and Might Have Stopped a Major Hack.” Oops. We learn:
“The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers. This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for ‘as a whole’), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. … Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.”
Other experts also believe in-toto, which is free to use, would have been able to stop the attack in its tracks. Some private companies have embraced the software, including SolarWinds competitor Datadog. That company’s security engineer, in fact, contributed to the tools’ design and implementation. We are not sure what it will take to make the government require its vendors implement in-toto. Another major breach? Two or three? We shall see. See the write-up for more details about supply-chain attacks, the SolarWinds attack specifically, and how in-toto works.
Cynthia Murrell, February 17, 2021
2021: A Year with Two Gulps of Failure
February 11, 2021
I provide additional commentary on Microsoft’s late January 2021 about the SolarWinds’ misstep. The glitch seems to be like an ink stain. Over time, it spreads: China’s alleged involvement, one third of the security penetrations not involving SolarWinds’ software, and mounting suggestions about how long the bad actors were probing and possibly implanting backdoors in government agencies, big contractors, and commercial enterprises. You can view the video on this blog’s home page on January 9, 2021. For today (Monday, January 8, 2021) I want to call attention to two items.
The first is a useful list of situations in which malware, viruses, and other bad actor actions are not detected. You can find the list in “Why Antivirus Software Fails to Detect Latest Viruses and Malwares.” What’s interesting about the article is that none of the suggestions solves the problem of the Saturday Night Live / Donald Rumsfeld quip, “You don’t know what you don’t know.”
The second is the allegedly accurate information in the ABC News’s report “Former Capitol Police Chief Steven Sund Says Entire Intelligence Community Missed Signs of Riot.” Here’s a passage the Capitol Police’s former top dog to Ms. Pelosi included in the news story:
“Having previously handled two major post-election demonstrations successfully utilizing an action plan that was based on intelligence assessments that had proven to be credible, reliable, and accurate, we reasonably assumed the intelligence assessment for Jan. 6, 2021, was also correct.”
What this means to me is that the intel was off the mark.
Perhaps the SolarWinds’ misstep is the result of several factors. Let me raise these as possibilities:
First, the software designed to identify and flag breaches did not work. Furthermore, the infrastructure in wide use for Microsoft software was the carrier of the malware. No one noticed for possibly a year or more. FireEye investigated a mobile phone access issue and came across the multi-part, multi-stage attack. The breach was not one outfit. The penetration extended to as many as 18,000 organizations. It is not clear what the bad actor did once access to this gold mine of systems was achieved.
Second, the intelligence apparatus of multiple US entities did not characterize the scale, intent, and size of the “friendly” protest at the US Capitol in early January. If the information in the ABC News’s story is accurate, the intelligence reports, like the awareness of the SolarWinds’ misstep, were wide of the mark. Maybe in someplace like Cuba or Bali, just not in the Capitol Police’s tactical planning unit’s hands?
The conclusion is that I see two types of failure with a common root cause: A certain blindness.
Marketing, threat assessment webinars, and licensing existing cyber security software won’t address these, possibly inter related problems.
Not good. Marketing explanations are much better. The fix? Another BrightTALK cyber security briefing, more Microsoft security blog posts, and more security podcasts from former government security attorneys?
Stephen E Arnold, January 11, 2021
DarkCyber for February 9, 2021, Now Available
February 9, 2021
DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known online services. The program is produced by Stephen E Arnold. You can view the program on the Beyond Search blog or on YouTube at this link.
This week’s program features a discussion of Microsoft’s explanation of the SolarWinds’ misstep. The online explanation is a combination of forensic information with an old-fashioned, almost Balmer-esque marketing pitch. Plus, DarkCyber responds to a viewer who wanted more information about locating bad actor hackers promoting their criminal capabilities on the Dark Web. The program highlights two Dark Web services and provides information to two online resources which offer additional information. Three other stories round out the February 9, 2021, program. Allegedly some of the software stolen in the SolarWinds’ misstep (a data breach which compromised more than 18,000 companies and government organizations) is available for sale. Information about the cost of the software and how to buy are provided. Next you learn about the app tracking technology which is creating friction between Apple and Facebook. Who benefits from tracking users’ actions hundreds of times each day? DarkCyber answers this question. The final story is another signature drone news item. If you think that one drone poses a challenge, consider the difficulty of dealing with thousands of miniature weaponized drones converging on a unit or disrupting warfighting tactics under live fire.
Kenny Toth, February 9, 2021
Google Speaks But Is MIT Technology Review Delivering Useful Information or Just PR?
February 4, 2021
I read “Google Says It’s Too Easy for Hackers to Find New Security Flaws.” I assume that the Google is thrilled that its systems and methods were not directly implicated in the SolarWinds’ misstep and possibly VMWare’s and Microsoft’s. But I don’t know because the information is dribbling out at irregular intervals and in my opinion has either been scrubbed or converted to euphemism. A good example is the Reuters’ report “Exclusive: Suspected Chinese Hackers Used SolarWinds Bug to Spy on US Payroll Agency — Sources.”
The esteemed institution supported by Jeffrey Epstein and housing a expert who allegedly had ties to an American adversary’s officials reports:
Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees.
What makes this story different is that the Google is now agreeing that today’s software is easy to compromise. The write up quotes an expert who offers:
Over its six-year lifespan, Google’s team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero-days that were being exploited—a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely patched, which meant that it took just a few tweaks to the hacker’s code for the attack to continue working. Many such attacks, she says, involve basic mistakes and “low hanging fruit.”
This is news? I think it is more self congratulatory just like the late January 2021 explanation of the SolarWinds’ misstep which I discuss in the February 9, 2021 DarkCyber video program. You can view the video on this blog.
Stephen E Arnold, February 4, 2021
Come On, Man: Hackers Seeking Legal Immunity
February 3, 2021
The hacking industry is thriving and there are companies labeled private sector offensive actors (PSOAs) selling cyberweapons enabling their customers to become hackers. PSOAs are nasty bad actor groups and they are trying to gain legal immunity to avoid criminal charges. Microsoft has more details in the story, “Cyber Mercenaries Don’t Deserve Immunity.”
One of these PSOAs trying to gain legal immunity is the NSO Group. The NSO Group sells cyberweapons to governments and the company argues its afforded the same legal immunity as its customers. Microsoft President Brad Smith stated the NSO Group’s business model is dangerous. It would allow other PSOAs to skirt laws and avoid any repercussions from their cyberweapons.
The biggest worry is that PSOAs’ technology could fall into the wrong hands and be used for nefarious deeds. Another worry is that if the NSO Group is granted sovereign immunity their actions will be profit driven rather than for the common good:
“Second, private-sector companies creating these weapons are not subject to the same constraints as governments. Many governments with offensive cyber capabilities are subject to international laws, diplomatic consequences and the need to protect their own citizens and economic interests from the indiscriminate use of these weapons. Additionally, some governments – like the United States – may share high-consequence vulnerabilities they discover with impacted technology providers so the providers can patch the vulnerability and protect their customers. Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves so they can profit from them, and the exploits they create are constantly recycled by governments and cybercriminals once they get into the wild.”
Human rights are another concern, because governments run by bad actors can use the cyberweapons to harm their citizens. Anyone who fights for human rights could be tracked and have their information stolen. This could ultimately lead to their deaths.
The NSO Group and PSOAs must be held to the same standards as other private companies. If their products are used by bad actors with the PSOAs’ knowledge they must be held liable.
Whitney Grace, February 3, 2021
DarkCyber for January 12, 2021, Now Available
January 12, 2021
DarkCyber is a twice-a-month video news program about online, the Dark Web, and cyber crime. You can view the video on Beyond Search or at this YouTube link.
The program for January 12, 2021, includes a featured interview with Mark Massop, DataWalk’s vice president. DataWalk develops investigative software which leapfrogs such solutions as IBM’s i2 Analyst Notebook and Palantir Gotham. In the interview, Mr. Massop explains how DataWalk delivers analytic reports with two or three mouse clicks, federates or brings together information from multiple sources, and slashes training time from months to several days.
Other stories include DarkCyber’s report about the trickles of information about the SolarWinds’ “misstep.” US Federal agencies, large companies, and a wide range of other entities were compromised. DarkCyber points out that Microsoft’s revelation that bad actors were able to view the company’s source code underscores the ineffectiveness of existing cyber security solutions.
DarkCyber highlights remarkable advances in smart software’s ability to create highly accurate images from poor imagery. The focus of DarkCyber’s report is not on what AI can do to create faked images. DarkCyber provides information about how and where to determine if a fake image is indeed “real.”
The final story makes clear that flying drones can be an expensive hobby. One audacious drone pilot flew in restricted air zones in Philadelphia and posted the exploits on a social media platform. And the cost of this illegal activity. Not too much. Just $182,000. The good news is that the individual appears to have avoided one of the comfortable prisons available to authorities.
One quick point: DarkCyber accepts zero advertising and no sponsored content. Some have tried, but begging for dollars and getting involved in the questionable business of sponsored content is not for the DarkCyber team.
Finally, this program begins our third series of shows. We have removed DarkCyber from Vimeo because that company insisted that DarkCyber was a commercial enterprise. Stephen E Arnold retired in 2017, and he is now 77 years old and not too keen to rejoin the GenX and Millennials in endless Zoom meetings and what he calls “blatant MBA craziness.” (At least that’s what he told me.)
Kenny Toth, January 12, 2021
A Tiny Clue about the Entity Interested In the SolarWinds Misstep
January 11, 2021
I read “Putin’s Disinformation Campaign claims Stunning Victory with Capital Hill Coup.” The write up points out that a study by the Berkman Klein Center for Internet & Society describes a broad campaign against the United States. The article references a Rand study which offers additional color.
However, my interpretation of the write up is that Russia may be just one facet of the “truth decay” approach. Disinformation is complemented by penetration of US networks and systems. Even if no data were exfiltrated, undermining confidence is cyber security methods is another chess move by Russia.
The buzzword is widening the fissures. Serious weakness, exploitable weakness.
Stephen E Arnold, January 11, 2021
SolarWinds Are Gusting and Blowing Hard
January 5, 2021
Many pundits have reacted to the New York Times’ story “As Understanding of Russian Hacking Grows, So Does Alarm.” Work through those analyses. What’s missing? Quite a lot, but in this short blog post I want to address one issue that has mostly ignored.
At one time, there was a list on the SolarWinds’ Web site of the outfits which had been compromised. That list disappeared. I posted “Sun Spotting in the Solar Wind” on December 23, 2020. In that post, I reported three outfits which had been allegedly compromised by the SolarWinds’ misstep (and some of the information I used as a source remains online):
City of Barrie (Canada)
Newton Public Schools (US)
Regina Public Schools (Canada).
The question is, “Why are outfits like a municipality known as part of the Greater Golden Horseshoe, Newton’s public schools, and the Regina public schools? (I’ve been to Regina in the winter. Unforgettable is it.)
My research team and I discussed the alleged exploits taking up residence in these organizations; that is, allegedly, of course, of course.
Here’s what my team offered:
- A launch pad for secondary attacks. The idea is that the original compromise was like a rat carrying fleas infected with the bubonic plague (arguably more problematic than the Rona)
- A mechanism for placing malicious code on the computing devices of administrators, instructors, and students. As these individuals thumb typed away, these high trust individuals were infecting others in their social circle. If the infections were activated, downloads of tertiary malware could take place.
- Institutions like these would connect to other networks. Malware could be placed in server nodes serving other institutions; for example, big outfits like Rogers Communications, a government ministry or two, and possibly the cloud customers of the beloved Rogers as well as BCE (Bell Canada’s parent) and Telus.
The odd ducks in the list of compromised organization, just might not be so odd after all.
That’s the problem, isn’t it? No one knows exactly when the misstep took place, what primary and downstream actions were triggered, and where subsequent rats with fleas infected with bubonic plague have go to.
Net net: It’s great to read so many words about a misstep and not have signals that the issue is understood, not even by the Gray Lady herself.
Stephen E Arnold, January 6, 2020
Telecom Security: An Oxymoron?
January 4, 2021
Two ideas: First, an unanticipated suggestion for bad actors and a reminder that the telco pros at AT&T are more like the New York Jets than the A team at the old AT&T IBM facility in Piscataway.
I read “Nashville Bombing Froze Wireless Communications, Exposed Achilles’ Heel’ in Regional Network.” USA Today is not my go to source for high technology information. One of my research team was a technology columnist, and I recall his comments about those who reviewed his write ups. Those mentioned at lunch were different from the topics my team and I discussed. Remember those Dummy books from some rolling-in-dough dead tree publisher. My recollection is that the technology write ups were simpler, edited by the estimable Gannett to TV Digest readability. It seems that USA Today pushed its content barriers with this USA Today write up about the Nashville incident included some information of use to bad actors. Here are a couple of examples:
- An injury to one’s Achilles’ heel means crippling. To a pro football player like AT&T, that’s not good.
- Single-point-of-failure. For a professional telecom like AT&T, this means zero effective redundancy, fail over, or smart route arounds. (Was the pre Judge Green AT&T built this way?)
- Three feet of water pooled where the back up generators lived. Water and generators, water and batteries – quite a one-two combo like an ailing quarterback and an ineffective but expensive offensive line.
Okay, enough already.
What do these factoids say to a person struggling for an idea to impair a major US telco? Maybe six RVs at regional centers conveniently located near fiber rich interstates? What about pulling a Quinn in front of Nashville-type facilities simultaneously with a half dozen cheap RVs?
Sound like a working idea?
The USA Today makes the idea more appealing with the statement from an AT&T professional:
Our systems are not redundant enough.
No kidding. Is it necessary, dear Gannett, to provide a roadmap for bad actors? Let’s hope the write ups in USA Today are not crafted with an eye toward readers who are looking for info between the lines. That takes more thought than making something simple.
And for the pros at the AT&T practice field, why not up your game. Less direct marketing of a failing TV venture and more of the old fashioned Ma Bell?
Stephen E Arnold, January 4, 2020
Microsoft: Information Released Like a Gentle Solar Wind
December 31, 2020
I read the New Year’s Eve missive from Microsoft, a company which tries to be “transparent, “Microsoft Internal Solorigate Investigation Update.” I am not sure, but I think the Microsoft Word spell checker does not know that SolarWinds is not spelled Solarigate. Maybe Microsoft is writing about some other security breach or prefers a neologism to end the fine year 2020?
Here’s a passage I found interesting:
Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated. [Bold added to highlight intriguing statements]
To me, an old person who lives in rural Kentucky, it sure sounds as if Microsoft is downplaying:
- Malicious code within Microsoft’s systems
- The code performed “unusual activity” whatever this actually means I don’t know
- The malicious code made it to MSFT source code repositories
- Whatever happened has allegedly been fixed up.
What’s that unknown unknowns idea? Microsoft may be writing as if there are no unknown unknowns related to the SolarWinds misstep.
If you want more timely Solarigate misstep info, here’s what Microsoft suggests as a New Year’s Eve diversion:
For the up-to-date information and guidance, please visit our resource center at https://aka.ms/solorigate.
Stephen E Arnold, December 31, 2020
-
- Subscribe to Beyond Search
Feature archive
News archive
-
