Solarwinds hack by Russia can’t be understated

While America has been reading news articles about tweets our adversaries have been busy.

Busy since March 2020.

Not my first rodeo, and given hackers are incredibly patient and typically play the “long game”, reported breaches in my experience are frequently off by two years or greater. So I’d guess 2018 ish for the initial entry point.

Regardless, SUNBURST, dug deep with APT into places that shouldn’t even be possible. Like the power grid.

https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/

“to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their control system networks.“

and

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”

In other words, we don’t know.

The Solarwinds hack is so bad… that in response … the United States will do nothing.

Why?

Because when your own Department of Homeland Security and Treasury, among 18,000 other organizations, are compromised, you have been epically pwned.

It means your adversaries totally own you. They have surely added back doors and more back doors and more back doors into the systems, as well as “sleepers” like some subcontractor’s laptop used once a year to service a particular piece of hardware.

Meanwhile we are using AI/ML bots to automate trading on the stock markets. They all have triggers, “if this / then that”, if bond yields hit x percent up or down, if company y changes their guidance up or down by y percent, sell all. Crash.

In other words, those of us in the devops and infosec world, hackers, know that if an adversary has infiltrated even half this far, it’s game over. Yank and replace. “Game over dude.”

We have one option in the short term: capitulate. Concede. Because you can’t “rip and replace” everything simultaneously across an unknown number of compromised networks when you can’t even identify them. And with APTs in place possibly down to the silicon chip level, just lying in wait, even rip and replace will just get reinfected.

Stuxnet was the greatest malware/hack ever written. The US wrote it. We created Pandora’s box. We reimagined hell. Then left the lid open. The NSA got hacked and our own code has been “reflected” back on us. Since somewhere between 2012 and 2014 initially by my estimation.

All of the Stuxnet code and more is now widely available to download for free on the dark web. You could do it today. Fire up VMware Fusion, Kali Linux, Metasploit and an external wifi adapter and you are good to go. Or just use a raspi.

Officially I think notPETYA is still “the most expensive hack in history.” (get it? “think not”? but I digress….)

Unofficially? The Solarwinds hack is the anvil dropped on the camel’s back that has broken it and brought it to its knees.

Solarwinds will shatter the geopolitical and monetary policy of the United States and the world.

Get your COVID vaccine. Get some popcorn. Watch your 401k and pension funds knowing that one or two edits and they go to zero. And try to wrap your brain around the fact that our military power is second only to financial power, and we are losing that. Any monetary power we have left is because they allow it.

Maybe buy some Bitcoin?

Take some anti-anxiety meds. And pull out your Boy Scout handbook and practice setting up that old tent. (Just be careful where you put it in case the upstream dam and levee gates suddenly open up.)

And if there is a “deep state”, maybe look externally instead of internally.

Happy 2020.

UPDATE: Further publicly released details available here:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a

NSA tools release to Dark Web Date 2014 (likely earlier imho)

Kaspersky tools removal update. But keep reading – it gets better:

http://www.mcclatchydc.com/news/politics-government/congress/article180707721.html

Now for the punchline: they’ve documented that Kaspersky, a Russian company close to Putin, was hacked by Israel. Kaspersky security researchers have confirmed the NSA hacking tools’ existence, having discovered them in the spring of 2014. The article:

http://www.businessinsider.com/russia-kaspersky-lab-nsa-spy-us-computer-2017-10

In a statement, the company (Kaspersky) said it stumbled on the (NSA) code a year earlier than the recent newspaper reports had it (ed: Comey stated summer 2015), in 2014. It said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious.

And it further states, again from the article:

Kaspersky’s Equation Group report was one of its most celebrated findings, since it indicated that the group could infect firmware on most computers. That gave the NSA almost undetectable presence.

Kaspersky later responded via email to a question by Reuters to confirm that the company had first discovered the so-called Equation Group programs in the spring of 2014.

So a Russian antivirus software found a zip file with NSA hacking tools in 2014. Hacking tools that target Microsoft and other business software, again, in the spring of 2014. Confirmed by Israeli security researchers who hacked Kaspersky.

Now, what they found was compressed, portable, and easily emailed or traded, even as nobody else had the signatures to detect it. A zip file.

A zip file.

For those unfamiliar with the industry, by the time an exploit is being traded in a 7z it’s long been in the wild. That is the commodity phase of the economic curve.

The economics of the dark web have been researched and are well documented (hint: look at DEFCON and Blackhat presos from a few years back.)

If you are a reporter or security researcher – keep digging. Basic economics say it had to have been traded in early 2013 for high bids, with a quick pricing decline as is typical with shrink-wrap software.

It remained unpatched. Every company using common business software was, and probably still is, an open book. A trivial metasploit script and your movies, your directional drilling tech, your seismic data, patents, medical history, your porn habit, email, fb, you name it, was and probably still is wide open.

Bottom line: My opinion is the timeline of the NSA hacking tools being released is 2013. If not earlier. (But I’ll stick with my mid-2013 estimated release to the wildebeests.) NSA let them into the wild, as discovered by Russians (current media puts this at 2014) who were then hacked by our allies Israel. Israel then reported this to the US.

And we did nothing. Think about it.

Just add that up and you get Russia hacking US companies and associations using our own tools paid for by YOU. NSA hacking tools discovered and reported to the US by our allies in Israel. 2014 or earlier.

What did NOT happen was responsible reporting to vendors like Microsoft, who only patched it when the Shadow Brokers released it on GitHub in 2017. Thus from 2014 (or earlier), our allies, our foes, and our own security agencies did nothing to protect US intellectual property, infrastructure, companies, jobs, and people.

Noodle that one.

…. this story will continue to unfold. And if you are an investigative journalist, maybe ask around the community politely regarding whose zoo had the code and when.

Update: http://www.theregister.co.uk/2017/10/25/kaspersky_nsa_keygen_backdoor_office/

thinking men think, and therefore change their minds

Man is not a rational animal, he is a rationalizing animal. – Robert Heinlein

Leadership, I frequently say, is about “making good decisions with limited information.” Not perfect decisions. But good decisions. You don’t have a choice in business: move quickly or die. And unlike CEOs on Wall Street, the small business CEO’s worst nightmare is to fail their employees and customers. I am not afraid of risk or failure as an individual, but I do have obligations and those must be met and that requires leadership during trying times.

There are three major factors that make leadership decisions difficult:

  1. Speed – you must make a decision and you never have enough information.
  2. Pressure – the pressure to make the right call, and make it now, is intense.
  3. Commitment – even if only 51% sure about a decision, commit 100%.

I suspect politicians face the same deadly triad when making decisions. And worse than letting their employees and family down, politicians risk being pilloried in the media, dragged through the hot coals of a PR disaster, and destroying the empire! Why anyone would want to be a politician is beyond me.

So it was with some relief this weekend when I read the letter to the editor in the Houston Chronicle by Charles Hamilton of Spring Texas titled “Thinking Men Think.” It was like someone with common sense finally stepped into the room. From his letter:

Regarding “Let’s give Romney time to sort out his positions” (Page B9, Friday), Gail Collins inaccurately notes a presidential nonqualifying trait in Mitt Romney‘s “not giving a fig” about undocumented workers clipping his lawn.

and

Non-objectively, she does not compare Obama’s many flip-flops (e.g., closing Guantanamo) with Mitt’s (e.g., abortion)…

Thinking men think. Man’s judgment of other men’s motives is often flawed.

Politicians disparage each other to get elected because we the electorate remember bad stuff better. Witness the oft-quoted and paraphrased “you get 10 bad reviews from an angry customer versus 1 recommendation from a happy customer.” Witness “if it bleeds it leads.” Witness Perez Hilton, the Drudge Report, etc… WE have trained the media and the politicians to feed us disparaging remarks about each other.

And the worst of those sound-bite disparagements is “s/he flip-flopped on issue _____.” What does that mean in poli-parlance? It is slang for “the politician changed their position” with an implied “you can’t trust them.”

The White House “flip-flopping,” as labeled by the media, is consistent with the actions of a rational human being. Feel free to ponder “what” changed. Be it pandering to the left or right. But SOMETHING changed in the politician’s world-view to have them logically take a new position. The broad definition of flip-flopper can be painted on President Obama as well as on candidates Mitt Romney and Newt Gingrich. And how does this help move us forward? It doesn’t.

Look, we all benefit from a healthy Presidential Election. Let’s talk about the issues in the primary and in the general election. But if you hear someone say “he is a flip-flopper” the person who is speaking is not thinking with acuity. Don’t we deserve a leader smart enough to move with the cheese?

As Charles said – “Thinking men think.” And thank God for that!

(This is a cross post – to comment please comment on the chron.com version here.)

ensure that every convoy has ground security and air cover

“In Iraq, a U.S. military spokesman says every step in the withdrawal is a “deliberate operation in which we collect intelligence, coordinate with the Iraqi Security Forces, clear routes and ensure that every convoy has ground security and air cover.””

CNN

We want our troops home SAFE! And on Thanksgiving I give thanks to those who have served. Thank you!

I get why people are so angry

“I get why people are so angry at seeing Christmas commercials and why petitions are starting left and right and why regular, educated, hard-working Americans are taking to the streets to occupy and lend their voices to the movement.

These people are normal. They have kids and dogs and jobs that they’ve held for 17 years. They work in the lowest-paid but highest-required degree social institutions and donate money to social injustice to help other people. They take care of their sick parents. They help other people when they can by sending them to community organizations or by just paying a light bill. They do the best they know how to do. They never think they were going to end up here.

At least I didn’t think I would.”

(source)

Chron Post: Millennials head under a rock

The Chron.com started a new blog called The List and asked me to guest blog post. My first (and only) post so far is titled:

Chron Post: Millennials head under a rock

The GI generation, by all accounts, appears to have raised one of the biggest groups of spoiled kids our country has ever seen. The Baby Boomers. And the Boomers are burying the Millennial generation and their grandkids in debt and chaos. Pretending deficit spending isn’t just a deferred tax increase (it is). And that seems wrong to this Gen X’er.

In the book GENERATIONS, The History of America’s Future, the authors describe the Boomers as:

The Boomers, who came to college after Eisenhower and before the Carter malaise of 1979. These were the babies of optimism and hubris, Beaver Cleaver and Musketeers, the post-Sputnik high school kids whose SAT scores declined for seventeen straight years, student strikers, flower-child hippies and draft resisters. – pg 30

(read the full post on Millennials and the Baby Boomers on Chron.com here.)