"One of the more chilling developments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps."
"a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries."
"As humanity raced to develop vaccines, Microsoft security teams detected three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19."
"One indicator of the current situation is reflected in the federal government’s insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked. Instead of encouraging a “need to share,” this turns information sharing into a breach of contract. It literally has turned the 9/11 Commission’s recommendations upside down."
> and spread targeted disinformation using text messages and encrypted messaging apps
Given there are moves to make sure end-to-end encrypted messengers have backdoors for authorities, isn't this kind of information prepared to seed association of encrypted messaging with something bad, so that in the future when there is a talk about making these apps either illegal or making sure they employ backdoors, people wouldn't be outraged?
On a more serious note though, it certainly appears this is how it's going. APT41 turned out to be some private company in Chengdu and APT39 I think it was some outfit in Vietnam. It's pretty interesting (cool?) to think that some of these global cyber-threats are essentially just a handful of people in some nondescript office somewhere.
How will this even begin to be remediated (the broader hack that is coming to light right now)?
It seems like malicious actors had unrestricted access to almost every major computer system in the US Government, and now possibly Microsoft itself as well?
How are these people ever going to be able to trust any of this equipment ever again? This just seems unbelievably catastrophic.
Also, the rest of us use products they’ve designed to be basically unsecurable against them. The feudal model of security only works if the overlords are trustworthy and competent. We’ve known they aren’t trustworthy for a long time, but this shows the other side of the coin.
The idea is that security is hard and expensive, so we serfs surrender ourselves to feudal overlords (Google, Microsoft, Facebook) in exchange for protection.
This model has been bitterly fought since the beginning. Problem is the underdogs have never had the money, and governmental support to manufacture consent in the masses.
What are the alternatives? Surely we can't design our own systems from scratch and outdo FAANGs in terms of security, and any underdog trying to change the status quo will end up becoming a feudal lord itself.
Remediation and recovery for most threats involves OS/app reinstallation, perhaps restoring from backups and images. However, if your threat is a sophisticated state actor based out of Russia, it's hard to rule out that they've got hooks in your server's firmware, that they've corrupted your backups as well, etc, etc.
One wonders how Russia could exploit the systems they've penetrated. Brick every gov't system on Jan 20th? Shut down SCADA systems? It's a cybersecurity nightmare.
> Remediation and recovery for most threats involves OS/app reinstallation
Except for all those SolarWinds admins arguing that doing a simple scan and infected binary removal is enough and then moving on and anything more is "overreacting"
I feel sorry for all these people who are stuck working with such inflexible risk assessment/ITIL processes who are now trying to justify not taking any action because "SolarWinds said everything is ok"
There's obviously a contemporary movement that all your systems should be rebuildable by code, which would make getting the systems back into a trusted state (assuming you trust other layers / your code) a lot easier.
Obviously this doesn't help if your data is already messed up, if firmwares are hacked, and if your code itself hasn't had the rigour to be trusted, but it's a hell of a lot better position than "scan, remove, forget".
Am I confused about something? How is everybody not absolutely running around frantically ripping ethernet cables out of patch panels right now in every single one of these companies?
I mean...the smart controllers on the HVAC systems in these companies have to be replaced don't they? The smart locks, everything IoT, everything with a network interface in it at this point has to be assumed compromised. This seems like by far the worst cyber security incident of all time.
And my comment was also a nod to that prominent hack. The discussion back then revolved a lot around the idea that Target had done a really good job of hardening most of their network, but then allowed a smart HVAC controller onto it.
What seemed at the time like something minor (I believe it was a remote diagnostic device or something like that) is what the intruders used to gain access.
Your article seems to directly contradict the idea that any sort of IoT / "smart" device was involved:
> Fazio Mechanical Services just issued an official statement through a PR company, stating that its “data connection with Target was exclusively for electronic billing, contract submission and project management.”
We should all remember to read PR statements with the assumption they aim to be technically true but come with an intent to deceive. Because what you quoted is a weaselly statement, and it neatly avoids answering the underlying questions.
Namely: was that "exclusively" a contractual exclusion or a technically sound, enforceable exclusion? And on top of that, how was it secured? If the connection setup was breached, what was the maximum blast radius?
I'm sorry, but in this case I disagree. Whether the device was smart or not is irrelevant.
If there is a connected device in a supposedly otherwise secure network that allows traffic in or calls home, that device is an attack vector. Pure and simple. The only safe assumption is that such a thing is an insecure, unmaintainable black box that was put together by the cheapest fly-by-night contractor.
A "smart" device is worse, and guaranteed to be a dumpster fire. One should not be allowed anywhere near a secure network, regardless of its function. Printers, VoIP phones, climate control systems, ... they're all the same.
I know factories where they replaced every PC (complete hardware, not just software) and also reloaded every PLC connected to the network. Such things can happen.
> Am I confused about something? How is everybody not absolutely running around frantically ripping ethernet cables out of patch panels right now in every single one of these companies?
You mean everyone should have a panic attack? As deeply terrifying as this is, anyone giving in to panic would make them unfit for their job. I assure you they are very scared, but huge companies have protocols to deal with situations like this.
Why do I have this really bad feeling that the dead man switch is about to drop... based on what we know of the deployment / strategy, ‘they’ really might have every key to every castle. The only thing left to do is find out who hasn’t been affected by this.
Correct. It's been blindingly obvious for at least a decade that there is no such thing as computer security. Any computer that is connected in any way to the Internet should be considered at least semi-public. We get reminders of this weekly. Yet we continue to connect everything to the Internet. This is going to get a whole lot worse before it gets any better.
Incident response procedures exist to address this as does forensic analysis. But each org might fail at eradication (hardest phase of IR) and get reinfected. It is hard but doable imo
This is somewhat routine actually. Microsoft, and most other major tech companies, have been “hacked” many times.
Note that being hacked isn’t a binary state. What matters is what they were able to obtain. It could range from full compromise of the C-suite and domain admin, to phishing some marketing employee with no access to anything interesting. If anything, you should be afraid of companies who haven’t been hacked. It most likely means they’re either irrelevant, or they have been hacked and don’t know it yet.
This isn’t even the first time they’ve been hacked by Russians. It’s honestly not a big deal.
As someone who has been on the inside of these attacks, I’m just saying, what probably sounds earth shattering to most people is just a slightly more interesting Thursday for us. My expectations for security have been calibrated to be unfazed by yet another one. Honestly, it’s actually a little refreshing to see something slightly novel (although this isn’t actually that novel).
This is pretty obnoxious and doesn't belong on HN. Millions of people live there. If we are somehow able to leave our humanity behind, the practical fact is that would lead to widespread annihilation.
Now ask about all of the things opening source wouldn’t affect: beyond compilers, modern devices have a lot of software running in firmware which can alter data. Proving that every component involved in the process hasn’t been subverted is a massive undertaking.
It's obviously true that open source is not sufficient for good software quality, or even necessary, but it does correlate, especially for open source projects with many users.
I often read through the libraries I use in projects (if their source is available). And if I find errors or shortcomings I will write an issue about it.
"We have no indication of this," company President Brad Smith told New York Times reporter Nicole Perlroth. Perlroth said the company stood by a statement it issued on Sunday saying it had no indication of a vulnerability in any Microsoft product or cloud service in its investigations of the hacking campaign.
That’s the strongest truthful statement any company can give you. You can never be 100% sure you aren’t hacked. You can only be sure that, as far as you know, no one hacked you.
When Bloomberg implicated Apple in The Big Hack, Apple gave way stronger denials. So did Amazon.
> Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
Exactly - Apple never said "we weren't hacked, 100% sure". They said that all the data they have shows no evidence, plus pointed out some BS in the story.
Interesting that they only mention server. What about their employee devices, networking hardware, and every other internet connected thing? Not saying I buy this theory, but that denial leaves a lot of technically correct room to lie through their teeth.
That's because the entirety of Bloomberg's nonsense focused on a supposed server. So there wasn't any need to disown employee devices, mobile phones, IoT, etc.
> That’s the strongest truthful statement any company can give you.
Oh, I agree that no company will ever make a categorical denial of something like this; I just don't think that justifies promoting a lesser denial into a categorical one.
If Microsoft's statement is honest, it certainly raises doubts about this story. What "people familiar with the matter" know more than Microsoft themselves?
Even if the information was discovered during a government or private investigation of the hacks that didn't include Microsoft, the investigators likely would have notified Microsoft immediately.
Given the SEC implications of an officer of the company lying about something that could materially affect share prices, you can certainly believe that Microsoft thinks his statements are true. Literally anyone can tell a journalist that they're "familiar with the matter". Given Reuters' track record on security coupled with the lack of update about Microsoft's public statement, I'm inclined to be pretty skeptical about the quality of those sources.
Don't apply to matters of national security. Seeing as SolarWinds supplied every branch of government and just about every company that matters in the U.S., I would imagine that there are a lot of people under gag orders, or prohibited from talking about classified intel with people that don't have clearance. To be safe, it'd be wise to not have company officers who also hold clearances.
I am not a lawyer and merely [poorly] paraphrasing what I've heard in discussion about this legal quandary. The problem as I see it is that in order for a judge to not immediately dismiss a case the aggrieved party needs to have some evidence that these statements were made falsely. Considering the CISA opsec guidelines, there should not be a corporate paper trail detailing officials' knowledge, so where and how do you get evidence that can be admitted to court? Witnesses would presumably be under similar NATSEC restrictions, have questionable custody of the evidence, or worse, they can only provide hearsay.
You mentioned gag orders, you should know there's largely no such thing in the US, outside of NSLs which don't apply here. The United States does not have an equivalent of the official secrets act in the UK. In order to be restrained from talking about national security information, you would need to have signed an NDA ahead of time.
The statement about supposed CISA opsec guidelines is equally confusing, can you please cite the specific guidance you're referring to which would keep executives in the dark? I'm pretty familiar with the guidance CISA has issued and I don't believe any such advice has ever been given.
Before an executive would talk to the media about a subject like this, they would absolutely have gotten details from their internal security team.
Reminds me of the Supermicro hardware trojan horse implant crap from a couple years ago. That story blew up but seemed to have almost no foundation at all, and was outright denied by all parties who would actually know.
It's a strong statement but it definitely leaves the door open. Given that there's so much at stake I can't imagine a different statement.
On the other hand, if you read the CISA alert[1], it's clear that (1) many industrial targets were compromised, given the ubiquity of the Orion product and the amount of time that transpired; and (2) the attackers had their merry f'ing way with MS products like AD. So at this point I think it would be more surprising if they were not compromised than if they were.
Are you saying that the attacker's skill with AD indicates that they were able to plant code in AD? Steal the source and learn vulnerabilities from it? Or just that, given that MS uses AD, they were vulnerable too?
That's still a non-denial denial, right? "We never said we weren't breached, we just said we had no indication of being breached [...]" (Not that you can really give any more information in a public forum)
Microsoft's statement confirms that they had malicious software in their environment:
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
>The U.S. National Security Agency issued a rare “cybersecurity advisory” Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers
I believe there is a common overestimation of the security of cloud providers. Microsoft Azure was just breached and that's only what we know. There might be breaches at other cloud providers we're not aware of.
Centralization creates an exponentially growing incentive for bad actors. Decentralization has been given up too soon.
It is always events like these that make me ponder if the Internet will devolve into regional Internets, which still wouldn't necessarily prevent or stop any determined attacker from performing these types of attacks. So perhaps it's never.
It's like a firewall at the edge of your network: doesn't really protect you as any attacker that can get to the other side has free rein. You need defense in depth.
By the way, a piece of pedantry apropos a recent HN article: "...the Internet will devolve into regional internets." I.e. there is one Internet that connects to essentially everything; regional networks can practice internet working but aren't the proper noun "Internet"
I typed that on my phone and it auto"corrected" to add a space in internetworking. I'll leave the error in place and just post this comment instead even though I still have time to edit it.
In order for a country to cut itself off effectively enough, it has to be (a) huge enough to replicate any service its citizens might want that is found elsewhere and (b) authoritarian enough to crush/jail/imprison/ostracize them for circumventing it.
So far even Russia hasn't managed both. I don't think any country but China can pull it off, so we're looking at worst case a Real Internet and a ChinaNet. The only other countries that will succeed will be backwater countries dooming themselves to perpetual backwater status (I can name a few but won't).
Even China has no chance at this. Western movies, music, cars, imported designer brands, etc. The upper class can't live without these things. You'll have problems with your own people once they are so connected with the outside world.
> We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.
I think people are just curious to see some actual evidence that points to Russia. I don't think it is unlikely, I just haven't read anything that clearly indicates a specific nation state.
I’m usually the last person to defend our intelligence agencies. In aggregate, it seems like they’re more interested in undermining digital security than supporting it. With that being said, this sort of information would definitely risk compromising “materials and methods”.
What I mean is some technical explanation that it is Russia and how they arrived at the conclusion. Countdown to Zero Day had excellent explanations for attributing malware, I'm just wondering if there is anything out there about technical clues for this yet.
> What I mean is some technical explanation that it is Russia and how they arrived at the conclusion.
I have no specific knowledge, but essentially, most of the evidence is likely to be circumstantial, with chains of inferences from co-occurrences of targets, tools, techniques, and other 'fingerprints', various bits of which may occasionally be confirmed or refuted by humint (which may or may not be reliable).
It is very unlikely that there is any single piece of info that definitively ties the attack to a particular actor (except maybe sigint), and with sufficient effort a false-flag operation can successfully lead to a mistaken conclusion, at least temporarily, but that's harder than it seems.
Any actor that tries to imitate the signature of a different actor by only using stuff from the other guy's bag of tricks is by definition only using tools that have been detected and are known; which means that countermeasures are likely to also be known and in use. Adding anything novel on top of that to increase the chances of the attack's success is incorporating a signal that WON'T be present in the chosen fall-guy's future efforts (unless previously undetected tools can be stolen from the fall-guy), which may (eventually) undermine the desired conclusion.
Figuring out whodunnit requires an essentially Bayesian approach, except the data is usually circumstantial, and priors - themselves always contingent on even earlier data - are of uncertain reliability and must when possible be tested against later assumed-reliable data from other channels for consistency (and when inconsistent, deciding whether new data trumps priors or vice-versa is a bitch).
Nevertheless, given how much data there typically is, it isn't too often that something comes along (like the discovery of a mole, which invalidates assumptions about what the opposition knows, and knows you know, etc.) to upend everything and break or reverse whole chains of inference.
So, while we might eventually find out some of the circumstantial evidence that led to the attribution to a particular actor, we won't ever be told what other previous evidence (itself circumstantial) ties that evidence to that actor. Eg. "Toolchain X used in this attack is linked to Actor Y, but we can't tell you how we know they are linked. Sorry-not-sorry." ¯\_(ツ)_/¯
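The chain-of-inference reasoning in the comment above, worked through as an added example that is not part of the thread: a sequential Bayesian update over three constructed hypotheses (a known actor Y, a false-flag imitator of Y, and an unrelated actor) and four constructed evidence items with made-up likelihoods. It goes slightly beyond the comment by showing the two sensitivities it alludes to: a prior that favours false flags pulls the posterior down, and dropping the one item an imitator cannot easily fake flips the most probable hypothesis. All names and numbers are illustrative assumptions, not an attribution of any real campaign.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

Dist = Dict[str, Fraction]

# Constructed hypotheses; "actor_Y" is a placeholder, not a real group.
HYPOTHESES = ["actor_Y", "imitator_of_Y", "unrelated_actor"]

# Constructed evidence items: (label, P(evidence | hypothesis) per hypothesis).
# Real likelihoods would come from a knowledge base of past intrusions and are
# themselves uncertain, which is the commenter's point about priors.
EVIDENCE: List[Tuple[str, Dist]] = [
    # A publicly documented tool of Y: a false-flag imitator deliberately uses
    # it, so this item barely separates Y from an imitator.
    ("known_Y_toolchain",
     {"actor_Y": Fraction(8, 10), "imitator_of_Y": Fraction(9, 10), "unrelated_actor": Fraction(1, 10)}),
    # Reuse of infrastructure previously tied to Y: hard for anyone else to obtain.
    ("reused_Y_infrastructure",
     {"actor_Y": Fraction(5, 10), "imitator_of_Y": Fraction(5, 100), "unrelated_actor": Fraction(2, 100)}),
    # A capability never before documented for Y: the novel signal an imitator
    # has to add on top of the borrowed bag of tricks.
    ("novel_capability",
     {"actor_Y": Fraction(3, 10), "imitator_of_Y": Fraction(6, 10), "unrelated_actor": Fraction(5, 10)}),
    # Victim selection consistent with Y's historical interests.
    ("target_profile_matches_Y",
     {"actor_Y": Fraction(7, 10), "imitator_of_Y": Fraction(7, 10), "unrelated_actor": Fraction(3, 10)}),
]

# Constructed alternative prior for an analyst who thinks false flags are common.
SKEPTICAL_PRIOR: Dist = {
    "actor_Y": Fraction(3, 10), "imitator_of_Y": Fraction(5, 10), "unrelated_actor": Fraction(2, 10),
}


def uniform_prior() -> Dist:
    """No preconception: every hypothesis equally likely."""
    n = len(HYPOTHESES)
    return {h: Fraction(1, n) for h in HYPOTHESES}


def normalise(weights: Dist) -> Dist:
    total = sum(weights.values())
    return {h: w / total for h, w in weights.items()}


def update(current: Dist, likelihoods: Dist) -> Dist:
    """One Bayes step: posterior(H) is proportional to current(H) * P(E | H)."""
    return normalise({h: current[h] * likelihoods[h] for h in current})


def attribute(prior: Dist, evidence: List[Tuple[str, Dist]]) -> Dist:
    """Fold every evidence item into the prior and return the final posterior."""
    posterior = normalise(dict(prior))
    for _label, likelihoods in evidence:
        posterior = update(posterior, likelihoods)
    return posterior


def most_probable(dist: Dist) -> str:
    return max(dist, key=lambda h: dist[h])


def fmt(dist: Dist) -> Dict[str, str]:
    return {h: f"{float(p):.3f}" for h, p in dist.items()}


def trace(prior: Dist, evidence: List[Tuple[str, Dist]]) -> Dist:
    """Same as attribute(), but prints the posterior after each item."""
    posterior = normalise(dict(prior))
    print("prior".ljust(32), fmt(posterior))
    for label, likelihoods in evidence:
        posterior = update(posterior, likelihoods)
        print(f"after {label}".ljust(32), fmt(posterior))
    return posterior


if __name__ == "__main__":
    trace(uniform_prior(), EVIDENCE)
    print("skeptical prior, all evidence:", fmt(attribute(SKEPTICAL_PRIOR, EVIDENCE)))
    # Keep only the items a false-flag operation could reproduce.
    fakeable_only = [e for e in EVIDENCE if e[0] != "reused_Y_infrastructure"]
    print("fakeable evidence only, most probable:",
          most_probable(attribute(uniform_prior(), fakeable_only)))
```

With the uniform prior the posterior for actor Y ends at 35/43 (about 0.81); with the skeptical prior it drops to 840/1157 (about 0.73); and with only the fakeable items left, the imitator hypothesis comes out on top, which is the commenter's point that a borrowed toolchain plus a novel capability is weak evidence on its own. Exact fractions are used so the numbers in the trace can be checked by hand.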
See my direct reply to you. There doesn't appear to be non-classified evidence that can attribute it (yet - at least available to FireEye/Mandiant).
But members of the US subcommittee on Cybersecurity have attributed it and asked for the evidence they saw to be declassified.
Having said that, it wouldn't surprise me if in coming days it is able to be positively attributed from non-classified sources. This attack seems very widespread, and while it seems extremely professionally done in the past we've seen how small errors make attribution possible.
Usually it's that an exploit developer reused some supporting infrastructure that has been previously seen and it can be attributed from that.
But there is a political subtext here. The red team is rooting for it to be China because it plays into a "Trump was right that China is a problem" narrative and coincides with the Hunter Biden thing and also the recent scandal about Congressman Swalwell (D-CA) having a relationship with a Chinese spy. The blue team correspondingly wants it to be not-China and thereby benefits from preemptively asserting that it was Russia.
This unfortunately makes it less likely that we'll ever know because it's hard enough to figure it out when there isn't a political motive for both sides to fudge the answer.
* Because people on this forum have enough expertise to make decisions themselves, given the evidence.
* Because in the past, when evidence has been presented, we've seen the federal intelligence community claim absolute certainty when they're actually only mostly-sure.
> Because in the past, when evidence has been presented, we've seen the federal intelligence community claim absolute certainty when they're actually only mostly-sure.
We've also seen them just fabricate things out of whole cloth, e.g. Iraq WMD.
It's generally best to read "according to sources in the intelligence community" as "according to professional liars who are aware you have no way of verifying anything they tell you."
Also keep in mind that revealing real classified intelligence to the media is a federal crime but making stuff up is totally legal.
Are they? Asking for evidence in support of attribution does not imply that the asked doubts the case any more than my looking up changes in listed causes of death this year implies I doubt the deadliness of Covid-19.
I like the idea of innocent until proven guilty. Russia is guilty of a lot of things and their horrible reputation is well-deserved, but pinning any hack on them because I don't like them is moronic.
Try pinning a hack on them because it is something they are very good at doing and have a recent history of doing. It works a lot better and is at least somewhat based on facts.
You don't "try pinning". You find proof. Again, accusing someone of something without proof solely because they have a history of doing it is moronic and downright retarded.
I'm not yet done with all comments, but so far I've not seen anyone defending Russia, just asking for evidence or at least indicators. Proper attribution of hacks isn't exactly a trivial and foolproof thing.
There is a big asymmetry here: On the one hand this whole "cyberattack" boils down to a) the password for the build server being <companyname>123 and b) publishing said password on github. The customers, federal agencies including intelligence, failed to find this for a year, which simply is gross incompetence. I mean really: Did the agencies integrate this software into their critical systems without any checks?
Yet these agencies are at the same time so competent that they can reliably attribute usage of the password (this wasn't even a hack) to the Russian government within days?
Edit: It is of course quite possible to be Russia, but hacking is comparatively cheap, so the list of possible culprits is larger than just Russia and China. It could also be way more than just one country, as the password was public for everyone to use for almost a year.
There are people who are working on the case saying things like "this looks like Russia" and those are the front line people. They know wtf they're talking about because they're the ones looking through the evidence while some officials pace back and forth while they write their statements and get paid 20x as much.
At this point, any evidence pointing to Russia will be met with responses like "I'm still waiting for evidence that Russia is behind this," or "I need to see this quote unquote evidence myself..."
I gotta admit though, they have apparently really honed their English grammar. Can't use that technique to detect them anymore.
> They know wtf they're talking about
because they're the ones looking through the evidence
Show me it then.
> I gotta admit though, they have apparently really honed their English grammar.
Maybe that's because what you're insinuating is false and you refuse to believe it? Also, you've still not outwardly said what you are insinuating. You're still beating around the bush. So I'll say it for you: "anyone who asks for evidence is a Russian shill." That's what you're getting at, right?
Yes, that's what I'm getting at. I thought it was clear.
The first story on HN about this linked to an article which said that investigators saw what looked like them to be clearly "Russian" in the techniques used, based on their own previous experience.
I will trust a reporter over a random HN commenter any day of any year.
There's a difference between resisting and wondering if there's some evidence to look at. I mean if I was a sophisticated attacker (and this attack looks sophisticated enough at first glance) it would be my first idea to make it look like the attack is coming from Russia or China to cover my tracks.
We're not. It's just that in order for some kind of retaliation to take form states will need hard evidence about Russia's involvement. Whether the evidence exists and it's not leaked to the press, or doesn't exist at all is anybody's guess.
The perception is that Democrats and liberals blame Russia, so the contrarian position is the opposite. See any thread on Trump, Assange, Election Fraud, and old threads on Litvinenko to see this contrarianism flaring up
The GOP and right wing types traditionally pulled a hard line against Russia and Russian interest. Then that softened — remember George W Bush “staring into Putin’s soul.” Conservatives picked up an infatuation of sorts with Russia early in the Obama administration. Talk radio personalities took a shine to Mr. Putin because Russia allowed transit of US troops and supplies on Russian railways to Uzbekistan, for example. Policy positions on Syria were strange.
It flipped to obsequiousness mysteriously in 2017. Anything critical of Russia suddenly became a tangle of whataboutisms and other nonsense. Old hawks now roost as Russia doves. Senators who are ok with child separation want pardons for Edward Snowden.
I wouldn't say the trend on HN is necessarily partisan, but more from the kind of people who voted for Trump because they (for some absolutely bizarre reason, but that's beside the point) believe in the "Donald the dove" thing. You see the talking points amongst the hard-left, bizarrely, i.e. I have no illusions that the CIA gets up to much better, but drawing moral equivalency between the KGB (in a new suit) and the US Government is a common theme on some HN threads and it's absolutely bizarre (One gains new perspective when Novichok is used within a few miles of your house)
This is partly why I find the "no politics" rule on hackernews absolutely hilarious sometimes because it's such an insight into the American psyche where everything is political but also in denial that politics is anything other than a catch-all term for anything involving people, power and any end result other than sex or violence.
I’d argue that forums catering to engineers and tech people tend to skew towards a libertarian or sometimes nihilist philosophy.
The stuff that attracts folks to Trumpism, UFOs or other weird things of the ilk that make little sense appeals to that philosophy. We like mysteries and inside knowledge. We don’t always have the answers, but we know the problems that nobody else understands.
It’s an easy thing for propagandists to exploit. UFOs have been used to conceal weapons programs in plain sight. (In my home area, tomahawk missile testing in the 80s was often linked to that). Now anyone with a little money can mobilize an army of bots and idiots to push any message.
I am from Brazil, "Donald the dove" is not a bizarre thing, from what I saw except his antagonism against Iran, he's been trying to stop wars.
He is the first president in the past 40, 50 years I think, that didn't start any conflict.
Also he's been trying to pull out troops, to the point officials lied to him about troop movements to prevent him from pulling more troops (O.o I am surprised people will let that one fly...)
Biden on the other hand already appointed as secretary of defense a guy on the board of Raytheon...
I mean this is the beginning of what seems like a massive, probably international effort, to figure out what happened and who's responsible. Russia is known to be involved in state sponsored cyber intrusions, so it's natural the initial speculation would gravitate in their direction; But it could very well be from within the US borders, or some other nation entirely. That's what the investigation(s) will try to figure out.
From now until that day, I will simply assume nothing.
> Does anybody have any details on the Russia attribution?
FireEye (who discovered the SolarWinds breach when investigating their own breach) have said they are currently unable to attribute it[1]:
"While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor [FireEye subsidiary VP Carmakal] said"
However US Subcommittee on CyberSecurity member Senator Richard Blumenthal said about it:
"Stunning. Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what's going on. Declassify what’s known & unknown"[2]
Having done some work in this field, attribution is definitely possible and fairly reliable with enough data, but releasing that data is usually not done because it shows what data sources you have access to.
I'd be relatively confident that there are classified sources showing it is at least probable[3] that the source is Russian if subcommittee members are tweeting that.
I wonder when we will hear the news that all major clouds have been breached and data has been leaking for months/years...would be interesting to see. My wet dream is that people ditch the cloud to hold their own infrastructures.
The continued popularity of windows on corporate machines (especially dev machines) is the greatest evidence that the software market is completely incapable of judging software.
I think this SolarWinds scandal (with all the "our file doesn't match the checksum? Just install anyway" competency level) is greater...
But anyway, the largest problem isn't even Windows, it's AD. Every corporation bases its entire access control on a baroque, undocumented extension of a bad protocol with its security frozen in the late 2000s (upgraded by force a decade ago, because '90s security was too ugly). It's just insane.
I’m hesitant to blame anyone before we understand the full scope. “Breached into Microsoft” could mean they hacked into a guest public WiFi access point.
I really doubt it, all these hacks come and fade from the news cycle and nothing happens. The more I think about it the more I am convinced that until there's a large body of crime that the news cycle can point to and be outraged about, nothing substantial will be done. The hack occurred and nobody knows if anything was taken or if it was just information that was collected. It will take months for a conclusive investigation.
So far negligence in cybersecurity hasn't resulted in anything spectacularly failing like a giant explosion or a building collapsing and hundreds or thousands of people dying. Until something horrific like that happens there won't be pressure or political will to exert the appropriate measures that responsible governance should put in place.
There has to be a public narrative along the lines of your argument for it to work. I don't mind bringing it up now that you've said it because it is 100% correct.
If you're a cybersecurity consultant, you can practically dictate your salary at this point. What's $3,000/hour to the government or a Fortune 500 to recover from a cyberattack like this?
There must be a lot of all nighters behind the scenes.
Not actually true. Many companies now buy cyberinsurance, and so the underwriters are now using their clout to put pricing pressure on consultants. And, with some possible exceptions in the DIB, it’s not really clear that this hack by a nation state has really caused any loss to victim organizations. Without loss, the insurance claims will be low/nonexistent, and the companies will try to get by on the cheap.
Uncle Sam will need to do better but Uncle Sam has lots of contractors and doesn’t pay full fare.
Goes to show that you are only as secure as your weakest dependency. Allow and trust software into your organization built by a system protected by an obvious single-factor password (which you didn't know about or ask about) and, no matter what else you did, you are screwed.
I worked at a healthcare company that stored its production credentials (with no login auditing) in a plain text file accessible by half the employees and contractors, and when I complained that this was dumb (and violated HIPAA) I was told "we passed our audits and we trust our employees".
I am not surprised, it's a dirty little secret in the software industry that we employ a lot of Russian and other potentially vulnerable Eastern European software contractors. Not to blame anyone specifically, I mean the threat could equally come from India or China. Or even a direct hack. It could also be an insider threat from an American as well. Since software development is a complicated profession, it takes a lot of intelligent oversight to ensure that critical paths are secure; especially as we migrate to cloud and site wide solutions.
What are you looking for, a confession? This is information shared by people involved in investigating and remediating this attack, if the investigators share the smoking guns they show their hand to the attacker.
There are what, three countries capable of an attack of this magnitude? China, Russia, and Israel? I wouldn't rule out a clandestine non-governmental operation, but that is unprecedented at this scale.
I'm looking for evidence that would make me believe the attackers were indeed Russian-backed. So far we've seen no evidence, which means we have to take what the government says at face value, and I'm sure I don't need to spell out why that's problematic.
Just because it's hard to find/provide evidence doesn't mean we blindly have to accept what we're told.
I'm not arguing that you accept attribution blindly.
That being said, asking for attribution with evidence right now is absurd. No one, except the attackers, knows the full depth or breadth of the attack. To make a positive id at this moment, and explain how investigators are attributing responsibility is reckless. Asking for evidence behind attribution at this time is essentially flamebait. If you doubt the attribution it may be better to question the record of those making these accusations and what they stand to gain by making them.
Expand your reasoning please. FireEye was compromised as well, which doesn't bode well for their trust. Also there's no opportunity for "buying the dip" currently, as FEYE performance has been poor throughout the past several years?
True, but just static analysis of private source code is likely to discover several vulnerabilities, forget about experts looking for them in the source code. How many companies even do security based static code analysis using state of the art tools?
And why having the confidence to open source your code is good for your customers. At the very least it's pressure not to fix that bug tomorrow rather than after lunch.
Not only that, but internal projects that one can glean information from just by knowing or seeing their existence and how they are constructed. Or for yet unreleased things... I'm surprised the few comments in this thread don't consider these sorts of things.
But what does that have to do with me not wanting hackers to know what type of projects power my company, or unreleased things we're building? A whole slew of things that I would not want people seeing... that's why the repo is _private_.
> Still, another person familiar with the matter said the Department of Homeland Security (DHS) does not believe Microsoft was a key avenue of fresh infection.
Thoughts on this? It seems unlikely to me that someone who compromises literally the enterprise desktop OS manufacturer isn't going to take advantage of the situation.
Given that lots of people are reporting very similar compromises, traced back to a confirmed supply chain compromise, with similar TTPs and a uniformly very high level of tradecraft sophistication, I'd say the former. And that statement is how.
https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberat...
"One of the more chilling developments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps."
"a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries."
"As humanity raced to develop vaccines, Microsoft security teams detected three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19."
"One indicator of the current situation is reflected in the federal government’s insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked. Instead of encouraging a “need to share,” this turns information sharing into a breach of contract. It literally has turned the 9/11 Commission’s recommendations upside down."