Russian hackers got NSA material.
On Thursday the Wall Street Journal reported that Russian hackers obtained highly sensitive material from the US National Security Agency. The material is said to be related to both network attack and network defense. It was obtained from a machine belonging to a contractor on which the sensitive information had been placed (Washington Post).
The most interesting aspect of the story is that the hackers are said to have targeted the contractor after "identifying the files through the contractor's use of a popular anti-virus software made by Russia-based Kaspersky Lab." Kaspersky software has the reputation of conducting very thorough scans of the machines it protects, behavior the company touts as a feature that enables its products to provide better protection against novel threats: "We aggressively protect our users and we’re proud of it," is how Kaspersky puts it (Nota Bene).
The breach is said to have occurred in 2015, but wasn't discovered until spring of 2016. Thus NSA would have discovered the problem weeks before the ShadowBrokers began leaking what the Brokers assert are Equation Group hacking tools. It's also shortly before the summer 2016 arrest of Hal Martin, the NSA contract worker who allegedly hoarded highly classified material in a shed at his Glen Burnie, Maryland, home. The material the ShadowBrokers have leaked appears to date to 2013 or so; it's unclear whether this latest revelation is connected to either the Brokers or Mr. Martin's case, but NSA veterans say off-the-record that they're not surprised by the latest incident, and some researchers are beginning, tentatively, to "connect the dots" (Motherboard).
Implications for Kaspersky.
Binding Operational Directive 17-01 directed all US Federal agencies to get rid of Kaspersky security products from their networks, or at the very least demonstrate some very good reason why they should continue to use them (Bloomberg). Administration accounts of the ban, issued by the Department of Homeland Security, have all concentrated on Kaspersky's requirement under Russian law to cooperate with security, intelligence, and law enforcement agencies, and that indeed would seem to be sufficient grounds for booting their products from Government networks (The CyberWire). This latest development would appear to indicate that there are indeed other grounds for suspicion of Kaspersky Lab and its products.
Kaspersky has long maintained its innocence of nefarious cooperation with the Russian organs, and Eugene Kaspersky blogged his outrage at the US Congress having cancelled (before the latest revelations about an NSA penetration surfaced) his opportunity to clear his company's name by testifying on Capitol Hill (The Hill). It's possible their products may have been subverted without their knowledge (it happened to Avast earlier this year, after all) and some of the initial reactions to this latest story seem to credit that explanation (CSO). The news is still fresh and breaking, however, and we'll be following it closely. However it plays out, it's bad news indeed for the US Intelligence Community and the National Security Agency in particular.
Kaspersky researchers coincidentally delivered a major paper on the difficulties of attribution this week. It focused on the way false flag operations are carried out by intelligence services (Intercept). Other observers note a long-standing feature of Kaspersky security software: it "aggressively scans" the systems it protects. The idea is to better protect computers from unknown threats. Unfortunately in this latest NSA case, that protection may have been exploited as (in effect) reconnaissance for the Russian FSB (Forbes).
Russian semi-official media see the outcry against Kaspersky as a case of Western security services carrying water for Kaspersky's non-Russian competitors (Crime Russia). Ars Technica says whatever the outcome of the investigation may be, "the accusations almost certainly mean the end of Kaspersky as we know it." Kaspersky's delayed appearance before Congress (the House Committee on Science, Space and Technology) has been rescheduled for October 25 (TechCrunch).
HPE allowed Russian agencies to inspect ArcSight source code.
In 2016 Hewlett Packard Enterprise submitted its ArcSight security software to Russian authorities for an audit of its source code. HPE was interested in selling the product into the Russian market, and the inspection was a precondition for obtaining permission to do so. The Russian company Echelon conducted the audit under the supervision of the Federal Service for Technical and Export Control (FSTEC). The nominal purpose (and to some extent no doubt the actual purpose) of such reviews is to determine that there are no embedded spying tools in the software. The US Defense Information Systems Agency (DISA), which supervises Defense Department use of ArcSight and similar products, said that HPE didn't inform it of the audit, but also that HPE wasn't required to do so. Some observers claim the review could have revealed weaknesses in US software, thereby facilitating future attacks (Fifth Domain).
US Government representatives initially said it didn't represent a problem, since they're only concerned that the code is safe and secure, and they establish that through independent auditing. Subsequently senior officials said it was "problematic" that HPE had given the Russian government a white-box look at a sensitive tool (CNBC).
Yahoo! breach found to be three times worse than thought.
Yahoo!'s 2013 breach, already record-setting when it was believed to extend to only a cool billion user accounts, has now been determined to have affected three billion accounts—essentially everyone who ever had a Yahoo! email account. The breach was disclosed by Yahoo!'s new corporate parent, Verizon. Verizon completed its acquisition of the troubled online giant in July of this year at the knocked-down price of $4.48 billion, $335 million less than initially proposed. It was a breach discount negotiated after the hack was disclosed (CNBC).
Yahoo! has been rolled into Verizon subsidiary Oath, a media and brand-building company, which says the disclosure represented a discovery based on new evidence. They say they're working with law enforcement (Oath). They also said they'll be notifying the users who were affected (Software Testing News).
Many observers have long been baffled by the length of time it took the 2013 breach (and the 2014 breach that followed it) to come to light. They're even more baffled by how dramatically the breach had been underestimated. Observers are advising anyone still using Yahoo! for email to chuck it for an alternative as soon as possible (CSO).
Equifax breach notes.
At least some members of Congress want to give Equifax "the Kaspersky treatment," especially after it came to light at the end of September that the US Internal Revenue Service had awarded the credit bureau a $7 million contract to help it detect tax fraud (Nextgov). To be sure it's a bridge contract until a new incumbent can be brought on board, and the IRS was between the proverbial rock and a hard place, but nonetheless what the Beltway calls "the optics" are bad.
Brian Krebs has a useful rundown on why, given Equifax and Yahoo! (and others) we're all cybercrime victims now (KrebsOnSecurity).
Legislative and regulatory impact of breaches.
This tearing off of the Yahoo! scab, coming as soon as it has after major breach disclosures at Equifax, Deloitte, and the US Securities and Exchange Commission, amounts to an industry own-goal. There are many calls for increased regulation and legislation that would force swift disclosure and better privacy and identity management practices. (A lot of the wolf tickets being passed out by regulators make GDPR look practically laissez-faire.) A Congressional panel told the Equifax CEO that "I don't think we can pass a law that fixes stupid," but if we bet on form, that won't prevent Congress from trying (CSO).
A cyber shot across North Korea's virtual bow.
US Cyber Command, according to administration sources, conducted a distributed denial-of-service attack against North Korea's Reconnaissance General Bureau (the country's principal intelligence service) last week, from September 22nd to September 30th. The campaign was conducted as part of US President Trump's effort to increase pressure on Pyongyang in response to the Kim regime's continued development of high-yield nuclear weapons and the missiles necessary to deliver them (Washington Post).
The operation drew a quick response from Russia. The Russian telecommunications provider, TransTelekom, established a high-bandwidth Internet connection from Vladivostok to North Korea that became operational Sunday, immediately doubling the DPRK's paltry connectivity. The connection, apparently provided by fiber-optic cable laid across the Friendship Bridge, augments the service provided by China Unicom, hitherto Pyongyang's only link to the Internet (38 North).
While the Reconnaissance General Bureau's networks were certainly disrupted, it seems unlikely that the attack would have put much of a dent in North Korean cyberattack capability, most of which is located outside the country (Ars Technica) and devoted to bringing in revenue for the cash-strapped regime (CSO).
Cyber worries about that other proliferator-of-concern.
As US-Iranian relations continue to deteriorate from their already low level, with the nuclear modus vivendi Iran reached with the US imperiled, observers warn that America should expect an increase in Iranian cyber attacks should Tehran be declared in violation of the agreement and the pact abrogated (Foreign Policy). President Trump is said to be likely to take further steps this coming week toward determining the treaty to be not in the US national interest (Washington Post).
Former US Director of National Intelligence Clapper told an audience at the ICF CyberSci Symposium in Fairfax, Virginia, that in effect Iran had achieved cyber deterrence with respect to the US: there was no hacking back against Tehran for its 2012 attacks on the US financial sector out of concern that a response in kind would simply provoke more incidents. According to Clapper, then Treasury Secretary Timothy Geithner spoke decisively against retaliation because he feared banks would be unable to defend themselves against an Iranian counterstroke (CyberScoop).
This offers a lesson for those looking for superior cyber deterrence. Iran's got it: be able to hold the things your adversary values at such risk that it renders them unwilling to attack, or even retaliate. The cost of an exchange was apparently too high: that's the calculation one wants an adversary to make.
ISIS continues to metastasize through cyberspace.
The Caliphate has very little territory left to govern. That has driven it online, with increased howling to the many lone wolves (Foreign Policy). There are also increasing signs that, as terrorist movements so often have, ISIS is seeking to recruit adherents (and killers) still in their childhood (Foreign Policy).
Stuff said on the Internet isn't necessarily true.
But we all knew that, right? Still, it's difficult to hit the right balance of skepticism and conviction. That difficulty was briefly on display, and in its saddest possible form, at the beginning of the week when people reacted to the Las Vegas massacre without reflection and without evidence. Among those disposed to believe the worst about political opponents, the gunman was initially said (in Facebook and Google feeds) to be, variously, a white supremacist (utterly implausible, given the venue and the victims, unless it were some sort of far-fetched provocation), a radical socialist (on no evidence, beyond the a priori assumption that unhinged progressives would hate country-western listeners), and so on. Google and Facebook briefly elevated unreliable news channels to the top of their results, most of those pushing the socialist-killer meme (Atlantic).
This much occurs spontaneously, a kind of madness of crowds, and both Google and Facebook expressed embarrassment over their inability to filter bogus opinion from their news results (Infosecurity Magazine). It is, however, a tough problem, and it would be surprising if they reached any satisfactory resolution.
And some of that stuff said on the Internet is disinformation.
Like ISIS's claim that the Vegas gunman, Stephen Paddock, was actually a convert to Islam who had adopted the jihadist name of Abu Abdul Bar al-Amriki. No authorities take the claim seriously, saying there's no evidence for it whatsoever. ISIS, however, continued to insist that the shooter was one of its soldiers, a "brother" who became a Muslim about six months ago (Newsweek). One reason for skepticism: Paddock shot himself, which is inconsistent with martyrdom, and which ISIS glosses over. Even if the ISIS claims are completely discredited, as most expect them to be, for ISIS it's a low-risk inspiration operation: their target market is going to thrill to it regardless, and is unlikely to believe what the infidel press says anyway (Independent).
NIST has some new standards.
The US National Institute of Standards and Technology is circulating new routing standards for the Internet (NIST). The Secure Inter-Domain Routing standard, published by the Internet Engineering Task Force, represents the results of a collaboration between NIST and the US Department of Homeland Security's Science and Technology Directorate. It sets out defense mechanisms for the Border Gateway Protocol (BGP) that routers use to direct data across the Internet.
More push for https ubiquity.
Google has moved to preload HSTS in the forty-five top-level domains it controls as part of its domain registrar business (Naked Security).
Patch Tuesday is coming.
Apple released an emergency patch Thursday that closes a Keychain vulnerability in macOS (Security Week). Netgear patched some fifty bugs in routers, switches, and NAS devices (Threatpost).
The Equifax breach has driven home the importance of patch management, and so it's worth taking a look at what Patch Tuesday is likely to hold. We heard from Ivanti's Chris Goettl, who predicts a significant day for Oracle in particular:
"In addition to the Microsoft Patch Tuesday activity, Oracle will issue their Oracle Critical Patch Update on the same day. They update quarterly and this is the month, so Tuesday the 17th Oracle will release updates for all their software including Java. We may see an announcement on the future of Solaris and SPARC support as well. Oracle had a major layoff of those software and hardware employees the beginning of September. Expect the usual Microsoft OS updates this month. After the huge release for Office last month (51 KB articles) and the .NET release, we’re hoping for a small number of patches beyond the regular OS updates. Mozilla just released a new major version of Firefox in the past week, so we probably will not see a new version next week. History tends to repeat itself, so we should expect an update to Adobe Flash as usual."
Industry notes.
root9B LLC, the Colorado cybersecurity firm, was sold by its financially-strapped parent holding company of the same name to a private equity group, Tracker Capital Management (Colorado Springs Gazette). That parent company, root9B Holdings, Inc., resumed trading on the Nasdaq Wednesday to deeply disappointing results, as investors exhibited little confidence in its future (Benzinga).
ForeScout has filed for a $100 million initial public offering (TechCrunch).
A new startup devoted to firmware security has raised $2.3 million. The new company, Eclypsium, was founded by Intel alumni Yuriy Bulygin and Oleksandr Bazhaniuk. The company is "venture-backed," but who the backers are is unknown (Portland Business Journal).
Enlightenment Capital has made an investment in CyberCore Technologies. The amount is not specified, but it's thought to be significant (Baltimore Business Journal).