Wednesday, May 31, 2017

China Hacking Clouds

I was reminded today of a story about the U.S. government trying to get people to use clouds because it was more secure.  Then, I read a new report of an old hacking expose, Operation Cloud Hopper, by PWC and BAE, that lays out the details of how they know China is hacking clouds and service providers, and how the networks are controlled.  The scale is broad and deep.  They come to the obvious conclusion that when you hack a cloud, the hackers get a lot of people using that cloud, some they did not specifically go after.  They fall in the Chinese lap because they use the cloud being hit.

They have some nice charts in this report that show the links to the 13th Five Year Plan and the industries they are trying to build through theft.  There are also some good arrays of the C&C networks that were used.  It is obvious that the Chinese have not stopped stealing information about businesses and they are not going to.

For the user of clouds and service providers like Apple, Amazon, and Microsoft, there is a good reason to do better security.  We have to rely on these folks when our data is in their hands.  We can't do anything about what they don't do because we have no visibility into how they control those networks and what they do internally to find people hacking their customers.  Customers have no say in the service level agreements that are shoved down their throats.  If I were a large business paying for services like that, I might want to know more about what is being done.  Look critically at what they say about the protection standards for some of these services.  Only lawyers can read half of those agreements.  Get one to review yours.

They used to say that they were doing "industry best practice".  That only sounds good until you recognize that it means "whatever we say is standard".  Under the covers, they were not even doing basic security and separation of user data.  Now that the industry has matured, maybe they can tell you what that means.

Buying the Philippines President

Well, there is more than one way to get over the loss of an Arbitration decision that left China with a bad taste in its mouth over the Philippines.  First China ignored the action that did not meet their requirements.  Second, their representative in the Philippines told President Duterte what to say about the decision - and he listened and obeyed.  In the Wall Street Journal today is a story about why he did listen - billions of dollars that went to his home town, Davao, straight from China's coffers.  How nice to be able to make the home town people happy with your leadership.  Of course the rest of the folks in the Philippines may not like it so much, but at least your neighbors and former friends will be happy.  Sound like any politicians you know?

Andrew Browne, who almost always gets it right when it comes to China's policies, outlines the buying of friendship.  That is something we should be familiar with, since we always believed it was possible to do the same thing.  Now we can't afford to, and China can.

Tuesday, May 30, 2017

North Korea and WannaCry

I have been wondering why Symantec would think that WannaCry, the infamous worm with ransomware attached, would be involved with North Korea, or that it was the North pretending to be the Lazarus Group of hackers.  I think only SC got this right in all of the reporting done on it.  It reflects some of the main problems with attribution and a press that feels it has to have a story, and the accuracy of it only has to be "close enough".  I remember when that was regularly followed by "for government work", but it now obviously applies to the press too.

Kaspersky Labs has a short report on the link between Lazarus and North Korea.  Their report says the group is Korean and works long hours, probably the most of any group they have ever studied.  That says a lot.  Perhaps Lazarus is a persona used by more than one entity, and that accounts for their hard work.  The code links are common between some of the attack vectors being used, and previous attacks against Sony and South Korea.  My own view of this was the North Koreans were blamed, but the U.S. thought China was actually behind it.  The New York Times' David Sanger had a number of stories about that incident and the retaliation being planned.  It was not all about North Korea, because options on routing around China's Great Firewall were also considered.  It was clear the Obama White House thought it was China.

Ransomware is not something most places associate with government attacks, but North Korea has a plausible reason for doing it since they are "looking for outside currency".  China hasn't shut off their currency flow yet, so that is hardly credible.  It may be more practical to think of this as a test of the kinds of attacks that might make havoc in an old computer system using stolen or no longer supported versions of an operating system.  That might apply to hospitals in the U.K. But it also applies to a lot of old military systems around the world.  Even the Chinese fell victim to some of that, also being infected.

At least one good thing comes of every incident like this.  People who steal software and people who use unlicensed software need to rethink that strategy.  Having supported software and having licenses may get you support that you can't get otherwise.  There were even groups in the financial community that were using XP in some of their systems, long after it had stopped being supported.  Whatever happened to due diligence on this kind of thing?

Friday, May 26, 2017

A Chinese Windows 10

An interesting piece in the Wall Street Journal on Windows 10 having a Chinese version.  It is interesting because it is written from Microsoft's perspective and says all the right things about this version, e.g., the Chinese did not manipulate Microsoft's source code, but were allowed to observe the code in controlled spaces.  This is supposed to make everything OK for you Microsoft customers who could run into a version of Windows that was produced for China and would like to know that it was safe.  Microsoft says so...  How would you know the difference between the Chinese version and the U.S. version if it came pre-installed on your Lenovo computer?

Wednesday, May 24, 2017

Symantec Names More than N. Korea

The press reports would have you believe that the latest threat report from Symantec names North Korea as the harbinger of all bad things, including the bank heist at the central bank in Bangladesh.  In fact, they lay out what is pretty well known in the cyber world:  Russia, China, Iran and North Korea are the common elements in most of the attacks.  We are in a war with these countries and the more we discover about their activities the more we realize how the attacks are taking place and what their targets might be.

They have a slick chart on page 15 that shows what I am talking about, and the report says possibly North Korea.  For years, they were saying possibly China for Suckfly, but now they are clearly showing that they were right about their original speculation, even though the chart still says possibly China.  Suckfly is still around using those code-signing certs to do their deed.  This is the most insidious of them all because it looks legitimate to most security modules.  Credit to Symantec on this because they were the first to point out where it came from.

Now, these are just countries of origin and not necessarily state sponsorship of attacks.  In fact, they say possibly to those too, so there is no real conviction to their reporting on country of origin, which is crucial to attribution to a state.  All this points out is that the ability to say for sure where an attack is coming from and who made it is becoming more difficult now that so many security evaluation groups have said how they know who was making this bad software.  You only have to mention once or twice that the changes were made in a certain time zone with certain holidays taken off and the developers will stop posting on the same time and holidays.  They are not stupid.  So we help them by saying how we know who is doing the work on this stuff.  It is the disclosure of sources and methods used in the evaluations that allows this to happen.  Any intelligence service will tell you not to do that.

The main point I saw in this report was that none of the attack software has been taken out of use by any activity of any other state or company.  It seems like there should be a way to disable or disrupt the software itself so it can't continue to be used, or if it is used, to track where it is coming from and its targets.  Maybe these people are smarter than we are.  Possibly.  


Monday, May 22, 2017

Myths Persist in Cyber Security

There was an interesting piece in The Wall Street Journal today on cyber security and the need for greater emphasis among non-security people in IT.  The title tells it all - All IT Jobs Are Cybersecurity Jobs.  

There are a number of repeated myths in this article which reminded me of the lack of progress being made in protecting networks from state-sponsored attacks like the ones by North Korea, Russia and China.

The first, as the title suggests, is that all jobs in IT are in some way security jobs.  If only it were true.  I have been hearing most of the other myths that go with this one since 1977 when I got into the business.  The IT people are not the ones who started or perpetuate this myth.  This was started by security professionals who know they cannot possibly know all the things they have to know to do the job without help.  I met a really good Oracle developer once who told me he did not know anything about security, but he was assigned to the task of building a really secure system being used by a number of different government agencies.  We spent a day learning terminology, looking at the requirements, and trying out some user stories.  In the next few days he understood what was required and did the development over several months.  He presented his design to senior security professionals and they were astounded by the thoroughness he showed and how the system performed.  I always felt that the reason he did so well was his admission that he did not know security very well and needed to start with the basics.  There are plenty of today's security professionals who need to start at the same spot.  The certificates being handed out like candy do not make people security professionals.  Some of the ones being criticized by IT professionals do not know much about anything IT.  They try to impose impossible requirements where they don't fit and they don't understand the consequences of what they impose on the IT people they work with.  They have credentials but no experience.  By the way, try getting a job with experience alone.

The second myth is that security has to be baked into every app and O/S.  We tried that by requiring testing to security standards by independent labels, but found too many different apps to keep up with.  How does one check to see that software is secure before it goes on the Internet?  It is almost all self-tested by the very companies who sell it to us because they got tired of a system that is expensive but buyers don't necessarily want to pay the extra cost.  Software vendors are not liable for anything software does when it gets sold.  What incentive do they have to make sure it is right the first time?  These are extremely complex systems where the interaction produces vulnerabilities, but 99% of those interactions are not tested until they reach the Internet.  Then hackers get to show us the way into those systems, which are then patched and we start the process all over.

Would we like India or China building in security features to the hardware and software we use?  India is about to overtake the U.S. in numbers of developers.  The hardware is built in China.  The SDKs that many people use are already infused with traps and backdoors planted by intelligence services of some of our best friends - well, at least our biggest trading partners.  There are libraries full of these kinds of things.  We have traded away any chance to bake it in in the name of globalization and software reuse.

International security standards are about as vague as the ones produced in NIST because that is where most of them came from.  They are cookie cutter lists of things that one can do to be secure.  You decide what that is.  We don't have a good definition of what it means to be secure.

We have to have systems that are safe in spite of the Internet.  People in the encryption business say that can be done, but it has to start with a basic system that is produced under U.S. control.  The Federal government is going to have to lead an effort to do that because the marketplace is not going to buy it.  It doesn't really care about security.

Tuesday, May 16, 2017

Attribution for Malware

We have a shining example of the problems with international hacking attribution on display today, after the malware attack last week.  Russia's Putin proclaims that the U.S. is responsible, which has everyone scratching their heads.  Some of the code looks like the same stuff used in the attacks on South Korea by North Korea, so the latter becomes the latest suspect.  The way the Dark Web is selling anything and everything that looks like a hacking tool makes it easy to buy code made by almost anyone.  None of the reasons given today have anything to do with who actually did this.

James Clapper, when he was the Director of National Intelligence, had several public statements about the difficulty of attribution from the standpoint of someone who had to be right when he spoke to the leadership of the United States.  He said, among other things, it was important to know where the attack came from and who ordered it.  That information does not come in a day or two.  We will eventually find out because there are lots of electronic fingerprints on this one.  There are a number of governments anxious to make sure they are not blamed for what happened, so you can bet there will not be full disclosure if someone is caught.  These fingerprints already look Russian, but we have to remember that just because Russian gangs sell software to anybody with a pulse, they are not necessarily the ones who pull the trigger.  That analogy is a variant of the gun manufacturers' motto:  Software does not steal.

But nobody in cyber security talks much about the second half of Clapper's comments - who ordered it.  In this case, that may have more importance than the origin of the attack.  If it was some under 30 something who bought the software on the Dark Web and launched this thing, not knowing the outcome, nobody is going to care except his mother and the government where he/she lives.  That is not likely from what I saw.  There are notifications in almost every language that a person can have on a computer screen, a place to pay "ransom" which does not seem to be well used, and not much of an attempt to release documents that were paid for.  That doesn't sound like the criminals we are used to.  Maybe, as some suggested, they were overwhelmed by the success of their efforts.  Maybe is the operative word in attribution.  Who ordered it?  No maybe, no guessing, just the facts.

Monday, May 15, 2017

North Korea is Not Going Quietly

At some point the world is going to say "enough" but that point does not seem to have come just yet.  Part of that may be in the fact that North Korea is not threatening to lob a nuclear weapon at Bonn, London, or Moscow.  If one lands in the U.S., the leaders of those countries would be the first to say, "What was that?"  That will be quickly followed by condemnation of what is left of North Korea and the United States.

China certainly does not seem to be helping, which is no surprise to me, but seems to be to the press.  North Korea only exists because China wants it to.  South Korea was ready to cozy up to the North and establish some normal relations, but that will go by the wayside now.  China never did like the idea of a Korea that was joined, so this suits them.  So does the bellicose North making threats towards the United States.  The Trump Administration can't do much about these threats and the Chinese are wondering what they will do.  They won't have to wonder long if this continues.  China says, "It wasn't me" while its proxy holds parades and makes threats.

So, that has led me to wonder what we can really do about all this bluster.  We could undermine the North's economy.  We could have talks with China about their wayward child.  We could run an aircraft carrier up their way.  We could have joint exercises with the South.  We could isolate them in the U.N.  Oh wait, we have already done those things and they are still testing missiles and promising to launch a nuclear war.  Let's do a blockade.  I'm sure the Chinese will cooperate....

The Chinese continue this charade because they know we can do nothing about it.  They make life difficult for the U.S. while keeping up their island building and expanding trade in Asia.  Concentrate on those and see how long it takes them to get the North under control.

Sunday, May 14, 2017

Philippines Negotiates with China on SCS

Reuters is carrying a story today that the Philippines is prepared to negotiate with China over the South China Sea.  Why not?  They have already won the day in court, something China has chosen to ignore.  We should remember that they not only won, they won big.  The Tribunal ruled that China not only did not have a legitimate claim to the territories they invaded, they were interfering with the Exclusive Economic Zone of the Philippines - a potentially more powerful finding than the territorial claims.  (An exclusive economic zone (EEZ) is a sea zone prescribed by the United Nations Convention on the Law of the Sea over which a state has special rights regarding the exploration and use of marine resources). 

China splits the Philippines off from the rest of the world and negotiates with them separately.  This is after telling the Philippine President what to say about the Tribunal's findings.  For a strongman, he seems like a pretty thoughtful person, playing off the superpowers the way people like him have always done.  


Saturday, May 13, 2017

Who Gets Blamed for Hospital Outages?

Blame the victim is a common way to solve an IT problem.  Although in the case of this latest ransomware going around Britain's hospitals (and lots of other places) there is going to be finger-pointing at the hospitals.  They may deserve some of that criticism.

Ransomware doesn't evolve out of thin air.  It uses known vulnerabilities of software which it then exploits and uses that to insert other code to do the encryption of the users' files.  In this case, it was a known vulnerability of Microsoft.  Microsoft issued a fix for that vulnerability in March.  So, we could say, "They should have updated their systems with current patches."  That allows the victim to be blamed, even though that was two months ago and it takes time to get these patches out in the field, and Microsoft said in the announcement of this patch that the vulnerability was not currently being exploited.  That was said even though on the Dark Web exploitation software was being sold.  Surely Microsoft must follow what is being sold to exploit their vulnerabilities.  One would think so.  When I used to see "not currently being exploited" I put that patch on the back burner.

Some people paid the ransom, and those people are being criticized for it.  These are hospitals with people potentially at risk if the diagnostic files are not recovered.  They had few choices and we can't blame an Administrator for going with the one that helped the patients.

Every now and again there is an incident that arouses enough interest that governments cooperate in resolving a problem.  Whoever did this should be electronically decapitated by the governments involved.  The Intelligence services of our combined places can find them.  This is over the edge and should prompt a call for action on the part of every Government involved.  Why haven't they done it already?

Friday, May 12, 2017

Conspiracy Software

Senator Marco Rubio asked the Intelligence Chiefs yesterday if any of them had Conspiracy Software on their computers.  All of them said no, a couple with a little chuckle.  There was no other discussion, and no reason given for the question.  I tried to find something on why he would have asked that question, but couldn't.  Half the Free World knows there is something wrong with it, and the other half is looking for what that might be.  That is the kind of question that we have closed sessions of Congress to cover.  He can be cute there and nobody will see it.

A New Executive Order on Cyber Security

There were a couple of good things about the new Executive Order on Cyber, but the big surprise was Tom Bossert, the Cyber Advisor at Homeland Security.  He is articulate, composed and can handle the press - no small feat in Washington.  Generally speaking, Homeland Security was the armpit of public policy and completely devoid of any understanding of Cyber, so this guy will make some difference.  A few more people like him and we could say Homeland can speak for part of the cyber business - the civil government side, at least.

One good thing came of the policy:  a recognition that the Federal government is an enterprise and should be managed like a large corporate data system, policy and money management at the top, and implementation in the other parts of the enterprise.  Quite a few people do not know that this idea came well before this EO but nothing was ever actually done the way it was described by the Obama Administration.  They had good policy, but seldom followed any of it.

The second is the use of cloud services, something most of the agencies will benefit from.  They will save money as service providers give them a better product that should be more secure than the mish-mash they have today.  This is already being done in AWS, Google and internal Federal systems run by the government itself.  Unlike most projects, this aspect has been going on pretty smoothly.

They are still going to use the NIST Framework which is not good policy.  There are no minimum security requirements and it is still a risk-based, rather than a threat-based policy.  It is a good policy for people who make policy because it covers their collective asses.  They can always point to something in that mass and say, "They didn't do that part" when something bad happens.  Never mind that the last 7 or 8 big hacks of government have all used basically the same attack techniques, about which nothing has been done, either technically or policy wise.  That is the sign of a failed policy - and insanity - by doing the same thing over and over expecting a different result.

Another interesting thing about this is the EO wasn't published.  Nice to see that not everything the White House does is available for the world to see.  In the name of openness, the Obama Administration published lots of things that were dangerous to us.




Thursday, May 11, 2017

China's Long-time Sanctions Violations

There was an interesting piece in the Wall Street Journal a couple of days ago about sanctions on North Korea.  China routinely avoids enforcing sanctions against places like Iran and North Korea, while voting for them in the U.N. or in separate negotiations.

The article says:   "China’s Limac Corp. and North Korea’s Ryonbong General Corp. set up a joint venture in 2008 to mine tantalum, niobium and zirconium, minerals that are useful in making phones and computers but also nuclear reactors and missiles.".  

China writes this off because the joint venture didn't do very much mining.  In this kind of mining, it doesn't take much.  These metals are good for making alloys that are much stronger than the components by themselves, so-called "superalloys".  

Aside from how much it might take to make a good warhead, just the setting up of this type of agreement shows how quick the Chinese are to violate a sanctions protocol, even before the ink is dry.  Next time we hear that the Chinese are supporting sanctions on North Korea for their wild shenanigans, try to remember that the likely outcome of those sanctions will be nothing.  If we think the Chinese will help get the North under control - in exchange for better trade considerations for China - take that with a grain of salt.  We may be trading better trade agreements with China for next to nothing.

Wednesday, May 10, 2017

NSA Confirms Russians in French Elections

According to several press reports, which you will have a hard time finding since they are all pushed to the back pages since the Director of the FBI was fired yesterday, Admiral Rogers said U.S. intelligence had warned the French there were Russians getting information from the election in France.  Since the Macron campaign said the same thing, that pretty well confirms that it was the Russians, as I said in a previous post.  No surprise there.

I doubt that this is going to go over very well in any of Europe's political circles, nor are they going to forget that it was the Russians.  They are overstepping their bounds, and doing it recklessly.  That will come back to bite them one day.  Political Warfare is recognized as a part of countries trying to sell a particular form of government over another, but this campaign of the Russians is way beyond anything we have ever seen before.  They are spending a lot of time and resources on it.  They must believe that it is getting them a return that makes that investment worth while, but I am still at a loss to see how.

We need to start soon collecting some allies in the cyber operations of the Russians.  The first need is for a deterrent capability that is credible.  The Russian activity is in-your-face and trying to undermine Democratic institutions.  It has to stop.  It will have repercussions long after it is over.

What makes the Russians think they can get away with it?  Are they so confident in their technical ability that it makes them think they can continue to interfere in the politics of other countries without any consequences?  The French are a pretty capable group in cyber operations.  So are the Americans.  Taking on the most capable of the world's cyber operations forces sounds like they are up for a fight.  They may find out that is not a fight that is in their best interests.

Monday, May 8, 2017

EB-5 Visas and President Trump

So, it seems the Democrats, specifically the Clinton Family ones, weren't the only ones taking advantage of donations from the Chinese looking for U.S. citizenship on a fast track.  It turns out that Jared Kushner of Kushner Companies was doing the same thing.  The Wall Street Journal, Reuters and a host of others are reporting on it today.  We note the Washington Post and CNN were quick to point out the same thing, but said nothing when the investigation of Terry McAuliffe was going on in Virginia over his links to the same thing in the Hillary Clinton campaign.  McAuliffe was even mentioned in the Homeland Security report on abuses of the program for trying to influence DHS to give more visas to people in Virginia.  According to that report he was harassing the Deputy Director of DHS to get what he wanted.  Over 90% of the EB-5 visas go to Chinese nationals who then get a green card and a fast track to citizenship that is clearly unjust.

Perhaps now we can get some bipartisan momentum to do away with this stupid program that allows rich foreign nationals to buy U.S. citizenship.  Once they have a green card they can donate to election campaigns in the U.S.  That is all it takes to be legal.  That money is going into political parties which are reluctant to give it up.

This is while people who applied 10 years ago still cannot get theirs granted.  They didn't have half a million dollars to buy that piece of paper.  I don't blame investors or those running these large construction projects for seeking this kind of money.  It benefits both sides, but it sure doesn't benefit the long line of people who have applied for citizenship and have been waiting forever.

Saturday, May 6, 2017

Macron's Campaign Hacked

Well, it is not like I didn't warn you.  At the last minute in the campaign the release of thousands of hacked e-mails will create some doubt about the candidate and his theme.  Only this time, it may have been too close to the actual election to do much good.  People have already made up their minds, and unlike the drip-drip of the U.S. campaign, this will do little good.  A long drawn-out affair is better when trying to persuade an audience.  Was it Russia?  Of course.  Maybe in their next election they can get some of their own back.

Thursday, May 4, 2017

New China Enforcement for Businesses

Well, we knew it was coming, but some companies fought it tooth and nail.  The new cyber security laws in China are formally being enforced starting in June.  It is an amazing intrusion into the proprietary software part of businesses operating there.  The software has to be "secure and controllable" and to prove it, some companies are being required to submit source code.  That part has been going on for some time.  Imagine if the U.S. Government would decide to have every foreign business like SAP or Airbus submit code to NSA for review, then turn over that software to the competitors of those businesses. There are not enough lawyers to cover all the lawsuits that would take place.  But, China seems to be able to get away with it because they allow access to some of China's billion potential customers.

The discussion that ought to be brought to the Boards of companies in China is whether or not the short-term profits that come from those customers are worth giving up the trade secrets in that code.  Apple has certainly had that discussion already over the encryption it does for its customers.  It still does not want to give that up.  I'm not really concerned about the ones who fight and lose business over there.  I worry about the ones that give in and don't say a word.  "It's the law" they say.  Do you really want to mortgage your future on assurances that the code will not be compromised to Chinese industries when China has the history of stealing anything it thinks it needs?

Tuesday, May 2, 2017

When Hamas Declared War

I find it interesting that the newspapers of yesterday were touting the Hamas declaration that they no longer would seek the destruction of Israel.  When a political group like this decides to announce that their intention is to destroy another country, that is a declaration of war. Nine years later they were in power through elections in Palestine, showing the people living there had some agreement with their intention.  So, when Hamas decides to revise its position, the credibility of their current statement has to be a little suspect.

Two years ago, the United Nations accused Hamas of firing 4800 rockets and 1700 mortar rounds into Israeli territory.  Amnesty International accused Hamas of indiscriminate attacks on civilians because the rockets are so inaccurate that they killed Palestinians and Israelis alike.  A 50-day war kicked off and Amnesty says Israel committed some war crimes themselves during that time by destroying houses and schools where they thought Hamas was hiding out.  There is enough resentment on both sides to preserve a war footing for considerably more time.

So, should we rejoice at the revision of a charter calling for the destruction of a state?  In diplomatic circles it is "progress" that should not be ignored, but I don't think Israel is going to stop patrols along the border.  Let's see if the Hamas actions speak as loud as their words.

Monday, May 1, 2017

SWIFT's Makeover Slow in Coming

Although it is an old story now, the hacker penetration of a small part of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) was big news in 2013 when Sonali Bank was hit.

When I first started in cyber security we looked to SWIFT as the gold standard for how to keep a system secure.  It had two things going for it: (1) Incentive:  it was the transfer of money and money was always a target; (2) Good Policy:  policy that was followed with high standards.  Thefts from banks in India, Ecuador, and Vietnam leave that confidence shaken.  This is, of course, on top of the $81 million in Bangladesh central bank.

I repeat this comment from my previous post:  "A senior Sonali Bank official said the bank had informed Swift about the breach of its system in June 2013. Abu Muhammad Mustafa Kamal, secretary of the Anti-Corruption Commission, which investigated the Sonali Bank theft, said his agency “hadn’t been asked” to share information on the incident. The investigation found that the passwords of the Swift server were hacked, he said."  That is not the way SWIFT is supposed to work. It means there are a lot more thefts that have gone undetected, or unreported.  Somebody is making billions off of this and it isn't SWIFT.  

SWIFT has been slow to clamp down on internal security of banks.  It took 4 years to get out the current policies and start to put some teeth into the policy, going through regulators to do it.  It is a huge system, but this is real money here.  You would think they could move faster than that.

From the technical side, they are instituting two-factor authentication, which has been around long enough that my wife has figured out how to do it.  This is not exactly rocket science, nor state of the art security.  It reminds me of a class I did for some of the seniors at IRS.  I showed them some statistics on virus software for people who never knew they had a virus in their system, and ones that knew they had one.  Guess which ones had virus software installed?  The enterprise should be installing it for everyone and not allowing it to be a personal decision.  One would think SWIFT would be ahead of the curve and not catching up.