Schneier on Security

Fed.up • March 4, 2021 7:04 PM

@ Kurt

The hosted version has been acknowledged to be compromised (links fractured)

ht tps://thehackernews.com/2021/02/solarwinds-hackers-stole-some-source.html

Authenticator is 2FA
Intune is mobile device management

using BYOD to authenticate onto corporate or government networks is a bad idea IMHO
It’s a violation of all AUP’s, NIST 800-53

I wonder if this attack began with apps? There was an article on Bleeping Computer about a data dump of LinkedIn passwords found on the dark web and that it might be associated with this attack. The author surmised it might be the genesis of the compromised credentials.

How many users repeat use of passwords? It wasn’t only SW that does this.

Most of my employers banned social media including LI on work issued equipment. But then migrated to 0365 and never assessed the security ramifications of Authenticator on BYOD. How can anyone think that installing corporate tooling on employee devices will ever be safe, no matter how much scraping Microsoft performs? When Microsoft or LinkedIn is scraping BYOD data that means others are too. A compromised employee is a compromised employer.

What Microsoft fails to recognize is that most of their customers have outsourced Exchange so they have no ability to get to Zero Trust, even though Microsoft claims it is the solution to this attack.

Last September Microsoft announced they will no longer be selling on-prem licenses. They also recently announced exchange server will become passwordless. This seems like the Windows 10 upgrade where no one had a choice in the matter.

ht tps://en.wikipedia.org/wiki/Racketeer_Influenced_and_Corrupt_Organizations_Act

Fed.up • March 4, 2021 7:28 PM

@ Clive

I am in agreement with you on LI and Krebs.

I visit Krebs site when I want info on Microsoft patches. But sometimes the comments are very helpful as in this case.

One thought about LI. They likely have a lot of metrics. They surely know what constitutes normal attrition at all types of companies. I bet they can tell when a company has crappy Cybersecurity. Because Cybersecurity turnover is a regulatory measure that indicates elevated risk. When companies won’t address vulnerabilities talented cyber employees move to a new job rather than risk their resume.

Fed.up • March 5, 2021 6:35 PM

@ Clive

I wish I could have a cup of tea with you one day. I know we would have a lot to talk about.

I cannot engage here on that topic as much as I would love to right now.

But I will say this, social media is one of the vectors of this attack.

The Cisco/Microsoft attack was a cookie attack.

But we don’t know which app on the phone was throwing those cookies. It is likely more than one app. It is also likely very popular.

I don’t even have email on my phone. No apps. Just voice/text.

Cheers!

Fed.up • March 6, 2021 11:21 AM

@ Clive (links fractured)

For your reading pleasure. Chris Krebs was formerly the Cybersecurity Director of the Dept of Homeland Security. The top US Cyber official. He previously worked for Microsoft. Here’s a few of his tweets about the Microsoft attack yesterday:

It will turn into Ransomware:
ht tps://twitter.com/C_C_Krebs/status/1368004412959043591

It is caused by “contractors gone wild”. Biden cannot handle this.
ht tps://twitter.com/C_C_Krebs/status/1368004411545579525

The solution is to move to the cloud
ht tps://twitter.com/C_C_Krebs/status/1368004403748343808

It was caused by customers hosting Exchange and it is wrong to do that. Retweets China now owns them
ht tps://twitter.com/C_C_Krebs/status/1368004401705717768

QUESTION:
Is this another watershed attack like 9/11? Surely there are lots of whistleblowers who tried to prevent this. Prior to 9/11 the FBI had a lot of whistleblower tips that they ignored and repressed. Congress investigated and wanted to shut down the FBI (report linked below). The compromise was to create the Department of Homeland Security under which the FBI would be contained and reined in. So here we are 20 years later going through yet another massive attack that has the potential to destroy our country and then like now it was perpetrated by those we trusted and called our friends. The Head of the FBI then was Robert Mueller and here’s his 2002 report. ht tps://archives.fbi.gov/archives/news/testimony/fbi-reorganization

MICROSOFT and CHINA:
China is the big get. American companies always think they are terminally unique and China will let them make big money. But it never happens. Even Jack Ma got smacked down and ANT group was just valued at $0 by China after the USA investors (Silver Lake and friends) threw $10 Billion at it. Now that money is poof – gone.
ht tps://www.ft.com/content/f0950778-450e-4ef2-804d-7e16946ac4c0

Even so, it appears that Microsoft is betting on China and perhaps they even cut a backroom deal to hand over a gutted USA? Yesterday Microsoft announced that are in a joint venture with a Chinese Gov’s 21Vianet to build out cloud infrastructure and Azure in China. China’s cloud is already dominated by Alibaba, Tencent and Baidu.
ht tps://www.msn.com/en-us/money/other/microsoft-is-opening-a-new-azure-cloud-computing-region-in-china/ar-BB1ehBiv

China’s 21Vianet is listed on Nasdaq so they will be using American money to fund this Chinese project. Meanwhile Chinese companies trading on US Exchanges do not provide any audited financial statements. We have no insight into their profit or income, no where our investment goes. In the past few months this stock has surged from $5 to $40 p/s ht tps://finance.yahoo.com/quote/VNET/key-statistics?p=VNET

Last year Google abandoned China for the 2nd time because they recognize they will never make money there. ht tps://www.zdnet.com/article/google-abandons-plans-to-provide-cloud-services-in-china/

Also yesterday Bloomberg identified the “Peace Cable” as an additional source of stress of the USA. Going forward the USA may have difficulty communicating with the Middle East. It certainly strains our already strained relationship with France. ht tps://www.bloomberg.com/news/articles/2021-03-05/china-s-peace-cable-in-europe-raises-tensions-with-the-u-s

I find it so offensive that China fund their country’s infrastructure with American pension and mutual fund money on Nasdaq and NYSE. I’d rather US Institutions invest in fossil fuels and Smith and Wesson — at least that’s profitable and they do business in the USA.

American cultural norms make Americans different, not better. That’s why American tourists always stand out wherever they go. Each country has a cultural norm. In some countries it is okay to cut off women’s heads or rape children. Women have no rights. And in some countries the only way to get ahead is to game the system. Darwinism. But Americans always make the mistake of thinking that other countries want to embrace our cultural norms when their people come here to work or do business with us from afar. That is never the case. American Exceptionalism that you/Clive spoke about is really just ignorance and bias. ht tps://nypost.com/2021/03/04/biden-tells-nasa-engineer-indian-americans-are-taking-over-the-country/

I think Chris Krebs is correct that Biden may not have the backbone for what he needs to do.

ht tps://www.nytimes.com/interactive/2019/03/10/technology/internet-cables-oceans.html