Pentagon Defense Department travel records data breach

Pentagon – Defense Department travel records suffered a data breach that compromised the PI and credit card data of U.S. military and civilian personnel.

Twenty some odd years ago I worked on a proposal team to win this very contract. As a security practitioner in the 90’s, the level of security that the DoD wanted was refreshing. This was the first example of a potential client understanding the risk of metadata – that someone could potentially deduce what the DoD planned by watching non-military travel records without necessarily having access to the detail.

No one was thinking specifically about payment or personal information. It was probably assumed that other threat scenarios would cover this data, but my recollection is hazy at best.

By the way, my employer and deal partners did not win the contract.

Chinese Supply Chain Hardware Attack

Chinese Supply Chain Hardware Attack:

Bloomberg is reporting on a Chinese espionage operation involving inserting a tiny chip into computer products made in China.

I’ve written (alternate link) about this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product. No one wants to even think about a US-only anything; prices would multiply many times over.

We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.

(Via Schneier on Security)

The story has moved on since publication last week, but Bruce’s words still hold true.

DHS Report on Security Threats to Agriculture Industry

DHS Warns of Cybersecurity Threats to Agriculture Industry:

A new report from the U.S. Department of Homeland Security called Threats to Precision Agriculture warns against the cybersecurity risks faced by the emerging technologies being adopted by the agricultural industry. Known as “precision agriculture,” the technologies include internet of things (IoT) devices such as remote sensors and global position systems (GPS) and the communications networks that support them. These devices generate large amounts of data which is then analyzed by machine learning systems to improve crop yield and monitor the health of livestock.

(Via BleepingComputer)

The DHS report seems to be a nice primer on Precision Agriculture. The security advice, while correct, takes a basic approach that no one in the industry has proper security controls in place. I would have liked to see something talking more about protecting the supply chain, the use of penetration testing and OT monitoring, and leveraging newer technology when it comes to integrity such as blockchain.

As it stands from the security perspective, this paper doesn’t break new ground or talk about uniquely industry specific needs. The risks are legion, so more effort could have been applied.

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

I like this quote from the TV show Elementary:

Are governments capable of evil? Yes. Of course they are. All institutions are. But they are more capable of incompetence.

Apply a bit of Occam’s Razor as well and the puzzle gets a bit less scary.

Again, the news is still forthcoming so I may well eat my words.

TaoSecurity: Network Security Monitoring vs Supply Chain Backdoors

The limitations of this approach are worth noting. First, if the intruders never activated their backdoors, then there would be no evidence of communications with C2 servers. Hardware inspection would be the main way to deal with this problem. Second, the intruders may leverage popular Internet services for their C2. Historical examples include command and control via Twitter, domain fronting via Google or other Web sites, and other covert channels. Depending on the nature of the communication, it would be difficult, though not impossible, to deal with this situation, mainly through careful analysis. Third, traditional network-centric monitoring would be challenging if the intruders employed an out-of-band C2 channel, such as a cellular or radio network. This has been seen in the wild but does not appear to be the case in this incident. Technical countermeasures, whereby rooms are swept for unauthorized signals, would have to be employed. Fourth, it’s possible, albeit unlikely, that NSM sensors tasked with watching for suspicious and malicious activity are themselves hosted on compromised hardware, making their reporting also untrustworthy.

The remedy for the last instance is easier than that for the previous three. Proper architecture and deployment can radically improve the trust one can place in NSM sensors. First, the sensors should not be able to connect to arbitrary systems on the Internet. The most security conscious administrators apply patches and modifications using direct access to trusted local sources, and do not allow access for any reason other than data retrieval and system maintenance. In other words, no one browses Web sites or checks their email from NSM sensors! Second, this moratorium on arbitrary connections should be enforced by firewalls outside the NSM sensors, and any connection attempts that violate the firewall policy should generate a high-priority alert. It is again theoretically possible for an extremely advanced intruder to circumvent these controls, but this approach increases the likelihood of an adversary tripping a wire at some point, revealing his or her presence.

An assessment of the Bloomberg hardware compromise report that provides insights I hinted at but that are better articulated here.

I remain skeptical this happened. It seems cheaper and easier to introduce fear, uncertainty, and doubt (FUD) into the supply chain than to actually compromise it (beyond what the Chinese supply chain already does to skim money). Again, time will tell.
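
The excerpt above describes one concrete control for the fourth limitation: sensors may only reach a short list of trusted local systems, an external firewall enforces that, and any violation is a high-priority alert. The following is an added example (not code from the original post or from TaoSecurity) of the triage logic that would turn such firewall logs into alerts; the log line shape, the sensor addresses and the allow list are all constructed for the example.

```python
# Added example: flag NSM-sensor egress that violates the "no arbitrary
# connections" policy. Log format and addresses are constructed, not from
# any real firewall product.
import re
from typing import Dict, List

# Sensor addresses and the only destinations they may reach (constructed).
SENSOR_IPS = {"10.10.5.10", "10.10.5.11"}
ALLOWED_DESTS = {
    ("10.10.1.20", 443),  # local patch/update mirror
    ("10.10.1.30", 514),  # syslog / NSM collector
    ("10.10.1.40", 22),   # maintenance jump host
}

# Constructed line shape: "<ts> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def triage(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per sensor-originated connection whose destination is off
    the allow list. A DROP still alerts: the policy held, but something on
    the sensor tried to leave, which is exactly the tripwire wanted here."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unknown line shape: ignore rather than guess
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src not in SENSOR_IPS:
            continue  # only sensor egress is in scope here
        if (dst, dport) in ALLOWED_DESTS:
            continue
        alerts.append({"ts": m["ts"], "sensor": src,
                       "dest": f"{dst}:{dport}", "outcome": m["action"],
                       "severity": "HIGH"})
    return alerts

# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2018-10-08T10:00:01Z ACCEPT src=10.10.5.10 dst=10.10.1.20 dport=443",
    "2018-10-08T10:00:02Z DROP src=10.10.5.10 dst=203.0.113.7 dport=443",
    "2018-10-08T10:00:03Z ACCEPT src=10.10.5.11 dst=198.51.100.9 dport=53",
    "2018-10-08T10:00:04Z ACCEPT src=10.10.7.5 dst=203.0.113.7 dport=80",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The fourth sample line comes from a non-sensor host and is deliberately out of scope; the third line is the worrying case, an accepted off-policy connection that means the firewall policy itself is wrong or bypassed.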

The one serious MacBook Pro security flaw that nobody is talking about

The one serious MacBook Pro security flaw that nobody is talking about:

It’s the USB-C ports. Because of the USB-C ports, all MacBook Pros introduced since late 2016 are inherently unsafe. Likewise, all of the 12-inch MacBooks introduced since 2015 are inherently unsafe.

(Via Latest Topic for ZDNet in security)

Yep. The article cites several cogent references supporting the premise.

It’s funny how hardware manufacturers, including Apple, moved power to a shared data port like USB-C where I expect users cared more about disposing of the myriad proprietary power connectors. Apple, with MagSafe, designed and delivered an elegant solution. More and more vendors eschew ports in the vain pursuit of thin, and this puts customers (you and me) potentially at risk.

Are we all suffering from data breach fatigue?

Are we all suffering from data breach fatigue?:

It could also be, as New York Times reporter Mike Isaac noted on Twitter, that the constant barrage of news about Supreme Court nominee Brett Kavanaugh and the never-ending outrage about whatever Donald Trump just tweeted tends to use up the oxygen in the media; there is little left for things like a garden variety Facebook data leak. But as Isaac and others have also pointed out, this wasn’t just a routine breach—in this case, hackers got access to the full accounts of certain users, which means they also got access to whatever other services those users had logged into using their Facebook credentials. That significantly expands the potential damage of the hack, since many people sign into other services such as Tinder and Spotify with their Facebook login (on Tuesday, Facebook said in an update that it hadn’t detected any evidence of compromised third-party logins, although its investigation is still ongoing) …

Some users threaten to delete their accounts, and it’s possible that some do, but the vast majority don’t seem to care.

(Via Columbia Journalism Review)

I’m tired of the breach news barrage and it’s my job to stay current. Other topics dominating the news outside of my immediate personal and professional needs I muffle or mute if possible.

Global Cybersecurity Norms

Fresh off the release of its national cybersecurity strategy, the Trump administration gauged interest at the United Nations in restarting talks on global cybersecurity norms. The negotiations, which collapsed last year amid reported acrimony among the U.S., Russia and others, aim to set limits on government-backed hacking at a time when offensive operations are abundant.

At a meeting Friday with representatives of more than 20 countries, Deputy Secretary of State John J. Sullivan raised the prospect of restarting the norms dialogue at the U.N. Group of Government Experts (GGE), according to a State Department statement. Sullivan told reporters the department hopes to reconvene the GGE “to define norms of behavior that states will abide by and, if they don’t, to impose consequences.”

Worth a read. I remain skeptical governments, especially the U.S., can achieve anything meaningful.

Diplomacy and Defense

Diplomacy and Defense in Cyber Space:

The strength of our society rests on the strength of our IT. In a world where everything is connected—phones, cars, houses, electric grids, supermarkets, hospitals, financial systems and satellites—everything can be disrupted, if not destroyed. For several years, cyber threats have featured at the top of the risk assessments of government ministers, diplomats, intelligence officials and military leaders. What is missing in these debates is a grand strategic vision. Cyber diplomacy and cyber defense should become the bread and butter of our foreign and security policy debates.

(Via Lawfare)

The article is taken from a talk given to EU Foreign Ministers. It is geared toward the political and legal. The overuse of “cyber-” to an extent I haven’t seen in a long time removes much of the import at first glance. As it is, the presentation doesn’t say much particularly new.

However, the presentation restates some excellent points:

  • How do and which legal frameworks apply?
  • How do sovereign and international laws apply?
  • What is the role of attribution?
  • How do political and military organizations work together?

None are addressed particularly well. Far from a criticism, I like this talk because it brings these points up again without prescription.

The oddball bit, in a good way, is the section titled “Cyber Security Exercises”.

Let me be plain: I STRONGLY agree with this. I think the talk provides an excellent prescription:

What is important here is that cyber exercises should not be the playground of only the ministers of defence. Cyber security and cyber defence go beyond the military community boundaries. Thus, cyber security should also be exercised by other ministers, including the ministers of foreign affairs, as most real world crises in the future will have cyber components, to which political and diplomatic response will be required in addition to technical response.

Yes! Ministers, departments, and every other governmental organization need to take responsibility for their own security and not passively wait for law enforcement, military, or intelligence agencies to do it for them.

The conclusion:

As digital is the new normal, there are boundaries of acceptable state behaviour in cyberspace, just as there are everywhere else. States have to be clear about how international law obligations bind us. Each of our like-minded nations individually should be open and clear in setting out the rules it feels bound by. Staying silent means accepting that cyberspace is a grey area and a dangerous place. We must not allow that to happen – we should work together and take united steps to ensure that future generations do not question why nothing was done when so much was at stake.

As skeptical as I am about governments’ ability to do much of anything, I am open to being surprised by something that balances security, privacy, civil liberties & freedoms, and business needs.

Notes on the Bloomberg Supermicro supply chain hack story

Notes on the Bloomberg Supermicro supply chain hack story:

Bloomberg has a story about how Chinese intelligence inserted secret chips into servers bound for America. There are a couple of issues with the story I wanted to address.

The story is based on anonymous sources, and not even good anonymous sources. An example is this attribution:

a person briefed on evidence gathered during the probe says

That means somebody not even involved, but somebody who heard a rumor. It also doesn’t mean the person even had sufficient expertise to understand what they were being briefed about.

The technical detail that’s missing from the story is that the supply chain is already messed up with fake chips rather than malicious chips. Reputable vendors spend a lot of time ensuring quality, reliability, tolerances, ability to withstand harsh environments, and so on. Even the simplest of chips can command a price premium when they are well made.

(Via Errata Security)

The truth on this story is still revealing itself. I do know that I already tire of it.

Robert Graham’s article is the strongest critique of the Bloomberg story I’ve read. My skeptical nature tends to agree with him until more facts are known.
