• Sc chevron_right

    Microsoft Signing Key Stolen by Chinese / Schneier · Sunday, 6 August - 17:05 · 1 minute

A bunch of networks, including US Government networks , have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers . The phrase “ negligent security practices ” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.

I believe this all traces back to SolarWinds . In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks. We know that Russia accessed Microsoft source code in that attack. I have heard from informed government officials that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s.

I think we are grossly underestimating the long-term results of the SolarWinds attacks. That backdoored update was downloaded by over 14,000 networks worldwide. Organizations patched their networks, but not before Russia—and others—used the vulnerability to enter those networks. And once someone is in a network, it’s really hard to be sure that you’ve kicked them out.

Sophisticated threat actors are realizing that stealing source code of infrastructure providers, and then combing that code for vulnerabilities, is an excellent way to break into organizations who use those infrastructure providers. Attackers like Russia and China—and presumably the US as well—are prioritizing going after those providers.

News articles .

  • chevron_right

    Chinese state hackers infect critical infrastructure throughout the US and Guam / ArsTechnica · Wednesday, 24 May - 23:11

Chinese state hackers infect critical infrastructure throughout the US and Guam

Enlarge (credit: | Getty Images)

A Chinese government hacking group has acquired a significant foothold inside critical infrastructure environments throughout the US and Guam and is stealing network credentials and sensitive data while remaining largely undetectable, Microsoft and governments from the US and four other countries said on Wednesday.

The group, tracked by Microsoft under the name Volt Typhoon, has been active for at least two years with a focus on espionage and information gathering for the People’s Republic of China, Microsoft said . To remain stealthy, the hackers use tools already installed or built into infected devices that are manually controlled by the attackers rather than being automated, a technique known as "living off the land." In addition to being revealed by Microsoft, the campaign was also documented in an advisory jointly published by:

• US Cybersecurity and Infrastructure Security Agency (CISA)
• US Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)

Read 7 remaining paragraphs | Comments

  • chevron_right

    Ex-Ubiquiti engineer behind “breathtaking” data theft gets 6-year prison term / ArsTechnica · Thursday, 11 May - 17:59

Ex-Ubiquiti engineer behind “breathtaking” data theft gets 6-year prison term

Enlarge (credit: SOPA Images / Contributor | LightRocket )

An ex-Ubiquiti engineer, Nickolas Sharp, was sentenced to six years in prison yesterday after pleading guilty in a New York court to stealing tens of gigabytes of confidential data, demanding a $1.9 million ransom from his former employer, and then publishing the data publicly when his demands were refused.

Sharp had asked for no prison time, telling United States District Judge Katherine Polk Failla that the cyberattack was actually an "unsanctioned security drill" that left Ubiquiti "a safer place for itself and for its clients,” Bloomberg reported . In a court document , Sharp claimed that Ubiquiti CEO Robert Pera had prevented Sharp from "resolving outstanding security issues," and Sharp told the judge that this led to an "idiotic hyperfixation" on fixing those security flaws.

However, even if that was Sharp's true motivation, Failla did not accept his justification of his crimes, which include wire fraud, intentionally damaging protected computers, and lying to the FBI.

Read 18 remaining paragraphs | Comments

  • Sc chevron_right

    PIPEDREAM Malware against Industrial Control Systems / Schneier · Tuesday, 9 May - 15:24

Another nation-state malware , Russian in origin:

In the early stages of the war in Ukraine in 2022, PIPEDREAM, a known malware was quietly on the brink of wiping out a handful of critical U.S. electric and liquid natural gas sites. PIPEDREAM is an attack toolkit with unmatched and unprecedented capabilities developed for use against industrial control systems (ICSs).

The malware was built to manipulate the network communication protocols used by programmable logic controllers (PLCs) leveraged by two critical producers of PLCs for ICSs within the critical infrastructure sector, Schneider Electric and OMRON.

CISA advisory . Wired article .

  • Sc chevron_right

    Security and Cheap Complexity / Schneier · Friday, 26 August, 2022 - 12:19 · 1 minute

I’ve been saying that complexity is the worst enemy of security for a long time now. ( Here’s me in 1999.) And it’s been true for a long time.

In 2018, Thomas Dullien of Google’s Project Zero talked about “cheap complexity.” Andrew Appel summarizes :

The anomaly of cheap complexity. For most of human history, a more complex device was more expensive to build than a simpler device. This is not the case in modern computing. It is often more cost-effective to take a very complicated device, and make it simulate simplicity, than to make a simpler device. This is because of economies of scale: complex general-purpose CPUs are cheap. On the other hand, custom-designed, simpler , application-specific devices, which could in principle be much more secure, are very expensive.

This is driven by two fundamental principles in computing: Universal computation , meaning that any computer can simulate any other; and Moore’s law , predicting that each year the number of transistors on a chip will grow exponentially. ARM Cortex-M0 CPUs cost pennies, though they are more powerful than some supercomputers of the 20th century.

The same is true in the software layers. A (huge and complex) general-purpose operating system is free, but a simpler, custom-designed, perhaps more secure OS would be very expensive to build. Or as Dullien asks, “How did this research code someone wrote in two weeks 20 years ago end up in a billion devices?”

This is correct. Today, it’s easier to build complex systems than it is to build simple ones. As recently as twenty years ago, if you wanted to build a refrigerator you would create custom refrigerator controller hardware and embedded software. Today, you just grab some standard microcontroller off the shelf and write a software application for it. And that microcontroller already comes with an IP stack, a microphone, a video port, Bluetooth, and a whole lot more. And since those features are there, engineers use them.

  • Sc chevron_right

    Mudge Files Whistleblower Complaint against Twitter / Schneier · Wednesday, 24 August, 2022 - 21:54

Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that they violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitter’s chief security officer until he was fired in January.

The Washington Post has the scoop (with documents) and companion backgrounder . This CNN story is also comprehensive.

EDITED TO ADD: Another news article . Slashdot thread .