If you choose to believe the writings of Mandiant, you’re under the impression that “Chinese hackers are hellbent on taking over every large corporation in the United States.” If you choose to follow the writings of McAfee[2], you’re under the impression that “Chinese hackers only wanted Google’s secret sauce” – their source code. If you choose to follow Damballa’s writings[3], the attackers who penetrated Google are amateur script kiddies. Take your pick, there is no lack of speculation.
Many security professionals have sent me irate comments via e-mail like: “You’re insane! You can’t block China!”; “How long have you been in security! You can’t block a whole country!” These remarks come in response to my writings concerning “cyberwarfare”, “China” and similar themes. In today’s blog entry, I bring to you: “Advanced Persistent Errata – Defending The Castle;” in other words, “Blocking ANYONE you damn well choose to block.” Security managers will recognize some of these themes specifically as ISO27002 11.4.4, as well as other controls listed in ISO27002 (11.1.1, 11.4.1, 11.4.6, and don’t forget the mentions of ISO 18028-1:2006, ISO 18028-2:2006, ISO 18028-3:2005, ISO 18028-4:2005, ISO 18028-5:2006.) Enough about the numbering for now, as it can become headache-inducing.
Over at Forbes they posted an article[1] documenting how “dozens of defense contractors” for the United States government were compromised and have been getting compromised since 2003. Since the article mentions the year, I’ll use that same year as a starting point; however, other articles point to infiltration much earlier. After reading much of the same, I pose the question: “What keeps going wrong and why don’t they just minimize the compromise?” There will be those in many large companies – especially those in the defense industry – who will spurt “we can’t! It’s too sophisticated! You don’t know Jack!” It’s to IT professionals making those wild claims (we can’t) that I say: “You shouldn’t be in this industry.”
Security professionals, industry heavyweights, forensics experts and others in the security realm are expounding many differing views of APT, which is becoming a better-known buzzword thanks to media outlets (we’re no better). Many of these views are often confusing, and the fact that many in the industry aren’t privy to the full scope of an “APT” based attack is not helpful either. When I wrote the article “Defending Against the Advanced Persistent Threat”, it was based on publicly available information. Many professionals took shots at how I called it (I said that it was nothing new to see, so move along), and I still hold my ground when it comes to my views: There is nothing advanced here, so move along. Security professionals are highly competitive and rather than take cheap shots or call names, I will pick up from where I left off.
Wired has written a detailed report [1] on Mandiant’s findings in response to the hacks that targeted Google and other major companies, and the report is both interesting and questionable. I have no reservations about the levels of expertise coming out of Mandiant or their findings; I do, however, have reservations about the explanations and interpretation of what was summarized in the Wired article.
US government officials have demanded an investigation into the compromise of 52 government-related websites being housed “in the cloud”. According to an article: “the hackers may have gained access through the content management system of third-party vendor GovTrends, although it cannot confirm this until more information is made available. It appears, however, that all the hacked websites are maintained through GovTrends. Joomla CMS, but not all House websites managed through this service, were victims of the attack.” [1] While Congress fiddles around demanding answers to “what happened?”, I sit wondering why a more specific question isn’t asked: “Why did it happen?” Not “why did the compromise happen?”, but “why in the world did the government get suckered into the cloud?”
Cloud security enthusiasts and evangelists will be quick to downplay the significance of the latest “cloud compromise” news: “Hackers deface 49 Congressional House websites after State of the Union” Whatever any of them say, the reality is what it is – government data does not belong on the cloud, period. “Shortly after the President completed his State of the Union speech, a well-known group of Brazilian hackers, Red Eye Crew, apparently had their own comments to make. Unfortunately, they decided to voice their Obama-directed profanities on House Congressional members’ websites. The same hackers had previously broken into sites for the U.S. Department of Transportation, the U.S. Department of Agriculture and NASA. Apparently all sites were hosted and managed by GovTrends, an Alexandria, Va.-based Web services provider. Likewise, 18 of the 49 hacked sites experienced similar attacks less than a year ago, through vulnerability with the same vendor.”
TMCNET posted a pseudo-interesting document this morning entitled “Cloud Security Recommendations” and, in an investigative and logical fashion, I decided to analyze what was said by TMCNET and what is being said by others in the industry. I hereby introduce the “Top 10 Ways To Waste Corporate Money on Cloud Computing Security Assessments.”
People from all walks of life including influential decision makers are quickly firing off ye ole “Blame Microsoft” rants this week after another debacle involving Google and China. The debacle involved so-called State Sponsored (from China) “hacktivities” to compromise Gmail accounts. The attacks were – as we’re told – targeted towards Internet Explorer version 6 (IE6). I’m curious to know why someone is even bringing Microsoft into this mix. I say, blame those still using IE6. There certainly is a lot of controversy surrounding China’s “hacktivities” [1,2,3] and security theater [4] in the past, so this won’t be discussed right now. What I will discuss for a few paragraphs is pure common sense for a little bit.
It was inevitable that someone with their head in the clouds would respond to our initial article “Want Some Fake Fries With That Vapor Shake.” To our liking, the folks at ‘Secure Cloud Review’ [1] have done so. While it wouldn’t be in anyone’s best interest to play the blame-game, as a colleague of mine asked, I too shall ask: Exactly what point is their article trying to make?