End of the year #TechLetters #7 - "cyberattack attribution with politics", the problem of trust, a few breaches and trusting trust
Welcome to the 7th letter. After much consideration, I think I’ll precede all or some of these letters with some editorial/opening comment.
It’s the last letter this year, so perhaps some kind of 2020 summary? I am skeptical of summaries and ‘lists of X’. What I may add is that the single biggest event in cybersecurity this year was the dramatic change in the IT/tech use landscape: increased remote work. Those organisations that had already accepted working remotely as just another mode of work were better equipped for the transition.
Although (based on what we know) the single biggest organised cyber operation is likely the hack of many companies and institutions via SolarWinds’ IT management software, and it looks to be unrelated to the Covid-19 changes.
Supply chain risk holds much potential, and this is not the last time we will hear of this particular vector being used to access and compromise systems. Such a route of entry may bring consequences for technology, business, diplomacy, external and internal affairs, and politics. So the fact of the matter is that if someone is interested in persistent access and high returns, the supply chain is the area to go after. There is also little the targets can do to defend themselves: some well-resourced actors are able to devote great resources to compromising a single system that unlocks access to many, many more systems. No cyber norm will prevent this possibility. If States do this consistently and on a regular basis, this is the cyber norm, even.
Those coding with NodeJS are well aware of how large the ‘node_modules’ directory may become. It is not only large: its size reflects the trust dependencies on other people’s code (or systems), most of them transitive, pulled in by packages you never chose directly. Now let’s reflect on the fact that in technology, many, many other systems behave quite similarly. A lot of trust is implied.
No easy fix exists to the ‘how to trust the trusted’ problem. It is kind of a civilisational problem; it goes beyond technology, even. What we may do is consciously think about, and be aware of, where the trusted parts in our systems are, what relationships they imply, and whether some may or may not be isolated from the rest of the sensitive parts of the system. What can we do? Mapping system dependencies is a good start. On many levels.
At the end of the day, it is a matter of design choices.
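As an added illustration of the node_modules point and of "mapping system dependencies" (this is example code written for this letter, not something from the original text or from any project mentioned in it): the script below reads the `packages` map of a package-lock.json (lockfile version 2/3), applies npm's own lookup rule (a package's dependency is found in its nested node_modules first, then in each parent's node_modules up to the root) and reports, for every dependency you chose directly, the full set of name@version it transitively pulls in. The lockfile is constructed inline and the package names in it are hypothetical; run it against a real lockfile by replacing `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))`.

```javascript
// Added example: map the trust surface behind each direct dependency in a package-lock.json.
// LOCKFILE is a constructed lockfile (v3 "packages" layout); every package name is hypothetical.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-kit": "^1.0.0", "tiny-log": "^2.0.0" } },
    "node_modules/web-kit": { version: "1.0.0", dependencies: { "http-core": "^3.0.0", "tiny-log": "^1.0.0" } },
    // web-kit wants an older tiny-log than the root, so npm nests a second copy under it
    "node_modules/web-kit/node_modules/tiny-log": { version: "1.4.0", dependencies: {} },
    "node_modules/http-core": { version: "3.2.1", dependencies: { "header-parse": "^0.9.0", "ip-utils": "^5.0.0" } },
    "node_modules/header-parse": { version: "0.9.3", dependencies: { "ip-utils": "^5.0.0" } },
    "node_modules/ip-utils": { version: "5.1.0", dependencies: {} },
    "node_modules/tiny-log": { version: "2.0.0", dependencies: {} },
  },
};

// npm's resolution rule: a dependency `name` of the package installed at `fromPath` is looked
// up at `${fromPath}/node_modules/<name>`, then in the parent's node_modules, up to the root ("").
function resolve(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in lock.packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Set of installed package paths reachable from `startPath` (cycles are tolerated).
function closure(lock, startPath) {
  const seen = new Set();
  const stack = [startPath];
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    const deps = lock.packages[p].dependencies || {};
    for (const name of Object.keys(deps)) {
      const r = resolve(lock, p, name);
      if (r === null) throw new Error(`unresolved dependency ${name} from ${p}`);
      stack.push(r);
    }
  }
  seen.delete(startPath); // report what it pulls in, not the package itself
  return seen;
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Map each direct dependency (name@version) to the sorted list of name@version it brings in.
// Two copies of the same package at different versions count twice: each is separately trusted code.
function trustMap(lock) {
  const result = {};
  const root = lock.packages[""].dependencies || {};
  for (const name of Object.keys(root)) {
    const path = resolve(lock, "", name);
    const pulled = [...closure(lock, path)]
      .map((p) => `${packageName(p)}@${lock.packages[p].version}`)
      .sort();
    result[`${name}@${lock.packages[path].version}`] = pulled;
  }
  return result;
}

// Every distinct installed package in the tree: the whole trust surface of the build.
function totalTrusted(lock) {
  return Object.keys(lock.packages).filter((p) => p !== "").length;
}

console.log(JSON.stringify(trustMap(LOCKFILE), null, 2));
console.log(`distinct installed packages: ${totalTrusted(LOCKFILE)}`);
```

On the constructed lockfile, `web-kit` (one line in package.json) brings in four more packages, including a second copy of `tiny-log`; that ratio, not the disk size, is the number worth looking at, and it is the kind of inventory that has to exist before one can decide which of those parts can be isolated from the sensitive ones.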
Meanwhile, in response to the SolarWinds hack, in the U.S. we continued to have politicians’ concerted speeches about who was the most likely culprit behind the supply chain cyberattacks and how to respond: was it an act of war, for example (hint: it was not)? Setting aside the suspected sources themselves, this may make us wonder:
Is cybersecurity treated so seriously that top-level policymakers say what they think on the topic, and then more or less expect others (even the experts) to accept it and go along?
While there is no denying that the source of a cyberattack might end up politicised, treating politicians’ ‘attribution assertions’ as settled may well mean taking this to the next level.
This is risky because:
“armed forces in close proximity are often at an increased risk of escalatory events”
while
“dozens of armed forces are constantly within the virtual arm’s length, creating a constant possibility of interaction and escalation”.
Roughly, though, this is where we are now, or apparently where we are heading.
Security
The biggest hack/cyberattack of 201X/202X: again on SolarWinds IT management systems. FireEye has an additional analysis, with the malware flow diagram.
Pay2Key. Another system breached. Cyber operation in Israel: hacked Israeli aerospace industry. Those responsible are now leaking data, also via a Twitter leak account. Where do we know this from?
ECHR loss of availability. Cyberattack on the site of the European Court of Human Rights. The information provided is scarce. DDoS? Anyway, they link it to a particular case.
EMA hack. The European Medicines Agency offers more information: "perpetrators primarily targeted data related to COVID-19 medicines and vaccines". So that was that. The information is still scarce.
No newspaper today. Some local German press (like the Morgenpost) did not show up on 24.12. Cyberattack. Ransomware.
Phishing tests? A company tried to lure its own employees and performed a “phishing test”. The problem? What they did to their employees...
“Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!” the email read. “To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.”
But, two days later, the company sent another email.
“You’re getting this email because you failed our recent phishing test,” the company’s chief security officer Demetrius Comes wrote. “You will need to retake the Security Awareness Social Engineering training.”
Shaming in this way is… a very controversial thing to do at real workplaces. It certainly may work well if the objective is to sow distrust. But is that the objective to achieve?
That’s it this time, thanks!
In case you decide to forward this letter further for any reason, I’ll leave this thingy below: