ProPublica has a long investigative article on how the Cyber Safety Review Board failed to investigate the SolarWinds attack, and specifically Microsoft’s culpability, even though they were directed by President Biden to do so.
Maxim Weinstein • July 8, 2024 4:11 PM
Seems like a hit piece to me. The work of the CSRB so far has been generally well regarded, and the board absolutely skewered Microsoft in its most recent report. The implication that the decision not to investigate SolarWinds was driven by corporate or political interests doesn’t seem to jibe with the reasons given later in the article (i.e., timing, relevance).
Ismar • July 9, 2024 5:19 AM
I stopped reading after this:
“ The board is not independent — it’s housed in the Department of Homeland Security. Rob Silvers, the board chair, is a Homeland Security undersecretary. Its vice chair is a top security executive at Google. The board does not have full-time staff, subpoena power or dedicated funding.”
Bob • July 10, 2024 4:46 PM
Almost feels like a foreseeable and inevitable consequence of an economy designed to chase quarterly profits at the expense of all else. We’ve already breached +1.5C over pre-industrial. We’re literally destroying our planet’s ability to harbor human life because money right now. Compared to our planet’s ability to harbor human life, infosec is at least a few notches lower in importance. So if we can’t do anything about climate change due to pursuit of quarterly profits, what chance is there for literally any other problem in the world?
ResearcherZero • July 11, 2024 2:04 AM
@Clive Robinson
A very long, long time. Golden tickets, forging attacks have been around a long, long time.
Said vulnerability could have been easily fixed but was not.
A company that refuses to fix security problems it has been asked to for decades should not be given government contracts. Other cloud providers were willing to address such matters.
…There are some other vulnerabilities that need attention as well.
Plez fix…
‘https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-os-command-injection-vulnerabilities
https://cwe.mitre.org/top25/archive/2023/2023_stubborn_weaknesses.html
~ Throw another shrimp on the barbie.
ResearcherZero • July 11, 2024 3:32 AM
APT40 makes use of proof-of-concepts for vulnerabilities in “widely used software”, including Log4j, Atlassian Confluence and Microsoft Exchange – “within hours or days of public release”.
Exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artifacts related to remote access sessions.
“Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow an actor to regain unauthorised access if the original access vector was blocked.”
‘https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/apt40-advisory-prc-mss-tradecraft-in-action
Clive Robinson • July 11, 2024 12:33 PM
@ ResearcherZero,
Re : Swing the headsman’s axe.
“A company that refuses to fix security problems it has been asked to for decades should not be given government contracts.”
Whilst I agree, there are two problems,
1, I can not think of any Silicon Valley Corp that has not done the same at some point.
2, I can not think of any WASP Government that is not beyond being bribed by Silicon Valley Corps.
Have a look at the history of the “Big Four” accountancy firms and “Arthur Andersen” in particular,
https://en.m.wikipedia.org/wiki/Arthur_Andersen
Also how UK Prime Minister Margeret Thatcher once ruled that a certain major firm were banned from government contract work… Yet purchased their way back in not long after.
Clive Robinson • July 11, 2024 5:55 PM
@ Bruce, ALL,
Re : Ease of Supply Chain attacks
You might find this an interesting 5min read,
What makes supply chain attacks particularly attractive is that they are cheap and easy to execute as they (most of the time) don’t require exploits, the attack surface is huge, they can have a large reach, with packages downloaded 1M+ times a week for example, and because they allow remote code execution on developers’ machines, the exfiltrated data and credentials can be used to reach even more targets which make them a good way to spread a worm.
https://kerkour.com/supply-chain-attacks-and-backdoored-dependencies
victor cordiano • August 9, 2024 9:12 AM
Hi Bruce,
You are totally dialed into security issues, and I admire that. What are your thoughts about how SBOMs/HBOMs help mitigate supply chain cyber attacks?
Clive Robinson • August 9, 2024 7:18 PM
@ victor cordiano,
Re : Just a list not a building plan
“What are your thoughts about how SBOMs/HBOMs help mitigate supply chain cyber attacks?”
They don’t is the quick answer.
A “Bill of Materials” is a parts list, it is not a set of plans about how to use those parts to make a product.
Back in the 1960’s the BoM got computerised and in part integrated in CAM then CAD systems over the next decades. But even in the early part of this century BoMs were not really integrated into much more than flagging up in QA systems.
And to quite a large extent that is still what BoMs do in QA systems
The use of parts be they software or hardware generally don’t get well documented, as design documents and production documents are still in many cases not “overlapping”.
Could SBoMs and HBoMs do more in this regard? The simple answer is yes but it needs them to be way way more than just parts lists. This requires efficient documentation methods to be formulated, used and maintained…
That is often seen by managment as either “non productive work” or “test team work” and they are seen as lower down the pole than the “C-team” in many companies.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Clive Robinson • July 8, 2024 2:48 PM
As the article notes,
1, “Microsoft had long known about — but refused to address — a flaw used in the hack.”
2, “The tech company’s failure to act reflected a corporate culture that prioritized profit over security and left the U.S. government vulnerable”
Not just the US Government but many US businesses and many other Governments and Businesses world wide.
Any one else have the feeling that it’s not just Microsoft but other Silicon Valley Corps and major software companies around the globe as well?
Any one else remember Oracle and how those who used their product were told investigating security faults with the code was in effect a criminal act?
It’s been argued in the past that Microsoft “made the model” by which software is produced and licensed back in the 1980’s and by the 1990’s it was a total disaster.
But the simple fact is all of the consumer and commercial software venders have to behave this way, because for various reasons a “Free Market” was allowed to become a “Race for the Bottom” without legislation or regulation ensuring “fit for market” that most other products have to abide by.
Now it would appear the software industry feels like it is now better than those large financial organisations that were,
“To large to fail”
Of the “Financial Crisis” a couple of decades back. The fall out of which we are still dealing with extraordinarily badly.
Which raises the question,
“How long in decades if evere is it going to take to sort the software industry out so that it meets the minimum of ‘Fit to Market’?”
It’s a question I’ve asked before a couple of times since this blog came into existence. And like others I’ve also pointed out some of the changes that need to be made, but here we are and nothing has changed…