
How Hired Hackers Got “Complete Control” of Palantir - minimaxir
https://www.buzzfeed.com/williamalden/how-hired-hackers-got-complete-control-of-palantir
======
nikcub
Shaming companies for carrying out pentests is counter-productive; I'm more
interested in who is leaking against Palantir and why.

This is the third story now that William Alden has written about Palantir that
appears to be based on internal documents [0].

His profile of the company a month ago opened with:

> A trove of internal documents and insider interviews has pulled back the
> curtain on one of Silicon Valley’s most secretive and highly valued
> companies, Palantir Technologies.

There isn't much public interest in large parts of the profile nor the
follow-up stories, so it has a feeling of a disgruntled employee. A really
difficult class of threat to defend against and stop, but each additional story
and leak provides a few more bits of data that can narrow down the suspect pool.

I really hope the leaker and journalist in this case know what they're getting
themselves into - because based on the pentest report the infosec team at
Palantir appear capable of tracking the leak down.

[0] [https://www.buzzfeed.com/williamalden?language=en](https://www.buzzfeed.com/williamalden?language=en)

[1] [https://www.buzzfeed.com/williamalden/inside-palantir-silico...](https://www.buzzfeed.com/williamalden/inside-palantir-silicon-valleys-most-secretive-company)

~~~
johnm1019
Surely it was the company who performed the pentest. It's the best publicity
they can get.

~~~
gchadwick
'Look at how great we are at finding security vulnerabilities. Almost matched
by our utter lack of discretion and confidentiality!'

Hardly a good advert. I would have thought a pen testing firm would make
client confidentiality an extremely high priority.

My guess is a Palantir employee who feels that, due to the volume and nature of
the data they handle, it needs to be publicly known their security isn't up
to scratch.

~~~
joshdickson
Well, I mean the whole point of confidentially leaking is to get something out
there without having to put your name on it. This is a great advert for them
no matter who leaked it, make no mistake about that.

------
hendzen
I don't think Palantir should be shamed for this. It's laudable that they
invested in penetration testing - better they find out this way than by an
actual APT/hacking group.

~~~
hackuser
> It's laudable that they invested in penetration testing

I don't think they should be lauded for doing their jobs and discovering they
failed at them. If your QA team discovers huge numbers of bugs, you don't laud
yourself for doing QA.

If a leading accounting firm hires an outside auditor and discovers their own
books were rotten, should they be lauded? I guess there's a silver lining in
everything.

I guess I'd be willing to trust Palantir's advice on hiring penetration
testers, but not on securing my systems.

~~~
dsacco
To play devil's advocate: there is a reasonable expectation that an
organization's accounting is legally and correctly balanced.

It is not a reasonable expectation that software, even security software or
software developed with security expertise, is secure.

~~~
homunculus
I would say you can reasonably expect that unaudited software is not secure
and that unaudited books are not legally and correctly balanced.

------
tptacek
I don't understand why we're reading this. Was it leaked? Pretty much every
big tech firm does this twice a year, but nobody releases the reports.

~~~
omonra
I would not be surprised if this is related to the Gawker debacle.

~~~
salemh
Why at all? Because Thiel is an investor in Palantir? I googled a bit to try
and find something that relates Gawker and Palantir beyond that.

~~~
jblow
"... in the next phase, you too will be subject to a dose of transparency.
However philanthropic your intention, and careful the planning, the details of
your involvement will be gruesome."

[http://gawker.com/an-open-letter-to-peter-thiel-1778991227](http://gawker.com/an-open-letter-to-peter-thiel-1778991227)

~~~
hobs
Having tried to avoid that entire story up until reading that, I remain
pitiless for gawker's position in every way and I hope it burns to the ground.

~~~
mSparks
Having had no idea what made thiel hate gawker so much, suddenly it all
becomes clear.

Holding the rich to account. How very non politically correct and
unjournalistic of them.

~~~
laingc
"Having had no idea what made thiel hate gawker so much"

How about when they publicly outed him as gay, when he wasn't out to most of
the general public?

Source, but don't visit it, in case you give those parasites a couple of dimes
in the process: [http://gawker.com/335894/peter-thiel-is-totally-gay-people](http://gawker.com/335894/peter-thiel-is-totally-gay-people)

~~~
jacoblambda
The wonders of adblock: wasting bandwidth and power while contributing a total
of absolutely nothing to the companies you despise.

------
arca_vorago
Honestly, it's as if people have forgotten one of the fundamental principles of
strategy and tactics. The attacker almost always has the advantage. It's true
in The Book of Five Rings, it's true in The Art of War, it's just a basic
principle.

Now, that's not to say an advanced attacker still can't be defended against, but
as a sysadmin who has seen the inside of companies from law firms to publicly
traded big guys to the IT firms themselves... And that's that almost no
management has put forward the personnel or the budgets or the culture needed
to really secure things.

Hell, a family member of mine recently got a tour of SpaceX and was appalled at
the security. If Musk and his money don't do it right or well, almost nobody
is.

I've basically told people who run Windows systems for business they're
already compromised most likely, and the best thing to do is to be doing HIDS
and good log analysis so you catch it quickly when it happens... but you
probably aren't going to stop any kind of semi-advanced attacker.

So to be frank, it completely makes sense to me that a company like Palantir
would be massively vulnerable from the inside. The edge of the sword they live
on cuts both ways. These days, it's about response time and forensic
after-action.

"When Palantir’s information security employees finally discovered the
intruders, they “provided a rapid network response in which they identified
and mitigated” the “majority” of the red team’s actions within days, the
report says. Compared with other large companies, this defensive response was
unusually robust, the industry source said, based on a reading of the report."

~~~
muglug
The red team also had the big benefit that there would be no legal
ramifications if/when they were discovered. That no doubt encouraged them to
take bigger risks, and consequently get further, than a malicious hacker
would.

~~~
snarf
Do you honestly think that state sponsored hackers care about the legal
ramifications of being discovered?

~~~
meowface
In some cases, they do care very much. Just not from a legal standpoint.

Many nation states prefer not to be detected when conducting espionage. And if
they are detected, they really prefer to not have the attack be attributed to
their country. At the very least, they want some plausible deniability;
ideally full-on anonymity or framing, if they can.

Sometimes they really don't care if the source of the attack is known. It
depends on the political rationale behind it. But when they do care, they're
definitely at more of a disadvantage than a hired red team. The red team has
no real anxiety over whether they're caught or attributed, and can act more
quickly and aggressively.

~~~
threatofrain
I think that if a state desires to engage in a cyberattack, there's really no
way you can pinpoint it back, because there's no evidence to show why a hacker
on a Chinese IP is associated with the Chinese government -- unless you're
depending on sloppiness. It could be a private industrially motivated actor,
it could be the actions of someone looking to embarrass the Chinese
government, or it could be some nationalist.

The US can say "shame on you" because they feel they have enough evidence to
support a narrative, and China will say, "How can you engage in such
irresponsible rhetoric?" The Chinese government will condemn rogue criminals
and perform a cursory investigation and that will be the end of it. And then
all countries and all companies in the world continue operating as usual.

No political consequences. All nations understand it.

~~~
meowface
There are many different kinds of indicators left behind in attacks, even very
sophisticated attacks. Way more than just IP addresses. The entire recon,
infection, exfiltration, pivoting, and C&C chain can leave hundreds or
thousands of host-based, network-based, and identity-based indicators behind.

Of course, those indicators can be intentionally or unintentionally misleading
or ambiguous. But by finding a dozen or more consistent IOCs/TTPs without any
inconsistent ones, combined with a motive, often you can start making some
possible accusations. Those assumptions will often remain unproven, but keep
in mind government APT groups are still run by humans, and humans can always
be sloppy.

Also, in some cases one state may have so thoroughly compromised another that
they could find explicit evidence that an attack was ordered.

------
ScottBurson
Wow, this is sobering.

I've certainly heard it said that if you're a big tech company, you are
already infiltrated by state-sponsored hackers. But since I've never seen one
of these red-team reports, this synopsis provides a lot of color on how people
can get around inside the network, once they get in, that I wasn't aware of
(obviously I don't work in opsec).

Too bad for Palantir that this got leaked, but perhaps it can be instructive
for many of us.

~~~
amjo324
The truth is that when reputable information security specialists are engaged
to perform a no holds barred internal network penetration test or red teaming
exercise for a client, they will gain full administrative access of the
network in more than 9 out of 10 cases. There are well known and documented
techniques for escalating privileges and traversing through a network. This is
just the reality if you operate a typical Windows corporate network of a
sufficient size.

In the past, companies mostly just accepted this risk and focused on
protecting their network perimeter. Over time, this attitude has shifted and
organisations now recognise the insider threat (e.g. a rogue
employee/contractor or an external attacker who has already breached the
perimeter).

------
leroy_masochist
How does Palantir's response stack up?

Having read the article, I'm not sure whether to read it as: "The extent to
which the red team was able to exploit the network is a sign that Palantir's
network security is bad" or, "Despite Palantir following best practices and
having a lot of smart people on their security team, the red team was still
able to do a lot, which bodes really badly for other companies that don't have
the same internal resources"?

~~~
rando289
"Our systems and our customers’ information were never at risk." Their PR
team is clueless. Security is not binary.

~~~
argonaut
The fact that they had a specific team test their security is already evidence
they aren't clueless.

Clueless would be refusing to have teams test your security.

~~~
rando289
I didn't say they were clueless. I said their PR is clueless. Some PR person
said "there is no risk" relating to IT security of a large organization. That
is obviously false, and clueless.

------
swingbridge
Every major company performs these sorts of "red team" tests and virtually no
major company passes with flying colors... so it's not surprising that
Palantir has its fair share of issues. What is surprising is that all this
stuff leaks out about Palantir while other companies manage to keep things
under tighter wraps.

------
utefan001
This recent post from Microsoft describes how to mitigate some of the risk
that got Palantir.

[https://blogs.technet.microsoft.com/johnromsft/2016/06/14/wh...](https://blogs.technet.microsoft.com/johnromsft/2016/06/14/why-you-should-use-rdp-restrictedadmin/)

"I can’t stress how important this change is – an administrator who connects
using “normal” RDP exposes his or her credentials to the remote system with
every connection. RDPRA, on the other hand, ensures that credentials aren’t
exposed to the attacker on the remote computer being managed."
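The quoted Microsoft post and arca_vorago's "good log analysis" remark point at the same thing from two sides: every plain RDP session places the administrator's credential on the remote host, and the Windows Security log records exactly where that happened (event 4624, LogonType 10 = RemoteInteractive). The script below is an added example, not code from the thread, from Palantir or from Microsoft: it runs over a few constructed 4624/4625 lines (flattened to key=value form for the example; real exports are XML or EVTX), counts the distinct hosts on which each privileged account left a credential through plain RDP, and flags accounts whose exposure footprint is wider than a policy threshold. The "da-" prefix for admin accounts and the `Computer=` field name are assumptions of the constructed data.

```python
"""Constructed example: measure where privileged credentials get exposed.

Each successful logon (Windows Security event 4624) with LogonType 10
(RemoteInteractive, i.e. a normal RDP session) places the account's
credentials on the host that recorded the event. Counting distinct hosts
per privileged account gives that account's exposure footprint, which is
what RDP RestrictedAdmin mode (or a dedicated jump host) is meant to shrink.
"""
import re
from collections import defaultdict

# Constructed log lines, not real telemetry. Computer= is the host that
# logged the event (the RDP target); IpAddress= is where the session came from.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=da-alice TargetDomainName=CORP Computer=WS-0042 IpAddress=10.1.5.20
EventID=4624 LogonType=10 TargetUserName=da-alice TargetDomainName=CORP Computer=FILESRV-01 IpAddress=10.1.5.20
EventID=4624 LogonType=10 TargetUserName=da-alice TargetDomainName=CORP Computer=DB-02 IpAddress=10.1.5.20
EventID=4624 LogonType=3 TargetUserName=da-alice TargetDomainName=CORP Computer=DC-01 IpAddress=10.1.5.20
EventID=4624 LogonType=10 TargetUserName=bob TargetDomainName=CORP Computer=WS-0107 IpAddress=10.1.9.14
EventID=4625 LogonType=10 TargetUserName=da-carol TargetDomainName=CORP Computer=WS-0042 IpAddress=10.1.5.21
EventID=4624 LogonType=10 TargetUserName=da-carol TargetDomainName=CORP Computer=WS-0042 IpAddress=10.1.5.21
"""

# Hypothetical naming convention for the constructed data: admin accounts use a "da-" prefix.
PRIVILEGED_PREFIXES = ("da-",)
REMOTE_INTERACTIVE = "10"  # LogonType 10 = RemoteInteractive (RDP)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict; returns None for blank lines."""
    if not line.strip():
        return None
    return dict(FIELD_RE.findall(line))


def is_privileged(user):
    return user.lower().startswith(PRIVILEGED_PREFIXES)


def rdp_exposure(log_text):
    """Map each privileged account to the sorted list of hosts that received its
    credentials through a plain RDP logon (successful 4624 with LogonType 10)."""
    exposure = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("EventID") != "4624":
            continue  # failed logons (4625) never placed a credential on the host
        if ev.get("LogonType") != REMOTE_INTERACTIVE:
            continue  # network logons (type 3) do not hand the password or hash to the target
        user = ev.get("TargetUserName", "")
        if is_privileged(user):
            exposure[user].add(ev.get("Computer", "?"))
    return {u: sorted(h) for u, h in exposure.items()}


def flag_wide_exposure(log_text, max_hosts=1):
    """Privileged accounts whose credentials landed on more than max_hosts distinct hosts."""
    return {u: h for u, h in rdp_exposure(log_text).items() if len(h) > max_hosts}


if __name__ == "__main__":
    for user, hosts in sorted(rdp_exposure(SAMPLE_EVENTS).items()):
        print(f"{user}: credentials exposed on {len(hosts)} host(s): {', '.join(hosts)}")
    for user in flag_wide_exposure(SAMPLE_EVENTS):
        print(f"REVIEW: {user} should connect with RDP RestrictedAdmin or via a jump host")
```

On the constructed data, da-alice's credential reaches three hosts through plain RDP (the type 3 logon to DC-01 is not counted) and is flagged; da-carol's single successful RDP logon stays under the threshold, and the failed 4625 attempt is ignored because it never placed a credential anywhere.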

------
SCHiM
> A Palantír is a dangerous tool, Saruman. They are not all accounted for, the
> lost Seeing Stones. We do not know who else may be watching!

It's weird that this story is considered newsworthy. I skimmed over the
article and it looks about normal for the industry. As sad as it sounds, they
aren't doing much worse than many other companies out there.

------
kriro
What are the standard measures taken to protect against spear phishing? Mostly
educating users and trying to filter out the mails?

Palantir basically started the red team in a position where they had
successfully spear phished someone and that seems to be common practice. Is
trying to protect against it just a waste of time and should the resources be
invested into proper segmentation to protect against the successful spear phish
case? Or are people usually 80/20ing this and taking anti spear phish measures
but only to an extent that covers a lot of ground at relatively low cost/time?

~~~
bobedybobbob
Phishing is generally 1. run a command or 2. give me your credentials. To
prevent these you need good solid technical controls like U2F for password
based authentication (which is origin bound). Similarly binary whitelisting
will prevent most users from running rogue executables.
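Why "origin bound" defeats the "give me your credentials" half of phishing is easier to see in code than in prose. The following is an added example, not code from the thread or from any U2F library: it mirrors the U2F/WebAuthn assertion flow (the browser, not the page, supplies the origin it is actually connected to; the authenticator signs over appId hash, counter and a hash of that client data; the relying party verifies against its own origin). The authenticator is a toy that uses HMAC-SHA256 with a per-origin derived key as a stand-in for the real per-origin ECDSA key pair, so the example runs offline; `ToyAuthenticator`, `phishing_scenario` and the example origins are all constructed here. Binary whitelisting, the other control mentioned, is a platform policy and is not shown.

```python
"""Constructed example: an origin-bound second factor cannot be phished by relay.

The signature an authenticator produces covers the origin the browser is
really talking to, so an assertion collected by a look-alike site is useless
against the legitimate site, even if the attacker relays the real challenge.
Toy HMAC signature stands in for the token's ECDSA key; the binding logic is the point.
"""
import hashlib
import hmac
import json
import os
import struct


class ToyAuthenticator:
    """Stand-in for a U2F token (hypothetical). Real hardware holds a per-origin ECDSA key;
    here the per-origin key is derived with HMAC from a device secret so it can run offline."""

    def __init__(self):
        self._device_secret = os.urandom(32)
        self._counter = 0

    def _key_for(self, app_id):
        # Keys for different origins differ, as they do on a real token.
        return hmac.new(self._device_secret, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id):
        # The value the relying party stores at enrolment ("public key" in the toy model).
        return self._key_for(app_id)

    def sign(self, app_id, client_data):
        """Sign sha256(appId) || counter || sha256(clientData), as in U2F authentication.
        The browser only hands the token an appId matching the page's real origin."""
        self._counter += 1
        msg = (hashlib.sha256(app_id.encode()).digest()
               + struct.pack(">I", self._counter)
               + hashlib.sha256(client_data).digest())
        return self._counter, hmac.new(self._key_for(app_id), msg, hashlib.sha256).digest()


def browser_client_data(origin, challenge):
    """What the browser assembles: the server challenge plus the origin it is *actually* on."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def relying_party_verify(app_id, registered_key, challenge, client_data, counter, sig):
    """Legitimate site: check challenge and origin, rebuild the signed message with its
    own appId, and verify the signature in constant time."""
    data = json.loads(client_data)
    if data.get("challenge") != challenge or data.get("origin") != app_id:
        return False
    msg = (hashlib.sha256(app_id.encode()).digest()
           + struct.pack(">I", counter)
           + hashlib.sha256(client_data).digest())
    expected = hmac.new(registered_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def phishing_scenario(real_origin="https://login.example.com",
                      phish_origin="https://login.examp1e.com"):
    """Returns (legit_ok, relayed_ok, tampered_ok): a direct login verifies; an assertion
    produced on a look-alike page does not; nor does it after the attacker rewrites the
    client data to name the real origin, because the signature covers that data."""
    token = ToyAuthenticator()
    key = token.register(real_origin)
    challenge = "constructed-challenge-1"

    # 1. User at the real site: the browser reports the real origin.
    cd_real = browser_client_data(real_origin, challenge)
    ctr1, sig1 = token.sign(real_origin, cd_real)
    legit_ok = relying_party_verify(real_origin, key, challenge, cd_real, ctr1, sig1)

    # 2. User on a look-alike page that proxies the real challenge. The browser fills in
    #    the origin it is really on, so the token signs with the key for phish_origin.
    cd_phish = browser_client_data(phish_origin, challenge)
    ctr2, sig2 = token.sign(phish_origin, cd_phish)
    relayed_ok = relying_party_verify(real_origin, key, challenge, cd_phish, ctr2, sig2)

    # 3. Attacker swaps in client data that claims the real origin but keeps the captured
    #    signature: the hash of the client data no longer matches what was signed.
    tampered_ok = relying_party_verify(real_origin, key, challenge, cd_real, ctr2, sig2)
    return legit_ok, relayed_ok, tampered_ok


if __name__ == "__main__":
    print("legit, relayed, tampered ->", phishing_scenario())
```

Contrast this with a one-time code from an app or SMS, which carries no origin at all: the same six digits typed into the look-alike page work equally well on the real one. That difference, not the hardware, is what makes the control phishing-resistant.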

------
jacquesm
So, who will take the bet that it was only the red team doing the pentest that
managed to get this level of access?

The one saving grace here is that the red team had to be 'let in', in other
words, they started from a position that is substantially different from being
a complete outsider.

It also makes you wonder what else was leaked besides the report.

------
bobedybobbob
With time, creativity and motivation a good offensive security team will
always win. All we can do as defenders is to find ways to raise the cost of
such an attack.

A bit disappointed they seem to have started on the internal network rather
than coming in from the outside :)

------
nerdponx
What a ridiculous clickbait title

------
Bromskloss
What does Palantir do, really?

------
graycat
Gee, we have to wonder if some good anomaly detection

[https://news.ycombinator.com/item?id=11880593](https://news.ycombinator.com/item?id=11880593)

would have detected that intrusion?

