How Hired Hackers Got “Complete Control” of Palantir (buzzfeed.com)
217 points by minimaxir on June 18, 2016 | 78 comments

Shaming companies for carrying out pentests is counter-productive; I'm more interested in who is leaking against Palantir and why.

This is the third story now that William Alden has written about Palantir that appears to be based on internal documents [0].

His profile of the company a month ago [1] opened with:

> A trove of internal documents and insider interviews has pulled back the curtain on one of Silicon Valley’s most secretive and highly valued companies, Palantir Technologies.

There isn't much public interest in large parts of the profile nor the follow-up stories, so it has a feeling of a disgruntled employee. A really difficult class of threat to defend against and stop, but each additional story and leak provides a few more bits of data that can narrow down the suspect pool.

I really hope the leaker and journalist in this case know what they're getting themselves into - because based on the pentest report the infosec team at Palantir appear capable of tracking the leak down.

[0] https://www.buzzfeed.com/williamalden?language=en

[1] https://www.buzzfeed.com/williamalden/inside-palantir-silico...


I don't know anyone there - and I always disclose my conflicts (usually by avoiding threads where I'm conflicted).

You implied that you were at some point an employee of Palantir here: https://news.ycombinator.com/item?id=11650520

tmpanon: judging from your comments in this thread, you're weirdly in favor of this article.

I don't doubt that Palantir has their skeletons, but having read a bit of Mitnick's stuff, this just seems like business as usual.

I'm putting my tinfoil hat on, and I think you are someone from PAL's legal/hr/compliance/counter-intelligence department.

The leaks at Palantir might not be connected to a single source, but rather a cultural issue, and thus multiple leaks. Having the special talent to track down hacking threats and actively patch problems is different from the ability to wonder whether your next information release is going to be leaked through non-technical means.

Finding the leak is going to involve assigning different truths to different individuals (like what Hollywood does with film previews), which will itself lead to more cultural issues.

No company finds leaks that way (assigning different truths). Finding leaks is a matter of looking to see who accessed which documents.

If a company sends out communication to a group of authorized employees, then presumably they all accessed the documents -- as they should have. In the case of a security test, presumably many people were made aware so that they could improve their security.

Who among those employees leaked?

You can only know by access if that information was sufficiently isolating or unique.

Not only a disgruntled employee, but also there must be an unusual motivation for the journalist/media organization.

Like you said, it's completely counterproductive and, I believe, actually not news to publish the results of an old red-team test without any information about what has been mitigated since.

Surprised nobody has mentioned yet that the company was founded by Peter Thiel, who is becoming a uniquely objectionable individual these days and has every reason to draw the intense scrutiny of investigative online media outlets.

It's buzzfeed, they go for what gets pageviews. He found an internal source that's handing him info on a silver platter for whatever reason, I doubt there's a huge motive behind this besides more ad revenue.

And breaking a story? A lot of people hate Palantir for what they do and for what they stand for, and this is a powerful way of opposing them.

Surely it was the company who performed the pentest. It's the best publicity they can get.

'Look at how great we are at finding security vulnerabilities. Almost matched by our utter lack of discretion and confidentiality!'

Hardly a good advert. I would have thought a pen testing firm would make client confidentiality an extremely high priority.

My guess is a Palantir employee who feels that, due to the volume and nature of the data they handle, it needs to be publicly known that their security isn't up to scratch.

Well, I mean the whole point of confidentially leaking is to get something out there without having to put your name on it. This is a great advert for them no matter who leaked it, make no mistake about that.

These guys get better PR by their reputation. They know what clients they want, so they can target them directly. Buzzfeed giving them positive PR is almost negligible in its impact.

Meanwhile, if it came out that they leaked a pen test report, it would literally destroy their company. All their current clients would ditch them, they'd get sued into oblivion, and no one would trust the senior people there in the industry ever again. Would be a very dumb suicidal publicity stunt.

> Surely it was the company who performed the pentest.

Not a chance. Maybe an employee of that company who doesn't like Palantir did it, but the company doing the pentests doing this on purpose is not on the table.

The upside does not begin to counter the downside (such as not having a company any more).

But you can bet they're digging very fanatically right now to figure out where the leak is.

I would imagine that if even one such incident were to occur this way, it would severely limit future business opportunities.

Or someone penetrated the pentesters

Funnily enough, I just had a reminder go off to check for your financial osint paper. Awesome interview on risky business.

I don't think Palantir should be shamed for this. It's laudable that they invested in penetration testing - better they find out this way than by an actual APT/hacking group.

> It's laudable that they invested in penetration testing

I don't think they should be lauded for doing their jobs and discovering they failed at them. If your QA team discovers huge numbers of bugs, you don't laud yourself for doing QA.

If a leading accounting firm hires an outside auditor and discovered their own books were rotten, should they be lauded? I guess there's a silver lining in everything.

I guess I'd be willing to trust Palantir's advice on hiring penetration testers, but not on securing my systems.

To play devil's advocate: there is a reasonable expectation that an organization's accounting is legally and correctly balanced.

It is not a reasonable expectation that software, even security software or software developed with security expertise, is secure.

I would say you can reasonably expect that unaudited software is not secure and that unaudited books are not legally and correctly balanced.

Why would you trust them in hiring pen testers? Their systems might have been so bad that anyone attempting could have gotten in, and thus the firm was just lucky enough to get the contract.

Exactly. It's crappy that they are likely getting flack over this.

Chances are, it was leaked by a disgruntled employee. But the fact is that the red team started on the internal network and used tactics that would work on darn near every org these days.

Palantir is no different. The only issue is that their pentest report was leaked.

Given the nature of Palantir's business, isn't it sort of a big deal in itself that an internal report was leaked? What if the leak had been some other internal document, say one that contained customer secrets?

The leak, if that's what this is, is a big deal. The contents of the report are not.

I would love to jump on any anti-Palantir band wagons, but I agree -- if anything, they should be rewarded for actively seeking and patching vulnerabilities. It seems economically infeasible to be invulnerable to all attacks from all vectors and this is a way to strip the lowest hanging fruit.

Exactly. And as has been pointed out elsewhere, pretty much every large tech firm does red-team/blue-team tests these days. It's just that we don't hear about the vulnerabilities that are found at those other firms.

I don't understand why we're reading this. Was it leaked? Pretty much every big tech firm does this twice a year, but nobody releases the reports.

Also, doesn't the headline seem a little misleading? Had I not clicked the link, I would have thought that Palantir was maliciously compromised by mercenary hackers.

Alden clearly has excellent sources inside Palantir—that much was obvious from his previous articles on them.

This is such bad PR - probably leaked maliciously.

I would not be surprised if this is related to the Gawker debacle.

Why at all? Because Thiel is an investor in Palantir? I googled a bit to try and find something that relates Gawker and Palantir beyond that.

"... in the next phase, you too will be subject to a dose of transparency. However philanthropic your intention, and careful the planning, the details of your involvement will be gruesome."


Having tried to avoid that entire story up until reading that, I remain pitiless for Gawker's position in every way and I hope it burns to the ground.

Having had no idea what made Thiel hate Gawker so much, suddenly it all becomes clear.

Holding the rich to account. How very non politically correct and unjournalistic of them.

"Having had no idea what made Thiel hate Gawker so much"

How about when they publicly outed him as gay, when he wasn't out to most of the general public?

Source, but don't visit it, in case you give those parasites a couple of dimes in the process: http://gawker.com/335894/peter-thiel-is-totally-gay-people

The wonders of adblock: wasting bandwidth and power while contributing a total of absolutely nothing to the companies which you despise.

Indeed, I am kind of surprised at how many in the press are backing Gawker, after Denton straight-up threatened to use the site (and presumably others) for further blackmail. It is crazy.

You could be right. The Gawker case has left bad blood with other journalists and the press in general, including those that hate Gawker, ironically.

Publishers -- online & off -- now fear that a single lawsuit has the potential to shut them down. Many on HN have applauded the case's outcome. Yet it presents a future where big corporations and the world's ultra wealthy can fund endless suits against hostile news outlets until they fold. That is a chilling future in exchange for being free of the drivel of horse shit Gawker and Jezebel published daily.

Bezos and other business minded press owners recognize this. Even if they aren't free speech idealists, they don't appreciate dramatic adjustments to their company valuations due to previously unforeseen external threats.

One can weave a lot of threads between Thiel, Buzzfeed, Facebook, and even Trump. Maybe it has nothing to do with Peter Thiel and it was just a disgruntled employee or two.

One thing is certain, when sources complain about Thiel or his companies now and in the future, journalists are going to be paying a little more attention than they did before.

For what it's worth, in regard to the original article, it doesn't strike me as particularly damning to Palantir. If a pentest fails, either you hired someone who wasn't that good, or your network is airgapped and your devices have zero external ports.

Honestly it's as if people have forgotten one of the fundamental principles of strategy and tactics. The attacker almost always has the advantage. It's true in The Book of Five Rings, it's true in The Art of War, it's just a basic principle.

Now, that's not to say an advanced attacker still can't be defended against, but as a sysadmin who has seen the inside of companies from law firms to publicly traded big guys to the IT firms themselves, I can say that almost no management has put forward the personnel or the budgets or the culture needed to really secure things.

Hell, a family member of mine recently got a tour of SpaceX and was appalled at the security. If Musk and his money don't do it right or well, almost nobody is.

I've basically told people who run Windows systems for business that they're already compromised most likely, and the best thing to do is to be doing HIDS and good log analysis so you catch it quickly when it happens... but you probably aren't going to stop any kind of semi-advanced attacker.

So to be frank, it completely makes sense to me that a company like Palantir would be massively vulnerable from the inside. The edge of the sword they live on cuts both ways. These days, it's about response time and forensic after-action.

"When Palantir’s information security employees finally discovered the intruders, they “provided a rapid network response in which they identified and mitigated” the “majority” of the red team’s actions within days, the report says. Compared with other large companies, this defensive response was unusually robust, the industry source said, based on a reading of the report."

The red team also had the big benefit that there would be no legal ramifications if/when they were discovered. That no doubt encouraged them to take bigger risks, and consequently get further, than a malicious hacker would.

Do you honestly think that state sponsored hackers care about the legal ramifications of being discovered?

In some cases, they do care very much. Just not from a legal standpoint.

Many nation states prefer not to be detected when conducting espionage. And if they are detected, they really prefer to not have the attack be attributed to their country. At the very least, they want some plausible deniability; ideally full-on anonymity or framing, if they can.

Sometimes they really don't care if the source of the attack is known. It depends on the political rationale behind it. But when they do care, they're definitely at more of a disadvantage than a hired red team. The red team has no real anxiety over whether they're caught or attributed, and can act more quickly and aggressively.

I think that if a state desires to engage in a cyberattack, there's really no way you can pinpoint it back, because there's no evidence to show why a hacker on a Chinese IP is associated with the Chinese government -- unless you're depending on sloppiness. It could be a private industrially motivated actor, it could be the actions of someone looking to embarrass the Chinese government, or it could be some nationalist.

The US can say "shame on you" because they feel they have enough evidence to support a narrative, and China will say, "How can you engage in such irresponsible rhetoric?" The Chinese government will condemn rogue criminals and perform a cursory investigation and that will be the end of it. And then all countries and all companies in the world continue operating as usual.

No political consequences. All nations understand it.

There are many different kinds of indicators left behind in attacks, even very sophisticated attacks. Way more than just IP addresses. The entire recon, infection, exfiltration, pivoting, and C&C chain can leave hundreds or thousands of host-based, network-based, and identity-based indicators behind.

Of course, those indicators can be intentionally or unintentionally misleading or ambiguous. But by finding a dozen or more consistent IOCs/TTPs without any inconsistent ones, combined with a motive, often you can start making some possible accusations. Those assumptions will often remain unproven, but keep in mind government APT groups are still run by humans, and humans can always be sloppy.

Also, in some cases one state may have so thoroughly compromised another that they could find explicit evidence that an attack was ordered.

Wow, this is sobering.

I've certainly heard it said that if you're a big tech company, you are already infiltrated by state-sponsored hackers. But since I've never seen one of these red-team reports, this synopsis provides a lot of color on how people can get around inside the network, once they get in, that I wasn't aware of (obviously I don't work in opsec).

Too bad for Palantir that this got leaked, but perhaps it can be instructive for many of us.

The truth is that when reputable information security specialists are engaged to perform a no holds barred internal network penetration test or red teaming exercise for a client, they will gain full administrative access of the network in more than 9 out of 10 cases. There are well known and documented techniques for escalating privileges and traversing through a network. This is just the reality if you operate a typical Windows corporate network of a sufficient size.

In the past, companies mostly just accepted this risk and focused on protecting their network perimeter. Over time, this attitude has shifted and organisations now recognise the insider threat (e.g. a rogue employee/contractor or an external attacker who has already breached the perimeter).

How does Palantir's response stack up?

Having read the article, I'm not sure whether to read it as: "The extent to which the red team was able to exploit the network is a sign that Palantir's network security is bad" or, "Despite Palantir following best practices and having a lot of smart people on their security team, the red team was still able to do a lot, which bodes really badly for other companies that don't have the same internal resources"?

According to the report (and I'm never sure how far one can trust leaked documents simply because you don't get the full context) the intrusion was not noticed until the intruders reached one compromised laptop that had non-standard software installed on it (LittleSnitch) that tripped an alarm when the intruders tried to upload a screen shot.

Perhaps best practices might include more, and more varied, tripwire software of this nature?

Disclaimer: I'm a civilian. My exposure to infosec begins and ends with being careful about email and USB drives.
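As an added illustration of the tripwire idea in the comment above (this is example code written for this page, not anything from the thread, from the leaked report, or from any product named in it): a small host egress monitor that alerts when a process talks to a destination it is not expected to, when an unexpected process talks to a known destination, or when an allowed process suddenly uploads far more than its own history suggests. The log format, host names, process names, destinations and byte counts are all constructed for the example.

```python
"""Egress tripwire over constructed connection log lines.

Added example, not code from the thread or from any product named in it.
Every host name, process name, destination and byte count is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Set, Tuple

# Per-destination allowlist of the processes expected to talk to it (constructed).
ALLOWLIST: Dict[str, Set[str]] = {
    "mail.example-corp.internal": {"Mail"},
    "git.example-corp.internal": {"git", "git-remote-https"},
    "updates.example-vendor.test": {"softwareupdated"},
}


@dataclass
class Egress:
    host: str
    process: str
    dest: str
    sent_bytes: int


def parse_line(line: str) -> Egress:
    """Constructed log format: host|process|destination|bytes_sent."""
    host, process, dest, sent = line.strip().split("|")
    return Egress(host, process, dest, int(sent))


class Tripwire:
    def __init__(self, volume_factor: int = 10, min_history: int = 3) -> None:
        self.volume_factor = volume_factor
        self.min_history = min_history
        # (host, process, dest) -> bytes sent by earlier, un-alerted connections
        self.history: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)

    def check(self, ev: Egress) -> Optional[str]:
        """Return an alert string if the event trips a wire, else None."""
        allowed = ALLOWLIST.get(ev.dest)
        if allowed is None:
            # Wire 1: destination nobody on this host is expected to reach.
            return f"{ev.host}: {ev.process} -> unknown destination {ev.dest} ({ev.sent_bytes} B)"
        if ev.process not in allowed:
            # Wire 2: known destination, but not from the process that should use it.
            return f"{ev.host}: unexpected process {ev.process} -> {ev.dest}"
        key = (ev.host, ev.process, ev.dest)
        hist = self.history[key]
        alert = None
        if len(hist) >= self.min_history and ev.sent_bytes > self.volume_factor * median(hist):
            # Wire 3: allowed pair, but an upload far above its own baseline.
            alert = (f"{ev.host}: {ev.process} -> {ev.dest} sent {ev.sent_bytes} B, "
                     f"over {self.volume_factor}x its median of {median(hist):.0f} B")
        if alert is None:
            # Only un-alerted observations feed the baseline, so one anomaly
            # does not quietly raise the bar for the next one.
            hist.append(ev.sent_bytes)
        return alert


def scan(lines: List[str], wire: Optional[Tripwire] = None) -> List[str]:
    """Run every non-empty log line through one Tripwire and collect alerts."""
    wire = wire or Tripwire()
    alerts: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        alert = wire.check(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: three normal mail sends, a git push, then three events
# that should each trip a different wire.
SAMPLE_LOG = """\
lt-0142|Mail|mail.example-corp.internal|2048
lt-0142|Mail|mail.example-corp.internal|3100
lt-0142|Mail|mail.example-corp.internal|1800
lt-0142|git|git.example-corp.internal|5120
lt-0142|python3|203.0.113.77|190000
lt-0142|curl|git.example-corp.internal|100
lt-0142|Mail|mail.example-corp.internal|310000
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

The allowlist is the weak point of any tripwire of this kind: it is only as useful as the effort spent keeping it honest per host role, and the volume wire exists precisely so that an allowed process abused as a courier still stands out.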

"Our systems and our customers’ information were never at risk." Their PR team is clueless. Security is not binary.

The fact that they had a specific team test their security is already evidence they aren't clueless.

Clueless would be refusing to have teams test your security.

I didn't say they were clueless. I said their PR is clueless. Some PR person said "there is no risk" relating to the IT security of a large organization. That is obviously false, and clueless.

Two kinds of people - those who've been hacked and those who say they haven't.

Were never at risk as a result of this pentest. Obviously, there is still a risk of data loss... but that risk is present among nearly every company on Earth.

Every major company performs these sorts of "red team" tests and virtually no major company passes with flying colors... so it's not surprising that Palantir has its fair share of issues. What is surprising is that all this stuff leaks out about Palantir while other companies manage to keep things under tighter wraps.

This recent post from Microsoft describes how to mitigate some of the risk that got Palantir.


"I can’t stress how important this change is – an administrator who connects using “normal” RDP exposes his or her credentials to the remote system with every connection. RDPRA, on the other hand, ensures that credentials aren’t exposed to the attacker on the remote computer being managed."

> A Palantír is a dangerous tool, Saruman. They are not all accounted for, the lost Seeing Stones. We do not know who else may be watching!

It's weird that this story is considered newsworthy. I skimmed over the article and it looks about normal for the industry. As sad as it sounds, they aren't doing much worse than many other companies out there.

What are the standard measures taken to protect against spear phishing? Mostly educating users and trying to filter out the mails?

Palantir basically started the red team in a position where they had successfully spear phished someone, and that seems to be common practice. Is trying to protect against it just a waste of time, and should the resources be invested into proper segmentation to protect against the successful spear phish case? Or are people usually 80/20ing this and taking anti spear phish measures, but only to an extent that covers a lot of ground at relatively low cost/time?

Phishing is generally 1. run a command or 2. give me your credentials. To prevent these you need good solid technical controls like U2F for password based authentication (which is origin bound). Similarly binary whitelisting will prevent most users from running rogue executables.
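To show what "origin bound" means in practice, here is an added example (written for this page; it is not the commenter's code and not a real FIDO library) that models the three parties in a U2F/WebAuthn login: the token, the browser, and the site. The relying-party name, origins, user names and challenge handling are constructed, and the token's signature is an HMAC over the same fields a real token signs, as a stand-in for the per-credential asymmetric key a real token holds. The point it demonstrates is that the browser, not the page, writes the origin into the signed client data, so a credential phished on a look-alike origin is useless to the real site even if the attacker relays the real challenge.

```python
"""Origin binding in a U2F/WebAuthn-style login, modelled with the standard library.

Added example, not code from the thread and not a FIDO implementation.
Assumptions: the HMAC stands in for the token's per-credential ECDSA key,
the relying party ID and origins are constructed, and challenges are kept
in a dict instead of a session store.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

RP_ID = "login.example-corp.test"                 # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example-corp.test"


class Authenticator:
    """Stand-in for the token. Signs rpIdHash || flags || counter || clientDataHash."""

    def __init__(self) -> None:
        self.cred_key = secrets.token_bytes(32)   # HMAC key in place of an ECDSA private key
        self.counter = 0

    def sign(self, rp_id: str, client_data_hash: bytes) -> Tuple[bytes, bytes]:
        self.counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + b"\x01"                                  # flags: user present
                     + self.counter.to_bytes(4, "big"))         # signature counter
        sig = hmac.new(self.cred_key, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get_assertion(token: Authenticator, page_origin: str, rp_id: str,
                          challenge: str) -> Tuple[bytes, bytes, bytes]:
    """What the browser does: it writes the page's real origin into clientData
    (the page script cannot forge it) and refuses rpIds the origin may not claim."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"origin {page_origin} may not use rpId {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data, sig = token.sign(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    """The site. Holds the credential's verification key and outstanding challenges."""

    def __init__(self, token: Authenticator) -> None:
        self.cred_key = token.cred_key            # stands in for the stored public key
        self.pending: Dict[str, str] = {}

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        expected = self.pending.pop(user, None)   # one use per challenge: blocks replay
        if expected is None or data.get("challenge") != expected:
            return False
        if data.get("type") != "webauthn.get":
            return False
        if data.get("origin") != EXPECTED_ORIGIN:  # the origin check that defeats phishing
            return False
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False                           # signed for a different rpId
        if not auth_data[32] & 0x01:
            return False                           # user presence not asserted
        client_data_hash = hashlib.sha256(client_data).digest()
        expected_sig = hmac.new(self.cred_key, auth_data + client_data_hash, "sha256").digest()
        return hmac.compare_digest(expected_sig, sig)


def login_attempt(rp: RelyingParty, token: Authenticator, user: str,
                  page_origin: str, rp_id: str = RP_ID) -> bool:
    """One login: the real site issues a challenge, a page at page_origin asks the
    browser to sign it, and the real site verifies. A phishing page relaying the
    genuine challenge is modelled by passing its own origin here."""
    challenge = rp.issue_challenge(user)
    try:
        client_data, auth_data, sig = browser_get_assertion(token, page_origin, rp_id, challenge)
    except ValueError:
        return False                               # browser refused to sign at all
    return rp.verify(user, client_data, auth_data, sig)


if __name__ == "__main__":
    token, site = Authenticator(), RelyingParty(token)
    print("genuine origin:", login_attempt(site, token, "alice", EXPECTED_ORIGIN))
    print("look-alike origin:", login_attempt(site, token, "alice",
                                              "https://login.example-corp.test.evil.test"))
```

Contrast this with a one-time code typed by the user: nothing in that code says which site it was typed into, so a relay proxy forwards it unchanged. Here the origin is inside the signed data, and the wrong origin fails verification no matter how quickly the attacker relays.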

So, who will take the bet that it was only the red team doing the pentest that managed to get this level of access?

The one saving grace here is that the red team had to be 'let in', in other words, they started from a position that is substantially different from being a complete outsider.

It also makes you wonder what else was leaked besides the report.

With time, creativity and motivation a good offensive security team will always win. All we can do as defenders is to find ways to raise the cost of such an attack.

A bit disappointed they seem to have started on the internal network rather than coming in from the outside :)



Ha! ... quick turn around by Fortune, http://fortune.com/2016/06/18/palantir-hack-buzzfeed/

Bizarre to watch a company move like that ... a bit unnerving in an Ender's Game sort of way. Information manipulation, and suddenly you wonder who's wagging the dog.

Before I read the Fortune article, their remarks were pretty much my initial reaction to the article. Any company that hires sufficiently good pentesters is going to get breached, even an infosec company. I would bet NSA probably does pretty poorly, even to this day, on their annual pentests.

This isn't really news. A company that successfully fends off multiple independent pentests would be news. I've worked for a company that actually did quite well on one pentest, but the testers were pretty terrible.

You haven't actually commented on the actual content of the Buzzfeed article or the Fortune article, but instead have decided to go the route of putting forth FUD about sockpuppets and media manipulation.


How do you know Buzzfeed's source isn't a competitor with an axe to grind? You don't. So this almost-unfalsifiable FUD is useless.


How do you know Buzzfeed's source isn't a disgruntled employee with an axe to grind? So this almost-unfalsifiable FUD is useless.

Except that the Fortune article has the benefit of being 100% correct.

It's like a scene out of a Silicon Valley episode.

> Palantir does an incredibly comprehensive job with PR and damage control

Those are just two more aspects of controlling information.

> the assertion here is that Palantir being unable to defend its own networks against a fairly rudimentary and mundane attack throws its entire business offering around cybersecurity into question

I think you're right. I would imagine this will prompt some tough questions both within their existing customer franchise and in pitches for new business.

Here's how Palantir describe their company cybersecurity platform on their own website[0]:

> With Palantir, your enterprise can finally detect advanced threats that lie hidden within your data. All of it. Structured network logs from proxy to IDS, VPN, anti-virus, DLP, DNS queries, malware tools, and application logs. Contextual data like email, print logs, facility access logs, internal chat logs, and human resources data. Open source and third party data. Our technology integrates it all into a single environment, and separates actionable signal from the noise so you can protect your network.

So the obvious question if you're the CEO or CISO of a company that does or is considering doing business with Palantir is, "You guys have unfettered access to your own network -- you can deploy your own cyber solutions without any restraints whatsoever. And yet you couldn't detect these intruders on your own system?"

Importantly, I'm not sure this would be a fair criticism -- it sounds like the white hat hackers they hired were very very good at covering their tracks -- but there's no doubt this leak is going to result in some tough conversations.

[0]: https://www.palantir.com/solutions/cyber/

What a ridiculous clickbait title

What does Palantir do, really?

Gee, we have to wonder if some good anomaly detection would have detected that intrusion?
