> “A number of MSPs have been affected, and naming them would have potential commercial consequences for them, putting them at an unfair disadvantage to their competitors,” she said.
Wait, what? These companies got repeatedly hacked, were apparently not able to re-secure the network, allowed themselves to be used as a springboard for further attacks to their customers, and then covered it up. And letting this be known would be an "unfair disadvantage"?
Given this market, anyone developing high-security solutions has to lose money on them constantly or charge exorbitant prices to recover their investment. Pretty much only Defense and regulated sectors will buy those. So, the number of high-security products goes down or stays minimal while easily-hacked garbage grows in number. That's all people see, to the point that many buyers don't even know something better is possible. The situation keeps reinforcing itself with the buyers all getting what they're paying for or not guarding against.
So, I blame them as much as the attackers if not more than the attackers when it's the same preventable stuff happening. Especially the times it didn't cost extra or what they bought cost more than secure stuff.
Which ones? Are any open-source?
Not open source given only proprietary sector made high-assurance security most of the time. There are some groups that open-sourced stuff after the fact. One whose methods some might emulate is Muen separation kernel. They use SPARK Ada to prove it can't have all kinds of problems. It's also smaller than most things like it.
Perhaps a more apt analogy would be your house is burgled while you are away, do the authorities have an obligation to tell everyone in the neighborhood or just you?
And that wasn't even the comparable situation. From the article it looks like IBM was continually responding to an evolving attack and very deep and extensive penetration.
Maybe, possibly, at worst, IBM was arguably negligent here, but it's still China's fault the situation occurred.
All while working behind the scenes trying to make a Chinese controlled Google (Dragonfly) for China, complete with the censorship tools that any government that wants to control its people would love? Several large American companies seem to be chomping at the bit to do these types of projects and help repressive governments in order to profit, until the light of truth gets shown on them... Or were you referring to the time when they were already in China and pulled out over censorship issues?
I'm not even sure why China needs Google, they've already stolen the source code years ago. Maybe they're after updates to the algorithms.
> In a blog post, Google chief legal officer David Drummond said hackers stole the source code that powers Google’s vaunted search engine and also targeted the e-mail accounts of activists critical of China’s human rights abuses.
The focus on Google's dragonfly is strange because it never came to fruition, yet other major tech companies like Apple, Facebook, Microsoft, and Amazon are already operating in China and currently giving similar concessions to the Chinese government.
Sure, no action is ever representative of an entire company - there are always exceptions, but in this case, the CEO and other senior leadership were both behind the project AND behind hiding it from others - you can't paint it as a rogue operation from "one APAC director".
Just because it's a part of their "brand" doesn't mean they "are" that thing. Caveat surfor.
Look at what happened to ZTE when the US threw sanctions at them.
Give it 5 years. See if Google are just waiting for things to "cool down" before going back at it.
So yea, already happened, will probably happen again.
Influencing elections and referendums, assassinating people abroad, hostile acquisition of parts of a country, widespread cheating at sport, assassinating opposition members etc.
That is in no way limited to Russia.
And Russia is far more aggressive than other countries. Even today we had Putin telling the UK's government in a press conference to respect Brexit, which directly helps Russia by weakening the EU/NATO.
Or the methods used so others can try to protect themselves.
Call it what you want but, even with a lot of grey in between, these things are real and material.
That said, I suggest the number of stories appearing in the press as of late might be part of a steady leak of information from US authorities as part of their strategy to put pressure on China during trade negotiations.
How will others know I'm intellectually superior to them, unless I express some edgy contrarian view?!
edit: I was responding to "harvesting their organs when they die in incarceration" -- this sounds like it's a natural death.
> For many years, it has been known that China uses execution vans, kind of like specially outfitted ambulances, to more efficiently carry out its exceedingly large number of executions. The method of killing in these vans is lethal injection, which has been slowly but surely replacing the firing squad as China’s preferred means of execution, and both lethal injection and the vans are believed to facilitate the widespread practice of harvesting organs of the executed prisoners, an unbelievably appalling practice.
China is making strategic practices of lying and cheating on every level, from small biz to strategic military issues, and they are vertically integrating all of it.
At the small biz level, it is well known among anyone that if you let any IP be visible to a Chinese partner, you should have the full expectation that it will be in your competitor's hands within hours, and you can expect to see your products being sold out the back door.
At the larger biz level, it is a standard practice to demand that key IP is turned over to required Chinese 'partners' as a condition of doing business in the country.
Backdoors have been engineered into both consumer and military hardware.
China has been hacking everything from the US Office of Personnel Mgt (stealing info on every USG employee, including highly classified info on intel agents, & info on everyone that could be used to compromise them), to major and minor companies, to private citizens.
China is continually and as a matter of policy expanding into and encroaching upon its neighbors from Tibet in the 1950s to the '9-dashed-line' in pacific waters today.
I know many perfectly honorable Chinese people, and there are probably more of them than the entire population of the US. But, to regard official or business China as anything better than a thief who will stab you in the back at the first opportunity is to be a fool.
We in the west thought that we were exploiting China's cheap labor. Meanwhile, China was exploiting our myopic weakness for short term profits to seek massive strategic business and military advantage. This will go down in history as one of the greatest geopolitical blunders of all time.
Anyway, for the money we all go.
But it's easier to blame China, so let's do that.
The victims here had an obligation to those they worked with to take reasonable measures to prevent and mitigate this sort of thing. Just because something bad happened to them doesn't relieve them of this obligation.
It's possible for more than one party involved to be in the wrong. Just because the victims screwed up doesn't mean the perpetrator is somehow morally cleared. Nor does the perpetrator clear the victims of their carelessness.
Edit: Since apparently people are taking this to mean I think companies should withstand a dedicated attack by China, I've gone wrong somewhere. I don't mean that. I was talking about responsibility. They can both be responsible and not be negligent. What I expect is them to help clean up afterwards. Just because they failed in an understandable way doesn't mean they get to avoid taking actions to ensure the damage is minimized.
Almost all companies simply do not have the capabilities to defend against state sponsored attacks and are already taking reasonable measures to prevent and mitigate. When you have undisclosed exploits being used against third party vendor hardware to attack the company, what can you reasonably do?
It doesn't mean they get to clean their hands of the whole thing either. They failed, and that's fine as long as they weren't being negligent. But they are still responsible for doing what they can to minimize the damage. That means, for one, informing those impacted about what is known.
So, just to be super explicit. I don't expect a business to withstand a nation-state attack. I do however expect them to do what they can to minimize the damage afterwards.
In this case it was spearphishing infected .docs. If corp security can't deal with that, they've got bigger problems.
If what you are saying is reality, what consequences can it have and what legal recourse can a client (corporation or private) expect in such cases? Who can be held responsible if sensitive data disappears? Does it need a new type of contract when subscribing to a service?
Oh wait you can't. Which is why we had to turn to our government intelligence services to provide assistance.
So stop pretending like companies can defend against state sponsors who are buying 0-days for $100k+ like it's candy.
I described what I learned about how high-assurance security builds stuff here:
As I've often said, compare anything from the security market advertised as secure against the stuff on that list. If they're missing something, they're probably insecure. Now, I'm still not saying you can stop nation states and all 0-days. I am saying that most of the $100k 0-days are preventable with architectures like the above, with apps in safe languages and with guards separating trusted things from untrusted things. Ada has also been around a long time, with Rust getting popular now.
What makes most companies not use stuff like that isn't that level of security being unachievable: they just don't want to for management's reasons which range from arbitrary to sound practices in a profit-focused environment.
"I don't believe you." You can't just change the organization, culture, and procedures of a company just by throwing money at consultants.
That's like saying a big family can solve their feuds and mental illnesses just by writing a check to team of group therapists and lawyers.
Security is hard. So hard that no matter what amount of money you spend you will still be vulnerable, but maybe a bit less so. There are no absolutes in this.
> according to the indictment, it was a few spearphishing emails with .docs attached, followed by keylogger and other malware installation.
Junior Sysadmins straight out of a bootcamp can negate that.
But they have a duty after the fact as well, to ensure the damage is minimized. That includes actually telling those potentially impacted what is known, etc.
IBM is not to blame for the initial attack. But any further attacks that result from their silence can have a good share of blame laid at their feet.
Now, there may be a wrinkle. When discussing nation-state grade actors, there's a very real possibility that they may attack in ways that cannot reasonably have been protected against by most private-sector security programs.
What are we to think, to do, to expect in such a scenario? To what extent should we expect any company, even a large and wealthy one, to successfully fend off the full might of a large and powerful nation-state's offensive information security apparatus?
Again, you're absolutely and unquestionably right. Companies can, should, and must take reasonable measures to protect the basic human rights of security and privacy. There just might be some room for subtlety when considering what reasonable measures can accomplish.
What I was trying to say was that that doesn't relieve them of their responsibilities to minimize the damage afterwards.
Just because they can't be expected to win doesn't mean they should be able to wash their hands of the whole affair without trying to help.
More to the point, in what ways are the companies allegedly breached failing to live up to their responsibilities to help minimize the damage of a breach? What should they do in a scenario where investigations may be ongoing and potentially involving law enforcement?
Not sure how on earth people expect companies to defend against that.
You mentioned Cisco in another comment. Why buy Cisco if their stuff is known to be insecure or not proven secure? If not knowing high-security, I'd consider genua just cuz they use OpenBSD at the core. There were two others using INTEGRITY RTOS, one Sentinel's HYDRA and another discontinued, with both having few buyers. There's still going to be attacks, but way less of them, choking attackers further year after year. Hell, even leaks in CPUs were found from 1992-1995 using these same methods as LOCK et al in VAX VMM. We knew then, with companies and security folks just ignoring them because those high-performance, lower-cost CPUs let us do some awesome stuff, right?
We're not getting hit because of ridiculous resources opponents put into 0-days: we're getting hit because of ridiculous resources put into known-insecure components and methods after people with those resources ignore stuff that works, often letting it die off. Totally different problem. When phrased that way, one starts thinking maybe they should be regulated to use what works, or be liable for some of these decisions for ignoring what works and using what's high-risk. I favor regulation after seeing positive results in TCSEC and DO-178B markets in terms of assurance activities.
And all it took was meaningless buzzwords which almost all enterprise companies at least do already. It doesn't make one iota of difference when your vendor equipment or services are compromised.
Car thief crashes car into crowd of people.
Crowd of people sue you for damages because you didn't make your garage secure enough? Why didn't you hire a 24/7 security service to protect your property to decrease risk?
I think it’s more than fair to say that the reams of personal info stored by companies are such an attractive nuisance.
I get that it's liberating to disclaim responsibility for the consequences of anything we do, but that isn't how the world works. At some point (however far) you are held responsible for your negligence.
Or, how about they explicitly tell their customers that they can’t keep their data safe and might be a target of an attack that harms the customer?
I’m ok with either option.
There is an implicit expectation/contract that if a company is collecting your data it will keep it safe. If it’s not going to do that and will not do anything afterwards to repair any damages caused then they should just delete it after using that data or, advertise they can’t keep it safe and let the customer decide.
This means it is notoriously complex and nuanced, but it's not going to be overturned by boolean strawmen.
Edit: Moral of the story, since perhaps it's not obvious to all, is secure your dangerous property, cars, guns, band saws, computer networks, or otherwise.
You want to explain how you defend against that?
1. Put valuables in a low-rated safe whose door opener is network accessible and itself low-rated.
2. Whose alarms suck at identifying and responding to actual breaches by even the most common methods.
3. A thief breaking in who uses the most common methods that the safemaker or company didn't try to stop. They did spend a fortune on unrelated stuff.
4. Various designs and implementations that weren't using methods that often prevent or detect backdoor attempts in favor of methods that let backdoors slip through.
Also, this is a company that makes billions in profits a year. They have the money to both develop and build highly-secure systems, including safes. They keep not doing that or not using what high-security they build. They keep using low-security stuff year after year after year. They could defend against those problems by doing more of what works and not using low-rated, often-vulnerable stuff for protecting secrets. Just a hunch on my part. ;)
But if you know that people steal packages off of porches in your neighborhood, and you leave a package out there for weeks, you're at least being pretty unwise. You're not morally at fault, but pragmatically, yes, you kind of are.
[Edit: That is, your actions are not well-suited for the kind of world that we actually live in, and that you know that we live in.]
You could have set up a different causal chain that would have prevented the theft. Of course that doesn't mean that society can't blame (and punish) the thief.
This is like defending a teacher who left a loaded gun on their desk because they are the victim of theft.
In this case, according to the indictment, it was a few spearphishing emails with .docs attached, followed by keylogger and other malware installation. The companies should be held responsible for being silly in this case.
Personally, yeah companies need to be held to a higher standard against hackers, but if we're going to be realistic, we only expect they could do it because it's IBM and they have a lot of money. What about all the other companies? Rhetorically, what are we going to do about this issue? There's been decades of fairly basic confidence schemes and "hacks" and all the corporate training in the world isn't making a dent in people trusting strangers and running malicious files.
I'm starting to believe that at some point we should start fining people for lack of protection.
FOR IMMEDIATE RELEASE
Thursday, December 20, 2018
Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information
> Both IBM and HPE declined to comment on the specific claims made by the sources.
> DXC Technology declined to comment, saying in a statement that it does not comment on reports about specific cyber events and hacking groups.
> Reuters was unable to confirm the names of other breached technology firms or identify any affected clients.
I wonder why the title of the article sounds so certain while it seems none of the claims are confirmed.
"None of the claims are confirmed" is probably due to IBM (etc.) having an aggressive legal attitude plus plenty of lawyers.
e.g. If you try and force them to contact their customers, you're in for a long, drawn out legal process with a less than 100% chance of getting a decent result for their customers.
The Chinese government has routinely stooped to using coercion such as blackmail and kidnapping of family members to control its citizens. It's really not comparable.
Lo and behold, it was a public IP.
As in, this old-ass printer, sitting at an HP office, was sitting on the Internet. And it was connected to the office network.
Really blew my mind.
The office was very old, and there were things laying around the hallways that seemed to have been untouched for 20 or even 40 years. So I'm guessing that workhorse of a printer had been chugging away for decades, and was configured long before anyone had thought about information security.
Also, if this sounds too crazy to be possible, you can test this for yourself. If you do a Google search on the welcome page of an HP printer, you will find hundreds with public IP addresses.
IP exposed to the internet, or an IP from the public range?
HP has 2 /8s. Lots of things got public IPs in there since they can hand them out like candy. It doesn't mean though that they're available from the internet.
The big question is whether you could exploit that to get to the rest of the facility.
This particular facility was acquired by HP, so who knows how they set it up.
As lousy as that sounds from your description (e.g. a valid globally routable IP), it would be very surprising if the printer (or even the office space) was accessible from outside HP.
Firewalls (and more) are a thing. ;)
> Also, if this sounds too crazy to be possible, you can test this for yourself. If you do a Google search on the welcome page of an HP printer, you will find hundreds with public IP addresses.
Yeah. Certainly says something about the competence of some places. :(
Relatedly, it sounds like Shodan might be of interest:
We were like, wait, if it's not allowed, then why was I able to? And why did it take 3 months?! They backed down and we laughed over beers.
I'd be surprised if IBM even has the visibility into the situation... because that's just one of the war stories.
You don't declare war on a nuclear power, ever. That kills us all.
How effectively and stringently that ban is enforced might be open to question, but to say that the Chinese government has done "next to nothing" is hyperbolic.
It's quite the opposite in terms of how the US has treated them. In terms of actual behavior, China has never had a better friend in its modern history than the US. The US helped China vs the Empire of Japan, which had done unimaginably horrible things to China. The US kept the Soviets from nuking China in 1969. The US invested trillions of dollars into China's economy over decades. We've treated them more than fair, we've worked with them as traders, we've tolerated their aggressive hacking and anti-WTO trade practices for nearly two decades. The US is the sole reason China got into the WTO. We've gone out of our way to try to respect their sensitivities toward Taiwan for decades. The US didn't seek to conquer China, or annex parts of China, or invade China, or turn them into a colony of a superpower. We traded with them and they've successfully built the world's second largest economy on the back of it.
Disparate effects are the new norm. There very well may be lives threatened.
death by a thousand cuts
2. The judiciary should viciously go after the largest hostile actors, including state actors, they can get a hold of.
3. And lastly, politics should go after China. Every week there is a new story about how China stole IP, hacked something or showed hostile behavior.
Compared with their rhetoric and genocidal tendencies, it should become clear to every state that China is not an ally to anyone but the CCP, and no Chinese firm is at the end not owned by the CCP.
The harshest consequences that are reasonable are appropriate at this point, or China's behavior will just get worse.
Appeasement does not work anymore.
... this still has to go in front of a judge of course but it's not like they're claiming there's no evidence.