Posts

UNSECURITY Episode 121 Show Notes

Happy Tuesday! It’s time to get ready for another episode (#121) of the UNSECURITY Podcast!

Not sure if you caught it last week, but there was an open U.S. Senate hearing on Tuesday (2/23). The hearing was titled “Hearing on the Hack of U.S. Networks by a Foreign Adversary” and lasted about two and a half hours. The hearing was about the events surrounding the SolarWinds Orion Hack, and what we can do to prevent (or at least reduce the likelihood of) similar events in the future. Witnesses included some well-known people in our industry:

  • Kevin Mandia, CEO of FireEye
  • Sudhakar Ramakrishna, CEO of Solarwinds
  • Brad Smith, President of Microsoft
  • George Kurtz, President and CEO of CrowdStrike

This hearing was a big deal because U.S. policymakers are trying to figure out what to do, and how “to make sure this doesn’t happen again.” If policy makers draft policy based solely on what these witnesses said, we might be in some serious trouble!

There were some really interesting things said during the hearing, and we’re going to share our thoughts on today’s show.

So, let’s do this! These are the notes for episode 121 of the UNSECURITY Podcast.


SHOW NOTES – Episode 121 – Tuesday March 1st, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 121, the date is March 2nd, 2021, and joining me as usual is my good friend, Brad Nigh. Good morning Brad!

Quick Catching Up

  • What’s new?
    • Working on S2Org r3, IR assessment, and other things.
    • The Gray Matter Society
    • Who would make a good guest next week?
  • Anything else new at FRSecure and/or SecurityStudio?

The Meat

Open Hearing: Hearing on the Hack of U.S. Networks by a Foreign Adversary – https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary

  • Kevin Mandia’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf
  • Sudhakar Ramakrishna’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf
  • Brad Smith’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf
  • George Kurtz’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-gkurtz-022321.pdf
  • The hearing went ~2 1/2 hours, did you make it through it all?
  • So, Amazon Web Services didn’t show up. They haven’t been forthcoming or helpful
  • An interesting Q&A (starting at 1:22:08) from Senator Wyden (D-OR)
    • Senator Wyden: The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?
    • Mr. Ramakrishna: Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring,  system monitoring, application monitoring on premises of our customers.
    • Senator Wyden: Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world  is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.
    • Mr. Mandia: And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.
    • Senator Wyden: I don’t want to use up all my time. We’ll say that your response to NSA and the National Institute of Standards is “it depends”. Let’s just go down the row.
    • Mr. Ramakrishna: So my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules.
    • Senator Wyden: Very good.
    • Mr. Smith: I’m squarely in the “it depends” camp.
    • Senator Wyden: OK.
    • Mr. Smith: For the same reasons that Kevin said.
    • Senator Wyden: OK, I think we have one other person, don’t we?
    • Mr. Kurtz: Yes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys.
    • Senator Wyden: I’m going to close, and uh, my colleagues are all waiting. Bottom line for me is that multiple agencies were still breached under your watch by hackers exploiting techniques that experts had warned about for years. So, in the days ahead it’s gonna be critical that you give this committee assurances that spending billions of dollars more after there weren’t steps to prevent disastrous attacks that experts had been warning about was a good investment. So, that discussion is something we’ll have to continue, thank you Mr. Chairman.
  • Other thoughts and discussion about the hearing.
  • There was general consensus amongst the witnesses that there’s a strong need for mandatory reporting of cyber attacks

News

News stories to cover this week, include:

Wrapping Up – Shout Outs

Good talk! It will be interesting to see what legislation comes out of Washington in response to SolarWinds.

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

Episode 110 Show Notes – All Hell Broke Loose

Welcome! These are the show notes for episode 110 of the UNSECURITY Podcast.

We’re putting the Information Security @ Home series on hold again this week. In case you didn’t know, it seems we have a big problem on our hands. Over the course of this last week (or so), we’ve witnessed events in our industry that we’ve not seen before, in terms of magnitude and impact. It all started (publicly) with FireEye’s announcement of an intrusion and exfiltration of data. FireEye is one of the largest and most respected firms in our industry, so this was big news!

Unfortunately, this was only the tip of the iceberg.

Over the weekend, we learned of two more really significant breaches; one at the U.S. Treasury Department and the other at the U.S. Commerce Department. On Monday (12/14), all hell sort of broke loose when we learned that these breaches are all related, and the source is SolarWinds. Attackers compromised SolarWinds defenses and inserted malware into their premier product, the Orion platform. Orion is a network management system (NMS) used by thousands of organizations to manage and monitor their IT infrastructure. SolarWinds has become a single source of possible intrusions into ~18,000 other organizations. These intrusions into the other organizations aren’t run of the mill either, these are intrusions using “trusted” software (often) configured with elevated/privileged access. This and will continue to get worse before it gets better.

Seems 2020 isn’t done 2020ing yet. The end of 2020 countdown at the time of this writing:

Other things? Yes, or course!

There are always many, many things going on around here (SecurityStudio and FRSecure). One very newsworthy event included the announcement from the State of North Dakota. North Dakota has made our S2Me (personal information security risk assessment) available for all state residents and will use it to help their citizens be more secure at home! One down, and 49 left to go!

Alright, on to it. Brad’s leading the discussion this week, and these are his notes. GOOD NEWS, we’ve invited our good friend Oscar Minks to join us as we delve in to the whole SolarWinds debacle.


SHOW NOTES – Episode 110

Date: Tuesday December 15th, 2020

Episode 109 Topics

Opening

[Brad] Hey there! Thank you for tuning in to this episode the UNSECURITY Podcast. This is episode 110, the date is December 15th, 2020, and I’m your host, Brad Nigh. Joining me as usual is my good friend and co-worker, Evan Francen. Good morning Evan.

[Evan] Cue Evan.

[Brad] Also joining us this morning is another good friend and co-worker, Oscar Minks. Good morning Oscar.

[Oscar] Cue Oscar.

Quick Catchup

[Brad] As if 4th quarter wasn’t crazy enough we had the SolarWinds news break this week.  Before we dig into that let’s catch up and see how we are all doing with just over 2 weeks left in the year. What’s new?

Transition

Information Security @ Home
All Hell Broke Loose

[Brad] Well, we planned to do more security at home stuff, but as I said a couple weeks ago, 2020 won’t stop 2020’ing.

Topics

  • SolarWinds breach (only the beginning)
  • The timeline (FireEye announcement)
  • FireEye, U.S. Government, (possibly) 425 of the Fortune 500, and (probably) 18,000 organizations.
  • What happened?
  • What are the ramifications of all this?
  • What do you need to do?
  • What do we need to do?

Discussion between Brad, Evan, and Oscar

[Brad] 2020 is not going quietly into the night, is it? Alright, moving on for now.

News

[Brad] Amazingly SolarWinds wasn’t the only news in the last week. We probably won’t have time to get to all of these but they are good reads and good to stay on top of.

Wrapping Up – Shout outs

[Brad] That’s it for episode 110. Thank you Evan and Oscar! Who you got a shoutout for today?

[Evan & Oscar] We’ll see.

[Brad] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m@BradNigh and Evan can be found @evanfrancen.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!