Parasite hacking

From time to time you stumble across an article that at first looks like an ordinary APT attack by one group on people in another country, but then hits you with a “wow, that is so ingenious”.


Here is the TLDR:

Storm-0156 (a Pakistan-based group) runs its own C2 infrastructure and has persistent access to a number of Afghan networks. Along comes Secret Blizzard (Russian) and piggybacks on Storm-0156’s C2 servers. From there they can deploy their own malware and reach the Afghan networks themselves. They then jump further, to the other end of the C2 channel: not the controlled machines but the commanding ones, the operator PCs of the Pakistani hackers with their hands on the keyboard. Those PCs presumably run no endpoint protection, because otherwise the operators’ own malware would be scooped up by virustotal.com and be burnt and useless from then on. So landing on those unprotected operator PCs potentially gives Secret Blizzard access to all the data acquired through Storm-0156’s hacking operations. This is a case of parasite hacking, or, put more nicely: intelligent people are lazy people.

Snowblind: The Invisible Hand of Secret Blizzard – Lumen Blog

And when you ask ChatGPT/DALL-E to generate an image to go with the original article, you realize that the hoodie stereotype will never die.

PS: RITA is one of the best tools to detect C2 tooling in your network. It is named after John Strand’s mother, and the name also happens to stand for Real Intelligence Threat Analytics.
GitHub – activecm/rita: Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
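As an added example (not from the post and not RITA’s own code), here is a toy version of the beacon analysis that RITA performs: it reads a constructed Zeek-style conn log, groups connections per source/destination/port, and scores each group on how regular its inter-arrival times and request sizes are. Implants that check in on a timer stand out because both are nearly constant, while a human browsing is bursty. The log lines, addresses and thresholds are all made up for this demonstration.

```python
"""Toy C2 beacon detector over a constructed Zeek-style conn log.

Added example: scores each (src, dst, port) tuple on how regular its
connection interval and request size are, which is the core idea behind
RITA's beacon analysis. All traffic below is constructed, not captured.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 8      # fewer than this is not enough to call it a rhythm
MAX_INTERVAL_CV = 0.25   # coefficient of variation of inter-arrival times
MAX_SIZE_CV = 0.25       # coefficient of variation of request sizes


def _beacon_lines():
    # Constructed: an implant checks in every 60 s with a few seconds of
    # jitter, sending a near-constant sized request.
    jitter = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0]
    sizes = [512, 512, 520, 512, 508, 512, 512, 516, 512, 512, 510, 512]
    t0 = 1700000000
    return [f"{t0 + 60 * i + jitter[i]}\t10.0.0.5\t203.0.113.10\t443\t{sizes[i]}"
            for i in range(12)]


def _browsing_lines():
    # Constructed: a user browsing the same number of times, bursty and irregular.
    offsets = [0, 3, 4, 40, 41, 300, 302, 310, 900, 905, 1800, 1803]
    sizes = [1200, 340, 8800, 512, 2300, 150, 9100, 430, 760, 5400, 220, 3100]
    t0 = 1700000000
    return [f"{t0 + o}\t10.0.0.7\t198.51.100.20\t443\t{s}"
            for o, s in zip(offsets, sizes)]


# Tab-separated fields: ts, src, dst, dst_port, orig_bytes (constructed data)
CONN_LOG = "\n".join(_beacon_lines() + _browsing_lines())


def parse_conn_log(text):
    """Group (timestamp, bytes) events per (src, dst, port) tuple."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split("\t")
        flows[(src, dst, int(port))].append((float(ts), int(nbytes)))
    return flows


def _cv(values):
    """Coefficient of variation: spread relative to the mean (0 = perfectly regular)."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def score_flows(flows):
    """Compute regularity statistics per flow and flag the beacon-like ones."""
    results = {}
    for key, events in flows.items():
        if len(events) < MIN_CONNECTIONS:
            continue
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [e[1] for e in events]
        interval_cv = _cv(intervals)
        size_cv = _cv(sizes)
        results[key] = {
            "connections": len(events),
            "mean_interval_s": round(mean(intervals), 1),
            "interval_cv": round(interval_cv, 3),
            "size_cv": round(size_cv, 3),
            "beacon": interval_cv <= MAX_INTERVAL_CV and size_cv <= MAX_SIZE_CV,
        }
    return results


def find_beacons(text=CONN_LOG):
    """Return only the flows whose timing and size regularity look like a beacon."""
    return {k: v for k, v in score_flows(parse_conn_log(text)).items() if v["beacon"]}


if __name__ == "__main__":
    for key, stats in score_flows(parse_conn_log(CONN_LOG)).items():
        print(key, stats)
```

Real tools add more signals (long connection duration, rare destinations, DNS patterns) and run over days of traffic, but the two coefficients of variation above are the heart of it; a beacon with heavy randomised jitter needs more samples or a different metric, which is why the detection threshold is a tunable.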

Almyros – the god who created Almere

create a Greek mythical god with the name Almyros who has a spade and a bag of sand

On our Greece holiday on the beautiful island of Evia, we made some day trips to Athens and visited the beautiful Benaki Museum.

We made a stunning discovery that I think hardly anyone knows about: Almyros, the god of landcraft and coastal transformation, son of Poseidon and Anthera, is the deity who brought forth land from the sea with his divine spade and bag of sand, and in doing so created Almere.

In the distant past, when the gods still roamed the earth and the seas, there was a lesser-known corner of the divine family tree where oddities were born. Among these oddities was Almyros, the god of Almere, who was not like other gods. He was the son of Poseidon, the mighty god of the sea, and Anthera, the goddess of bad decisions and impromptu picnics.

Almyros grew up surrounded by water, as any good son of Poseidon would. He had seashells for toys, dolphins as playmates, and could swim before he could walk. But despite all this, Almyros had one nagging thought: he was tired of water. “Water, water, everywhere,” he grumbled, “but not a plot of land to stand on!” One day, after yet another boring underwater feast, where the menu consisted of nothing but seaweed salads and fish, Almyros approached his father with an unthinkable request. “Father,” he began, “I want land!” Poseidon, with his trident in hand and a perplexed look on his face, nearly spat out his kelp wine. “Land? But you’re the son of the sea! Why on earth would you want land?” Almyros explained, “I’m tired of being soggy all the time. I want to build something, plant something, and, most importantly, dry out for once!” Poseidon sighed, “Land is for mortals and those other land-loving gods. But fine, if you insist, I’ll grant you a piece of land. But only a small one!” With a wave of his trident, Poseidon raised a tiny patch of land from the sea. It was no bigger than a picnic blanket (one of Anthera’s doing, no doubt). Almyros looked at it and frowned. “This won’t do at all! I need more land!”

Now, Anthera, who had been lounging nearby, munching on ambrosia sandwiches, chimed in. “Darling, why not make your own land? Get creative!” Inspired by his mother’s suggestion (though perhaps not fully understanding the implications of ‘getting creative’), Almyros grabbed the first things he could find: a spade and a bag of sand. “Watch and learn,” he declared with great enthusiasm.

He began digging up sand from the seabed and piling it onto the tiny patch of land. With every scoop, the land grew. Almyros, so absorbed in his work, didn’t notice the seas around him slowly starting to drain. Soon, the land he was creating became vast, stretching out into what would later be known as Flevoland. Poseidon, realizing that the sea level was dropping alarmingly, rushed over to his son. “Almyros! What have you done?” But Almyros, covered in sand and grinning from ear to ear, replied, “I’ve made land, Father! Now I can plant trees, build towns, and dry my feet whenever I please!” Poseidon sighed deeply. “You’ve turned a sea into a land… Fine, but you’ll have to take care of it. And don’t come crying to me when you miss the ocean breeze.”

And so, Almyros became the god of Almere, lord of the newly formed land. His symbols, a spade and a bag of sand, are reminders of his grand project. To this day, the people of Almere sometimes find odd patches of sand where they shouldn’t be, a lingering sign of their god’s slightly overenthusiastic land reclamation project. Almyros, for his part, couldn’t be happier. After all, he had the best of both worlds: land to walk on and, if he ever got nostalgic, water just a short walk away.

BaaS – Bricking as a Service

Let’s start with a definition from Techopedia

It is already some time ago (January 2024) that this news showed up, but I think HP deserves a mention for introducing this new service concept:

Bricking as a Service.

It’s not completely new: in the past there have been cases where a manufacturer or vendor shipped a faulty firmware upgrade that rendered your system inoperable, forever. But that was unintentional. Then there are the BaaS examples that are intentional and malicious, like what Russia’s GRU did to Viasat, which Dmitri Alperovitch called “perhaps the most strategically impactful cyber operation in wartime history”. But bricking, with good intent, a device that you as a private individual bought and that sits in your home, that is new.
HP claims, citing research from Bugcrowd, that a third-party ink cartridge can compromise your network: “We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network.” (HP CEO Enrique Lores, as cited by Ars Technica). So don’t blame them for being reactive! They are even visionaries: they found a solution for this threat before it actually became a threat.

That HP’s CEO had the guts to say this in public with a straight face deserves an honourable mention.

Ars Technica mentions that an HP spokesperson commented that HP offers a wide range of printing products and solutions for customers to choose from, including Instant Ink, and regularly expands its offerings to create more value for customers.

You can’t make this up.

Sources:

HP CEO evokes James Bond-style hack via ink cartridges | Ars Technica
Third-party ink cartridges brick HP printers after ‘anti-virus’ update (9to5mac.com)
Blue screen of death on printer’s touchscreen 83C0000B – HP Support Community – 8686089




Vulnerable by Design and by Default

Just posting the seal here since it looks so cool and flashy

CISA recently published an update of their 2023 Secure by Design document: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. The previous one dated from earlier in 2023, and this one sounds so pragmatic that it reminded me of when I first learned about ITIL, which was also based on best practices. It is so clearly written and so much of it is plain common sense that it’s a no-brainer.

I said “was” because ITIL has become so academic that it is losing its pragmatic, easy-to-deploy unique selling point. Just like I don’t like the Information Security Forum, now rebranded to ISF I guess. Why don’t I like it? It is so academic, lengthy and bulky that it is more like an academic schoolbook, a research product, maybe even the result of a PhD by people with high foreheads who work at universities rather than in companies. It is not pragmatic. Imagine you are an energetic, fresh information security officer and, following ISO 27001 best practice, you meet with the business owner and system owner of an IT asset and ask them to perform a security classification (rate it High, Medium or Low along the Confidentiality, Integrity and Availability axes, a sort of BIA). The moment you show up with an asset classification form that you just downloaded from ISF they will still smile at you, but after 8 pages they will show you the door and think of security as a ridiculous bureaucratic failure. It’s just not implementable! Academically I am sure it’s brilliant.

Going back to applauding the pragmatic approach of CISA’s Secure by Design, let me highlight some parts of the document that really stand out:

Manufacturers are encouraged to take ownership of improving the security outcomes of their customers. Historically, software manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense. Only by incorporating secure by design practices will we break the vicious cycle of constantly creating and applying fixes.
===>>>>> Remember the days when Microsoft issued security fixes/patches/service packs that were sometimes as big as the original OS?

Well before development, products that are secure by design are conceptualized with the security of customers as a core business goal, not just a technical feature.
===>>>>> This sounds like a no-brainer, but it is the mindset that makes the difference. Comparable to when Maersk Oil had its zero safety incidents policy. One could argue that zero safety incidents is not realistic with hundreds of oil rigs and thousands of employees, but the policy signalled the intent and the commitment to go for it.

Security should not be a luxury option, but should be considered a right customers receive without negotiating or paying more.
===>>>>> This reminds me of a cynical article by Alex Stamos about Microsoft’s Midnight Blizzard incident, in which he blames Microsoft for recommending that potential victims of attacks on Microsoft’s own cloud-hosted infrastructure buy additional premium services: “They need to throw away this poisonous idea of security as a separate profit centre and rededicate themselves to shipping products that are secure-by-default while providing all security features to all customers.”

Embrace radical transparency and accountability.
===>>>>> I think they borrowed that term from Ray Dalio. The point being made is: “The collective industry would benefit from more information sharing on topics such as strategies to measure the cost of security defects and to eliminate classes of vulnerability”. Radical transparency benefits the defenders more than the adversaries.

The idea is that security must be “baked in,” and not “bolted on.” [1]
I just loved that phrase and followed the footnote, curious where it came from. Guess what: it’s a 1972 paper from the Electronic Systems Division, written by James P. Anderson.
[1] https://csrc.nist.rip/publications/history/ande72.pdf

Test security information and event management (SIEM) and security orchestration, automation, and response (SOAR) integration.
===>>>>> In the previous version it only said: Consider best practices such as providing easy integration with security information and event management (SIEM) systems.
In this version it says on page 18:

That is a leap of a light-year!

Provide logging at no additional charge.
===>>>>> And again I am reminded of Microsoft, where only customers who paid for an additional logging feature could detect an attack on Microsoft’s cloud infrastructure.

One of the companies that read this document is Google, as can be seen in their announcement of ChromeOS Flex, where they write that “ChromeOS Flex is built with security as a first principle, not an afterthought”.

In case you want to respond, please do so via Twitter or e-mail (just type peter, then add the @ symbol and then the domain name baurichter.com).

Shake anyone tailing you with Tails 5.0

After using Tails for a couple of years, I noticed Tails 5.0 was out, so I gave it a try. The result is this post in praise of Tails and the people developing it.

What’s so great about Tails 5.0?

  • installation is a breeze: previously two USB sticks were needed, now it is just one; download an image and burn it onto the USB stick
  • the installation manual is foolproof, super easy and user friendly, even with a QR code to continue reading the manual on your phone
  • the website is concise, to the point and available in multiple languages, even Portuguese and Russian
  • and you can donate in multiple ways
  • the people developing Tails and everyone around it are pros, as can be seen from the Kanban board, the auto-reply bot in development and the transparent list of issues
  • the best thing of all: it just works!

Any comments? @peterbaurichter on Twitter

AltaVista anyone?

findability.org - by Peter Morville

Those were the days when AltaVista was one of the first search engines (together with Archie, Gopher and Excite) that you would turn to and wonder: why does anyone make this for free? Then its bigger brothers came along, like Google, Bing, Yahoo, Baidu and DuckDuckGo. After Google I thought that everyone sort of gave up: too hard to beat. Until I discovered once more that I don’t know everything and that there are other search engines out there that don’t do evil and are sometimes even privacy friendly, like the first five listed below. So they don’t do evil and don’t steal all your data. Then how do they make money?

And there are even more, as you can see here and here.

Trojan Source: out in the open but invisible

In a previous century (1993), Bugtraq was brought to life to publish vulnerabilities regardless of vendor response, as part of the full-disclosure movement. Now it is a given that vulnerabilities are published, and it is not a matter of IF vendors are going to issue fixes but WHEN.

If we were still stuck in a reality where the debate is about whether vulnerabilities are allowed to be published at all, and when, up to the point that vendors rip pages out of textbooks, we would not be able to discuss the vulnerability itself, its potential exploit nor its potential impact. This is a benefit we have achieved in the world. Something to remember in these times, when we realize that the internet has not fulfilled the dream of making the world a better place. The free open internet is now a place of firewalled countries, censored websites, tracking websites, spying applications, and of pushing encryption to the masses wherever possible to avoid mass surveillance. At least there is full disclosure now.

Without that kind of transparency we would not be able to discuss the subtleties of the Trojan Source vulnerability/exploit: that it looks fine to the human eye (out in the open) but is nasty to the computer, so that we are actually dealing with an invisible vulnerability, invisible to the human eye as pointed out by Ross Anderson in an interview with KrebsOnSecurity.
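To make the “invisible to the human eye” point concrete, here is an added example that is not from the post or from the Trojan Source paper: a small Python scanner for the Unicode bidirectional control characters the attack abuses (the override, embedding and isolate codes U+202A to U+202E and U+2066 to U+2069), run over a constructed snippet. The trick is that the interpreter or compiler parses the logical order of the characters, while a bidi-aware editor displays a reordered line, so the reviewer reads a different program than the one that runs. The sample source, its expected rendering and the function names are assumptions made for this demonstration.

```python
"""Scanner for Unicode bidirectional control characters in source text.

Added example for the Trojan Source post. The controls below let an attacker
make the displayed order of a line differ from the logical order that the
interpreter parses. A code-review gate should reject them in source files.
"""
import unicodedata

# The nine bidi override / embedding / isolate controls abused by Trojan Source.
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"

# Constructed sample (not from the paper or the page). Rendered by a
# bidi-aware editor, line 2 is expected to read:
#     if access_level != "user":  # Check if admin
# but the interpreter sees a string literal that still contains the controls
# and the comment text, so a plain "user" never equals it and every caller
# is treated as admin.
TROJANED = (
    "def check_admin(access_level):\n"
    '    if access_level != "user\u202e \u2066# Check if admin\u2069 \u2066":\n'
    "        return True\n"
    "    return False\n"
)

# What the reviewer believes they approved: the same code without the controls.
INTENDED = (
    "def check_admin(access_level):\n"
    '    if access_level != "user":  # Check if admin\n'
    "        return True\n"
    "    return False\n"
)


def scan_source(text):
    """Return (line, column, 'U+XXXX', unicode name) for every bidi control found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def strip_bidi_controls(text):
    """Remove the controls; useful to diff what was displayed against what was parsed."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def run_check(source, access_level):
    """Execute check_admin from the given source to show what the interpreter does."""
    namespace = {}
    exec(source, namespace)  # constructed samples only; never exec untrusted input
    return namespace["check_admin"](access_level)


if __name__ == "__main__":
    for hit in scan_source(TROJANED):
        print("line %d col %d %s %s" % hit)
    print("trojaned check_admin('user') ->", run_check(TROJANED, "user"))
    print("intended check_admin('user') ->", run_check(INTENDED, "user"))
```

The scanner deliberately flags every occurrence rather than trying to reproduce the rendering: reproducing the bidi algorithm is exactly the work a reviewer should not have to do. Where a project legitimately needs these characters (right-to-left text in a string), the check can be restricted to comments and literals that also contain source-like tokens, but the simple rule of refusing them in code is what most linters and compilers adopted.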

Standards versus culture

In my corporate technology risk working history, I have come across various situations where the emphasis is on the policies and standards and less on the implementation. There is a big disconnect. Discussions can go on for weeks about what data classification (rating high, medium or low for confidentiality, integrity and availability) is most appropriate for a certain asset (application), yet no discussion takes place about which security measures are attached to the classification or who is going to implement and maintain them. Or lengthy discussions about the interpretation of some government security standard, regardless of what it does in terms of risk management.

However, I have always been surprised by the ethical standards in photojournalism. There seems to be some kind of standard, but much more a widely accepted agreement of ‘thou shalt not photoshop images’. Whenever an altered image is detected in a news bulletin, the condemnation is unanimous. The culture exceeds the standards.

Same here, where Fox News posted a really badly, sloppily edited image. See the sharp line on the right of the picture.

No idea who owns the standards (Associated Press?) and it doesn’t matter, since everyone agrees with the same shared belief that one should not alter images used in news reporting.

Examples of digitally altered images are here and here.

Another twist in standards:

Source: XKCD

Standards

National Geographic: The best photos of 2019

Pedestrians, shoppers, and people-watchers stroll on Chuo-dori in Ginza, one of Tokyo’s busiest destinations. Cars travel on the street during weekdays, but on weekend afternoons a one-mile strip is closed to traffic and becomes a promenade. Cafés, high-end boutiques, and street performers attract local residents and visitors. Photograph by David Guttenfelder

The best photos of 2019
National Geographic’s 100 best images of the year, curated from 106 photographers, 121 stories, and more than two million photographs.
See them all here

The one displayed above is my favorite. It’s a bit of an artistic one, by the way, as opposed to the other 99.

The missing Crowdstrike server story.

I just changed the picture to the one displayed in the Wired article by Brian Barrett called “Trump’s Ukraine Server Delusion Is Spreading”. The beautiful picture reminds me of a movie poster. The photo, taken by Andrew Harrer, is super telling and would fit in a Magnum collection.

This conspiracy theory about a missing CrowdStrike server is not being fabricated by Trump. No, he truly believes the story that CrowdStrike is hiding a server containing evidence that Ukraine, and not Russia, hacked the DNC. The people around him know that every part of the story is false but have learned not to speak up against him.