After Failure to Detect Major Breaches, US Mulls Real-Time Threat Sharing with Private Sector (msn.com) 67
America is contemplating how to respond to breaches "pulled off by Russia and China against a broad array of government and industrial targets," reports the New York Times:
Both hacks exploited the same gaping vulnerability in the existing system: They were launched from inside the United States — on servers run by Amazon, GoDaddy and smaller domestic providers — putting them out of reach of the early warning system run by the National Security Agency. The agency, like the C.I.A. and other American intelligence agencies, is prohibited by law from conducting surveillance inside the United States, to protect the privacy of American citizens. But the F.B.I. and Department of Homeland Security — the two agencies that can legally operate inside the United States — were also blind to what happened, raising additional concerns about the nation's capacity to defend itself from both rival governments and nonstate attackers like criminal and terrorist groups. In the end, the hacks were detected long after they had begun not by any government agency but by private computer security firms...
Biden administration officials said they would seek a deeper partnership with the private sector, tapping the knowledge of emerging hacking threats gathered by technology companies and cybersecurity firms. The hope, current and former officials say, is to set up a real-time threat sharing arrangement, whereby private companies would send threat data to a central repository where the government could pair it with intelligence from the National Security Agency, the C.I.A. and other spy shops, to provide a far earlier warning than is possible today.
A U.S. representative who co-chairs a cyberspace commission colorfully characterized both breaches to the TImes. "When not one but two cyberhacks have gone undetected by the federal government in such a short period of time, it's hard to say that we don't have a problem. The system is blinking red."
But then there's this: Last month, in the days before Microsoft released an emergency patch for vulnerable Exchange Servers, multiple state-backed Chinese groups were apparently tipped off that the company was testing a patch. They began gorging on vulnerable systems with a speed and aggression that some security experts said they had never seen before.
It is unclear how exactly these Chinese groups learned of Microsoft's patch, but the timing suggests they caught wind of the moves when Microsoft rolled out a test version of its patch to its security partners at cybersecurity firms in late February. Eighty companies participate in a longstanding partnership with Microsoft, known as the Microsoft Active Protections Program, including 10 Chinese firms. Microsoft confidentially alerts these companies to emerging cyberthreats and vulnerabilities ahead of its official patch cycle. The company is investigating whether one of its partners may have leaked to Chinese hackers or was itself hacked.
Biden administration officials said they would seek a deeper partnership with the private sector, tapping the knowledge of emerging hacking threats gathered by technology companies and cybersecurity firms. The hope, current and former officials say, is to set up a real-time threat sharing arrangement, whereby private companies would send threat data to a central repository where the government could pair it with intelligence from the National Security Agency, the C.I.A. and other spy shops, to provide a far earlier warning than is possible today.
A U.S. representative who co-chairs a cyberspace commission colorfully characterized both breaches to the TImes. "When not one but two cyberhacks have gone undetected by the federal government in such a short period of time, it's hard to say that we don't have a problem. The system is blinking red."
But then there's this: Last month, in the days before Microsoft released an emergency patch for vulnerable Exchange Servers, multiple state-backed Chinese groups were apparently tipped off that the company was testing a patch. They began gorging on vulnerable systems with a speed and aggression that some security experts said they had never seen before.
It is unclear how exactly these Chinese groups learned of Microsoft's patch, but the timing suggests they caught wind of the moves when Microsoft rolled out a test version of its patch to its security partners at cybersecurity firms in late February. Eighty companies participate in a longstanding partnership with Microsoft, known as the Microsoft Active Protections Program, including 10 Chinese firms. Microsoft confidentially alerts these companies to emerging cyberthreats and vulnerabilities ahead of its official patch cycle. The company is investigating whether one of its partners may have leaked to Chinese hackers or was itself hacked.
The PC... (Score:2)
Since the rise of the PC, security and hardened software has always been an afterthought. This aggravated by government trust in private companies, primarily Microsoft.
Re: The PC... (Score:2)
Even more so - I thought that Microsoft and security people did learn the lesson after SQL slammer.
But obviously not.
Re: The PC... (Score:5, Insightful)
> I thought that Microsoft and security people did learn the lesson after SQL slammer.
> But obviously not.
Security people generally don't have the authority and budget to banish Microsoft products from the enterprise. Many of us would if we could, but that's not our decision to make.*
Security people understand the problems. Because we have to deal with the demands of the business, we're left trying to plug all the holes in the chain link fence that is Windows.
* I did ban all Microsoft products from our network when I was CEO.
Re: The PC... (Score:4, Interesting)
More on topic with TFA security wise if I may; I have observed a clear tendency lately which attacks take place from servers in the same country where the target is located, almost to the point where geoblocking would-be attackers becomes useless.
TFA raises a nice issue with regards to coping with this new trend.
Re: The PC... (Score:4, Interesting)
That's true sophisticated, targeted attacks sometimes come from proxies / relays inside the country.
It's also true that you'll get literally thousands of scans PER DAY from Russia and China. If you don't do business with Russia and China, I don't see any reason to welcome those attacks.
There is a research result from the cybersecurity school at Georgia Tech which basically says no security system can detect the important attacks if you throw too much crap traffic at it. Basically, "it's impossibe to find the needle if the haystack is too big", but in a scientifically rigorous way.
In my experience, one of the best ways to increase your chances of detecting the sophisticated in-country attack you have in mind is to not spend all of your time and resources fighting off the constant barrage of untargeted attacks from Russia and China, and all the script kiddies. Block the deluge the easy way and that frees you up to focus your more sophisticated defenses on defending against the more sophisticated attacks.
After all, in a thunderstorm you wouldn't say "there is a drip coming from a leak in the roof - let's just not bother having a roof".
Re: (Score:2)
That's true sophisticated, targeted attacks sometimes come from proxies / relays inside the country.
It's also true that you'll get literally thousands of scans PER DAY from Russia and China. If you don't do business with Russia and China, I don't see any reason to welcome those attacks.
There is a research result from the cybersecurity school at Georgia Tech which basically says no security system can detect the important attacks if you throw too much crap traffic at it. Basically, "it's impossibe to find the needle if the haystack is too big", but in a scientifically rigorous way.
In my experience, one of the best ways to increase your chances of detecting the sophisticated in-country attack you have in mind is to not spend all of your time and resources fighting off the constant barrage of untargeted attacks from Russia and China, and all the script kiddies. Block the deluge the easy way and that frees you up to focus your more sophisticated defenses on defending against the more sophisticated attacks.
After all, in a thunderstorm you wouldn't say "there is a drip coming from a leak in the roof - let's just not bother having a roof".
I don't systematically geoblock IPs from the countries you mentioned in your post since my customers and myself sometimes have to go to these countries. I only automatically block IPs from the countries you mentioned if they are blacklisted (DNS blacklists) while I don't from countries where 99% of our users are located. I have all kinds of filtering measures in place.
Re: (Score:3)
Well - you can at least put the stuff behind a firewall and not expose any unnecessary ports to the internet. That was why SQL Slammer got around - I don't know why people even exposed a database at all to the net.
Re: (Score:2)
> I thought that Microsoft and security people did learn the lesson after SQL slammer.
> But obviously not.
Security people generally don't have the authority and budget to banish Microsoft products from the enterprise. Many of us would if we could, but that's not our decision to make.*
Security people understand the problems. Because we have to deal with the demands of the business, we're left trying to plug all the holes in the chain link fence that is Windows.
* I did ban all Microsoft products from our network when I was CEO.
That may have been the appropriate action once, but I'll take Windows 10 all day long over what the container-based Linux OSS paradigm has become in the current generation's ecosystem.
Re: (Score:3, Informative)
This.
MS products do not belong to anything that is critical in any way. You would think that after 30 years, people would get the hint, but no.
And don't hold your breath for it to becoming any better. The MS ecosystem is fundamentally flawed and cannot be fixed. I will grant that it became better, but that's like saying your abusive husband has bettered himself and now only beats you once or twice a week.
Re: The PC... (Score:5, Insightful)
The fundamental problem is not Windows or Linux or any other software, the very basis of this mess are the people: Developers are dumb and lazy, their bosses are dumb and greedy and the admins are constantly overworked, because they have to fix the bullshit, that the first two groups are throwing at their doorsteps. Agile development only added to this cesspool, as everybody only tests for the predefined outcome of his little change and no one views the big picture, where interactions and synergies come down like a sledgehammer... after over 25 years as an admin and part-time developer, I left this industry to keep my sanity!
Re: (Score:3, Funny)
Lemme guess: you're an admin.
Re: The PC... (Score:4, Funny)
Lemme guess: you're an admin.
Wow spooky guess.
after over 25 years as an admin
Are you sure you aren't psychic?
Re: (Score:3)
Too easy to just make someone else guilty. We techies also like to blame the (l)users and that's equally short-sighted.
Software is a huge problem. The amount of bugs in operating systems is scary, and the fact that we're now releasing the 3rd? 4th? generation of IT students from universities into the wild and we STILL have no clue how to write secure software (don't get me started on the "best practices" - they're just anecdotes with no systematic foundation - sometimes useful, sometimes nonsense, e.g. pass
Re: (Score:2)
Replying to undo misclicked moderation.
Re: (Score:2)
For fuck's sake, /. - this user, like all the other users who post spam, has nothing but spam posts in their profile.
When are you going to introduce a REPORT USER feature to report spammers?
Re: (Score:1)
I did ban all Microsoft products from our network when I was CEO.
I used to explain to people that the reason I - a Windows tech - recommended Linux was for the same reasons that a Chevy tech might recommend a Toyota.
Re: (Score:1)
Re: (Score:3)
* I did ban all Microsoft products from our network when I was CEO.
This line of thought is so goddamn tedious, especially on Slashdot. The effort that bad guys put in to finding security flaws in software is proportional to how widely used the software is. If everyone stopped using Microsoft products tomorrow, there would still be exploits developed for whatever software the majority switched over to. If you think running Linux on your desktop make you inherently secure, you're wrong. You're simply a less valuable target.
Re: (Score:2)
Let us suppose your idea is correct.
Well, that would mean Microsoft has stupidly wasted a billion dollars over the last few years, but more to the point it would STILL mean you're much more secure running Linux.
"It's only more secure because ..." can be summarized as "it's more secure".
But if that's true, Microsoft would have to fucking stupid. Because Microsoft has spent a lot of resources over the last 5-10 adding security protections to Windows that Linux has had for 20 years.
One clear example is MAC.
Re: (Score:2)
Re: (Score:2)
Just FYI, based in 25 years of full-time work in the field, and graduate-level work in secure operating system design, I disagree. So does Microsoft. But hey, maybe Microsoft is stupid, and so are all the people who study security.
Re: (Score:2)
Just FYI, based in 25 years of full-time work in the field, and graduate-level work in secure operating system design, I disagree. So does Microsoft. But hey, maybe Microsoft is stupid, and so are all the people who study security.
No, in fact I think many people who study security are quite smart. You know, like the people who have discovered hundreds of vulnerabilities [cvedetails.com] in the Linux operating system.
Re: (Score:1)
Where it has really come into play was 20 years of "security has no ROI" thinking. I've been in so many jobs where there was so little interest in security, to the point where people knew that their coding was going to cause a breach, but they didn't care, because the company getting sued, there were a lot of layers between them and the dev, compared to not making deliverables.
Plus, a lot of C-levels want security breaches to happen. That way, they can short their stock before the announcement, and buy it
Re: (Score:3)
In order to be omniscient, you need to be omnipotent. Every old school security person knows that and we used to balance "how much we know" vs "how big of the risk is" 20 years ago. Today there is no balance. The industry has gone on a never ending chase of omniscience with the expected results - the solar winds hack and the other hacks along the same lines.
In fact, this initiative is yet another attempt at it - just
Re: (Score:2)
The sad fact though is there ISNT much ROI in security. I wish it were not true but here is the reality.
With the exception of a few security firms and vendors being harmed by embarrassing breaches for a longer term the cost of being popped is pretty small. Even as a far as big security firms and security vendors go, being breached can even be good for you reputation wise; just convince the world 'It was nation state actor that would have popped anyone!' and now the story isn't you got popped but rather you
Re: (Score:2)
This is interesting, but I think you somewhat conflate "victim" and "perpetrator" or at least don't sort out multiple levels of victimhood/perpetrator status.
If an org is breeched and only the org's information is lost, they're still victims even if their breech is a result of their own actions.
However, if the information lost is private to a third party (consumer, partner, etc) then they're both victim and a kind of exposed to fault as well because of their obligation (moral, at least) to maintain the secu
Re: (Score:2)
The thief is at fault in the criminal sense. In the civil liability sense; if you said you'd keep my wallet safe and failed to do so you probably are liable.
Its just like if you get injured in some freak accident on my property like an otherwise healthy appearing tree falls on you. Am I really 'at fault' in the moral sense, no but in the legal sense you likely can collect damages; My homeowners carrier will end up with the bill ultimately.
Same thing here, until we actually say you know what if you collect p
Re: (Score:2)
Since the rise of the PC, security and hardened software has always been an afterthought.
To be fair, before the rise of the PC, security was largely an afterthought, also.
Re: (Score:2)
Before PCs, it was usually mainframe serial terminals. Those were pretty secure. Five wrong passwords, and the terminal was locked out until the provider was called to unlock it. This, as well as the fact that terminals had a physical key switch with a six pin Medeco cam lock which shut things down completely when turned to the lock position, ensured solid security from remote.
Extremely good idea (Score:2)
By centralizing all breach announcements with the government, it allows for the CIA breaches to go unreported while still blocking whatever governments or hacking groups have not yet paid the CIA the access fees requited to hack into U.S. systems.
Vastly more efficient than having to except pressure on independent security reporting firms to ignore certain breaches.
Re: (Score:2)
So, the CIA has been giving you the memos on their activity? Please share or STFU.
Re: (Score:1)
So, the CIA has been giving you the memos on their activity?
Oh we've all got the memo, it's just that not all of us read it apparently.
Re: (Score:2)
The agency, like the C.I.A. and other American intelligence agencies, is prohibited by law from conducting surveillance inside the United States
So this has nothing to do with protecting the US but is just the regularly scheduled annual spook attempted power grab by exploiting fear over whatever the current bogeyman is.
Swiss cheese barn doors. (Score:2)
10 firms, imagine that? Plus maybe they got the news from all the taps they already have.
Re: (Score:3)
10 firms, imagine that? Plus maybe they got the news from all the taps they already have.
Honestly they could have just as easily had someone on the payroll at one of the other 70 firms.
Re:Swiss cheese barn doors. (Score:4, Insightful)
10 firms, imagine that? Plus maybe they got the news from all the taps they already have.
Honestly they could have just as easily had someone on the payroll at one of the other 70 firms.
Indeed. There is nothing inherently more secure in non-Chinese companies, especially when they all hire the cheapest people they can find.
Re: (Score:2)
10 firms, imagine that? Plus maybe they got the news from all the taps they already have.
Honestly they could have just as easily had someone on the payroll at one of the other 70 firms.
Indeed. There is nothing inherently more secure in non-Chinese companies, especially when they all hire the cheapest people they can find.
No, I think being based in China is absolutely inherently less secure than being based in the US/EU. But that doesn't defacto mean that's where the leak originated.
Re: (Score:3)
No, I think being based in China is absolutely inherently less secure than being based in the US/EU. But that doesn't defacto mean that's where the leak originated.
If you have effectively no security in both places, that is not true.
Re: (Score:2)
When your threat model is heavy on attackers backed or operated by the Chinese and Russian government -- and unless your business is based in one of those countries, your threat model should be heavy on such attackers -- sharing information with Chinese and Russian companies does elevate the risk of losing confidentiality.
Re: (Score:3)
Re: (Score:2)
Especially since Chinese companies are required to share this sort of information with the Chinese government, which is going to use it offensively. And controls every company anyhow.
I would say that it is quite unlikely this went though any "official" spy channels. You see, spies know on ting and Chinese ones are no exception: You must protect your sources even if that means not using information you have. Hence even if the Chinese government has all that info real-time, it is highly unlikely they will start attacks or even prepare attacks based on it before they have the info from a source the enemy does not know about.
The problem is that sources the enemy knows about or can infer abo
Re: (Score:2)
In other words (Score:1)
Oh my sides, it hurts from laughing (Score:5, Informative)
The agency, like the C.I.A. and other American intelligence agencies, is prohibited by law from conducting surveillance inside the United States, to protect the privacy of American citizens.
My sides are hurting from laughing so hard. How can any journalist say this with a straight face today unless they're covering for the powerful? James Clapper was director of National Intelligence when he lied under oath to Congress and the American people saying we were not spying on innocent Americans. Good thing Scandal Free Obama was in charge and the media didn't care.
On March 12, 2013, Director of National Intelligence James Clapper told Congress that intel officials were not collecting mass data on tens of millions of Americans. NSA whistleblower Edward Snowden soon revealed material that proved Clapper's testimony false: The government had been gathering and storing data from ordinary Americans' phone records, email and Internet use. [wikileaks.org]
Let's see what Politifact has to say [politifact.com]: do they cover for the people in power or not?
Yup, right on schedule.
Re: (Score:2)
Any time you give a group power to operate in secret, they will eventually abuse it.
In the case of the US secret agencies, the abuse started happening nearly a century ago [wikipedia.org], and hasn't stopped since.They also lie when they talk to the public.
They don't speak the truth, they release words to influence your opinion.
So the bottom line is... (Score:3)
... it's like a bad horror movie. Our national security infrastructure is unable to tell when the calls are coming from inside the house.
Re: (Score:2)
... it's like a bad horror movie. Our national security infrastructure is unable to tell when the calls are coming from inside the house.
It's exactly like a bad movie, they know or don't know only based on if the script says so.
If it is grandma making the call, they have it recorded. If it's scary movie mask man, now they don't know because it's illegal.
This is just another episode where for reasons of plot-plot, they can beam through the shields.
Re: (Score:2)
Or, more likely they spy domestically, but they didn't catch it, so they pretend they could have stopped it but were prevented from doing so because their hands were tied.
Orange Tsai (Score:2)
intelligence agencies are never prohibited (Score:3)
"The agency, like the C.I.A. and other American intelligence agencies, is prohibited by law from conducting surveillance inside the United States"
Intelligence agencies are never prohibited in reality. There are plenty of other intelligence agencies (eg, five eyes) willing to do dirty work for American intelligence agencies. Also, there are plenty of private corporations conducting surveillance inside the United States, gathering terabytes of data. The American intelligence agencies can get corporate data easily with the threat of FISA court (FISC).
When will the 5-EYES hand over its zero-days? (Score:3)
If we have them then the bad guys have them. It's getting to where you need a scoresheet to know which is which
Re: (Score:2)
Right. When the NSA is organized to be an offensive organization, one of its victims is the American People.
Who pay its bills to be victims. This isn't a healthy relationship.
It doesn't have to be this way, and their actors should feel bad about being the lapdogs of the power elite instead of public servants.
If I were them I would reform before the Fourth Turning progresses much further - the writing is on the wall. As a bonus they can sleep well at night.
Snowden embodied the inevitable changing tide; he
Oy vey - and said with a straight face, too! (Score:2)
In one paragraph we have this gem, "Eighty companies participate in a longstanding partnership with Microsoft, known as the Microsoft Active Protections Program, including 10 Chinese firms." It is followed by this gem, "The company is investigating whether one of its partners may have leaked to Chinese hackers or was itself hacked."
It is actually less laughable to me to think that our security agencies are not poking around in our own country's servers than to presume at LEAST one of these Chinese partners
So you are saying reailty != what they "see"? (Score:1)
No news there... ^^
Funny how the Biden government still pulls the exact same no-proof accusations bullshit that the Trump one did.
"Chinese partners" = CCP hackers. (Score:2)
And no, it wouldn't be a "leak". Leaks are secret, unofficial acts. This would just be an organ of the state doing it's legal duty to share intelligence with the CCP's hackers. The cost of doing business with a totalitarian dictatorship that dabbles in genocide, cyberwarfare
Real yime with the private sector (Score:1)
Real time threat sharing with private sector (Score:1)
I blame the NSA (Score:2)
You know, if the NSA had decided that National Security was best served by keeping computers secure, instead of keeping them hackable, we might actually have capability based security in widespread practice, and our nation would be more secure.
Glass Onion (Score:1)
While many eyes might help spot vulns the private sector is already full of researchers who have ties to the same nation states that are behind the attacks.
There are a thousand hacking at the branches of evil to one who is striking at the root.
- Thoreau