The SolarWinds shit-show keeps on shitting
The SolarWinds hack may be even worse than originally thought, as possibly as many as 250 government agencies may have been compromised. The original intrusion led to compromises of numerous other organizations, ranging from the aforementioned US government departments to security firm FireEye to Microsoft.
In late December, investigators combing through the wreckage seem to have found another back door installed by a second threat actor.
This time it’s a webshell implanted in a legitimate .NET component of SolarWinds’ Orion network monitoring application, modified to evade malware detection systems. It’s been dubbed SUPERNOVA and it enables remote attackers to execute arbitrary commands on the servers running the infected version of the software.
The trojan appears to have been present since possibly as far back as March 24, 2020, the compilation time stamp of the component.
Read: https://www.bleepingcomputer.com/news/security/new-supernova-backdoor-found-in-solarwinds-cyberattack-analysis/
It’s also been reported separately that another outcome of the Solarwinds hack is that the privacy of “countless” sealed court records in the US may have been blown.
The Administrative Office (AO) of the US Courts was using Solarwinds Orion software and is now conducting an internal investigation to ascertain if their trove of court records, sealed in various legal actions over the years, have been breached.
Read: https://krebsonsecurity.com/2021/01/sealed-u-s-court-records-exposed-in-solarwinds-breach/
Last issue I talked about the lack of evidence around the Russian attribution for Sunburst. Since then I’ve received some further communications relaying knowledge of the Russian APT designation. It’s from above my pay grade (meaning, I will never get a look at the materials), however I consider the sources who relayed this to me to be reliable.
Singapore cops access COVID-19 tracing data for criminal investigations
Singapore has massaged the rules around its COVID-19 contact tracing app so that police can access and use that data in criminal investigations. The app, TraceTogether, is mandatory for all citizens to have installed on their phones.
In a response to a question in Parliament about the Singapore Police Force accessing TraceTogether data, Minister of State for Home Affairs Desmond Tan said:
‘The SPF is empowered under the Criminal Procedure Code (CPC) to obtain any data, and that includes the TraceTogether data, said Mr Tan. “The Government is the custodian of the TT (TraceTogether) data submitted by the individuals and stringent measures are put in place to safeguard this personal data,” added Mr Tan. “Examples of these measures include only allowing authorised officers to access the data, using such data only for authorised purposes and storing the data on a secured data platform.”’
The privacy policy statement on the TraceTogether website originally said the data would only be used for COVID-19 contact tracing purposes.
Use stupid passwords, win stupid prizes: ZyXel hardcodes backdoor, Nissan uses “admin”
Hackers have begun actively exploiting unpatched Zyxel devices after a Dutch team of security researchers published their findings of a hard-coded back door last month. The backdoor consists of a “secret” account, hardcoded with the userid “zyfwp”, that has SSH access and can be used to gain administrator privileges on the device. Zyxel says the account was used for delivering firmware updates via FTP and recommends a firmware upgrade.
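As an added illustration (not from the newsletter, Zyxel or the Dutch researchers): a small check a defender could run over SSH login records forwarded from such a device, flagging any successful login by the hardcoded “zyfwp” account, or by any account that nobody on the team provisioned. The sshd-style syslog format, the allow-list of admin accounts and the sample lines are all constructed assumptions; real Zyxel log output may differ.

```python
import re
from typing import Dict, List, Optional

# Name of the hardcoded account reported for the affected Zyxel firmware (from the article).
HARDCODED_ACCOUNTS = {"zyfwp"}

# Accounts an operator actually provisioned on the device (assumed for this example).
ALLOWED_ADMINS = {"netops", "backup"}

# Assumed syslog-forwarded, sshd-style success lines; real Zyxel log formats may differ.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def classify_login(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return a finding, or None if the line is benign or not a success line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    user = m.group("user")
    if user in HARDCODED_ACCOUNTS:
        severity = "critical"  # the vendor's undocumented account was used interactively
    elif user not in ALLOWED_ADMINS:
        severity = "high"      # an account nobody provisioned got a shell
    else:
        return None            # known admin, nothing to flag
    return {"severity": severity, "user": user, "ip": m.group("ip"),
            "host": m.group("host"), "ts": m.group("ts")}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over a batch of lines and keep only the findings, in log order."""
    return [f for f in map(classify_login, lines) if f is not None]

# Constructed sample lines (not real device output).
SAMPLE_LOG = [
    "Jan  5 02:14:07 fw-edge sshd[1201]: Accepted password for netops from 10.0.0.5 port 51822 ssh2",
    "Jan  5 02:16:33 fw-edge sshd[1207]: Accepted password for zyfwp from 203.0.113.9 port 40112 ssh2",
    "Jan  5 02:17:01 fw-edge sshd[1209]: Failed password for root from 203.0.113.9 port 40113 ssh2",
    "Jan  5 02:19:45 fw-edge sshd[1215]: Accepted publickey for svc-unknown from 198.51.100.4 port 2222 ssh2",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['user']}@{f['host']} from {f['ip']}")
```

Feeding the constructed sample through it yields one critical finding (zyfwp) and one high finding (svc-unknown); the failed root attempt is left to whatever brute-force alerting you already run.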
Meanwhile, Nissan let a bunch of their source code get breached and leaked across the internet when they misconfigured one of their own Github repositories and left the default login credentials in place. Username: admin Password…. admin
Read: https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/
DDoS provider under pressure for hosting Hamas, Qanon, 8Chan
Brian Krebs of KrebsOnSecurity published another chapter in his detailed reverse engineering of the operations of a Russian-based DDoS mitigation company called DDoS-Guard. In his October piece, he outlined how DDoS-Guard was servicing clients like 8Chan successor 8Kun, along with Qanon websites and the official site of Hamas.
In his most recent chapter he traces one of DDoS-Guard’s scrubbing centres to a US publicly traded company called CoreSite (NYSE:COR), which is a Real Estate Investment Trust that invests in data centres (looks like about a $5B market cap with a 4% dividend, jeezus). The DC used by DDoS-Guard that is operated by CoreSite is located in Los Angeles.
Hamas has a Specially Designated Global Terrorist (SDGT) designation from the US State and Treasury Departments so it is a crime for US companies to provide any services to them, which can garner civil or criminal penalties.
The Great Deplatforming
As I was listening to the Triggernometry Podcast over the weekend with Madness of Crowds author Douglas Murray (easyDNS was a sponsor for that episode), it occurred to me that I hadn’t heard the Trump speech of Jan 6th. In fact I realized that I’ve never heard a single Trump speech, ever. I just can’t stand listening to the guy. What few snippets I’d heard over the years were usually cherry picked by the media and delivered via punditry in ways that, upon examination (my preference was to read speech transcripts rather than forcing myself to listen to them), were so out-of-context and spun as to impair my opinion of the media rather than worsen my opinion of TheDonald.
I think that vantage point of being extremely turned off by both variants of “TDS” (Type 1: Trump Derangement Syndrome, Type 2: Trump Divinity Syndrome) is what gives me a perspective a lot of people find quizzical: that of finding the coordinated deplatforming of him, or of anybody, distasteful, counter-productive and dangerous.
If it’s true he incited the crowd to violence, then that should be addressed via orthodox legal avenues and due process. Anybody who instigated or executed violence, anywhere, any reason (including the rioting throughout the summer of 2020, which also featured repeated attacks against US federal buildings) should be subject to bearing responsibility for their actions.
But what we saw in the aftermath of whatever did happen on the 6th happened so fast and from so many fronts it’s extremely difficult not to conclude that it was all coordinated, or at the very least, contagious.
The list, almost certainly incomplete:
- Facebook, permanently removed his accounts from all platforms
- Twitter temporarily then permanently suspended him
- Reddit terminated /r/DonaldTrump
- Shopify piled on, shutting down his stores
- And I saw somewhere his email CRM canceled his account
- Stripe, whom easyDNS uses for payment processing, stopped processing payments for the Trump campaign (which was still operating)
But the deplatformings and cancellations didn’t confine themselves to someone who is still, technically, the sitting president of the USA (at least as I write this on Sunday night).
Setting aside the philosophical imponderables of who should be held responsible for acts of violence and vandalism (the people who actually commit those acts, or the people who, in a word, didn’t), Big Tech, and pretty well anybody else who could get in a shot, decided now was the time for the mother of all pile ons. Everybody even perceived to be within the orbit of Trump is coming under the blazing guns of cancel-culture, and the list is growing faster than my reporting:
- Tens of thousands of conservative Twitter accounts have been reportedly suspended.
- Simon and Schuster canceled their deal to publish Senator Josh Hawley’s book on “Big Tech tyranny” (I hadn’t heard of it before now, but now that I have I would want to read it)
- Ariel Pink was dropped by his record label for attending the DC rally (I’d never heard of him either, so I gave him a listen on Spotify before his music is purged from there too)
- Reports are coming in from across the country, citizens and business owners who attended the rally are being fired and their businesses boycotted.
- Youtube nuked Steve Bannon’s podcast channel
But it didn’t stop there. In what could only be seen as a coordinated hit, Parler has been taken out, big time. The fast growing challenger social media platform that promotes itself largely as a safe space for Conservatives was removed from the Apple and Google app stores, culminating in Amazon kicking them off its AWS platform with less than 24 hours notice.
As I opined on Twitter:
The risk analysis for using #awscloud has completely changed. If you’re a CTO or a fiduciary, you can’t leave your underlying infrastructure on a platform that will decide your fate capriciously and arbitrarily in order to pile onto a witch-hunt or coordinated hits like this
And another commentator put it:
“Imagine if, in the midst of the massive BLM riots this summer, the entire tech infrastructure had deplatformed Facebook because some had used that app to plan events devolving into violence. People would rightly have called that an insane act of ideological fascism.”
That commentator was the ultra-Conservative Ben Shapiro, a person whom many Libertarians find polarizing and wrong about a lot of things. But he isn’t wrong about this. (Miraculously, Shapiro has not been suspended from Twitter… at least not yet).
Parler for their part say they are considering legal action, and Congressman Devin Nunes (R-CA) is calling for a RICO investigation into Big Tech for the ban. Mozilla chairwoman Mitchell Baker called for tech companies to go beyond deplatforming in a blog post titled We Need More Than Deplatforming, including identifying who was paying for advertisements on social media that supported Trump and implementing “by default tools to amplify factual voices over disinformation.” Recall that Mozilla’s Firefox browser previously raised some eyebrows amongst privacy watchdogs for overriding end-users’ preferences and sending DNS lookups to Cloudflare regardless of what you had your resolvers set to locally (see AxisOfEasy #116).
Personally, I deleted Firefox from my laptop. I’ve been on Brave for months anyway.
For my part, I wrote a longer piece (yes, even longer than this) over on my Out of The Cave blog. I wrote it on Friday and put it there as opposed to on easyDNS or AxisOfEasy because it seemed a tad political then and I wanted to try to maintain some separation from what Mark Jeftovic thinks personally vs easyDNS, the company. But as events unfolded over the weekend I feel the need to go on the record unequivocally and double down:
Deplatforming and cancel culture is morally wrong, and long term it doesn’t work. So it really seems just pointless, polarizing, and destructive.
Read: http://outofthecave.io/articles/the-cultural-purge-is-now-in-overdrive/
And yes, I’m talking up my book, again, but I really wish I didn’t have to (it’s free now anyway, so it’s not like I profit from it).
Alright… you’ve made it this far in a thoroughly deflating issue, let’s finish it off on a few high notes:
Reverse Engineering the mRNA vaccine
Bert Hubert, the Dutch data scientist who happens to also be the creator of the PowerDNS nameserver, has been putting out first-rate coverage of the science and data behind the pandemic. A few months back he was writing about studies of Vitamin D’s impact (tl;dr: if you catch it, it would be preferable not to be Vitamin D deficient; also see this tweet thread).
A couple of weeks ago he wrote up a post about “reverse engineering” the mRNA vaccine which went viral and has been read millions of times. Now he’s put out an accompanying video which takes you through exactly how mRNA vaccines actually work. It’s quite fascinating, and while mandatory vaccinations bug me, de facto mandatory even more so (given that I’m being forced to take something by Ticketmaster instead of the government), life is a series of trade offs, so given that I’ll probably end up getting one of these, I feel more comfortable around the actual vaccine itself.
View: https://www.youtube.com/watch?v=8r45jGNQ7Lg
Read: https://berthub.eu/articles/posts/reverse-engineering-source-code-of-the-biontech-pfizer-vaccine/
What to use instead of Google
A lot of you may be thinking, sure, Big Tech is abusing their position, invading my privacy, monetizing my data, modifying my behaviour with well aimed dopamine hits, moderating what content I can consume and actively censoring what content I can produce, but what can I do about it? If the house always wins, how does one bet against the house?
Well I’ve always said, if there’s one thing their own existence proves, it’s how fast incumbents can be disrupted out of relevancy. Yet somehow, with Big Tech being the “New Incumbents”, so to speak, they are hoping that the cycle ends with them and they never suffer the ravages of being displaced by what comes next and the relentless iterative improvement of society from the bottom up, and the creative destruction that brings.
Now these platforms are actively incentivizing their own disruption. With decentralized protocols like Mastodon (easyDNS is a gold sponsor) and IPFS, and crypto-currencies back in the limelight this may happen much faster than anybody anticipated.
Here is an article by Kira Mclean I came across via Angsuman Chakraborty’s Twitter feed, which is a good follow for all things tech. It’s about all the different challenger services one could use instead of Google. I’d have a different recommendation for the recursive DNS part, Quad9 (9.9.9.9) instead of Cloudflare’s, but you get the idea…
Humour: Who hacked us? Cyber attribution generator
And finally, in this age of Advanced Persistent Threat actors and the mightiest of tech companies and government agencies being 0wned, a security researcher brought my attention to the “Cyber Attribution Generator”, which can whip up a formidable sounding nation state actor to blame when it turns out that your root passwords were set to “abc123.”
As I went there to post the link, mine was the APT group “Masquerading Panda” out of Taiwan.
- Attack Vector: Old AOL Floppy Disk
- Malware Used: Backdoor.PlugX
- Data lost in the breach: PHI
- Who’s to blame? The Intern
- Who’s getting fired? Board of directors
- Contributing factors/excuses: Gluten Free Snacks
- Will Fox News call it “Cyber Terrorism?” Yes, and China will deny it.
- Will we be targeted again? Stop huffing superglue and go fortify your defenses.
- Cost of the data loss: $7,441,123
- How much did you save using this tool for attribution? 11861800000.00 Japanese Yen
Repeatedly hitting “reload” provided endless fun, eating up time I should have been spending writing this newsletter. I ended up dropping a story about the US State Department creating a new Cyber-Security agency.
Eventually I even hit an APT from Canada:
- Country: Canada
- APT Group Name: EH?
- Attack Vector: Phishing
- Malware Used: Cryptolocker!g9
- Data lost in the breach: The pre-release details for the Badlock vulnerability
- Who’s to blame? TAO developer who took source code for classified cyber weapons home
- Who’s getting fired? CIO
- Contributing factors/excuses: Taylor Swift CD
- Will Fox News call it “Cyber Terrorism?” No, bigger news to air that day.
- Will we be targeted again? Most likely.
- Cost of the data loss: $8,950.38
- How much did you save using this tool for attribution? $16,500.04
See: http://whohackedus.com/
(This was sent to me by one of the people vouching for the Russia attribution in the SolarWinds hack)
We’re taping the next AxisOfEasy Salon this Thursday, see all next week.
I believe the quote is from Bill Bonner.
Gotta be John Maynard Keynes…or Kenneth Galbraith. Bitchez, both of ’em.
I’ll take a chance on Scott Adams
For a pretty good reason, I’ll guess Frank Zappa.
Tucker Carlson