Schlagwort-Archive: Hacking

A hack nearly gained access to millions of computers. Here’s what we should learn from this.

The internet is far less secure than it ought to be.

https://www.vox.com/future-perfect/24127433/linux-hack-cyberattack-computer-security-internet-open-source-software

One of the most fascinating and frightening incidents in computer security history started in 2022 with a few pushy emails to the mailing list for a small, one-person open source project.

A user had submitted a complex bit of code that was now waiting for the maintainer to review. But a different user with the name Jigar Kumar felt that this wasn’t happening fast enough. “Patches spend years on this mailing list,” he complained. “5.2.0 release was 7 years ago. There is no reason to think anything is coming soon.”.

A month later, he followed up: “Over 1 month and no closer to being merged. Not a suprise.” [sic]

And a month after that: “Is there any progress on this?” Kumar stuck around for about four months complaining about the pace of updates and then was never heard from again.

A few weeks ago, the world learned a shocking twist. “Jigar Kumar” does not seem to exist at all. There are no records of any person by that name outside the pushy emails. He — along with a number of other accounts — was apparently part of a campaign to compromise nearly every Linux-running computer in the world. (Linux is an open source operating system — as opposed to closed systems from companies like Apple — that runs on tens of millions of devices.)

That campaign, experts believe, was likely the work of a well-resourced state actor, one who almost pulled off an attack that could have made it possible for the attackers to remotely access millions of computers, effectively logging in as anyone they wanted. The security ramifications would have been huge.

How to (almost) hack everything

Here’s how events played out: In 2005, software engineer Lasse Collin wrote a series of tools for better-compressing files (it’s similar to the process behind a .zip file). He made those tools available for free online, and lots of larger projects incorporated Collin’s work, which was eventually called XZ Utils.

Collin’s tool became one part of the vast open source ecosystem that powers much of the modern internet. We might think that something as central to modern life as the internet has a professionally maintained structure, but as an XKCD comic published well before the hack shows, it’s closer to the truth that “all modern digital infrastructure” rests on “a project some random person in Nebraska has been thanklessly maintaining since 2003.” XZ Utils was one such project — and yes, you should find it a little worrying that there are many of them.

Starting in 2021, a user going by the name “Jia Tan” — he, too, doesn’t seem to exist anywhere else — started making contributions to the XZ project. At first, they were harmless small fixes. Then, Tan started submitting larger additions.

The way an open source project like this one works is that a maintainer — Collin, in this case — has to read and approve each such submission. Effectively, Tan was overloading Collin with homework.

That’s when “Kumar” showed up to complain that Collin was taking too long. Another account that doesn’t seem to exist joined the chorus. They argued that Collin clearly wasn’t up to the task of maintaining his project alone and pushed for him to add “Jia Tan” as another maintainer.

“It seems likely that they were fakes created to push Lasse to give Jia more control,” engineer Russ Cox writes in a detailed timeline of the incident. “It worked. Over the next few months, Jia started replying to threads on xz-devel authoritatively about the upcoming 5.4.0 release.” He’d become a trusted “maintainer” who could add code to XZ Utils himself.

Why does any of this matter? Because one of the many, many open source tools that happened to incorporate XZ Utils was OpenSSH, which is used to remotely access computers and is used by millions of servers around the world.

“Tan” carefully added to XZ Utils some well-disguised code that compromised OpenSSH, effectively allowing the creators to log in remotely to any computer running OpenSSH. The files containing the (heavily disguised) code were accepted as part of the larger project.

Fortunately, almost all of the millions of potentially targeted computers were not affected because it’s routine for such a new update to first be released as “unstable” (meaning expected to have some bugs), and most administrators wait for a subsequent “stable” release.

Before that happened, “Jia Tan”’s work got caught. Andres Freund, a software engineer at Microsoft, was off work and doing some testing on a computer that had the “unstable” new release. Under most circumstances, the hack ran seamlessly, but under the circumstances he was testing in, it slowed down SSH performance. He dug deeper and quickly unraveled the whole scheme.

Which means that, thanks to one Microsoft engineer doing some work off-hours, your computer remains secure — at least, as far as I know.

Can we do better than getting lucky?

There was nothing inevitable about this hack getting discovered. Lots of other people were running the unstable new build without noticing any problems. What made Freund suspicious in the first place wasn’t the suspicious code but a bug that had been accidentally introduced by “Jia Tan.”

If the “Jia Tan” team had avoided that error, they might well have pulled this off. Catching the suspicious code “really required a lot of coincidences,” Freund said later on Mastadon.

No one wants to believe that modern computer security essentially relies on “a lot of coincidences.” We’d much rather have reliable processes. But I hope this narrative makes it clear just how hard it is to reliably defend the jury-rigged internet we have against an attack like this.

The people behind “Jia Tan” spent more than two years building the access they needed for this attack. Some of the specifics have to do with the dynamics of open source software, where decades-old projects are often in a quiet maintenance stage from which, as we saw, an aggressive actor can seize control. But with the same resources and dedication that were behind “Jia Tan,” you could get hired at a software company to pull off the same thing on closed-source software too.

Most of all, it’s very hard to guess whether this attempted attack was unprecedented or unusual simply in that it got caught. Which means we have no idea whether there are other land mines lurking in the bowels of the internet.

Personally, as someone who doesn’t work in computer security, the main thing I took away from this was less a specific policy prescription and more a sense of awe and appreciation. Our world runs on unsung contributions by engineers like Collin and Freund, people who spend their free time building stuff, testing stuff, and sharing what they build for the benefit of everyone. This is inconvenient for security, but it’s also really cool.

I wasn’t able to reach Collin for comment. (His website said: “To media and reporters: I won’t reply for now because first I need to understand the situation thoroughly enough. It’s enough to reload this page once per 48 hours to check if this message has changed.”) But I hope he ultimately comes to think that being personally targeted by this fairly extraordinary effort to make his work on XZ utils feel inadequate is, in fact, a remarkable vindication of its importance.

More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government

Kommentar verfassen

WASHINGTON — Federal officials issued an urgent warning on Thursday that hackers who American intelligence agencies believed were working for the Kremlin used a far wider variety of tools than previously known to penetrate government systems, and said that the cyberoffensive was “a grave risk to the federal government.”The discovery suggests that the scope of the hacking, which appears to extend beyond nuclear laboratories and Pentagon, Treasury and Commerce Department systems, complicates the challenge for federal investigators as they try to assess the damage and understand what had been stolen.Minutes after the statement from the cybersecurity arm of the Department of Homeland Security, President-elect Joseph R. Biden Jr. warned that his administration would impose “substantial costs” on those responsible.“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Mr. Biden said, adding, “I will not stand idly by in the face of cyberassaults on our nation.”

President Trump has yet to say anything about the attack.Echoing the government’s warning, Microsoft said Thursday that it had identified 40 companies, government agencies and think tanks that the suspected Russian hackers, at a minimum, had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector.

Thanks for reading The Times.

Subscribe to The Times

“It’s still early days, but we have already identified 40 victims — more than anyone else has stated so far — and believe that number should rise substantially,” Brad Smith, Microsoft’s president, said in an interview on Thursday. “There are more nongovernmental victims than there are governmental victims, with a big focus on I.T. companies, especially in the security industry.”The Energy Department and its National Nuclear Security Administration, which maintains the American nuclear stockpile, were compromised as part of the larger attack, but its investigation found the hack did not affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.“At this point, the investigation has found that the malware has been isolated to business networks only,” Ms. Hynes said. The hack of the nuclear agency was reported earlier by Politico.Officials have yet to publicly name the attacker responsible, but intelligence agencies have told Congress that they believe it was carried out by the S.V.R., an elite Russian intelligence agency. A Microsoft “heat map” of infections shows that the vast majority — 80 percent — are in the United States, while Russia shows no infections at all.

The government warning, issued by the Cybersecurity and Infrastructure Security Agency, did not detail the new ways that the hackers got into the government systems. But it confirmed suspicions expressed this week by FireEye, a cybersecurity firm, that there were almost certainly other routes that the attackers had found to get into networks on which the day-to-day business of the United States depend.

Dealbook: An examination of the major business and policy headlines and the power brokers who shape them.

FireEye was the first to inform the government that the suspected Russian hackers had, since at least March, infected the periodic software updates issued by a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid.Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raise concerns that hackers could ultimately use their access to shutter American systems, corrupt or destroy data, or take command of computer systems that run industrial processes. So far, though, there has been no evidence of that happening.The alert was a clear sign of a new realization of urgency by the government. After playing down the episode — in addition to Mr. Trump’s silence, Secretary of State Mike Pompeo has deflected the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender — the government’s new alert left no doubt the assessment had changed.“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said.“It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures,” which, it said, “have not yet been discovered.”Investigators say it could take months to unravel the extent to which American networks and the technology supply chain are compromised.

In an interview on Thursday, Mr. Smith, of Microsoft, said the supply-chain element made the attack perhaps the gravest cyberattack against the United States in years.“Governments have long spied on each other but there is a growing and critical recognition that there needs to be a clear set of rules that put certain techniques off limits,” Mr. Smith said. “One of the things that needs to be off limits is a broad supply chain attack that creates a vulnerability for the world that other forms of traditional espionage do not.”Reuters reported Thursday that Microsoft was itself compromised in the attack, a claim that Mr. Smith emphatically denied Thursday. “We have no indication of that,” he said.Officials say that with only one month left in its tenure, the Trump administration is planning to simply hand off what appears to be the biggest cybersecurity breach of federal networks in more than two decades.Mr. Biden’s statement said he had instructed his transition team to learn as much as possible about “what appears to be a massive cybersecurity breach affecting potentially thousands of victims.”“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Mr. Biden said, adding that he plans to impose “substantial costs on those responsible.”The Cybersecurity and Infrastructure Security Agency’s warning came days after Microsoft took emergency action along with FireEye to halt the communication between the SolarWinds network management software and a command-and-control center that the Russians were using to send instructions to their malware using a so-called kill switch.

That shut off further penetration. But it is of no help to organizations that have already been penetrated by an attacker who has been planting back doors in their systems since March. And the key line in the warning said that the SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems. That suggests other software, also used by the government, has been infected and used for access by foreign spies.Across federal agencies, the private sector and the utility companies that oversee the power grid, forensic investigators were still trying to unravel the extent of the compromise. But security teams say the relief some felt that they did not use the compromised systems turned to panic on Thursday, as they learned other third-party applications may have been compromised.Inside federal agencies and the private sector, investigators say they have been stymied by classifications and siloed approach to information sharing.“We have forgotten the lessons of 9/11,” Mr. Smith said. “It has not been a great week for information sharing and it turns companies like Microsoft into a sheep dog trying to get these federal agencies to come together into a single place and share what they know.”

Source: https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html?auth=login-email&login=email

The CIA Leak Exposes Tech’s Vulnerable Future

Kommentar verfassen

WIRED

YESTERDAY’S WIKILEAKS DUMP reiterated something we already knew: Our devices are fundamentally unsafe. No matter what kind of encryption we use, no matter which secure messaging apps we take care to run, no matter how careful we are to sign up for two-factor authentication, the CIA—and, we have to assume, other hackers—can infiltrate our operating systems, take control of our cameras and microphones, and bend our phones to their will. The same can be said of smart TVs, which could be made to surreptitiously record our living-room conversations, and internet-connected cars, which could potentially be commandeered and even crashed.

Previous security revelations told us that our data wasn’t safe. The Vault 7 leak reminded us that our machines aren’t secure—and, because those machines lived in our homes and on our bodies, they rendered our homes and bodies insecure as well. There is a word for these flaws and holes in code that leave us open to harm, and it’s the same word for the unease that accompanies them: vulnerability.

Take the iPhone—a single example among many, but an especially instructive one. Last year, while fighting the FBI’s request to access the iPhone of the San Bernadino shooter, Apple CEO Tim Cook presented his company as a bulwark against intruders. “Customers expect Apple and other technology companies to do everything in our power to protect their personal information,” he wrote. Now, like a child learning of his parents’ inability to prevent bad things from happening, we understand Cook’s promises to be unfulfillable. This morning Apple announced that it had already patched most of these holes, but we can never know if there aren’t others out there, unbeknownst to us or to the company.

If we feel freshly vulnerable, we are not alone. The darlings of the tech industry—which for much of the past decade have convincingly presented themselves as swaggering inevitabilities—are showing signs of vulnerability as well. Google and Facebook, which pride themselves as algorithmically-pristine information-delivery systems, fell prey to fake-news mills and virulent troll armies. Uber’s scorched-earth approach to capitalism and human resources, which once made it a seemingly indomitable competitor, now threaten to sink its once-bulletproof CEO. The more powerful and inevitable something appears, the more startling and devastating its weaknesses are when they are exposed. Or, to borrow a phrase, the harder they come, the harder they fall.

That’s useful to remember when you consider the transformation we are currently undergoing, one in which more and more of our devices become connected to the internet. Whether you call it the “Internet of Things” or the “Internet of Everything” or the “Third Wave” or the “Programmable World,” the long-predicted moment when connectivity becomes as ubiquitous as electricity is nearly upon us. The benefits will be staggering—a world that will know us and adjust to our needs and desires, a universe of data that will impart new wisdom. But so will the vulnerabilities, the opportunities for our worlds to be penetrated, manipulated, and even destroyed by malevolent intruders.

This exposes yet another vulnerability for the tech industry—a meta-vulnerability, really. That vision depends on trust. It requires us to put our faith in our self-driving cars and Alexa-enabled virtual assistants and thermostats and, yes, smart televisions. Every time we learn of a new zero-day exploit, it renews fears of an entirely hackable world, where our machines can be enlisted against us. It reminds us that the future is a necessarily more vulnerable place.

The Vault 7 leak is not the tech industry’s fault, exactly, but we must ask at what point we stop placing our trust in devices, systems, and people that are inherently undeserving of it? Actually, never mind, we’re past it already. The most troubling aspect of the latest revelations is that there is no way to protect yourself beyond not buying a smartphone, or at least not having any meaningful conversations when you are in the same room with one. These vulnerabilities and cracks are not optional, but woven throughout the fabric of our social and commercial lives. They are coming from inside the house.

Source: https://www.wired.com/2017/03/cia-leak-exposes-techs-vulnerable-future/

TheIdea – The Innovation Agency

DIEIDEE InnovationsAgentur – Innovation!