Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


November 23, 2016

The World's Biggest Cyber Security Breach (Yet) & Role of Cyber Weapons

Folks,

I'll keep this very short. The recent U.S. Elections, possibly the world's most important global event, are now over, and one of the biggest takeaways from it would undoubtedly have to be the sheer impact that a cyber security breach can have today.


In fact, professionally speaking, if one were to consider the impact of a cyber security breach, the recent breaches of the DNC and Mr. Podesta's Gmail account, albeit so amateurwould have to be possibly the world's biggest cyber security breach yet.

Why?  Because these simple breaches resulted in the compromise of the confidentiality of vast amounts of an entity's sensitive private data (i.e. 1000s of emails of the DNC and Mr. John Podesta), the public disclosure of which is widely believed to have influenced the outcome of arguably the most important event on the planet, the election of the President of the United States.

In fact, the Director of the NSA, Admiral Michael Rogers recently said that there shouldn't be "any doubt in anyone's mind" that there was "a conscious effort made by a nation state" to sway the result of the 2016 presidential election.

If you can impact the most powerful office in the world, you can potentially impact the future of mankind as well as the planet. Since these cyber security breaches impacted the most powerful office in the world, they'd have to be the world's biggest yet.

In light of these breaches, there's been talk about the need for and role of cyber weapons to bolster America's cyber defenses.



[ (If I may digress for a bit.)  Begin Digression] 

Speaking of Cyber Security Weapons

Given cyber security's paramount importance in today's world, and the growing role that cyber warfare plays in modern warfare, the need for and the importance of cyber security weapons is becoming clearer. Reportedly, recently the U.S. Government may have been signaling more emphasis on developing cyber weapons to deter attacks, punish intruders and tackle adversaries.


Speaking of cyber security weapons, interestingly, unlike military weapons (e.g. conventional and nuclear weapons) which have traditionally and primarily been in the hands of and controlled by governments, since the development and deployment of cyber security weapons only requires technical cyber security expertise (, not massive infrastructures (e.g. materials, factories, bases, launch pads, personnel, deployment vehicles, satellites etc.)), they could actually be moderately easily developed as well as controlled by non-government entities (e.g. $B corporations) and potentially be used by not just governments (nations) to aid, assist and gain superiority in modern (and cyber) warfare and diplomacy, but also by business organizations alike to influence business and political outcomes, such as to influence elections in other nation states (e.g. Russia.)

Given today's super highly digitally connected world, cyber security weapons are likely to play a prominent role in global affairs.

(By the way, I only happen to know a thing or two about cyber security weapons since we recently built one, primarily to serve as a deterrent, and to demonstrate the sheer technical superiority (defensive and offensive capabilities) in the cyber security space that exists today for the protection of the business and national security interests of the United States and its allies.)

[End of Digression]



Of all the major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM etc.), in terms of impact, the recent breaches of the DNC & Mr. Podesta's Gmail account may possibly have been the biggest cyber security breach(es) yet.

Oh and I say yet because today it is entirely possible to develop powerful cyber security payloads/weapons that could possibly automate the compromise/destruction of a specific organization or a vast number thereof, in a specific nation, or many thereof.

We care deeply about cyber security.

Best wishes,
Sanjay

November 4, 2016

Does Anyone Really Care? (Speaking of Cyber Security, Microsoft & Trust)

Folks,

This is important so if you care about cyber security, you'll want to take a few moments to earnestly read this in its entirety.


Microsoft (, Google, the U.S. Elections, the Russians) and an Unpatched Critical Zero-Day Vulnerability

On Oct 21, 2016, Google's Threat Analysis Group reported 2 critical zero-day (i.e. previously unknown) vulnerabilities, one to Adobe and to Microsoft. Adobe acted swiftly and patched the vulnerability in its Flash software on Oct 26, i.e. within 5 days.


On Oct 28, 2016, after 7 days of having reported it to the appropriate vendors, per its published policy for actively exploited critical vulnerabilities, Google publicly disclosed this vulnerability. As of Oct 28, Microsoft had not yet patched this vulnerability.

Publicly disclosing a critical unpatched vulnerability in Windows (versions 7,8,8.1 and 10*), especially one that is being actively exploited, could potentially impact security globally, and just 10 days before the world's most important election, i.e. the U.S election, also possibly impact the future of mankind. (But wait, don't arrive at any conclusions yet; please read this entire post.)
* Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild.
If there's one thing the world has learnt this year, it is that in today's world, hacking and its impact can undoubtedly influence an election. The second thing the world has learnt this year is the ease with which purportedly Russian hackers have been able to engage in political hacking to compromise the cyber security of various U.S. entities including the DNC and Mr. John Podesta.

With just days left before the election, publicly disclosing a critical unpatched vulnerability in Windows could potentially empower many more malicious entities, including those widely believed to have already done so, to engage in further hacking in their attempt to further influence the election. If by any chance, U.S voting booth machines happen to be running an impacted version of Windows, and hackers are able to compromise them by exploiting this unpatched vulnerability, __ <you can fill in the blanks.>

By the same token, so could Microsoft not doing everything it can to immediately patch this critical vulnerability. In other words, in light of the possibilities shared above, like Adobe did, ideally Microsoft should have patched this without any delay.

It appears Google felt that it should be patched immediately. It appears the $ 500B Microsoft did not. You can be the judge.

(Instead of patching this immediately, what does Microsoft do and say?! Its astonishing, so please keep reading...)




Microsoft, are you Serious ?

Since Google probably took Microsoft by surprise by, per its published policy for actively exploited critical vulnerabilities, publicly disclosing this vulnerability 7 days after reporting it to Microsoft, Microsoft was likely left with no choice but to public defend itself and issue a statement, and instead of patching it immediately, it did a most astonishing thing (; see "But it was.." part below.)


On Nov 01, in a short blog post paradoxically titled Our commitment to our customers’ security, written by an Executive Vice President in the Windows and Devices group, it in effect said that an activity group called STRONTIUM conducted a low-volume spear phishing campaign to target a specific set of customers by leveraging this unpatched vulnerability, and that Microsoft is coordinating with Google and Adobe to investigate the campaign and create a patch, which they plan to release on Nov 08.

Excuse me Microsoft, but by then the election would have been over, and by not releasing a patch immediately, you left a 7-day window (no pun intended) of opportunity that who knows how many malicious entities, including those widely believed to have already done so, could use to engage in further hacking in their attempts to possibly further influence this historic U.S. election.

But it was the very next sentence in the blog post that was unbelievably astonishing and I quote - "To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack."

Microsoft, are you kidding us?

This could potentially further impact the most important election in mankind's history, and instead of the $ 500 Billion Microsoft Corp immediately fixing the critical zero-day vulnerability, which they themselves are saying may have been used by purported Russian hackers in enacting the recent political hacks (, and which they should have ideally found before the STRONTIUMs of the world do/did so in the first place), they're using (even) this to pitch the latest version of Windows!   That's just unbelievable!

Oh, and by the way, in that same blog entry, Microsoft goes on to say, and I quote "Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016." Er, here's a simple question for Microsoft - "How come STRONTIUM is able to find so many 0-day exploits, and if so, how come you, a $ 500 Billion company are not able to find and patch them before STRONTIUM or for that matter anyone else can?" Perhaps Microsoft could take a petty $ Billion from its Cloud marketing budget and use it to assemble a team dedicated to finding and fixing such vulnerabilities in their foundational Windows software.




Speaking of Trust  (Actions Speak Louder Than Words)

Microsoft if you are truly committed to your customers' security and to Trustworthy Computing, and I believe you are, please back your words with appropriate and responsible actions because to your customers your actions speak louder than words.


I believe that not immediately releasing a patch for a serious unpatched vulnerability in Windows that is currently being exploited to inflict great harm, especially days before the world's most important election that has already been influenced by the impact of such hacks, was not responsible. Further, ill-using this situation to pitch your latest version of Windows to customers was not responsible. Neither was not educating customers for 16 years about something so vital to their security (; context in next para.)

Just last week, I had to publicly take Microsoft to Active Directory Security School, because over the last 16 years, across the entirety of security guidance (whitepapers, blogs, videos etc.) they have released on Active Directory Security, they have not once mentioned the most important and cardinal aspect of Active Directory security - Active Directory Effective Permissions.

In my professional opinion, in not having done so, even if unknowingly, they may have left over 85% of the world to deal with a massive cyber security challenge, a prime example of which is the sheer lethal power of Mimikatz DCSync made possible by a certain talented Mr. Benjamin Delpy, and for which Microsoft has no solution to offer to the world today. (None whatsoever.)

In fairness to them, they might say that they don't have to have a solution to every problem, because they have a huge partner ecosystem that helps address many such problems. They may be right, but they don't even seem to know that this problem is so difficult to solve that out of thousands of partners in their ecosystem, not one of them has a solution to this Trillion $ problem (; except one, and that's only because behind it, is one of their own i.e. a passionate former Microsoft cyber security expert.)


Microsoft is spending billions of dollars to become a dominant player in the Cloud, and to persuade IT executives at the world's biggest public and private organizations to move to their Cloud. However, they need to understand that if they want the world to move large parts of their IT infrastructures and IT assets into their cloud, especially the Keys to these Kingdoms (i.e. Domain Controllers), they're going to have to demonstrate trustworthiness and EARN trust, and that's done by actions, not mere words.

By the way, the "mere talk is cheap" saying applies to everyone, including us; behind my talking is decade of industrious action.

I.e., this is coming from someone who loves Microsoft, cares deeply about cyber security and who's persevered for a decade to solve arguably the world's most difficult cyber security problem for Microsoft and the world, and whose work today uniquely helps secure and defend the foundational cyber security of so many prominent organizations across six continents worldwide, including the United States Government.

Along with great power, comes great responsibility.

Best wishes,
Sanjay

PS: Satya, in August I said someday I'll tell you what the most valuable thing in life is. It's Trustfollowed by love, faith & time.

November 1, 2016

Election Influencing Podesta/DNC Email Hacks, Cyber Attacks and Russia

Folks,

There is no doubt that the recent email hacks of John Podesta and the DNC will have influenced the U.S. presidential election.



Given my background, I am often privately asked about my thoughts on the Podesta / DNC Email hacks purportedly carried out by Russia. Due to paucity of time, instead of having to respond to this so many times, I figured I'd publicly share a few thoughts.

But first I do wish to make it unequivocally clear that as (the CEO of) not just America's, but possibly the world's most relevant cyber security company today, we are professional, completely unbiased and objective, and this is only a professional opinion.

Disclaimer: My thoughts below are based on a cursory assessment of how Mr. Podesta's email was hacked. It is believed that at the time the DNC was hacked, they too may have been using Gmail, and thus may have been hacked in a similar fashion.



Simple Hacks, Huge Impact

Brass tacks, the Podesta/DNC email hack is simply a case wherein an entity that was engaging in high-value communications using a relatively low-assurance system (i.e. a free/low-cost email service) and insufficient security controls (i.e. not requiring two-factor authentication for password changes/resets) was compromised using simple social engineering involving very basic technical means by a 2nd entity, who in turn purportedly passed the compromised data to a 3rd entity that disclosed it publicly.

The 1st entity was John Podesta / the DNC, purportedly the 2nd entity was Russian hackers, and the 3rd entity was WikiLeaks.

When I say relatively, I mean that compared to (say) an in-house deployed, managed and controlled Active Directory integrated Microsoft Exchange Server based communications infrastructure that also requires 2-factor authentication (i.e. Smartcards), a free/low-cost email service is a relatively low-assurance system, especially when being used for high-value communications.

For those may not know, Mr. Podesta was using a Gmail account; he apparently received a phished email and clicked on a link.

In fairness to Mr. Podesta, apparently his assistant did ask their IT staff about the legitimacy of that phished email, and was told that it seemed legitimate and was okay to click on. In addition, at that point in time, apparently someone did ask as to whether or not two-factor authentication was enabled on his account, and if not, suggested that it be immediately enabled.

All said and done, apparently Mr. Podesta did end up clicking that link and at that very moment his account was compromised.


The rest i.e. the huge impact of the public disclosure of this sensitive data on the U.S. presidential election, is all over the news.


Now, strictly speaking, the only thing that makes this a huge deal is that in this case the compromised data happened to be vast amounts of high-value sensitive, private email conversations of one of two parties contesting an election in a specific country. The actual technical means involved in compromising security here were basic, a 2.5 on a scale of 1 to 10, 1 being very easy.

You see, usually perpetrators begin by trying to phish a target just to gain a foothold inside the organization's network perimeter. However, in a case where emails may be all they're after, and the target's already using a free/low-cost email service, merely step 1, i.e. being able to successfully phish that free/low-cost email service account will get them to mission-accomplished, because once they have compromised that email account, right then and there they have access to all of the account's emails.

Thus, using relatively easily targetable and compromisable free/low-cost email accounts likely increased their risk exposure.


From a professional cyber security standpoint, one of the most fundamental principles of security, the Principle of Adequate Protection, states that "an asset must be protected to a degree consistent with its value". In line with it, ideally entities engaging in high-value communications should be using sufficiently high-assurance systems and employing adequate security controls.   In light of this, in this case, the use of a free/low-cost email service to engage in high-value communications seems perplexing.

If you have high-value/sensitive communications to engage in, please do not use low-assurance / inadequately-secure systems to engage in them. If you must absolutely have to use a low-assurance/free email service such as Gmail for high-value/sensitive communications, at least do enable 2-factor authentication for password changes/resets to protect against phishing attacks.

At the end of the day, it matters not so much as to who compromised you, as it does that someone was able to compromise you. Once you've been compromised, the impact of that breach is purely a function of the perpetrator's motives and actions.



Speaking of Massive Cyber Attacks

Sorry for a brief digression. As a mature cyber security practioner, what I find more amusing than comical write-ups such as this and this is that the recent DoS attacks to hit the U.S. east coast were being referred to as a massive/huge cyber attack.

Don't get me wrong. Those attacks may have been massive/huge in terms of the number of websites they momentarily DOS'ed out, but if you consider the technical mechanics involved, brass tacks, its still just a (large) bunch of old-fashioned basic TCP/IP SYN flooding, using compromised IoT devices. Its fancy, but its still simple stuff with relatively low moment-in-time impact.


To put things in perspective, a massive cyber security attack would be one wherein a proficient adversary such as an advanced persistent threat could gain control over large parts of a country's power-grid, government, security and financial infrastructures. These are the kinds of cyber attacks we (know of and) worry about. In fairness, most cyber security companies aren't there yet.



Speaking of Russia

It is widely suspected that Russia carried out the DNC and Podesta email hacks. No one likely knows the facts, neither do I, so in regards to Russia, I'll share what I do know.


This so-called "hack" was so simple, that possibly even a smart freshman from anywhere in the world could have carried it out.

That said, speaking of Russia and its purported cyber attacks on U.S entities, what should be more concerning (and we know this based on publicly available info) is that most likely, code that was likely either written in Russia or is still being supported / updated from inside Russia, may likely be running in highly privileged security contexts in various parts of the U.S. Government.

(Responsible disclosure: Strictly speaking, there's nothing to disclose here since this info has been publicly available for years, yet out of an abundance of caution, earlier this year we did bring this to the attention of several top U.S. Government officials.)

The Russians are considered to be adept at hacking, so if it was them, I'm surprised that they would resort to using such basic attack vectors (i.e. phishing a Gmail account); I suppose it must be their starting point, and it appears they got lucky at step 1 itself. Now, if their target was a specific Gmail account to begin with, then of course that is exactly where they would start.



An Important Concluding Point

I'd like to make one very simple and important point - it matters not as to who is trying to hack you, because as long as you have digital assets of value to someone, there could be (and likely already are) many entities wanting to hack you, driven by various motives; what matters is that you need to protect yourself from being hacked by anyone in the first place.

In this specific case, although any logical mind can easily see why Russia might stand to gain a lot from the outcome of the U.S. election, one could similarly reason that many other countries in the world could stand to gain much from its outcome as well. In fact, not just countries, many corporations worldwide could stand to gain or lose much based on the outcome of this election.

The point again being that it matters not as to who is trying to hack you (or why), it matters that you protect yourself from being hacked by anyone. Mature entities consider it a norm to assume that they are always operating in a hostile environment with numerous adversaries trying to hack them 365-24-7. That is the unfortunate reality of engaging in business in a digital world.

By the way, I prefer not to use the word hack, because there's a connotation of casualness to it. It would be nice to see the media use professional terms like breach, compromise, security incident etc. as they rightfully have a serious connotation.

As I conclude, I'd like to request all organizations (including of course, all media companies and all cyber security companies) worldwide to look  within and if required, consider bolstering their cyber security defenses and enhancing their security posture.

Best wishes,
Sanjay