The Daily Parker

Politics, Weather, Photography, and the Dog

Ransomware in the news

I've just received my third nearly-identical fake DMCA takedown notice, which I may decide to turn over to the FBI if I can muster the shits to give. I find it funny how each one of them has a few differences that make them look like something other than lazy script-kiddie stuff. This one again misstated the statutory damage limits for willful copyright infringement, and the randomly-generated name of the "claimant" was no less bizarre than the other two. And yet I wonder why they bothered altering the bits they altered. Maybe there are multiple entities involved, with each email coming from a different person or group? Maybe they have some low-paid flunky typing in the note each time, so I'm watching its slow drift from a semi-competent DMCA notice into the digital equivalent of "hodor?"

This one bounced through an IP address in New York State, which means my previous guess that this was a domestic script-kiddie operation might be wrong. For one thing, the threatening language has a few tells that its author doesn't speak English natively. I had originally thought the author merely wanted to sound more convincing by using stock phrases and "magic" legal words, but now that I've seen three examples of the same basic text, it looks more like Russian-inflected English. In any event, I wave my private parts at their aunties.

Both the New Yorker and New York Times published reports over the weekend about crap like this. In the first, Rachel Monroe talked with ransomware negotiator Kurt Minder about negotiating with criminals:

For the past year, Minder, who is forty-four years old, has been managing the fraught discussions between companies and hackers as a ransomware negotiator, a role that didn’t exist only a few years ago. The half-dozen ransomware-negotiation specialists, and the insurance companies they regularly partner with, help people navigate the world of cyber extortion. But they’ve also been accused of abetting crime by facilitating payments to hackers. Still, with ransomware on the rise, they have no lack of clients. Minder, who is mild and unpretentious, and whose conversation is punctuated by self-deprecating laughter, has become an accidental expert.

Hackers use various techniques to gain access to a company’s computers, from embedding malware in an e-mail attachment to using stolen passwords to log in to the remote desktops that workers use to connect to company networks. Many of the syndicates are based in Russia or former Soviet republics; sometimes their malware includes code that stops an attack on a computer if its language is set to Russian, Belarusian, or Ukrainian.

When Minder founded GroupSense, in Arlington, Virginia, in 2014, the cybersecurity threat on everyone’s mind was data breaches—the theft of consumer data, like bank-account information or Social Security numbers. Minder hired analysts who spoke Russian and Ukrainian and Urdu. Posing as cybercriminals, they lurked on dark-Web marketplaces, seeing who was selling information stolen from corporate networks. But, as upgrades to security systems made data breaches more challenging, cybercriminals increasingly turned to ransomware.

Early last year, GroupSense found evidence that a hacker had broken into a large company. Minder reached out to warn it, but a server had already been compromised. The hacker sent a ransom note to the company, threatening to release its files. The company asked Minder if he would handle the ransom negotiations. Initially, he demurred—“It never occurred to me as a skill set I had,” he said—but eventually he was persuaded.

The profile on Minder dovetailed with the Times' collaboration with a criminal named Woris who gave the paper access to the tools gangs use to launch ransomware attacks:

The Times gained access to the internal “dashboard” that DarkSide customers used to organize and carry out ransom attacks. The login information was provided to The Times by a cybercriminal through an intermediary. The Times is withholding the name of the company involved in the attack to avoid additional reprisals from the hackers.

Access to the DarkSide dashboard offered an extraordinary glimpse into the internal workings of a Russian-speaking gang that has become the face of global cybercrime. Cast in stark black and white, the dashboard gave users access to DarkSide’s list of targets as well as a running ticker of profits and a connection to the group’s customer support staff, with whom affiliates could craft strategies for squeezing their victims.

In the chat log viewed by The Times, a DarkSide customer support employee boasted to Woris that he had been involved in more than 300 ransom attacks and tried to put him at ease.

“We’re just as interested in the proceeds as you are,” the employee said.

Together, they hatched the plan to put the squeeze on the publishing company, a nearly century-old, family-owned business with only a few hundred employees.

In addition to shutting down the company’s computer systems and issuing the pedophile threat, Woris and DarkSide’s technical support drafted a blackmail letter to be sent to school officials and parents who were the company’s clients.

The Russian government allows this to happen because (a) Russian President Vladimir Putin loves annoying the West, and (b) it seems obvious after two seconds of thought that Russian government officials are probably on the take.

All of this gets so exhausting, doesn't it? Simple economics demonstrates the inevitability of theft. It imposes a tax on everyone else, both financially (it costs money to set up good security) and mentally (I will never get back the hour I spent investigating the bogus DMCA notices). At some point, though, it just becomes easier to tolerate a certain level of theft than to build a squirrel-proof bird feeder.

The world keeps turning

Even though my life for the past week has revolved around a happy, energetic ball of fur, the rest of the world has continued as if Cassie doesn't matter:

And if you still haven't seen our spring concert, you still can. Don't miss it!

I'm screaming in my head

The Times continues its coverage of the SolarWinds breach, and adds a detail that explains why the Russians continue to eat our lunch:

Employees say that under [SolarWinds CEO Kevin] Thompson, an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense. His approach helped almost triple SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010.

But some of those measures may have put the company and its customers at greater risk for attack. SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.

So many things went wrong in this case that singling out one CEO for taking profits over security may seem myopic. But the SVR must love the poetry of it: a greedy American CEO tries to increase his paycheck by hiring engineers easy for them to compromise, leading to the largest network intrusion in history.

I want to see Congress investigate this, and I want to see Thompson reduced to penury for his greed. Not that anything will change; until we have rational regulation of software security—hell, until we have any regulation of software security—criminals and our adversaries will keep exploiting companies like SolarWinds.

Putin finally gives us the punchline

You have to admire Vladimir Putin's sense of humor. For five years, he's manipulated our STBXPOTUS into doing just about everything Russia could have wanted. Now that our STBXPOTUS has become STBX, Putin doesn't need him anymore. So why not come clean?

He did just that at his year-end press conference last Thursday:

Steve Rosenberg, BBC: Don't you think over the last years you also have borne part of the responsibility for making these relations [with Europe and the West] seem like a cold war...?

Putin: Who withdrew from the missile defense treaties? The INT treaty: who withdrew? It wasn't us but it was the US. ... You do realize that we are smart people, we are not idiots.

Here's the whole clip. The part in question starts at 44:17.

It really warms the heart that our STBXPOTUS never got to the level of artistry and malice Putin can exhibit so casually. He calls our president an idiot, with good evidence to support the insult, while lying on a scale the target of the insult can scarcely fathom.

Also, I love that the French spell his name "Poutine." But that's just an accident of the French language.

Major, ongoing network penetration

FireEye, a cybersecurity firm, revealed last week that unknown parties had penetrated its network and that its clients, including the US Government, were at risk. Bruce Schneier has technical details about the attack. Former Homeland Security Adviser Thomas Bossert lays out the scope of it:

The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.

This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.

According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.

The magnitude of this ongoing attack is hard to overstate.

The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.

The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.

Now, if only we had an administration that believed its experts and a majority party in the Senate that would pass a Defense Reauthorization Bill...

Adhering to our Enemies, giving them Aid and Comfort

So, did the president know about and fail to act on this intelligence, or did his staff conceal it from him? I don't really care; either answer should disqualify them from continuing to work in the White House:

United States intelligence officers and Special Operations forces in Afghanistan alerted their superiors as early as January to a suspected Russian plot to pay bounties to the Taliban to kill American troops in Afghanistan, according to officials briefed on the matter.

The crucial information that led the spies and commandos to focus on the bounties included the recovery of a large amount of American cash from a raid on a Taliban outpost that prompted suspicions. Interrogations of captured militants and criminals played a central role in making the intelligence community confident in its assessment that the Russians had offered and paid bounties in 2019, another official has said.

The emerging details added to the picture of the classified intelligence assessment, which The New York Times reported on Friday was briefed to President Trump and discussed by the White House’s National Security Council at an interagency meeting in late March. The Trump administration had yet to act against the Russians, the officials said.

Mr. Trump defended himself on Sunday by denying that he had been briefed on the intelligence, expanding on a similar White House rebuttal a day earlier, as leading congressional Democrats and even some Republicans demanded a response to Russia that the administration had yet to authorize.

Read that last graf again: the president responded not by demanding Russia stop the practice, not by sending his flaccid Secretary of State to excoriate Putin in person, not by doing anything that a normal person would do in this situation. No, the president flatly lied that he just didn't know about the contents of his daily intelligence brief. I guess he didn't want to risk offending his KGB case officer.

Remember back in 2015 and 2016 when we worried a lot about Russia's influence over Trump? This is not something I wanted to be correct about, but the evidence is pretty damning.

Back when we sabotaged an empire

People who don't study history tend not to understand why our foreign allies and adversaries behave the ways they do. Case in point: the Soviet Union, of which the largest part lives on as the Russian Federation, ended in part because we forced them to spend down their economy just to keep up with us. They might still hate us a little for that.

One man who helped this effort, Gus Weiss, hit on the idea of sabotaging the technology that Soviet spies bought or stole from American and other Western companies. Via Bruce Schneier, Wired has a long-form description of Weiss and his plan:

This plan to feed defective technology, which Weiss says carried the operation designation “Kudo,” existed as part of a larger government mobilization in response to the Farewell intelligence across the national security community. “It was multilayered operation,” Galahad told me. According to Galahad, Weiss didn’t hold any formal leadership role in this effort; instead, “Gus did his work through his own contacts. He was a White House guy. He could get people to pay attention to his ideas. He had friends in the computer business. He had Casey’s ear.”

Galahad told me that Weiss zeroed in on the Soviet industrial sector; he wanted to gut punch the Soviet economy. Galahad recalled that Weiss was friendly with the analysts in the CIA’s Office of Soviet Research. “Let’s say the Italians were building a tractor factory for the Russians in the Ukraine—the guys in OSR would have had access to those blueprints. Gus shared his ideas and recommendations based on that intelligence to his friends at the DoD.”

Meanwhile, the government worked with private sector software companies to create doctored industrial products. They were then made available to the patent clerks and engineers in American technology and arms companies who’d been recruited by the KGB.

High up on the Soviet tech shopping list was software to regulate the pressure gauges and valves for the critical Siberian gas pipeline. According to Tim Weiner’s Legacy of Ashes, the Soviets sought the software on the open market. American export controls prohibited its sale from the US. However, a small industrial software company located in Calgary called Cov-Can produced what the Soviets wanted. As Weiner writes, “The Soviets sent a Line X officer to steal the software. The CIA and the Canadians conspired to let them have it.”

The faulty software “weaved” its way through Soviet quality control. The pipeline software ran swimmingly for months, but then pressure in the pipeline gradually mounted. And one day—the date remains unclear, though most put it in June 1982—the software went haywire, the pressure soaring out of control. The pipeline ruptured, igniting a blast in the wilds of Siberia so massive that, according to Thomas C. Reed’s At the Abyss, “at the White House, we received warning from our infrared satellites of some bizarre event out in the middle of Soviet nowhere. NORAD feared a missile liftoff from a place where no rockets were known to be based. Or perhaps it was the detonation of a nuclear device. The Air Force chief of intelligence rated it at three kilotons.”

I wonder if Presidents Putin and Trump discussed this history during any of their recent unrecorded conversations?

Russia is winning the 2020 election

Don Von Drehle argues that Vladimir Putin succeeds by weakening the West, regardless of the short-term consequences to Russia:

It’s ironic that Americans of all political stripes have contributed to Putin’s success — by failing to understand what he wants and why he wants it. His goals are not the goals of the former Soviet Union (though he has described the collapse of the U.S.S.R. as a “disaster”). During the Cold War, the Kremlin pursued the spread of communist ideology. Putin is nonideological, according to former U.S. ambassador to Russia Michael McFaul, now of Stanford University and a Post contributing columnist. “I see him as impulsive, emotional, opportunistic. Putin sees himself as the last great nationalist, anti-globalist leader.”

A unified United States, pursuing a bipartisan, pro-democracy foreign policy is Putin’s biggest fear. So, he has taken the risk of creating an operation specifically to sow discord through social media. Putin’s computer hackers look for any internal divisions and tensions that tend to erode American unity or discredit American leadership. Though he clearly favored Trump over Hillary Clinton in 2016, Putin doesn’t generally favor one point of view over another; he supports whichever candidates are most divisive and amplifies whatever arguments are most bitter. Whoever is freaking out on Facebook or Twitter is a potential ally in his cause. At the State of the Union address, he no doubt enjoyed both the snubbed handshake and the ripped speech.

At the same time, Putin went to work on other vulnerable pieces of the Western alliance. By enabling Syrian dictator Bashar al-Assad’s brutal tactics, he helped to send millions of refugees fleeing to Europe. When xenophobic nationalist movements flared up in reaction, the Russians poured on the gas via social media. Russia’s unseen hand wasn’t the only factor in the European backlash. But now the European Union may be coming apart.

These efforts would have been toxic even if Clinton had made a better case to voters around the Great Lakes and won the election in 2016. But the fact that Putin’s hackers went all-in for Trump, who won the electoral college with just 46 percent of the vote, turned a Russian win into a rout. The election itself became a cause of further division. Russia’s role became a new wedge issue, the doubt that keeps on festering.

I've no doubt the US and Western Europe will survive Putin's passive-aggression. Ultimately, the fundamentals are on our side. But remember, Putin's goal isn't to win, exactly; it's for us to lose. And in that respect he's succeeding.

Two big 20th anniversaries today (and a centennial)

We typically think of January 1st as the day things happen. But December 31st is often the day things end.

On 31 December 1999, two things ended at nearly the same time: the presidency in Russia of Boris Yeltsin, and the American control of the Panama Canal Zone.

Also twenty years ago, my company gave me a $1,200 bonus ($1,893 in 2019 dollars) and a $600 suite for two nights in midtown Manhattan because I volunteered to spend four hours at our data center on Park Avenue, just so that Management could say someone was at the data center on Park Avenue continuously from 6am on New Year's Eve until 6pm on New Year's Day. Since all of the applications I wrote or had responsibility for were less than two years old, literally nothing happened. Does this count as an anniversary? I suppose not.

And one hundred years ago, 31 December 1919 was the last day anyone could legally buy alcohol in the United States for 13 years, as the Volstead Act took effect at midnight on 1 January 1920.

I'm DD tonight, but I will still raise a glass of Champagne to toast these three events.

Photo by Harris & Ewing, Library of Congress, Public Domain

Feeling insecure? Blame these guys

The Post reported today that a simple review of phone logs shows how the president and his stooges left themselves open to Russian espionage by using insecure cell phones:

The disclosures provide fresh evidence suggesting that the president continues to defy the security guidance urged by his aides and followed by previous incumbents — a stance that is particularly remarkable given Trump’s attacks on Hillary Clinton in the 2016 presidential campaign for her use of a private email account while serving as secretary of state.

The connection to the Ukraine campaign is also troubling because of how Moscow could exploit knowledge that Trump was secretly engaged in efforts to extract political favors from the government in Kyiv.

Trump and Giuliani have effectively “given the Russians ammunition they can use in an overt fashion, a covert fashion or in the twisting of information,” said John Sipher, former deputy chief of Russia operations at the CIA. Sipher and others said that it is so likely that Russia tracked the calls of Giuliani and others that the Kremlin probably knows more now

“Congress and investigators have call records that suggest certain things but have no means whatsoever of getting the actual text” of what was said, Sipher said. “I guarantee the Russians have the actual information.”

Ordinarily I'd chalk this up to stupidity. But GOP strategist Rick Wilson sees something far darker:

The traitors deliberately ignore the reporting, counsel, and warnings of the intelligence community when it comes to Russia’s attacks and Vladimir Putin’s vast, continuing intelligence and propaganda warfare against the United States.

The traitors — be they United States senators like John Kennedy and Lindsey Graham or columnists from the Federalist, Breitbart, and a slurry of other formally conservative media outlets — repeat the Kremlin-approved propaganda messages and tropes of that warfare, word for word.

It’s not simply treason by making common cause with a murderous autocrat in Russia, or merrily wrecking the alliances around the world that kept America relatively secure for seven decades.

Their betrayal is also to our system of government, which as imperfect — and often downright fucked up — as it is, has been remarkably capable of surviving.

And if you can’t spot the treason yet, you will soon enough. That’s the thing about spies, traitors, and those who betray their country — they rarely stay hidden forever.

We need to get this administration out of office in 2021, and help the American people understand the danger their sympathizers represent. If only we still taught civics in schools.