This story is getting a lot of attention. Let me quickly break down for followers not in offensive security what it means.

This is not great, but *the sky isn't falling*. Anyone who says this will immediately result in {thing} is uninformed (or worse) 1/
reuters.com/article/us-glo…
First, we need to take the MSFT information at face value. MSFT says attackers could *view* some code (not sure how much/what) but specifically notes that the attackers could not modify anything.

Claiming "well there's risk they had write access" is unproductive in every way. 2/
As MSFT notes in their blog post, they have embraced an open source threat modeling approach - assume the code will become open and don't tie security to secrecy.

With some companies, you might hear that and call BS. Don't do that here. 3/
msrc-blog.microsoft.com/2020/12/31/mic…
MSFT practically invented the Secure Software Development Lifecycle (SSDLC) - though can we PLEASE drop the first S?

I mean who implements an SDLC and then says "no, we need to make it insecure" - who does that?! But I digress - I'll step down off my soapbox... 4/
MSFT revolutionized secure development practices - and this isn't new. The real push was in the development of the dumpster fire known as Vista.

Did Vista suck? Yep. Was it leaps and bounds more secure than its predecessors? Darn skippy. Ask ANY exploit developer. 5/
So we're talking about a company with almost two decades of commitment to secure coding practices. The attackers are unlikely to find some secret engineering backdoor in the code.

So is this still a big deal? Perhaps. Source code access makes a lot of things WAY easier. 6/
If you need to write rootkits, you know, like this sort of attacker does, then source code access really helps there.

In particular, I'm thinking about two things:
1) The networking subsystem
2) PatchGuard (aka KPP)

However, there are certainly others. 7/
But before I even finish this thread, people at MSFT that are much smarter than me will have been threat modeling with their security teams about how the *specific* source code accessed (which remember, we don't know) might potentially help an attacker. 8/
And then they'll take countermeasures in the OS. And that's important. KPP itself is a countermeasure to what MSFT saw attackers *doing* NOT what they saw them exploiting.

And when was KPP introduced? I'm glad you asked. Vista. See a correlation (hint: it's SSDLC)? 9/
If you take only one thing from this thread, it's DON'T STOP APPLYING PATCHES!

Many "patches" are really security feature updates that aren't remediating a vulnerability, but instead making it harder for attackers to use known techniques to accomplish their goals. 10/
"But Jake, what if they really COULD compromise the build process like they did with SolarWinds?!"

Okay, I'll play that out - keep right on patching. This compromise isn't brand new so in your world you're probably already pwned (unless you haven't patched for a LONG TIME). 11/
So that's it. This is certainly a big deal, we just don't know how big or even specifically why. Unfortunately then it's not actionable.

What do you do then? All the infosec basics: check your logging posture, review trust relationships, and filter traffic at the egress. /12
Oh, and Cyher says to pet your dog. /FIN
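The closing advice (check your logging posture, filter traffic at the egress) can be turned into a repeatable check. The following is an added example, not part of Jake's thread: it audits outbound-connection log lines against an explicit egress allow-list and separates policy gaps (connections the firewall let through that the policy never intended) from blocked attempts and from lines the parser could not read at all. The log format, the policy entries (a hypothetical web proxy at 10.0.0.5 and resolver at 10.0.0.53) and the sample lines are all constructed for illustration; a real firewall export needs its own parser.

```python
"""Added example, not from the thread: an egress audit that checks outbound
connection logs against an explicit allow-list.  The log format, the policy and
the sample lines are all constructed for illustration."""
import ipaddress
import re


class EgressRule:
    """One allow-list entry: a destination network plus the ports permitted there.
    An empty port set means any port."""

    def __init__(self, dst_net, ports=()):
        self.dst_net = ipaddress.ip_network(dst_net)
        self.ports = frozenset(ports)

    def matches(self, dst, dport):
        return dst in self.dst_net and (not self.ports or dport in self.ports)


# Constructed policy: workstations may reach the web proxy on 8080 and the
# internal resolver on 53; anything else leaving the network is unexpected.
POLICY = [
    EgressRule("10.0.0.5/32", {8080}),   # hypothetical web proxy
    EgressRule("10.0.0.53/32", {53}),    # hypothetical DNS resolver
]

# Constructed log format; a real firewall export needs its own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed sample log: one direct-to-internet connection the firewall allowed
# (a policy gap), one denied attempt, and one line in an unexpected format.
SAMPLE_LOG = """\
2020-12-31T10:00:01Z src=10.1.2.3 dst=10.0.0.5 dport=8080 action=allow
2020-12-31T10:00:02Z src=10.1.2.3 dst=10.0.0.53 dport=53 action=allow
2020-12-31T10:00:03Z src=10.1.2.7 dst=198.51.100.20 dport=443 action=allow
2020-12-31T10:00:04Z src=10.1.2.9 dst=203.0.113.8 dport=4444 action=deny
this line is not in the expected format
2020-12-31T10:00:05Z src=10.1.2.9 dst=10.0.0.5 dport=8080 action=allow
"""


def parse_line(line):
    """Return a record dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def is_permitted(dst, dport, policy=POLICY):
    """True if some allow-list rule covers this destination and port."""
    if isinstance(dst, str):
        dst = ipaddress.ip_address(dst)
    return any(rule.matches(dst, dport) for rule in policy)


def audit_egress(log_text, policy=POLICY):
    """Split the log into three buckets:
    gaps     - connections the firewall allowed although the policy does not
               permit them (the filter is looser than intended);
    blocked  - attempts the firewall denied (worth reviewing);
    unparsed - lines the parser could not read (a logging-posture problem:
               you cannot audit what you cannot parse)."""
    gaps, blocked, unparsed = [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if rec["action"] == "deny":
            blocked.append(rec)
        elif not is_permitted(rec["dst"], rec["dport"], policy):
            gaps.append(rec)
    return gaps, blocked, unparsed


if __name__ == "__main__":
    gaps, blocked, unparsed = audit_egress(SAMPLE_LOG)
    for rec in gaps:
        print("policy gap:", rec["src"], "->", rec["dst"], rec["dport"])
    for rec in blocked:
        print("blocked:   ", rec["src"], "->", rec["dst"], rec["dport"])
    print("unparsed lines:", len(unparsed))
```

The interesting bucket is the first one: a connection that was allowed but matches no rule means the firewall is more permissive than the written policy, which is exactly the "review trust relationships and filter at the egress" gap the thread is pointing at. The unparsed count is the logging-posture check; if it is not zero you are blind to part of your own traffic.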

More from @MalwareJake

29 Dec 20
Quick thread 🍸:
I’m a gen-X kid. I grew up in an age where I was told that nobody cared what you got a degree in, as long as you had a degree “they would know you can be trained.”

WTAF did that mean, anyway? Why did I need a college degree for that? 1/
But hey, I failed out of college. It was the best thing that ever happened to me. It took me out of medicine (I’d have been a practitioner, not a researcher) and put me on a track for something else. Of course it took a TBI along the way to get me here, but fate and all... 2/
Now I have degrees that are barely worth the paper they’re printed on. Lots of my friends do too. Most of them aren’t doing as well. The vast majority work in fields outside of their study.

But hey, you can still succeed. I come from food stamps, not generational wealth. 3/
24 Dec 20
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except a few cyber threats
The firewalls were configured at the egress with care,
But that wouldn’t stop us from being hit by ransomware. 1/
The children were nestled all snug in their beds,
While attackers hit the web server and established a beachhead
Mama with her EDR and I with my IDS
Were ready to tackle this hot infosec mess. /2
Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter.
This thing had better work, it cost so much cash.
How in 2020 can this thing STILL require Flash?! 3/
24 Dec 20
Alrighty - here's my $.02 on the topic (was trying not to poison the well, but will also use this thread to collect my thoughts).

First, it's important to note that Facebook is not suing NSO just because it created and sold an exploit. That's lost in so much of the discussion 1/
Now governments have sovereign immunity in most matters under international law. Mercenaries, not so much (IANAL, talk to yours).

But certainly suppliers of weapons to a government wouldn't be held liable if they are used against another nation, right? 2/
That's what NSO is arguing - they are just a provider of weapons. The problem is that NSO went far beyond "just providing the exploit." It appears that in most (if not all) cases they delivered the exploit and managed collection from targets as well. 3/
23 Dec 20
There’s an additional aspect to this particular government shutdown: these disruptions are favorable operating conditions for cyber adversaries. I hear we’re in the middle of investigating a fairly large breach...

A shutdown now will ABSOLUTELY harm our ability to remediate. 1/
Yes, I know “essential personnel” will still report to work. But as a former fed myself (who was always considered essential), I can tell you that things obviously don’t function as normal, even for your “mission essential” activities. 2/
And some of the damage is already done. Managers are already preparing for shutdowns, distracting them from focusing on where they need to be placing effort on breach investigation and response. The damage will be so much worse if the shutdown starts though. 3/
23 Dec 20
Got this in my mail today and it’s some next level BS. Shame on these people for trying to threaten people into voting.
That’s right “Club for Growth” - I’m getting your message out there, but perhaps not in the way you hoped...
I'm not saying that you should sign up for Club For Growth's email updates, but if you had the desire to do so using, oh I don't know, any email address, here's the link to do so:
clubforgrowth.org/user-registrat…
23 Dec 20
On today’s #dogWalkingThread, let’s talk about the recently disclosed abuse of SAML by attackers to “bypass” MFA.

For those not familiar with the concept, SAML allows the separation of identity providers (IDP) and service providers (SP). Why the separation? 1/
Suppose you want to access a service, and the service needs to authenticate you, but you really don’t want the service ever having your credentials (EVER). As long as the SP trusts the IDP, this is no problem. You authenticate with the IDP and the IDP tells the SP “trust them” 2/
Let’s consider passports as an analogue. I’ve traveled to many countries I wouldn’t want to have all my identity data, but the State Department serves as my identity provider. Because the country I’m entering trusts the US State Department, the passport is enough. 3/
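The IDP-tells-the-SP-"trust them" relationship described above can be made concrete. What follows is an added example, not from the thread: a deliberately simplified model of the trust between a SAML identity provider and a service provider. The assertion is JSON rather than XML, and an HMAC with a constructed key stands in for the IDP's XML signature (real SAML signs with the IDP's private key and the SP holds only its certificate). The issuer and audience URLs, the signing key and the timestamp are all constructed. What the example shows is the list of checks the SP must perform before believing anything in the assertion, and the one thing it cannot check: whether MFA actually happened at the IDP.

```python
"""Added example, not from the thread: a simplified model of the IDP -> SP trust
relationship SAML sets up.  JSON stands in for the XML assertion and an HMAC with a
constructed key stands in for the IDP's XML signature; the SP-side checks are the
point (signature, issuer, audience, validity window, asserted authentication)."""
import base64
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example.test"           # constructed
SP_AUDIENCE = "https://sp.example.test/saml"      # constructed
IDP_SIGNING_KEY = b"constructed-idp-signing-key"  # stands in for the IDP private key


def idp_issue_assertion(subject, audience, now, ttl=300,
                        authn_context="mfa", key=IDP_SIGNING_KEY):
    """IDP side: state who authenticated, for which SP, for how long and how
    (authn_context), then sign the whole statement."""
    body = {
        "issuer": IDP_ISSUER,
        "subject": subject,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + ttl,
        "authn_context": authn_context,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


def sp_verify_assertion(token, now, require_mfa=True, key=IDP_SIGNING_KEY):
    """SP side.  Returns (accepted, reason, body).  Nothing in the payload is
    trusted until the signature has been checked: the SP never saw the user's
    credentials, so the signature is its only evidence."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.b64decode(payload_b64, validate=True)
        sig = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return False, "malformed assertion", None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature does not verify against the trusted IDP key", None
    body = json.loads(payload)
    if body.get("issuer") != IDP_ISSUER:
        return False, "issuer is not the trusted IDP", body
    if body.get("audience") != SP_AUDIENCE:
        return False, "assertion was issued for a different SP", body
    if not body["not_before"] <= now < body["not_on_or_after"]:
        return False, "outside validity window", body
    # The SP cannot observe whether MFA really happened; it can only check what
    # the signer asserted.  Whoever holds the signing key controls this field,
    # which is why that key is the whole trust anchor.
    if require_mfa and body.get("authn_context") != "mfa":
        return False, "MFA not asserted by the IDP", body
    return True, "accepted", body


if __name__ == "__main__":
    t = 1609372800  # constructed timestamp, 2020-12-31T00:00:00Z
    token = idp_issue_assertion("alice", SP_AUDIENCE, now=t)
    print(sp_verify_assertion(token, now=t + 10)[:2])
    wrong_key_token = idp_issue_assertion("alice", SP_AUDIENCE, now=t, key=b"other-key")
    print(sp_verify_assertion(wrong_key_token, now=t + 10)[:2])
```

The passport analogy in the thread maps directly onto the checks: the signature is the passport's security features, the issuer is the State Department, the audience is the country you are entering, and the validity window is the expiry date. The border guard never phones the issuer to ask how you proved your identity; they trust what the document asserts.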