Again: There's no evidence this was a "supply chain" attack.

In the case of Solar Winds, hackers hacked into Solar Winds, and thus, their customers.

In the current story, there's no evidence they hacked into Constant Contact, but instead, hacked the customer.

There are three possibilities:
1. they hacked Constant Contact and can use any account there
2. they hacked USAID and can use any service for which USAID has an account
3. they hacked just the USAID account at Constant Contact (e.g. from "credential stuffing")

Possibility #1 would be a supply-chain attack like Solar Winds.
Possibility #2 would be an attack against the US government, like against OPM.
Possibility #3 is just a common thing teenage hackers do and is relatively silly.

Now the email they sent was rather sophisticated and targeted, according to reports. It's just that the means to do so appear to have been the simplest and most common of all things.

Now, in much the same way that the NYTimes has assumed possibility #1, I'm assuming #3. However, #3 is a bajillion times more common than #1, so I think the burden of proof is on those claiming #1.


More from @ErrataRob

29 May
As far as I can tell from the publicly available information, the SVR hackers did not hack into either the USAID organization nor into Constant Contact "systems" as the NYTimes claims in this story.
The hackers appear to have used the USAID.gov's account at Constant Contact, a mass emailing firm. This implies neither a hack of USAID nor of Constant Contact -- only a hack of the password used by somebody at USAID to log into Constant Contact.
Password reuse is a chronic problem. If "ashainfo.gov" used the same password for Constant Contact as they used for "canva.com", then we see how this "hack" happened. It's an extremely common, easy attack, and does not represent an "escalation".
27 May
You know how they blew up the second Death Star exploiting the same failure as the first? It's because the Empire reacted like this to the first one that blew up: "Let's ignore that vent and apply bureaucracy to the problem".
Every ransomware I've seen leverages the fact that it's easy to get "domain admin" then own the entire enterprise. Centralizing everything with "Active Directory" is the ventilation shaft of modern Death Stars.
If you look at case studies that look step-by-step at how ransomware hackers worked, such as spreading laterally with Mimikatz, then compare these to the cybersecurity guidelines for pipeline operators, you see they aren't related to each other.
tsa.gov/sites/default/…
26 May
I dunno. This sounds like the typical problem with the cybersecurity industrial complex that sees security as a good in and of itself, a moral duty. Thus, the more damage caused by hackers the better it is for security, because it'll cause more security to happen.
Security is a bad thing.
It's bad when police demand it.
It's bad when the military demands it.
It's bad when infosec people demand it.

Security is only valuable when its benefits outweigh its costs, not because it's a moral duty.
Cybersecurity is not your goal. It's the means to your goal. Those who claim it's your goal are bad people. They push cybersecurity to the point where it becomes destructive.
23 May
Python is an excellent choice used by many beginners, so you'll find lots of resources to help you along your way.

I recommend JavaScript. You'll eventually need it anyway for messing around in the browser, and it's closer to other programming languages than Python.
By which I mean, I don't dis-recommend Python. I mean instead: learning to code is great. Choose whichever path is easiest. It may be Python, it may be JavaScript. Maybe it's just Bash scripting. Just start writing something.
There are no wrong answers. Unless that's C++. Friends don't let friends C++.
19 May
What's the difference between a "routable" and "non-routable" protocol?

Correct answers only.

I mention this because googling the question gives handwaving by people who don't understand the answer.
Routers forward packets based on the address PREFIX (average around 20-bits of a 32-bit IPv4 address).

Ethernet bridges forward packets based on the entire 48-bit MAC address.

Thus, routing tables can handle 4-billion IPv4 devices with 1-million routing table entries.
As far as Ethernet switches/bridges are concerned, a MAC address is a random 47-bit number. Sure, it has a prefix assigned to the vendor, but it doesn't correspond to the location on the network, so is random as far as they are concerned.
19 May
I have Soviet and East German friends. Inasmuch as we had totally valid lessons from Nazism about the Trump administration, so we have totally valid lessons from the Soviet era and the current administration. Not so much Biden himself, but the movement he's the head of.
No, we weren't headed toward Nazism under Trump, nor are we headed toward Marxist-Leninism today. But at the same time, we are adopting the evils.

I assume the above was subtweeting the recent UK proposal, which attempts to regulate what good speech is vs. harmful speech.
This UK law is similar to the "Section 230" fights in the US, where each side is trying to get big tech platforms like Facebook and Google to simultaneously defend their side's speech and crack down on the opposing side's speech.