May 5, 2024

The mountain of shit theory

Uriel Fanelli's blog in English


Accher in Lazio, interview with an expert.


In Bologna it is said that the more you stir it, the more it stinks, which is in a certain sense the opposite of "throwing it into caciara" (turning a matter into a confused shouting match). The proverb applies to those public discussions that are best NOT held in public, for the simple reason that as the discussion progresses, details emerge that do NOT improve the reputation of those taking part.

And that is the problem that arises when the people listening to the discussion are experts in some subject, capable of extracting embarrassing conclusions from the details that emerge. The Lazio region has evidently chosen to "throw it into caciara" when the best thing to do would have been "respectful silence about the ongoing investigations".

The result is that their "security measures" are already a joke in all the canteens of any serious IT department, because what they say "to save face" reveals things that definitely do not save any face.

To clarify this, I decided to interview an expert I trust very much: myself. 26 years of experience in IT, including supercomputing, access network (both mobile and fiber) and various infrastructures, including banking. Let's start.

To give it an “accher” atmosphere, I decided to appear as Herr Stakkah, short for Alfred StaccaStaccah von Cistannotracciandoh. Very common name in Pomerania, as everyone knows.

  • Herr Staccah, we see you as quite critical of what emerges from the investigation into the intrusion into the systems of the Lazio region. Yet the person responsible for the flaw seems to have been identified.
  • Let's say they found the poor guy who's going to take it all on. This does not surprise me, given the level of sloppiness that can be seen from what leaks out. Because even if things were as they are being described, that would itself show how much sloppiness there was.
  • In what sense?
  • Imagine that after a robbery from a large bank, someone discovered the accomplice: the butcher opposite had the keys to the bank and they stole them because he kept them hanging on a nail. Now, surely the butcher is an essential link in the chain of events, and perhaps it was not wise to keep the key hanging on a nail, but don't you find it strange that a bank gives the key to everything to the butcher opposite? Do you find this a good practice?
  • And what would this bad practice of the butcher correspond to?
  • No, it was not an example. And not even a metaphor. I was just explaining that “we had given the keys to the bank to the butcher” cannot be an explanation, on the contrary it makes the situation worse. And I mean, even if all the cybersecurity in that facility was on that guy's shoulders, the problem is that it was all on that guy in the Home Office.
  • So the home office has nothing to do with it?
  • It would take too long to debunk the tide of bullshit accusing the home office. Let's look at it from the right perspective: do you think a network that offers services via the internet is more secure only because we have locked the employees up inside a building, while pirates can move anywhere?
  • Does the home office add insecurity?
  • Here is the odd belief. You do not know the concept of "perimeter" and "perimeter security". Either you are inside a perimeter, or you are outside the perimeter. Clearly, all computers on a network should be in some perimeter, wherever they are physically located. And this is possible. Even in the home office. The perimeter must be built well. But perimeter does not necessarily mean "physical infrastructure".
  • What does it mean?
  • It means, for example, that almost all serious multinationals allow people to read corporate mail on a corporate cell phone. Let's take the interesting case of a person reading emails after hours. This, ma'am, is already home office, but the peons don't notice it because we're using a cell phone instead of a computer. But if in your opinion this is dangerous, then we should ask all employees to leave the company phones at the company, connected only to the company wifi. Congratulations: we have invented the first "im-mobile phone" in history; for the sake of brevity we will call it Tischfernsprecher, or Fernsprechtischapparat. Brilliant.
  • But the cell phone can be protected if the domain controller takes control of it.
  • Take control of a cell phone connected to an app store from which you can install any rubbish? Interesting. Possible indeed with some technologies, and with a well-known brand of cell phones, but how many do it? And... had it been done? So, your proposal to simply put everyone back to work from the office means that they will be contacted by email on their mobile phone, or through an app on their mobile phone... and the vector of the attack will be the mobile phone rather than the PC. Is that all your improvement?
  • So how does the problem arise?
  • It arises in the way I said: there is a perimeter. Either you are inside the perimeter (and therefore ISOLATED from the outside), or you are in contact with the outside (via your home network or your telephone connection) and then you are NOT in the corporate network. VPNs can enforce this network separation. But there is a lot to be said about the VPN.
  • In what sense?
  • In the sense that I hear "they took the VPN username and password". Interesting. But a VPN has more than that: it has certificates and keys. Which are normally not accessible to domain users, but only to administrators, and only while they are logged in as such. So this assumes that you allow someone to log into the laptop as an administrator while on the VPN. Who wrote this policy?
  • But a virus could hit the laptop and still steal credentials and even certificates and keys.
  • Sure, and if my grandmother had a wheel she would be a wheelbarrow. Do we know this happened? Okay, let's just say we know, then. For this too there are remedies, such as two-factor authentication, where the second factor (an RSA token, a Yubikey, or an authenticator on the mobile) could have mitigated the problem. But there was no 2FA. So, are we still at the "who designed the perimeter security" point?
  • But however effective it is, what can we do if our admin's son sits down at the computer, creates an account, and goes to a porn site?
  • Herr Stakkah: I realize that if you hang out with prostitutes, you can get sick. But this does not imply that by going to a porn site you are catching computer viruses. It can happen on smaller porn sites, but the bigger ones are very safe, sometimes more so than Google or Microsoft. Either way, the point is that computers can be monitored, audited. When you are INSIDE the perimeter you should go out to the internet ONLY using corporate proxies, which will obviously block porn and dangerous sites. Some even have antivirus that block malware in transit.
  • But if it's still an unknown virus, it won't work.
  • True. We always talk about MITIGATING security problems, and we talk about "best practices", never about "things that will work for sure, always and in any case". But as far as has been released so far, the malware used has been known for years and there are at least 3 known and certain botnets. Where is the zero day? Here we enter another bad practice: the data is still encrypted, the effects of the attack are still present, it is not known how many backdoors are open after the infection, but the names of the malware are already circulating. An invitation. See under "it was better to shut up". In any case, one wonders why, from "inside" the perimeter, it would have been possible to visit porn sites. Was the perimeter closed? On the practice of sharing a computer within the perimeter (children or not) let us draw a pitiful veil. It shouldn't even be POSSIBLE. And there are means to prevent it. BUT the shortcomings are still many and, from what transpires, evident. For example, there was no backup.
  • But that's not true: the backup existed, but it was encrypted.
  • No, a backup is offline by definition. A backup that remains online (and therefore can be modified) is not a backup. It's just a mirror, a shadow copy, call it what you want, but a backup is by definition offline. And this story should clarify to the skeptics what the danger is, and what the difference is: to those who believe that the backup can be online and buy products from more or less charlatan companies on this point. If the backup is offline (for example on tape, and the tape is out of the drive), nobody can modify it. So sorry: a shadow copy existed, a mirror if you like, but no backup.
  • But you can make the backup have some versioning, and then maybe you can only modify the last copy.
  • From inside the backup system, for sure. The problem comes when someone encrypts your filesystem where the old "immutable" versions are. I repeat: offline means offline. I know it's inconvenient, I know it's expensive, but one wonders if in the long run it really is.
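A copy that stays online can be altered, as the two answers above say; what a defender can at least do is detect that it was altered, by recording a hash manifest of the backup set and keeping that manifest off the system that holds the copy. This is an added example, not code from the post: it builds the manifest, re-verifies a directory against it, and reports files that were modified, removed or added. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the directory with a manifest taken earlier and kept out of band."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_intact(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


def demo_tampered() -> Dict[str, List[str]]:
    """Constructed scenario: an online copy is changed after its manifest was taken."""
    root = Path(tempfile.mkdtemp(prefix="backupset-"))
    try:
        (root / "db").mkdir()
        (root / "db" / "dump.sql").write_bytes(b"CREATE TABLE t(x int);\n")
        (root / "config.tar").write_bytes(b"\x00" * 512)
        (root / "notes.txt").write_bytes(b"weekly full\n")
        manifest = build_manifest(root)          # this is what goes offline (paper, WORM media, another trust domain)
        (root / "db" / "dump.sql").write_bytes(b"not the dump any more")   # altered in place
        (root / "notes.txt").unlink()                                      # removed
        (root / "unexpected.bin").write_bytes(b"\xff" * 16)                # appeared from nowhere
        return verify_manifest(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


def demo_clean() -> bool:
    """Same flow without tampering: the manifest must verify."""
    root = Path(tempfile.mkdtemp(prefix="backupset-"))
    try:
        (root / "a.bin").write_bytes(b"abc")
        return is_intact(verify_manifest(root, build_manifest(root)))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo_tampered())
```

The manifest only tells you the copy is no longer trustworthy; it does not give the data back. That is exactly the author's point about a mirror versus a backup: the detached tape is what lets you restore, the manifest is what tells you whether you still need to reach for it.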
  • Isn't it easy to talk in hindsight?
  • Of course. But "hindsight" refers to a moment in time, the "after". Let's try to identify that moment: the first attack of this type occurred about ten years ago, and there are traces of similar things since 1989. However, those based on strong encryption only became a business in 2006. So we have been immersed in hindsight for a decade. It is as easy for me to speak as it was for those who managed that infrastructure. But it doesn't seem like it was very easy for the manager of that data center.
https://www.varonis.com/blog/a-brief-history-of-ransomware/
  • Touché. But the Lazio region does not seem to be the only one to have been attacked.
  • Here we come to another catastrophic misunderstanding of how to manage the "after", that is, communication. A company that had nothing to do with it got dragged in, it was said that "it also happens in the Netherlands", by inflating news or even inventing it.
  • But Engineering suffered a few attacks just at the same time.
  • So did your home router, and your newspaper too. Anything exposed to the internet is under constant attack. I can guess that the White House website was attacked at that very moment, without even turning on a computer. Because it happens to all sites. Engineering is a consulting firm working on mission-critical projects, as far as I know, so it is obvious that they will have received constant attacks. I can tell you that Engineering, like Accenture, McKinsey, Roland Berger and others, are under attack even at this very moment. For the simple reason that they are ALWAYS under attack, or at least under ATTEMPTED attack. It was foolish to publish that news.
  • But the caciara doesn't hurt.
  • You just told the consultant market that if you touch the Lazio Region you risk a random shower of manure. A real invitation to become their suppliers: those who do it in the future will ask not to be mentioned, or will put an intermediary in the way to hide their name. Which will certainly increase costs, since no one takes risks without making money. Damage upon damage upon damage. Post-incident communication that is, to say the least, incompetent.
  • But even in the Netherlands they have such a problem, a real emergency.
  • The entire planet is in a security emergency, for two reasons. The first is that investments in security are always considered a cost and not a value; the second is that everyone wants to digitize, everyone has promised it to the markets, but hardly anyone has estimated the costs and implications of all this WELL. The result is that the demand for specialists is enormous, people who aren't specialists pretend to be specialists, and so on. But Holland is not worse off than Italy: it just has more fintech and more digitalization. Mentioning Holland doesn't make any sense, and was just for caciara. The French are no better off, so to speak.
  • Returning to the subject, however, it is clear that everything revolved around that gentleman who worked from home.
  • And to those who gave him insecure ways to do it. And to those who took a mirror and passed it off as a backup. But that's not the only catastrophe I see.
  • And which ones do you see?
  • From what the newspapers say, after hitting the home-office computer, the malware escalated privileges on the domain controllers and hooked itself up to a botnet. From there it then installed the actual ransomware. Now, the fact that someone can contact a botnet from inside the network already puzzles me. Those are known and monitored IPs. Therefore, there were no IDS, no alarming systems, no outlier detection. In fact, no one knew exactly what the computers on that network were doing.
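The two detections Herr Stakkah says were missing are cheap to run over the logs an egress firewall already produces: matching destinations against a feed of known botnet addresses, and flagging the regular "heartbeat" connections a bot makes to its controller even when the address is not yet on a list. The block below is an added example, not code from the post or from any named product. The indicator list and the log lines are constructed (RFC 5737 documentation addresses, a made-up `fw1` line format); a real deployment would read an actual feed and the firewall's real syslog format.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed indicator list standing in for a botnet/C2 feed (documentation ranges only).
KNOWN_C2 = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.55/32")]

# Constructed egress-firewall log format: "<ISO time> <fw> <ACCEPT|DROP> src= dst= dport="
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

SAMPLE_LOG = [
    # 10.20.30.40 checks in with the same host every ~60 s: IOC hit and beacon-shaped
    "2021-08-01T03:00:00 fw1 ACCEPT src=10.20.30.40 dst=203.0.113.7 dport=443",
    "2021-08-01T03:00:30 fw1 ACCEPT src=10.20.30.41 dst=198.51.100.10 dport=443",
    "2021-08-01T03:00:00 fw1 ACCEPT src=10.20.30.42 dst=198.51.100.20 dport=80",
    "2021-08-01T03:01:00 fw1 ACCEPT src=10.20.30.40 dst=203.0.113.7 dport=443",
    "2021-08-01T03:02:01 fw1 ACCEPT src=10.20.30.40 dst=203.0.113.7 dport=443",
    "2021-08-01T03:03:00 fw1 ACCEPT src=10.20.30.40 dst=203.0.113.7 dport=443",
    # dropped, but the attempt itself says the host is trying to reach a known controller
    "2021-08-01T03:05:00 fw1 DROP src=10.20.30.40 dst=192.0.2.55 dport=8080",
    # irregular browsing to a clean host: three connections, not periodic
    "2021-08-01T03:07:00 fw1 ACCEPT src=10.20.30.42 dst=198.51.100.20 dport=80",
    "2021-08-01T03:09:00 fw1 ACCEPT src=10.20.30.42 dst=198.51.100.20 dport=80",
    "this line is not a firewall record and must be ignored",
]


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_known_c2(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_C2)


def detect(lines: List[str], beacon_min: int = 3, jitter_s: float = 5.0) -> List[str]:
    """Return alert strings: 'IOC ...' for known-bad destinations, 'BEACON ...' for periodic pairs."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    # 1) Indicator match: any attempt (accepted or dropped) towards a listed controller.
    for e in events:
        if is_known_c2(e["dst"]):
            alerts.append(f"IOC {e['action']} {e['src']} -> {e['dst']}:{e['dport']} at {e['ts'].isoformat()}")
    # 2) Beaconing: the same src/dst/port seen repeatedly with near-constant spacing.
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "ACCEPT":
            by_pair[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    for (src, dst, dport), times in by_pair.items():
        if len(times) < beacon_min:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            alerts.append(f"BEACON {src} -> {dst}:{dport} every ~{round(sum(gaps) / len(gaps))}s x{len(times)}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The beacon rule is deliberately naive (real bots add jitter, so production tooling looks at interval distributions over hours rather than a 5-second tolerance), but even this version turns "nobody knew what the computers were doing" into a list of hosts to look at.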
  • But this is science fiction, isn't it?
  • No, it has been standard practice in any serious enterprise for at least 15 years now. It is true that the private sector is NOT perfect, and there are enterprise structures that are ten, fifteen years behind too. I call them "Kim Jong-un's birthday parties": the place where script kiddies gather to party, play rock music and do other things the devil likes. There are also many in the PA (public administration). And some seem designed to favor it.
  • Are you referring to Lazio?
  • Yes. According to the newspapers, after having escalated on the domain to which a typical "office" or "back office" computer was connected, or whatever it's called in the local lingo, the malware attacked the production machines. But this shouldn't be possible, unless the production machines are in the same network segment, there is no firewall in between, and you are not forced to go through a bastion host, or jumpbox, call it whatever you like. Here we have production machines that can be reached directly from the network where the employees are, without any element of separation or segregation. All of this smells like Duckburg, and I am being generous. Obviously...
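The separation Herr Stakkah describes (office segment, bastion, production, with a default-deny firewall in between) can be written down as a small policy and then used two ways: to decide individual flows, and to audit observed traffic for paths that should never have existed. This is an added example, not code from the post, and the addressing plan (RFC 1918 ranges, a single bastion at 10.99.0.10) is constructed; it is not the Lazio region's real network.

```python
import ipaddress
from typing import FrozenSet, List, Optional, Tuple

# Constructed zones. Anything that does not fall in one of them is "unknown" and denied.
ZONES = {
    "office":  ipaddress.ip_network("10.20.0.0/16"),
    "bastion": ipaddress.ip_network("10.99.0.10/32"),
    "prod":    ipaddress.ip_network("10.50.0.0/16"),
}

# Ordered allow-list: (rule name, source zone, destination zone, destination ports).
# An empty port set means "any port". Everything not matched is denied (default deny).
RULES: List[Tuple[str, str, str, FrozenSet[int]]] = [
    ("office-to-bastion-ssh", "office",  "bastion", frozenset({22})),
    ("bastion-to-prod-admin", "bastion", "prod",    frozenset({22, 3389, 5985})),
    ("prod-internal",         "prod",    "prod",    frozenset()),
]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, dport: int) -> Tuple[bool, str]:
    """Decide one flow. Returns (allowed, reason); office -> prod never matches a rule."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False, "deny:unknown-zone"
    for name, rule_src, rule_dst, ports in RULES:
        if src_zone == rule_src and dst_zone == rule_dst and (not ports or dport in ports):
            return True, "allow:" + name
    return False, "deny:default"


def audit_flows(flows: List[Tuple[str, str, int]]) -> List[str]:
    """Given observed (src, dst, dport) flows, list the ones this policy would have blocked.

    Run against real connection logs, a non-empty result means the network is
    not actually segmented the way the design says it is.
    """
    findings = []
    for src, dst, dport in flows:
        allowed, reason = evaluate(src, dst, dport)
        if not allowed:
            findings.append(f"{src} -> {dst}:{dport} ({reason})")
    return findings


# Constructed sample of observed flows, including the kind the article says happened:
# a back-office workstation reaching production directly.
OBSERVED_FLOWS = [
    ("10.20.5.17", "10.99.0.10", 22),      # office -> bastion: fine
    ("10.99.0.10", "10.50.1.10", 22),      # bastion -> prod: fine
    ("10.20.5.17", "10.50.1.10", 3389),    # office -> prod RDP: should not exist
    ("10.50.1.10", "10.50.1.11", 5432),    # prod -> prod: fine
    ("10.50.1.10", "10.20.5.17", 445),     # prod -> office SMB: should not exist
]

if __name__ == "__main__":
    for finding in audit_flows(OBSERVED_FLOWS):
        print("VIOLATION", finding)
```

Whether the policy is enforced by a firewall, by VLAN ACLs or by host rules is secondary; the point of writing it as data is that the same table can be checked against what the network actually does.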
  • Obviously?
  • Obviously all of this is as true as what the newspapers wrote. The problem is whether you journalists have been telling the truth or have made it all up. The interview with the alleged culprit of everything, as well as the fact that Engineering had to resort to a sacrosanct press release, makes me think that you have access to documents of an ongoing investigation and that you are publishing them, which is a great catastrophe. But yeah, let's give out details of an investigation while the Postal Police (Polizia Postale, Italy's cybercrime police) is still looking for the culprits, what could possibly go wrong?
  • But it's legal to do so.
  • Giving me a blowjob right now is also legal, but you're not doing it. Not everything legal has to be done.
  • But people have a right to know. And they want to know.
  • For that matter, my cock doesn't suck itself. But, I repeat, what people would like is not really relevant if there is an investigation underway and forensic examinations are in progress. The fact that I want a blowjob, or that I want to be informed, doesn't force anyone to do anything. Nor is it wise to point to a scapegoat.
  • And why is it unwise to reveal that there is a culprit?
  • First of all, because if you make a guy work inside an insecure facility, you can't accuse him of creating the problem. You have to be very sure that you can prove that everything came from the porn sites his son visited. If no trace is found, for example, everything will fall not on the use of the computer, but on the security of the home-office infrastructure. But that's not the point either.
  • And what is?
  • The problem is that taking a black goat, accusing it of all evil and throwing it off a ravine has not been a security procedure since the time of Emperor Titus. The Lazio region is no safer now; on the contrary, it is the opposite.
  • Why?
  • Because once it is clear that the region reacts to malfunctions by throwing a random employee into a crevasse, and knowing full well that perimeter security sucks, the other employees will react in the usual way: they will ONLY do what is requested, IF requested, if requested IN WRITING, and they will do as little as possible. Considering that security is an issue that requires proactivity, we have practically emasculated an IT department. Also, to avoid accusations from colleagues, they will stop doing teamwork, so that no colleague can say "but he was the one who worked there yesterday". So communication will be reduced to the minimum necessary. Result: an absolutely dysfunctional team. What could possibly go wrong?
  • Why do you say "a random employee"?
  • Herr Stakkah: because we are starting from the idea that the computer in question was attacked thanks to "the son playing with it" or other speculation about porn movies. But when you are faced with an infection you must not only ask yourself "where did the attack start", but "where could it have started from?". Maybe the infected computers were ten, a hundred, and the attack proceeded only from that one. The fact that privilege escalation started from that home-office computer does not imply that it was the only computer compromised. It could have been a random one in a group of 100 infected computers. And maybe the infection started from another computer.
  • But this is speculation.
  • We are talking about malware that has taken the domain controllers. And then it went for the production servers. But from the domain controller you see the whole domain. The safest thing for the hacker is to infect everything, even the computers of other colleagues in the home office. Sure it's speculation, but you can't take it for granted that someone only steals the Sunday silverware but not the Saturday silverware. That would really be speculation. But it doesn't change the point.
  • Which is?
  • Herr Stakkah: Which is that that particular employee worked in a perimeter situation as insecure as any other employee in the home office. Assuming that only he was compromised is pure delirium. Everyone likes porn; sex has been mainstream for a few billion years on this planet.
  • True, but it's very theoretical. The facts say it all started from that computer.
  • No. The Postal Police, from what I read, say the attack was conducted with certain credentials. Those are two different things. It is the word "everything" that is gratuitous. I repeat: if we give the keys to the bank to the butcher opposite, it is true that the next theft will start from the butcher, and maybe he shouldn't have kept the keys hanging on a nail on the wall, but we must always ask ourselves who made the decision to give the keys to the butcher. The sloppiness is immanent.
  • Okay, let's change the subject. Draghi has set up a security agency.
  • This is good, but those agencies do not solve anything; they limit themselves to assessing and standardizing. Their main job is not to provide advice to companies or to the PA, but to define common practices and inform the government, as the BfDI does in Germany. Common practices are necessary but not sufficient, and the problem is not entirely an IT one.
  • What does it mean?
  • It means that if we have employees who work in an insecure perimeter when they are in the home office, and the network is not very segmented, and there are no outlier detection systems, and more, then if you investigate properly you almost always find a wicked purchasing policy or, if you prefer, a procurement system that is understandable not to humans but only to Komodo monkeys. In this way, an infrastructure that is too expensive, with an inconsistent design, grows. This infrastructure swallows the money that should have gone to security, and in addition it lacks the simplicity that allows monitoring and inclusion in a describable and observable perimeter.
  • Can you clarify?
  • According to leaks in the press, the Postal Police traced back to the scapegoat by looking at the logs. Now, I don't know what was being logged, but if it is enough for the Postal Police, then there are many systems that can continuously observe those logs and raise alarms. But it took the Postal Police two days: so either there was no catalog of data and logs, or there was one but no automatic system read it in order to raise alarms. Now, if keeping logs is a mandatory practice, the network is observable. If someone keeps logs and someone doesn't, then the network is not really observable. A consistent network produces consistent logs, in a hopefully fairly homogeneous format, and sends them to some monitoring system. If it's a designed network. If, on the other hand, the network is dictated by contracts, then pieces begin to appear without there being a design. And if you don't have a design, nothing works.
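"Either there was no catalog of data and logs, or there was one but nobody read it": the first check a monitoring system should run is therefore not on the content of the logs but on their presence, asset by asset, against an inventory of what should be reporting. The block below is an added example, not code from the post: it normalizes two different log formats (RFC 5424 syslog and one JSON line per event) into the same (host, timestamp) shape, then reports inventoried hosts that have gone silent and hosts that are logging without being in the inventory at all, which is the "pieces appearing without a design" case. The inventory, host names and log lines are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed inventory: every host that is supposed to ship logs.
INVENTORY = {"dc01", "fw1", "prod-db01", "app02"}

# RFC 5424 header: "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ..."
SYSLOG_RE = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) ")

# Constructed sample from two sources with two formats; "now" for the check is 03:30 UTC.
SAMPLE_LINES = [
    "<14>1 2021-08-01T03:25:00Z dc01 kerberos - - - TGT issued",
    '{"time": "2021-08-01T03:28:10Z", "host": "fw1", "msg": "ACCEPT 10.20.5.17 -> 10.99.0.10:22"}',
    "<14>1 2021-08-01T01:10:00Z prod-db01 postgres - - - checkpoint complete",
    '{"time": "2021-08-01T03:29:00Z", "host": "shadow-it-01", "msg": "service started"}',
    "<14>1 2021-08-01T03:20:00Z dc01 kerberos - - - TGT issued",
    "not a log line at all",
]


def _parse_ts(ts: str) -> datetime:
    """Accept ISO 8601 with 'Z' or a numeric offset; always return UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(line: str) -> Optional[Tuple[str, datetime]]:
    """Map one syslog or JSON record to (host, UTC timestamp); None if unrecognised."""
    line = line.strip()
    if line.startswith("{"):
        rec = json.loads(line)
        return rec["host"], _parse_ts(rec["time"])
    m = SYSLOG_RE.match(line)
    if m:
        return m.group("host"), _parse_ts(m.group("ts"))
    return None


def coverage(lines: List[str], inventory, now: datetime,
             max_silence: timedelta = timedelta(minutes=15)) -> Dict[str, List[str]]:
    """Report which inventoried hosts are silent, which unknown hosts are talking, which are healthy."""
    last_seen: Dict[str, datetime] = {}
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue                       # counted nowhere: a real pipeline would alert on parse failures too
        host, ts = ev
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    silent = sorted(h for h in inventory if h not in last_seen or now - last_seen[h] > max_silence)
    unknown = sorted(h for h in last_seen if h not in inventory)
    healthy = sorted(h for h in inventory if h not in silent)
    return {"silent": silent, "unknown": unknown, "healthy": healthy}


def run_sample() -> Dict[str, List[str]]:
    now = datetime(2021, 8, 1, 3, 30, tzinfo=timezone.utc)
    return coverage(SAMPLE_LINES, INVENTORY, now)


if __name__ == "__main__":
    print(run_sample())
```

A silent production database and an unknown host sending logs are both findings in their own right, before anyone has read a single message: the network is only observable to the extent this report comes back empty.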
  • I still don't understand.
  • Let's go step by step. We don't want this to happen again, right? So, unless you believe that the problem will be solved by throwing a black goat into a crevasse, you need to understand what state security is in within this infrastructure, and WHY it is in this state. Take all the contracts and see how much they have spent on security. If the figure were enough, we go on to understand what concept of security they were following. Segregation? Legitimation? What design was there? Why did the state of the art include non-segregated production and back-office machines? In any case, the problem is higher up.
  • Maybe they didn't have enough budget.
  • In this case there are several tricks to get out of it. For example, you take capacity away from insecure systems and use the budget for security systems. In short, that malware has existed for years, so why it was possible to attack the domain controllers falls under the heading "OS security patches". Why weren't the servers up to date enough to keep out an old and well-known piece of malware? Because maintenance and patching are considered opex, and financial controllers prefer to see capex charges. They prefer to buy new servers or buy the latest version of the operating system, asking you "but in the new OS these patches are there, right?". The trouble is that after a month without patches the new OS is already vulnerable.
  • But the home office arrived because of the covid, it was unpredictable.
  • Baloney. The home office has existed for decades; Cisco had people working from home in Italy fifteen years ago. If that data center (CED) needs one hundred and thirty thousand deaths to implement the state of the art, obviously the hackers will be more and more ahead. And then, I repeat, when you read (and maybe reply to) work emails from your cell phone, you are doing home office. Maybe not smart working, but home office for sure. The home office has been in use, accordingly, for decades: it's simply that no one has ever thought enough about the cell phone as part of the attack surface, and that anyone who brings home their work cell phone is doing home office, simply with a tool other than the computer.
  • So let's go back to the budget. But now comes the Recovery Plan that forces digitization. So should we have more investments in security?
  • HERE we need to understand one thing once and for all. Forcing people and entities to be digital doesn't work. It works only if all you want to do is random procurement. Digitization requires a radical change of culture: otherwise we will get what is already there, that is, WEBSITES OPEN ONLY IN OFFICE HOURS: https://www.repubblica.it/tecnologia/blog/stazione-futuro/2020/09/15/news/i_siti_web_della_pa_che_chiudono_la_notte_e_il_weekend-299509713/ And obviously, if there is no culture of information security because investments in security were low even before, the proportion will stay the same. The same mistakes will be made, only bigger.
  • So there is no hope?
  • On the contrary: but a gigantic turnover is needed among the IT executives of the Public Administration. We must first eradicate a culture that requires you to spend your budget in a certain way, which requires you to procure in a certain way, which considers security (for example keeping everything on the latest available patch) an opex expense. Throwing money on the problem doesn't help, it just feeds the problem. The first thing a tumor does is build the blood vessels that are used to feed itself.
  • Would it help to impose a certain quota of investments in security?
  • We need to understand what "security" is. Even the design of the network is "security", but the suspicion is that it would all be spent on firewalls and antivirus. Let it be clear: they are as necessary as bread. But security (also) has a lot to do with know-how, so to speak. If you buy me a hundred thousand Juniper firewall appliances and don't redesign my network competently, it's useless. Security ALSO has a lot to do with keeping every piece of software on the latest patch, so to speak. But that's an opex expense, and the "mummy managers" there don't want it. They would almost rather switch OS version or buy a new server, having the money. But after a few months without patches a server is an open door. Yet the patches are opex. Security is everything. Literally EVERYTHING. Once it happened to me that...
  • that…
  • That I was in Düsseldorf. A manager of the Italian office calls me. He asks me to go to Rome for a security problem at a telco. I take the plane at eleven fifty in the evening, business class because of the late booking, those were the only seats left. The customer pays a lot. Arrival in Rome. Short sleep in the hotel; the person we need is not at the company yet. My manager is waiting for me. It's the next day. We go to the site. We arrive at the headquarters. The person we are looking for is not there. We go back in the afternoon. There is nobody in the gatehouse. The employee turnstiles are in front of us, helpless. We make some noise and discover that security was watching the derby in the back room of the gatehouse. For me the security problem was already clear: anyone can physically walk in, and the managers are absent at night and in the morning. Actually the hole was another one, but it makes no sense to close a leak if there is a bigger one.
  • Moral?
  • That you cannot increase investments in security if you do not define what security is, and that just increasing the budget is useless if the underlying culture does not change. But the reaction of the Lazio region, starting from the black goat to be thrown off the cliff, that is, throwing it into caciara, tells me what the mentality, the culture, is. And it's not possible to be confident with this IT culture. We need a large turnover of executives, and of long-time employees.
  • Otherwise?
  • Otherwise larger and apparently (but only apparently) modern systems will be punctured. The budget is necessary but not sufficient.
  • Do you see efforts in this direction?
  • The decision to contract out the construction of a national cloud, for example, is one. It assumes that private cloud computing companies do not have the same executives and the same culture. Hoping that the private sector is more modern than the public one. It is true that it doesn't take much, but "I have seen things" in the private world too. However, this is true for all nations. In Germany the public sector is more efficient than the private one, once certain dimensions are exceeded. Each country has its own peculiarities. The Italian one is to reject progress. In Germany everyone asks for change but no one wants to change (unless the boss orders it). In England you change everything to keep the same incompetent turds with the embarrassing Eton accent in power. Each country reacts against progress in its own way: the problem is finding the key. In my experience as a consultant in Germany you have to convince the boss to order progress. In Italy, in my opinion, the only thing that works is the complete turnover of managers. In England, the Queen should be decapitated while she burns in a bed of flames and then Eton should be nuked, but after Brexit I no longer feel the urgency. France is not necessary. Each country, I said, has its own solutions.
  • Change the subject. Do you think then that the employee who started it all will be acquitted in a possible trial?
  • No. Unfortunately not. From my past experience as a court-appointed expert, almost certainly not. For one thing, the judges almost always believe the prosecution when the Postal Police are involved. If the Postal Police have a culprit, throw the black goat into the crevasse and don't talk about it anymore. Any objections from the defense experts are not only not understood by the judge, they are not even read. I was an expert in a lawsuit where the password had been set as the screensaver text, to avoid using a post-it (the guy who admitted the fact said that post-its come off easily). The password was the child's name and year of birth. I pointed out that the son's name was number two by frequency, in the indicated year, in Bologna. I pointed out that the password was definitely compromised. Result? According to the judge, you can use the password as a screensaver because people cannot know it is the password, and dictionary attacks are not possible because no one can know that you used your child's name as a password. And you understand that with judges like this, the Postal Police do not actually write the prosecution's report: they write the sentence.
  • And there is no way to defend oneself, to appeal, etc.?
  • Normally not. If anything, it's the other way around. The Garlasco case shows how an excellent report (if not a historic one in the sense of forensic law) was simply dismissed with reasons such as "but who the fuck understands this stuff? I was poor in technical education". Specific competence in IT is accepted when it comes from the Postal Police, because the Postal Police write things in their reports like "it is therefore clear that Mr. Rossi is guilty, without a shadow of a doubt, and must be condemned, and a spit in the face wouldn't hurt either". As if that weren't enough, the judges try to shorten trials to get through more of them and make a career, and having a culprit already at hand suits them. And when public administration is involved, the judge's problem is that accusing the guy of something negligent or unintentional is easy, while accusing his IT manager of having built an insecure system does not even correspond to a crime.
  • But won't the Postal Police say the system is insecure?
  • No. It's not their job. They are the police; they just have to say "dude did this, which caused that, and so he doesn't get Christmas presents because he's bad". They do not make assessments of the soundness of infrastructures. That the system is inherently insecure is for others to prove, but if we talk about the defense, their report will not even be read by the judge.
  • Do the judges not read the technical reports?
  • No, because they don't understand them. Their education is completely humanistic. Only if the report concluded by saying "their breath stinks of pine" could they understand, but generally they do not. However, they would believe the Postal Police report. If the Postal Police accuse a guy, he's done for. It might even save you money on lawyers.
  • And is there no defense? Authoritative experts, for example?
  • The defense against these processes is, as far as I know, only one: emigrate.
