Tag Archives: Joshua Schulte

Security News for the Week Ending June 17, 2022

Ransomware Morphs Again

We know that ransomware has gone through a lot of iterations over the last couple of years as hackers try to maximize their revenue. The BlackCat group is now creating public websites for each victim company and has indexed the data to make it easy to search. I guess this means that it will be harder for companies that get hacked to hide what data was stolen. In one of their sites, you can select between employee data and customer data as the first filter and then search on that subset. Credit: Brian Krebs

NSA Quietly Appoints General Counsel After Two Years

You may remember that in the sort of weird final days of the last President’s administration, the ex-President attempted to force the NSA to accept an unqualified political hack in the role of GC – a person who had not even worked inside the intelligence community – through a process known as burrowing. Burrowing converts a political appointee into a career civil servant. Gen. Nakasone was ordered, on the last day of the ex-President’s administration, to swear the guy in. That same day, the General put the new GC on administrative leave pending an inquiry into some security incidents. After several months in limbo, he resigned. He now is a lawyer at Rumble, a business partner of Truth Social. See a pattern? Anyway, April Falcon Doss, who seems to have impressive legal creds, was finally, quietly, sworn in as GC last month. Credit: The Record

Cyberattack – One and Done? Nope; Not Likely

According to research by Cymulate, 39% of companies were hit by cybercrime over the last year. Of those, TWO THIRDS were hit more than once. Also, of those who were hacked once, 10% were hacked ten times. That doesn’t give me a lot of warm fuzzies. Credit: ZDNet

Joshua Schulte, Former CIA Coder, Represents Himself in Second Espionage Trial

Joshua Schulte is a former software engineer who worked for the CIA. He is accused of the largest, most damaging leak the CIA ever had. In his first trial, the jury hung on the espionage charges. Now the second trial is beginning and he is representing himself. I recall the saying that a lawyer who represents himself has a fool for a client. Even though he is not a lawyer, the saying applies. He says he was framed. Prosecutors say he is guilty. Stay tuned for details. Credit: Security Week

Indian Police Planted False Evidence on Activists’ Computers to Arrest Them

Police in India were caught using hacking tools to plant evidence on people’s computers and then arresting them for the staged crime. The people being cyberattacked are not terrorists, but rather journalists and activists – in other words, people who annoy the police. With the help of SentinelOne, the hacking-by-police incidents have been publicly exposed. Credit: Wired

Your Cybersecurity is Likely Better Than the CIA’s Was. Or Is It?

The Vault 7 leak, in which Wikileaks posted information about a large number of CIA hacking tools, was possibly the worst national security compromise the Agency has ever seen.

Not only did it reveal our techniques for hacking foreign systems, but hackers repurposed those tools and used them against American and other friendly companies and governments.

The CIA had to create a whole new series of tools that used different exploits, assuming that is even completely possible.

While the Vault 7 leaks did not distribute source code, they did disclose Tactics, Techniques and Procedures (TTPs). This gives the other side all kinds of clues into our thinking, what software we think is vulnerable and our approach to hacking.

Joshua Schulte was arrested and tried for the leak but was only convicted on a few of the lesser charges. Why?

Because the CIA had horrible internal security practices.

An internal CIA report reviewing the breach said that bad cyber practices led to the disclosure of at least 180 GB of hacking tools and documentation.

The report said that the Agency shared administrative passwords and had no control of removable storage, for example.

If you do that, it is a problem; if the CIA does that, well, it is a disaster.

The Intelligence Community has a historical love, maybe obsession is a better word, for OFFENSIVE security (hacking the bad guys) and not much interest in DEFENSIVE security.

A redacted, but still damning, version of the report has been released.

Echoing Tom Lehrer’s song about Wernher von Braun’s attitude toward rockets (“Once the rockets are up, who cares where they come down”), the report says:

“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely.

Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

The report also says that there were deficiencies in the Agency’s procedures for detecting rogue insiders, which allowed the insider to take all of the data out and give it to Wikileaks.
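Two of the gaps the report names, shared administrator passwords and the absence of removable media controls, are exactly the kind of thing a small amount of log monitoring would have surfaced. The script below is an added example, not code from this post or from the CIA report, and all of the hosts, account names, addresses and log lines in it are constructed for the demonstration. It parses syslog-style lines and raises two findings: an account whose password logins arrive from several distinct source addresses inside a short window (the signature of a shared credential), and hosts on which removable storage was attached or mounted.

```python
"""Detection checks for two insider-risk gaps: shared admin credentials and
uncontrolled removable media. Added example; all sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Host names, users, addresses and device
# identifiers are invented for this example.
SAMPLE_LOGS = """\
2022-06-01T09:00:01 ws-01 sshd: Accepted password for admin from 10.0.0.5
2022-06-01T09:02:13 ws-02 sshd: Accepted password for admin from 10.0.0.9
2022-06-01T09:03:40 ws-03 sshd: Accepted password for admin from 10.0.0.17
2022-06-01T09:10:00 ws-04 sshd: Accepted password for jdoe from 10.0.0.21
2022-06-01T11:45:12 ws-02 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
2022-06-01T11:45:14 ws-02 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
2022-06-01T11:46:00 ws-02 systemd: Mounted /media/usb0.
2022-06-02T08:00:00 ws-01 sshd: Accepted publickey for jdoe from 10.0.0.21
"""

# <ISO timestamp> <host> <process>: <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")
# Kernel and mount messages that indicate removable storage being attached.
MEDIA_RE = re.compile(r"usb-storage|removable disk|Mounted /media/")


def parse_logs(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "proc": m.group("proc"),
            "message": m.group("msg"),
        })
    return events


def find_shared_account_logins(events, window=timedelta(hours=1), min_sources=3):
    """Flag accounts that log in from >= min_sources distinct addresses within
    `window`. One person rarely does that; a shared password often does.
    Returns {user: sorted list of source addresses}."""
    logins = defaultdict(list)
    for ev in events:
        m = LOGIN_RE.search(ev["message"])
        if m:
            logins[m.group("user")].append((ev["time"], m.group("src")))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()
        # Slide a window starting at each login and count distinct sources in it.
        for i, (start, _) in enumerate(entries):
            sources = {src for t, src in entries[i:] if t - start <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


def find_removable_media_events(events):
    """Count removable-storage attach/mount events per host.
    Returns {host: count}; an empty dict means nothing was seen."""
    counts = defaultdict(int)
    for ev in events:
        if MEDIA_RE.search(ev["message"]):
            counts[ev["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for user, srcs in find_shared_account_logins(evs).items():
        print(f"shared credential suspected: {user} from {', '.join(srcs)}")
    for host, n in find_removable_media_events(evs).items():
        print(f"removable media on {host}: {n} event(s)")
```

On the constructed input the admin account is flagged because three different addresses use it within four minutes, while jdoe is not, and ws-02 shows three removable-media events. The thresholds are assumptions to tune per environment; the point is that both of the report's named gaps leave footprints in ordinary system logs, so detecting them needs no exotic tooling, only someone watching.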

According to Senator Wyden, who released the redacted report, years later the Agency’s security is not a whole lot better.

So maybe your security is not so bad. At least when your stuff gets compromised, you aren’t helping the Russians and Chinese.

That is probably not the metric that you want to use for your security program.

And why did Schulte’s trial end in a mistrial for many of the charges? Because the CIA’s security was so bad that they could not convince the jury definitively that Schulte took the information.

Credit: The Register