Wednesday, December 16, 2020

Who really got hacked. Air Canada? Vancouver international?

News is flowing that Everest hacking group hacked Vancouver Airport and Air Canada, but this appears false.



When you visit the Everest Ransomware groups darkweb site, the information published looks to be a contractors data with regards to construction projects @ Vancouver International, that includes the Air Canada Lounge and various other enterprises across Canada including Pomerleau.


At first glance, it looks more like a contractor got hit and the files have been broken down into the various subjects since every leak on the Everest site has the exact same type of data (architecture diagrams, electrical diagrams, demolition plans, etc.)




Everyone is reaming on Air Canada/Vancouver airport today without looking at the data, and this looks more like a consultant got hit.



Now, since we have the plans for Vancouver International Airport (or partial plans), and the Annex Skywalk that leads to the Air Canada Lounge, should we now expect John McClane to kill off Colonel Stuart's mercenaries with his Beretta 92?


After all, we are certainly in the Christmas period and a nice Die Hard scenario would certainly spice things up.





Wednesday, December 9, 2020

FireEye piraté, une occasion manquée de se taire

Grande nouvelle cette semaine : FireEye fait les gros titres avec un nouvel incident cybernétique très médiatisé.


On dirait que leur boîte à outils d'exploits militarisés qui utilise des vulnérabilités connues a été levée.


https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html


En entendant et en lisant ceci, j'ai pensé... oui ... et alors...  Tout le monde peut se faire pirater, c'est juste un avant l'autre.

Cependant, ils semblent mettre tellement l'accent sur "leurs outils militarisés", presque comme s'ils voulaient avoir l'air cool en se vantant que leur boîte à outils est si géniale.


Jetons un coup d'œil à cela....  Si vous aviez une arme nucléaire... la sécuriseriez-vous avec :


1) Une surveillance 24 heures sur 24, 7 jours sur 7.

2) Un registre détaillé de toutes les personnes qui s'en approchent.

3) Des alertes et alarmes et toutes sortes de trucs sympas pour le protéger.


Je suppose donc qu'ils ont échoué sur quelques points.


Mais en voici quelques autres.  Ces exploits semblent faire appel à des CVE pour la plupart documentés


Donc rien qui soit vraiment un ZERO DAY dans le sens où il serait totalement inconnu.  Ils en ont probablement des juteux dont ils ne parlent pas encore....



Voici le véritable coup de pied... ils ont publiquement révélé qu'ils mettraient désormais à la disposition de leurs clients des outils pour détecter ces attaques.


C'est mon moment WTF.   Pourquoi ne pas avoir mis cela à la disposition de leurs clients avant cette brèche.

Pensent-ils vraiment que personne sur la planète n'aurait trouvé ces vulnérabilités "connues" ?


ou bien veulent-ils simplement continuer à exploiter ces vulnérabilités avec leurs propres clients lorsqu'ils font des tests de pénétration pour pouvoir obtenir des résultats garantis.


Peut-être n'auraient-ils pas dû révéler tout cela pour être ouvertement critiqués


Ce que j'appelle une occasion manquée de se taire.   Non pas à propos de la brèche, mais à propos de leur excellente offre de protéger désormais leurs clients.....


De tout cela peuvent surgir d'importantes questions d'éthique.


De quoi alimenter une bonne réflexion.


_______________________________________________


Eric Parent est un expert en sécurité (et un pilote chevronné), spécialisé dans le coaching de cadres supérieurs.  Il enseigne la cyber-sécurité à l'École Polytechnique et aux HEC de Montréal, et est le PDG de Logicnet/EVA-Technologies, l'une des plus anciennes sociétés de sécurité privées du Canada.


Suivez Eric :

Twitter @ericparent

LinkedIn : EVA-Technologies



www.eva-technologies.com



FireEye Hacked, missed opportunity to shut up

Big news this week as FireEye makes the charts with yet another high profile cyber incident.


Looks like their toolkit of weaponized exploits that makes use of mostly known vulnerabilities was lifted.


https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html


As I heard and read this, I thought... yeah .. so what...  Everyone can get hacked, this is just the one before the next one.


However, they seem to put so much emphasis on "their weaponized tools" almost like they want to seem all cool by bragging that their toolkit is so awesome.


Lets take a look at that....  If you had a nuclear weapon... wouldn't you:


1) Have it watched 24x7.

2) Have detailed logging of everyone who comes near it.

3) Have alerts and alarms and all sorts of cool stuff to protect it.


So I guess they failed on a few things.


But here are a few more.  These exploits appear to be making use of mostly documented CVE's


So nothing that is truly a zero day in the sense that it would be fully unknown.  They probably have some juicy ones that they are not yet talking about....



Here is the real kicker... they publicly disclosed that they would now make tools available to their clients to detect these attacks.


This is my WTF moment.   Why not have made this available to their clients before this breach.


Do they really think that no one on the planet would have found these "known" vulnerabilities?


or did they simply want to continue milking these vulnerabilities with their own clients when they do penetration tests so they can score.


Perhaps they shouldn't have tossed that out there to be torn apart ;-)

What I call a missed opportunity to shut up.   Not about the breach, but about their great offer to now protect their clients.....


Some serious ethics questions can surface from all this.


Food for thought.


_______________________________________________


Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.


Follow Eric on:

Twitter @ericparent

LinkedIn :  EVA-Technologies



www.eva-technologies.com





Do we really want to stop cheating

Cheating in colleges and universities.   This may be news to the normal citizen, but for people who have been in the education field, this is another Monday morning.


If you have "feelings", you might want to stop reading now.




Many news articles have been written over the last weeks, because final exams are taking place, and with COVID this means finding new ways to do exams, and control cheating.


Here is a reality, plagiarism and cheating cannot be successfully subdued with marketing campaigns.


This is much more a PR (public relations) stunt, to save face, and inspire students and employeurs that the universities take this so so seriously.


I call bullshit.


Here is why.


After teaching in a dozen different establishments over the last two decades:

  • I have seen them ignore it internally
  • I have seen them take a purely political stance at enforcing punishment
  • I have seen them protect the student because the student is a "paying client"


Why will  the marketing campaign not really change anything...Simple...


They let in students that would NEVER pass without cheating.

Think about that for a minute.


YOU WILL NEVER PASS.... why wouldn't you risk cheating or copying since it is the only way you WILL pass.


Our education system tends to shovel a lot of shit in my opinion.


They will tell you that they want to produce the best students.  They will not tell you that this is a secondary objective.  


Of course, who would offer to sell you a car and tell you the engineers can't count to 20 without an iPhone.


And our schooling system relies on money..... lots and lots of money... and for every student that is enrolled, a large financial incentive is present that goes well beyond what the student is paying.


So in other words, the motivation to enrol students is larger than the desire to kick them out when they cheat.  Of course, we cannot say this, so what we do is put in place complexe political processes that protects the poor innocent student in case the bad bad teacher doesn't like them.  And then throw in any other excuse such as "I'm too short", "I had a bad cough last week", "the teacher doesn't like me", or the race or gender card and you have yourself the entire recipe for a system that will continue to fail, and continue to produce sub quality students.  


Here is the reality, I do not know your name.  I have 60 students, they all have a number, I correct everything without even knowing your name.  I do not care what your sexual orientation is, or your hair colour, I am a professional, I do my job.  You are a student, why don't you do yours.   


I have had a case that even accused me of discrimination because the individual wasn't a minority.  As a society, we have become weak, spineless imbeciles who refuse to take responsibility for our lack of effort.  It is a classic case off finding an angle that make you look good, and makes you the poor helpless victim.


Think about that if you have open heart surgery... Did my doctor graduate because he took the class 11 times or cheated consistently through his educational career?  Was he lucky enough to always be sitting near the "smart" asian kid.


Yeah yeah, I know, that is cultural appropriation.  Yet another term for all the losers who need to have their feelings protected.  We all know that asian kids rock because THEY READ THE FUCKING BOOK and show up in class prepared you whiny ass losers.


Obviously, medical studies have other safeguards in place.  Yet we still get shit doctors.


What about all the other fields that are not regulated or controlled for quality, aside from trusting that beautiful certificate from a prestigious establishment.


Things will have to get worst before they get better.


Obviously, when management is looking at the short term, these are the results you get and should expect.

 

Will we ever see the quality we once had along with long term vision and values?


Since society is going to hell in a hand basket, and since the people in power are in it for their yearly bonus....   I will not hold my breath.


In the mean time, perhaps a good safe guard is to ask for a PhD for any position, this way you know that person has gone through a long process of refining their political skills ;-).  Instead of getting a normal cheater, you will get a professional who has demonstrated mastery of multiple domains combined with patience and perseverance!


In closing, most students I have had demonstrated good values, good competency, and I would hire them.  My point is simply that by tolerating the 5% who are beyond shit, the image of an entire industry can be impacted, and the trust over time will erode.  This will result in people like me not being able to simply "recommend" someone because they went to XYZ academy.  My response will always be... let us interview the candidate and determine what the quality is on our own.


End of rant.


Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...