SolarWinds Hackers Saw Microsoft's Code
Investigators are still determining the fallout from the SolarWinds hack, and last week Microsoft acknowledged that hackers had accessed Microsoft’s source code. Microsoft claims that, despite having accessed Microsoft’s code, there is no additional threat to Microsoft’s users because of how Microsoft manages its code repositories. Microsoft maintains no customer data was stolen.
Microsoft’s claims are plausible, although there are ways seeing code might help a threat actor a little. It seems the SolarWinds attackers were able to see Microsoft’s code because Microsoft uses an “inner source” code development model. Inner sourcing allows developers from Microsoft to see code, even if people outside the organization cannot. Just because someone can see code does not mean they can change code. Seeing code might give an attacker a small advantage if that attacker can see in the code an unperceived weakness. The risk of an adversary finding such a weakness when Microsoft itself has not is low.
If you would like a more in-depth explanation of how code development affects security, leave a comment.
Someone is Selling Chinese Citizens' Data
US security research firm Cyble discovered listings offering 200+ million Chinese citizens’ records for sale on the Dark Web. The information apparently comes from Gong’an county in Hubei, China, and rumors indicate that the listings originate on Russian-speaking sites. If the listing Cyble discovered is accurate, it is not clear how useful the information would be for either cybercriminals or government information collectors. The data leak is noteworthy because it demonstrates that information security is not just a problem in democratic countries. This kind of information release could be used as a “shot across the bow” for the Chinese government, but nothing about the venue or release information stands out as being from either the US or Russian governments (the most likely candidates).
Wall Street Punts Chinese Telecoms
The New York Stock Exchange (NYSE) will delist China Mobile, China Unicom HK, and China Telecom. China is framing the delisting as a part of Trump’s anti-China campaign, but the delisting is a consequence of China’s new national security law that curtailed Hong Kong’s autonomy. Most Chinese telecoms were incorporated in Hong Kong and operated under a legal system similar to the US’s. The US gave companies from Hong Kong the same special status as companies from other similar legal regimes. When China passed the new national security law, the legal regime those companies operated under was no longer commensurable with the legal system governing the NYSE, and could not meet transparency requirements.
Noteworthy
As with last week, there are more noteworthy articles to capture some of the retrospectives this week.
Privacy in 2020 and What to Expect for the Year Ahead by Hulefeld
A Different Kind of Virus - A Review of Ransomware in 2020 by Stout
A New Year, A New Administration: Doors Open in 2021 for Public-Private Cooperation by Uchill
2020 had Its Share of Memorable Hacks and Breaches. Here Are the Top 10 by Goodin
Russia’s SolarWinds Attack by Schneier
SolarWinds Attribution: Are We Getting Ahead of Ourselves? by Wetzel
What to Do If You’re Being Bullied in a Game by Grustniy
Ransomware Is Headed Down a Dire Path by Newman
Deepfakes are Literally Security Theater by Ottenheimer
How Your Digital Trails Wind Up in the Police’s Hands by Fussell
Role of Context in Threat Detection by Chuvakin
David Benson is a Professor of Strategy and National Security focusing on cyberstrategy and international relations. You can reach him at dbenson@osiriscodex.com.