Daily Archives: January 7, 2021

Sealed U.S. Court Records Exposed in SolarWinds Breach

The ongoing breach affecting thousands of organizations that relied on backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system, according to a memo released Wednesday by the Administrative Office (AO) of the U.S. Courts.

The judicial branch agency said it will be deploying more stringent controls for receiving and storing sensitive documents filed with the federal courts, following a discovery that its own systems were compromised as part of the SolarWinds supply chain attack. That intrusion involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software as far back as March 2020.

“The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings,” the agency said in a statement published Jan. 6.

“An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation,” the statement continues. “Due to the nature of the attacks, the review of this matter and its impact is ongoing.”

The AO declined to comment on specific questions about their breach disclosure. But a source close to the investigation told KrebsOnSecurity that the federal court document system was “hit hard,” by the SolarWinds attackers, which multiple U.S. intelligence and law enforcement agencies have attributed as “likely Russian in origin.”

The source said the intruders behind the SolarWinds compromise seeded the AO’s network with a second stage “Teardrop” malware that went beyond the “Sunburst” malicious software update that was opportunistically pushed out to all 18,000 customers using the compromised Orion software. This suggests the attackers were targeting the agency for deeper access to its networks and communications.

The AO’s court document system powers a publicly searchable database called PACER, and the vast majority of the files in PACER are not restricted and are available to anyone willing to pay for the records.

But experts say many other documents stored in the AO’s system are sealed — either temporarily or indefinitely by the courts or parties to a legal matter — and may contain highly sensitive information, including intellectual property and trade secrets, or even the identities of confidential informants.

Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said the court document system doesn’t hold documents that are classified for national security reasons. But he said the system is full of sensitive sealed filings — such as subpoenas for email records and so-called “trap and trace” requests that law enforcement officials use to determine with whom a suspect is communicating via phone, when and for how long.

“This would be a treasure trove for the Russians knowing about a lot of ongoing criminal investigations,” Weaver said. “If the FBI has indicted someone but hasn’t arrested them yet, that’s all under seal. A lot of the investigative tools that get protected under seal are filed very early on in the process, often with gag orders that prevent [the subpoenaed party] from disclosing the request.”

The acknowledgement from the AO comes hours after the U.S. Justice Department said it also was a victim of the SolarWinds intruders, who took control over the department’s Office 365 system and accessed email sent or received from about three percent of DOJ accounts (the department has more than 100,000 employees).

The SolarWinds hack also reportedly jeopardized email systems used by top Treasury Department officials, and granted the attackers access to networks inside the Energy, Commerce and Homeland Security departments.

The New York Times on Wednesday reported that investigators are examining whether a breach at another software provider — JetBrains — may have precipitated the attack on SolarWinds. The company, which was founded by three Russian engineers in the Czech Republic, makes a tool called TeamCity that helps developers test and manage software code. TeamCity is used by developers at 300,000 organizations, including SolarWinds and 79 of the Fortune 100 companies.

“Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies,” The Times said. “Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.”

Under the AO’s new procedures, highly sensitive court documents filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed documents will not be uploaded to CM/ECF.

“This new practice will not change current policies regarding public access to court records, since sealed records are confidential and currently are not available to the public,” the AO said.

James Lewis, senior vice president at the Center for Strategic and International Studies, said it’s too soon to tell the true impact of the breach at the court system, but the fact that they were apparently targeted is a “a very big deal.”

“We don’t know what the Russians took, but the fact that they had access to this system means they had access to a lot of great stuff, because federal cases tend to involve fairly high profile targets,” he said.

All Aboard the Pequod!

Like countless others, I frittered away the better part of Jan. 6 doomscrolling and watching television coverage of the horrifying events unfolding in our nation’s capital, where a mob of President Trump supporters and QAnon conspiracy theorists was incited to lay siege to the U.S. Capitol. For those trying to draw meaning from the experience, might I suggest consulting the literary classic Moby Dick, which simultaneously holds clues about QAnon’s origins and offers an apt allegory about a modern-day Captain Ahab and his ill-fated obsessions.

Many have speculated that Jim Watkins, the administrator of the online message board 8chan (a.k.a. 8kun), and/or his son Ron are in fact “Q,” the anonymous persona behind the QAnon conspiracy theory, which holds that President Trump is secretly working to save the world from a satanic cult of pedophiles and cannibals.

Last year, as I was scrutinizing the computer networks that kept QAnon online, researcher Ron Guilmette pointed out a tantalizing utterance from Watkins the younger which adds tenuous credence to the notion that one or both of them is Q.

We’ll get to how the Great White Whale (the Capitol?) fits into this tale in a moment. But first, a bit of background. A person identified only as “Q” has for years built an impressive following for the far-right conspiracy movement by leaving periodic “Q drops,” cryptic messages that QAnon adherents spend much time and effort trying to decipher and relate to current events.

Researchers who have studied more than 5,000 Q drops are convinced that there are two distinct authors of these coded utterances. The leading theory is that those identities corresponded to the aforementioned father-and-son team responsible for operating 8chan.

Jim Watkins, 56, is the current owner of 8chan, a community perhaps now best known as a forum for violent extremists and mass shooters. Watkins is an American pig farmer based in the Philippines; Ron reportedly resides in Japan.

In the aftermath of back-to-back mass shootings on Aug. 3 and Aug. 4, 2019 in which a manifesto justifying one of the attacks was uploaded to 8chan, Cloudflare stopped providing their content delivery network to 8chan. Several other providers quickly followed suit, leaving 8chan offline for months before it found a haven at a notorious bulletproof hosting facility in Russia.

One reason Q watchers believe Ron and Jim Watkins may share authorship over the Q drops is that while 8chan was offline, the messages from Q ceased. The drops reappeared only months later when 8chan rebranded as 8kun.


Here’s where the admittedly “Qonspiratorial” clue about the Watkins’ connection to Q comes in. On Aug. 5, 2019, Ron Watkins posted a Twitter message about 8chan’s ostracization which compared the community’s fate to that of the Pequod, the name of the doomed whaling ship in the Herman Melville classic “Moby Dick.”

“If we are still down in a few hours then maybe 8chan will just go clearnet and we can brave DDOS attacks like Ishmael on the Pequod,” Watkins the younger wrote.

Ishmael, the first-person narrator in the novel, is a somewhat disaffected American sailor who decides to try his hand at a whaling ship. Ishmael is a bit of a minor character in the book; very soon into the novel we are introduced to a much more interesting and enigmatic figure — a Polynesian harpooner by the name of Queequeg.

Apart from being a cannibal from the Pacific islands who has devoured many people, Queequeg is a pretty nice guy and shows Ismael the ropes of whaling life. Queequeg is covered head to toe in tattoos, which are described by the narrator as the work of a departed prophet and seer from the cannibal’s home island.

Like so many Q drops, Queequeg’s tattoos tell a mysterious tale, but we never quite learn what that full story is. Indeed, the artist who etched them into Queequeg’s body is long dead, and the cannibal himself can’t seem to explain what it all means.

Ishmael describes Queequeg’s mysterious markings in this passage:

“…a complete theory of the heavens and earth, and a mystical treatise on the art of attaining truth; so that Queequeg in his own proper person was a riddle to unfold; a wondrous work in one volume; but whose mysteries not even himself could read, though his own live heart beat against them; and these mysteries were therefore destined in the end to moulder away with the living parchment whereon they were inscribed, and so be unsolved to the last.”


It’s perhaps fitting then that one of the most recognizable figures from the mob that stormed the U.S. Capitol on Wednesday was a heavily-tattooed, spear-wielding QAnon leader who goes by the name “Q Shaman” (a.k.a. Jake Angeli).

“Q Shaman,” a.k.a. Jake Angeli, at a Black Lives Matter event in Arizona (left) and Wednesday, confronted by U.S. Capitol Police. Image: Twitter, @KelemenCari.

“Angeli’s presence at the riot, along with others wearing QAnon paraphernalia, comes as the conspiracy-theory movement has been responsible for the popularization of Trump’s voter-fraud conspiracy theories,” writes Rachel E. Greenspan for Yahoo! News.

“As Q has become increasingly hands-off, giving fewer and fewer messages to his devotees, QAnon leaders like Angeli have gained fame and power in the movement,” Greenspan wrote.

If somehow Moby Dick was indeed the inspiration for the “Q” identity in QAnon, yesterday’s events at The Capitol were the inexorable denouement of a presidential term that increasingly came to be defined by conspiracy theories. In a somewhat prescient Hartford Courant op-ed published in 2018, author Steven Almond observed that Trump’s presidency could be best understood through the lens of the Pequod’s Captain Ahab. To wit:

“Melville is offering a mythic account of how one man’s virile bombast ensnares everyone and everything it encounters. The setting is nautical, the language epic. But the tale, stripped to its ribs, is about the seductive power of the wounded male ego, how naturally a ship steered by men might tack to its vengeful course.”

“Trump’s presidency has been, in its way, a retelling of this epic. Whether we cast him as agent or principal hardly matters. What matters is that Americans have joined the quest. In rapture or disgust, we’ve turned away from the compass of self-governance and toward the mesmerizing drama of aggression on display, the masculine id unchained and all that it unchains within us. With every vitriolic tweet storm and demeaning comment, Trump strikes through the mask.”


If all of the above theorizing reads like yet another crackpot QAnon conspiracy, that may be the inevitable consequence of my spending far too much time going down this particular rabbit hole (and re-reading Moby Dick in the process!).

In any case, none of this is likely to matter to the diehard QAnon conspiracy theorists themselves, says Mike Rothschild, a writer who specializes in researching and debunking conspiracy theories.

“Even if Jim Watkins was revealed as owning the board or making the posts, it wouldn’t matter,” Rothschild said. “Anything that happens that disconfirms Q being an official in the military industrial complex is going to help fuel their persecution complex.”

Rothschild has been working hard on finishing his next book, “The Storm is Upon Us: How QAnon Became a Movement, Cult, and Conspiracy Theory of Everything,” which is due to be published in October 2021. Who’s printing the book? Ten points if you guessed Melville House, an independent publisher named after Herman Melville.

McAfee Welcomes its ISO 27701 Certificate!

This post was also written by Darragh McMahon

At McAfee, we adhere to a set of core values and principles – We Put the Customer at The Core, We Achieve Excellence with Speed and Agility, We Play to Win or We Don’t Play, We Practice Inclusive Candor and Transparency.

And reaching the ISO 27701 enshrines all of these values.

For those who are not familiar with it, the ISO 27701 is the industry leading certification for information security & privacy management. Achieving the ISO 27701 certification demonstrates that McAfee is able to protect personal data, thanks to a multidisciplinary effort coupled with cross-functional expertise. Because yes, We Play to Win or We Don’t Play.

Over the past years, and all around the world, lawmakers and regulators have been and continue to introduce new laws governing the processing of personal data (such as those adopted in Australia, Brazil, Singapore and Canada) -the GDPR and the CCPA are only few of these. This changing legal environment raises challenges for all businesses, but especially those that must comply globally with regulations in multiple jurisdictions. Compliance to requirements and controls of ISO 27701 is relevant to support the fulfillment of obligations to articles 5 to 49 (except 43) of the GDPR. The application of the ISO 27701 standard can also be used for supporting compliance with other data privacy laws. Because yes, We Practice Inclusive Candor and Transparency.

The ISO 27701 Standard has been published in August 2019, and all companies, whether vendors or customers, should look into it. At the time of certification by McAfee’s assessment firm[1], McAfee is one of the very first companies to achieve the certification within the cyber-security industry. Because yes, not only do We Achieve Excellence with Speed and Agility, but We also Put the Customer at the Core.

Key requirements include, but are not limited to:

  • Fundamental Data Protection Principles: purpose of the data processing, legal basis for the data processing, obtaining individuals’ consent and mechanisms to modify or withdraw that consent, records of data processing activities, and privacy impact assessments;
  • Individuals’ Data Protection Rights: notice, access, correction, erasure, and automated decisions;
  • Privacy by Design and by Default: data minimization, de-identification and deletion, and data retention;
  • Data processing agreements, data transfers and data sharing;
  • Determination of the role of the organization as a data controller and/or data processor;
  • Unified management of IT risks for the organization of privacy risks for data subjects;
  • Appointment of a person responsible for the protection of privacy (DPO or equivalent);
  • Staff awareness; data classification; protection of removable media; user access management and data encryption; backups and event logging; conditions for the transfer of personal data; Incident management; and
  • Compliance with legal and regulatory requirements, etc.

McAfee’s ISO 27701 certificate, along with its other certificates, is publicly available at trust.mcafee.com/privacy-compliance

[1] Schellman, December 2020

The post McAfee Welcomes its ISO 27701 Certificate! appeared first on McAfee Blogs.

#CiscoChat Live: Recapture Your Time and Get More Out of Secure Remote Working

How do you feel when you hear phrases like, “the pandemic”, “remote working”, “the new (or next) normal”? Fatigued?

You are not alone.

Most of us are experiencing online fatigue as a result of working from home for months now. Worse, we’re physically and mentally fatigued by the shift to the “always on” mode with remote working. It doesn’t take much if you think about it. Just ask yourself, “How many more hours do you find yourself working on a daily basis now that you’re working from home?” all while keeping your remote employees and your company data secure all at the same time. There is a better way. Simplify, simplify, simplify.

Join us for a #CiscoChat Live on how to get time back and start unlocking the opportunity ahead while you and your employees continue to work remotely. Especially,  as the transition to a hybrid work environment begins, we’ll discuss how you do this while ensuring a simple and secure experience. Learn from experts from both Cisco Security and our customers as they talk about the future of secure remote work including the major trends, 10 key takeaways and how Cisco can help you on this journey  – so you can get back some time and some much-needed peace of mind. 


Recapture Your Time and Get More Out of Secure Remote Working
Thursday, January 14 at 3:00 p.m. ET, 12:00 p.m. PT

Philipp Neidlein, IT Product Manager Voice & Data Network, Festo
Collin John, Global Security Manager, Alvarez & Marsal
Ben Munroe, Director of Product Marketing, Cisco
Jolene Tam, Product Marketing Manager, Cisco SecureX

Hazel Burton, Product Marketing Manager, Cybersecurity Thought Leadership 

Join our live broadcast on these channels:

Cisco.com homepage 
Cisco YouTube 
Cisco Secure Facebook 
Cisco Secure Twitter 
Cisco Secure LinkedIn
Cisco Designed Twitter 

Using the social media channels above, you will have the opportunity to ask questions about how remote working is changing, the challenges, even participate in a few polls, and learn the role security can play in helping simplify a secure experience. Set your clocks and mark your calendars for January 14th at 12:00 p.m. PT syou get some time and much needed peace of mind back into your work life. 

SolarWinds Hackers Also Accessed U.S. Justice Department’s Email Server

The U.S. Department of Justice on Wednesday became the latest government agency in the country to admit its internal network was compromised as part of the SolarWinds supply chain attack. "On December 24, 2020, the Department of Justice's Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected

How to Communicate Application Security Success to Your Executive Leadership

Over the past several years, there have been many changes to software development and software security, including new and enhanced application security (AppSec) scans and architectural shifts like serverless functions and microservices. But despite these advancements, our recent State of Software Security (SOSS) report found that 76 percent of applications have security flaws. Yet CISOs and application security program owners still find themselves having to justify and defend application security initiatives.

Members of the Veracode Customer Advisory Board (CAB), a group of AppSec professionals in several industries, faced this challenge as well. In response, a working group subset of the CAB collaborated to establish a set of metrics that security professionals can use to establish, drive adoption, and operationalize their application security program. These data points should help inform decisions at different stages of program maturity while answering the basic question: is the application security program effective or not?

How to determine and justify the required resources for an application security program

AppSec managers need a justi?ャ?able AppSec approach and dataset that set parameters around the program, give a starting point, and set up how the program will grow over time. That approach starts with providing evidence that an application security program is necessary and that it will reduce risk.

To show that an AppSec program is necessary, call attention to data points around flaw prevalence in applications (76 percent) or the average cost of a data breach ($3.86 million).

Software security landscape today

To show that AppSec programs reduce risk, consider stats like the one from our SOSS report that found that organizations scanning for security the most (more than 300 times per year) fix flaws 11.5x faster than organizations scanning the least.

How to determine and prove that development teams are adopting software security practices

AppSec success hinges on development buy-in and engagement. Therefore, proving that your AppSec program is effective requires evidence of developer adoption.

Consider highlighting the rate at which development teams are taking advantage of APIs to integrate security into their processes Then prove that developers are taking the time to fix the identified flaws by showing your developer???s fix rate (the # of findings closed / the # of findings open).

By examining the fix rate, you can see if developers are actively adopting AppSec practices by fixing ??? not just finding ??? vulnerabilities. The fix rate also shows you where additional training or resourcing investment is needed.

How to determine if the application security program is operating efficiently

AppSec programs are meant to be ongoing ??? not a one-off project with an end date. An effective AppSec program is ultimately a component of the software development process, just like QA, and the measures of success need to reflect that.

A key metric here is the correlation between security activities early in the development process and the number of security flaws found in a release candidate or in production. For example, the figure below shows the relationship between security testing early in the development process, in the individual IDE of a software developer, and the number of flaws found in the release candidate.

Security activities in dev process

In addition, use metrics to show that you???re fixing more flaws than you???re finding.

open and closed findings

Or show that your applications are passing your security policy.

Security policy

By using the metrics established in the CAB report, and adding further context and background to the metrics, you can tell the story of your AppSec program to drive further adoption.

For more tips on proving the success of your AppSec program, including additional metrics, check out our full report, Communicating Application Security Success to Your Executive Leadership.

The New NIST Fire Calorimetry Database Is Available to Answer Your Burning Questions

This news article is reproduced from a blog post that originally appeared in the NIST TAKING MEASURE Just a Standard Blog on December 16th, 2020. By: Matthew Bundy Several centuries ago, scientists discovered oxygen while experimenting with combustion and flames. One scientist called it “fire air.” Today, at the National Institute of Standards and Technology (NIST), we continue to measure oxygen to study the behavior of fires. The NIST National Fire Research Laboratory (NFRL) has four progressively larger canopy hoods that are used to research the behavior of fires. The hoods, like massive