Ransomware.....and other topics....

Condobloke



Edition 24: Supply Chain Attacks, AI, Enshittification, and You

In This Issue:

  • Supply Chain Attacks Get Real
  • The Rising Extortion Threat of AI
  • The Ransomware Risks of Enshittification
  • How the Microsoft Monopoly Problem Affects You

Supply Chain Attacks Get Real


One developer obsessed with wringing every last bit of performance out of a PostgreSQL install saved the world from what may have been one of the most widespread compromise events to date, in large part because xz (the compromised open source project) is widely used in a Linux kernel module by top distributions. The compromised module had already been accepted by Linux vendors into their experimental and bleeding-edge distributions, and was on the verge of entering the mainstream repositories when the compromise was found out. Dan Goodin has an excellent overview at Ars Technica, and it’s required reading for anyone in our industry.

Even though the attack was (only just barely) unsuccessful, the xz incident is perhaps the most serious publicly known supply chain attack in part because the developer responsible—“Jia Tan”—appears to have spent literally years carefully making the changes required to pull the attack off. We still don’t know whether “Jia Tan” acted on their own or whether they themselves were compromised; however, the event has caused shockwaves throughout the open source industry as projects large and small grapple with how to counter these sorts of long-term threats.

As if on cue, the Open Source Security (OpenSSF) and OpenJS Foundations have issued a joint alert regarding attempted takeovers of open source projects, including some details of another failed attempt similar to the xz debacle. Open source projects, of course, aren’t the only ones vulnerable to this. The U.S. government, for example, has been known to compromise U.S.-based technology vendors, and they are hardly the only government doing so.

The Rising Extortion Threat of AI


Good enough is already here. While multimedia-generation AIs may have some ways to go before they meet the exacting desires of the most artistically inclined members of our society, for the purposes of fooling the average person, AIs that can do the job already exist. A year from now the best AIs will be indistinguishable from reality. Two years from now there will be open source models that good. More terrifyingly, there is a very real possibility that the best technologies we have will be unable to distinguish between reality and AI-generated multimedia before the end of the decade.

Consider Microsoft’s new VASA-1 AI. Daniel John at Creative Bloq discusses the AI in a piece appropriately titled Microsoft’s New AI Tool Is a Deepfake Nightmare Machine, and his concluding sentence of “just look how much generative AI has improved in one year” is the thing we should all be focusing on.

By now most readers of this newsletter will have had to sit through at least one corporate training session about being careful not to get scammed by a phone call from your CEO asking for emergency money, or any of dozens of similar email scams. We are on the verge of everyone having the ability to deepfake video calls of the same sort of scams, and that’s only the beginning.

Some experts say mitigating this is easy: simply return to in-person meetings in order to conclude critical contracts and the like. We ask the question: how do you prove those meetings took place? A video recording? Well, about that …

Similarly, we are not far from the widespread availability of AIs that could deepfake those kinds of meetings believably enough to fool a judge. And again, we’re only scratching the surface of how this technology assuredly will be misused. Imagine, for example, a disciplined and well-researched attacker finding video or photos of someone’s manager, and then gaining access to the corporate Teams instance (through credential stuffing or some other means), and then deepfaking a call with an IT administrator requiring them to make a critical change to infrastructure which leaves the entire company vulnerable.

Now imagine how these technologies can be used to gain access to individual or corporate files in order to extort the victims or, for that matter, simply to generate deepfaked but utterly believable media to extort them.

Today we carefully vet people in critical positions to ensure that they cannot be easily compromised by corporate or national security threats. We want to make sure people in highly sensitive positions do not have any secrets which may cause them to experience significant economic or social pressures which might cause them to become compromised. Next-generation deepfake technology widens that attack surface dramatically.

Tomorrow we’re going to have to worry not only about who has skeletons in their closet, but also who is part of a social or ideological group which would respond so negatively to deepfaked multimedia of a person doing something that social or ideological group abhors that the individual is willing to become compromised to avoid that fallout. We have already seen ransomware gangs move from classic file-locking ransomware toward other forms of extortion. The evolution of AI presents those same practiced extortionists with a rich toolset to attack an increasingly diverse set of victims.

The Ransomware Risks of Enshittification


There is a critical piece of knowledge that every person who cares about the ongoing viability of their organization needs, and it can be found in a Cory Doctorow lecture on enshittification: “… in case you want to use enshittification in a more precise, technical way, let’s examine how enshittification works.

It’s a three stage process: First, platforms are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die.”

Doctorow goes on to use Facebook as an example of enshittification, but for those of us worried about cybersecurity threats, we think the better exemplar for this discussion is VMware. Sharon Hardin at Ars Technica reports on the ongoing fallout of the VMware acquisition by Broadcom, and it is absolutely worth the read.

We like VMware as an example of enshittification because the enshittification journey of VMware is really straightforward. VMware began by solving a very real problem for customers, giving them the ability to radically reduce their data center costs by virtualizing physical servers. VMware then focused on building out a massive partner-based cloud ecosystem which placed new and critical features in ever-higher license tiers and funneled customers into partner clouds and away from their own data centers. Now, under Broadcom, VMware is clawing customer accounts back from partners and jacking the prices up so high that many (especially small and midsize) customers simply cannot afford to continue with VMware, and this is where the ransomware risks enter the conversation.

The number of customers who have been unable to afford the new subscription licences, and thus opted to stick with the perpetual licences they already have, is large enough to have attracted the regulatory attention of the EU. Broadcom has temporarily agreed to keep patching zero-days for the old perpetual licences, but we all know that is not a forever thing. This opens organizations up to the risks of compromise and ransomware directly, but it also opens organizations up to these risks more indirectly as they begin their migration away from VMware.

Moving off VMware to another vendor isn’t easy. Every platform has its own quirks, and it takes both training and experience in order to appropriately configure and secure them. The third-party ecosystems around these platforms are still emerging, and the internal integrations and tooling that each organization has will have to be rebuilt for the new platforms. Infrastructure is complex, integration is hard, and it can take years to properly harden something so fundamental to an organization as a virtualization platform, especially when you consider that every integration and tool connected to it widens the attack surface.

VMware is a particularly notable example, but it’s far from the only one. Enshittification of absolutely everything is now the industry norm, with small and midsize organizations regularly having to make significant changes in vendors and/or tooling just to be able to afford to keep workloads and services operational. This is happening at a time when organizations of all sizes are laser-focused on reducing staffing costs, demanding already burnt-out employees constantly do more with less. Far from having the desired effect of pushing down wages, the result of this has been to drive the most experienced and capable people out of the industry altogether, increasing the burnout—and the skills gap—of those who remain.

As an industry, enshittification has created a new and rapidly growing area of vulnerability that we’re collectively reluctant to talk about, let alone address. This problem affects us all not only because of the difficulties we all face juggling vendors to keep the lights on, but also because those vendors are themselves dealing with the exact same problems internally, leading to decreasing product quality, more mistakes by vendor-side administrators, and decreasing rigour in vendor-side security policies.

How the Microsoft Monopoly Problem Affects You


Eric Geller at Wired has written an article excoriating the U.S. federal government for its single-vendor dependency on Microsoft, and it puts Microsoft on blast for a string of massive security failures and profit-first security culture. It is another must read, as is this piece by Kevin Purdy at Ars Technica, which provides some color specifically on the Exchange-related security problems that Microsoft has had of late.

The TL;DR of the problem is that Microsoft long ago decided that charging for information security functionality was a way to increase profits rather than something that should be a fundamental part of each product or service. Combined with Microsoft’s renewed focus on realizing workforce efficiencies, the company that most organizations around the world are absolutely dependent upon for operating systems, productivity software, email, and cloud services has chosen business practices at odds with positive outcomes for … everyone.

Email is a great example of how the concentration of critical technologies to a small number of vendors has become highly problematic. Over the past decade it has become nearly impossible to successfully host your own email server. Google, Microsoft, and a handful of other email providers around the world have been regularly implementing new “anti-spam” functionality that at best deprioritizes mail which doesn’t originate from one of the big email providers, and at worst can block that email, even if you follow all the rules and set up your DNS, DMARC, DKIM, and so forth correctly.

If you want to have the best chance that your recipient will actually receive the email you send them then you realistically have no choice except to use one of the big providers today. Even if your self-hosted email works fine today, they may decide tomorrow to make a change that blocks your mail server(s), and with it your ability to send or receive email from a significant percentage of the planet. Of course, even choosing one of the big email providers is no guarantee that your email will actually work, as we have already seen this year that they will block one another, too.

With everyone using one of a handful of email providers, any change those providers make really does affect significant percentages of the entire planet’s ability to email one another. And email is only one example. Microsoft has a well-known stranglehold on productivity software, and the bundling of applications into their Microsoft 365 subscriptions has gotten so bad the EU has taken action to force the unbundling of Teams.

A handful of big tech companies having most of the world forced to subscribe to their constantly updating, cloud-based applications just so that everyone can communicate with one another means that nearly everyone is vulnerable to the security choices made by these tech titans. Small and midsize businesses in particular have little choice here, as successfully using alternative vendors is increasingly difficult. Some of this is due to decisions taken by the large vendors to shift the burden of interoperability and compatibility to their much smaller rivals, but much of it is due to the lack of experienced technology administrators for alternative vendors.

Microsoft in particular is problematic because of the absolute dependence so many of the world’s governments have on it. The decisions of one senior executive at Microsoft can have literally global implications, affecting millions or even billions of individuals and organizations. To say nothing of the power it has to determine pricing, and the downstream consequences that has for organizations with thin margins just trying to keep the lights on.

Tweet of the Month

“Microsoft Research announced VASA-1.

It takes a single portrait photo and speech audio and produces a hyper-realistic talking face video with precise lip-audio sync, lifelike facial behavior, and naturalistic head movements generated in real-time.

This is amazing, given that the AI-generated video looks very real!

Of course, these examples will likely be cherry-picked, but this is still amazing.

My favorite use-case for this tech is to revive old actors like Cary Grant in new movies with this tech :)”

--Bindu Reddy

The video included in this tweet is a must-see.

“So, Microsoft is silently installing Copilot onto Windows Server 2022 systems and this is a disaster.

How can you push a tool that siphons data to a third party onto a security-critical system?

What privileges does it have upon install? Who thought this is a good idea? And most importantly, who needs this?”
--Sos Sosowski

The responses in the thread do not indicate general support for Microsoft’s position in this matter.
 
