RUSSIA/РОССИЯ THREAD—ASSANGE CHRGD W/ SPYING—DJT IMPEACHED TWICE-US TREASURY SANCTS KILIMNIK AS RUSSIAN AGNT
- Thread starter ☑︎#VoteDemocrat
- Start date
Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon
WASHINGTON/MOSCOW (Reuters) - Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.
The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.
The Russian review of ArcSight’s source code, the closely guarded internal instructions of the software, was part of HPE’s effort to win the certification required to sell the product to Russia’s public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.
Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.
“It’s a huge security vulnerability,“ said Greg Martin, a former security architect for ArcSight. ”You are definitely giving inner access and potential exploits to an adversary.”
Despite the potential risks to the Pentagon, no one Reuters spoke with was aware of any hacks or cyber espionage that were made possible by the review process.
The ArcSight review took place last year, at a time when Washington was accusing Moscow of an increasing number of cyber attacks against American companies, U.S. politicians and government agencies, including the Pentagon. Russia has repeatedly denied the allegations.
The case highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity while continuing to pursue business with Washington’s adversaries such as Russia and China, say security experts.
‘BACKDOOR VULNERABILITIES’
The review was conducted by Echelon, a company with close ties to the Russian military, on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.
Echelon president and majority owner Alexey Markov said in an email to Reuters that he is required to report any vulnerabilities his team discovers to the Russian government.
But he said he does so only after alerting the software developer of the problem and getting its permission to disclose the vulnerability. Echelon did not provide details about HPE’s source code review, citing a non-disclosure agreement with the company.
FSTEC confirmed Markov’s account, saying in a statement that Russian testing laboratories immediately inform foreign developers if they discover vulnerabilities, before submitting a report to a government “database of information security threats.”
One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that U.S. intelligence services have not placed spy tools in the software.
HPE said no “backdoor vulnerabilities” were discovered in the Russian review. It declined to provide further details.
HPE said it allows Russian government-accredited testing companies to review source code in order to win the Russian defense certifications it needs to sell products to Russia’s public sector.
An HPE spokeswoman said source code reviews are conducted by the Russian testing company at an HPE research and development center outside of Russia, where the software maker closely supervises the process. No code is allowed to leave the premises, and HPE has allowed such reviews in Russia for years, she said.
Those measures ensure “our source code and products are in no way compromised,” she said.
Some security experts say that studying the source code of a product would make it far easier for a reviewer to spot vulnerabilities in the code, even if they did not leave the site with a copy of the code.
In a 2014 research paper, Echelon directors said the company discovered vulnerabilities in 50 percent of the foreign and Russian software it reviewed.
Still, security analysts said the source code review alone, even if it yielded information about vulnerabilities, would not give hackers easy entry into the military systems. To infiltrate military networks, hackers would need to first overcome a number of other security measures, such as firewalls, said Alan Paller, founder of the SANS Institute, which trains cybersecurity analysts
Paller also said HPE’s decision to allow the review was not surprising. If tech companies like HPE want to do business in Russia, ”they don’t really have any choice,” he said.
A general view shows a building, which houses the office of HP Russia, in Moscow. REUTERS/Sergei Karpukhin
HPE declined to disclose the size of its business in Russia, but Russian government tender records show ArcSight is now used by a number of state firms and companies close to the Kremlin, including VTB Bank and the Rossiya Segodnya media group.
Whether the customer is Russia or the United States, overlooked errors in software code can allow foreign governments and hackers to penetrate a user’s computer.
Exploiting vulnerabilities found in ArcSight’s source code could render it incapable of detecting that the military’s network was under attack, said Allen Pomeroy, a former ArcSight employee who helped customers build their cyber defense systems.
“A response to the attack would then be frankly impossible,” Pomeroy said.
The HPE spokeswoman said Reuters’ questions about the potential vulnerabilities were “hypothetical and speculative in nature.”
HPE declined to say whether it told the Pentagon of the Russian review, but said the company “always ensures our clients are kept informed of any developments that may affect them.”
A spokeswoman for the Pentagon’s Defense Information Systems Agency, which maintains the military’s networks, said HPE did not disclose the review to the U.S. agency. Military contracts do not specifically require vendors to divulge whether foreign nations have reviewed source code, the spokeswoman said.
The U.S. military agency itself did not require a source code review before purchasing ArcSight and generally does not place such requirements on tech companies for off-the-shelf software like ArcSight, the Pentagon spokeswoman said. Instead, DISA evaluates the security standards used by the vendors, she said.
‘EVERYONE IS HAPPY’
Echelon operates as an official laboratory and software tester of FSTEC and Russia’s FSB spy agency, according to Russian government registries of testing laboratories and software certifications reviewed by Reuters. U.S. intelligence has accused the FSB of helping mount cyber attacks against the United States and interfering in the 2016 presidential election.
Markov, Echelon’s president, defended the reviews, saying that “if a vulnerability is found, everyone is happy” because the detected flaw means laboratory experts are “able to demonstrate their qualifications” and “the developer is happy that a mistake was detected, since by fixing it the product will become better.”
Russia in recent years has stepped up demands for source code reviews as a requirement for doing business in the country, Reuters reported in June.
A number of international companies, including Cisco Systems Inc, the world’s largest networking gear maker, and German software giant SAP, have agreed to the reviews, though others, including cybersecurity firm Symantec, have refused because of security concerns.
CYBERDEFENSE BULWARK
U.S. government procurement records show ArcSight is used as a key cyberdefense bulwark across much of the U.S. military including the Army, Air Force and Navy. For example, ArcSight is used to guard the Pentagon’s Secret Internet Protocol Router Network (SIPRNet), which is used to exchange classified information, according to military procurement records.
The Pentagon spokeswoman declined to comment on risks posed by specific products to its network but said all software used by DISA is “extensively evaluated for security risks,” and continually monitored once deployed.
Created in 2000 as an independent company, ArcSight broke new ground by allowing large organizations to receive real-time alerts about potential cyber intrusions.
The software draws activity records from servers, firewalls, and individual computers across a network - up to hundreds of thousands per second. The system then searches for suspicious patterns, such as a high number of failed login attempts within a few seconds, and alerts analysts.
A decade later, ArcSight had become “the core” cyber network defense tool the Pentagon’s analysts “rely on to defend DoD networks,” DISA said in a 2011 ArcSight procurement request.
Today ArcSight is a virtually irreplaceable tool for many parts of the U.S. military, at least for the immediate future, Pentagon records show.
“HP ArcSight software and hardware are so embedded,” the Pentagon’s logistics agency wrote in April, that it could not consider other competitors “absent an overhaul of the current IT infrastructure.”
HPE agreed last year to sell ArcSight and other security products to British tech company Micro Focus International Plc in a transaction that was completed in September.
Jason Schmitt, the current head of the ArcSight division, said the product makes up a little less than half of the $800 million in annual revenue Micro Focus expects to get from the security software business purchased from HPE.
Schmitt said he could not comment on any source code review that took place before this year, when he took the job, but stressed such reviews do not currently take place. Micro Focus did not respond to requests for comment on whether it would allow Russia to do similar source code reviews in the future or whether Micro Focus executives knew of the review prior to the acquisition.
Reporting by Joel Schechtman and Dustin Volz in Washington and Jack Stubbs in Moscow; Editing by Jonathan Weber and Ross Colvin
What in all the fukk????
I see everyone is willing to sell out America.
I see everyone is willing to sell out America.
Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon
WASHINGTON/MOSCOW (Reuters) - Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.
The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.
The Russian review of ArcSight’s source code, the closely guarded internal instructions of the software, was part of HPE’s effort to win the certification required to sell the product to Russia’s public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.
Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.
“It’s a huge security vulnerability,“ said Greg Martin, a former security architect for ArcSight. ”You are definitely giving inner access and potential exploits to an adversary.”
Despite the potential risks to the Pentagon, no one Reuters spoke with was aware of any hacks or cyber espionage that were made possible by the review process.
The ArcSight review took place last year, at a time when Washington was accusing Moscow of an increasing number of cyber attacks against American companies, U.S. politicians and government agencies, including the Pentagon. Russia has repeatedly denied the allegations.
The case highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity while continuing to pursue business with Washington’s adversaries such as Russia and China, say security experts.
‘BACKDOOR VULNERABILITIES’
The review was conducted by Echelon, a company with close ties to the Russian military, on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.
Echelon president and majority owner Alexey Markov said in an email to Reuters that he is required to report any vulnerabilities his team discovers to the Russian government.
But he said he does so only after alerting the software developer of the problem and getting its permission to disclose the vulnerability. Echelon did not provide details about HPE’s source code review, citing a non-disclosure agreement with the company.
FSTEC confirmed Markov’s account, saying in a statement that Russian testing laboratories immediately inform foreign developers if they discover vulnerabilities, before submitting a report to a government “database of information security threats.”
One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that U.S. intelligence services have not placed spy tools in the software.
HPE said no “backdoor vulnerabilities” were discovered in the Russian review. It declined to provide further details.
HPE said it allows Russian government-accredited testing companies to review source code in order to win the Russian defense certifications it needs to sell products to Russia’s public sector.
An HPE spokeswoman said source code reviews are conducted by the Russian testing company at an HPE research and development center outside of Russia, where the software maker closely supervises the process. No code is allowed to leave the premises, and HPE has allowed such reviews in Russia for years, she said.
Those measures ensure “our source code and products are in no way compromised,” she said.
Some security experts say that studying the source code of a product would make it far easier for a reviewer to spot vulnerabilities in the code, even if they did not leave the site with a copy of the code.
In a 2014 research paper, Echelon directors said the company discovered vulnerabilities in 50 percent of the foreign and Russian software it reviewed.
Still, security analysts said the source code review alone, even if it yielded information about vulnerabilities, would not give hackers easy entry into the military systems. To infiltrate military networks, hackers would need to first overcome a number of other security measures, such as firewalls, said Alan Paller, founder of the SANS Institute, which trains cybersecurity analysts
Paller also said HPE’s decision to allow the review was not surprising. If tech companies like HPE want to do business in Russia, ”they don’t really have any choice,” he said.
A general view shows a building, which houses the office of HP Russia, in Moscow. REUTERS/Sergei Karpukhin
HPE declined to disclose the size of its business in Russia, but Russian government tender records show ArcSight is now used by a number of state firms and companies close to the Kremlin, including VTB Bank and the Rossiya Segodnya media group.
Whether the customer is Russia or the United States, overlooked errors in software code can allow foreign governments and hackers to penetrate a user’s computer.
Exploiting vulnerabilities found in ArcSight’s source code could render it incapable of detecting that the military’s network was under attack, said Allen Pomeroy, a former ArcSight employee who helped customers build their cyber defense systems.
“A response to the attack would then be frankly impossible,” Pomeroy said.
The HPE spokeswoman said Reuters’ questions about the potential vulnerabilities were “hypothetical and speculative in nature.”
HPE declined to say whether it told the Pentagon of the Russian review, but said the company “always ensures our clients are kept informed of any developments that may affect them.”
A spokeswoman for the Pentagon’s Defense Information Systems Agency, which maintains the military’s networks, said HPE did not disclose the review to the U.S. agency. Military contracts do not specifically require vendors to divulge whether foreign nations have reviewed source code, the spokeswoman said.
The U.S. military agency itself did not require a source code review before purchasing ArcSight and generally does not place such requirements on tech companies for off-the-shelf software like ArcSight, the Pentagon spokeswoman said. Instead, DISA evaluates the security standards used by the vendors, she said.
‘EVERYONE IS HAPPY’
Echelon operates as an official laboratory and software tester of FSTEC and Russia’s FSB spy agency, according to Russian government registries of testing laboratories and software certifications reviewed by Reuters. U.S. intelligence has accused the FSB of helping mount cyber attacks against the United States and interfering in the 2016 presidential election.
Markov, Echelon’s president, defended the reviews, saying that “if a vulnerability is found, everyone is happy” because the detected flaw means laboratory experts are “able to demonstrate their qualifications” and “the developer is happy that a mistake was detected, since by fixing it the product will become better.”
Russia in recent years has stepped up demands for source code reviews as a requirement for doing business in the country, Reuters reported in June.
A number of international companies, including Cisco Systems Inc, the world’s largest networking gear maker, and German software giant SAP, have agreed to the reviews, though others, including cybersecurity firm Symantec, have refused because of security concerns.
CYBERDEFENSE BULWARK
U.S. government procurement records show ArcSight is used as a key cyberdefense bulwark across much of the U.S. military including the Army, Air Force and Navy. For example, ArcSight is used to guard the Pentagon’s Secret Internet Protocol Router Network (SIPRNet), which is used to exchange classified information, according to military procurement records.
The Pentagon spokeswoman declined to comment on risks posed by specific products to its network but said all software used by DISA is “extensively evaluated for security risks,” and continually monitored once deployed.
Created in 2000 as an independent company, ArcSight broke new ground by allowing large organizations to receive real-time alerts about potential cyber intrusions.
The software draws activity records from servers, firewalls, and individual computers across a network - up to hundreds of thousands per second. The system then searches for suspicious patterns, such as a high number of failed login attempts within a few seconds, and alerts analysts.
A decade later, ArcSight had become “the core” cyber network defense tool the Pentagon’s analysts “rely on to defend DoD networks,” DISA said in a 2011 ArcSight procurement request.
Today ArcSight is a virtually irreplaceable tool for many parts of the U.S. military, at least for the immediate future, Pentagon records show.
“HP ArcSight software and hardware are so embedded,” the Pentagon’s logistics agency wrote in April, that it could not consider other competitors “absent an overhaul of the current IT infrastructure.”
HPE agreed last year to sell ArcSight and other security products to British tech company Micro Focus International Plc in a transaction that was completed in September.
Jason Schmitt, the current head of the ArcSight division, said the product makes up a little less than half of the $800 million in annual revenue Micro Focus expects to get from the security software business purchased from HPE.
Schmitt said he could not comment on any source code review that took place before this year, when he took the job, but stressed such reviews do not currently take place. Micro Focus did not respond to requests for comment on whether it would allow Russia to do similar source code reviews in the future or whether Micro Focus executives knew of the review prior to the acquisition.
Reporting by Joel Schechtman and Dustin Volz in Washington and Jack Stubbs in Moscow; Editing by Jonathan Weber and Ross Colvin
John Reena
Superstar
Please......my nikka.....just post links. Going thru this thread is painful.
Please......my nikka.....just post links. Going thru this thread is painful.
Good luck with that.
Nap's been acting pissy because he thinks reasonable rules on posting tweet threads, gifs, and smileys are "unfair".
GnauzBookOfRhymes
Superstar
Mod-elect @wickedsm has entered the thread
Shhhh. Don't draw attention to me, my nails aren't done and I need my eyebrows attended to also
Shhhh. Don't draw attention to me, my nails aren't done and I need my eyebrows attended to also
I need 100 rep points
88m3
Fast Money & Foreign Objects
Mother Jones
32 mins ·
!!
Documents Reveal Previously Unknown Contacts Between Russia and Trump’s Campaign
MOTHERJONES.COM
uh-oh
32 mins ·
!!
Documents Reveal Previously Unknown Contacts Between Russia and Trump’s Campaign
MOTHERJONES.COM
uh-oh
just a re-hash of the WaPo article on last page.Mother Jones
32 mins ·
!!
Documents Reveal Previously Unknown Contacts Between Russia and Trump’s Campaign
MOTHERJONES.COM
uh-oh
Triipe
All Star
What in all the fukk????
I see everyone is willing to sell out America.
"The Russian review of ArcSight’s source code, the closely guarded internal instructions of the software, was part of HPE’s effort to win the certification required to sell the product to Russia’s public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman."
This is one thing that has been hiding in plain sight. These monsters of the tech industry don't pledge allegiance to the American Flag thats for sure. Between this and several other examples
Mark Zuckerberg's letter annotated: what he said and what he didn't very obvious intention of global expansion
People were warned about this years ago. They didn't care. Tech had the veneer of being this new and cool thing.
Not any more.
Playtime is over. Silicon Valley has to grow up.
B R E A K I N G N E W S
A L E R T
B R E A K I N G N E W S
HERE
WE
GO
AGAINNNNNNN
THERES A THIRD... THIRD... EMAIL ACCOUNT!
A L E R T
B R E A K I N G N E W S
HERE
WE
GO
AGAINNNNNNN
THERES A THIRD... THIRD... EMAIL ACCOUNT!
Hundreds of White House emails sent to third Kushner family account
Hundreds of White House emails sent to third Kushner family account
White House officials are reviewing a third email account associated with Ivanka Trump and Jared Kushner’s private email domain.
JOSH DAWSEY10/02/2017 07:52 PM EDT
White House officials have begun examining emails associated with a third and previously unreported email account on Jared Kushner and Ivanka Trump’s private domain, according to three people familiar with the matter.
Hundreds of emails have been sent since January from White House addresses to accounts on the Kushner family domain, these people said. Many of those emails went not to Kushner’s or Ivanka Trump’s personal addresses but to an account they both had access to and shared with their personal household staff for family scheduling.
The emails—which include non-public travel documents, internal schedules and some official White House materials—were in many cases sent from Ivanka Trump, her assistant Bridges Lamar and others who work with the couple in the White House. The emails to the third account were largely sent from White House accounts but occasionally came from other private accounts, one of these people said.
The existence of additional accounts on the family domain beyond the two personal accounts used by Kushner and Ivanka Trump and reported earlier raises new questions about the extent of personal email use by the couple during their time as White House aides. Their use of private email accounts for White House business also raises concerns about the security of potentially sensitive government documents which have been forwarded to private accounts.
The family has declined to say what privacy measures have been placed on the domain, but a person familiar with the set-up said some security measures were taken when it was installed.
Many of the emails came from Ivanka Trump’s assistant and included work-related “data,” according to a person familiar with the exchanges. Such messages were sent “daily,” this person added.
“They’ve pretty much been using it since they got here,” this person said.
Kushner set up the new personal domain in December, ijkfamily.com, as he was preparing to accept a senior adviser role in President Donald Trump’s administration. Ivanka Trump joined the administration in March but was given a government-secured email device prior to becoming a government employee.
POLITICO reported in September that Kushner and Ivanka Trump used their personal emails to conduct some government business. Other current or former White House officials have also used personal email accounts or encrypted messaging apps that can be set to automatically delete communications for official matters. The White House is reviewing the use of personal email addresses by administration officials.
A representative for the family said Ivanka Trump has been careful about keeping her personal life separate from her work.
“Her White House assistant did not and does not work on these matters,” the representative said. “Her personal and work obligations, schedule, travel arrangements and contacts were and are coordinated in accordance with this separation, as she was advised to do.”
The representative added that Ivanka Trump’s emails have been preserved on the White House email system. “The extent of this coordination illustrates both full transparency and a desired separation between her work and personal functions,” this person said.
A White House spokesman said staff have been told to comply with the Presidential Records Act and “applicable guidelines for work-related communications.”
“In light of recent congressional inquiries, we have briefed staff on the need to preserve records and are working to ensure compliance,” the spokesman said.
Kushner’s lawyer Abbe Lowell said his client “uses his White House email address to conduct White House business” and that Kushner exchanged fewer than 100 emails with White House colleagues through the personal account. In most cases, those exchanges were initiated by the other party sending a message to Kushner’s private account, Lowell said.
Kushner forwarded such messages to his official White House email account to comply with the Presidential Records Act, which mandates that documents about White House activities be preserved, according to Lowell.
The blurring of lines between personal and professional communications isn’t unique to the Kushners, but the use of personal email accounts creates a security risk, White House officials and experts say.
“Everyone uses private email, no one thinks about security, and that’s why it keeps happening,” said James A. Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies. “Even if there’s not any classified information sent, that doesn’t mean the information wasn’t sensitive.”
Kushner’s activities have been put under a microscope during the ongoing investigation into Russian meddling in the 2016 election. That probe, run by FBI special prosecutor Robert Mueller, is further reviewing possible obstruction of justice by the president and White House officials since the inauguration.
The revelations about the Kushner family email domain have drawn parallels to Democratic presidential nominee Hillary Clinton’s use of a private email server for official business during her tenure as Secretary of State. Clinton’s emails were a major point of contention during the 2016 election. President Trump criticized Clinton’s email habits and frequently called for Clinton’s arrest on the campaign trail, leading crowds at rallies in chants of “lock her up,” and urged the Justice Department to re-open the investigation into her emails.
Clinton called the private email use by White House staffers the “height of hypocrisy” during an interview last week with SiriusXM.
Many details about the ijkfamily.com email domain remain unclear, including what type of security protections are in place.
The accounts would have been more secure if they relied on commercial email providers rather than a private server, some experts say. “If you’re using a commercial email service provider, you’re really reducing the risk,” according to Lewis, because the major tech companies that run platforms like Gmail and Outlook typically have robust security teams. “If you’re doing your own email, it gets to be a lot easier [to hack],” he added.
White House press secretary Sarah Huckabee Sanders said last week that White House staff had been told to stick to their government email accounts. “All White House personnel have been instructed to use official email to conduct all government related work,” Sanders said. “They are further instructed that if they receive work-related communication on personal accounts, they should be forwarded to official email accounts.”
House Oversight and Government Reform Committee chair Rep. Trey Gowdy (R-S.C.), and ranking member Rep. Elijah Cummings (D-Maryland) sent a letter to White House counsel last week requesting more information about the use of private email addresses by White House staff.
“With numerous public revelations of senior executive branch employees deliberately trying to
circumvent these laws by using personal, private, or alias email addresses to conduct official
government business, the Committee has aimed to use its oversight and investigative resources
to prevent and deter misuse of private forms of written communication,” the pair wrote.
Cummings and the previous chair, then-Rep. Jason Chaffetz (R-Utah), sent a similar letter in March after reports that White House staffers used encrypted or disappearing messaging apps.
Concerns about how the White House should preserve electronic records like emails far pre-date the Trump administration. Some 22 million White House emails stored on private email servers hosted by the Republican National Committee during President George W. Bush’s administration were subsequently deleted, impeding a later investigation into politically motivated firings of U.S. attorneys.
This article was reported in coordination with the Project On Government Oversight, a nonprofit investigative watchdog organization.
POLITICO Playbook and get the latest news, every morning — in your inbox.
Show Comments
@DonKnock @SJUGrad13 @88m3 @Menelik II @wire28 @smitty22 @Reality @fact @Hood Critic @ExodusNirvana @Blessed Is the Man @THE MACHINE @OneManGang @dtownreppin214 @JKFrazier @tmonster @blotter @BigMoneyGrip @Soymuscle Mike @Grano-Grano @.r.