Posts

Indicators of a Chinese Front Company

Some stream-of-consciousness thoughts. Please remember that any single indicator taken alone will sound ridiculous. Use the list together:

- "Ltd" in the name, or even better "Co Ltd". I am starting to see a preference for LLC now, although humorously it tends to be overly aggressive...such as L.L.C. I assume they will eventually get it right...
- Any domain or subdomain being hosted on Hetzner, Psychz, Joes Datacenter, Incapsula, Imperva, GlobalFrag, LeaseWeb, Liquid Web, Mimecast, etc. (will produce a full list some day)
- Sky or Labs or Dragon or Oasis is in the name.
- The contact email address is slightly different from the web address...e.g. website.com and then sales@website.io
- Can you actually buy their services? Or are they like http://dcsmanage.com
- When you call the number late at night, does someone always answer, even for a business that is clearly non-24/7 like gardening supplies?
- Are they in marketing, analytics, or just the "immense data gathering" business?
- Are they in the…

Granicus Essay 5 - New Dream Network

Originally this post was going to be a cautiously updated account of me uploading a Lambda function to one of the major cloud providers that would aggressively alter (and likely not for the better) the database server cluster Granicus left open. After calling my congressman, NIST, State of Texas DIR, 2 media outlets, and tweeting at them 3 times over the previous 3 months I do have to acknowledge it was finally fixed without further fuss.

That being said I thought my actions were a respectful way to balance following the law, exploiting the doctrine of prior restraint, and just getting a company (they all think they are invincible today) to ACT.

I end this small last post with a screenshot from the Elasticsearch documentation. You can see the big warning for anyone wanting to look at version 0.90+ of the ES reference material. Today the latest version of Elasticsearch is 7.6.

0.90 hasn't been updated in almost 7 years, and it was this exact version, or more precisely 0.90.13, that…

Granicus Essay 4 - ArchonDev

Q&A: You've been posting a lot about this firm Granicus. I assume they've left a lot of data exposed. I also assume this exposure is important. Yes and yes. Granicus delivers an enormous amount of software / IT services / hosting infrastructure to governments in the United States and the United Kingdom. Also, due to their private equity owner and some mergers that happened a few years ago, they aren't just Granicus. They are GovDelivery, GovLoop, GovInteract, and Acquia, to name a few. Acquia supports Drupal, by the way, which is very similar to WordPress. Whitehouse.gov runs on Drupal, for instance. As for GovInteract, these people run part of the national Emergency Alert System for FEMA and the Department of Homeland Security. This is serious stuff.

Ok so they're important and a major data leak or breach or whatever you're calling it would be bad. But isn't all government IT bad anyway? Also, does this data even impact the sensitive parts you mentioned like…

Granicus Essay 3 - Etheric Networks

I. Democratic Faith

Democracy tests. The entire system reminds one of a quote I've heard used to describe Wikipedia in the platform's early days..."something that doesn't work in theory but performs quite well in practice".

Democracy performs what seems to be incredible acts of incompetence, sleepwalking from crisis to crisis, or going-in-circles behavior. This is less frustrating if it is viewed instead as a complex set of historical and social forces that simply aren't that well understood, yet seem to be indispensable to long term functioning democracies.

Peter Turchin has written some about this, and I will quickly cover some of his theories here. Authoritarian governments are renowned for their swiftness and the demanding pace that their institutions seem to work at. Their ability to seize the future and build the dreams of tomorrow has always captured the imagination. Fascism has been associated with a sort of elan, innovation, and theatrical fla…

Granicus Essay 2 - ASN 26658

I don't have easy adjectives or metaphors to draw on for the state of Granicus's cybersecurity. The Federal government is an entity I have an enormous amount of respect for, and the challenges it goes through every day trying to keep a country of 330 million running while still adhering to the principles of democracy are nothing to be laughed at.

A few things:

- They are in violation of many different parts of FedRAMP. This is a *big* deal.
  NOTE: I talked briefly with the CISO, who told me only Communication Cloud falls within FedRAMP. If that is true, I would say then my original statement was incorrect. For accuracy and fairness to all parties I will still preserve it here.
- They are in violation of TAC-202 in the State of Texas, even if analyzed from the lowest priority level. This standard was always notoriously "chillax", but they still fail to meet parts of it.
- Bob Ainsbury has appeared to lie (said something that wasn't true and likely was known by the person not t…

Granicus Essay 1 - Floor.Senate.Gov

Back in November I tweeted about how terrible Granicus and their security was. This of course followed weeks of trying to reach out.

NOV 27 2019 - https://twitter.com/danehrlich11/status/1199928987541225472
JAN 11 2020 - https://twitter.com/danehrlich11/status/1215969291943673857
FEB 6 2020 - https://twitter.com/danehrlich11/status/1225411873534881793

I've even talked to their very nice CISO on Twitter.

I have no idea what to make of this organization. They are responsible for so much of so great importance (the national 911 system, the website for the US Senate, etc), that this is pretty concerning. Below is a screenshot from one of their open Jenkins servers. There were multiple.

I will show later how you could have changed content or swapped out links on pages such as https://senate.gov that I mentioned above:

The Internet Within The Internet

From Beijing to Berlin to Cairo to Boston runs a secret internet. Operating through front companies, dummy ASNs, and acquired hosting companies, this "internetwork" grows larger day by day. Its purpose is two-fold. First: to slowly outacquire, outmaneuver, and outflank Western-aligned countries in the battle for internet control. Second: to grow the surveillance powers and data storage of the organizations in charge of running it.

Unbeknownst to most Americans, companies selling databases that promise info on every person on Facebook, all of the private messages sent on Twitter in say the last two weeks, or the military deployment records of everyone in the Army, have existed for some time now.

Here you can see something called the Distributed Data Acquisition System. I have it in both the original Chinese and an English translation.

The below screenshots come from yet another company, this time using the very information social media encourages us to collect …