MS, the present attack on central MS systems – and the Bundeswehr

Some days ago I set up a list of questions regarding the Bundeswehr Leak of last week. During my discussion I touched the question that the BWI had praised its rollout of MS-based email-systems and Sharepoint platforms in large scale within the BW after Oct., 2021. Ironically I asked the question how the CCC would comment on this implementation of “notoriously insecure systems”.

Well, we do not need to ask the CCC any more. Yesterday, MS itself and the press informed the public once again that central key systems of Microsoft in the US are under attack. Probably a Russian hacker group is responsible. Actually, the present hacker activities continue and escalate an attack that already started in November 2023. It seems to be a fact that information gathered from core and central email systems is now abused systematically. Apparently, these emails have been stolen from executives and security staff. See also the article in the Washington Post about this topic.

You find more information at the following resources:

https://edition.cnn.com/ 2024/03/08/ tech/ microsoft-russia-hack/ index.html

https://abcnews.go.com/ International/ microsoft-russian-state-backed-hack-update/story ?id=107927553

https://www.reuters.com/ technology/ cybersecurity/ microsoft-says-cyber-threat-actor-has-been-able-access-internal-systems-2024-03-08/

https://www.washingtonpost.com/ technology/ 2024/03/08/ microsoft-hack-email-russia/

I hope that responsible managers at the BMVg or BWI read some of these information channels, too. And take notice of the comments of security officers of Sentinel One and CrowdStrike cited in the articles. And afterward reevaluate whether the broad rollout of MS-systems in the Bundeswehr really is a success story.

 

More fun with veth and Linux network namespaces – V – link two L2-segments of the same IP-subnet by a routing network namespace

During the last two posts of this series

More fun with veth and Linux network namespace – IV – L2-segments, same IP-subnet, ARP and routes

More fun with veth and Linux network namespace – III – L2-segments of the same IP-subnet and routes in coupling network namespaces

we have studied a Linux network namespace with two attached L2-segments. All IPs were members of one and the same IP-subnet. Forwarding and Proxy ARP had been deactivated in this namespace.

So far, we have understood that routes have a decisive impact on the choice of the destination segment when ICMP- and ARP-requests are sent from a network namespace with multiple NICs – independent of forwarding being enabled or not. Insufficiently detailed routes can lead to problems and asymmetric arrival of replies from the segments – already on the ARP-level!

The obvious impact of routes on ARP-requests in our special scenario has surprised at least some readers, but I think remaining open questions have been answered in detail by the experiments discussed in the preceding post. We can now move on, on sufficiently solid ground.

We have also seen that even with detailed routes ARP- and ICMP-traffic paths to and from the L2-segments remain separated in our scenario (see the graphics below). The reason, of course, was that we had deactivated forwarding in the coupling namespace.

In this post we will study what happens when we activate forwarding. We will watch results of experiments both on the ICMP- and the ARP-level. Our objective is to link our otherwise separate L2-segments (with all their IPs in the same IP-subnet) seamlessly by a forwarding network namespace – and thus form some kind of larger segment. And we will test in what way Proxy ARP will help us to achieve this objective.

Not just fun …

Now, you could argue that no reasonable admin would link two virtual segments with IPs in the same IP-subnet by a routing namespace. One would use a virtual bridge. First answer: We perform virtual network experiments here for fun … Second answer: Its not just fun ..

Our eventual objective is the configuration of virtual VLAN configurations and related security measures. Of particular interest are routing namespaces where two tagging VLANs terminate and communicate with a third LAN-segment, the latter leading to an Internet connection. The present experiments with standard segments are only a first step in this direction.

When we imagine a replacement of the standard segments by tagged VLAN segments we already get the impression that we could use a common namespace for the administration of VLANs without accidentally mixing or transferring ICMP- and ARP-traffic between the VLANs. But the results in the last two previous posts also gave us a clear warning to distinguish carefully between routing and forwarding in namespaces.

The modified scenario – linking two L2-segments by a forwarding namespace

Let us have a look at a sketch of our scenario first:

We see our segments S1 and S2 again. All IPs are memebers of 192.168.5.0/24. The segments are attached to a common network namespace netnsR. The difference to previous scenarios in this post series lies in the activated forwarding and the definition of detailed routes in netnsR for the NICs with IPs of the same C-class IP-subnet.

Our experiments below will look at the effect of default gateway definitions and at the requirement of detailed routes in the L2-segments’ namespaces. In addition we will also test in what way enabling Proxy ARP in netnsR can help to achieve seamless segment coupling in an efficient centralized way.

Continue reading

After the Bundeswehr Leak and the explanation of the Minister of Defense – some more questions …

Today I heard the explanation of the German Minister of Defense regarding the probable cause of the leak of last Friday. What I understood was:

  • WebEx is hosted in a special variant (WebEx BWI) on servers of the Bundeswehr.
  • Clear rules are in place, but were not followed. One participant attended the WebEx session via telephone.
  • Systems were not compromised.

Are these explanations sufficient? Do they cover all concerns described in my previous post
“Some simple questions after the Bundeswehr Leak …”
on this topic?

In my opinion some questions remained open:

  • Why and by whom was the WebEx session set up such that a participant could access it via telephone at all? With a zero-trust and MLS-based session this should have been excluded …
  • Did the participants get an invitation with an option that offered an access to the session via telephone? If yes: Who sent this information via which channels? Is it excluded that already the invitation was accessible to foreign powers?
  • Why did nobody check by which devices and communication channels the participants were attending the session? At the beginning and during the session? Why did a log- and intrusion system not react?
  • Why did none of the other participants react to the fact that the poor guy in Singapore talked over telephone? Despite the clear rules in place …
  • How did the eavesdropping happen? Were the telephone lines of the hotel tapped? Or did the participant use a wireless headset with Bluetooth?

So, if it was a human failure it may have happened due to mistakes and unawareness on multiple sides – on the side of IT-administrators responsible for the session setup, on the side of the person which sent the respective invitation, on the side of the participant who did not use a BWI- or SINA-device to access the session.

Well, and I would say that when a session running through servers of the Bundeswehr was overheard by Russia, at least the session was compromised. And if someone can access an audio-session, which is enabled by and via a Bundeswehr server and which is intended to be secure, via an open telephone line then something is severely wrong in the overall security measures.

So, my dear Minister, as a concerned citizen I still do not sleep well. More explanations have to follow …