27 comments

[ 3.1 ms ] story [ 72.3 ms ] thread
> January 2021 disclosure by James C. Duff, who at the time served as secretary of the Judicial Conference of the United States, of "an apparent compromise" of confidentiality in the Judiciary's Case Management/Electronic Case Files system (CM/ECF).

Not to minimize this at all, but FYI the attack happened more than a year ago. I’m sure the fallout will be long and diffuse, assuming it was a state actor operating strategically, not just looking to make some money on the dark web.

There’s pretty immediate value in sealed records for blackmail purposes, though, so it could have just been non-state actors.
Nah, I think it's a state actor. Very obvious strategic move in line with a lot of other forms of attack underway. Of course they managed such an attack: it's really critical support of other stuff going on, a necessary component.

In retrospect we'll chalk this time up not as a messy time of great chaos, but as an unprecedented form of world war that's killed more people than all previous wars combined, and done more damage than any other war. Yet it's all cloaked in fog, incognito. Hell of a time to live through.

The article says the sealed records contained a lot of national intelligence information. I think that’s more interesting to state actors than individuals who want to sell it.
> sophisticated cyber security breach

Like an unpatched Windows XP machine?

Could be phishing as well
I mean, it’s possible, but I see no reason to assume that.

The article mentions files related to national security, so this isn’t your local school board. I’d expect they have at least decent security protocols in place.

> I’d expect they have at least decent security protocols in place.

Don't expect too much from the government :)

There's a reason the most sophisticated attacks usually come from "state actors".
The U.S. government actually provides a lot of really awesome free security resources and I believe they implement a lot of security measures. One of my favorite security resource provided by the govt. is STIG[1]. If you take your time to implement the measures outlined in STIG in your network it would be EXTREMELY difficult (in my opinion) to break into your network/devices without a zero-day or other undiscovered exploit.

I have not worked for the govt, so I do not have a first-party understanding. And I doubt any entity is impervious to simple/well-known attack vectors (such as EternalBlue) but my experience with STIG as a security engineer has always left me really impressed with the level of research and suggestions the government provides to the public -- for free.

[1] https://public.cyber.mil/stigs/

They also do this while other parts of the government have their budgets gutted. How do they pay IT to implement security?
Fair enough, I don't really have first-hand experience with government IT positions so I don't have much to add with how the government implements security.
Parts of the government related to national security are pretty well funded.
But why are sealed files on the network?
I imagine so people that should have access (like prosecutors) can get to them without visiting the court house (and potentially requesting copies of the original)
I would have expected that a strong, physical audit trail would be a highly desirable thing.

That said, I have no idea what the transaction volume is like here. My experience of TV crime investigation tells me these are rare occurrences, under warrant.

Sealed files don't require warrants they are just court records that aren't publicly accessible. My understanding is motions (appeals or some other proceeding?) can be filed by a defendent (if that's the right term) and prosecution has a limited time frame to respond. Defense lawyers will just file bogus motions hoping a deadline is missed and they can move things further along. When that happens, it makes even more work for prosecutors which eats up time they could be spending building cases
The "seal" is a Legal construct not a engineering/technical one.
And before it was a digital version, a sealed file would be removed from the general filing system, kept under lock and key.

They seem to have forgotten basic security principles.

Have you personally inspected those facilities, or in other words: on what do you base this generalized conjecture?
The same reason, in a health care context, that confidential patient data is: so that it an actually be worked with.
So that it can be conveniently shared. I know "it's not supposed to be shared". Right? But that's policy, if a judge says "make it so" they'd have to. Right?
Right? Every time I use PACER to look stuff up and I notice sealed-files in the docket, I think to myself, "PACER strikes me as very clunkily coded, and web programming is almost impossible to secure fully; apparently all that secures these files is simply the web app, they are foolish enough to commingle it all and count on access control denying the default of public access instead of storing them separately; I realize this is far more convenient than being offline or in separate systems entirely, but how has this not been hacked yet and all the sealed files exfiltrated?" Guess this answers that.
True story...

These people (https://www.nisc.coop/) make (and operate) software which is used by lots of infrastructury / governmenty organizations. (I leave the osint to you.)

My cable company leases fiber from the city. The city built out the fiber because SCADA; they used to run the cable company.

The city utility department uses SSNs as a PIN for customer accounts. Wouldn't let me change it. I eventually complained to the State Attorney General. Then they relented and let me set a PIN.

It's not that they have good practices around any of this. The "app" they use to verify your PIN *shows them the PIN* or SSN. They justify this because their employees pass background checks.

I'm sorry, I imagine that seems like a digression. So, back to the cable company.

The cable company uses a version of NISC's software which *stores passwords in a retrievable format* and displays them for their customer service personnel. They justify this because their employees pass background checks.

Welcome to 2022.

SolarWinds attack hit many branches including the Nuclear Agency.

I wonder how plausible it is that SolarWinds served as the attach vector for this different type of breach?