THE GLOBAL IT OUTAGE YOU WITNESSED WAS NOT AN ACCIDENT!
@eh_den
X / Twitter
Sat, 20 Jul 2024
IMPORTANT! The purpose of this thread is to explain to non-IT and non-information/cyber-security professionals why I believe the outage you are seeing around the world due to the update from #Crowdstrike is not an accident.
Before we begin – introduction. Hi everyone. My name is Ehden Biber. I’m known as the person behind #PfizerLeak, and most of my writing here on X/Twitter has been on ph@rma related topics. HOWEVER, my professional work has been information security and cybersecurity.
My credentials include:
· Head of information security in Metro Bank (UK).
· Merck/MSD Information security office for Europe, Middle East and Africa (EMEA).
· Consultant to insurance and financial institutes.
The opinion you are about to read is based on YEARS of experience.
Let’s start with what we have – a HUGE number of systems around the world have crashed because of the deployment of an update to software that was installed on them, which came from a company called Crowdstrike, making them display the infamous Blue Screen of Death (BSoD).
How can software kill your computer? Simple: most software runs in a restricted mode, meaning the system allows it to run in an environment on your computer while restricting its access to the real resources of the computer. There are, however, some exceptions.
Drivers are a type of software that runs in a highly unrestricted mode. They need to, because drivers, for example for your screen display, need to have access to the hardware to operate correctly.
Antimalware/antivirus/antispyware also run in such a way. Why? Because they need to inspect other software on your computer, and thus they run in what is known as privileged mode. If code that runs in privileged mode is not written correctly, it can crash your computer.
Since the threats to a modern computer which is connected to the internet are constantly evolving, modern antimalware/antivirus/antispyware manufacturers needed to develop a mechanism that allows them to develop, TEST, and distribute such code, which brings us to DevOps.
DevOps is a set of practices, tools, and cultural philosophies that aim to automate and integrate the processes of software development (Dev) and IT operations (Ops). Its primary goal is to shorten the systems development lifecycle and provide continuous delivery w/high quality.
In traditional software development methods, any update which is being released must be tested by a Quality Assurance (QA) team, and then, after the QA team submits its results, they are reviewed by a change management committee, which decides whether to deploy the update.
DevOps is an attempt to industrialize and automate the process using technology, so that rapid changes can be developed and installed, and a whole set of platforms have been developed over the years to allow such a thing to occur, which brings us to SecOps.
ALL software can lead to unwanted results: issues related to the confidentiality, integrity, availability, or authenticity of information. Thus, the role of security is to manage these risks. In parallel to the development of DevOps, a new approach to security was formed.
SecOps, or Security Operations, is a discipline within information security that focuses on maintaining and improving the security posture of an organization through continuous monitoring, proactive threat hunting, incident response, and security infrastructure management.
DevOps aims to streamline & accelerate the software development lifecycle (SDLC) by fostering development (Dev) & operations (Ops) teams’ collaboration. SecOps aims to integrate security practices into IT operations, ensuring security is maintained throughout the IT lifecycle.
BACK TO CROWDSTRIKE.
Let’s focus on a cybersecurity company that has a product that protects computers. What does security look like in a modern software company? Multiple technologies are being used to automate what in the past took A LOT of time and effort.
Let’s say a new threat has been discovered: a script was identified as having the capacity (if run on someone’s computer) to gain administrative rights, download and install malicious code from the internet, and allow an attacker to gain control over your computer.
If your company is in the business of protecting systems, you want to make sure that the computers which use your code to protect their assets will not be vulnerable to that threat. How would you do it in a way that would be efficient? You write code that identifies the script!
In a DevOps/SecOps environment you submit that update (change), and it passes through an automated process that checks the quality of the change. What does that mean? The automated process takes your code and runs it to validate that it works correctly!
How do you check such code? You run the update on MULTIPLE systems and based on the results you decide if it works or not!
In other words: you run your update vs A LOT of systems which have your software deployed on, AND YOU TEST YOUR CODE DOES NOT BREAK THE SYSTEM!
Obviously, you will check for more things, but this is THE MOST BASIC THING YOU DO, ESPECIALLY WHEN YOUR CODE IS RUNNING AS A DRIVER ON A COMPUTER SYSTEM!
After your code is tested, you add another layer of protection by performing something called signing your code (or change).
What is signing? Signing is part of cryptography, which is the practice and study of techniques for securing communication and information from adversaries. A digital signature provides authenticity the same way your handwritten signature is used as proof of your authenticity.
Since you do not want your software update mechanism to be hijacked by adversaries (threat agents), you use something called a digital signature to make sure that it will ONLY update code that was signed by your company, and you protect the method of signing!
THIS IS HOW EVERY MODERN COMPANY IN THE WORLD THAT DEVELOPS CODE, ESPECIALLY IN THE DOMAIN OF SECURITY, WOULD ACT.
In most cases this is an automated process that takes place after the results of the Quality Assurance process were successful.
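The two steps described above (run the update on a canary fleet and refuse to ship it if any host crashes, then sign only what passed, with endpoints installing only what verifies under the vendor's key) look like this in code. This is an added example, not code from the original thread and not Crowdstrike's pipeline; `ReleaseGate`, `Endpoint`, the `CanaryResult` report and the update payload are all hypothetical names and constructed data, and Ed25519 from Go's standard library stands in for whatever signature scheme a real vendor uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// CanaryResult is the report from one test host after it loaded the update.
// Constructed sample values, not telemetry from any real product.
type CanaryResult struct {
	Host    string
	Crashed bool // true if the host blue-screened after loading the update
}

// ReleaseGate is the hypothetical automated step that sits between QA and
// distribution. It holds the one private key the vendor must protect.
type ReleaseGate struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // shipped to every endpoint together with the agent
}

func NewReleaseGate() (*ReleaseGate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ReleaseGate{priv: priv, Pub: pub}, nil
}

var ErrCanaryCrashed = errors.New("a canary host crashed; refusing to sign")
var ErrNoCanaryRun = errors.New("no canary results; refusing to sign an untested update")

// Sign produces a signature for the update only if QA passed, where "passed"
// means every canary host loaded the update without crashing.
func (g *ReleaseGate) Sign(update []byte, results []CanaryResult) ([]byte, error) {
	if len(results) == 0 {
		return nil, ErrNoCanaryRun
	}
	for _, r := range results {
		if r.Crashed {
			return nil, fmt.Errorf("%w (host %s)", ErrCanaryCrashed, r.Host)
		}
	}
	return ed25519.Sign(g.priv, update), nil
}

// Endpoint models the agent on a customer machine. It never sees the private key.
type Endpoint struct {
	VendorPub ed25519.PublicKey
}

// Apply accepts an update only when the signature verifies under the vendor key,
// so a modified, unsigned or foreign-signed update is rejected before it reaches
// the privileged component.
func (e *Endpoint) Apply(update, sig []byte) error {
	if !ed25519.Verify(e.VendorPub, update, sig) {
		return errors.New("signature invalid; update rejected")
	}
	return nil
}

func main() {
	gate, err := NewReleaseGate()
	if err != nil {
		panic(err)
	}
	update := []byte("sensor-content-update-0001") // constructed placeholder payload

	// Canary fleet where one host crashed: the gate refuses to sign.
	bad := []CanaryResult{{Host: "canary-01", Crashed: false}, {Host: "canary-02", Crashed: true}}
	if _, err := gate.Sign(update, bad); err != nil {
		fmt.Println("blocked:", err)
	}

	// Clean canary run: the update is signed and the endpoint accepts it.
	good := []CanaryResult{{Host: "canary-01", Crashed: false}, {Host: "canary-02", Crashed: false}}
	sig, err := gate.Sign(update, good)
	if err != nil {
		panic(err)
	}
	ep := &Endpoint{VendorPub: gate.Pub}
	fmt.Println("genuine update accepted:", ep.Apply(update, sig) == nil)

	// The same signature over a tampered payload: the endpoint rejects it.
	tampered := append([]byte{}, update...)
	tampered[0] ^= 0xff
	fmt.Println("tampered update accepted:", ep.Apply(tampered, sig) == nil)
}
```

The point of keeping the signing step behind the canary check is that the signature is only as meaningful as the gate in front of it: an endpoint can prove the update came from the vendor's key, but it cannot tell whether anyone actually ran the update on a test host first. That is why the gate refuses to sign on an empty canary run, not only on a crash.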
Which brings us back to Crowdstrike!
THERE IS NO WAY ON EARTH THAT THIS UPDATE FROM CROWDSTRIKE HAS PASSED QUALITY ASSURANCE TESTS, AND THERE IS NO WAY ON EARTH SUCH BAD CODE, WHICH MUST HAVE CRASHED SO MANY SYSTEMS IN THE QA PHASE, WOULD HAVE BEEN SIGNED … UNLESS SOMEONE WANTED TO KILL A LOT OF SYSTEMS AND DO IT FAST!
Why would anyone want to cause such an outbreak across so many computer systems? BECAUSE WHEN A COMPUTER SYSTEM CRASHES, IT CAN LEAD TO LOSS OF DATA. Who would want data/information to be lost? People who want to hide things they did. Who wants to hide things they did? CRIMINALS!
Can you think of ANY criminal activity that took place in the last week which was SO BIG that it could have altered the fate of the world? I’M SURE YOU CAN!
So, if you were behind this criminal activity, and needed to erase evidence, WHAT COULD YOU DO?
THE ANSWER IS ABOVE!
To those who ask: what would they achieve by crashing the systems, and how can they delete evidence? Here’s a plausible explanation:
Ehden (#PfizerLeak/#MonkeyBusiness/#COptiGate)
Possible objectives of the threat agent: 1) Cause system crash that leads to systems restorations from a state BEFORE the attempt on Donald Trump. 2) You must enter safe mode in order to delete the faulty update. In safe mode data and logging records can be manipulated & erased.
Crowdstrike was established in 2011. Over the years I’ve attended many, MANY talks by people who work in the company and are considered subject matter experts in their field of cybersecurity. The notion that this company f***ed up by mistake is simply an insult. NO WAY!
IF threat agents conspired to kill a US president, and just a few days later another unimaginable security event occurs, since digital data represents a large part of the data generated in the world, don’t you find it HIGHLY PLAUSIBLE that these two are related?
We leave digital traces everywhere, and since the picture that came from the crime scene does not make sense, we must take into account that the most plausible action these threat actors would take is to make these traces disappear.
This is the reality we live in right now.
My purpose in writing this thread is to try to help people grasp the reality we live in. All technologies are a double-edged sword. They can bring good into our lives, and if used against us can drag us to the pit of endless despair. It’s all up to us. Trust god, serve truth w/love.
I’M NOT INTO CONSPIRACIES. I’M INTO COINCIDENCES. When two events which are considered highly unlikely take place one after another, I find great interest in this coincidence, as I find great interest in evaluating what the possibility is that it was not a coincidence. Here? HIGH.