
posted by Fnord666 on Wednesday October 04 2017, @09:48PM   Printer-friendly
from the more-eyes-the-better? dept.

Arthur T Knackerbracket has found the following story:

Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.

The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.

The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of HPE's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.

Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.

"It's a huge security vulnerability," said Greg Martin, a former security architect for ArcSight. "You are definitely giving inner access and potential exploits to an adversary."

Despite the potential risks to the Pentagon, no one Reuters spoke with was aware of any hacks or cyber espionage that were made possible by the review process.

[...] The HPE spokeswoman said Reuters' questions about the potential vulnerabilities were "hypothetical and speculative in nature."

HPE declined to say whether it told the Pentagon of the Russian review, but said the company "always ensures our clients are kept informed of any developments that may affect them."

-- submitted from IRC


  • (Score: 5, Informative) by frojack on Wednesday October 04 2017, @11:10PM (3 children)

    by frojack (1554) on Wednesday October 04 2017, @11:10PM (#577225) Journal

    It's a commercial off-the-shelf [microfocus.com] product, for Pete's sake!

    ArcSight is also widely used in the private sector.

    If you were a large organization, contemplating deployment on hundreds of thousands of machines you'd demand to look at the source code too.
    Kaspersky even preemptively offered the same to the US Government [theregister.co.uk].

    Should Cummins refuse to sell engine manuals for their 6.7L Turbo Diesel Engine to any Russian customers simply because that engine is used in some MRAP versions of the Army Humvee?

    If it was so secret, why did the US government not block the sale of HP Enterprise to a Foreign Company (MicroFocus)?

    This is a story made up of nothing.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 2) by BenJeremy on Thursday October 05 2017, @11:46AM (2 children)

    by BenJeremy (6392) on Thursday October 05 2017, @11:46AM (#577410)

    This is a story made up of nothing.

    Not really. The problem is that this is a closed source application and the implications are that any potential exploits found in the examination by Russian Intelligence would not be shared with HP - it would be further exploited. HP essentially made the job easier for Russian government hackers to undermine our defense department's cybersecurity.

    Open source, of course, mitigates this issue because it would be examined by security researchers who would document and, hopefully, fix any potential exploits.

    Being closed source, therefore, it relies on security by obscurity, which as poor as that is, becomes pointless when you expose the source code to foreign agents.

    If you believe nobody in the Russian government was tasked with finding security holes to exploit against America's interest, then I have some prime tropical resort property to sell you in Siberia, comrade.

    /Disclaimer: I worked for HP on a government contract for ten years in a previous professional life

    • (Score: 2) by ledow on Thursday October 05 2017, @12:14PM (1 child)

      by ledow (5567) on Thursday October 05 2017, @12:14PM (#577414) Homepage

      Microsoft has offered Windows source code to just about every country, including Russia and China, under a lovely license agreement specifically for such purposes. So has just about every major software manufacturer in the world. Unless there's an embargo (and referring to Russia as an "adversary" is unusual wording in this day and age), there's nothing stopping those companies selling to foreign governments, which often requires such code inspection.

      Where were you to pipe up about that?

      This happens all the time. No idiot, not even the US, uses a piece of foreign software in military applications or even close to anything important without reviewing the code first.

      The choice is "Don't sell the software to foreign governments (even allies)" or "Let them see the source code". The first would create a market with a US-only vendor supplying all government contracts with no external independent review or revenue outside the country of origin. It's like saying "American guns should only work in America" - bye bye all those cushy arms deals (and, no, I'm totally anti-gun anyway). It's also a security monoculture which will weaken everyone.

      If you don't want the Russians to break the software, don't allow them access to it. At all. Ever. Source or not. You can run all kinds of fuzz-testing against even a closed-source binary, and technically if it was a worthwhile target you could reverse engineer it back to source anyway. It's just hard, not impossible. In fact, people tend to find more holes that way based on things like compiler assumptions, dead code that can be jumped to, etc. than looking at the source. It's just slightly more difficult, that's all.

      • (Score: 2) by ledow on Thursday October 05 2017, @12:16PM

        by ledow (5567) on Thursday October 05 2017, @12:16PM (#577415) Homepage

        Source:

        https://www.ecommercetimes.com/story/31237.html [ecommercetimes.com]

        "Microsoft has revealed portions of its Windows source code to a dozen foreign governments as part of its Government Security Program Initiative"
        "Entities already associated with the program include NATO, Austria, China, Finland, Norway, Russia, Taiwan, Turkey and the United Kingdom."

        Article date: 2003.

        Welcome to 14 years ago.