# BlackBerry uncovers China-backed hacking campaign



## RackMaster (Apr 8, 2020)

Speaking of China. 



> BlackBerry Ltd. says its researchers have uncovered how China-backed hackers have been able to extract data from many of the world's servers for a decade -- largely without being noticed by cyber security.  It says the tactics give the hackers the ability to extract information from huge amounts of valuable data from computers using the Linux operating system, which is used on most of the world's web servers and cloud servers.



BlackBerry uncovers China-backed hacking campaign


----------



## Kaldak (Apr 8, 2020)

BlackBerry is still used?


----------



## R.Caerbannog (Apr 8, 2020)

Holy shit! That is huge! I can't imagine the amount of data the Chinese have had due to these breaches. Fuck... depending on the severity, China could've had real time access to intel and comms as it was being disseminated via those servers and devices. If anyone remembers the Clinton Email Fiasco, part of the scandal was that Hillary kept an unsecured cell phone and server alongside her Gov-issued BlackBerry.

Not sure how it is now, but it used to be that BlackBerries were the preferred means for Gov officials and bureaucrats to have secured comms.


----------



## Kaldak (Apr 8, 2020)

If I remember correctly, that changed with Obama insisting on having an iPhone as his device.

I've been out for some time now, so I can't speak to the Gov or Mil, but finding anyone with a BlackBerry nowadays is like finding out your house is built on top of buried pirate treasure.


----------



## R.Caerbannog (Apr 8, 2020)

Kaldak said:


> If I remember correctly, that changed with Obama insisting on having an iPhone as his device.
> 
> I've been out for some time now, so I can't speak to the Gov or Mil, but finding anyone with a BlackBerry nowadays is like finding out your house is built on top of buried pirate treasure.


I feel like an iPhone being used as a Presidential commo device is scary as all heck. While I ain't accusing Apple and Microsoft of having dual loyalties, it's worrisome how much the communications market is touched by the Chicoms.


----------



## RackMaster (Apr 8, 2020)

BlackBerry is still the standard here in Canuckistan. We weren't going to give up security for politicians to use TikTok at work.


----------



## 0699 (Apr 8, 2020)

R.Caerbannog said:


> Holy shit! That is huge! I can't imagine the amount of data the Chinese have had due to these breaches. Fuck... depending on the severity, China could've had real time access to intel and comms as it was being disseminated via those servers and devices. *If anyone remembers the Clinton Email Fiasco, part of the scandal was that Hillary kept an unsecured cell phone and server alongside her Gov-issued BlackBerry.*
> 
> Not sure how it is now, but it used to be that BlackBerries were the preferred means for Gov officials and bureaucrats to have secured comms.


IIRC, HRC as SecState did *NOT* have a government issued phone or Blackberry.  She had a personal Blackberry synced with her personal (family) email server.  I believe her position was that it was too difficult to maintain two devices/phone numbers/email addresses, although thousands of low-ranking federal employees manage to do so.

AFAIK, she did not use an official State Dept email address, but her personal family email address.  If the OP is correct, this means the ChiComs probably scarfed up everything she sent and received as SecState.

I don't know of any federal agencies still using Blackberries.  AFAIK, everyone is either on iPhones or Samsungs.  Although I'm sure there are still some agencies out there.


----------



## Ranger Psych (Apr 8, 2020)

Obama didn't have an iPhone while president, he had a Blackberry.

Blackberry's been on the high security end of phone stuff for a while, at least with regards to messaging smartphones. Now if you go dumber? well... there's phones that are pretty cool.


----------



## DA SWO (Apr 8, 2020)

Ranger Psych said:


> Obama didn't have an iPhone while president, he had a Blackberry.
> 
> Blackberry's been on the high security end of phone stuff for a while, at least with regards to messaging smartphones. Now if you go dumber? well... there's phones that are pretty cool.


Pentagon just signed a contract for 17,400 (IIRC) iPhones.


----------



## Kraut783 (Apr 8, 2020)

I actually miss my work Blackberry....it was flawless and had no syncing issues with the secure business server.  Our Android phones suck....I have a personal Samsung S10 and love it!! but it isn't locked down with security software that makes the work S9 suck.


----------



## Florida173 (Apr 9, 2020)

We're always outsourcing our infrastructure and security.


----------



## 0699 (Apr 9, 2020)

Kraut783 said:


> I actually miss my work Blackberry....it was flawless and had no syncing issues with the secure business server.  Our Android phones suck....I have a personal Samsung S10 and love it!! but it isn't locked down with security software that makes the work S9 suck.


I have two S9s; work and personal.

Our work S9s are actually better and more reliable now that they are locked down hard.  They've stripped out a lot of the "included" apps like Bixby that cause problems and consume RAM.  There are very few apps that can be installed anymore, and they're all work apps.  We aren't even allowed to have airline, hotel, or rental car apps, even though we use them for official purposes.  Thanks Pete, thanks Lisa.

I'd love to find a way to be able to get rid of all the crap Samsung and Sprint put on commercial phones.  I have zero use for Android Auto, Your Phone Companion, and Bixby.


----------



## Florida173 (Apr 9, 2020)

0699 said:


> I have two S9s; work and personal.
> 
> Our work S9s are actually better and more reliable now that they are locked down hard.  They've stripped out a lot of the "included" apps like Bixby that cause problems and consume RAM.  There are very few apps that can be installed anymore, and they're all work apps.  We aren't even allowed to have airline, hotel, or rental car apps, even though we use them for official purposes.  Thanks Pete, thanks Lisa.
> 
> I'd love to find a way to be able to get rid of all the crap Samsung and Sprint put on commercial phones.  I have zero use for Android Auto, Your Phone Companion, and Bixby.



We were able to root and re-load the AOSP base ROM, or even a custom one from the XDA forums. That's really the only way I've found. Samsung's One UI is pretty slick now though. It's definitely getting better and better. Super fast and responsive at 120 Hz on my S20 Ultra.


----------



## SaintKP (Apr 9, 2020)

0699 said:


> Bixby




I hate Bixby and the fact that it is so easy to trigger it going off, especially on the S9. It feels like on the Note10 you have to almost hold it down for it to trigger at times, which is an improvement, but it would be even better if I could get rid of it entirely.


----------



## medicchick (Apr 9, 2020)

SaintKP said:


> I hate Bixby and the fact that it is so easy to trigger it going off, especially on the S9. It feels like on the Note10 you have to almost hold it down for it to trigger at times, which is an improvement, but it would be even better if I could get rid of it entirely.


I just changed what the button does, it now launches my camera I think.


----------



## Kaldak (Apr 9, 2020)

Bixby is insanely useless.


----------



## R.Caerbannog (Apr 17, 2020)

China decimated US intelligence apparatus years ago, posing steep challenge during coronavirus cover-up

I'm thinking maybe the CCP having access to that bitch Hillary Clinton's servers may have had a role to play in our intel assets getting rolled up. #ThanksObama #tigerking


----------



## Florida173 (Apr 17, 2020)

Kaldak said:


> Bixby is insanely useless.



Bixby's photo recognition stuff is pretty solid


----------



## Kaldak (Apr 17, 2020)

I'll have to try it out. Thanks @Florida173


----------



## AWP (Apr 17, 2020)

RE: Operating systems and the like for the DoD...

Short version: Even the best computers are vulnerable.

Long, not-as-nerdy explanation:
DISA maintains STIGs, which are essentially configurations for devices, operating systems, etc.

Understanding DISA STIG Compliance Requirements | SolarWinds
Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange

In a nutshell, a STIG is a checklist of things to disable when securing your whatever, and they go pretty deep. However, you can "assume" or "mitigate" risks associated with not fully implementing the STIG. Say a Win 10 registry value breaks a piece of software, but DISA considers that registry value high risk. When you do your RMF package to put that Win 10 workstation (I'll spare you an RMF explanation) on a DoD network, you note the high risk and someone has to accept that risk OR find other ways of reducing said risk.

In other words, DISA STIGs aren't gospel.

Now take a Linux machine: out of the box, that O/S is riddled with vulnerabilities. You can "STIG out" a machine, but at the end of the day it is an O/S and hackers devote insane amounts of time to find 0-day exploits, exploits unknown to the software publisher and for which there are no patches.

Maybe unrelated to the thread's OP, but funny all the same, this was on DISA's homepage, dated from Feb. 21, 2020.
DISA Has Released the BlackBerry UEM 12.11 STIG – DoD Cyber Exchange

You can go hard in the paint with your security, but eventually the bad guys will find a way into your network. If you want a secure computer, put it in a Faraday cage without any outside connectivity.


----------



## ThunderHorse (Apr 17, 2020)

Oh man, I remember all the gamers in high school trying to tell me I needed to switch my box to Linux because fuck Microsoft...I still played games and shit, but never made the jump to open source thank god.


----------



## AWP (Apr 17, 2020)

ThunderHorse said:


> Oh man, I remember all the gamers in high school trying to tell me I needed to switch my box to Linux because fuck Microsoft...I still played games and shit, but never made the jump to open source thank god.



And all of your big phone choices run some flavor of Linux, including Apple.


----------



## Ranger Psych (Apr 18, 2020)

AWP said:


> And all of your big phone choices run some flavor of Linux, including Apple.



Don't shortchange Apple, let's have a word about what ALL their shit runs on...

Never mind what basically everything runs on, other than the end boxes on the interwebs that you consume the data on...


----------



## AWP (Apr 18, 2020)

I stand corrected about Apple, it uses a proprietary hybrid version of UNIX which Apple has modified and on which it has placed its own user interface.


----------



## CQB (Apr 18, 2020)

As for a Faraday Cage, I’d try putting a PC in cement & using it as a boat anchor, but I’m not sure if it would still be secure. 🤣


----------



## professional_nerd (Apr 20, 2020)

There's a mountain of problems that come with attempting security compliance in government, OS be damned. There are folks in charge of each system that can literally write an Acceptance Of Risk to continue operating either un-patched or configured in a "less secure" manner. There are companies like Purism that are trying to bridge the hardware gap together with software, but I don't think there's any one platform out there yet that gives a good enough "out of the box" solution without administrator intervention. There's no replacing the admin who configures the system as secure as they can.

If someone wants to, they're going to get in. In the case of nation-state actors like China, they'll do it faster and better than the basement nerd. It's only a matter of when.


----------



## CQB (Apr 20, 2020)

China broke Blackberry? Seriously...


----------



## RackMaster (Apr 20, 2020)

CQB said:


> China broke Blackberry? Seriously...



No, BlackBerry just uncovered other hacks.


----------



## BloodStripe (Apr 21, 2020)

AWP said:


> I stand corrected about Apple, it uses a proprietary hybrid version of UNIX which Apple has modified and on which it has placed its own user interface.


I still trust Apple servers to be better protected than most though. And thankfully last I knew,  they weren't giving up the encryption info to Uncle Sam and other countries.


----------



## professional_nerd (Apr 25, 2020)

BloodStripe said:


> I still trust Apple servers to be better protected than most though. And thankfully last I knew,  they weren't giving up the encryption info to Uncle Sam and other countries.


That's a pretty bold assumption. Why do you consider them better protected than most?


----------



## BloodStripe (Apr 26, 2020)

professional_nerd said:


> That's a pretty bold assumption. Why do you consider them better protected than most?



Having been to one of their server facilities before and many briefings on all things tech. Plus as a civilian I have appreciated them not handing out the encryption code to DOJ and other law enforcement agencies.


----------



## professional_nerd (Apr 26, 2020)

BloodStripe said:


> Having been to one of their server facilities before and many briefings on all things tech. Plus as a civilian I have appreciated them not handing out the encryption code to DOJ and other law enforcement agencies.


Maybe in the physical security portion of things, but I don't know of anyone doing anything particularly earth-shattering as far as technical security is concerned. It's a fairly level field when it comes to who is targeted. Success for someone who breaches security isn't really measured in headlines either, but more of what is done for long periods of time without being discovered. Not handing over encryption codes to DOJ etc might be fine for publicity, but that doesn't mean it hasn't been cracked by other means. 

I guess what I'm saying is that I have doubts any time there's a claim of great protection. It allows people to relax their own security protocols (password management/changes, implementing MFA, basic awareness) because a platform claims better security than the competition. That's been wrong more than it's been right with platforms providing mass services.


----------



## BloodStripe (Apr 26, 2020)

professional_nerd said:


> Maybe in the physical security portion of things, but I don't know of anyone doing anything particularly earth-shattering as far as technical security is concerned. It's a fairly level field when it comes to who is targeted. Success for someone who breaches security isn't really measured in headlines either, but more of what is done for long periods of time without being discovered. Not handing over encryption codes to DOJ etc might be fine for publicity, but that doesn't mean it hasn't been cracked by other means.
> 
> I guess what I'm saying is that I have doubts any time there's a claim of great protection. It allows people to relax their own security protocols (password management/changes, implementing MFA, basic awareness) because a platform claims better security than the competition. That's been wrong more than it's been right with platforms providing mass services.



Everyone is always looking for access, whether it's physical or  cyber. Most of the briefings I attended centered around upcoming technologies and how they could be deployed or new vulnerabilities and how to exploit them. Physical security is of equal importance, if not greater, than cyber protection. A lot more damage can be done to a whole network if you have direct physical access and can do as you please.


----------



## professional_nerd (Apr 26, 2020)

BloodStripe said:


> Everyone is always looking for access, whether it's physical or  cyber. Most of the briefings I attended centered around upcoming technologies and how they could be deployed or new vulnerabilities and how to exploit them. Physical security is of equal importance, if not greater, than cyber protection. A lot more damage can be done to a whole network if you have direct physical access and can do as you please.


Oh, no doubt. I had a business for a while where that was my main focus (physical security pen testing). It's hard to impress upon people the importance of those things, especially when you tell them the cost, lmao. But, it's a fight we have to keep fighting, unfortunately.


----------

