Free Republic
CrowdStrike founder George Kurtz made some outrageous claims in Fortune Magazine this week [2015]
Josh Wieder blog ^ | August 1, 2015 | Josh Wieder

Posted on 07/18/2017 4:59:09 AM PDT by Fedora

George Kurtz has quite the resume. Perhaps you remember the time he spent at McAfee, a company founded by a drug-addled heavily-armed lunatic and maybe murderer whose recent contributions to infosec include being one of the handful of companies to use BSAFE encryption library in their products, the library famously back-doored by government security contractors/prostitutes RSA for a National Security Agency check in the amount of $10 million. Or perhaps you are more familiar with his time as Chief Financial Officer of General Motors, whose flagship "IT" product, OnStar, is best known to actual security researchers as the government tracking device that allows police to disable your car remotely and quite likely kill you in the process. Did I say police? Because I meant basically anybody who has a computer and can read. And did I say disable? Because I also meant unlock the car and start the engine.

George Kurtz is to the information technology community what Bull Connor was to the civil rights community. Which is to say: not helpful. . .

He also regularly uses the word "cyber" without a hint of irony, for example to announce new hires. "FBI's Top Cyber Lawyer Steven Chabinsky Joins CrowdStrike" "Former FBI Top Cyber Cop Shawn Henry joins as CrowdStrike Services President" ... all on his personal website called Security Battlefield that has a picture of a little army man for a logo.

But this post isn't about the general tomfoolery that Mr Kurtz engages in. No, this is about a specific series of ridiculous claims made by Kurtz and parroted from the rooftops by Fortune magazine, like this:

"CEO and co-founder George Kurtz tells it like this: A besieged customer needed backup. So Kurtz’s team sent in reinforcements, placed its cloud-based software sensors across the breached business’s computing environment, and started gathering intel. Aha! Investigators spotted Hurricane Panda, an old Chinese nemesis that Kurtz’s crew had been battling since 2013. What happened next surprised them: When the attackers scanned an infected machine only to find traces of CrowdStrike, they fled."

aaaand this:

"'These fraudsters used to work a street corner—they had a geographic area of stealing and limited scalability,' Kurtz says. 'Now, because of the cloud, they can scale exponentially—no longer a street corner but the entire globe.'"

In two paragraphs in the article, the word "cloud" appears in every sentence. Replacing the word "cloud" with a word like "sorcery" provides a clearer understanding of the three-card monte game that Kurtz and people like him play with competency.

"[sorcery] is essential to CrowdStrike’s success"

"[sorcery] also allows for rapid deployment"

"because of [sorcery], they can scale exponentially"

You are led to believe that competency is underneath one of the cups; but it's not. Let's unpack these claims, starting with the first quote. There are at least six separate factual claims in this quote. . .

5. "Investigators spotted Hurricane Panda, an old Chinese nemesis that Kurtz’s crew had been battling since 2013"

So this is where the real problems begin to start. The problem is this simple and straightforward. "Hurricane Panda" does not exist. Let's unpack that. . .

Not everyone that works at CrowdStrike is a schmuck. As far as I can tell, CrowdStrike's irascible schmuckiness is isolated to the management, marketing, sales and legal. I am fairly confident that there is at least one competent tech employee at CrowdStrike. I am confident of this because CrowdStrike played some role in the discovery of one '0 day' exploit: CVE-2014-4113 (I've also been told a few of their tech guys have made a few decent tools available, like Tortilla, that I haven't tried yet ... this really isn't intended as an FU to the guys shoveling the coal at CrowdStrike, any more than mocking the Facebook guy's latest evil plot would be a slight to the guys shoveling coal at Facebook ... please consult the Death Star contractors conversation from the film Clerks for more information)

CrowdStrike's exact role in this discovery is unclear, because another group called FireEye was also credited with the discovery of the vulnerability. While FireEye itself is not free of controversy, there is simply no comparison between FireEye and CrowdStrike when it comes to security research. FireEye's $1 billion acquisition of Mandiant brought a lot of smart people to the team, and I am aware of at least 16 zero day exploits that FireEye has published. 16 > 1.

In response to CVE-2014-4113, Microsoft released a patch, MS14-058. Microsoft credits both CrowdStrike and FireEye in their post outlining MS14-058 (as well as crediting FireEye for a second 0-day addressed in the patch, CVE-2014-4148, which used malware embedded in TrueType font files). Neither Microsoft nor FireEye makes any mention of a single organized group behind the release of CVE-2014-4113 (the ridiculous Hurricane Panda name was dreamed up without rhyme or reason by CrowdStrike ... perhaps because panda bears come from China?). In fact, FireEye's blog post explaining their work on both exploits, released on the same day as CrowdStrike's fantastical panda story, goes out of their way to state that they believe that CVE-2014-4113 was not the work of a single group (emphasis mine):

"The tool appears to have gone through at least three iterations over time. The initial tool and exploits is believed to have had limited availability, and may have been employed by a handful of distinct attack groups. As the exploited vulnerability was remediated, someone with access to the tool modified it to use a newer exploit when one became available. These two newer versions likely did not achieve the widespread distribution that the original tool/exploits did and may have been retained privately, not necessarily even by the same actors."

The point here is clear. FireEye admits that the use of CVE-2014-4113 was limited, but was not owned by a single group. So what evidence does CrowdStrike provide to dispute the findings of their much more experienced and respected co-publisher? According to CrowdStrike, Panda attacks can be identified through their use of:

A. The PlugX remote access tool

B. Hurricane Electric's free DNS service

C. ChinaChopper shell

Why is this bullshit? AlienVault identified the author of PlugX in September of 2012 as a developer working for Chinansl Technology Co., Ltd with the email address whg0001@163.com (feel free to scrape and spam that address y'all) and a face only a mother could love. No Pandas were included on this man's baidu profile. . .

6. "When the attackers scanned an infected machine only to find traces of CrowdStrike, they fled"

This is the claim that compelled me to write this post. There is so much wrong with this. Fundamentally the statement is a cum hoc ergo propter hoc logical fallacy. Even if we take Kurtz at his word, that an attack of some kind was ongoing, that CrowdStrike installed software, and the attack then stopped, this, on its own, does not prove that CrowdStrike's presence caused the attack to stop. Even though the CrowdStrike install and the attack ceasing are correlated, this relationship does not imply causation.

The red flag that nonsense is occurring is amplified by the use of the word "fled". The word speaks to the state of mind of the supposed attackers, because to flee presupposes fear. The state of mind for these attackers is unknowable to Kurtz or CrowdStrike. Again, if we take Kurtz at his word that an attack was ongoing, how could he know the attackers did not stop once they realized that someone, anyone, was logged into the server; or more realistically, that a human being was behind the supposed "attack", rather than a bot?

Remember back in #1 how we pointed out it was suspicious that Kurtz did not specify what kind of attack it was? That concern becomes much more important here in the sixth claim. Without an understanding of what kind of 'attack' this was, how can we determine why the attack stopped; or that, in fact, an attack had occurred at all? Network scanning, even aggressive network scanning, is a fact of life on the internet. Every server with an internet connection will be scanned by multiple hosts, multiple times, every day. Such scanning can abruptly stop for a number of reasons - the most common is such scans look for a small set of software vulnerabilities and when they don't find it, they move on. Kurtz's story fits hand in glove with this sort of common behavior. . .

One last claim as we wrap this up:

"'These fraudsters used to work a street corner—they had a geographic area of stealing and limited scalability,' Kurtz says. 'Now, because of the cloud, they can scale exponentially—no longer a street corner but the entire globe.'"

The 'Cloud' has not had any impact on the tactics used to break into other people's computers, at least not in any way resembling what Kurtz described here. Botnets existed before virtualization became ubiquitous. The theories driving DDoS and spam remain unchanged even as individual exploits continue to be patched in older software and uncovered in newer software. The notion that those breaking into other computers are bound by a geographic area has always been false. It is so obviously and demonstrably false that it is difficult to begin to respond. Such a statement betrays a breathtaking lack of understanding about the history of the internet and the malicious use of computers. Some of the first people to break into NASA were from Australia. East German teenagers were among the first hackers to break into US military servers. Neither group was identified or bound by anything having to do with server architecture but by monitoring of telco traffic.

It is difficult to see what the readers of Fortune Magazine gain from the publication of long-winded, credulous, fact-free interviews. Furthermore, George Kurtz does a disservice to the customers of CrowdStrike as well as his own technical employees by speaking so incompetently about the field his company seeks to compete in.


TOPICS: Extended News; News/Current Events
KEYWORDS: alperovitz; crowdstrike; dnc; georgekurtz; wikileaks
An unflattering portrait of CrowdStrike by a computer expert from 2015, demolishing the company's claims to competency and mentioning that CrowdStrike boasted of hiring former FBI personnel. In relation to the DNC email controversy, note especially the author's criticism of the premise that hackers are bound by a geographical area.

This early critique of CrowdStrike raises the question of who was advising the intelligence community and the DNC on IT that charlatans and con men like this were being hired as government and political campaign contractors. Was this mere incompetence, or is CrowdStrike another example of the type of infiltration exemplified by the Awan brothers?

1 posted on 07/18/2017 4:59:09 AM PDT by Fedora
[ Post Reply | Private Reply | View Replies]
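The quoted post argues that background internet scanning stops on its own once a scanner fails to find the handful of vulnerabilities it is looking for, so "the attackers fled" cannot be inferred from activity ceasing. The following is an added example, not code from the post or from any company named in it, showing how a defender would tell a short, wide, unengaged port sweep apart from a sustained session before drawing any conclusion from the fact that traffic stopped. The log format, the IP addresses, and the thresholds (`min_scan_ports`, `max_scan_seconds`, `min_session_seconds`) are all constructed for the example.

```python
"""Separate opportunistic port sweeps from persistent sessions in a
constructed connection log. Added illustration; the log format below is
hypothetical, and all sample data is constructed (documentation ranges)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source sweeps six ports in two seconds and is
# never seen again (no ESTABLISHED entries); a second source completes a
# connection on port 22 and keeps it open for over an hour.
SAMPLE_LOG = """\
2015-08-01T10:00:01 src=198.51.100.7 dport=22 action=SYN
2015-08-01T10:00:01 src=198.51.100.7 dport=80 action=SYN
2015-08-01T10:00:02 src=198.51.100.7 dport=443 action=SYN
2015-08-01T10:00:02 src=198.51.100.7 dport=3389 action=SYN
2015-08-01T10:00:03 src=198.51.100.7 dport=8080 action=SYN
2015-08-01T10:00:03 src=198.51.100.7 dport=445 action=SYN
2015-08-01T10:00:10 src=203.0.113.9 dport=22 action=SYN
2015-08-01T10:00:11 src=203.0.113.9 dport=22 action=ESTABLISHED
2015-08-01T10:45:30 src=203.0.113.9 dport=22 action=ESTABLISHED
2015-08-01T11:20:00 src=203.0.113.9 dport=22 action=ESTABLISHED
"""

# Hypothetical "key=value" line layout; anything that does not match is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dport, action) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed or unrelated line: ignore rather than crash
        yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"]), m["action"]


def summarize(text):
    """Per-source counters: distinct ports, first/last sighting, SYN and
    ESTABLISHED counts. This is the evidence a classification rests on."""
    stats = defaultdict(
        lambda: {"ports": set(), "first": None, "last": None, "syn": 0, "established": 0}
    )
    for ts, src, dport, action in parse_log(text):
        s = stats[src]
        s["ports"].add(dport)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if action == "ESTABLISHED":
            s["established"] += 1
        elif action == "SYN":
            s["syn"] += 1
    return dict(stats)


def classify(text, min_scan_ports=5, max_scan_seconds=60, min_session_seconds=600):
    """Label each source. Thresholds are assumptions chosen for the sample:
    - opportunistic-scan: many ports, short burst, no completed connection
      (the "look for a few things, then move on" pattern);
    - persistent-session: at least one completed connection held for a
      meaningful duration;
    - inconclusive: anything else, which is the honest default."""
    labels = {}
    for src, s in summarize(text).items():
        span = (s["last"] - s["first"]).total_seconds()
        wide_and_brief = len(s["ports"]) >= min_scan_ports and span <= max_scan_seconds
        if s["established"] == 0 and wide_and_brief:
            labels[src] = "opportunistic-scan"
        elif s["established"] > 0 and span >= min_session_seconds:
            labels[src] = "persistent-session"
        else:
            labels[src] = "inconclusive"
    return labels


if __name__ == "__main__":
    for src, label in classify(SAMPLE_LOG).items():
        s = summarize(SAMPLE_LOG)[src]
        print(f"{src:15} {label:20} ports={len(s['ports'])} "
              f"established={s['established']} first={s['first']} last={s['last']}")
```

The point of keeping `inconclusive` as the default is the same one the post makes: a source that probed a few ports and went quiet has told you nothing about intent or state of mind, and only a completed, sustained connection (or richer evidence than a connection log) justifies a stronger claim.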

To: Fedora

Guy talks like Karl W. Schwarz, the Walter Mitty of 9/11, drones and carbon nanotube fame and at least John McAfee is intelligent and amusing.


2 posted on 07/18/2017 5:20:47 AM PDT by Lx (Do you like it? Do you like it, Scott? I call it, "Mr. & Mrs. Tenorman Chili.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Lx

McAfee killed a person and when the cops came he hid in a hole in the ground, in his back yard, until they left.

I get amusement from that.


3 posted on 07/18/2017 6:22:28 AM PDT by T-Bone Texan
[ Post Reply | Private Reply | To 2 | View Replies]

To: T-Bone Texan

An important PSA: How to Uninstall McAfee anti-virus.
https://www.youtube.com/watch?v=bKgf5PaBzyg

NSFW!


4 posted on 07/18/2017 6:06:46 PM PDT by Lx (Do you like it? Do you like it, Scott? I call it, "Mr. & Mrs. Tenorman Chili.")
[ Post Reply | Private Reply | To 3 | View Replies]

