[HN Gopher] U.S. Treasury, Commerce Depts. Hacked Through SolarW...
       ___________________________________________________________________
        
       U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise
        
       Author : parsecs
       Score  : 436 points
       Date   : 2020-12-14 16:34 UTC (6 hours ago)
        
 (HTM) web link (krebsonsecurity.com)
 (TXT) w3m dump (krebsonsecurity.com)
        
       | [deleted]
        
       | icedistilled wrote:
       | Wow the hackers had free rein over basically any company that
       | they wanted.
       | 
       | SolarWinds says it has over 300,000 customers including:
       | 
       | -more than 425 of the U.S. Fortune 500
       | 
       | -all ten of the top ten US telecommunications companies
       | 
       | -all five branches of the U.S. military
       | 
       | -all five of the top five U.S. accounting firms
       | 
       | -the Pentagon
       | 
       | -the State Department
       | 
       | -the National Security Agency
       | 
       | -the Department of Justice
       | 
       | -The White House
        
         | trixie_ wrote:
         | As a user of Ignite, we're struggling to find an alternative
         | that matches its feature set. Great business opportunity here.
        
       | realmod wrote:
       | Russia's hacking/software capabilities have always fascinated me.
       | I might be out of the loop, but it very much feels like this
       | "online cold-war" is very one-sided towards Russia, which is
       | ridiculous given US capabilities. Though, this could be
       | attributed to the US simply not getting caught.
       | 
       | Nonetheless, everything I've read points to Solarwinds conduct
       | being borderline negligent. For example, they not only told
       | customers to ignore inaccurate checksums but they also failed
       | basic server security.
        
         | wonder_er wrote:
         | I read _Countdown to Zero Day: Stuxnet and the Launch of the
          | World's First Digital Weapon_ a few weeks ago, and really
         | enjoyed it.
         | 
         | I'd recommend giving it a read. It gives an accurate-but-
         | uncomfortable overview of how the US government handles cyber
         | security issues.
        
       | robocat wrote:
       | More details: https://www.fireeye.com/blog/threat-
       | research/2020/12/evasive...
       | 
       | "SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds
       | digitally-signed component of the Orion software framework that
       | contains a backdoor that communicates via HTTP to third party
       | servers. We are tracking the trojanized version of this
       | SolarWinds Orion plug-in as SUNBURST."
       | 
        | "Multiple trojanized updates were digitally signed from March -
       | May 2020 and posted to the SolarWinds updates website. The
       | trojanized update file is a standard Windows Installer Patch file
       | that includes compressed resources associated with the update,
       | including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll
       | component. Once the update is installed, the malicious DLL will
       | be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or
       | SolarWinds.BusinessLayerHostx64.exe. After a dormant period of up
       | to two weeks, the malware will attempt to resolve a subdomain of
       | avsvmcloud[.]com."
       | 
       | "This actor prefers to maintain a light malware footprint,
       | instead preferring legitimate credentials and remote access for
       | access into a victim's environment."
       | 
       | "In observed [trojan] traffic these HTTP response bodies attempt
       | to appear like benign XML related to .NET assemblies" "Command
       | data is spread across multiple strings that are disguised as GUID
       | and HEX strings."
       | 
       | Edit: Silly me, that was the first article on hn, see thread:
       | https://news.ycombinator.com/item?id=25413053
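
The FireEye description quoted above gives defenders one concrete, network-visible artefact: after a dormant period of up to two weeks, the implant resolves a subdomain of avsvmcloud[.]com. The Python below is an added example written for this thread, not code from FireEye's write-up or from SolarWinds, that scans DNS query logs for that name. The log format (timestamp, client IP, queried name, record type) and every sample line are constructed; the lookback helper is an assumption about how to size the search window from the quoted dormancy figure.

```python
"""Scan a DNS query log for resolution attempts against avsvmcloud.com.

Added example for this thread, not code from the FireEye write-up quoted
above. The log format (timestamp, client IP, queried name, record type,
space-separated) and every sample line are constructed for the example.
"""
from datetime import datetime, timedelta

# Domain named in the quoted FireEye text: after a dormant period of "up to
# two weeks" the implant resolves a subdomain of it.
BEACON_DOMAIN = "avsvmcloud.com"
DORMANCY = timedelta(days=14)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: a benign query, a beacon-style subdomain query, two
# look-alikes that must NOT match, a defanged name and a trailing-dot FQDN.
SAMPLE_DNS_LOG = """\
2020-04-02T03:14:07Z 10.20.1.15 updates.solarwinds.com A
2020-04-16T09:02:41Z 10.20.1.15 k3jd9s0a1qpz.region-label.avsvmcloud.com A
2020-04-16T09:03:02Z 10.20.1.77 avsvmcloud.com.cdn.example A
2020-04-16T09:05:30Z 10.20.1.15 notavsvmcloud.com A
2020-04-17T11:45:12Z 10.20.2.9 zz81xq.avsvmcloud[.]com A
2020-04-17T11:45:13Z 10.20.2.9 AVSVMCLOUD.COM. A
"""


def normalize_name(qname):
    """Lower-case, undo '[.]' defanging and drop a trailing root dot."""
    return qname.lower().replace("[.]", ".").rstrip(".")


def is_beacon_name(qname):
    """True for avsvmcloud.com itself or any subdomain of it.

    Matching on the label boundary ('.' + domain) keeps 'notavsvmcloud.com'
    and 'avsvmcloud.com.cdn.example' from producing false positives.
    """
    name = normalize_name(qname)
    return name == BEACON_DOMAIN or name.endswith("." + BEACON_DOMAIN)


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname)."""
    ts, client, qname, _qtype = line.split()
    return datetime.strptime(ts, TS_FORMAT), client, qname


def scan(log_text):
    """Return [(timestamp, client, qname), ...] for every beacon-domain query."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        if is_beacon_name(qname):
            hits.append((ts, client, qname))
    return hits


def hosts_to_triage(hits):
    """Distinct clients that queried the beacon domain, sorted."""
    return sorted({client for _ts, client, _qname in hits})


def lookback_window(install_ts):
    """Assumed sizing of the search window from the install time of a
    trojanized update: the first beacon may come any time within the
    dormant period, so search at least that far forward. ISO strings in/out."""
    start = datetime.strptime(install_ts, TS_FORMAT)
    return start.strftime(TS_FORMAT), (start + DORMANCY).strftime(TS_FORMAT)


if __name__ == "__main__":
    found = scan(SAMPLE_DNS_LOG)
    for ts, client, qname in found:
        print(f"{ts.strftime(TS_FORMAT)} {client} queried {qname}")
    print("hosts to triage:", hosts_to_triage(found))
```

The label-boundary check is the part worth copying: a plain substring match on the domain produces false positives on look-alike names, while a match on the apex alone misses the encoded subdomains the quoted text describes.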
        
       | wonder_er wrote:
       | Seems like a good time to plug an excellent book:
       | 
        |  _Countdown to Zero Day: Stuxnet and the Launch of the World's
        | First Digital Weapon_ [0]
       | 
       | The US Government has spent two decades and hundreds of millions
       | of dollars building tools to undermine the security of systems
       | around the world, and withholding information from "Industry"
       | that would help harden those systems.
       | 
       | I have no idea who "did" this, I don't really care. The NSA has
       | been loading this footgun for decades.
       | 
       | [0] https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital-
       | eb...
        
         | misiti3780 wrote:
         | I can second that that book was great.
        
         | jkaptur wrote:
         | I really enjoyed _The Hacker and the State_ by Ben Buchanan. It
         | explores why various nations pursue cyber operations the way
         | they do.
        
       | meh206 wrote:
       | The "Russia" allegation sounds like an extremely weak &
       | repetitive claim made by people on a certain political side to
       | divert attention away from their bad press for criminal behavior
       | (to include all of the Chinese compromises that were recently
       | revealed).
       | 
       | They're playing a VERY dangerous game, as if they would rather
       | the entire world be destroyed before facing the possibilities of
       | justice (Gitmo, military court tribunals, and everything else
       | that the EO from 9/18 outlined).
       | 
       | The bottom line: the MSM has been full of $&@T for quite some
       | time, and this claim in Reuters is most likely more of the same.
        
         | intern4tional wrote:
         | Microsoft and Fireeye have both made similar claims and
         | released substantial technical details.
         | 
         | Attribution is hard, but those two companies have a solid
         | reputation and do not make BS claims.
        
           | goodluckchuck wrote:
           | I see where they claim it's a sophisticated / state-sponsored
           | attack, but could you share where they attribute it to Russia
           | in particular? If that's a political assessment made by the
            | media that's one thing, but if these sources have some sort
           | of technical data that inherently links it to a particular
           | nation... that's something I haven't seen.
        
       | hackinthebochs wrote:
       | The widespread use of unvalidated automatic updates will go down
       | as one of the biggest security blunders of the last decade.
        
         | tootie wrote:
         | There was a fun one a few years ago when someone realized that
         | Maven Central didn't require https so anyone could MITM
         | arbitrary amounts of open source Java code. But I think this
         | problem could be even more pervasive. Think about that giant
         | green lock icon you see on secured sites. And then think about
         | all the apps and devices making requests with no UI and we have
         | no idea what they're all talking to until you have the patience
         | and knowhow to operate wireshark.
         | 
         | Off the top of my head, the only real solution is to feed a lot
         | of this arbitrary traffic through trusted brokers which is
         | going to make us even more dependent on Google, Microsoft or
         | whoever else takes up that mantle.
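
hackinthebochs and tootie are describing the same failure from two sides: an update channel trusted without validation, whether because the transport was plaintext (Maven Central over HTTP) or because, as realmod notes above, customers were told to ignore inaccurate checksums. The Python below is an added example for this thread, not SolarWinds', Maven's or any vendor's code, of the fail-closed checks an update client can apply: refuse non-HTTPS URLs, parse a pinned `sha256sum`-format checksum file, compare digests in constant time, and reject anything that mismatches or is not pinned at all. The artifact bytes, checksum file and fetcher are constructed so it runs offline; the checksum file is generated from the constructed payload inside the example only to keep the sample consistent, whereas in practice it (or a signature over it) is obtained and pinned out of band.

```python
"""Fail-closed verification of a downloaded update against pinned checksums.

Added example for this thread; not SolarWinds', Maven's or any vendor's code.
The artifact bytes, the checksum file and the fetcher are constructed so the
example runs offline.  In practice the checksum file (or a signature over it)
is obtained and pinned out of band, not fetched from the same place as the
artifact.
"""
import hashlib
import hmac
from urllib.parse import urlparse

UPDATE_NAME = "constructed-update-1.2.3.msp"
UPDATE_BYTES = b"constructed update payload, version 1.2.3\n"

# Checksum file in the `sha256sum` text format ("<hex digest>  <name>").
# The digest is computed here only so the constructed sample is consistent.
CHECKSUMS_TEXT = (
    "# constructed pinned checksums\n"
    f"{hashlib.sha256(UPDATE_BYTES).hexdigest()}  {UPDATE_NAME}\n"
)

HEX = set("0123456789abcdef")


class UpdateRejected(Exception):
    """Raised whenever the update cannot be positively verified."""


def parse_checksums(text):
    """Parse sha256sum-style lines into {name: hexdigest}; reject malformed lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise UpdateRejected(f"malformed checksum line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()  # '*' = binary mode
        if len(digest) != 64 or not set(digest) <= HEX:
            raise UpdateRejected(f"malformed digest for {name!r}")
        table[name] = digest
    return table


def require_https(url):
    """Refuse plaintext transports: an HTTP update URL invites in-path tampering."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise UpdateRejected(f"refusing non-HTTPS update URL: {url}")


def verify_artifact(name, data, checksums):
    """Return the verified digest, or raise; an unpinned name is a rejection, not a pass."""
    expected = checksums.get(name)
    if expected is None:
        raise UpdateRejected(f"no pinned checksum for {name!r}")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected(f"checksum mismatch for {name!r}: refusing to install")
    return actual


def fetch_update(url, checksums, fetcher):
    """Download via the injected fetcher(url) -> bytes and verify before returning."""
    require_https(url)
    name = urlparse(url).path.rsplit("/", 1)[-1]
    data = fetcher(url)
    verify_artifact(name, data, checksums)
    return data


def try_fetch_update(url, checksums, fetcher):
    """fetch_update, but returns (data_or_None, reason) for callers that log outcomes."""
    try:
        return fetch_update(url, checksums, fetcher), "verified"
    except UpdateRejected as exc:
        return None, str(exc)


# Constructed fetchers: one honest, one that alters the payload in transit.
def honest_fetcher(url):
    return UPDATE_BYTES


def tampering_fetcher(url):
    return UPDATE_BYTES + b"\x00"


if __name__ == "__main__":
    table = parse_checksums(CHECKSUMS_TEXT)
    base = "https://updates.example/" + UPDATE_NAME
    print(try_fetch_update(base, table, honest_fetcher)[1])
    print(try_fetch_update(base, table, tampering_fetcher)[1])
    print(try_fetch_update("http://updates.example/" + UPDATE_NAME, table, honest_fetcher)[1])
```

The design point is that every failure path ends in a rejection rather than a warning: a missing pin, a malformed digest and a mismatch are all treated the same as a tampered download, which is exactly the opposite of telling users to ignore a bad checksum.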
        
         | mdoms wrote:
         | On balance, I don't think so.
        
         | rossdavidh wrote:
         | That's a pretty high bar, given the security blunders of the
         | last decade.
        
         | [deleted]
        
       | dmitrygr wrote:
       | This is why all this bullshit about "let's add a backdoor to all
       | encryption just for the government" is just that: bullshit. A
       | year or so after it is added, it will be available to every
       | government on earth this way, and a year after, on your favourite
       | warez site...
        
       | Havoc wrote:
       | Ouch. Via a security provider. Thats ugly no matter how you look
       | at it
        
         | [deleted]
        
         | thesimon wrote:
         | Adding snake oil usually adds more attack vectors rather than
         | removing them. Look at all the "endpoint protection" and AV
         | exploits surfacing almost every week.
        
           | outworlder wrote:
           | Yes. Security vendors have to add a bunch of snake oil
           | products.
           | 
           | If they just did "consulting" and trained the staff against
           | social security attacks, and improved a company's policies,
           | how could managers that authorized the expense justify it?
            | Where's the shiny "product" that "keep us safe"? "Do you mean
           | we have to periodically expend money to keep ourselves safe?
           | I'll go with Vendor B, they have a blockchain-based Machine
           | Learning tool that's going to safeguard us against current
           | and future threats!"
        
             | zentiggr wrote:
              | Thanks, now my skin's crawling again from the all too
             | familiar cesspool feeling.
             | 
             | Salesmen (external or even worse internal) convincing
             | inexperienced CTOs or VPs that they need <this exact
             | software> regardless of any real world factors...
             | 
             | These are the people I would throw out with their own
             | bathwater.
        
       | just_steve_h wrote:
       | Companies that provide faulty software are "magically" exempt
       | from liability - neat trick!
        
       | dang wrote:
       | The major earlier threads on this ongoing story are:
       | 
       | https://news.ycombinator.com/item?id=25413053
       | 
       | https://news.ycombinator.com/item?id=25409416
        
       | mxskelly wrote:
       | When will people realize that slapping yet another startup's tech
       | stack onto yours isn't going to magically fix anything and in
       | fact just adds complexity and points of failure.
       | 
       | I've always done my best to err on the side of "let's try not to
       | add yet another level of complexity" and this strategy has yet to
       | fail me.
        
         | falcolas wrote:
         | When the financial costs of exposing yourself to such risks
         | outweigh the time saved.
         | 
         | So, never. At least, not in our current software development
         | industry.
        
         | Karunamon wrote:
         | I agree with the point, but that's not what happened here.
         | SolarWinds Orion isn't some VC-backed panacea sold by SV
         | hucksters to cure all your infrastructure's ills, it's a
         | monitoring stack like Zenoss or Zabbix or (...) and is
         | correctly marketed as such.
        
         | nrmitchi wrote:
         | SolarWinds is a 21-year-old publicly-traded company.
         | 
         | They're not really "yet another startup".
         | 
         | I also don't think that the departments of the US Government
         | are all going around all willy-nilly dropping tools from "yet
         | another startup" into their core infrastructure.
         | 
          | While your _overall point_ may be valid, it's tough to come to
         | the conclusion that it is applicable here.
        
           | wglb wrote:
           | No longer publicly traded:
           | https://www.solarwinds.com/company/press-
           | releases/solarwinds...
        
             | nrmitchi wrote:
             | Went public again Oct 18, 2018:
             | https://www.solarwinds.com/company/press-
             | releases/2018-q4/so...
        
           | mcguire wrote:
           | Willy-nilly dropping tools into core infrastructure is
           | largely how government IT works.
           | 
           | Corporate IT, too, from what I've seen.
        
             | notabee wrote:
              | That's very true. In my limited experience, they are tools
             | sold to non-technical leadership that are either thrown to
             | technical staff to deal with and implement or require
             | letting yet another vendor have network access to manage.
             | It adds up to a hot mess.
        
               | mcguire wrote:
               | My favorite comment from a (authentication system)
               | vendor, during a meeting where we were trying to figure
               | out why users were having trouble logging into an
               | internal app: "Do I have a charge code for this?"
        
           | reaperducer wrote:
            | _SolarWinds is a 21-year-old publicly-traded company.
            | They're not really "yet another startup"._
           | 
           | Today it is. If we knew when SolarWinds was added to the
           | government systems, his comment might stand.
        
             | rplnt wrote:
             | Startup or not, government contracts require certain
             | certifications.
        
             | mgreenleaf wrote:
             | And yesterday's startup is tomorrow's billion dollar
             | company, often with nothing changed except the number of
             | customers.
        
           | falcolas wrote:
           | I believe that you have mis-read their comment - they aren't
           | saying Solar Winds is "yet another startup", they're saying
           | that SolarWinds is incorporating 3rd party technology (the
           | so-called supply chain attack on their build) without vetting
           | it.
           | 
           | And, if we're being honest, those technologies probably are
           | based off startup tech; SolarWinds purchases and incorporates
           | startup companies (such as Vivid Cortex recently).
        
             | nrmitchi wrote:
             | That is entirely possible.
        
         | hobs wrote:
          | SolarWinds isn't another startup, it's been around for over 20
         | years, I have used their software half a decade ago and it did
         | the job just fine.
         | 
          | Age doesn't imply it's good either, but blaming startups isn't
         | the problem here.
        
           | onetimemanytime wrote:
           | >> _I have used their software half a decade ago and it did
           | the job just fine._
           | 
           | Russia agrees.
        
       | trashcan wrote:
       | This also came out today:
       | 
       | https://mattermost.com/blog/coordinated-disclosure-go-xml-vu...
       | 
       | It seems pretty likely that SolarWinds' SAML authentication was
       | bypassed or escalated by this issue with Go's encoding/xml, and
       | then used that to generate and distribute the trojaned
        | SolarWinds' updates.
        
         | richardwhiuk wrote:
         | Doubt it - that bug has been known by Go/Mattermost since
         | August.
        
           | trashcan wrote:
           | How would SolarWinds know about it if it wasn't publicly
           | disclosed until today?
           | 
           | Timeline: https://lh6.googleusercontent.com/GI-
           | MC0npwRiJju1O_PP_hG2mm8...
        
       | koolba wrote:
       | Is this the same SolarWinds that owns Pingdom?
       | 
       | https://www.solarwinds.com/pingdom
        
         | daniellarusso wrote:
         | Yes. Luckily that is an external monitoring tool, but they do
         | allow 'transactional' monitoring, so some folks could have
         | login info saved.
         | 
         | The two sites I monitored w/ that tool, we used it to determine
         | when a 3rd party account's login info has expired.
         | 
         | So, I would expect my saved credentials to be invalid, but that
         | is just my anecdote.
         | 
         | The rest is just simple uptime and response time monitoring of
         | specific URLs, which we publicly expose anyway, so no threat
         | there.
        
       | andreasley wrote:
       | I wonder if this unintended transparency actually makes for a
       | safer world. The cold war might have been shorter if both sides
       | would have been able to see that their enemy does not intend to
       | escalate the situation.
        
       | random5634 wrote:
       | A couple of quick notes:
       | 
       | 1) The OPM hack and now this all illustrate - if govt gives
       | itself the big backdoors into everything, it's likely they will
       | give it to russia, criminals, ex-boyfriends stalking ex-
       | girlfriends etc.
       | 
       | 2) My own impression of govt IT is largely security theatre in
       | the area I was involved. In particular such massive complexity
       | that agency staff think going around the rules is normal, because
       | it's the only way to actually get work done. And then such
       | glaring weaknesses that no one cares to fix. With google I've had
       | one password for 20 years (my google account) which allows a
       | hardware key for 2FA or google authenticator with what I imagine
       | is sensible monitoring, new device authentication etc (I find
       | this pretty secure).
       | 
       | Govt you are forced to write down these insanely long passwords
       | with super complexity that cannot be cut and pasted that change
        | every 30 or 60 days.
       | 
       | Because lost passwords are so common in these settings, the
       | password reset process is usually a MASSIVE weakspot. I've seen
       | it just be a phone call to a third party, you give them your
       | username, they give you a new temp password - that's literally
       | it. And the passwords end up everywhere. In lots of documents
       | that float around, emailed around etc etc. And lots of password
       | sharing when you get locked out of a tool and it will take a long
       | time to get a new account setup (months). Pretty soon the
       | procedures manual also gets you root access to everything.
        
         | all_blue_chucks wrote:
         | Neither of these hacks involved "back doors" as they are
         | normally defined. One was an authentication bypass; the other
         | was a supply chain attack. Neither involved any sort of
         | deliberate covert access mechanism.
        
           | hamburglar wrote:
           | I don't think OP meant to imply that backdoors had anything
           | to do with this. It's meant to underscore the argument
           | against backdooring encryption by pointing out that when you
           | trust some entity with a backdoor, you're potentially opening
           | that backdoor to anyone who can break that entity's security,
           | which may be very, very flawed.
        
         | Eduard wrote:
         | > With google I've had one password for 20 years (my google
         | account) which allows a hardware key for 2FA or google
         | authenticator with what I imagine is sensible monitoring, new
         | device authentication etc (I find this pretty secure).
         | 
         | I too hope this is not just security theater as well.
        
         | mcguire wrote:
         | Aside from anything else, your second point is exactly spot-on.
         | That's not just your impression.
        
         | textech wrote:
         | Incompetence runs through every facet of American government,
         | corporations and even private businesses. There's an insane
         | amount of bureaucracy and people doing IT who have no business
         | doing IT. As for the corporations, the established ones get
         | taken over by the MBA types who have no clue about software or
         | security nor do they care as long as the numbers look good for
         | the next quarter.
        
           | dcolkitt wrote:
           | I'd bet dollars to donuts that firms run by professional
           | managers almost certainly have better security practices than
           | family or founder run firms. I say this because research
           | shows that professionally managed firms excel in virtually
           | every other facet of operations and management[1].
           | 
           | [1] https://hbr.org/2011/03/family-firms-need-professional
        
             | khamba wrote:
             | Although I do not disagree with your comment, I would do a
              | double take before accepting the source you cite because
              | they are very much incentivized to proclaim the result they
             | proclaim.
        
               | x0x0 wrote:
               | MBAs discover companies desperately need MBAs!
        
             | textech wrote:
              | You mean professionally run corporations like Equifax,
             | Target or SolarWinds (published ftp password to github)?
        
         | snarf21 wrote:
         | Spot on, humans are always the weakest link. You must assume
         | your users will invoke every _worst_ practice imaginable and
         | make your system secure anyway.
        
         | kipchak wrote:
         | For what it's worth NIST password guidance SP800-63b no longer
         | advises the arbitrary expiration, so hopefully this is
         | something that will change.
         | 
         | >"Verifiers SHOULD NOT require memorized secrets to be changed
         | arbitrarily (e.g., periodically). However, verifiers SHALL
         | force a change if there is evidence of compromise of the
         | authenticator."
        
           | GordonS wrote:
           | NIST changed those rules a few years ago, I think. I remember
           | thinking "please, PLEASE let companies follow suit...".
           | 
           | And still, very few have :(
        
             | kipchak wrote:
             | I think it's new as of the 2019 revision, though it
             | wouldn't surprise me if it's been ignored for a while. I
             | don't think CMMC requirements specifically call out
             | expiration periods, so hopefully a good sign.
             | 
             | Microsoft seems to be fairly forward thinking[1] on
             | passwords, doing away with expiration requirements and
             | focusing more on their risk based MFA stuff.
             | 
             | [1]https://www.microsoft.com/en-us/research/wp-
             | content/uploads/...
        
         | at-fates-hands wrote:
         | >> In lots of documents that float around, emailed around etc
         | etc.
         | 
         | The amount of fortune 500 and fortune 100 companies that I
         | worked at where this is commonplace is staggering. The amount
         | of businesses that never change their passwords is quite
         | frankly, shocking. I left a fortune 500 company two years ago
         | and I just tried my login on their external facing portal - and
         | it still worked.
         | 
         | I've seen passwords being passed around in word docs and
         | internal blog posts. At one place they were mixing development
         | information with financial information. The idea you had
         | several folders of corporate contracts mingling with developer
         | docs on a sharepoint server was a real eye opener for me.
         | 
         | Nobody else seemed to care when I brought up the fact you just
         | gave a bunch of developers access to facebook contracts and
         | other financially important docs they have no reason to have
         | access to. Their reason? It was too hard to set up a new folder
         | with access restricted.
         | 
         | After a few years of experiencing these, I just became kind of
         | apathetic to it. If nobody in authority cares, then why should
         | I??
        
         | SystemOut wrote:
         | I hated this part of being on-call for government customers. I
         | had to go through some crazy adjudication process all for the
         | privilege of having to change my passwords every 60 days. And
         | even though I used a password manager for them I couldn't paste
         | them in because the VM I was required to use to access the
         | systems didn't allow pasting from the outside.
         | 
         | So I just typed them into notes on the VM and left them there.
        
         | Jtsummers wrote:
         | The insistence on the stupidly long passwords and 30-60 day
         | expiration times created _so_ many weaknesses. People choose
         | obvious patterns for their passwords to get around it. Like
         | `1q2w3e4r!Q@W#E$R`. Then they shift by one each time they have
         | to update, by the time they get across the keyboard they can
         | restart (or twice, in which case you swap the shift to the
         | first half instead of second half). Or, this was fun, my first
          | gov't job the guy had stored passwords on a sticky underneath
         | the keyboard (I changed them all). They also used a shared
         | account for admin stuffs, even though we were all given an
         | admin token (like the smart card or CAC for regular login, but
         | with admin credentials and issued separately).
         | 
         | In theory, the DOD CAC system (they've gotten better over the
         | years) eliminates the need for passwords entirely, but somehow
         | most teams never tie their system to it properly.
        
           | triangleman wrote:
           | >Or, this was fun, my first gov't job the guy had stored
           | passwords on a sticky underneath the keyboard (I changed them
           | all).
           | 
           | Nothing wrong with writing passwords down. Or at least it's
           | the least wrong thing you could do among all things mentioned
           | here.
        
             | vorpalhex wrote:
             | It depends entirely on your security and threat model. Me,
             | working from home? I'll write down the password for my
             | netflix account and wifi - sure.
             | 
             | In an office? Absolutely not, never, not once. Offices are
             | not private and not secure and in any kind of even vaguely
             | sensitive setting allowing a colleague to have access to
             | your password and impersonate you is a massive risk.
        
             | Jtsummers wrote:
             | I would partially agree with this. It's not _wrong_ to
             | write down passwords. It _is_ wrong to write them down and
             | not secure them. Securing them is the same step that
             | happens (or is intended to happen) with password managers.
             | The passwords are, themselves, encrypted in some fashion so
              | that they're not (easily) accessible to others. If these
              | passwords were _at least_ put in a locked cabinet, I'd
              | have felt better about it. A safe would've been even better
              | (and this is assuming that they needed to be shared, we had
              | security tokens that, if used properly, meant we _didn't_
             | need the passwords at all and each person would have a
             | unique access token for better accountability).
             | 
             | It is moronic to write passwords down and stick them
             | underneath the keyboard.
        
           | vngzs wrote:
           | NIST no longer suggests such a rotation policy. They have
           | accepted that it weakens security.
           | 
           | Anecdotally, colleagues have successfully lobbied to drop (or
           | not enforce) password expiration policies from other
           | government bodies on the strength of this recommendation from
           | NIST.
        
             | briffle wrote:
              | Yes, but as far as I have seen, no auditing/compliance
              | frameworks have updated their recommendations yet. Maybe
              | it's not the frameworks, but the individual auditors and
              | their templates, but I have seen it a 'requirement' for
              | PCI, Sarbanes-Oxley, etc.
             | 
              | it's much easier to keep it in place to make the auditors
             | happy than remove it, and risk exceptions on your report
             | that you have to defend.
        
             | jimnotgym wrote:
             | However I'm pretty sure PCIDSS does still say 90 days
        
               | boston_clone wrote:
               | all the more reason to prioritize minimization of scope
               | for PCI ;)
        
             | Jtsummers wrote:
             | Yeah, I know it's not actually recommended anymore, but the
             | policy makers don't care. They're doing CYA policy. They do
             | whatever seems to be the strongest possible thing, users
             | and reality be damned.
             | 
             | I was in a team whose security group eliminated the use of
             | DVD drives for _reading_ (not writing) data except for a
             | few permitted individuals. Creating a massive chokepoint in
             | every process where data had to come from off-network.
              | Security didn't care, it took the realization of the cost
             | (delays, people too busy moving data to do their actual
             | jobs) for management to step in and end the nonsense.
             | 
             | The same will be required for things like password
             | policies. Until the issue becomes realized (weak/written
             | passwords lead to a compromise), these policies will stay
             | in place within organizations and teams. It doesn't help
             | that the majority of the policy setters are _not_ IT
             | professionals (or only in the loosest sense, they can
             | install software but have no _real_ understanding of IT
             | systems). In DoD, most come from a physical security
              | background (retired/separated security forces).
        
               | mumblemumble wrote:
               | > They do whatever seems to be the strongest possible
               | thing
               | 
               | It's not that, it's inertia and poor incentive
               | structures.
               | 
               | In a large organization, if a policy was set in place by
               | someone else, then, even when you know it's a sub-par
               | policy, it's still in your interest to leave it alone.
               | Doing so gives you a way to deflect blame in the event of
               | a breach related to that decision. You can just blame the
               | policy itself. If, on the other hand, you change the
               | policy, you're more likely to be held personally
               | accountable.
               | 
               | That said, you're also absolutely right about the
               | expertise problem. I don't know much about government,
               | but, in private industry, I've observed that the best way
               | to get put in charge of cybersecurity is to start from
               | somewhere completely outside of IT, and become good
               | friends with the CEO.
        
               | craftinator wrote:
               | > It's not that, it's inertia and poor incentive
               | structures.
               | 
               | This is the psychological/economics point of view, and I
               | think it's the correct one for this problem. The other
               | tricky issue, besides the CYA prioritization, is that
               | being a dynamic entity requires other entities to do the
               | same. If you start changing procedures in your section,
               | other sections that rely on you need to adapt to these,
               | and they may have the CYA attitude and resist that
               | change.
        
             | kodah wrote:
             | Citation? I couldn't find anything on the web or here:
             | https://pages.nist.gov/800-63-3/sp800-63b.html
             | 
             | edit: I wasn't calling OP a liar, I just couldn't find it.
        
               | NovemberWhiskey wrote:
               | It's right there in section 5.1.1.2:
               | 
               |  _" Verifiers SHOULD NOT impose other composition rules
               | (e.g., requiring mixtures of different character types or
               | prohibiting consecutively repeated characters) for
               | memorized secrets. Verifiers SHOULD NOT require memorized
               | secrets to be changed arbitrarily (e.g., periodically)."_
        
               | hsbauauvhabzb wrote:
                | Harmj0y, who is probably the best public AD hacker right
                | now, suggests 3 month rotations, IIRC.
               | 
               | My guess is the idea is to mitigate compromise of very
               | old passwords, spray attacks using breached site creds,
               | reduce insider threat and at least offer some mitigation
               | for compromised hashes.
               | 
                | I think this is wise in work environments - 90 days, 180
                | or even 360 would be a good mitigation compared to _none_
                | or too many.
        
               | acdha wrote:
               | I think those concerns are better addressed elsewhere
               | with tools like MFA, automatically disabling inactive
               | accounts, or monitoring public services like HIBP to
               | deactivate accounts quickly. Attackers can move quickly
               | so you hit diminishing returns on rotation policies
               | trying to avoid usability issues incentivizing worse
               | passwords while not rotating long after the account has
               | been compromised.
        
               | alanning wrote:
                | Should be noted that NIST's current recommendations are
                | meant to be part of a number of mitigations including
                | checking passwords against known-breach databases, rate-
                | limiting, etc.
               | 
               | Without those other mitigations, pw rotation may still
               | help more than it hinders, although I am definitely not a
               | fan of it and recommend implementing all of the NIST's
               | recs instead.
               | 
               | For those looking to head that route, haveibeenpwned
               | offers an API to check hashes against previous breaches.
               | For a pw strength meter, have a look at zxcvbn.
        
           | [deleted]
        
           | Covzire wrote:
           | Indeed. Sports Team + Year, Season + Year, Company + Year or
           | some other such combination should get you a good 10% or more
           | of your users with only a few dozen permutations.
           | 
           | They wrote 60 days into FEDRAMP I believe, something I jaw-
           | droppingly realized last year sometime. Whoever is writing
           | these policy frames doesn't know what they're doing. NIST did
           | away with those periodic password change recommendations for
           | a very good reason but IMO they need to now recommend the
           | opposite, directly, because the constant password changes are
           | doing real harm.
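
One way to implement the verifier-side checks the two comments above describe (a compromised-credential lookup in the style of haveibeenpwned's k-anonymity range API, plus a blocklist for the Season + Year and Company + Year favourites of spray lists), as an added example that is not part of the original thread and is not code from haveibeenpwned, zxcvbn or any other tool named in it. It assumes a hypothetical `lookupRange` transport backed by a constructed in-memory table standing in for the HTTP service; the only real value in that table is SHA-1("password"), and even its breach count is invented. The company name and username in `main` are made up.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// constructedRanges stands in for the Pwned Passwords range API
// (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
// The live service answers with "SUFFIX:COUNT" lines. These lines are made up
// for the example; only the first suffix is real (it is SHA-1("password")),
// and its count is invented.
var constructedRanges = map[string]string{
	"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n" +
		"1F2B7C0C3F0E3D5A5B8B3C2D1E0F9A8B7C6:2\r\n" +
		"2A3B4C5D6E7F8091A2B3C4D5E6F708192A3:17\r\n",
}

// lookupRange is a hypothetical transport; a real deployment swaps in an
// HTTP GET of the URL above with the same 5-character prefix.
func lookupRange(prefix string) (string, error) {
	return constructedRanges[prefix], nil
}

// PwnedCount implements the k-anonymity lookup: only the first 5 hex chars of
// the SHA-1 leave the machine, and the suffix comparison happens locally.
func PwnedCount(password string, rangeFn func(string) (string, error)) (int, error) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	prefix, suffix := h[:5], h[5:]
	body, err := rangeFn(prefix)
	if err != nil {
		return 0, err
	}
	for _, line := range strings.Split(body, "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) == 2 && parts[0] == suffix {
			return strconv.Atoi(parts[1])
		}
	}
	return 0, nil
}

// seasonYear catches the Season + Year family from password-spray lists
// ("Summer2020!", "winter-21"). Sports teams and the company name go in the
// context-word list instead, since they differ per organisation.
var seasonYear = regexp.MustCompile(`(?i)^(spring|summer|fall|autumn|winter)[-_ ]?(19|20)?\d{2}[!.@#$]*$`)

func containsContextWord(password string, words []string) bool {
	lower := strings.ToLower(password)
	for _, w := range words {
		if w != "" && strings.Contains(lower, strings.ToLower(w)) {
			return true
		}
	}
	return false
}

// CheckMemorizedSecret applies the verifier-side rules of NIST SP 800-63B
// 5.1.1.2 that the thread is discussing: a length floor, a blocklist of
// predictable and context-specific values, and a compromised-credential
// check. No composition rules and no periodic expiry. It returns whether the
// secret is acceptable and, if not, why.
func CheckMemorizedSecret(password string, contextWords []string, rangeFn func(string) (string, error)) (bool, string, error) {
	if len([]rune(password)) < 8 {
		return false, "shorter than 8 characters", nil
	}
	if seasonYear.MatchString(password) {
		return false, "season + year pattern from spray lists", nil
	}
	if containsContextWord(password, contextWords) {
		return false, "contains a context-specific word (company, team, username)", nil
	}
	n, err := PwnedCount(password, rangeFn)
	if err != nil {
		return false, "", err // breach lookup failed: surface it, do not silently accept
	}
	if n > 0 {
		return false, fmt.Sprintf("seen %d times in known breaches", n), nil
	}
	return true, "", nil
}

func main() {
	ctx := []string{"acme", "jdoe"} // hypothetical company name and username
	for _, pw := range []string{"Summer2020!", "Acme2021", "password", "correct horse battery staple"} {
		ok, why, err := CheckMemorizedSecret(pw, ctx, lookupRange)
		fmt.Printf("%-32q accept=%-5v %s %v\n", pw, ok, why, err)
	}
}
```

The order of the checks matters: the cheap local checks run first, and the range lookup only happens for candidates that survive them, so the remote service sees as few prefixes as possible. A lookup failure is returned as an error rather than treated as "not found", because silently accepting on outage turns the breach check into a no-op exactly when an attacker would want it to be.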
        
             | throwaway894345 wrote:
             | According to another comment, they do:
             | 
             | > It's right there in section 5.1.1.2: "Verifiers SHOULD
             | NOT impose other composition rules (e.g., requiring
             | mixtures of different character types or prohibiting
             | consecutively repeated characters) for memorized secrets.
             | Verifiers SHOULD NOT require memorized secrets to be
             | changed arbitrarily (e.g., periodically)."
             | 
             | https://news.ycombinator.com/item?id=25421584
        
           | toomuchtodo wrote:
           | What's preventing more rapid uptake of integrating with the
           | CAC system? I can use my CAC when going through TSA for ID
           | (and verification is sub 10 seconds) but other agencies keep
           | dragging their feet.
        
             | Jtsummers wrote:
             | It seems to be laziness on the part of the IT system
             | makers. There are (mostly) standardized ways to
             | authenticate a CAC and associate it with a user for an
             | information system. But people seem to prefer to roll their
             | own. Either using traditional username/password combos, or
             | a worse solution.
             | 
             | The worse one is this (seen a few times): Username/password
             | and _then_ you register your CAC with it. They only check
             | the CAC itself for the cert expiration date. When it does
             | finally expire (or gets revoked, say you need a new one
             | early like happened to me a couple times, not due to loss,
             | it just became unreliable in the CAC reader), then you have
             | to use the username/password combo (the password has been
             | getting updated every 60-90 days during all this time) and
             | register your new CAC.
             | 
             | But, since they aren't checking revocation data a stolen
             | CAC + PIN (say it's weak, beaten out of you, or they
             | observe you using it) even _revoked_ would still be able to
             | authenticate against that system until the cert expires or
             | the admin (usually) manually removes the revoked CAC.
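
The difference between the two verifier behaviours described above, as an added example (not from the thread, and not DoD PKI or any real CAC-enabled system): a throwaway in-memory issuing CA, a client certificate standing in for the card's authentication certificate, and a CRL signed by that CA. `ExpiryOnly` is the weak check (chain plus validity dates); `WithRevocation` adds the CRL lookup and fails closed when the CRL does not verify or is past its NextUpdate. Subject names, serial numbers and validity periods are invented; a production verifier would fetch the issuer's CRL distribution point or query OCSP instead of building the CRL itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a throwaway in-memory PKI: an issuing CA, a client cert standing in
// for the card's authentication cert, and a CRL signed by that CA. Not DoD PKI.
type DemoPKI struct {
	CA     *x509.Certificate
	Client *x509.Certificate
	CRLDER []byte
}

func must[T any](v T, err error) T { // fixture setup only; the verifiers return errors
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parent (self-signed when parent is nil) using a fresh
// P-256 key. Go fills in the CA's SubjectKeyId, which CreateRevocationList needs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildPKI issues the CA and client cert and a CRL that lists the client's
// serial when revokeClient is set. Names and serials are made up.
func BuildPKI(now time.Time, revokeClient bool) *DemoPKI {
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	client, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "DOE.JANE.1234567890"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(3 * 365 * 24 * time.Hour), // dates alone say valid for years
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	if revokeClient {
		crl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: now}}
	}
	return &DemoPKI{CA: ca, Client: client, CRLDER: must(x509.CreateRevocationList(rand.Reader, crl, ca, caKey))}
}

// ExpiryOnly is the weak check from the thread: chain to our CA plus validity
// dates, nothing more. A revoked card keeps authenticating until NotAfter.
func ExpiryOnly(p *DemoPKI, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	_, err := p.Client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// WithRevocation runs the same chain check, then consults the CRL: it must verify
// under the issuing CA and be inside its NextUpdate window, otherwise fail closed.
func WithRevocation(p *DemoPKI, now time.Time) error {
	if err := ExpiryOnly(p, now); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(p.CRLDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(p.CA); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL past NextUpdate (%s): refusing to authenticate on stale revocation data", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Client.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", rc.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	p := BuildPKI(time.Now(), true) // card reported lost: serial 1001 is on the CRL
	fmt.Println("expiry-only check:     ", ExpiryOnly(p, time.Now()))     // <nil>: still accepted
	fmt.Println("with revocation check: ", WithRevocation(p, time.Now())) // revoked
}
```

The stale-CRL branch is the part that tends to get skipped: a verifier that cannot obtain fresh revocation data and quietly proceeds is, from the attacker's point of view, the expiry-only verifier again.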
        
               | toomuchtodo wrote:
               | As an IAM/trust systems enthusiast with a passing
               | interest in the CAC system (and tangentially, Login.gov),
               | this is disappointing to hear. Thanks for the context.
               | I'll keep my eye out for opportunities to contribute to
               | improving the situation (USDS or 18F).
        
         | mNovak wrote:
         | You should check out the new CMMC requirements -- basically a
         | new set of basic cyber security requirements for all DoD
         | suppliers, starting next year.
         | 
         | It's heavily based on the NIST guidelines, so strong on 2FA,
         | and discourages arbitrary password rotation.
        
       | imchillyb wrote:
       | RELEVANT XKCD:
       | 
       | https://xkcd.com/936/
        
         | lovecg wrote:
         | Though it should be noted those "4 random word" passwords are
         | strong only if the words are truly random (and the string is
         | less likely to be memorable in this case).
         | 
         | A password generator that allows retries means people will hit
         | that button until the string is memorable, reducing the
         | entropy.
        
       | vngzs wrote:
       | Since this is a supply chain attack on software downloads, I
       | think it's interesting to consider the implications for the
       | security posture of a cloud-native organization. While cloud-
       | native is commonly recognized as less secure (because the cloud
       | provider could be hacked!), there are a few categories of attacks
       | exclusive to onprem software deployments:
       | 
       | 1. You misconfigure the onprem software, making it more insecure
       | than the alternatives. This does not occur with SaaS products.
       | 
       | 2. The software delivery system is tampered with, and you
       | download and run malicious code on your systems with high
       | privileges. If you don't run it, this can't happen.
       | 
       | Cloud deployments aren't obviously safer, but they have clear
       | advantages unless you are willing to pay top people to work on
       | and secure each onprem deployment full-time.
       | 
       | NB: I don't actually believe "the cloud" is fundamentally more or
       | less secure than onprem deployments. Rather, I frequently hear
       | people argue that a website being hacked - or the potential for
       | it - justifies a movement to onprem, and I think this is
       | (usually) false.
        
         | tyldum wrote:
         | Things aren't black or white, but SaaS typically removes one
         | layer of security (the corporate firewall). Misconfigurations
         | are then typically exposed to the whole world.
        
         | caminocorner wrote:
         | > While cloud-native is commonly recognized as less secure
         | (because the cloud provider could be hacked!)
         | 
         | That's not a common recognition by any means. Cloud providers
         | are more secure and spend more on infosec than any business
         | managing their own tech & data centers. Pretending that the
         | cloud provider being the point of entry is in the same ball
         | park of risk (or greater risk) is a strange talking point in
         | 2020
        
         | jsty wrote:
         | Whilst not being a "cloud is someone else's computer" adherent,
         | the notion SaaS products can't be misconfigured into opening up
         | security holes not present / so serious in some on-prem
         | environments doesn't hold water - see the last decade's stories
         | of accidentally open S3 buckets, plaintext secrets pushed to
         | public GitHub repos, and all manner of other "minor
         | misconfigurations"
        
       | just_steve_h wrote:
       | So far I've seen ZERO EVIDENCE. Reuters and the Washington Post
       | have breathless claims of Russian hackers "according to officials
       | familiar with the matter." Uh huh.
       | 
       | Saying "APT29" or "CozyBear" doesn't make the accusation any more
       | credible.
       | 
       | If multiple US agencies are trumpeting the same story, you really
       | must ask yourself "Why? Why this? Why now?"
       | 
       | It's pretty amusing, in a depressing way, to see how quickly so
       | many otherwise intelligent people can be made to snap to
       | attention and fight the Russian Menace with a few anonymous
       | government claims.
        
         | jen729w wrote:
         | Given the scope of this product -- basically everyone runs it
         | -- any chance that this is some sort of hoax will be mitigated
         | by the "too large to be a hoax" thing. Probably some sort of
         | fallacy whose name I don't know.
         | 
         | See: moon landing. Of course we went to the moon otherwise,
         | what, 50,000 people are keeping a perfect and scandalous secret
         | for half a century?
        
           | jiggawatts wrote:
           | The best proof that the United States went to the Moon is
           | that there was extensive Russian spying going on at the time,
           | but Russia never claimed that the US was lying about the
           | Apollo program.
        
         | icedistilled wrote:
         | Why are there so many people who absolutely deny Russia does
         | any hacking.
         | 
         | It's always some big conspiracy theory that multiple cyber
         | security agencies, all the three letter agencies, and multiple
         | news agencies are in on.
         | 
         | I'd bring up tin foil hats, but nowadays we can make fabric
         | faraday cages so we can all be fashionable no matter what we
         | believe.
        
           | ehsankia wrote:
           | I'm curious, are people saying that "Russia doesn't do any
           | hacking" or that "there isn't yet enough evidence that this
           | specific attack is by Russia". Those are two very different
           | claims.
           | 
           | I don't think there's any doubt about the former claim,
           | personally. The latter though, I think it's too early to
           | tell, especially since we've seen recently how certain
           | hackers have explicitly started putting bait signs from other
           | nation-states to misdirect.
        
           | jeffreyrogers wrote:
           | He's not denying Russia does hacking. He's saying there is no
           | evidence that ties this to Russia over any other group. Maybe
           | Russia is most likely based on priors, but I don't think the
           | average HN commenter has an accurate estimate of nation-state
           | hacking frequencies.
        
           | njharman wrote:
           | > Why are there so many people who absolutely deny Russia
           | does any hacking.
           | 
           | Because there are many people paid to do so. (and soon if not
           | already automated bots).
        
             | La1n wrote:
             | Not everyone who questions something is a paid shill.
        
       | ineedasername wrote:
       | Could someone explain what a "supply chain" exploit is?
        
         | vsareto wrote:
         | https://attack.mitre.org/techniques/T1195/ as an example
        
       | Dirlewanger wrote:
       | These breaches will continue to happen, and happen...and happen
       | until our limp-dick federal government gives a shit and starts to
       | punish companies for their malicious malfeasance regarding IT
       | security.
        
         | andromeduck wrote:
         | This is the same congress that moved to largely indemnify
         | Equifax?
        
         | IronRanger wrote:
         | And until we end the H1B visa and only allow Americans or
         | American allies to run the IT systems of companies in America.
        
       | jorblumesea wrote:
       | So basically, Russians had the highest level of access to every
       | large company and most government agencies in the US? (Including
       | defense, DOD, pentagon)
       | 
       | If so, this is on scale with the OPM hack in 2015. This is huge.
       | 
       | Smart to use the election timing while authorities were focused
       | elsewhere.
        
         | colinmhayes wrote:
           | Is there any actual evidence that this was Russia? All I've
           | seen so far is SolarWinds' unsubstantiated claim.
        
           | jorblumesea wrote:
           | Attribution is very difficult in this space. According to
           | most articles I've read, senior officials believe it's Russia
           | (and it makes sense given the scope/scale) but smoking guns
           | are hard to find.
        
             | jeffreyrogers wrote:
             | The Russia attribution track record is not very good. E.g.
             | that Afghanistan bounty story appears doubtful and many of
             | the earlier allegations of ties between the Trump
             | administration and Russia were not substantiated.
             | 
             | Not that Russia is not a threat to the US, but there is a
             | sizable part of the federal bureaucracy that wants to pin
             | things on Russia for various reasons (it's not all anti-
             | Trump either).
             | 
             | Edit: Downvoters, feel free to prove me wrong. Here's one
             | source for my claims[0]
             | 
             | [0]: https://www.nbcnews.com/politics/national-
             | security/u-s-comma...
        
           | thisisdallas wrote:
           | No, not at all. It's political theatre the media is playing.
           | Russia has been the big bad wolf since 2016. It's far more
           | likely China than Russia, although it could be a variety of
           | different states/parties.
        
             | outworlder wrote:
             | > Russia has been the big bad wolf since 2016.
             | 
             | For a very good reason.
        
               | realmod wrote:
               | I still cannot help but laugh at the intentional
               | ignorance by a lot of people in the US right now. They
               | have for some reason (we all know why) gotten the notion
               | that Russia is some kind of innocent nation that does
               | nothing at all and that US is unreasonably antagonistic
               | against Russia.
               | 
               | Russia is in NO uncertain terms a hostile and aggressive
               | nation that we all need to be wary of.
        
           | miguelmota wrote:
            | It's not fully confirmed yet but it's probable it's the same
            | 'Cozy Bear' Russian hack group that hacked the State
            | Department and White House email servers during the Obama
            | administration.
        
       | [deleted]
        
       | afrcnc wrote:
       | duplicate: https://news.ycombinator.com/item?id=25413053 and a
       | few others
        
       | ummonk wrote:
       | For a minute I misparsed the title and thought that the US
       | Treasury and Commerce departments' staff hacked their way around
       | a SolarWinds compromise. That would have been cooler.
        
       | ethanolburner wrote:
       | Just to add, 15 mins ago Chris Bing from Reuters and other
       | journalists confirmed the U.S. Department of Homeland Security to
       | be the 3rd agency to be impacted [1].
       | 
       | I suspect there will likely be further agencies and of course
       | private companies to come forward in the upcoming weeks/months.
       | 
       | [1] https://twitter.com/Bing_Chris/status/1338552048342753288
        
       | pmlnr wrote:
       | Sigh.
       | 
       | "Engineers are expensive, so don't build, buy!"
       | 
       | How about... the middle way? Let your own engineers deploy open
       | source, something you can verify, even audit, if you ever have
       | to.
       | 
       | Ah, I forgot. Those usually don't come with fat envelopes from
       | the provider to the people making the decisions.
        
       | DougN7 wrote:
       | It should be noted that everyone with a recent version of
       | SolarWinds installed is considered exposed - not just the US gov
        
       | swalsh wrote:
       | So, am I reading this right? the Russian government had the
       | ability to impersonate the credentials of ANYONE in the majority
       | of the fortune 500, the US Government, the US DOD, and our
       | telecomm infrastructure... and they likely had this access for a
       | while.
       | 
       | How is this NOT an act of war?
        
         | abvdasker wrote:
         | Anyone calling for war between the largest nuclear power and
         | second-largest nuclear power is insane or ignorant. To even
         | suggest something like that is obscene given the
         | incomprehensible loss of life it would entail. I think most
         | people who can remember it would agree that it's a good thing
         | the Cold War stayed cold.
        
         | pvg wrote:
         | _How is this NOT an act of war?_
         | 
         | Very simply because it's not an act anyone would initiate armed
         | conflict over.
        
         | yibg wrote:
         | Every country does this to every other country that they
         | can. Not like the US doesn't (or at least try to) pull off
         | stuff like this too. So if it's an act of war then every major
         | power has pretty much at some point declared war on every other
         | major power, even allies.
        
         | UnpossibleJim wrote:
         | As I'm forced to speculate, because it is inconvenient for us
         | to call it an act of war. We routinely conduct cyber espionage
         | missions on other countries and "probe" their cyber defenses.
         | If we were to call this an all out act of war, then we would
         | also be found guilty of unprovoked acts of war on many other
         | countries, including allied countries. So, too, would many
         | other countries. This is the new spywork.
        
         | wavefunction wrote:
         | Russia has a policy where they allow "patriotic hackers" to
         | operate freely while turning a blind eye to their actions. The
         | Kremlin even mentioned this in their disavowal.
        
           | dragonwriter wrote:
           | While I disagree with the claim that merely having the
           | capacity is an act of war, doing something that would be an
           | act of war through privateers rather than official state
           | forces doesn't make it any less an act of war than it
           | otherwise would be.
        
         | Nginx487 wrote:
         | It is. Hope that, after the new administration takes office, a
         | "hell sanctions" package will be approved, as well as closing
         | Russian embassies and increasing military pressure on its
         | borders. Sanctions already work, and the Russian regime does not
         | enjoy a variety of options to oppose them.
        
         | Consultant32452 wrote:
         | We (the public) have not been provided evidence that this was
         | Russia. Let's not get ahead of ourselves. Some anonymous people
         | claimed it's Russia. That is meaningless.
        
           | bduerst wrote:
           | It's from sources vetted by Reuters. Their public-facing
           | anonymity was required for coming forward.
           | 
           | https://www.reuters.com/article/uk-usa-cyber-treasury-
           | exclus...
        
             | Consultant32452 wrote:
             | Right, so anonymous sources who provided no evidence to the
             | public. It's meaningless.
        
         | dragonwriter wrote:
         | Having the capacity isn't an act of war, in the same way that
         | having the much more significant capacity to obliterate major
         | population centers isn't.
         | 
         | How the capacity is applied may be another story.
        
           | [deleted]
        
         | beamatronic wrote:
         | Are you personally willing to go to war? Are you willing to be
         | a foot soldier? Do you wish to kill? Do you wish to be killed?
        
           | skinkestek wrote:
           | I do not want to go to war over _this_ , and generally I have
           | friends from a number of countries in the east but make no
           | mistake: if my country asks me to defend its borders or even
           | NATO borders I'll be there[1], even if it is many years since
           | I finished draft and I now have a family. The alternative
           | will probably be worse.
           | 
           | Anyways, no sane, decent person should wish a war.
           | 
           | [1]: I am a whole lot less interested in defending us around
           | the middle East and in Afghanistan though.
        
         | SpaceRaccoon wrote:
         | Did you also consider this[0] an act of war?
         | 
         | [0] (U.S. Escalates Online Attacks on Russia's Power Grid) [
         | https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-r...
         | ]
        
         | citilife wrote:
         | > the Russian government
         | 
         | You sure about that? "They" have been claiming Russia is the
         | boogie man for years, but it's _never_ been proven. In this
         | case, it does appear like a complex hack. Wouldn't be
         | surprised if it's China, Iran, North Korea, Russia, U.S.
         | Government (yes, hacking itself), etc.
        
           | mrlala wrote:
           | Who is "they"? And what hasn't been proven, are you referring
           | to Russian interference in 2016?
        
         | anaganisk wrote:
         | And how many such tools have been employed by CIA? So are all
         | the other countries supposed to wage war against US? Govt's all
         | over the world do shady shit, constantly. Sometimes they get
         | caught, sometimes they don't. Men in power use tensions to stay
         | in power; waging wars against more powerful/equal nations won't
         | help the men in power on either side.
        
         | kerng wrote:
         | Tense is wrong, they have this ability RIGHT NOW to a very high
         | degree of certainty.
         | 
         | Just because the tip of the iceberg has been discovered doesn't
         | mean its mitigated. Even Fireeye is probably still compromised.
         | It will take a while to understand the actual scope of this.
         | 
         | And in the meantime new attacks are likely happening also.
        
           | jessaustin wrote:
           | Hopefully they'll find out some horrible things that our
           | public servan^Wmasters are doing, and leak it to Wikileaks...
           | where have I heard that before?
        
         | COGlory wrote:
         | If it wasn't Russia (and the evidence supporting that it was
         | hasn't been released yet) it would be literally anyone else.
         | North Korea. Iran. Even our allies. Some 400lb dude sitting in
         | his parents basement in New Jersey. And the US is doing this,
         | or attempting to do this, to many other countries.
         | 
         | Ultimately, the hack is the practical responsibility of the
         | victim.
         | 
         | Don't fall for the Kissinger style war mongering.
        
         | tessierashpool wrote:
         | The entire Trump administration's been an act of war. They got
         | classified intel, private phone calls with the president,
         | numerous concessions, everything they could have possibly
         | wanted in terms of foreign policy, including an abrupt and
         | chaotic withdrawal from Syria where Russian troops literally
         | took over American bases, and a significant number of GOP
         | congressional representatives visiting Moscow on July 4th
         | together, with no American press there to cover the event or
         | tell us who they met with, what they discussed, or why they
         | went.
         | 
         | There's also evidence that Russia infiltrated the Treasury in
         | 2015, unrelated to the election interference afterwards.
         | 
         | It's been war for a long time, and we have not been winning.
        
           | robertlagrant wrote:
           | On the plus side, no actual wars were started or joined. Like
           | Jimmy Carter.
        
         | nromiun wrote:
         | Am I missing something? Why is everyone so sure that it is
         | Russia? Are they the only ones with access to computers beside
         | US?
        
           | Consultant32452 wrote:
           | Because Russia has somewhat of an oil monopoly in Europe and
           | the US doesn't like that. We've been fed Russia war
           | propaganda for at least a decade. If it even feels like a
           | "Russia kind of thing" to the general public that is just the
           | result of intentional conditioning by warmongers.
           | 
           | It could have been literally any major world power, including
           | our allies. No evidence has been presented whatsoever as to
           | who the culprit is.
        
             | jessaustin wrote:
             | Hell, it could be a different part of the USA government,
             | like those "sonic embassy attacks" were.
        
           | Anon4Now wrote:
           | Don't you know? Liberals automatically blame Russia.
           | Conservatives automatically blame China. Me, I Blame Canada.
           | Damn you, Gordon Lightfoot!
        
           | DethNinja wrote:
           | Because it definitely couldn't be China or any other country.
        
           | mistermann wrote:
           | Psychological conditioning is my theory. If you think about
           | it, has this not been a rather popular news item for many
           | years? If people should not get their perception of world
           | affairs from the news, then from where should they get it?
        
         | justaman wrote:
         | It is an act of war. Be suspect of anyone downplaying.
        
           | jessaustin wrote:
           | That's what all the SolarWinds people are saying!
        
             | justaman wrote:
             | I suspect I'm being downvoted by foreign agents.
        
               | jessaustin wrote:
               | We can't rule out that possibility, but I also downvoted
               | that comment. HN needs less paranoia.
               | 
               | [EDIT:] although, with the more recent comment you have
               | approached tantalizingly close to possible irony. So, I
               | upvoted that.
        
         | sorokod wrote:
         | If you had an experience of an actual war, you would NOT have
         | asked this question.
        
         | rossdavidh wrote:
         | Well, that is very similar to asking how it is that
         | conventional spying is not an act of war. It isn't, because
         | everyone is going to be doing it anyway, so if you make that an
         | act of war we have war all the time, rather than nations not
         | doing it.
        
         | bluedino wrote:
         | If it were Iran, Turkey, etc the missiles would already be in
         | the air
        
         | randmeerkat wrote:
         | If the U.S. didn't go to war over Crimea why would they go to
         | war over this?
        
           | xtracto wrote:
           | Because Crimea is another country/outside of usa
           | jurisdiction? Whereas this is a direct attack to USA
           | institutions/government.
        
             | randmeerkat wrote:
             | This isn't an attack _yet_. This is potentially a part of
             | the process of developing the capabilities for a later
             | attack.
             | 
             | Crimea is the first time a nation state has meaningfully
             | changed its borders that I know of since WW2. As a result I
             | would consider Crimea a much more egregious attack on
             | American values and western interests than a software
             | vulnerability that hasn't been leveraged to cause actual
             | harm.
        
         | 8note wrote:
         | The US executive branch is favourable to Russian interference.
         | They're invited
        
         | ars wrote:
         | > How is this NOT an act of war?
         | 
         | Because spying is not an act of war.
         | 
         | If it was, the entire world would be at war with the entire
         | world.
        
         | aaomidi wrote:
         | Lmao act of war. You going to fight?
         | 
           | This is just what countries do to each other. Welcome to the
           | 21st century.
        
           | lovecg wrote:
           | And 20th, 19th, 18th, etc. The methods change, the spying is
           | constant.
        
           | maedla wrote:
           | It is appalling how so many people seem to have such little
           | regard for what the consequences of the next "war to end all
           | wars" would be.
        
         | georgiecasey wrote:
         | > How is this NOT an act of war?
         | 
         | So you want bombing to start over this? I don't.
        
         | jimbokun wrote:
         | So it's an act of war. Now what?
         | 
         | Does the US escalate to a shooting war with the second biggest
         | nuclear power in the world?
         | 
         | So it's not surprising Russia thinks they can act with a lot of
         | impunity without facing catastrophic consequences.
        
           | swalsh wrote:
           | We can try sanctions, but we've pretty much maxed out that
           | route after the Crimea annexation.
           | 
           | If we do nothing, we're sending the message that these
           | actions are okay.
        
             | nemothekid wrote:
| > _If we do nothing, we're sending the message that these
| actions are okay._
             | 
             | I think it sends the message that these actions won't
             | trigger nuclear war. How would you even get public support
             | for war with Russia?
        
               | [deleted]
        
             | spand wrote:
             | Does anyone believe the US isn't doing similar shit
             | themselves ? In that light it seems pretty disingenuous to
             | call out others for the same act.
        
             | jessaustin wrote:
             | Maybe we should "send the message" that we won't install
             | insecure shit on our networks?
        
               | asimovfan wrote:
               | no... nuclear war before free software.
        
               | alasdair_ wrote:
               | Microsoft's rejected new slogan.
        
             | wonder_er wrote:
             | The US Government does stuff like this to other countries
             | all. the. time.
             | 
             | We don't hear about it much. But if this is an "act of war"
             | the US has conducted dozens of these kinds of "attacks" on
             | others over the last ten or fifteen years.
             | 
|  _Countdown to Zero Day: Stuxnet and the Launch of the
| World's First Digital Weapon_ [0]
             | 
             | [0]: https://www.amazon.com/Countdown-Zero-Day-Stuxnet-
             | Digital-eb...
        
             | eunos wrote:
| One of the shortcomings of a maximalist position: you lose
| your leverage.
        
             | tfehring wrote:
             | We aren't even close to maxing out what could be
             | accomplished with economic sanctions! The US and Russia
             | still have a direct trading relationship!
        
           | smithza wrote:
           | US imposed individual sanctions and explicitly named hackers
           | from the GRU after the DOD investigated 2016 election
           | hacking, effectively authorizing their arrest if stepping on
           | western soil. This will be handled diplomatically through the
| State Dept. first. There is little incentive to start a
| war with Russia, I don't think.
        
             | x86_64Ubuntu wrote:
             | I may be wrong, but I thought members of the security
             | apparatus weren't allowed to leave the country in Russia? I
             | may be horrendously wrong, but I thought someone mentioned
             | that when these sanctions came out about Guccifer 2 and
             | such.
        
           | tomatotomato37 wrote:
           | There are ways for US to retaliate through espionage, such as
| doing a mass round-up of minor Russian spy assets that
| usually aren't worth the effort to go after, going after
| Russian operations in places in which neither country has
| jurisdiction, exposing blackmail of some random oligarch,
| stirring up unrest with plausible deniability, etc.
           | 
           | Essentially make life difficult for the people who actually
           | run Russia.
        
       | hn_throwaway_99 wrote:
       | > Malicious code added to an Orion software update may have gone
       | undetected by antivirus software and other security tools on host
       | systems thanks in part to guidance from SolarWinds itself. In
       | this support advisory, SolarWinds says its products may not work
       | properly unless their file directories are exempted from
       | antivirus scans and group policy object restrictions.
       | 
       | Ouch!
        
         | dj_mc_merlin wrote:
         | Not uncommon for software that has to do very "shady" stuff,
         | although their other advisories are quite bullcrap.
        
           | octopoc wrote:
           | It's not just shady stuff. Recently, on a customer's Windows
           | server, antivirus software randomly decided to permanently
| delete some of our DLLs (!). We weren't doing anything remotely
| shady; it was a normal ASP.NET Core app.
        
             | mandevil wrote:
             | Also, any task that involves reading or writing files will,
| in the presence of customer antivirus software, turn into a
| random number generator on whether the read/write goes
             | through at all, how long it takes, etc. We are constantly
             | having issues with customer AV because of this.
        
             | dj_mc_merlin wrote:
             | Yes, the shady was in quotes. It's hard to tell some
             | classes of malware from a security program in general.
        
       | thesimon wrote:
       | SolarWinds hasn't bothered to revoke their certs or remove the
       | package
       | 
       | https://twitter.com/KyleHanslovan/status/1338360093767823362
       | 
       | Back in 2019 apparently their FTP server credentials were exposed
       | on GitHub, allowing automated updates being pushed
       | 
       | https://twitter.com/vinodsparrow/status/1338431183588188160/...
       | 
       | Edit: If updates failed due to signature not matching, SolarWinds
       | recommended downloading the package and installing it manually,
       | LOL
       | 
       | https://twitter.com/KyleHanslovan/status/1338419999665508354...
        
         | Merman_Mike wrote:
         | Am I understanding the last one correctly?
         | 
| 1. Customers complain that they can't install the latest version
| because its checksum doesn't match what SolarWinds posted
         | 
         | 2. The checksum doesn't match because malware has been inserted
         | into the package during build/delivery
         | 
         | 3. SolarWinds tells customers to ignore this and install it
         | manually
         | 
| Did no one think to check _why_ the checksum didn't match?
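
The check the comment above is asking for, as an added example (not SolarWinds code and not from the linked tweets): a fail-closed verifier that compares every file in a delivered package against a published checksum manifest and refuses to approve installation if anything is missing or differs. The right response to step 3 in the list above is exactly the opposite of "install it manually": a mismatch is a stop-and-investigate signal, never something to work around. The manifest format assumed here is the sha256sum style ("<hex digest>  <filename>"); the file names and contents in the demo are constructed for illustration, and this checks a published hash only, not an Authenticode signature.

```python
"""Fail-closed verification of a downloaded update against a published
SHA-256 manifest.  Added example; the manifest format (sha256sum style)
and all sample files are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path

HEX_CHARS = set("0123456789abcdef")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<sha256>  <filename>' lines into {filename: hexdigest}.

    Malformed lines raise instead of being skipped: a manifest you cannot
    parse is not a manifest you can trust."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts[0].lower(), parts[1]
        if len(digest) != 64 or not set(digest) <= HEX_CHARS:
            raise ValueError(f"bad SHA-256 digest on line {lineno}: {parts[0]!r}")
        # sha256sum prefixes the name with '*' for files hashed in binary mode
        expected[name.lstrip("*")] = digest
    return expected


def verify_package(directory, manifest_text):
    """Return (ok, report).

    ok is True only when every file listed in the manifest exists and
    matches.  Anything else (missing file, mismatch, empty manifest) is a
    refusal; the report says which file tripped it so someone can go and
    find out why, rather than clicking through."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            report[name] = "MISSING"
            continue
        report[name] = "OK" if sha256_of_file(path) == digest else "MISMATCH"
    ok = bool(report) and all(status == "OK" for status in report.values())
    return ok, report


def demo():
    """Constructed scenario: a manifest published for a clean build, then a
    delivered package in which one component was altered after the
    manifest was produced.  Returns (clean_ok, tampered_ok, tampered_report)."""
    clean = {
        "update.msi": b"constructed installer bytes\n",
        "helper.dll": b"constructed clean library bytes\n",
    }
    manifest = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in clean.items()
    )
    with tempfile.TemporaryDirectory() as d:
        for name, data in clean.items():
            (Path(d) / name).write_bytes(data)
        clean_ok, _ = verify_package(d, manifest)

        # Simulate a post-build modification of one shipped file.
        (Path(d) / "helper.dll").write_bytes(clean["helper.dll"] + b"# appended\n")
        tampered_ok, report = verify_package(d, manifest)
    return clean_ok, tampered_ok, report


if __name__ == "__main__":
    clean_ok, tampered_ok, report = demo()
    print("clean package approved:", clean_ok)
    print("tampered package approved:", tampered_ok)
    for name, status in report.items():
        print(f"  {name}: {status}")
```

The verifier is deliberately all-or-nothing: one MISMATCH or MISSING entry blocks the whole install, because a package with a single altered component is exactly the case a checksum exists to catch.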
        
           | [deleted]
        
           | jessaustin wrote:
           | One suspects they've given this advice for a long time...
           | because their shit has been hacked for a long time.
        
             | gitweb wrote:
             | I don't understand why anyone would pay for SW in the first
             | place. It has been garbage software for a long time. If
             | government clients are paying for this and installing in on
             | their servers, we have bigger worries.
        
           | RobRivera wrote:
| SolarWinds is def. used by active duty cyber units at
| Lackland AFB...and they wonder why we tell them they can't
| just install what they feel like.
        
           | eli wrote:
           | #2 is speculation. Seems possible that there's an unrelated
           | bug causing checksum errors. In any event, it's not a good
           | look right now.
        
         | swiley wrote:
         | I guess if you can be as successful as SolarWinds with that
         | level of incompetence I should stop worrying so much about
         | myself.
        
           | spondyl wrote:
           | You'd be surprised honestly
        
         | 1vuio0pswjnm7 wrote:
         | Is it possible that there could be SolarWinds customers who are
         | not vulnerable because, for whatever reason, they did not
         | enable/install updates. Were updates to the Orion software
         | necessary for the original software to continue to function or
         | were they optional.
        
           | zimpenfish wrote:
           | They've said that 33k customers were potentially exposed but
           | only 18k actually downloaded that update.
           | 
           | https://www.zdnet.com/article/sec-filings-solarwinds-
           | says-18...
        
         | Nightshaxx wrote:
         | LOL that last one. Why bother having the checksum at all in
         | this case....
        
         | coldcode wrote:
         | Clearly whoever is the CIO/CISO could care less? I find it
         | hilarious that people get these positions without seemingly a
         | care in the world. Or maybe they do care and the CEO didn't?
         | Hardly anyone ever gets fired in these circumstances.
        
           | ilikeerp wrote:
           | Surely he COULDN'T care less?
        
         | 35fbe7d3d5b9 wrote:
         | > SolarWinds hasn't bothered to revoke their certs or remove
         | the package
         | 
|  _Amazing._ While I'm sure the attackers have already shut up
| shop and the threat no longer exists, this feels insanely tone-
| deaf from SolarWinds.
        
           | bluedino wrote:
           | Maybe they were just bribed?
        
             | 35fbe7d3d5b9 wrote:
             | An employee, possibly. The whole company, unlikely. And
             | either way, even if someone was bribed to introduce the
             | attack there's zero reason to allow the hacked software to
             | be downloaded now.
             | 
             | I work at a large and highly regulated (HIPAA) company and
             | we have the equivalent of Electric Dylan/Pete Seeger with
             | the axe: if someone at the VP+ level declares a major
             | incident, our infosec team has a script that will lock down
             | all inbound/outbound traffic, snapshot all our running
             | machines for later forensics, lock our AWS IAM access down
             | to a single incident response account, and move DNS for our
| web properties to a "we've been hacked" page. (OK, it
| obviously doesn't say _that_, but something similar that
| has been heavily vetted by legal and marketing ;-)). We've
             | drilled and timed it out and can stop the ship in ~5
             | minutes.
             | 
             | Either SolarWinds doesn't have a major security incident
             | response plan, or they don't have the stomach to pull the
             | trigger. Neither is promising.
        
               | whatshisface wrote:
               | > _if someone at the VP+ level declares a major incident
               | [...]_
               | 
               | I read this as, "we have a policy that under no
               | circumstances will someone at a VP+ level declare a major
               | incident."
        
               | strogonoff wrote:
               | Sounds like a solid information security incident
               | response mechanism!
               | 
               | The only missing piece is making sure that VP+ level
               | folks are not incentivized in any way to suppress
               | incidents. However, that's beyond infosec--in that
               | treacherous area between information security,
               | shareholder interests and organizational politics.
               | 
               | I wish business continuity planning (which would include
               | infosec procedures but has a much wider overall scope)
               | was paid more attention and more widely scrutinized.
        
               | NikolaNovak wrote:
               | 1. That's impressive
               | 
               | 2. My own knowledge of folk rock and subsequent visits to
               | Google and Wikipedia have not helped me interpret this
               | reference, in this context:
               | 
               | "Electric Dylan/Pete Seeger with the axe"
               | 
               | Help, please :-D
        
               | 35fbe7d3d5b9 wrote:
               | Ha!
               | 
               | https://en.wikipedia.org/wiki/Electric_Dylan_controversy
               | 
               | http://communityvoices.post-gazette.com/arts-
               | entertainment-l...
               | 
               | > The Cliff Notes version is Dylan, whose latest album
               | Bringing It All Back Home had upset many folk purists
               | with its amplified accompaniment, performed at Newport on
               | July 25 with amplified backing by the Paul Butterfield
               | Blues Band, who played the festival on their own. As an
               | offended audience booed Dylan performing with
               | Butterfield's band (minus Butterfield himself), an
               | incensed Seeger, outraged at his friend's apostasy,
               | wanted the audio shut off and sought an axe to cut the
               | cables as Dylan and the band ripped through "Maggie's
               | Farm" and "Like A Rolling Stone," Dylan's just-released
               | single.
        
       | thrower wrote:
       | Have there been any statements / postmortems released from
       | SolarWinds itself yet?
        
       ___________________________________________________________________
       (page generated 2020-12-14 23:00 UTC)