SolarWinds provides network security appliances to corporations. And governments. And universities. These organizations depend on companies like SolarWinds because security is VERY hard and it helps to get outside help. You can take my word for it to a degree - I worked in IT for over three decades, and while I did not specifically work in computer/network security, I had enough exposure to it to understand what a huge, tiresome, endless, and thankless job it was. It was truly neverending. You never had enough money or resources, and you were always outnumbered by the baddies.
Now what happens when a company like SolarWinds gets hacked?
I guess the first thing to talk about would be the nature of the hack. Let's suppose an update that SolarWinds pushes out to all of their customers was compromised. Now ALL of their customers are vulnerable to being infiltrated by the people who compromised SolarWinds.
Perhaps it was a nation-state who did it.
Perhaps Russia.
Let's take a look at who makes up SolarWinds' customer list. Here's a listing from SolarWinds' web site:

Notice any familiar names there?
I thought not.
So basically, Russian hackers, some of whom are largely synonymous with the Russian government, compromised pretty much the entirety of the United States Government. And the U.S. Military. And effectively the entirety of the S&P 500.
Yeah, and our President has poo-poohed Russian election interference and sucked up to Putin for how long?
https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/
https://www.schneier.com/blog/archives/2020/12/another-massive-russian-hack-of-us-government-networks.html
no subject
Date: 2020-12-15 09:58 pm (UTC)
Really do have to start over with the net; the existing design makes inappropriate assumptions about the participants.
There's likely a DARPA project. Trick is to get the new version to be open enough people will consider trusting it, even more than the massive logistical change.
no subject
Date: 2020-12-15 10:39 pm (UTC)
And that is the core problem. The internet was designed to be open, not secure. And bolting security on to it is nigh unto a never-ending challenge. Back when it was created, as I understand it, machine to machine connections did not have passwords.
no subject
Date: 2020-12-15 10:56 pm (UTC)
no subject
Date: 2020-12-16 01:38 am (UTC)
There's a new privacy model designed by Apple and someone else, I don't recall, that makes DNS fairly securely private. I should post about that. But that just gives users more privacy, it doesn't increase security. That's a network perimeter and server OS issue. For most users, security isn't much of an issue for their devices because they don't have valuable information. Occasionally someone falls victim to ransomware, but that's more of a drive-by attack, not targeted. Worst a user is looking at is throwing away a hard drive for a couple hundred bucks and starting fresh with a loss of data. Stealing corporate and gov't data is the big ticket target these days. And, of course, securing a toehold in corporate, government, university, and utility networks for potential future exploitation. It's a little funny. Just a week or so ago the uni that I work for started sending emails that they were implementing two-factor authentication (2FA) for email and I think for online Microsoft product use, I don't recall if it was just for employees or across the board, because it was the "gold standard" for security. I almost did a spit take. I guess they didn't read about all of the bitcoin wallets that were stolen because these 15 and 16 y/o's social engineered Verizon and AT&T to change cell phone credentials and intercepted 2FA verification and committed some pretty big thefts. Yeah, gold standard. If they want gold standard, they'd issue those Verisign random number generator security dongles to employees or give them the app for their phones. I had one for World of Warcraft for a while, had to enter a random number when logging on.
no subject
Date: 2020-12-17 04:39 am (UTC)
no subject
Date: 2020-12-19 02:56 pm (UTC)
Best
Thing
Ever :D
no subject
Date: 2020-12-17 01:27 pm (UTC)
The thing with the SolarWinds customer list is that SolarWinds has lots of products and as far as I know, it was one specific product that was compromised - one they use for network and service management/alerting. And the indications are that it wasn't some worm that caused passive data exfil, compromises etc - it required some active intervention from the baddies. Still awful that it happened, but not every customer will have been using that particular product and not every one of those would necessarily be of interest to the black hats here.
no subject
Date: 2020-12-17 06:01 pm (UTC)
Yeah, it was Oblivious DNS that I was reading about. What I had read - and I could be mistaken, it was not a deep dive - was that Apple had co-developed it with Cloudflare. From reading more on SolarWinds, it was definitely one specific product they offer that was compromised - Orion. And SolarWinds should really be taken to task: a default password of SolarWinds123?! That is such ridiculous idiocy that it isn't worth mention. The only good news from that hack is that a bunch of security companies plus Microsoft managed to identify the C&C server and get control of the domain and give it to Microsoft, so theoretically the hack is neutralized, but that assumes the baddies only have one C&C server and the deployed package won't look elsewhere if PhoneHome#1 is no longer available. I should do another post now that more information has come out.
no subject
Date: 2020-12-22 05:30 pm (UTC)
Default passwords are what they are; it doesn't matter how good or bad they are, they'll still be defaults. The crime is not forcing an admin to change that the very instant it is used. My new cable modem did exactly that.
If you haven't read https://www.zdnet.com/article/partial-lists-of-organizations-infected-with-sunburst-malware-released-online/ then you'll likely find it interesting.
One of the more interesting pieces of news that's come out since I last commented/you replied is that, probably unsurprisingly, there was probably more than one group inside of SolarWinds.
no subject
Date: 2020-12-22 10:50 pm (UTC)
I did see that! Quite interesting. Quite a haul for the Russians, and zero repercussions from Trump. Of course, in a month Biden is going to be in office.... The scary bit is the strongly- and widely-held belief of multiple backdoors installed, so they may have access to these networks for a few years!
no subject
Date: 2020-12-16 12:54 am (UTC)
When I was an undergrad, a typo in an init script could start your session on a different machine someone else was already using.
Designing in security really is a complete "start again", because it can't just be the network layer. (It has to be all the hardware implementing the network layer, and pretty soon that's all the hardware.)
Worth doing, but no one's even close to putting up the money.
no subject
Date: 2020-12-16 01:51 am (UTC)
Yup. I was digging through some old hardware in the library that I work at and came across some old networking gear. Thought they might be switches. Nope. They were hubs. I laughed out loud at that. Might as well toss 'em in the trash. Then I thought if I could put them in promiscuous mode, I might be able to use 'em at home to snoop on traffic if I ever started working with pfSense or WRT or something. A friend and I made the mistake of going to a "business college" (trade school), complete waste of time and money. Fortunately it wasn't a huge cost sink at that time. We pulled an interesting hack which would probably get us arrested these days. HP3000 computer. People would leave their sessions signed on and walk away. So we wrote a password stealer. It would clear the screen, look like the login screen, asking for the user name and password, then simulate a glitch or login failure or something with a bogus error message, clear the screen and do an actual logoff, returning to the real login screen. In the background, it wrote the user name/password to a public text file. Interestingly, that school had the first conviction in the State of Arizona for a computer crime. So they buy this (at the time) new and lovely HP3000. And very quickly the students start complaining about the lack of disk space (not because of our little prank). The only other big user with serious expertise of this system is Kaibab Forestry Industries up in Flagstaff. So one day when the IT director is off, they arrange for Kaibab's head tech to come down and hack their system. And he finds this huge program consuming vast gobs of space in the school's system. And it's a forestry management system. And it looks strangely familiar to the tech. It's Kaibab's internally developed system, with the identifying information being scraped off.
Somehow the school's IT director had gotten ahold of the source code and was in the process of modifying it to make it look like his product so that he could resell it. He was charged with some counts of computer theft and fraud and who knows what else, to which he pled guilty.
no subject
Date: 2020-12-16 04:11 am (UTC)
no subject
Date: 2020-12-17 01:36 pm (UTC)
Of course, something you already have can be better than a better solution you need to acquire, but for a bit under $100 Canadian I just ordered a Netgear 8 port switch with port mirroring and VLAN capabilities - model GS108PE-300NAS - for exactly that purpose, snooping my own traffic. That model has 4 PoE ports because I wanted to play with a VoIP phone, but you could likely get the 5 port equivalent sans PoE for about half that price.
no subject
Date: 2020-12-17 06:03 pm (UTC)
Ah, no more taking hubs and putting them in promiscuous mode, eh? Yeah, it's been a lot of years since I had my CCNA. You're absolutely right, those old hubs are probably capped at 10 Mbps and our connection at home is a fiber at 50/50. Considering we live literally on top of a mountain in the middle of a national forest, that's pretty darn spiffy!
no subject
Date: 2020-12-22 05:25 pm (UTC)
no subject
Date: 2020-12-22 10:32 pm (UTC)
You're right. With the hub automatically flooding everything across all ports, it would be the card in the monitoring device that would be in promiscuous mode. Probably just end up with a RasPi for monitoring if I ever get around to sniffing my own traffic.
no subject
Date: 2020-12-23 08:15 pm (UTC)
no subject
Date: 2020-12-23 08:52 pm (UTC)
I will look into that, thanks!
no subject
Date: 2020-12-16 02:39 am (UTC)
no subject
Date: 2020-12-16 03:21 am (UTC)
Now, don't hold back, K! Tell us what you're really feeling! Yeah. You'd think someone would have compared checksums or something to verify the patch before they pushed it out to make sure it was authentic. Wanna bet they're going to do that from now on, as will a number of other companies?
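The post's scenario of a vendor update compromised before it is pushed to customers, and the comment above's suggestion of comparing checksums before release, as an added example that is not the page's or SolarWinds' own code: a Python check that records SHA-256 hashes of a clean build into a manifest and later reports any file that was altered, dropped or added. The file names and contents are constructed sample values.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream so a large installer need not fit in memory
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def walk_files(root):
    for p in Path(root).rglob("*"):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p

def build_manifest(root):
    # Hash every file of a clean build; this is the reference the release is checked against.
    return {rel: sha256_file(p) for rel, p in walk_files(root)}

def verify_package(root, manifest):
    # Report files that were modified, are missing, or were never in the clean build.
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for rel, p in walk_files(root):
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_file(p) == manifest[rel]:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    # Constructed scenario: a clean two-file release, then a tampered build of it.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "agent.dll").write_bytes(b"clean build output")
        Path(root, "README.txt").write_bytes(b"release notes")
        manifest = build_manifest(root)
        Path(root, "agent.dll").write_bytes(b"clean build output plus implant")  # altered
        Path(root, "extra.dll").write_bytes(b"file the build never produced")    # added
        Path(root, "README.txt").unlink()                                       # dropped
        return verify_package(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A manifest produced and stored by the same pipeline that was compromised proves nothing; it has to come from an independent build and be signed so the customer side can check it too.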
no subject
Date: 2020-12-18 06:55 am (UTC)