thewayne: (Default)
[personal profile] thewayne
SolarWinds provides network security appliances to corporations. And governments. And universities. These organizations depend on companies like SolarWinds because security is VERY hard and it helps to get outside help. You can take my word for it to a degree - I worked in IT for over three decades, and while I did not specifically work in computer/network security, I had enough exposure to it to understand what a huge, tiresome, endless, and thankless job it was. It was truly never-ending. You never had enough money or resources, and you were always outnumbered by the baddies.

Now what happens when a company like SolarWinds gets hacked?

I guess the first thing to talk about would be the nature of the hack. Let's suppose an update that SolarWinds pushes out to all of their customers was compromised. Now, ALL of your customers are vulnerable to being infiltrated by the people who compromised SolarWinds.

Perhaps it was a nation-state who did it.

Perhaps Russia.

Let's take a look at who makes up SolarWinds' customer list. Here's a listing from SolarWinds' web site:



Notice any familiar names there?

I thought not.

So basically, Russian hackers, some of whom are largely synonymous with the Russian government, compromised pretty much the entirety of the United States Government. And the U.S. Military. And effectively the entirety of the S&P 500.

Yeah, and our President has pooh-poohed Russian election interference and sucked up to Putin for how long?

https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

https://www.schneier.com/blog/archives/2020/12/another-massive-russian-hack-of-us-government-networks.html

Date: 2020-12-15 09:58 pm (UTC)
graydon: (Default)
From: [personal profile] graydon

Really do have to start over with the net; the existing design makes inappropriate assumptions about the participants.

There's likely a DARPA project. Trick is to get the new version to be open enough people will consider trusting it, even more than the massive logistical change.

Date: 2020-12-15 10:56 pm (UTC)
dewline: Text - "On the DEWLine" (Default)
From: [personal profile] dewline
World-wide retrofitting, ad nauseam, right?

Date: 2020-12-17 04:39 am (UTC)
dewline: Text - "On the DEWLine" (Default)
From: [personal profile] dewline
Facebook is crying foul about that privacy model in full-page ads, I'd read this morning...?

Date: 2020-12-17 01:27 pm (UTC)
kraig: Salty+Zack (Default)
From: [personal profile] kraig
You're probably thinking of DNS over HTTPS, which afaik Apple didn't spearhead, but Cloudflare did. Cloudflare is in many ways a shitty and reprehensible company, but this (and its follow-on, Oblivious DNS over HTTPS) is probably A Generally Good Thing, even if it does make the lives of folks like me - network defenders - difficult.

The thing with the SolarWinds customer list is that SolarWinds has lots of products and as far as I know, it was one specific product that was compromised - one they use for network and service management/alerting. And the indications are that it wasn't some worm that caused passive data exfil, compromises etc. - it required some active intervention from the baddies. Still awful that it happened, but not every customer will have been using that particular product and not every one of those would necessarily be of interest to the black hats here.

Date: 2020-12-22 05:30 pm (UTC)
kraig: Salty+Zack (Default)
From: [personal profile] kraig
Ah, that could be it. It seems like an Apple thing to do, for sure.

Default passwords are what they are; it doesn't matter how good or bad they are, they'll still be defaults. The crime is not forcing an admin to change that the very instant it is used. My new cable modem did exactly that.

If you haven't read https://www.zdnet.com/article/partial-lists-of-organizations-infected-with-sunburst-malware-released-online/ then you'll likely find it interesting.

One of the more interesting pieces of news that's come out since I last commented/you replied is that, probably unsurprisingly, there was probably more than one group inside of SolarWinds.

Date: 2020-12-16 12:54 am (UTC)
graydon: (Default)
From: [personal profile] graydon

When I was an undergrad, a typo in an init script could start your session on a different machine someone else was already using.

Designing in security really is a complete "start again", because it can't just be the network layer. (it has to be all the hardware implementing the network layer and pretty soon that's all the hardware.)

Worth doing, but no one's even close to putting up the money.

Date: 2020-12-16 04:11 am (UTC)
kathmandu: Snipped from a NASA picture of the Earth by night (Earthlights)
From: [personal profile] kathmandu
Yow, that's chutzpah.

Date: 2020-12-17 01:36 pm (UTC)
kraig: Salty+Zack (Default)
From: [personal profile] kraig
If you want to snoop your own traffic, there are cleaner ways to do it than hubs, which aren't really compatible with the environment you'd be likely to have at home in 2020. I don't know what your home internet is like, but here 150 meg down is pretty standard for cable connections now (I just upgraded to 500M). Your hub can likely do 100M max, and if you've got multiple devices connected to it, your speed is going to be severely affected as network traffic floods to each port.

Of course, something you already have can be better than a better solution you need to acquire, but for a bit under $100 Canadian I just ordered a Netgear 8-port switch with port mirroring and VLAN capabilities - model GS108PE-300NAS - for exactly that purpose, snooping my own traffic. That model has 4 PoE ports because I wanted to play with a VoIP phone, but you could likely get the 5-port equivalent sans PoE for about half that price.

Date: 2020-12-22 05:25 pm (UTC)
kraig: Salty+Zack (Default)
From: [personal profile] kraig
I think you're thinking of putting the network card on your monitoring server into promiscuous mode. Hubs by design already flood traffic to every port; it's your NIC that will ignore any unicast traffic not directed to its address unless it is in promiscuous mode.

Date: 2020-12-23 08:15 pm (UTC)
kraig: Salty+Zack (Default)
From: [personal profile] kraig
Zeek (zeek.org) is fun to put on mirror ports. We made extensive use of this BC, but even with many people WFH and a lot not VPN'ing, it's still useful.
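
Zeek's conn.log is usually the first thing a defender reads off a mirror port. The following is an added example, not code from the commenter or from the Zeek project: it parses a constructed conn.log excerpt written in Zeek's default TSV layout (header directives followed by one record per line) and flags internal-to-external flows by outbound byte volume and duration. The internal address ranges, the thresholds, and every sample record are assumptions made for the example; a real conn.log carries more columns, which the parser handles because it reads the `#fields` header rather than hard-coding positions.

```python
"""Triage Zeek conn.log records from a mirror port: parse the TSV format
Zeek writes by default and flag internal->external flows that moved a lot
of data out or stayed open unusually long. Sample log is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample in Zeek's TSV layout. The field list is a prefix of the
# real conn.log columns; the parser is driven by the #fields line, so logs
# with more columns parse the same way.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1608060000.100\tCabc1\t192.168.1.20\t51000\t198.51.100.20\t443\ttcp\tssl\t2.5\t1500\t40000\tSF
1608060010.200\tCabc2\t192.168.1.20\t51001\t198.51.100.7\t443\ttcp\tssl\t3600.0\t52000000\t9000\tSF
1608060020.300\tCabc3\t192.168.1.30\t53000\t192.168.1.1\t53\tudp\tdns\t0.01\t60\t120\tSF
1608060030.400\tCabc4\t192.168.1.30\t53001\t203.0.113.5\t80\ttcp\thttp\t-\t-\t-\tS0
1608060040.500\tCabc5\t192.168.1.40\t53002\t203.0.113.9\t8443\ttcp\t-\t7200.0\t4000\t2000\tSF
"""

# Assumed internal ranges; an organization would substitute its own.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

INT_FIELDS = ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes")
FLOAT_FIELDS = ("ts", "duration")


def parse_conn_log(text):
    """Return one dict per record, keyed by the names in the #fields header.
    Zeek's unset marker (default '-') becomes None; known numeric fields are cast."""
    fields, unset, records = None, "-", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            continue  # other directives (#separator, #types, ...) are not needed here
        if fields is None:
            raise ValueError("record appeared before the #fields header")
        rec = {name: (None if raw == unset else raw)
               for name, raw in zip(fields, line.split("\t"))}
        for name in INT_FIELDS:
            if rec.get(name) is not None:
                rec[name] = int(rec[name])
        for name in FLOAT_FIELDS:
            if rec.get(name) is not None:
                rec[name] = float(rec[name])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound(rec):
    return is_internal(rec["id.orig_h"]) and not is_internal(rec["id.resp_h"])


def outbound_bytes_by_pair(records):
    """Sum bytes sent by each internal originator to each external responder."""
    totals = defaultdict(int)
    for r in records:
        if is_outbound(r):
            totals[(r["id.orig_h"], r["id.resp_h"])] += r["orig_bytes"] or 0
    return dict(totals)


def flag_suspicious(records, byte_threshold=10_000_000, duration_threshold=1800.0):
    """Coarse triage heuristics, not verdicts: outbound flows that pushed more
    than byte_threshold bytes or stayed open longer than duration_threshold s."""
    hits = []
    for r in records:
        if not is_outbound(r):
            continue
        reasons = []
        if (r["orig_bytes"] or 0) > byte_threshold:
            reasons.append("large_outbound")
        if (r["duration"] or 0.0) > duration_threshold:
            reasons.append("long_lived")
        if reasons:
            hits.append((r["uid"], r["id.orig_h"], r["id.resp_h"], reasons))
    return hits


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for uid, src, dst, why in flag_suspicious(recs):
        print(f"{uid}: {src} -> {dst} {','.join(why)}")
```

Unset fields matter: a half-open connection (conn_state S0) has no duration or byte counts, and treating the `-` marker as zero rather than as missing is what keeps it from tripping the thresholds by accident.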

Date: 2020-12-16 02:39 am (UTC)
devilc: Go Like Hell (Default)
From: [personal profile] devilc
ARRRGH!

Date: 2020-12-18 06:55 am (UTC)
silveradept: A kodama with a trombone. The trombone is playing music, even though it is held in a rest position (Default)
From: [personal profile] silveradept
I'm not sure how you would prevent that kind of hack from being that destructive, apart from there being more companies and such doing this work, but it sounds like that's the sort of thing where if you spread that effort and money across multiple companies, you get less ability in defending from all of the attacks and all of the actors.
