So, did you hear about the SolarWinds hack?

[thewayne]

SolarWinds provides network security appliances to corporations. And governments. And universities. These organizations depend on companies like SolarWinds because security is VERY hard and it helps to get outside help. You can take my word for it to a degree - I worked in IT for over three decades, and while I did not specifically work in computer/network security, I had enough exposure to it to understand what a huge, tiresome, endless, and thankless job it was. It was truly neverending. You never had enough money or resources, and you were always outnumbered by the baddies.

Now what happens when a company like SolarWinds gets hacked?

I guess the first thing to talk about would be the nature of the hack. Let's suppose an update that SolarWinds pushes out to all of their customers was compromised. Now, ALL of your customers are vulnerable to being infiltrated by the people who compromised SolarWinds.

Perhaps it was a nation-state who did it.

Perhaps Russia.

Let's take a look at who makes up SolarWinds customer list. Here's a listing from SolarWinds' web site:



Notice any familiar names there?

I thought not.

So basically, Russian hackers, some of which are largely synonymous with the Russian government, compromised pretty much the entirety of the United States Government. And the U.S. Military. And effectively the entirety of the S&P 500.

Yeah, and our President has poo-poohed Russian election interference and sucked up to Putin for how long?

https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

https://www.schneier.com/blog/archives/2020/12/another-massive-russian-hack-of-us-government-networks.html

Comments

[thewayne]

Yup.  I was digging through some old hardware in the library that I work at and came across some old networking gear.  Thought they might be switches.  Nope.  They were hubs.  I laughed out loud at that.  Might as well toss 'em in the trash.  Then I thought if I could put them in promiscuous mode, I might be able to use 'em at home to snoop on traffic if I ever started working with pfSense or WRT or something. A friend and I made the mistake of going to a "business college" (trade school), complete waste of time and money.  Fortunately it wasn't a huge cost sink at that time.  We pulled an interesting hack which would probably get us arrested these days.  HP3000 computer.  People would leave their sessions signed on and walk away.  So we wrote a password stealer.  It would clear the screen, look like the login screen, asking for the user name and password, then simulate a glitch or login failure or something with a bogus error message, clear the screen and do an actual logoff, returning to the real login screen.  In the background, it wrote the user name/password to a public text file. Interestingly, that school had the first conviction in the State of Arizona for a computer crime.  So they buy this (at the time) new and lovely HP3000.  And very quickly the students start complaining about the lack of disk space (not because of our little prank).  The only other big user with serious expertise of this system is Kaibab Forestry Industries up in Flagstaff.  So one day when the IT director is off, they arrange for Kaibab's head tech to come down and hack their system.  And he finds this huge program consuming vast gobs of space in the school's system.  And it's a forestry management system.  And it looks strangely familiar to the tech. It's Kaibab's internally developed system, with the identifying information being scraped off. Somehow the school's IT director had gotten ahold of the source code and was in the process of modifying it to make it look like his product so that he could resell it. He was charged with some counts of computer theft and fraud and who knows what else, to which he pled guilty.

[kathmandu]

Yow, that's chutzpah.

[kraig]

If you want to snoop your own traffic, there's cleaner ways to do it than hubs, which aren't really compatible with the environment you'd be likely to have at home in 2020. I don't know what your home internet is like, but here 150 meg down is pretty standard for cable connections now (I just upgraded to 500M). Your hub can likely do 100M max, and if you've got multiple devices connected to it, your speed is going to be severely affected as network traffic floods to each port.

Of course, something you already have can be better than a better solution you need to acquire, but for a bit under $100 Canadian I just ordered a Netgear 8 port switch with port mirroring and VLAN capabilities - model GS108PE-300NAS - for exactly that purpose, snooping my own traffic. That model has 4 POE ports because I wanted to play with a VOIP phone, but you could likely get the 5 port equivalent sans POE for about half that price.

[thewayne]

Ah, no more taking hubs and putting them in promiscuous mode, eh?  Yeah, it's been a lot of years since I had my CCNA.  You're absolutely right, those old hubs are probably capped at 10 mbs and our connection at home is a fiber at 50/50.  Considering we live literally on top of a mountain in the middle of a national forest, that's pretty darn spiffy!

[kraig]

I think you're thinking of putting the network card on your monitoring server into promisc, hubs by design already flood traffic to every port, then your NIC will ignore any unicast traffic not directed to its address without PROMISC.

[thewayne]

You're right.  With the hub automatically flooding everything across all ports, it would be the card in the monitoring device that would be in promiscuous.  Probably just end up with a RasbPi for monitoring if I ever get around to sniffing my own traffic.

[kraig]

Zeek (zeek.org) is fun to put on mirror ports. We made extensive use of this BC, but even with many people WFH and a lot not VPN'ing, it's still useful.

[thewayne]

I will look in to that, thanks!