The massive Russian hack/data breach

Having seen, first hand, how IT and specifically IT security is treated in industry, it's no wonder these kinds of things come up. They "sprint" to add features, and if there's a "security guy", he's just in the way. Every security enhancement has a cost in convenience and complexity, and those investments are often priced higher than the leadership is willing to pay.
Sometimes I think sengsational and I worked at the same MC. Although other posts hint that we didn't. His observation is so true it hurts. Security issues are just one of many that lead me to retire. It only got worse as we "sprinted" and our security "stories" got pushed down in priority to oblivion.

There has never been a breach that couldn't be explained without the use of quantum computing. Usually it's a C language buffer overrun... those have been around 40 years.
Yes. MC gave us a class one time to show how easy it was to do on our own products. Very enlightening, and a very good class. Good on MC for spending resources to show us just how easy it was, and how we need to work on the issue. Unfortunately, not everyone in the decision tree got that class.

Hackers today have whole toolkits at their disposal. They don't even need to do the machine level pushing into the buffer. There are whole development environments that allow them to normally code exploits, just as you would a feature, that automatically get inserted via various exploits such as buffer overruns.
 
NSA et al are almost certainly doing what they should be doing: misleading and confusing the adversary by releasing information that is misleading and confusing. They have every reason to make the adversary think he was more successful than he actually was and to claim hacks to systems that were not hacked or were not successfully hacked. We'll never know that truth and that's a good thing.

A simple example of this occurred a few years ago. The US announced that the Chicoms were blinding our imaging satellites with lasers. This is exactly what you would announce if you detected unsuccessful attempts. Even that simple scenario has lots of layers, since the adversary also knows what it is in our best interest to say. So does he believe our statement or does he keep spending resources on the laser project on the assumption that it is so far unsuccessful?

I tend to believe the Russian claim, but that too may have been made to mislead the actual adversary into believing that he had not been detected. Lots of layers to these things.

+1, I also lean toward Russia, but sophisticated hackers can leave fingerprints/crumbs behind that are designed to place blame elsewhere. Not sure our gov't will point out the actual perp until a counterstrike is carried out, which I suspect will be quite significant.
 
There was a good discussion on this with an interview with the CEO of FireEye on Face The Nation. FireEye was the security company that discovered the hack.

This was a drive by hack but well planned out, setting up a back door type entrance.

I have my own theory as to why, but that may lead to the pig, so I'll leave things there.
 
Speaking on the “Mark Levin Show,” Pompeo said the effort was “pretty clearly” tied to Russia.

“I can’t say much more as we’re still unpacking precisely what it is, and I’m sure some of it will remain classified,” Pompeo said. “This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”
 
Speaking on the “Mark Levin Show,” Pompeo said the effort was “pretty clearly” tied to Russia ...
Not sure what your point is. I'm sure the intelligence community has a number of people like Pompeo that they give misinformation specifically so it gets blabbed fairly quickly. This is chess, not rugby.

Edit: To be clear, I think it probably was the Russkis. But to think that everything the politicos blab is accurate is simply to not understand the game being played. They blab what they are given to blab, which might be accurate or might be part of the game.
 
It seems to me that the root of the problem is in the security around the SolarWinds build server. I don't know how it was breached or how the breach enabled them to insert malware in new builds though. It's possible that they use a 3rd party library and the issue was actually at that provider. It will take a while for that info to come out.
That explains the term "supply chain malware" quite well.
 
This hack has nothing to do with the users' passwords. The hackers already got access to the backend server and database systems. A user's password to your record is on the front (user-facing) end.
There is very little you or me can do to prevent our private / personal data from getting stolen at this point. Think in the sense that the hackers are the new system administrators. They have all access using the master key to the records of everything.

I don't agree with your statements which I've bolded. A user can do many things to protect their local and cloud data. And hackers don't have the master key. It's just not true that there is a single "hackers" monolith.

Here's what you and me can do.

Use the latest operating system versions, and stop playing Luddite. That reminds me of those who look for tax software that runs on Windows 7.

Another example is to invest in software security for your systems. Stop depending on free stuff like M$ Defender. That's just one company's approach, and you need additional layers of protection.

Passwords--I don't want to go there. Use a password manager!

All that is good advice, but I think the point was that we can't assume that other people are providing adequate protection for the data they collect from us and in some cases we can't refuse to provide it.

When I was working, I was required to give my personal information to OPM, and it was stolen by China.

I am required to give my personal information to the IRS every year, and it may have been stolen by someone who may or may not be Russia.

SSA has my personal information, state agencies like the DMV, county agencies like vital records and the tax assessor's office and the registrar of voters, etc. It's likely that every one of these agencies uses SolarWinds and installed the malware versions of their software. I'm sure they weren't all targeted and hacked, but there's no way that I can protect any of the data they have on me.
Yes, I've also stated that we can't rely on providers protecting us. Defense-in-Depth (DiD) would require M$, Symantec, SolarWinds, and so on.

But stating that someone has the master password was wrong. Ok, someone can think that, and use the assumption when building DiD, but the quoted post was not correct and I responded.

I also was in the OPM breach, and understand the feeling. In fact most have been affected by a breach at some time, and the way all of the weaknesses are stored and explored by criminals is evidence that our institutions are weak.

I think inside any of these institutions there isn't sufficient "creative exploring" by security. That's just the way it goes when there's a lot of process to follow, but not much allowed off the path.
 
A quick story about information security. I used to go to conferences (remember those?) with other information security folks. There were usually a lot of banks, military installations and nuclear facilities represented.

The users at the banks always told their IS staff "We're not a military installation or nuclear plant, we don't have to worry about security."

The users at the military installations would say "We're not a nuke plant or a bank, we don't have to worry about security."

By now you know what the users at the nuke plants said.

Security is always someone else's problem. Until it's not.
 
A quick story about information security. I used to go to conferences (remember those?) with other information security folks. There were usually a lot of banks, military installations and nuclear facilities represented.

The users at the banks always told their IS staff "We're not a military installation or nuclear plant, we don't have to worry about security."

The users at the military installations would say "We're not a nuke plant or a bank, we don't have to worry about security."

By now you know what the users at the nuke plants said.

Security is always someone else's problem. Until it's not.

How long ago was that? Worked for the Army, and although IT security is far from perfect it was always taken very seriously when I worked there. Never heard anyone talk like that and have a hard time believing anyone directly involved in military IT security would say that; they certainly wouldn't have a job for very long if that word got out. The biggest problem with the original military IT infrastructure is that each base implemented its own IT systems and security; that started to change many years ago to a more centrally controlled and managed system.
 
I don't see how a signature scan could have caught this. The hackers corrupted the build server that produces the SolarWinds executables and caused a novel vector to be inserted into the builds. Any signature matching done by MS or any other network admin before installation would just confirm that the software they had received matched the original files published by the developer. Virus scans can show that no known malware is in a file, but they can't recognize the unknown ones.

It seems to me that the root of the problem is in the security around the SolarWinds build server. I don't know how it was breached or how the breach enabled them to insert malware in new builds though. It's possible that they use a 3rd party library and the issue was actually at that provider. It will take a while for that info to come out.

The secondary way to catch this kind of thing is for network admins to audit all outgoing traffic initiated from within their networks and recognize when a server starts trying to connect to a new domain/IP. I think that's actually how this was identified.
You're correct, and I should have said heuristic scan or plain old scan.

I think the entire SolarWinds organization is lax given what happened. No checksum before and after build? Ok, that's simplistic, but there would have to be some before/after check performed away from the build server. No intelligent, curious security engineer around? Probably, but not allowed to stray...
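The egress check described a few posts up (watch for a server that starts contacting a destination it has never contacted before) is simple enough to demonstrate end to end. The script below is an added example and is not code from anyone in this thread; the log format, the host names and the addresses in it are constructed placeholders, and the "baseline" is just whatever each host contacted before a chosen cutoff date rather than a curated allow-list.

```python
"""Flag first-seen outbound destinations per internal host.

Added example, not from the thread. The log format is constructed for
illustration: "<ISO timestamp> <src_host> -> <dst_host_or_ip>:<port>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log. Destination names and the 203.0.113.x
# address are documentation placeholders, not real indicators.
SAMPLE_LOG = """\
2020-12-10T08:00:01 orion-srv -> updates.example-vendor.test:443
2020-12-10T08:05:12 orion-srv -> ntp.corp.test:123
2020-12-11T09:12:44 orion-srv -> updates.example-vendor.test:443
2020-12-12T10:30:00 orion-srv -> api.unknown-cdn.test:443
2020-12-12T10:31:07 orion-srv -> 203.0.113.77:8443
2020-12-12T11:00:00 fileshare -> backup.corp.test:445
"""


def parse_line(line):
    """Split one log line into (timestamp, src_host, dst_host, dst_port)."""
    ts, src, _arrow, dst = line.split()
    host, _sep, port = dst.rpartition(":")
    return datetime.fromisoformat(ts), src, host, int(port)


def build_baseline(lines, cutoff):
    """Every (host, port) a source contacted before the cutoff is 'known'."""
    baseline = defaultdict(set)
    for line in lines:
        ts, src, host, port = parse_line(line)
        if ts < cutoff:
            baseline[src].add((host, port))
    return baseline


def find_new_destinations(lines, cutoff_iso):
    """Return (time, src, host, port) for each destination a source host
    contacts after the cutoff that it never contacted before it.

    A source with no traffic before the cutoff has an empty baseline, so
    all of its later destinations are reported; tune the learning window
    accordingly in practice.
    """
    cutoff = datetime.fromisoformat(cutoff_iso)
    known = build_baseline(lines, cutoff)
    alerts = []
    for line in lines:
        ts, src, host, port = parse_line(line)
        if ts >= cutoff and (host, port) not in known[src]:
            alerts.append((ts.isoformat(), src, host, port))
            known[src].add((host, port))  # report each new destination once
    return alerts


if __name__ == "__main__":
    for alert in find_new_destinations(SAMPLE_LOG.splitlines(), "2020-12-12T00:00:00"):
        print("NEW DESTINATION:", *alert)
```

Run as-is it reports the two new destinations the monitoring server reaches on 12 December plus everything the file server does, since that host has no history before the cutoff. The real work in a production version is deciding the learning window and whether the baseline is learned or maintained by hand; the comparison itself does not change.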
 
All that is good advice, but I think the point was that we can't assume that other people are providing adequate protection for the data they collect from us and in some cases we can't refuse to provide it.

Your point that you never know where your information goes when you give it out is absolutely correct. I just assume all my information is out on the dark web and act accordingly, including paying for anti-malware, password programs, and other tracking services. I like the Have I Been Pwned site. https://haveibeenpwned.com/

One of my old jobs was working with private veterinary practices to get them to use our IT products. The problem was many of the veterinarians were using very old operating systems. The recent windows 7 discussion brought back memories. To get their business our products needed to work with the old systems. At one point, for security, management just said cut off the old systems.
 
Your point that you never know where your information goes when you give it out is absolutely correct. I just assume all my information is out on the dark web and act accordingly, including paying for anti-malware, password programs, and other tracking services. I like the Have I Been Pwned site. https://haveibeenpwned.com/

This. I have a pretty good friend who is a secret-squirrel at the NSA. We were chatting this weekend about some other stuff and I asked him if there was anything different HE was doing in regards to IT security with his personal stuff. He said, "nope" and said there isn't much more he could do if he wanted. Of course, the stuff he can talk about professionally is very limited, but as long as he's still on the interwebs and isn't burying cash in the backyard, I am not *too* concerned. :D
 
This. I have a pretty good friend who is a secret-squirrel at the NSA. We were chatting this weekend about some other stuff and I asked him if there was anything different HE was doing in regards to IT security with his personal stuff. He said, "nope" and said there isn't much more he could do if he wanted. Of course, the stuff he can talk about professionally is very limited, but as long as he's still on the interwebs and isn't burying cash in the backyard, I am not *too* concerned. :D

One item I'm wondering about is the possibility that people with no internet footprint are actually at higher risk of getting hacked. Because they have these on-line unsecured accounts that they don't access and protect with security tools, so somebody else will take over their unprotected account. I seem to recall this issue with on-line hacked tax refunds.
 
How long ago was that? Worked for the Army, and although IT security is far from perfect it was always taken very seriously when I worked there. Never heard anyone talk like that and have a hard time believing anyone directly involved in military IT security would say that; they certainly wouldn't have a job for very long if that word got out. The biggest problem with the original military IT infrastructure is that each base implemented its own IT systems and security; that started to change many years ago to a more centrally controlled and managed system.

Yeah, times have changed. I got out of IT security just around the time it was starting to become popular.

Even back then, it wasn't the IT security folks who weren't taking it seriously. It was the users. And their management. Who influenced IT management. Security was a burden, a waste of time and money, you name it.

I think some of that attitude is still out there. Hence the headlines.
 
While analyzing artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor that is likely from a second threat actor.

Named SUPERNOVA, the malware is a webshell planted in the code of the Orion network and applications monitoring platform and enabled adversaries to run arbitrary code on machines running the trojanized version of the software.
https://www.bleepingcomputer.com/ne...oor-found-in-solarwinds-cyberattack-analysis/

Not really much to say at this time.
:(
 
Maybe it is the 450 lb guy in his basement.
And maybe he was using the stolen NSA tools they use to spoof other countries. Running the attack through a web of VPN/Proxy servers.

In the world of spy-VS-spy and double agents and our government agencies, the reality of the situation is the last thing I expect to be reported.
 
One item I'm wondering about is the possibility that people with no internet footprint are actually at higher risk of getting hacked. Because they have these on-line unsecured accounts that they don't access and protect with security tools, so somebody else will take over their unprotected account. I seem to recall this issue with on-line hacked tax refunds.

That's a good question. Christopher Walken might be in trouble...

In yet more evidence that Christopher Walken might be from another planet, the enigmatic actor claimed that he’s never possessed a cellphone or a computer. The Oscar winner dropped the bombshell during a virtual appearance on “The Late Show” Monday.

https://nypost.com/2020/12/16/christopher-walken-has-never-owned-cellphone-or-computer/
 
I don't see how a signature scan could have caught this. The hackers corrupted the build server that produces the SolarWinds executables and caused a novel vector to be inserted into the builds. Any signature matching done by MS or any other network admin before installation would just confirm that the software they had received matched the original files published by the developer. Virus scans can show that no known malware is in a file, but they can't recognize the unknown ones.

It seems to me that the root of the problem is in the security around the SolarWinds build server. I don't know how it was breached or how the breach enabled them to insert malware in new builds though. It's possible that they use a 3rd party library and the issue was actually at that provider. It will take a while for that info to come out.

The secondary way to catch this kind of thing is for network admins to audit all outgoing traffic initiated from within their networks and recognize when a server starts trying to connect to a new domain/IP. I think that's actually how this was identified.

Excellent technical analysis!
 
I don't agree with your statements which I've bolded. A user can do many things to protect their local and cloud data. And hackers don't have the master key. It's just not true that there is a single "hackers" monolith.

What part didn't you understand from the previous post? The hackers DO have the "master key" - while not in the form of an encryption key, it is the access itself to the back-end systems. They got administrator-level access, namely they could open a database containing your account balance info and subtract money from your super precious account. While it may be true that - if proper data security and privacy was put in place - sensitive info like credit card numbers, SSN, passwords, DOB etc. are encrypted, once one is inside the system, one can still do damage.

Here's what you and me can do.

Use the latest operating system versions, and stop playing Luddite. That reminds me of those who look for tax software that runs on Windows 7.

Another example is to invest in software security for your systems. Stop depending on free stuff like M$ Defender. That's just one company's approach, and you need additional layers of protection.

Bollocks! As if one would call M$ Windows 10 a "secure OS" :)

Use a password manager!

Bollocks 2nd time. I, for one, do not wish to give the keys to my house to the "Mr. Password Manager" - no matter how much auditing and open source "transparency" he's showing to me.
 
My Big Banker relative advised changing passwords, but he doesn't even know if banks are affected - have any of you heard of that?

FIDO is a great new password security system. To my understanding, it uses Multifactor authentication (MFA). This includes biometrics and other methods. Read more about it via this non-profit link: https://fidoalliance.org/what-is-fido

*This is a quick post from a cellphone. Wish you the best with your pw security.
 
I haven't read this thread top to bottom. I have shunned doing anything financially over the internet. There will always be holes that can be exploited. I just can't understand why companies push people to open themselves to vulnerabilities when the potential loss can be so devastating.
 
I'm afraid I can't side with the Luddites on this one.

Our whole financial system is based on trust. Any assets in a financial institution exist only as ones and zeros in a computer somewhere. Even a pile of cash is only as valuable as society says it is.

So where do you draw the line? I protect my account information using the current best practices. I take steps to limit my exposure to any single hack.

But in the end, the kind of massive back-end attack we're talking about here is not a risk I can - or really need to - mitigate. If something like this were to hit a major bank where I had an account, I certainly wouldn't be alone. The bank, the banking industry and the government all have a stake in maintaining society's trust. I don't think I'd simply wake up to a zero balance one day, with no recourse.

I do everything almost exclusively on line. I'm having a hard time coming up with any scenario where this would be a bad idea, short of total breakdown of our society. At which point I'd have bigger things to worry about.
 
Staying offline probably is not going to make much difference in these server-side breaches.

You might be a little safer if you don't link accounts/don't enable transfers, but, as always, it's a trade-off between security and convenience.
 