The massive Russian hack/data breach

Pellice (joined Oct 19, 2016; 1,512 messages)
This huge Russian hack (data breach?) appears to be ongoing and "they" don't even know where it's been and what the status is.

My Big Banker relative advised changing passwords, but he doesn't even know if banks are affected - have any of you heard of that?

And it isn't even apparently about money (well, everything is about money eventually).

I've seen very little advice from anywhere, which in itself is alarming. Nothing from Lastpass - have any of the password managers communicated? The silence out of the Executive Branch is alarming. Can they really not know this much?

Any thoughts, advice?

*edited title to make the topic clearer. Not even sure if I should call this a data breach.
 
If you’re worried change your passwords, at least on sensitive accounts - no one knows the extent of the breach yet though SolarWinds says 18,000 of their 300,000 clients may be affected - “American government agencies and businesses.” If you wait until all the details are known, you’re just further increasing your exposure. I’m not recommending anything, judge for yourself.
 
Hackers gaining access to a financial institution's system should not be an indication that passwords were compromised or that customers need to change them for security precautions. It would only be the case if those passwords were stored in clear text or by some weak encryption algorithm which could be deciphered.

Any system developers and institutions worth their salt utilize one-way encryption. Having the password database of a system utilizing one-way encryption is almost worthless to the thieves. To be of value, they would need to know the encryption algorithm being used, and additionally develop a password generator that would brute-force generate passwords, run them through the encryptor over and over until they found one that generated a match. For those using weak passwords, they are no more at risk than they are every day for using a weak password. For those who have strong passwords there is really nothing to be concerned about, though there is nothing wrong with changing passwords periodically...assuming that the computer being used at the time isn't infected, or you're doing it over a public wifi network, etc.

Further, considering what financial institutions currently offer, there is little reason for anyone not to be using two factor authentication on all of their financial accounts.

There's a higher likelihood that hackers get your password(s) as a result of doing something stupid, for example storing all your passwords in a text file on your computer, your phone, or in the cloud.

Today, most financial institutions have multiple layers of checks in place to prevent anything terrible from happening. In the absolute worst case, should something terrible actually happen, my understanding is that in most all cases these days, the customer is protected against loss by the financial institution.

Personally, I wouldn't be concerned.
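The post above describes "one-way encryption" of stored passwords and why a stolen hash table only yields the weak passwords to a guesser. The following is an added example, not code from any poster or institution on this page: it stores passwords as salted, iterated PBKDF2-HMAC-SHA256 hashes, verifies a login in constant time, and runs the kind of audit a defender performs against a constructed wordlist to see which stored hashes a guesser would recover. The iteration count and the wordlist are assumptions chosen for the demo, not values from the page.

```python
"""Salted, iterated password hashing and a defender's weak-password audit (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the demo; production deployments use a higher count (assumption, not a page value).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest, all hex-encoded."""
    salt = salt if salt is not None else os.urandom(16)  # unique per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed wordlist standing in for the guesses someone holding a stolen hash table would try.
COMMON_GUESSES = ["password", "123456", "letmein", "qwerty", "summer2020"]


def guessable(stored: str, guesses=COMMON_GUESSES) -> Optional[str]:
    """Audit helper: return the wordlist entry that reproduces the stored hash, or None.

    A strong password is not in any wordlist, so the hash alone tells the holder nothing;
    a weak one falls exactly as fast as it would against a live login form.
    """
    for guess in guesses:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    records = {"alice": hash_password("letmein"), "bob": hash_password("Tq7#vR9!mZ2p")}
    for user, rec in records.items():
        hit = guessable(rec)
        print(f"{user}: {'WEAK, recovered as ' + hit if hit else 'not recovered from wordlist'}")
```

Note that the record carries its own salt and iteration count, so the verifier never has to know a secret "encryption algorithm": the security rests entirely on the work per guess and on the password not being in a wordlist, which is the point the post makes.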
 
I highly recommend people read the part of the Mueller Report that talked about Russian penetration of social media and computer systems in 2016. (Ignore the part that triggered the political squabbling. That's over and done with.) The really important part is how sophisticated and clever their invasion of computing systems was and is. It is scary.
 
> The really important part is how sophisticated and clever their invasion of computing systems was and is. It is scary.

I think it was Krebs who stated in his book that in the USA top computer/software grads go to work for Google, Apple, etc., in Russia they go to work for hacking companies, many of which have ties to the government.
 
This is a very good article about what happened: https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/

While it's pretty clear that bank networks must have been infected, so far they do not appear to have been attacked. The malware creates a backdoor into a system, but just because there's a door somewhere doesn't mean someone has walked through it. It seems that one way the attackers stayed under the radar was to target their attacks very narrowly and it looks like they've gone after mostly IT and government related groups.

Microsoft has been allowed to take over the domain used to control the malware and they've sinkholed it, so there should not be any new attacks from this hack. They can also watch the control domain to see which systems "phone home" and notify the owners of those IP addresses.
 
Some reports indicated that personal data from the Treasury and IRS was compromised. This means that hackers have access to taxpayer name, SSN, address, phone number, date of birth, bank routing and account number for those who e-file. It would be a good idea to monitor your bank accounts for suspicious transactions (especially the account linked to the IRS) on a regular basis.
 
> Some reports indicated that personal data from the Treasury and IRS was compromised. This means that hackers have access to taxpayer name, SSN, address, phone number, date of birth, bank routing and account number for those who e-file. It would be a good idea to monitor your bank accounts for suspicious transactions (especially the account linked to the IRS) on a regular basis.

This advice should not be limited to e-filers. Even if you file on paper, the IRS still translates all your data into electronic formats and treats it the same as that which arrives through e-file.
 
> Hackers gaining access to a financial institution's system should not be an indication that passwords were compromised or that customers need to change them for security precautions. It would only be the case if those passwords were stored in clear text or by some weak encryption algorithm which could be deciphered.
>
> Any system developers and institutions worth their salt utilize one-way encryption. Having the password database of a system utilizing one-way encryption is almost worthless to the thieves. To be of value, they would need to know the encryption algorithm being used, and additionally develop a password generator that would brute-force generate passwords, run them through the encryptor over and over until they found one that generated a match. For those using weak passwords, they are no more at risk than they are every day for using a weak password. For those who have strong passwords there is really nothing to be concerned about, though there is nothing wrong with changing passwords periodically...assuming that the computer being used at the time isn't infected, or you're doing it over a public wifi network, etc.
>
> Further, considering what financial institutions currently offer, there is little reason for anyone not to be using two factor authentication on all of their financial accounts.
>
> There's a higher likelihood that hackers get your password(s) as a result of doing something stupid, for example storing all your passwords in a text file on your computer, your phone, or in the cloud.
>
> Today, most financial institutions have multiple layers of checks in place to prevent anything terrible from happening. In the absolute worst case, should something terrible actually happen, my understanding is that in most all cases these days, the customer is protected against loss by the financial institution.
>
> Personally, I wouldn't be concerned.
++

You couldn't get past any audit since ~1990 with storing clear text passwords.
 
This hack has nothing to do with the users' passwords. The hackers already got access to the backend server and database systems. A user's password to your record is on the front (user facing) end.
There is very little you or I can do to prevent our private / personal data from getting stolen at this point. Think in the sense that the hackers are the new system administrators. They have all access using the master key to the records of everything.
 
> This hack has nothing to do with the users' passwords. The hackers already got access to the backend server and database systems. A user's password to your record is on the front (user facing) end.
> There is very little you or I can do to prevent our private / personal data from getting stolen at this point. Think in the sense that the hackers are the new system administrators. They have all access using the master key to the records of everything.

Well articulated, tt. :) My understanding is similar.
 
A moment of reckoning: the need for a strong and global cybersecurity response - M$

> This is a very good article about what happened: https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/
>
> While it's pretty clear that bank networks must have been infected, so far they do not appear to have been attacked. The malware creates a backdoor into a system, but just because there's a door somewhere doesn't mean someone has walked through it. It seems that one way the attackers stayed under the radar was to target their attacks very narrowly and it looks like they've gone after mostly IT and government related groups.
>
> Microsoft has been allowed to take over the domain used to control the malware and they've sinkholed it, so there should not be any new attacks from this hack. They can also watch the control domain to see which systems "phone home" and notify the owners of those IP addresses.
Thanks for posting the link to the article as well as your comments.

https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/

This is important and well put in the blog:
The evolving threats

The past 12 months have produced a watershed year with evolving cybersecurity threats on three eye-opening fronts.

The first is the continuing rise in the determination and sophistication of nation-state attacks. In the past week this has again burst into the headlines with the story of an attack on the firm FireEye using malware inserted into network management software provided to customers by the tech company SolarWinds. This has already led to subsequent news reports of penetration into multiple parts of the U.S. Government. We should all be prepared for stories about additional victims in the public sector and other enterprises and organizations. As FireEye CEO Kevin Mandia stated after disclosing the recent attack, “We are witnessing an attack by a nation with top-tier offensive capabilities.”

An embedded link in the article showed the major nation-state actors (according to M$) in the illustration I posted below.

Microsoft report shows increasing sophistication of cyber threats - Microsoft On the Issues
https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/

It's a nation state (Russia, China, or a combination of adversaries) in this current attack, and the political focus is in two camps. I don't need to get into that, but we see through the evidence that our major adversaries are stronger than they were in the past. Hence, "The evolving threats" is how we should treat the problem. That last concept is something which still needs to ingrain itself into the general population. Politicians who step into it are focused on the identity of the nation state, whereas the security personnel know that is just political talk. They need leadership to set the response for retribution, similar to post 9/11 terrorism attacks.

All the words and reports that exist in this world will not stop these threats. Just as with biologic virus infections these cyber attacks do not stop at border walls. The greater percentage of resources spent on defense and domestic programs such as Littoral Combat Ship (LCS) and Border Wall System would be better spent on total cyber protection for the nation.

The editor’s note at the end of first article is important.

"Following news reports about the impact on Microsoft of the SolarWinds issue, the company issued the following statement:

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
Well, that's nice but doesn't help millions of customers who went to M$ cloud thinking they'd be protected. After all there should be signature scans by M$ somewhere in the process so that data landing in the cloud is not a future threat. I don't think any company or organization should be left off the hook, including Amazon, Feds, and so on.
 

Attachment: Periodic_chart-02.jpg
> This hack has nothing to do with the users' passwords. The hackers already got access to the backend server and database systems. A user's password to your record is on the front (user facing) end.
> There is very little you or I can do to prevent our private / personal data from getting stolen at this point. Think in the sense that the hackers are the new system administrators. They have all access using the master key to the records of everything.
I don't agree with your statements which I've bolded. A user can do many things to protect their local and cloud data. And hackers don't have the master key. It's just not true that there is a single "hackers" monolith.

Here's what you and I can do.

Use the latest operating system versions, and stop playing Luddite. That reminds me of those who look for tax software that runs on Windows 7.

Another example is to invest in software security for your systems. Stop depending on free stuff like M$ Defender. That's just one company's approach, and you need additional layers of protection.

Passwords--I don't want to go there. Use a password manager!
 
Just a general statement on security, if it leaves your system in the clear don't trust any system to keep it secure. That means your email or cloud data needs to be encrypted on your machine BEFORE it goes up. Plenty of programs are available to do this.

Just a plug for Linux, it is much less likely to have an attack since no one, relatively speaking, is using it, and attackers like numbers of potential victims.
 
> This huge Russian hack

There is zero publicly released evidence that this was "Russian". Just officials making the claim.

It's possible that that this is the case, but there are many examples of malware that disguises itself as coming from others. It's a giant cat and mouse game involving individuals, corporations, organized crime, intelligence agencies, and others.

Remember that one of the most effective malware attacks in the past, the stuxnet attack against Iran, probably came from the US and/or Israel. And even so there is little public evidence of this.

Always be skeptical of attribution of these attacks unless there is proof.
 
> I don't agree with your statements which I've bolded. A user can do many things to protect their local and cloud data. And hackers don't have the master key. It's just not true that there is a single "hackers" monolith.
>
> Here's what you and I can do.
>
> Use the latest operating system versions, and stop playing Luddite. That reminds me of those who look for tax software that runs on Windows 7.
>
> Another example is to invest in software security for your systems. Stop depending on free stuff like M$ Defender. That's just one company's approach, and you need additional layers of protection.
>
> Passwords--I don't want to go there. Use a password manager!

All that is good advice, but I think the point was that we can't assume that other people are providing adequate protection for the data they collect from us and in some cases we can't refuse to provide it.

When I was working, I was required to give my personal information to OPM, and it was stolen by China.

I am required to give my personal information to the IRS every year, and it may have been stolen by someone who may or may not be Russia.

SSA has my personal information, state agencies like the DMV, county agencies like vital records and the tax assessor's office and the registrar of voters, etc. It's likely that every one of these agencies uses SolarWinds and installed the malware versions of their software. I'm sure they weren't all targeted and hacked, but there's no way that I can protect any of the data they have on me.
 
> There is zero publicly released evidence that this was "Russian". Just officials making the claim.
>
> It's possible that that this is the case, but there are many examples of malware that disguises itself as coming from others. It's a giant cat and mouse game involving individuals, corporations, organized crime, intelligence agencies, and others.
>
> Remember that one of the most effective malware attacks in the past, the stuxnet attack against Iran, probably came from the US and/or Israel. And even so there is little public evidence of this.
>
> Always be skeptical of attribution of these attacks unless there is proof.
X2, blaming Russians is just politics.

As an engineer, to resolve a problem you need to identify root cause. Only then can effective corrections be implemented. Treating symptoms doesn't fix the problem. Blaming Russians or anybody at this point doesn't help any proper root cause analysis.
 
> Well, that's nice but doesn't help millions of customers who went to M$ cloud thinking they'd be protected. After all there should be signature scans by M$ somewhere in the process so that data landing in the cloud is not a future threat. I don't think any company or organization should be left off the hook, including Amazon, Feds, and so on.

I don't see how a signature scan could have caught this. The hackers corrupted the build server that produces the SolarWinds executables and caused a novel vector to be inserted into the builds. Any signature matching done by MS or any other network admin before installation would just confirm that the software they had received matched the original files published by the developer. Virus scans can show that no known malware is in a file, but they can't recognize the unknown ones.

It seems to me that the root of the problem is in the security around the SolarWinds build server. I don't know how it was breached or how the breach enabled them to insert malware in new builds though. It's possible that they use a 3rd party library and the issue was actually at that provider. It will take a while for that info to come out.

The secondary way to catch this kind of thing is for network admins to audit all outgoing traffic initiated from within their networks and recognize when a server starts trying to connect to a new domain/IP. I think that's actually how this was identified.
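The reply above says the second line of defence is auditing outbound traffic and noticing when a server starts contacting a domain it never used before. The following is an added example, not code from any poster or from SolarWinds or Microsoft: it parses a few constructed outbound-connection log lines in an assumed "date source_host destination_domain" format, builds a per-host baseline of destinations seen up to a cut-off date, and reports the first contact each host makes to a destination outside its baseline. Host and domain names are constructed placeholders.

```python
"""First-seen outbound destination detection over constructed egress log lines (added example)."""
import re
from collections import defaultdict
from datetime import date
from typing import Iterable, Iterator, List, Tuple

# Constructed sample in an assumed simplified format: "YYYY-MM-DD source_host destination_domain".
SAMPLE_LOG = """\
2020-12-01 orion-01 updates.vendor.example
2020-12-02 orion-01 updates.vendor.example
2020-12-03 orion-01 updates.vendor.example
2020-12-03 fileserver-02 updates.vendor.example
2020-12-10 orion-01 updates.vendor.example
2020-12-11 orion-01 abc123.telemetry.example
2020-12-11 orion-01 abc123.telemetry.example
2020-12-12 fileserver-02 patch.vendor.example
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(\S+)$")

Record = Tuple[date, str, str]


def parse_log(text: str) -> Iterator[Record]:
    """Yield (date, host, destination) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield date.fromisoformat(m.group(1)), m.group(2), m.group(3)


def first_seen_destinations(records: Iterable[Record], baseline_end: str) -> List[Tuple[str, str, str]]:
    """Return (iso_date, host, destination) for each host's first contact, after baseline_end,
    with a destination that host never reached during the baseline window.

    Repeat connections to the same new destination are reported once; the analyst then
    decides whether it is a legitimate new vendor host or something to isolate.
    """
    cutoff = date.fromisoformat(baseline_end)
    baseline = defaultdict(set)   # host -> destinations seen up to the cutoff
    reported = defaultdict(set)   # host -> new destinations already alerted on
    alerts = []
    for when, host, dst in sorted(records):   # chronological so the baseline fills first
        if when <= cutoff:
            baseline[host].add(dst)
        elif dst not in baseline[host] and dst not in reported[host]:
            reported[host].add(dst)
            alerts.append((when.isoformat(), host, dst))
    return alerts


if __name__ == "__main__":
    for when, host, dst in first_seen_destinations(parse_log(SAMPLE_LOG), "2020-12-10"):
        print(f"{when}: {host} contacted new destination {dst}")
```

On the sample both post-cutoff destinations are flagged, which is the expected trade-off: a per-host baseline is deliberately noisy so that a single unfamiliar domain is not lost among known ones, and the triage step (is this a vendor's patch server, or a name nobody in the organisation recognises?) is where a human or a threat-intelligence lookup comes in.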
 
Having seen, first hand, how IT and specifically IT security is treated in industry, it's no wonder these kinds of things come up. They "sprint" to add features, and if there's a "security guy", he's just in the way. Every security enhancement has a cost in convenience and complexity, and those investments are often priced higher than the leadership is willing to pay. Certainly mistakes should be forgiven, but if the companies are managed such that the environment breeds mistakes, then whoever is responsible for that environment needs to go to jail. That is to say there's probably some lowly, overly burdened security guy who blew it, but security was probably not even central to his job (probably a sys admin), and he did the best he could. The leadership, on the other hand, might have made decisions to put features, staffing and schedule above safety.
 
> Having seen, first hand, how IT and specifically IT security is treated in industry, it's no wonder these kinds of things come up. They "sprint" to add features, and if there's a "security guy", he's just in the way. Every security enhancement has a cost in convenience and complexity, and those investments are often priced higher than the leadership is willing to pay. Certainly mistakes should be forgiven, but if the companies are managed such that the environment breeds mistakes, then whoever is responsible for that environment needs to go to jail. That is to say there's probably some lowly, overly burdened security guy who blew it, but security was probably not even central to his job (probably a sys admin), and he did the best he could. The leadership, on the other hand, might have made decisions to put features, staffing and schedule above safety.
+1

Security is considered last in most development projects. I had security people on the team I managed that were embedded with project teams. PMs would often blame security as to why they were running late against a mostly arbitrary deadline.
 
China just reached Quantum computing supremacy, and maybe Russia just did and is hiding it. With Quantum computing, you can calculate Trillions of times faster than the fastest US Super-computer and save billions of years solving a problem - like breaking into computer encryption, meaning they could easily break computer encryption so much faster.
 
There has never been a breach that wasn't explained without the use of quantum computing. Usually it's a C language buffer overrun...those have been around 40 years.
 
NSA et al are almost certainly doing what they should be doing: misleading and confusing the adversary by releasing information that is misleading and confusing. They have every reason to make the adversary think he was more successful than he actually was and to claim hacks to systems that were not hacked or were not successfully hacked. We'll never know that truth and that's a good thing.

A simple example of this occurred a few years ago. The US announced that the Chicoms were blinding our imaging satellites with lasers. This is exactly what you would announce if you detected unsuccessful attempts. Even that simple scenario has lots of layers, since the adversary also knows what it is in our best interest to say. So does he believe our statement or does he keep spending resources on the laser project on the assumption that it is so far unsuccessful?

I tend to believe the Russian claim, but that too may have been made to mislead the actual adversary into believing that he had not been detected. Lots of layers to these things.
 