This is indefensible. However, Solarwinds isn't a security company. They build network monitoring/management tools and have a very telco feel. I'm honestly not surprised by this level of incompetence.
Their software allows network traffic to be monitored for some of the most important government agencies we have: the White House, the Pentagon, Treasury Dept, etc. They're not some retail company. Their tools provide a vector to attack extremely sensitive systems. Network monitoring and management is by definition supposed to be secure, especially for critical systems.
You'd be surprised how many engineers don't understand security.
A few years ago I complained to the DD-WRT developers that they need to serve up with firmware images on HTTPS (They were serving them up on HTTP). Their images are not cryptographically signed and they didn't publish hashes so at the very least they could try to secure the transport and use HTTPS. My request was rejected and they were confused as to why HTTPS was necessary as "it's not like we're doing online banking".
What are the good password practices for handling passwords that several people need to be able to use?
I have yet to be in an organization that hasn’t defaulted to something quite unwise simply because trying to maintain the institutional knowledge of that password is otherwise difficult.
> What are the good password practices for handling passwords that several people need to be able to use?
Mostly – don’t. Every user that has access to a system should have their own credentials. There’s no reason for an update server to be set up this way.
In their defense, gross negligence takes less time and money, and they probably won't suffer much from this incident, so it all still paid off on the bottom line, and now a whole lot more people know who they are. Free marketing! Bonuses all around!
We've moved to identity + role based access control, but some older core pieces still used the shared password.
We simply have a portal that authenticated users can log into it, and see the current password which is rotated monthly, with a random selection from a series of dictionary words. (which can occasionally produce giggleworthy combinations)
But as the sibling comment says; the right way is to get rid of it entirely.
ours are rotated daily. If you don't have a key on you, you can "break glass" in a portal and get a temp password for 4 hours. We're in the process of phasing out service accounts.
If you can build a house with a door, you can put a decent lock on the door. If you can’t put a lock on the door or don’t understand why or how, you can’t really build a house.
Realistically you shouldn't, I work in auditing and there are very few use cases where sharing passwords is okay. But here are a couple of approaches.
- Using a password manager where there is audit logging that is reviewed and the access to the passwords is segregated to those who need it
- Using a privileged access monitoring tool such as CyberArk
- Simply creating separate named privileged accounts for each person to use is the best alternative
> What are the good password practices for handling passwords that several people need to be able to use?
The answer is typically “never share accounts” and therefore never share passwords.
I wouldn’t the surprised if “do not share credentials” is explicitly stated in solarwinds internal security policies.
Beyond the challenge of sharing strong passwords, there’s also the (important from compliance perspective) issue of losing the ability to audit who took what action if multiple people use the same credentials.
I agree with the others that the right answer is don't. But if you are going to anyways a way to do it less idiotically is to use the 'static password' feature of a YubiKey. [0] That at least eliminates the desire to pick too simple of a password or to not change it on a regular basis for fear of having to memorize a new password. This doesn't protect against a malicious insider giving the password away but it makes it easy to use a strong (randomly generated) password.
>Three people familiar with the investigation have told Reuters that Russia is a top suspect, although others familiar with the inquiry have said it is still too early to tell.
If this is the case, then why is Russia so definitively portrayed as the culprit in so many publications, currently?
Because Russia were legitimately a culprit during the cold war, and many people who grew up during that period are susceptible to clickbait where Russia is, again, the bad guy. They were primed for it during their entire childhood, and then as adults with movies, video games, etc.
As Obama told Romney years ago, "the 80s called and are asking for their policy back!".
American media loves their heroes and villains narratives, and the characters change depending on what is convenient. Even if Russia was responsible, would you believe them after all the other times they cried wolf?
This is annoying without knowing the sources. But APT behaviours are repeated, researched, investigated. This could be legitimately mapped to a specific group using details which relevant agencies don't want to make public. Not sure we can deal with it better than acknowledge this is someone's opinion and there's a chance they may have more information, but there's also chance they're playing games.
This seems very unlikely to me. Not only would the attacker need to know precise detail about the exact methods and steps taken by a russia-sponsored group, the attacker would also need to entirely suppress their own methods and approaches so that they are not identifiable as themselves.
Much easier to simply hide who you are by changing your compromise fingerprint than to try to impersonate someone else's compromise fingerprint.
If a technique is seen in this attack that has been seen in previous attacks which are now known to be by a russia-sponsored group, that is very strong evidence that the same group is responsible. It is not proof, but it is strong evidence.
If you know what the investigators are looking for (say, after you hacked them), then it might not be that hard.
Given the fact that attribution is so difficult that we haven't seen any lawsuits yet, I'd imagine that entirlely suppressing your own methods if you know what the investigator is expecting from someone else as well as what the methods of others are is feasible.
Seems to me that they have a `with good authority` hunch, but just need a few more pieces to make it a fool proof connection. With anything, unless they actively admit to it, or made a lot of mistakes, it's not really going any where. Does anything really happen to rogue nation Russia even if they are caught?
It's like getting a new, untrained puppy; it's one of those cases where, you walk into a dark room the puppy was in for a little while. You can smell it, and you're more than likely correct what it's coming from, you just can't see it so you can't really prove, yet, that there is shit somewhere... until you turn the lights on.
Maybe because it is believed (or known, or anywhere in between) that they are presently actively doing things of this nature...
Attackers also leave breadcrumbs behind; fingerprints, in a way. Sometimes the actions taken are the fingerprint, sometimes the effort to cover up those actions is the fingerprint.
If I am an investigator and I see trademark actions or cleanup that I've seen before in a russia-sponsored attack, it is not a huge leap to strongly suspect I am investigating a russia-sponsored attack.
Remember that these individuals are usually hired and given responsibility based on their ability to game class signalling games; they exist to justify the status quo.
If the status quo were more justifiable their actual job responsibilities to other people within the organization ( conflict resolution, scheduling, resource allocation, and personnel management) are things that could be automated in a hot minute.
I don’t know about full automation, but I can confirm that in large f500 companies, Gartner holds a lot of weight. Most follow their recommendations. I’m guilty too of using that argument: “According to Gartner...” to give weight to my position when talking to C-level folks. I wish I didn’t have to, but lots of folks trust their recommendations.
Not OP, but pretty sure he’s saying that if you’re eg a CISO who’s naive enough to accept whatever argument is fed to you for why this is a “state sponsored attack” (implying that it’s not), then you may as well reduce your professional decision making to favoring whatever Gartner recommends in their “magic quadrant” marketing materials.
It would be impossible for this to be the attack vector used.
While these credentials let you push things to the download servers, the actual malware was inserted much earlier during the build process before the code was signed.
This flaw is from a year ago and had nothing to do with the recent hack. The discourse in these posts that often involve a certain country tend to always lean more towards people's political beliefs rather than anything actually being reported in the story.
Solarwinds was dumb, but this definitely was an advanced attacker who hit FireEye, DHS, and Treasury. They had ownership of over 18,000 solarwinds servers and went after 10 or less orgs. When they did, the attacks they used were complex. It was very clearly as a state sponsored action and I don't understand why you would dismiss that.
OP’s first sentence says Solarwinds was dumb. If anything, isn’t that evidence of the attack requiring less sophistication than one that excludes all but well funded attackers?
"base your entire life out of the Gartner trade rag magic quadrants."
You just described the CIO of a billion dollar revenue NYSE traded company I was with briefly a few years back. The CIO had no degree and thought the Gartner organization could do no wrong, so they were his guide and trusted confidant. It was a nightmare, a total disaster. Everyone in IT there were so used to constant chaos no one seemed to notice or mind. Yikes.
Using a bad password on one of your systems (a year ago) does not, in any way, preclude the possibility of being attacked in a sophisticated manner by a sophisticated attacker.
It's reveling how little the average HN user understands about security, maybe in part revealing why there is such a problem with security to begin with l.
First time I ever had to leave a comment surrounding the HN Guidelines, but "Please don't use Hacker News for political or ideological battle. It tramples curiosity."
Just today you wrote "[...] Russians, you're a fucking Trump supporter!"
HN is the best and I'm sure you agree. Please take it easy with these kinds of comments.
It tramples curiosity when no one questions why the Russians are blamed for everything which is intellectually dishonest. A few hackers isn’t indicative of the entire country. It’s almost starting to border on bigotry
Nobody is blaming Russian people, they’re blaming the Russian government. All large foreign powers engage in espionage of their rivals and have done so for literally millennia.
There is still no proof it was Russia though unless you have some facts other than “someone told me so” or “I read it somewhere”. Why are people so naive
Why is no one questioning if Russia hacked this election then? Seems the Democrats are really sure this time unlike 2016. To any non-biased person it’s so blatantly obvious a lot of people drink the bay area Kool-Aid which they’ll soon find out is terrible when everyone’s gone in a decade.
The Mueller inquiry was 4 years of lies and theater on the side of the Democrats, that verged on treason. Having said that, as a superpower, the US requires a relationship with Russia.
It turns out that the CCP is vastly more dangerous than Russia ever was, making our relationship with Russia even more important. The CCP has been in a cold war with the US since the 1950s when Mao said, "hide our strength, bide our time." Mao had a falling-out with Russia because Russia wouldn't declare a joint military war for ideological reasons on the US on multiple occasions in the 50's and 60's. (The CCP developed nuclear missiles mainly to attack the US.)
Xi is literally an ideological clone of Mao, even though Maoists jailed his father and made Xi do child labor in a work camp digging ditches. To protect his immediate family, they live in Australia and Canada because it's not safe to live in China.
The real Mueller investigation should have been into the Biden family, who was involved in influence peddling to the CCP and Ukraine. And the Clintons, who were bought by the Saudis. (There is indisputable proof online, and neither family has ever denied it. Biden's "I love my son." is not a denial.)
Trump's foreign policy is widely acknowledged to be the best in almost 70 years. Whereas Obama is compared to Jimmy Carter, Trump is compare to Reagan. (Don't confuse what's best for the US and the free world with what Europeans whine about. They don't even pay for their own defense.)
The password to a twitter account, and the password to an update server which apparently allows you to pwn parts of seemingly every branch of the US government are not even remotely on the same scale.
Hanlon's Razor etc etc, but if I wanted to create an intentional security vulnerability and have plausible deniability, I would use stupidly simple passwords as well.
Additionally, that was a flaw from a year ago. Still incredibly stupid, but not really relevant to the recent hacks at all. This is being used to discredit the fact that investigators are pointing to "a" state actor for the source of these hacks.
>Additionally, that was a flaw from a year ago. Still incredibly stupid, but not really relevant to the recent hacks at all.
I'd argue that it's very relevant; if they were making such terrible decisions a year ago, what else did they do wrong between then and the hack? I am reluctant to assume that they didn't make other mistakes, given how obvious this password flub was.
I know you’re joking, but leaving out honeypots to slow down enemy attackers is a valid strategy. Except you need to purposefully leave honeypots that don’t have anything valuable in them. They seemed to have misunderstood the strategy.
That's actually the most secure password they could have chosen. Who'd suspect that a security company would use the simplest of passwords. Dumbasses wasting time trying to crack a secure password, hah! /s
These kinds of passwords are all over the place. Cisco uses a simple variation of c!sco123 for a lot of it’s managed gear which is a documented default that doesn’t get changed.
>Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”
130 comments
[ 3.3 ms ] story [ 191 ms ] threadThese people are supposed to be security professionals.
- Access Rights Manager: Manage and audit access rights across your IT infrastructure
- Security Event Manager - Improve your security posture and quickly demonstrate compliance with an easy-to-use, affordable SIEM tool
- Server Configuration Monitor - Gain visibility into systems changes and easily compare configurations over time with our new change monitoring tool
- Patch Manager - Patch management software designed to quickly address software vulnerabilities
- Serv-U Managed File Transfer Server - Enhance security and control over file transfers in and outside your organization
- Serv-U File Transfer Protocol Server - Simple, affordable, easy-to-use FTP server software
While I wouldn't call all of these security sensitive, but considering some of the other tools that they built:
- Dameware Remote Support: Remote control and systems management tools in one easy-to-use package
- Dameware Remote Everywhere: Deliver the tools IT professionals need in a cloud-based, remote support solution
- User Device Tracker: Network device tracking software designed to locate users and devices on your network
they definitely count as a security-sensitive vendor.
A few years ago I complained to the DD-WRT developers that they need to serve up with firmware images on HTTPS (They were serving them up on HTTP). Their images are not cryptographically signed and they didn't publish hashes so at the very least they could try to secure the transport and use HTTPS. My request was rejected and they were confused as to why HTTPS was necessary as "it's not like we're doing online banking".
Not legally binding in the contiguous United States.
I have yet to be in an organization that hasn’t defaulted to something quite unwise simply because trying to maintain the institutional knowledge of that password is otherwise difficult.
Mostly – don’t. Every user that has access to a system should have their own credentials. There’s no reason for an update server to be set up this way.
Or, you sign a key/certificate for each user, add MFA
Or, you create a complex password for each user, and add MFA
Or you create a complex password, shared in a keystore that handles checkout and rotation
Worst case, if you're lazy, you create a complex password for a handful of your teammates and reset it when a team member leaves
Or if you're solarwinds, you apparently choose gross negligence
We've moved to identity + role based access control, but some older core pieces still used the shared password.
We simply have a portal that authenticated users can log into it, and see the current password which is rotated monthly, with a random selection from a series of dictionary words. (which can occasionally produce giggleworthy combinations)
But as the sibling comment says; the right way is to get rid of it entirely.
- Using a password manager where there is audit logging that is reviewed and the access to the passwords is segregated to those who need it - Using a privileged access monitoring tool such as CyberArk - Simply creating separate named privileged accounts for each person to use is the best alternative
The answer is typically “never share accounts” and therefore never share passwords.
I wouldn’t the surprised if “do not share credentials” is explicitly stated in solarwinds internal security policies.
Beyond the challenge of sharing strong passwords, there’s also the (important from compliance perspective) issue of losing the ability to audit who took what action if multiple people use the same credentials.
[0] https://www.yubico.com/resources/glossary/static-password/
If this is the case, then why is Russia so definitively portrayed as the culprit in so many publications, currently?
American media loves their heroes and villains narratives, and the characters change depending on what is convenient. Even if Russia was responsible, would you believe them after all the other times they cried wolf?
Much easier to simply hide who you are by changing your compromise fingerprint than to try to impersonate someone else's compromise fingerprint.
If a technique is seen in this attack that has been seen in previous attacks which are now known to be by a russia-sponsored group, that is very strong evidence that the same group is responsible. It is not proof, but it is strong evidence.
Given the fact that attribution is so difficult that we haven't seen any lawsuits yet, I'd imagine that entirlely suppressing your own methods if you know what the investigator is expecting from someone else as well as what the methods of others are is feasible.
It's like getting a new, untrained puppy; it's one of those cases where, you walk into a dark room the puppy was in for a little while. You can smell it, and you're more than likely correct what it's coming from, you just can't see it so you can't really prove, yet, that there is shit somewhere... until you turn the lights on.
Attackers also leave breadcrumbs behind; fingerprints, in a way. Sometimes the actions taken are the fingerprint, sometimes the effort to cover up those actions is the fingerprint.
If I am an investigator and I see trademark actions or cleanup that I've seen before in a russia-sponsored attack, it is not a huge leap to strongly suspect I am investigating a russia-sponsored attack.
Like how North Korea is largely seen as responsible for hacking Sony. If you paint a big enough arrow, people will follow it.
And you're dense enough to give these guys a second chance
Then you should just fire your engineers and base your entire life out of the Gartner trade rag magic quadrants.
Seems to work pretty well for a lot of the CIO/CTO level people who I have worked with.
Unfortunately.
If the status quo were more justifiable their actual job responsibilities to other people within the organization ( conflict resolution, scheduling, resource allocation, and personnel management) are things that could be automated in a hot minute.
While these credentials let you push things to the download servers, the actual malware was inserted much earlier during the build process before the code was signed.
You just described the CIO of a billion dollar revenue NYSE traded company I was with briefly a few years back. The CIO had no degree and thought the Gartner organization could do no wrong, so they were his guide and trusted confidant. It was a nightmare, a total disaster. Everyone in IT there were so used to constant chaos no one seemed to notice or mind. Yikes.
Not much left of them trying to lie their way out of this shambles.
Just today you wrote "[...] Russians, you're a fucking Trump supporter!"
HN is the best and I'm sure you agree. Please take it easy with these kinds of comments.
The Mueller inquiry was 4 years of lies and theater on the side of the Democrats, that verged on treason. Having said that, as a superpower, the US requires a relationship with Russia.
It turns out that the CCP is vastly more dangerous than Russia ever was, making our relationship with Russia even more important. The CCP has been in a cold war with the US since the 1950s when Mao said, "hide our strength, bide our time." Mao had a falling-out with Russia because Russia wouldn't declare a joint military war for ideological reasons on the US on multiple occasions in the 50's and 60's. (The CCP developed nuclear missiles mainly to attack the US.)
Xi is literally an ideological clone of Mao, even though Maoists jailed his father and made Xi do child labor in a work camp digging ditches. To protect his immediate family, they live in Australia and Canada because it's not safe to live in China.
The real Mueller investigation should have been into the Biden family, who was involved in influence peddling to the CCP and Ukraine. And the Clintons, who were bought by the Saudis. (There is indisputable proof online, and neither family has ever denied it. Biden's "I love my son." is not a denial.)
https://apnews.com/article/joe-biden-politics-business-ukrai...
https://www.politifact.com/article/2016/jul/07/fact-checking...
Trump's foreign policy is widely acknowledged to be the best in almost 70 years. Whereas Obama is compared to Jimmy Carter, Trump is compare to Reagan. (Don't confuse what's best for the US and the free world with what Europeans whine about. They don't even pay for their own defense.)
AMA.
https://www.networkmanagementsoftware.com/wp-content/uploads...
Hackers used SolarWinds' dominance against it in sprawling spy campaign
Not to dismiss the point of the editorialised title here ("SolarWinds use the password 'solarwinds123' on their Update Servers") but note:
Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said
I'd argue that it's very relevant; if they were making such terrible decisions a year ago, what else did they do wrong between then and the hack? I am reluctant to assume that they didn't make other mistakes, given how obvious this password flub was.
For what it's worth.
Burglar 2: "Key's under the doormat"
Or maybe a few years ago some security genius mandated a weekly password change and they had just made it to week 123.
Never had a need for anything SolarWinds provides, and we have tons of stuff in PCI-DSS environments...
Never needed SolarWinds, and we'll definitely never entertain them now.
These kinds of passwords are all over the place. Cisco uses a simple variation of c!sco123 for a lot of it’s managed gear which is a documented default that doesn’t get changed.
Does this mean the job listing was posted before this incident gone public?
He noticed whenever there is a spike in open security positions a breach is soon announced or was just announced recently.
Wow.