130 comments

[ 3.3 ms ] story [ 191 ms ] thread
dropping the caps out of their name was smart, that would have thrown me off
Yep, brilliant. I wish there were a tool that could go lowercase all my passwords out there so I could get that extra security.
Plus going to six. It’s like Spinal Tap.
>"1, 2, 3, 4, 5, 6... that's the combination I use on my luggage."

These people are supposed to be security professionals.

Came here to make this reference and you beat me by a fraction of a second.
It's almost like they were paid to be incompetent.
'solarwinds123' is gross negligence by any professional, let alone one that offers security/networking services to corporations and agencies
If this was in fact the origin of the compromise, I do wonder if there might be legal liability here.
Hey, it's more secure than 'solarwinds1'. ;-)
All good, the system is set to lock out access after 122 attempts.
Cost cutting is a wonderful thing
This is indefensible. However, Solarwinds isn't a security company. They build network monitoring/management tools and have a very telco feel. I'm honestly not surprised by this level of incompetence.
Their software allows network traffic to be monitored for some of the most important government agencies we have: the White House, the Pentagon, Treasury Dept, etc. They're not some retail company. Their tools provide a vector to attack extremely sensitive systems. Network monitoring and management is by definition supposed to be secure, especially for critical systems.
Agreed... but having used SolarWinds... I can't believe people use this stuff.
They have 6 tools listed on their IT Security Downloads:

- Access Rights Manager: Manage and audit access rights across your IT infrastructure

- Security Event Manager - Improve your security posture and quickly demonstrate compliance with an easy-to-use, affordable SIEM tool

- Server Configuration Monitor - Gain visibility into systems changes and easily compare configurations over time with our new change monitoring tool

- Patch Manager - Patch management software designed to quickly address software vulnerabilities

- Serv-U Managed File Transfer Server - Enhance security and control over file transfers in and outside your organization

- Serv-U File Transfer Protocol Server - Simple, affordable, easy-to-use FTP server software

While I wouldn't call all of these security sensitive, but considering some of the other tools that they built:

- Dameware Remote Support: Remote control and systems management tools in one easy-to-use package

- Dameware Remote Everywhere: Deliver the tools IT professionals need in a cloud-based, remote support solution

- User Device Tracker: Network device tracking software designed to locate users and devices on your network

they definitely count as a security-sensitive vendor.

You'd be surprised how many engineers don't understand security.

A few years ago I complained to the DD-WRT developers that they need to serve up with firmware images on HTTPS (They were serving them up on HTTP). Their images are not cryptographically signed and they didn't publish hashes so at the very least they could try to secure the transport and use HTTPS. My request was rejected and they were confused as to why HTTPS was necessary as "it's not like we're doing online banking".

I think if you put the capital letters in the middle and the numbers and punctuation at the beginning you are golden.
Add the current year and ! and that shit is unbreakable.

Not legally binding in the contiguous United States.

What are the good password practices for handling passwords that several people need to be able to use?

I have yet to be in an organization that hasn’t defaulted to something quite unwise simply because trying to maintain the institutional knowledge of that password is otherwise difficult.

The good password practice is to not do this.
You can use a team-oriented password manager with access controls, 2fa, etc.
> What are the good password practices for handling passwords that several people need to be able to use?

Mostly – don’t. Every user that has access to a system should have their own credentials. There’s no reason for an update server to be set up this way.

This. Assign required roles to existing company accounts. Use SSO where possible. Don't have shared "god accounts" for anything.
(comment deleted)
You can SSO the password to an identity store (LDAP / AD), add MFA

Or, you sign a key/certificate for each user, add MFA

Or, you create a complex password for each user, and add MFA

Or you create a complex password, shared in a keystore that handles checkout and rotation

Worst case, if you're lazy, you create a complex password for a handful of your teammates and reset it when a team member leaves

Or if you're solarwinds, you apparently choose gross negligence

In their defense, gross negligence takes less time and money, and they probably won't suffer much from this incident, so it all still paid off on the bottom line, and now a whole lot more people know who they are. Free marketing! Bonuses all around!
We used to have a shared password.

We've moved to identity + role based access control, but some older core pieces still used the shared password.

We simply have a portal that authenticated users can log into it, and see the current password which is rotated monthly, with a random selection from a series of dictionary words. (which can occasionally produce giggleworthy combinations)

But as the sibling comment says; the right way is to get rid of it entirely.

ours are rotated daily. If you don't have a key on you, you can "break glass" in a portal and get a temp password for 4 hours. We're in the process of phasing out service accounts.
Use a shared vault like LastPass or Password Hub
If you can build a house with a door, you can put a decent lock on the door. If you can’t put a lock on the door or don’t understand why or how, you can’t really build a house.
Realistically you shouldn't, I work in auditing and there are very few use cases where sharing passwords is okay. But here are a couple of approaches.

- Using a password manager where there is audit logging that is reviewed and the access to the passwords is segregated to those who need it - Using a privileged access monitoring tool such as CyberArk - Simply creating separate named privileged accounts for each person to use is the best alternative

Part of CyberArk's functionality is also rotating/updating local accounts on systems as well (including root).
> What are the good password practices for handling passwords that several people need to be able to use?

The answer is typically “never share accounts” and therefore never share passwords.

I wouldn’t the surprised if “do not share credentials” is explicitly stated in solarwinds internal security policies.

Beyond the challenge of sharing strong passwords, there’s also the (important from compliance perspective) issue of losing the ability to audit who took what action if multiple people use the same credentials.

I agree with the others that the right answer is don't. But if you are going to anyways a way to do it less idiotically is to use the 'static password' feature of a YubiKey. [0] That at least eliminates the desire to pick too simple of a password or to not change it on a regular basis for fear of having to memorize a new password. This doesn't protect against a malicious insider giving the password away but it makes it easy to use a strong (randomly generated) password.

[0] https://www.yubico.com/resources/glossary/static-password/

>Three people familiar with the investigation have told Reuters that Russia is a top suspect, although others familiar with the inquiry have said it is still too early to tell.

If this is the case, then why is Russia so definitively portrayed as the culprit in so many publications, currently?

Because Russia were legitimately a culprit during the cold war, and many people who grew up during that period are susceptible to clickbait where Russia is, again, the bad guy. They were primed for it during their entire childhood, and then as adults with movies, video games, etc.
Uh huh, so that means even when there's direct evidence people shouldn't believe it because it's the boogeyman argument?
As Obama told Romney years ago, "the 80s called and are asking for their policy back!".

American media loves their heroes and villains narratives, and the characters change depending on what is convenient. Even if Russia was responsible, would you believe them after all the other times they cried wolf?

This is annoying without knowing the sources. But APT behaviours are repeated, researched, investigated. This could be legitimately mapped to a specific group using details which relevant agencies don't want to make public. Not sure we can deal with it better than acknowledge this is someone's opinion and there's a chance they may have more information, but there's also chance they're playing games.
A third possibility is that the attacker is pretending to be someone else as misdirection and that whoever is investigating fell into their trap.
There were Russian characters in a comment in one of the scripts! Open-and-shut case!
This seems very unlikely to me. Not only would the attacker need to know precise detail about the exact methods and steps taken by a russia-sponsored group, the attacker would also need to entirely suppress their own methods and approaches so that they are not identifiable as themselves.

Much easier to simply hide who you are by changing your compromise fingerprint than to try to impersonate someone else's compromise fingerprint.

If a technique is seen in this attack that has been seen in previous attacks which are now known to be by a russia-sponsored group, that is very strong evidence that the same group is responsible. It is not proof, but it is strong evidence.

If you know what the investigators are looking for (say, after you hacked them), then it might not be that hard.

Given the fact that attribution is so difficult that we haven't seen any lawsuits yet, I'd imagine that entirlely suppressing your own methods if you know what the investigator is expecting from someone else as well as what the methods of others are is feasible.

For the same reason it has been the persistent narrative for the past four years.
Seems to me that they have a `with good authority` hunch, but just need a few more pieces to make it a fool proof connection. With anything, unless they actively admit to it, or made a lot of mistakes, it's not really going any where. Does anything really happen to rogue nation Russia even if they are caught?

It's like getting a new, untrained puppy; it's one of those cases where, you walk into a dark room the puppy was in for a little while. You can smell it, and you're more than likely correct what it's coming from, you just can't see it so you can't really prove, yet, that there is shit somewhere... until you turn the lights on.

"Anonymous source say...." is how just about every other Washington Post and New York Times article that turns out to eventually be wrong starts.
It's also how about every other WaPo or NYT article that turns out to be right works. Anon sources are the core of journalism, good and bad.
Maybe because it is believed (or known, or anywhere in between) that they are presently actively doing things of this nature...

Attackers also leave breadcrumbs behind; fingerprints, in a way. Sometimes the actions taken are the fingerprint, sometimes the effort to cover up those actions is the fingerprint.

If I am an investigator and I see trademark actions or cleanup that I've seen before in a russia-sponsored attack, it is not a huge leap to strongly suspect I am investigating a russia-sponsored attack.

And if you're a skilled attacker, wouldn't you leave breadcrumbs leading to someone else's door?

Like how North Korea is largely seen as responsible for hacking Sony. If you paint a big enough arrow, people will follow it.

It's official If you are stupid enough to accept the advanced persistent state sponsored threat argument

And you're dense enough to give these guys a second chance

Then you should just fire your engineers and base your entire life out of the Gartner trade rag magic quadrants.

> base your entire life out of the Gartner trade rag magic quadrants

Seems to work pretty well for a lot of the CIO/CTO level people who I have worked with.

Unfortunately.

Remember that these individuals are usually hired and given responsibility based on their ability to game class signalling games; they exist to justify the status quo.

If the status quo were more justifiable their actual job responsibilities to other people within the organization ( conflict resolution, scheduling, resource allocation, and personnel management) are things that could be automated in a hot minute.

I don’t know about full automation, but I can confirm that in large f500 companies, Gartner holds a lot of weight. Most follow their recommendations. I’m guilty too of using that argument: “According to Gartner...” to give weight to my position when talking to C-level folks. I wish I didn’t have to, but lots of folks trust their recommendations.
I'm either too old or too young to understand anything of what you've just said.
Not OP, but pretty sure he’s saying that if you’re eg a CISO who’s naive enough to accept whatever argument is fed to you for why this is a “state sponsored attack” (implying that it’s not), then you may as well reduce your professional decision making to favoring whatever Gartner recommends in their “magic quadrant” marketing materials.
It would be impossible for this to be the attack vector used.

While these credentials let you push things to the download servers, the actual malware was inserted much earlier during the build process before the code was signed.

This flaw is from a year ago and had nothing to do with the recent hack. The discourse in these posts that often involve a certain country tend to always lean more towards people's political beliefs rather than anything actually being reported in the story.
(comment deleted)
Solarwinds was dumb, but this definitely was an advanced attacker who hit FireEye, DHS, and Treasury. They had ownership of over 18,000 solarwinds servers and went after 10 or less orgs. When they did, the attacks they used were complex. It was very clearly as a state sponsored action and I don't understand why you would dismiss that.
You seem to be asserting that it’s “very clear” with basically zero justification for why it’s so clear.
It's clear that the justification is in the two sentences preceding the "very clear" comment.
OP’s first sentence says Solarwinds was dumb. If anything, isn’t that evidence of the attack requiring less sophistication than one that excludes all but well funded attackers?
"base your entire life out of the Gartner trade rag magic quadrants."

You just described the CIO of a billion dollar revenue NYSE traded company I was with briefly a few years back. The CIO had no degree and thought the Gartner organization could do no wrong, so they were his guide and trusted confidant. It was a nightmare, a total disaster. Everyone in IT there were so used to constant chaos no one seemed to notice or mind. Yikes.

Remember when FireEye told you this was a super sophisticated nation state attack?

Not much left of them trying to lie their way out of this shambles.

Using a bad password on one of your systems (a year ago) does not, in any way, preclude the possibility of being attacked in a sophisticated manner by a sophisticated attacker.
It's reveling how little the average HN user understands about security, maybe in part revealing why there is such a problem with security to begin with l.
Love to be a ~$6 billion company handling critical infrastructure that saves money by using paperclips instead of padlocks.
RUSSIA is the only one who could have guessed this password!
First time I ever had to leave a comment surrounding the HN Guidelines, but "Please don't use Hacker News for political or ideological battle. It tramples curiosity."

Just today you wrote "[...] Russians, you're a fucking Trump supporter!"

HN is the best and I'm sure you agree. Please take it easy with these kinds of comments.

It tramples curiosity when no one questions why the Russians are blamed for everything which is intellectually dishonest. A few hackers isn’t indicative of the entire country. It’s almost starting to border on bigotry
Nobody is blaming Russian people, they’re blaming the Russian government. All large foreign powers engage in espionage of their rivals and have done so for literally millennia.
There is still no proof it was Russia though unless you have some facts other than “someone told me so” or “I read it somewhere”. Why are people so naive
People are questioning why everyone is so quick to point at Russia: https://news.ycombinator.com/item?id=25438348
Why is no one questioning if Russia hacked this election then? Seems the Democrats are really sure this time unlike 2016. To any non-biased person it’s so blatantly obvious a lot of people drink the bay area Kool-Aid which they’ll soon find out is terrible when everyone’s gone in a decade.
> Russians, you're a fucking Trump supporter!

The Mueller inquiry was 4 years of lies and theater on the side of the Democrats, that verged on treason. Having said that, as a superpower, the US requires a relationship with Russia.

It turns out that the CCP is vastly more dangerous than Russia ever was, making our relationship with Russia even more important. The CCP has been in a cold war with the US since the 1950s when Mao said, "hide our strength, bide our time." Mao had a falling-out with Russia because Russia wouldn't declare a joint military war for ideological reasons on the US on multiple occasions in the 50's and 60's. (The CCP developed nuclear missiles mainly to attack the US.)

Xi is literally an ideological clone of Mao, even though Maoists jailed his father and made Xi do child labor in a work camp digging ditches. To protect his immediate family, they live in Australia and Canada because it's not safe to live in China.

The real Mueller investigation should have been into the Biden family, who was involved in influence peddling to the CCP and Ukraine. And the Clintons, who were bought by the Saudis. (There is indisputable proof online, and neither family has ever denied it. Biden's "I love my son." is not a denial.)

https://apnews.com/article/joe-biden-politics-business-ukrai...

https://www.politifact.com/article/2016/jul/07/fact-checking...

Trump's foreign policy is widely acknowledged to be the best in almost 70 years. Whereas Obama is compared to Jimmy Carter, Trump is compare to Reagan. (Don't confuse what's best for the US and the free world with what Europeans whine about. They don't even pay for their own defense.)

AMA.

(comment deleted)
So does this attack really require "State sponsored infrastructure" to have occurred?
Clearly only state sponsored attacker could’ve guessed that password
The password probably hasn't been changed since they last updated the UI of Orion ten years ago.

https://www.networkmanagementsoftware.com/wp-content/uploads...

(comment deleted)
The password to a twitter account, and the password to an update server which apparently allows you to pwn parts of seemingly every branch of the US government are not even remotely on the same scale.
Hanlon's Razor etc etc, but if I wanted to create an intentional security vulnerability and have plausible deniability, I would use stupidly simple passwords as well.
No, why? If they have special customers I’m sure they could give their special customers a complicated password to use just the same.
Actual title:

Hackers used SolarWinds' dominance against it in sprawling spy campaign

Not to dismiss the point of the editorialised title here ("SolarWinds use the password 'solarwinds123' on their Update Servers") but note:

Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said

Additionally, that was a flaw from a year ago. Still incredibly stupid, but not really relevant to the recent hacks at all. This is being used to discredit the fact that investigators are pointing to "a" state actor for the source of these hacks.
>Additionally, that was a flaw from a year ago. Still incredibly stupid, but not really relevant to the recent hacks at all.

I'd argue that it's very relevant; if they were making such terrible decisions a year ago, what else did they do wrong between then and the hack? I am reluctant to assume that they didn't make other mistakes, given how obvious this password flub was.

(comment deleted)
The title should be edited from "use" to "used" imo.
> Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said.

For what it's worth.

Burglar 1: "Hey guys I managed to bypass the security system on the window and jimmy it open just enough for us to squeeze in and out"

Burglar 2: "Key's under the doormat"

It's surprising how many hacks are from insiders or through social engineering.
It's not surprising if you track the industry news.
With such a blisteringly dumb mistake already being made, I’m sure the attackers had to choose which one of the wide open doors to use.
Yep, forget security through obscurity. They're going for paralysis through over-analysis.
I know you’re joking, but leaving out honeypots to slow down enemy attackers is a valid strategy. Except you need to purposefully leave honeypots that don’t have anything valuable in them. They seemed to have misunderstood the strategy.
90 days prior to that it was 'solarwinds12'.
Surprising they added complexity with 123 I stead of just incrementing to 13.

Or maybe a few years ago some security genius mandated a weekly password change and they had just made it to week 123.

How did Solarwinds ever pass a SOC2 or similar audit? And who performed the audit(s)?
It would be nice to know if they did or if it was ever required of them.
(comment deleted)
What value does SolarWinds provide? I manage three days centers, about 4000 physical machines, and tens of thousands of VMs, switches, routers, etc.

Never had a need for anything SolarWinds provides, and we have tons of stuff in PCI-DSS environments...

'501@rw1nd5IZE' would be better.
Three data centers, 4000 physical machines, tens of thousands of VMs, switches, routers, etc...

Never needed SolarWinds, and we'll definitely never entertain them now.

That's actually the most secure password they could have chosen. Who'd suspect that a security company would use the simplest of passwords. Dumbasses wasting time trying to crack a secure password, hah! /s
Throwaway here.

These kinds of passwords are all over the place. Cisco uses a simple variation of c!sco123 for a lot of it’s managed gear which is a documented default that doesn’t get changed.

> Three weeks ago, SolarWinds posted a job ad seeking a new vice president for security; the position is still listed as open.

Does this mean the job listing was posted before this incident gone public?

A friend of mine talked about building a simple crawler to find companies with open security positions.

He noticed whenever there is a spike in open security positions a breach is soon announced or was just announced recently.

Take it to its logical conclusion and short the company.
Nice! Hopefully more is government stuff gets hacked.
>Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”

Wow.