Microsoft, SolarWinds Face New Criticism Over Russian Breach of US Networks (msn.com) 61
After Russia's massive breach of both government and private networks in the U.S., American intelligence officials "have expressed anger that Microsoft did not detect the attack earlier.
But new criticisms are also falling on SolarWinds: Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.... SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia's agents compromised. The company has said only that the manipulation of its software was the work of human hackers rather than of a computer program. It has not publicly addressed the possibility of an insider being involved in the breach.
None of the SolarWinds customers contacted by The New York Times in recent weeks were aware they were reliant on software that was maintained in Eastern Europe. Many said they did not even know they were using SolarWinds software until recently.
Even with its software installed throughout federal networks, employees said SolarWinds tacked on security only in 2017, under threat of penalty from a new European privacy law. Only then, employees say, did SolarWinds hire its first chief information officer and install a vice president of "security architecture." Ian Thornton-Trump, a former cybersecurity adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be "catastrophic." After his basic recommendations were ignored, Mr. Thornton-Trump left the company.
SolarWinds declined to address questions about the adequacy of its security. In a statement, it said it was a "victim of a highly-sophisticated, complex and targeted cyberattack" and was collaborating closely with law enforcement, intelligence agencies and security experts to investigate. But security experts note that it took days after the Russian attack was discovered before SolarWinds' websites stopped offering clients compromised code.
And privately U.S. officials are now also considering the security of the U.S. power grid: Publicly, officials have said they do not believe the hackers from Russia's S.V.R. pierced classified systems containing sensitive communications and plans. But privately, officials say they still do not have a clear picture of what might have been stolen. They said they worried about delicate but unclassified data the hackers might have taken from victims like the Federal Energy Regulatory Commission, including Black Start, the detailed technical blueprints for how the United States plans to restore power in the event of a cataclysmic blackout. The plans would give Russia a hit list of systems to target to keep power from being restored in an attack like the one it pulled off in Ukraine in 2015, shutting off power for six hours in the dead of winter. Moscow long ago implanted malware in the American electric grid, and the United States has done the same to Russia as a deterrent....
So let me get this straight (Score:3, Interesting)
People are upset that Microsoft allowed users to install compromised software? How does Microsoft know what third party garbage your organization is installing? How about getting mad at the government for paying god knows how much for it in the first place?
Re:So let me get this straight (Score:5, Informative)
Re: (Score:2)
Most likely that SolarWinds had access to Microsoft sources.
Re: (Score:2)
Exactly why M$ ran this whole con of blame Russia, ohh ahh, the KGB and Vlad, why they paid PR=B$ firms to bombard us with lobbyists and corporate main stream media propaganda to escape liability by blaming the Russian government.
Far more likely organised crime running the for profit espionage program from Czech Republic or Poland or Belarus, on spec, sell it to the highest bidder, doing from their country through Russia provides an investigation barrier, due to American intransigence to a cyber crime inves
Upset? (Score:2)
People are upset that there's been no evidence shown that it was the Russkies.
Re: (Score:2)
Apparently they're not. The point where everyone would instantly agree if I claimed the Russians ate my homework is uh, many years ago. That is the whole point of propaganda, to take you to that point.
Re: (Score:2)
How does Microsoft know what third party garbage your organization is installing?
From what I understand, in order to run third party software on current Windows, Microsoft needs to sign the objects, so Solarwinds dll got the "Microsoft blessing", which for end users is considered as good as gold (rightly or wrongly). So people assumed all was good, apparently even MS.
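The signing check the comment above refers to can be inspected directly. The following PowerShell snippet is an added example, not code from the thread, the article, or any vendor: it reads the Authenticode signature of a DLL, reports who signed it and whether the chain validates, and records the file's SHA-256 hash. The file path and the expected-publisher pattern are placeholders to replace. A valid signature proves only that the file has not changed since the signer signed it; it does not prove the signed contents were clean, which is why the signer identity and hash are worth recording alongside the status.

```powershell
# Added example (not from the thread): inspect who actually signed a DLL and
# whether the signature chain validates. Path and publisher pattern are placeholders.
param(
    [string]$Path = 'C:\PLACEHOLDER\PLACEHOLDER.dll',        # assumed path, replace
    [string]$ExpectedPublisherPattern = 'CN=EXPECTED-PUBLISHER' # assumed CN fragment, replace
)

if (-not (Test-Path -Path $Path)) {
    throw "File not found: $Path"
}

$sig = Get-AuthenticodeSignature -FilePath $Path

# Summarise the signature: Status is Valid, NotSigned, HashMismatch, UnknownError, ...
$report = [pscustomobject]@{
    File          = $Path
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Issuer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '(none)' }
    Thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '(none)' }
    Timestamper   = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
    SHA256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}
$report | Format-List

# Two separate questions: does the signature validate, and is the signer the publisher we expect?
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature on $Path is not valid: $($sig.Status)"
}
elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisherPattern*") {
    Write-Warning "Signed by an unexpected publisher: $($sig.SignerCertificate.Subject)"
}
else {
    Write-Output "Signature valid and signer matches expected publisher pattern."
}
```

Run it against each binary an update drops, and compare the recorded SHA-256 values with the hashes the vendor publishes for that release; a signer that is not the vendor, or a hash that does not match, is the signal to stop the rollout and investigate.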
Re: (Score:1)
Your understanding is deficient, which is a polite way of saying that you are full of shit.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure.
At least one reseller of Microsoft cloud services was compromised by the attackers, constituting a supply chain attack that allowed the attackers to access Microsoft cloud services used by the reseller's customers.
Alongside this, "Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached.[21][22] This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.
Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.
Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months. This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems. The presence of single sign-on infrastructure increased the viability of the attack.
Re: (Score:1)
Anyone who runs anything of any significance on Other People's Servers gets what they deserve in the end.
Re: (Score:1)
The real question is why did these so-called victims install the third-party malware update in the first place? Was the version that they were using somehow deficient (other than, obviously, it did not contain the malicious payload). Victim, meet petard. And it is entirely of your own making!
An Exceptional Defense Posture (Score:3)
and the United States has done the same to Russia as a deterrent
STUXNET and related efforts might actually be a bigger deterrent, as it did real damage.
The US is less interested in hacking to steal classified information, because once you know about it, if you act on the knowledge then the enemy knows about your access and can take countermeasures. We have less use for fog than a little guy like Russia. So we need to keep tabs on specific programs, but we don't need to spy on all their agencies. We also don't fish for "kompromat," we stick to real bad deeds that would be prosecutable, because we'd look bad doing it; we have the moral high ground for strategic reasons.
We care about doing real damage, especially economic damage. Russia, being small and poor, but scary, benefits from mere chaos. They won't attack our grid in any serious way. They'd lose all their pipelines to Europe eventually, and they'd end up surrounded by a giant network firewall.
Re:An Exceptional Defense Posture (Score:4, Insightful)
We also don't fish for "kompromat," we stick to real bad deeds that would be prosecutable, because we'd look bad doing it; we have the moral high ground for strategic reasons.
Searching for "kompromat" (blackmail material) to use against someone only works if their superiors think they need to hold some moral high ground. That's a flaw in our system more so than the Russians.
"Deeds that would be prosecutable." By whom? Our standards of conduct, or more accurately our facade of law and order works against us more than it does the Russians. They came out of a culture of socialism. Where one's rank clearly rewards them with added privileges and opportunities to benefit from their system. We operate behind a veneer of law and order, which must be maintained. Even if our elites are allowed to abuse our systems to the same extent that the Soviets did theirs.
Re: An Exceptional Defense Posture (Score:2)
Are you trying to say that our "elites" don't currently see themselves as above the law?
I've got some casinos to sell you...
Re: (Score:2)
Are you trying to say that our "elites" don't currently see themselves as above the law?
Exactly the opposite. They do. But they expect that the plebeians believe in the rule of law. Or at least act as though they do.
Re: (Score:2)
Searching for "kompromat" (blackmail material) to use against someone only works if their superiors think they need to hold some moral high ground.
So, you're saying you haven't even read the wiki on it?
I mean, what a moronic claim. But look, it is so far from the standard analysis, if you assert it bare like that, that blackmail is associated with the moral high ground, with no attempt to explain the reasoning, then you're just a moron.
You're basically just saying, good people must be bad, because you said so.
Many eyes make security shallow. (Score:5, Funny)
"Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.... SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia's agents compromised. "
Try "Made in the US" open-source. Where security is a cool thing that programmers do. ;-)
Re: (Score:1)
Offshore this (Score:5, Insightful)
Lowest wage outsourcing at work.
Re: (Score:1)
Microsoft is EXTREMELY poorly managed. (Score:2, Funny)
Windows 10 is possibly the worst spyware ever made. [networkworld.com]
"Buried in the service agreement is permission to poke through everything on your PC."
More examples of Microsoft failures, a Google search: Windows 10 update failures [google.com].
One of the failures: Windows 10 Warning: Users Hit By Serious New Failure [forbes.com]
"
Re: (Score:3)
Microsoft needs a better CEO! My opinion.
Microsoft is like any established company that has been around long enough. It's extremely difficult to grow a company for decades without it getting all fat and out of shape.
Re: (Score:1)
"The Win10 licensing limitations make it hard to repair a bad installation."
This is a plea to facts not in evidence. Which particular (enforceable) terms of the license do you believe have this effect?
Re: (Score:3)
It's not stated in the summary that MS updates of Windows itself were compromised. It would be reasonable to suspect that they have been, but there's no clear evidence. The other problems MS has had with updates aren't relevant to this particular issue.
SO MS: what *did* happen, and where are the updates (out of band if necessary) to patch anything that Solar Winds-related hackers may have introduced?
Re: (Score:2)
Bring Steve Ballmer! No wait. Bill Gates. ;P
Re: (Score:1)
There is nothing in the contract which prevents you from taking action to prevent Microsoft from doing these things. That you are so incompetent that you cannot be bothered to take proper steps towards Safe and Secure computing is your problem, not Microsoft's problem. The contract merely protects Microsoft from liability for your incompetence. It does not mean that you have to be incompetent, merely that if you are, you agree that Microsoft shall not be liable for your actions or failure to act.
did they think it would be a simple cyberattack ? (Score:4, Interesting)
it said it was a "victim of a highly-sophisticated, complex and targeted cyberattack"
well duh. They knew, or should have known, that they were an EXTREMELY vulnerable point in any system's network and would be subject to such attacks.
They should have a highly trained staff whose whole mission in life is to look for highly-sophisticated, complex and targeted cyberattacks.
And yet, I would guess that they were worried much more about new and exciting features, and that Mr. Thornton-Trump's recommendations were over-ruled because of a negative impact to "user experience" or some such bullshit.
Solar Winds will go down in history as yet another company that proves capitalism doesn't work nearly as well as you think it does. They will remain in business and sign up new customers even after this fiasco.
Re: (Score:1)
The fault lies entirely with the victims and their failure to properly assess the Risk and Consequences of installing an "update"; and the victims failure to adequately assess trustworthiness.
Re: (Score:2)
Re:"highly sophisticated" hackers attack a server (Score:2)
so (Score:1)
Re: (Score:2)
Recognizing the people with the skill to do so, and also the general lack of such people.
Re: (Score:1)
Spotted the just out of "programming boot camp" dude who has never worked for a fortune 500 corporation before.
No, dude, you do not use home grown systems unless your situation is so unique that nothing else is available. Home grown systems are terrible solutions for the most part. Especially when you take into account how the "creators" end up telling the business what and how the tasks should be done. Then they move on - because - all just out of boot camp programmers only want to work on "new" stuff.
Docu
Re: (Score:2)
Even better, why not just contribute employees, money, and time to F/OSS alternatives? The one maintainer of OpenSSL was doing it all by his lonesome until a hole was found, and people realized that they need to help out, and helping him out with that is cheaper than trying to make SSL/TLS libraries in house.
For example, an open NMS that isn't a "free" version of a commercial product, something that has its source code vetted, audited, and inspected, would go a long way into ensuring something like this do
Anyone getting tired of hearing this yet? (Score:1)
Should have hired me instead, assholes.
Re: (Score:1)
Solar Winds should have hired you or is this an attempt to beg Microsoft for a job.
Maybe you want to work for the Government or are you a spy?
Re: (Score:1)
You sound young. Even if they hired you there is the pointy haired boss. They're everywhere. Here's a short list of excuses:
1) Too hard to do that.
2) Too expensive to do that.
3) When 1 & 2 fail - "It'll break something." - just put this one on the epitaph of Microsoft admins.
4) You have this new paperwork to do.
I've already heard them on this one - There's no evidence they were able to take advantage of our solarwinds server. We're going to leave it as it is.
Re: (Score:1)
My solution was a bunch of shell scripts, so the argument was "there's no product here." As in, nobody to blame if something goes wrong. Well, now something has gone wrong and there's even people to blame. How far did that get us? I guarantee my shell scripts would have been at least a few hundred million dollars cheaper.
...and what about Linux Repos (Score:2)
Take for example pfsense... how much work would it take to do an elegant takeover of their systems?
I get the whole idea of defense-in-depth, and reducing your attack surface... but how do you balance the risks with patching?
Re: (Score:1)
For RedHat managed distros it would be a very tough nut to crack. They're very paranoid about it. There have been attempts that I happen to know about. Attempts by some very talented and crafty attackers.
Debian and the others - who knows. I hope they're very secure. I'm not familiar with their operations.
Keep in mind this wasn't MS. This was a Third Party Software package. The hack was sent out in an authorized update. Looked legit unless they (Solar winds, not the end customer) followed change control like
Re: (Score:1)
"but how do you balance the risks with patching?"
Very simple. The rules are thus:
(1) If it works, don't fix it.
(2) Do a Risk Assessment to determine if the patch actually fixes anything that needs fixing. If not, see step 1.
(3) Assess if the Consequence of applying the update is greater than the Consequence of NOT applying the update and if the possible Risk and Consequence of applying the update is GREATER than the Risk and Consequence associated with NOT applying the update, do not update.
Be sure to i
Breaches all the way down (Score:1)
Re: (Score:1)
No, they're angry that Solar Winds didn't follow the Devops procedure like they're required to. This is not a Microsoft hack.
I'm retired, but... (Score:2)
"Many said they did not even know they were using SolarWinds software until recently."
I see IT Management hasn't changed a bit.
Isn't this that scenario against open source where you can't answer "Who're you gonna sue?"
Eastern Europe software (Score:1)
Re: (Score:2)
There's a level of corruption in former eastern bloc states, *particularly* in former Soviet republics like Ukraine or Moldova, that you do not see in western Europe. Some former communist states like Poland and Czechia are basically as reliable as a western state, while others like Romania have a lot more corruption.
The scary country on this list though is Belarus, a Russia-friendly dictatorship where you can NOT get any business done without cozying up to the government. It has all the corruption issues p
Cybersecurity cost (Score:2)
According to the article: "Employees say that under Mr. Thompson, an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense. His approach helped almost triple SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010."
If you operate in a market where buyers cannot objectively assess cybersecurity of the offered products and security pract
Attack? (Score:1)
There was no attack. The victims merely hoisted themselves by their own petards by their failure to perform proper Risk Assessments and through their use of stupid asinine ill-conceived policies.