Biggest Cyber attack ever

Samson

Someone got a hacked Dynamic-link library (DLL) file onto the update system of a major Windows network monitoring software (SolarWinds) in between March and June this year. There is a story that the password for the update server was password123, and this allowed the hackers access. This DLL allowed attackers to digitally sign further bits of software and so get them accepted by other bits of the Windows ecosystem within the organisation. The impact is currently undetermined but will be huge. It is estimated that 18,000 companies have installed the backdoor, including many US federal departments, including the nuclear weapons agency.

The blame seems to be mostly pointed at Russia; the main evidence seems to be that the hackers are good.

I think this is clearly mostly the fault of people using servers based on closed source tools principally designed upon a single user system, and then having to build loads more layers of closed source tools on top to fix the holes. If anyone you vote for is still using Windows for internet facing systems this time next year, you will know they care not a whit for your data security.

This has been going on a week, and Trump has not made a statement.
 
This has been going on a week, and Trump has not made a statement.

Has, finally, in order to contradict Pompeo who among other things said it was likely the Russians, tweeting thusly:
"The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control," Trump wrote. "Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."

And I don't agree about the blame. A more direct element is that during the installation/config of Solarwinds, administrators created or used accounts in monitored boxes with unnecessary permissions.
 
And I don't agree about the blame. A more direct element is that during the installation/config of Solarwinds, administrators created or used accounts in monitored boxes with unnecessary permissions.
I really disagree. It is unarguable that this is a threat model that open source is particularly well suited to guard against, but I do not see that there is a closed source solution to the problem that humans are fallible. Possibly with some sort of legal liability you could get companies to take these things seriously enough, but would any insurance companies cover Solarwinds against a government lawsuit?
 
And as part of Trump's response he has stopped the PDBs to Biden.
 
And as part of Trump's response he has stopped the PDBs to Biden.
Man, you have to know what is in them then.

Just to make my point above again, if your system requires trusting people you have no control over to not do something stupid, then your system is not secure.
 
I've been following this, and this is probably the biggest external threat to western society in years.
If they really got in everywhere that is claimed, then someone now has way too much information. I hope so much that it is way too much that they can't possibly use it, but given that it's most likely a nation state actor, they now have their own ministry (a department will not cut it) dedicated to this.
 
Trump is trying to not be shown as an incompetent loser and he has a hard on for Putin. Plus, I'm sure there is money involved, somewhere.
 
Trump is trying to not be shown as an incompetent loser and he has a hard on for Putin. Plus, I'm sure there is money involved, somewhere.

50/50 whether it's Russian or Chinese money. China is here just as likely a culprit and a more dangerous possibility.
 
If anyone you vote for is still using Windows for internet facing systems this time next year, you will know they care not a whit for your data security.

Windows isn't the problem here. The problem is that third-party AV and monitoring solutions are, by and large, deleterious to security. Being open source doesn't make your build system more secure.

Was going to link this anyway, irrespective of above comment on Windows, it's Brad Smith's take, which is good, as usual: A moment of reckoning: the need for a strong and global cybersecurity response

Note just how targeted this attack was. They had privileged access to 18,000 enterprise networks, and acted on only 40 of them.

50/50 whether it's Russian or Chinese money. China is here just as likely a culprit and a more dangerous possibility.

This seems to be the Trumpian talking point.
 
Somebody has to explain something on the horizon. Like either a Chinese hypersonic stealth bomber or an Iranian nuke already installed on an ICBM, which could not have happened without this hacking. Bill Gates is the responsible party. For assuming his backdoors would be forever closed to people he didn't like.
 
I really disagree. It is unarguable that this is a threat model that open source is particularly well suited to guard against, but I do not see that there is a closed source solution to the problem that humans are fallible. Possibly with some sort of legal liability you could get companies to take these things seriously enough, but would any insurance companies cover Solarwinds against a government lawsuit?

Well, we'll agree to disagree then. I'm no fan of Solarwinds for a few different reasons (their business is like modern printers and printer cartridges - the initial software is substantially less expensive than their maintenance contracts; their salesfolk are extremely persistent and very predictably go on big squeezes at the end of each quarter; and their products don't handle distributed sites well as they don't have site node capabilities), and my own organization is actually moving away from it for those reasons and more, but network security is as much about layered defenses, compartmentalization, and least-privilege as it is having trustworthy services. And I'd be very surprised if Solarwinds doesn't have cybersecurity insurance already, it gets asked about in almost every RFP I see.
 
I don't know enough about this type of hacking to know how easily they could figure out that it was Russian. Simple logic that a larger economy with a better tech base would be more capable of doing this, so that creates a probability bias.

It's interesting, also, that I don't have any idea on what an appropriate response is. Like, personally or even geo-politically.
 
50/50 whether it's Russian or Chinese money. China is here just as likely a culprit and a more dangerous possibility.

I'd think that too, right up until it is announced by those that really should know (and I'd put federal officials like Pompeo in that category) that it is the Russians that did it. We'll know if Pompeo is making stuff up in late January, I suppose, but if the presidential daily briefings have just been suspended I'm fairly sure how it'll turn out.
 
Can someone explain what happened here, and its implications, like I'm 12?
Everything in this thread is going right over my head.
 
My data has been collected (and used) since Google; fortunately I have no Facebook, no Tinder and no such crap! I am "au naturel" .... :lol:

---- smelling too .... :lol: Eat my shorts!
Sorry guys, but this just smells like "teen spirit" (deodorant):

 
MSFT Windows Security Updates, which in the past have been issued about twice a week, have lately (past ten days) been coming out about six times a day. Something is going on that they are not quite on top of.
 
Not "is going", it has already happened, past tense or something like that :lol:
 
The blame seems to be mostly pointed at Russia; the main evidence seems to be that the hackers are good.

:rotfl: The Russians are the universal excuse in Oceania. And if it wasn't them it would be Dr Evil or some other designated villain.

I think this is clearly mostly the fault of people using servers based on closed source tools principally designed upon a single user system, and then having to build loads more layers of closed source tools on top to fix the holes. If anyone you vote for is still using Windows for internet facing systems this time next year, you will know they care not a whit for your data security.

As you say, the fault is clearly with the incompetents who pretend to do security while being incapable of basic security checks. Digitally signing software and checking hashes, anyone? But they probably don't care because they're just going through the required motions anyway. Because...

I've been following this, and this is probably the biggest external threat to western society in years.
If they really got in everywhere that is claimed, then someone now has way too much information. I hope so much that it is way too much that they can't possibly use it, but given that it's most likely a nation state actor, they now have their own ministry (a department will not cut it) dedicated to this.

The existential threat has been in place for nearly 20 years now. It's the fact that so much information is collected and linked. It's the interconnections and complexity that add nothing but extra layers of bureaucracy and some supposed "efficiency" that we do not need anyway. That is the threat. That is what enables attackers, of which there are many, to abuse information. The infrastructure that was put in place inevitably enables such abuse. Security and Internet do overlap. Nothing that is connected to the internet can really be secure. There are software bugs everywhere, and there is plenty of sloppy work always.

And it's not really existential. The most critical stuff is still isolated. No one is going to launch the nukes this way. Electric grids are unlikely to be easily crashed. Though that, as well as plants in several industries, etc, is getting sloppy. Smart meters for what really? Convenience, robustness, profit: choose one.
 
Can someone explain what happened here, and its implications, like I'm 12?
Everything in this thread is going right over my head.

Nothing much. A supposed security software for network monitoring that gets installed with elevated privileges, and of which government services in many countries were particularly fond, as well as large corporations, was compromised by some group of attackers. The company that produced it was distributing the compromised version and took months to even notice. The supposed "security experts" who were deploying and using this network monitoring software failed to notice the suspicious data in their network borders and in the systems where the software was installed that would flag the fact that it was establishing connections to some foreign command & control server. Probably because software is currently so rotten through with calling home, calling advertisement servers, calling all kinds of extra resources from the internet. The whole "ecosystem" is rotten.

No one who really was serious about security got compromised in this one. The people who did security as a performance act are very shocked, so very shocked and offended that they were exposed as incapable.
 
You think they're gonna advertise like that: "we big gangsta. now we gonna..... (explain our evil master-plan)" :lol:

Stop/start playin' RPG, man, maybe you'll understand more how this world is built?
 