It appears that while you’ve been distracted by the holidays, coronavirus, and politics, the more we learn and understand about the SolarWinds security fiasco, the worse it looks. As Microsoft has precisely put it, ‘hackers got further into systems than we previously thought.’ At the beginning of 2020, Americans and the whole world at large began to realize that the coronavirus was deadly and was going to be a real problem, so many countries started imposing lockdowns to minimize its spread. What Americans did not know then was that at about the same time, the Russian government’s hack of SolarWinds’ proprietary Orion network monitoring program was destroying the security of top American government agencies and tech companies. There were no explosions, no deaths, but it was the Pearl Harbor of American IT.
The ongoing investigations by U.S. intelligence agencies point to the fact that Russia, as we now know, used SolarWinds’ hacked program to infiltrate at least 18,000 government and private networks. The data within these networks (user IDs, passwords, financial records, source code, you name it) can be presumed now to be in the hands of Russian intelligence agents. The Russians may even have the crown jewels of Microsoft’s software stack: Windows and Office. In a twist that would be hilarious if it weren’t so serious, Microsoft claims it’s no big deal.
That’s because Microsoft has “an inner-source approach – the use of open-source software development best practices and an open-source-like culture – to make source code viewable within Microsoft.” It’s nice that Microsoft is admitting that the open-source approach is the right one for security — something open-source advocates have been saying for decades. But, inner source isn’t the same thing as open source.
According to ZDNet analyst and contributor Steven J. Vaughan-Nichols, when hackers, not Microsoft developers, have access to proprietary code, the door’s open for attacks. True, Microsoft’s “threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.” But making that assumption is one thing. Dealing with reality is something else.
For decades, one of proprietary software’s stupid assumptions has been that “security by obscurity” works. While it can help (no, really, it can if used intelligently), that’s not the case with proprietary code. Even with the best will in the world, I doubt that Microsoft has really undertaken the hard security code review needed to lock down its proprietary code. The almost weekly revelations of new Microsoft security holes and mishaps don’t make me feel warm and fuzzy about the security of its software.
While President Donald Trump has completely ignored the actions of Russian President Vladimir Putin’s government, America’s Cybersecurity and Infrastructure Security Agency (CISA) said the hacks posed a “grave risk” to US governments at all levels. Worse was revealed. Over the Christmas holidays, CISA said that all US government agencies must update to Orion’s 2020.2.1HF2 version by the end of the year. If they can’t, they must take these systems offline.
Why? Because yet another SolarWinds Orion vulnerability was being used to install the Supernova and CosmicGale malware. This security hole, CVE-2020-10148, is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. Some have an even better idea than updating Orion: dump Orion. Dump it now. And start an investigation of SolarWinds’ mediocre security record.
As time goes by, more and more government agencies and companies have been shown to have been hacked. These include the Department of State; the Department of Homeland Security; the National Institutes of Health; the Pentagon; the Department of the Treasury; the Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration. Everyone claims that nothing too important has been revealed, but then, they would say that, wouldn’t they?
Sen. Mark Warner (D-Virginia), ranking member on the Senate Intelligence Committee, told the New York Times the hack looked “much, much worse” than first feared. “The size of it keeps expanding.” How much bigger will it get? We don’t know. Personally, I’d assume that if my company had been using SolarWinds Orion software during 2020, I’ve been hacked.
According to ZDNet analyst and contributor Steven J. Vaughan-Nichols, “it didn’t come with bombs like the attack on Pearl Harbor, but this attack on American national agencies and Fortune 500 companies may prove to be even more damaging to American national security and their business prosperity. Now, we’ll see if American developers, system administrators, and managers can rise to the occasion to rebuild their systems the way their grandparents did the country in the 1940s.”