Solar Winds Hack....

It’s a hard conversation to have about security today. Leadership wants reassurance that they are protected... all you can honestly talk about is risk mitigation strategies. That you can’t really stop a dedicated and skilled attacker; you can make your organization a harder target and a less likely target of opportunity, reduce the scope of a breach, reduce the time to detection, increase your forensic abilities, and reduce your time to restore and recover... but you can’t always stop it, and that’s what leadership wants to hear. But you still need ever-increasing resources to even provide that much...
 
Justice Roberts is that you? Thank you 😆


Somewhere in Beijing, in some darkened computer room, a poor little rice-burner is being slapped silly by someone in a People's Colonel uniform. And as the Colonel for Life slaps the dink, he's screaming - "I told you! Never! Never! Never hack G.Port's url! Now look at what you've done!" And looking down at Beijing from far above will be like looking at those pics of North Korea at night.
 
Sooo for us laymen can someone break this down. As far as impact on the average American? If Russia has dirt on the U.S. government from this hack I’m honestly not that upset about it. Hell, if they launched our own nukes on D.C. I don’t think I would be upset. So, what difference does this make to the average American?

Breach of data. Social Security numbers? Tax info? Court, health, or other confidential files? Heck, credit card numbers.

I honestly do not believe that we will know the ramifications of this hack for years (and our government will probably never tell us). Supposedly they had access to sensitive networks for up to 9 months. I don't think it was about getting any dirt (that would only be icing on the cake); it was about stealing technology/designs, determining capabilities and the state of current and future weapon and defense systems, finding weaknesses, etc. I would think they would also be looking at how they could "shut down" or render systems inoperative if they deemed it necessary (e.g., a first strike attack if they felt "cornered").
 
Linux is great as a back end OS run by people who know what they're doing. When it's not managed, it's chaos.

I have a friend who is an AWS/system engineering type, etc. He works in linux back-ends and VMs all day. He makes retarded cake doing it, so he knows what he's doing. You know what his machine is? He runs a mac laptop... to get to the linux boxes. And has a windows one as a backup. He would tell us to get f***ed if someone told him running linux on a laptop was a good idea. It isn't. [laugh]

I own all cloud infra for a very large company. I try to still spend some time doing Linux and vom stuff between asking for & managing money and beating off all the people who want me to fund their pet project. I use a Mac lappie to get to the real (Linux) servers.

If it’s got a GUI it ain’t a server. So I spend exactly zero seconds a year bullshitting around with sound drivers or other user crap on Linux. Your pal is dead nuts on.

R

At one point in the past, when installing Linux on a laptop got to be too easy, I switched to FreeBSD. On a mid 90s Sony Vaio. So it’s not like I *can't* do it.
 
> what difference does this make to the average American?

Probably nothing. A nation is not interested in Joe Nobody.

The Equifax hack caused more damage to individuals than this hack.

You could argue that maybe they stole some secrets that could be used to kill soldiers. But we don't know what they have.
 
> Probably nothing. A nation is not interested in Joe Nobody.
>
> The Equifax hack caused more damage to individuals than this hack.
>
> You could argue that maybe they stole some secrets that could be used to kill soldiers. But we don't know what they have.


You think the credit bureaus weren't compromised by this.... Come on man.... SolarWinds is VERY popular in the space that it operates. I would be shocked if at least one of the major credit bureaus wasn't running it...

Credit bureaus, telco companies like Verizon, AT&T.... all compromised at this point...
 
> You think the credit bureaus weren't compromised by this.... Come on man.... SolarWinds is VERY popular in the space that it operates. I would be shocked if at least one of the major credit bureaus wasn't running it...
>
> Credit bureaus, telco companies like Verizon, AT&T.... all compromised at this point...

Maybe they were. But most likely not unless there is some information of national interest.

A nation doesn't want to steal your personal information. Maybe they want it for high ranking officials and politicians.

Unless they want to f*ck around and put all that information online for anyone to use. But I doubt it.
 
> Probably nothing. A nation is not interested in Joe Nobody.
>
> The Equifax hack caused more damage to individuals than this hack.
>
> You could argue that maybe they stole some secrets that could be used to kill soldiers. But we don't know what they have.

On the contrary, because Russia often uses criminal organizations for hacks to obtain deniability, personal/profitable information is at risk too.
 
Be a shame if it were to broom all the evidence of Deep State collusion against Trump.
But that would just be coincidence.

OTOH, they won't be able to resist stealing stuff,
and evidence is going to surface in dumpsters and flea markets
when they least expect it...
Yup, likely all the Hunter and "The Big Guy" Biden stuff will be gone as well.
 
> A nation doesn't want to steal your personal information.

Personal information on the proles is absolutely essential for espionage, leverage, and blackmail when operating at the nation state level. Look at the folk that were caught enabling/sending IP or sensitive / state secrets in the past. Consider how espionage plans are set into motion and who gate keeps the doors.
 
I’d just fund the projects but I guess that’s one way to “handle” it.

Sure.

IT is a service organization. We get our budget via allocations from the business units. Those are my customers and they get my attention and resources. The groups that come to me mid-year with grandiose schemes and no budget of their own? If I funded everyone who knocked on my door, I’d be out of budget and answering hard questions from the CIO.

If we all followed your model, then I guess AWS, Azure and GCP all wouldn’t mind if I didn’t pay their invoices.

But, you run your organization your way and I’ll do me.
 
It might be the NY Times, but it pretty much sums up what I've been saying about this...

"The remediation effort alone will be staggering. It will require the segregated replacement of entire enclaves of computers, network hardware and servers across vast federal and corporate networks."

"A “do over” is mandatory and entire new networks need to be built — and isolated from compromised networks."

Wait, wait;
I can do even better than highlight it as an opportunity to conceal evidence of sedition:

Watch the Deep State use this as an excuse to pay back Google, Twitter, et. al.
by outsourcing all Federal computing to privately-owned cloud $ervice$.

Rand Paul will be lucky if his paycheck autodeposit doesn't get "lost"
once they do that.
 
> Maybe they were. But most likely not unless there is some information of national interest.
>
> A nation doesn't want to steal your personal information. Maybe they want it for high ranking officials and politicians.
>
> Unless they want to f*ck around and put all that information online for anyone to use. But I doubt it.


Sure they do. Very much so in fact. Using your information to commit fraud is how nations like N Korea skirt sanctions and raise money. Users are predictable. Knowing a lot about you makes it easier to guess passwords, answer security challenge questions, etc when trying to gain entry/access... They very much want all of our information...
 
I got called back from vacation because of the SolarWinds hack. We run it where I work and we were on the affected version. We are going through remediation and forensics right now trying to estimate the scope.

I didn't think that 2020 could suck any more than it did.

Damn...that sucks. I've read some companies are actually considering teardown rip/replace....if that's true...WOW !!!!!!
 
> Sure.
>
> IT is a service organization. We get our budget via allocations from the business units. Those are my customers and they get my attention and resources. The groups that come to me mid year with grandiose schemes and no budget of their own? If I funded everyone who knocked on my door, I’d be out of budget and answering hard questions from the cio.
>
> If we all followed your model, then I guess AWS, Azure and GCP all wouldn’t mind if I didn’t pay their invoices.
>
> But, you run your organization your way and I’ll do me.


I think you missed the joke.
 
Linux is great...... for servers. For desktop OS - it's just not there. Even Google can't break into that market and make significant gains with their Chromebooks. Maybe one day - but we're not there yet. Mobile - that's a different story... The most prevalent mobile OS is Linux - a.k.a Android.

How many times has:

sudo apt update && sudo apt upgrade

....f*cked shit up on me.... Let me count the ways... I do run Kali on a laptop though... But it's used for one purpose, and my daily computing isn't it.

Yeah, Linux on servers is great until those servers are hosting the logic tier for a customer-facing application and a critical or high vulnerability is discovered in your latest vulnerability scan. The vulnerability requires a kernel upgrade to remediate it. The application has kernel dependencies and the kernel upgrade will require coding time and extensive testing before it goes into production. So now, it's time to sit down with the Product Manager for the application to determine how much engineering time will be required to remediate this vulnerability. The Product Manager now realizes that the release of a new feature that has been promised to a customer will have to be delayed as engineering hours in the next sprint will have to be diverted from the feature development to recoding in support of the kernel upgrade.

Yet people wonder why companies get hacked via unpatched systems.
 
> Yeah, Linux on servers is great until those servers are hosting the logic tier for a customer-facing application and a critical or high vulnerability is discovered in your latest vulnerability scan. The vulnerability requires a kernel upgrade to remediate it. The application has kernel dependencies and the kernel upgrade will require coding time and extensive testing before it goes into production. So now, it's time to sit down with the Product Manager for the application to determine how much engineering time will be required to remediate this vulnerability. The Product Manager now realizes that the release of a new feature that has been promised to a customer will have to be delayed as engineering hours in the next sprint will have to be diverted from the feature development to recoding in support of the kernel upgrade.
>
> Yet people wonder why companies get hacked via unpatched systems.


I get it, man. Believe me. But that's a very specific edge case. Most organizations, in that edge case, would say, exploiting a kernel-level vulnerability in Linux requires the attacker to have shell access to the server, or in some limited cases, shell/admin access to another machine on the network. So they accept the risk and focus on the edge and keeping an attacker from getting that access. To your point, they're not always successful. I think it's a poor strategy myself, but sometimes I don't win that argument. I think it's better to operate under the assumption of compromise and make sure your internally facing systems are just as hardened as your edge.
 
> I got called back from vacation because of the SolarWinds hack. We run it where I work and we were on the affected version. We are going through remediation and forensics right now trying to estimate the scope.
>
> I didn't think that 2020 could suck any more than it did.

I wish you the best of luck my friend.... May be worth bringing a threat/incident response service at this point..
 
> I wish you the best of luck my friend.... May be worth bringing a threat/incident response service at this point..

Thanks. We are doing that. We actually have a company on retainer for this sort of thing. They just discovered that besides the original SUNBURST hack we also have one called SUPERNOVA. They are fairly confident that SUPERNOVA piggybacked on top of the SUNBURST hack.

SolarWinds is saying that SUPERNOVA is not related but the fact is that without SUNBURST the SUPERNOVA hack wouldn't be there.

There is a lot of contradicting information out there. My head is still spinning.
 
> Thanks. We are doing that. We actually have a company on retainer for this sort of thing. They just discovered that besides the original SUNBURST hack we also have one called SUPERNOVA. They are fairly confident that SUPERNOVA piggybacked on top of the SUNBURST hack.
>
> SolarWinds is saying that SUPERNOVA is not related but the fact is that without SUNBURST the SUPERNOVA hack wouldn't be there.
>
> There is a lot of contradicting information out there. My head is still spinning.

What happened here, hopefully, should be a lesson for CEOs and CTOs that were so glad to outsource all support to those dirt cheap external vendors and terminate all those severely overpaid, in their eyes, CCNPs and network architects who were supporting their networks and infrastructure before.

Now it is payback time, and I am not even a little bit surprised by what happened - it was supposed to happen when you outsource management of your holy grail to some cheap outsourcers in Bangalore or Hyderabad. Everybody wants it simple and wants it cheap. No longer do you build different loops, isolated media; it all sits on the same switch and all is supposed to be tight and secure 'because the vendor said so'. Yep, right. And, as a cherry on top, throw out all the Ciscos (as they are so damn expensive to maintain!) and put in Huaweis.
 
I'm sure joe b and friends will increase the visas needed to in/out source the employees or at least retrain a coal miner to write code!
 
Thank god we didn't run that software. We did have Solar Winds TFTP server on a box though, and their SCP server on another box... Not any more. Thankfully not impacted software. We've been keeping an eye out for the IoCs though and nothing popping up on radar.

I don't see how Solar Winds survives as a company after this...
 