SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever, Microsoft President Says (reuters.com) 66
A hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies is "the largest and most sophisticated attack the world has ever seen," Microsoft Corp President Brad Smith said. From a report: The operation, which was identified in December and that the U.S. government has said was likely orchestrated by Russia, breached software made by SolarWinds Corp, giving hackers access to thousands of companies and government offices that used its products. The hackers got access to emails at the U.S. Treasury, Justice and Commerce departments and other agencies. Cybersecurity experts have said it could take months to identify the compromised systems and expel the hackers. "I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen," Smith said during an interview that aired on Sunday on the CBS program "60 Minutes." The breach could have compromised up to 18,000 SolarWinds customers that used the company's Orion network monitoring software, and likely relied on hundreds of engineers.
The Largest and Most Sophisticated... (Score:3, Insightful)
Re: The Largest and Most Sophisticated... (Score:4, Insightful)
Stop parroting that stupid meme, please. It has no basis in reality.
It's something comforting, that people say, to lull themselves when reality overwhelms them.
Any asshole since the dawn of time quickly learned that their assholery was more successful, if they could make it look like "Whoopsie, stoopid me! I'm sorry, (let's do it again right away)! Whoops again, how clumsy of me!". And then they learned that if you overwhelm people, which is easy if they lived in their safe space their entire lives, *they will do it for you*. Assume you're just stupid, I mean.
In reality, the distinction is irrelevant. It is always stupid to be harmful. And it is always harmful to be stupid. The more so, the more it converges to the same thing.
But if you want to be precise, you can tell evilness from stupidity:
Because stupidity is incompetent. That means it diverges and is closer to randomness. While something competent by definition converges towards a goal. So if you are smart, but consistently fail, all by yourself, you aren't smart, now are you? And even an idiot who consistently achieves goals that are harmful to you, is competent, and therefore not stupid, but evil.
The exception is when somebody else is in control. You can be as smart as you want, if a moron with a club that's big enough forces you to do his bidding, you will still act stupid. And you can be as stupid as you want, if you are some smart person's puppet, you can still act evil.
Re: (Score:2)
Negligence is basically apathy. It's an "I don't care". Doesn't excuse it, but that's its foundation. Want to change it? Show that it's in their own (selfish) interest to care. Lose money, life, CO, whatever is important to them. People behave this way because they don't see the connections between what's important to them and what's important to us.
Re: The Largest and Most Sophisticated... (Score:5, Insightful)
Some people don't work at McDonald's. Their employer pays them for what they know and the benefits they bring to the company, not for the hours they clock. GP is probably one of those people.
That's why people kept telling you to stop skipping school.
You can actually go back to school whenever you get tired of your boss being up your butt.
Re: (Score:3)
I would reply to that, but I've already said enough mean things about Barefoot. :)
Re: The Largest and Most Sophisticated... (Score:5, Interesting)
Re: The Largest and Most Sophisticated... (Score:2)
Parents who leave their infants in a hot car for a day deserve the manslaughter charges, and the world will never know if they did it consciously or not.
Ask me how I know you don't have kids. Now go take your antipsychotics please. Nobody bakes their kid on purpose.
Re: (Score:2)
Ask me how I know you don't have kids. Now go take your antipsychotics please. Nobody bakes their kid on purpose.
People can be awful [wikipedia.org], and we can't read minds, but I am sorry that what I mentioned was so horrid and revolting. It's what popped into my head as a deeply unforgivable offense that nobody would believe was possible. A parent should never have to bury a child, but any parent that does so intentionally... Let's just say that there's a certain scene from the book 11/22/63 that has haunted me for years. Thank you for pointing this out.
Re: (Score:2)
Re: (Score:1)
Stop parroting that stupid meme, please. It has no basis in reality.
It's something comforting, that people say, to lull themselves when reality overwhelms them.
Oh my sweet summer child.
What it must be like to be that young and gullib^H^H^H naive...
Re: (Score:1)
The last gasp of a massive PR=B$ con M$ trying to escape liability for shit security. What has been going on in the background hidden, tens of millions spent with lobbyists to prevent billions in losses and penalties.
This is what the greedy incompetent liars cheats and thieves were paid to prevent. This is their job. They fucked it up due to lax security, Proof, they were hacked and are now seeking to scam their way out of it all.
M$ shit a security, good at marketing their lies. Why was the hack successfu
Re: (Score:2)
Incompetence and or negligence are not a "get out of jail free card". The legal concept of has existed for a long time: https://en.wikipedia.org/wiki/... [wikipedia.org]
In German, which you ought to know, we have this nice little saying "Unwissenheit schützt vor Strafe nicht". It figuratively translates to ignorance does not protect from justice.
And of course it's not only a concept in German because "Ignorantia juris non excusat" dates back to ancient Rome. Today the concept can be fo
Re: (Score:3)
The problem with Security is that it gets in the way of getting things done.
Even companies that take security seriously still need to balance the need to get things done effectively and efficiently.
Most people are not IT Security Experts, most people in IT are not Security Experts. They have a wide set of skill sets that can span many topics. So for many the security in their consumer level Wi-Fi Router is good enough. As that will block 99.9% of all the attacks. While for a business or an organiz
True, for 1/3rd of security (Score:3)
You make a good point.
ALSO security is the triad CIA:
Confidentiality
Integrity
Availability
That means the system:
Confidentiality - Gives info only to the right people
Integrity - Gives correct results
Availability - Can be used by the people who need it
Confidentiality and availability are sometimes at odds. All three are security. 2/3rds of security is making sure you can use the system and it works properly for you - even when somebody is trying to break it. Which implies we need to make sure you can use it
Re: (Score:2)
Re: (Score:2)
Security doesn't seem to have stopped MS from getting stuff done.
Re: (Score:2)
I am unsure if you are trying to prove or disprove my point.
In terms of Security, I normally do not relate Microsoft Products as being very secure....
However they have put more effort into security than most companies, being how incredibly visible their products are.
Re: (Score:2)
I mean Microsoft being negligent? Sure.
But what's the malice here? Did someone suggest Microsoft did it out of malice? If no, Hanlon's Razor does not apply.
And you can neither apply it to the perpetrators to erase the malicious quality of their action. That would be like saying that it was your negligence not locking the doors of your house that caused it to burn down. It wasn't the malice of the arsonist who set it on fire.
Re: (Score:2)
Microsoft is malicious simply by continuing to inflict their crap on the human race.
Re: (Score:2)
Indeed. And the real question is what have they not seen of what is going on.
Re: (Score:1)
Exactly.
This is Microsoft we're talking about.
They may know "Large".
But they wouldn't recognize sophistication if you beat them to death with it.
Ever? (Score:1)
"SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever Admitted To"
There, fixed that headline for you.
Re: (Score:2)
"SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever Admitted To"
There, fixed that headline for you.
Yup, I was going to point that out but you beat me to it. Many years ago I watched a TV interview with Markus Wolf who was the director of the Main Directorate for Reconnaissance (i.e. intelligence). The interviewer eventually asked him who he thought were the three most important spies he ever recruited in the west (including the USA). Wolf just smiled and said, "... you've never heard of them".
What about... (Score:5, Informative)
The attack that got in and allowed the hacker to sign certificates as Adobe? That seemed to expose a big user base.
For sophistication Stuxnet seems a bit higher up the scale than guessing/stealing a password that should have not been allowed for an account used to track a junior high student's account at the school's cafeteria.
Re: What about... (Score:2)
But then how could we keep the fearmongering up that forces you on our side, and to assume that there are "sides" in the first place? (Yeah, most Russians and Americans are just ... people.)
You know, if in 50 years it came out, that the US and Russian governments (or war industries) had a deal to be each other's convenient villain in the closet, to achieve the above, I would not be surprised one single bit.
Re:What about... (Score:5, Insightful)
The issue with Solarwinds is that it became a key, trusted bit of software and yet nobody bothered to properly secure it. The NSA should have been all over it, actively looking for these kinds of vulnerabilities and monitoring it for attacks.
Re: (Score:3)
Solarwinds is dead tech, it has clearly been on a declining path for some time now.
The business model for most software is that you do not really work that hard on security on the way up because it will increase cost and slow you down. Once you near the top you sell it off to some investment firm and let them try to milk the remaining money out of it, and you DEFINITELY do not want to spend money on security now, because it messes up your spreadsheet and ruins your chance at a profit.
The NSA is more concern
Re: (Score:2)
Russia or China may not be the biggest security and privacy problem I have living in North America. China isn't the one suggesting we should have trivial backdoors for law enforcement.
Re: (Score:2)
This is only the biggest hack that was made public.
Hard for the micro$oft system 'admin' group to do security when their priority is what's for lunch and who gets the window seat. Oh, and checking linkedin to see if there is a higher paying job for someone with their stellar record.
Re: (Score:2)
The issue with Solarwinds is that it became a key, trusted bit of software and yet nobody bothered to properly secure it. The NSA should have been all over it, actively looking for these kinds of vulnerabilities and monitoring it for attacks.
What's proper security for SolarWinds? The update server was compromised. The organizations that got infected were the ones keeping up with security updates.
If a nagios update server was compromised, that would be the same sort of problem. It's a tool all your admins use frequently, so the juiciest credentials on the network are toast. And the nature of the work it does gives it a map of the network and access to many things.
Hell, it may as well have been an Ubuntu update server. How far do you go to p
Re: (Score:1)
The NSA should offer to audit update servers and actively look for zero day issues in critical software.
Largest, maybe. Most sophisticated, no. (Score:5, Insightful)
I think Israel's operations against e.g. Iran make SolarWinds' hackers look like script kiddies.
Also, I wonder which ones the world has never seen. Apart from government agencies that spy on their own people (${China's}, NSA, FSB, etc) which the article apparently does not count, but which should. (Old rule of "too big to horrify" again?)
Re: (Score:2)
Stuxnet, at least in terms of potential, was pretty amazing. They likely had to gain physical access to a computer via good old spy type stuff, and the payload was software that could autonomously do actual physical damage to industrial equipment. The Natanz fire is probably going to be caused by something similar.
That stuff has so far been aimed at a specific industry in a specific country, but there is equipment running critical infrastructure all over the world that is vuln
Re: (Score:2)
Ever seen (Score:5, Insightful)
Autosuggestion is no cybersecurity measure (Score:2)
“I have been fully briefed and everything is well under control...” (Donald Trump 2020-12-19) https://www.theverge.com/2020/... [theverge.com]
Re: (Score:2)
Well under control till out of office, then the wheels fall off the wagon.
Re: (Score:2, Funny)
Well, to be fair, the former alleged president didn't specify under whose control everything is well. That's just his stock phrase to cover for anything that went wrong under his administration regardless of whether they were to blame or not. However, seeing as he took credit for anything good that happened while in office, it seems fair to assign him blame for anything bad that happened while in office.
Re: (Score:2)
He's gone, no point quoting him.
Sophisticated? (Score:2)
So let me get this straight. Solarwinds is security software installed on hundreds of thousands of computers, and as security software it essentially has unfettered access to each machine. Solarwinds has an automatic update system that pushes software updates to all those machines. Someone found a way to have that update system push their arbitrary code to those computers. So in other words Solarwinds became the global InstallShield tool for hackers. Does it get any more convenient than that? Not only d
Re: Sophisticated? (Score:2)
Re: (Score:3)
Read only (ro) credentials can do just about anything view wise on a switch and have been time tested for 30+ years or the vulnerabilities found and corrected. That was Solarwinds bread and butter for 20 years, if they would have avoided extending to WMI they would have been not wor
Re: (Score:2)
From Wiki: "In November 2019, a security researcher notified SolarWinds that their FTP server had a weak password of 'solarwinds123'"
So indeed, the initial break is most likely through that, or some other weakness that is rather unsophisticated. OTOH, there was most likely a sophisticated state level actor seeking out such things and planning the best ways to exploit them without being noticed until it was too late. The typical script kiddie would have just defaced a web page or something, not collected v
Re: (Score:2)
It seems sort of simple, but I'm curious how hard it was to manipulate the SolarWinds build process so easily that you could include your own malicious code. Isn't there some reasonable risk somebody notices unexpected check-ins and revision changes if you're targeting "old" code not being updated as much? Or wouldn't frequently updating code be at risk of breaking malware or having it get discovered?
I'd also assume that at companies like Microsoft or FireEye that literally everything that makes it "insid
Windows updates (Score:2)
So let me get this straight. This attack happened because people use 3rd party software to update Windows, because Windows Update is so broken?
Re: (Score:2)
It's not unusual for 3rd party software to use its own update system and servers. Where SolarWinds/Microsoft fail is that too many 3rd party tools are needed to manage Windows hosts and networks.
Bigger than the Heartbleed backdoor? (Score:2)
I think not.
Re: (Score:2)
Re: (Score:2)
How many systems were reported compromised as a result of Heartbleed? Last I checked, zero. Heartbleed had a good publicity team. It even had a logo.
supply chains? MS (non-)credibility? (Score:1)
To call it the largest & most sophisticated ever seen sounds like ignoring some that others have mentioned here, and the fact that we don't know what others have not been publicized yet, including things like this (https://www.schneier.com/blog/archives/2021/02/chinese-supply-chain-attack-on-computer-systems.html where we don't know everything, there can be debate; but given means, motive, and opportunity, I think at *least* keeping our eyes open and attempting to adopt wise practices based on realisti
What were they paid to do? (Score:2)
Re: (Score:2)
Isn't this Solarwinds some security software? Why is the company still in business?
Because customers cannot distinguish crap with glitter on top from actually good software.
Who monitors the monitors. (Score:2)
In the real world there are often multiple cameras pointing at each other so that it makes it much harder to obscure and/or spoof a camera. Here is a case where we have a single point of failure and no other systematic monitoring to make sure that single point failed. Ideally, there are multiple security detections both for triangulation as well as layered security with independent gates. Having "root" for the whole system is ridiculous.
largest? Maybe. Sophisticated? Nope. (Score:2)
As long as these companies continue to outsource the work and not require American, or at least western, citizens to do the work, this will continue to happen.
Solar BS .. (Score:1)
That would be 1,000 Microsoft developers to achieve the same results as a single hacker using generic online sources.
Classic diversion... (Score:1)
The fact that Office 365 was breached as well isn't a non-issue.
largest and most sophisticated attack the world .. (Score:2)
... that we know of.