Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT Technology

SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever, Microsoft President Says (reuters.com) 66

A hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies is "the largest and most sophisticated attack the world has ever seen," Microsoft Corp President Brad Smith said. From a report: The operation, which was identified in December and that the U.S. government has said was likely orchestrated by Russia, breached software made by SolarWinds Corp, giving hackers access to thousands of companies and government offices that used its products. The hackers got access to emails at the U.S. Treasury, Justice and Commerce departments and other agencies. Cybersecurity experts have said it could take months to identify the compromised systems and expel the hackers. "I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen," Smith said during an interview that aired on Sunday on the CBS program "60 Minutes." The breach could have compromised up to 18,000 SolarWinds customers that used the company's Orion network monitoring software, and likely relied on hundreds of engineers.
This discussion has been archived. No new comments can be posted.

SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever, Microsoft President Says

Comments Filter:
  • by Forty Two Tenfold ( 1134125 ) on Monday February 15, 2021 @09:17AM (#61065432)
    ... Negligence. This is the word you're looking for. Never attribute to malice that which can be adequately explained by stupidity. [wikipedia.org]
    • by BAReFO0t ( 6240524 ) on Monday February 15, 2021 @09:50AM (#61065494)

      Stop parroting that stupid meme, please. It has no basis in reality.

      It's something comforting, that people say, to lull themselves when reality overwhelms them.

        Any asshole since the dawn of time quickly learned that their assholery was more successful, if they could make ot look like "Whoopsie, stoopid me! I'm sorry, (let's do it again right away)! Whoops again, how clumsy of me!". And then they learned that if you overwelm people, which is easy if they lived in their safe space their entire lives, *they will do it for you*. Assume you're just stupid, I mean.

      In reality, the distinction is irrelevant. It is always stupid to be harmful. And it is always harmful to be stupid. The more so, the more it converges to the same thing.

      But if you want to be precise, you can tell evilness from stupidity:
      Because stupidity is incompetent. That means it diverges and is closer to randomness. While something competent by definition converges towards a goal. So if you are smart, but consistently fail, all by yourself, you aren't smart, now are you? And even an idiot who consistently achieves goals that are harmful to you, is competent, and therefore not stupid, but evil.
      The exception is when somebody else is in control. You can be as smart as you want, if a moron with club that's big enough forces you to do his bidding, you will still act stupid. And you can be as stupid as you want, of you are some smart person's puppet, you can still act evil.

      • Negligence is basically apathy. It's a "I don't care". Doesn't excuse it, but that's it's foundation. Want to change it? Show that it's in their own (selfish) interest to care. Lose money, life, CO, whatever is important to them. People behave this way because they don't see the connections between what's important to them and what's important to us.

      • by notsouseful ( 6407080 ) on Monday February 15, 2021 @12:26PM (#61065984)
        I believe what you're looking for is Grey's law: "Any sufficiently advanced incompetence is indistinguishable from malice". It should also be treated as such. Willful maliciousness, extreme negligence -> same outcome, should be similar punishment. Parents who leave their infants in a hot car for a day deserve the manslaughter charges, and the world will never know if they did it consciously or not. Politicians should not be able to justify their malicious acts by feigning ignorance.
        • Parents who leave their infants in a hot car for a day deserve the manslaughter charges, and the world will never know if they did it consciously or not.

          Ask me how I know you don't have kids. Now go take your antipsychotics please. Nobody bakes their kid on purpose.

          • Ask me how I know you don't have kids. Now go take your antipsychotics please. Nobody bakes their kid on purpose.

            People can be awful [wikipedia.org], and we can't read minds, but I am sorry that what I mentioned was so horrid and revolting. It's what popped into my head as a deeply unforgivable offense that nobody would believe was possible. A parent should never have to bury a child, but any parent that does so intentionally... Let's just say that there's a certain scene from the book 11/22/63 that has haunted me for years. Thank you for pointing this out.

        • If what you're saying is true then there shouldn't even be a manslaughter charge. I think what you're not taking into account is motive. Extreme negligence doesn't need a motive, but maliciousness does. Getting back at your employer for some perceived slight is worse than just being terrible at your job and not caring because you're lazy and just want a paycheck.
      • by Chas ( 5144 )

        Stop parroting that stupid meme, please. It has no basis in reality.

        It's something comforting, that people say, to lull themselves when reality overwhelms them.

        Oh my sweet summer child.

        What it must be like to be that young and gullib^H^H^H naive...

      • by rtb61 ( 674572 )

        The last gasp of a massive PR=B$ con M$ trying to escape liability for shit security. What has been going on in the background hidden, tens of millions spent with lobbyists to prevent billions in losses and penalties.

        This is what the greedy incompetent liars cheats and thieves were paid to prevent. This is their job. They fucked it up due to lax security, Proof, they were hacked and are now seeking to scam their way out of it all.

        M$ shit a security, good at marketing their lies. Why was the hack successfu

      • by U0K ( 6195040 )
        What are you talking about?

        Incompetence and or negligence are not a "get out of jail free card". The legal concept of has existed for a long time: https://en.wikipedia.org/wiki/... [wikipedia.org]

        In German, which you ought to know, we have this nice little saying "Unwissenheit schützt vor Strafe nicht". It figuratively translates to ignorance does not protect from justice.
        And of course it's not only a concept in German because "Ignorantia juris non excusat" dates back to ancient Rome. Today the concept can be fo
    • The problem with Security is that it gets in the way of getting things done.
      Even for companies that take security seriously still need to balance the needs to get things done effectively and efficiently.

      Most people are not IT Security Experts, most people in IT are not Security Experts. They have a wide set of skill sets that can span many topics. So for many the security in their consumer level Wi-Fi Router is good enough. As that will block 99.9% of all the attacks. While for a business or an organiz

      • You make a good point.

        ALSO security is the trial CIA:
        Confidentiality
        Integrity
        Availability

        That means the system:

        Confidentiality - Gives info only to the right people
        Integrity - Gives correct results
        Availability - Can be used by the people who need it

        Confidentiality and availability are sometimes at odds. All three are security. 2/3rds of security is making sure you can use the system and it works properly for you - even when somebody is trying to break it. Which implies we need to make sure you can use it

      • by micheas ( 231635 )
        There is something that is really hard to get through to people which is that there are secure designs and insecure designs. You can make an insecure design secure enough most of the time (Sendmail, Active Directory), and secure designs will occasionally have a flaw discovered with them (Postfix, Qmail) But, overall, the long term expectation is that if you rely on Active Directory or Sendmail you need to simply accept that cleaning up after intrusions is part of your day to day business operations and not
      • by gtall ( 79522 )

        Security doesn't seem to have stopped MS from getting stuff done.

        • I am unsure if you are trying to prove or disprove my point.
          In terms of Security, I normally do not relate Microsoft Products as being very secure....
          However they have put more effort into security than most companies, being how incredibility visible their products are.

    • by fazig ( 2909523 )
      I am not sure if that applies here.

      I mean Microsoft being negligent? Sure.
      But what's the malice here? Did someone suggest Microsoft did it out of malice? If no, Hanlon's Razor does not apply.

      And you can neither apply it to the perpetrators to erase the malicious quality of their action. That would be like like saying that it was your negligence not locking the doors of your house that caused it to burn down. It wasn't the malice of the arsonist who set it on fire.
    • by gweihir ( 88907 )

      Indeed. And the real question is what have they not seen of what is going on.

    • by Chas ( 5144 )

      Exactly.

      This is Microsoft we're talking about.

      They may know "Large".

      But they wouldn't recognize sophistication if you beat them to death with it.

  • "SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever Admitted To"

    There, fixed that headline for you.

    • "SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever Admitted To"

      There, fixed that headline for you.

      Yup, I was going to point that out but you beat me to it. Many years ago I watched a TV interview with Markus Wolf who was the director of the Main Directorate for Reconnaissance (i.e. intelligence). The interviewer eventually asked him who he thought were the three most important spies he ever recruited in the west (including the USA). Wolf just smiled and said, "... you've never heard of them".

  • What about... (Score:5, Informative)

    by haus ( 129916 ) on Monday February 15, 2021 @09:31AM (#61065458) Journal

    The attack that got in and allowed the hacker to sign certificates as Adobe? That seemed to expose a big user base.

    For sophistication Stuxnet seems a bit higher up the scale than guessing/stealing a password that should have not been allowed for a account used to track a junior high students account at the schoolâ(TM)s cafeteria.

    • But then how could we keep the fearmongering up that forces you on our side, and to assume that there are "sides" in the first place? (Yeah, most Russians and Americans are just ... people.)

      You know, if in 50 years it came out, that the US and Russian governments (or war industries) had a deal to be each others' conventient villain in the closet, to achieve the above, I would not be surprised one single bit.

    • Re:What about... (Score:5, Insightful)

      by AmiMoJo ( 196126 ) on Monday February 15, 2021 @11:23AM (#61065776) Homepage Journal

      The issue with Solarwinds is that it became a key, trusted bit of software and yet nobody bothered to properly secure it. The NSA should have been all over it, actively looking for these kinds of vulnerabilities and monitoring it for attacks.

      • by haus ( 129916 )

        Solarwinds is dead tech, it has clearly been on a declining path for sometime now.

        The business model for most software is that you do not really work that hard on security on the way up because it will increase cost and slow you down. Once you near the top you sell it off to some investment firm and let them try to milk the remaining money out of it, and your DEFINITELY do not want to spend money on security now, because it messes up your spreadsheet and ruins your chance at a profit.

        The NSA is more concern

        • The NSA is not about securing the west from the Russians (or China), it is about owning you using the Russians (or China) as an excuse.

          Russia or China may not be the biggest security and privacy problem I have living in North America. China isn't the one suggesting we should have trivial backdoors for law enforcement.
        • Software relied upon by micro$oft 'admins' to do what they think of as monitoring.
          This is only the biggest hack that was made public.
          Hard for the micro$oft system 'admin' group to do security when their priority is what's for lunch and who gets the window seat. Oh, and checking linkedin to see if there is a higher paying job for someone with their stellar record.
      • The issue with Solarwinds is that it became a key, trusted bit of software and yet nobody bothered to properly secure it. The NSA should have been all over it, actively looking for these kinds of vulnerabilities and monitoring it for attacks.

        What's proper security for SolarWinds? The update server was compromised. The organizations that got infected were the ones keeping up with security updates.

        If a nagios update server was compromised, that would be the same sort of problem. It's a tool all your admins use frequently, so the juiciest credentials on the network are toast. And the nature of the work it does gives it a map of the network and access to many things.

        Hell, it may as well have been an Ubuntu update server. How far do you go to p

        • by AmiMoJo ( 196126 )

          The NSA should offer to audit update servers and actively look for zero day issues in critical software.

  • by BAReFO0t ( 6240524 ) on Monday February 15, 2021 @09:32AM (#61065460)

    I think Israel's operations against e.g. Iran make SolarWinds' hackers look like script kiddies.

    Also, I wonder which ones the world has never seen. Apart from government agencies that spy on their own people (${China's}, NSA, FSB, etc) which the article apparently does not count, but which should. (Old rule of "too big to horrify" again?)

    • I thought this same thing.

      Student, at least in terms of potential, was pretty amazing. They likely had to gain physical access to a computer via good old spy type stuff, and the payload was software that could autonomously do actual physical damage to industrial equipment. The Natanz fire is probably going to be caused by something similar.

      That stuff has so far been aimed at a specific industry in a specific country, but there is equipment running critical infrastructure all over the world that is vuln
      • by lsllll ( 830002 )
        I don't think they needed physical access to a computer for Stuxnet. I think they just "lost" a few USB sticks where they were readily available to Iranian scientists, officials, and workers with access to inside the network that ran the centrifuges.
  • Ever seen (Score:5, Insightful)

    by kvutza ( 893474 ) on Monday February 15, 2021 @09:37AM (#61065472)
    He said ever seen, not just ever. It is a big difference.
  • “I have been fully briefed and everything is well under control...” (Donald Trump 2020-12-19) https://www.theverge.com/2020/... [theverge.com]

    ... And now cyber security experts say it could take months to identify compromised systems and expel hackers.

    • Well under control till out of office, then the wheels fall off the wagon.

    • Re: (Score:2, Funny)

      by gtall ( 79522 )

      Well, to be fair, the former alleged president didn't specify under whose control everything is well. That's just his stock phrase to cover for anything that went wrong under his administration regardless of whether they were to blame or not. However, seeing as he took credit for anything good that happened while in office, it seems fair to assign him blame for anything bad that happened while in office.

    • He's gone, no point quoting him.

  • So let me get this straight. Solarwinds is security software installed on hundreds of thousands of computers, and as security software it essentially has unfettered access to each machine. Solarwinds has an automatic update system that pushes software updates to all those machines. Someone found a way to have that update system push their arbitrary code to those computers. So in other words Solarwinds became the global InstallShield tool for hackers. Does it get any more convenient than that? Not only d

    • The software in question isn't security, it's monitoring. Primarily network devices but it'll handle servers too. This makes it a juicy target because in order to monitor your systems, your firewalls and ACL's have to allow access to the monitoring systems.
      • Really good target because WMI credentials have been broken and rebroken for multiple generations of Microsoft software. The tie to having to make a call to AD for "public" equlent has hosed a tremendous number of windows admins.

        Read only (ro) creditials can do just about anything view wise on a switch and have been time tested for 30+ years or the verbalities found and corrected. That was Solarwinds bread and butter for 20 years, if they would have avoided extending to WMI they would have been not wor
    • From Wiki: "In November 2019, a security researcher notified SolarWinds that their FTP server had a weak password of "solarwinds123"

      So indeed, the initial break is most likely through that, or some other weakness that is rather unsophisticated. OTOH, there was most likely a sophisticated state level actor seeking out such things and planning the best ways to exploit them without being noticed until it was too late. The typical script kiddie would have just defaced a web page or something, not collected v

    • It seems sort of simple, but I'm curious how hard it was to manipulate the SolarWinds build process so easily that you could include your own malicious code. Isn't there some reasonable risk somebody notices unexpected check-ins and revision changes if you're targeting "old" code not being updated as much? Or wouldn't frequently updating code be at risk of breaking malware or having it get discovered?

      I'd also assume that at companies like Microsoft or FireEye that literally everything that makes it "insid

  • So let me get this straight. This attack happened because people use 3rd party software to update Windows, because Windows Update is so broken?

    • by PPH ( 736903 )

      It's not unusual for 3rd party software to use its own update system and servers. Where SolarWinds/Microsoft fail is that too many 3rd party tools are needed to manage Windows hosts and networks.

    • The OpenSSL problems have been bigger, just the average tech reporter had no idea of what he was looking at.
    • How many systems were reported compromised as a result of Heartbleed? Last I checked, zero. Heartbleed had a good publicity team. It even had a logo.

  • To call it the largest & most sophisticated ever seen sounds like ignoring some that others have mentioned here, and the fact that we don't know what others have not been publicized yet, including things like this (https://www.schneier.com/blog/archives/2021/02/chinese-supply-chain-attack-on-computer-systems.html where we don't know everything, there can be debate; but given means, motive, and opportunity, I think at *least* keeping our eyes open and attempting to adopt wise practices based on realisti

  • Isn't this Solarwinds some security software? Why is the company still in business?
    • by gweihir ( 88907 )

      Isn't this Solarwinds some security software? Why is the company still in business?

      Because customers cannot distinguish crap with glitter on top from actually good software.

  • In the real world there are often multiple cameras pointing at each other so that it makes it much harder to obscure and/or spoof a camera. Here is a case where we have a single point of failure and no other systematic monitoring to make sure that single point failed. Ideally, there are multiple security detections both for triangulation as well as layered security with independent gates. Having "root" for the whole system is ridiculous.

  • This was an inside job. Nothing sophisticated about that.

    As long as these companies continue to outsource the work and not require that American, or at least western, citizens to do the work, this will continue to happen.
  • When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000

    That would be 1,000 Microsoft developers to achieve the same results as a single hacker using generic online sources.
  • The fact that Office 365 was breached as well isnâ(TM)t a non-issue.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...