[Cryptography] Solar Winds hack

Jerry Leichter leichter at lrw.com
Mon Dec 21 13:02:24 EST 2020

> I'm a bit suspicious of the timing of the announcement
> of this hack.
> Does anyone know when the hack was actually discovered?
FireEye, a security company, publicly reported that they had been breached on December 8th.  Apparently as they dug into how the breach occurred, they discovered that it was through Solarwinds.  Determining this took significant effort.  (A public report by the WSJ says FireEye initially got an alert about an unexpected new device connected to their VPN, and then a team of 100 employees scanned through 50,000 lines of code to figure out the cause.  I take those numbers with a huge grain of salt - if the vulnerability was in Solarwinds they would have no code to scan.  Most likely, they scanned log files.  And while 50,000 lines sounds like a lot to those unfamiliar with this kind of thing, I've personally scanned many hundreds of thousands of lines of log files myself to track down anomalies.  Obviously, that doesn't mean *reading* all those lines - you use various automated tools to winnow out all the noise.  I used to joke at one point that my main job qualification was knowing how to start with a million lines of logs and quickly tease out just the hundred or so that actually had useful information.)

> Well stories about Solar winds execs dumping stock a few days before the announcement...
Tracking down this kind of thing is something the SEC is really good at, and they love to nail people for it.  It's one of the few white-collar crimes that gets successfully pursued quite frequently.  There are more subtle ways to profit from this kind of inside information ... if these guys were stupid enough to actually trade directly on it, they're going to be very sorry.

> What I am finding interesting is that so many people are going on about the fact that a weak password was chosen.
> All passwords become weak as soon as you stick them in a shell script and upload the result to a public server...
There are two interesting points about this that I haven't seen discussed:

- Did this password allow writing to the download server, or only reading from it?  If the latter ... it is, after all, a *download* server which 18,000 customers have to have access to.  A password would only be intended as a minor hindrance to non-customers.

- Even if the password *did* allow uploading, that in and of itself, while bad practice, was not much of a vulnerability:  The files there were signed and so any fakes should have been ignored by the update software.  The *real* problem was that Solarwinds managed to lose control of their private signing key.  At that point, everything is lost.

                                                        -- Jerry
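An added illustration of the second point above, written for this archive page and not part of Jerry's message or of any SolarWinds code: a minimal signed-update check in Go using the standard library's Ed25519, with constructed keys and payloads, showing that a write-only compromise of the download server is caught by signature verification, that a stolen signing key is not, and what key rotation recovers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update is a release artifact plus a detached signature over its bytes.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the vendor's release step; whoever holds priv can run it.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the client-side check run before installing anything fetched
// from the download server: accept only signatures valid under the trusted key.
func VerifyUpdate(trusted ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(trusted, u.Payload, u.Signature)
}

// Scenario walks through the cases the post distinguishes. All keys and
// payloads are constructed here for illustration only.
func Scenario() (genuine, tampered, stolenKey, afterRotation bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor's key pair
	release := SignUpdate(priv, []byte("update-v1: constructed payload"))
	genuine = VerifyUpdate(pub, release)
	// Attacker with only write access to the download server: swaps the file
	// bytes but cannot produce a matching signature, so the client rejects it.
	forged := Update{Payload: []byte("update-v1: altered"), Signature: release.Signature}
	tampered = VerifyUpdate(pub, forged)
	// Attacker holding the vendor's private key: the altered file verifies
	// exactly like a real release; the client has no way to tell them apart.
	evil := SignUpdate(priv, []byte("update-v1: altered"))
	stolenKey = VerifyUpdate(pub, evil)
	// Recovery: vendor rotates to a new key and clients trust only the new one.
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	afterRotation = VerifyUpdate(newPub, evil)
	return
}

func main() {
	g, t, s, r := Scenario()
	fmt.Printf("genuine=%v tampered=%v stolenKey=%v afterRotation=%v\n", g, t, s, r)
}
```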
