SolarWinds hack Dec 2020

The government stopped using it entirely, and any corporations using the Orion product should probably do the same.

@Gendal: Presumably, you work at one company. The US government is a gigantic octopus of hundreds of agencies, not comparable to even a huge Fortune 50 company.

I deal with many of the same issues but it is technically one company that just operates like a few dozen. We exceeded all our goals this year for transition and consolidation and the needle still moved in the wrong direction.

The real scale though, sure, isn’t comparable to the US Government.

Much like every regulatory agency in the U.S., the companies being regulated understand the system better than the regulators. Most government security standards (e.g. FIPS) make no sense, and do not actually guarantee security. Generally you get certified that your product can be FIPS-compliant, but nobody actually runs the products in FIPS-enabled mode, because then they would be useless, because FIPS is nonsensical.

Personally, I’m not sure the problem is homogeneity of the security environment, but that everybody’s software relies on hundreds of other people’s software, usually with no vetting or auditing of those components, beyond “lots of people use this so it must be ok”. So a failure in any one of thousands of libraries out there in the world can bring down just about anything, anywhere.

and constant vigilance.

Well, this wasn’t a dependency problem, it was a supply chain attack. But yes, that’s an issue too; we know from OpenSSL that open source isn’t necessarily secure if it hasn’t been code audited.

They’re making us turn FIPS mode on, heh. Not entirely clear if it works or not.

So I guess nothing public has made it clear if this code was actually added through source control (and thus (theoretically) had to somehow get past code reviews) or if somehow they maliciously hooked into the build steps to add the code post-checkout. I’m assuming the latter though as that seems like the easier target.

No, it looks to have happened at the source.

I read that article but that article wasn’t clear (unless I missed it) that it was actually checked in. It appears that they were careful to make it look like existing code, but that might have been done for decompilation purposes, not for source browsing purposes.

Edit:

The big question is: was source control compromised, or was the attackers’ code just placed on the build machine?

Unfortunately, that is something the metadata can’t reveal. There are no such artifacts that get preserved during software compilation. But the attackers went through a lot of trouble to ensure that their code looks like it belongs within the code base. That was certainly done to hide the code from the audit by the software developers.

So yeah, it could easily be that their build pipeline was compromised and someone sneakily added build steps to insert the malicious code during that process.

Ahh I see what you mean. Yeah, only SolarWinds can answer that question.

I should have said “less than A DAY”, and it’s the head clown himself because obviously…

Could he be any more obviously under Putin’s thumb? He stays quiet all week about this, and now, suddenly on Saturday, it’s all “why can’t it be China?”. No acknowledgement that this is serious, no talk about how the U.S. government is on this, instead it’s deflection away from his Russian masters and using it as fuel for the “stolen election” bullshit to further erode trust in the democratic process.

I was thinking exactly the same thing. It’s beyond obvious that Russia has the goods on Trump and he sings and dances to their tune. I don’t think it’s a coincidence that this attack took place now while Trump is still in the WH so they could rely on him to ignore the attack and deflect blame from Russia. The same thing happened previously with the bounties placed on US troops so this is an ongoing pattern.

It’s beyond infuriating that no one in Congress, the military, or the intelligence communities says anything at all about what is the most obvious thing in the world. The US is a pretty pathetic actor on the world stage these days.

No one will; they had plenty of other massively lax security practices, and all their source code was made off with. They are a dead company.

The only way they survive is if the Government takes them over to clean up the mess.

MS with a pretty in-depth look at the hack

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

MS Defender Antivirus isn’t “next generation protection”. That’s bullshit. It obviously would not have protected from this attack, as they didn’t have its signature beforehand. It’s great that they added it after the fact, but that has no pertinence to the matter.

I’m not entirely clear on what the “Microsoft Defender for Endpoint” product is, but if it’s host-based intrusion detection then yes, it could potentially have detected the trojan’s unusual behavior. The problem with host-based IDS is it generates an insane number of false positive alerts, so most companies tell their clients to exclude their products. I know my company does. I wouldn’t be surprised if Solarwinds did too.

An enhanced suite of protection tools based on integration with some recent acquisitions. They sell an O365 ‘E5’ edition that encapsulates a more complete and (they would argue) next gen protection platform.

YMMV, but I agree, there is a minimal chance any particular security vendor’s tooling is going to be all that adequate at preventing this kind of attack, particularly with organisations often having a mix of server OSes, including non-MS, and this being a state-sanctioned attack (huge resources).

Zero trust networking and full application whitelisting would be the ‘next gen’ approach, but that is sooooo far away a goal for most organisations and I would argue government departments in particular, since they tend to move slowly.

Even then, a KNOWN and TRUSTED vendor’s code was compromised at source/compile. That is next to impossible to protect against. Even in a whitelisting scenario, your business process would potentially be to whitelist the compromised code’s behaviour and class it as good. Wooo!

It will be more interesting to read analysis from the Check Points, Palo Altos and other leading SIEM vendors on this attack to determine if any particular approaches may have helped mitigate. But, you know, that’s kind of what SolarWinds does too…
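Two points in this thread are worth making concrete: the earlier exchange on whether the backdoor was committed to source control or injected on the build machine (the binary’s metadata cannot tell you, but an independent rebuild of the same commit can), and the point just above that a hash allowlist seeded from the vendor’s own published binary would simply bless the trojaned file. The following is an added example, not code from the thread, from SolarWinds or from any vendor named here. The two source files, the toy “compiler” (it just concatenates sources in a fixed order), and the injected line are all constructed for the demonstration; the only assumption that matters is that the real build is reproducible, so that a second build of the same commit yields a byte-identical artifact.

```python
"""Added example (not from the thread or from SolarWinds): distinguish "the backdoor
is in source control" from "it was injected on the build machine" by rebuilding
the same commit independently and comparing hashes, then show why a hash
allowlist built from the vendor's shipped binary is blind to either case.
Sources, the toy compiler and the tampering are constructed; a real build must be
reproducible for the comparison to mean anything."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a checked-out commit: two source files.
CLEAN_SOURCES = {
    "Orion/Core.cs": "class Core { void Run() { Poll(); } }\n",
    "Orion/Poll.cs": "class Poller { void Poll() { /* inventory */ } }\n",
}
# Constructed stand-in for attacker code written to blend in with the code base.
INJECTED_LINE = "class Telemetry { void Beacon() { /* looks routine */ } }\n"


def write_tree(root: Path, files: dict) -> None:
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def tree_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of content, for every file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def toy_build(src: Path) -> bytes:
    """Deterministic stand-in for compile+link: concatenate sources in path order."""
    return b"".join((src / rel).read_bytes() for rel in sorted(tree_manifest(src)))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(shipped_digest: str, independent_rebuild_digest: str) -> str:
    """Compare the vendor's shipped artifact with an independent rebuild of the
    commit it claims to come from (reproducible build assumed)."""
    if shipped_digest == independent_rebuild_digest:
        return "matches-scm"        # whatever is in the binary is also in the repo
    return "diverges-from-scm"      # added after checkout, or the build is not reproducible


def allowlist_passes(artifact_digest: str, allowlist: set) -> bool:
    """Hash-based application allowlisting only answers 'is this the vendor's file?'"""
    return artifact_digest in allowlist


def run_scenarios() -> dict:
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        scm = tmp / "scm_checkout"              # what a reviewer sees in source control
        write_tree(scm, CLEAN_SOURCES)
        scm_manifest = tree_manifest(scm)
        independent = sha256(toy_build(scm))    # our own rebuild of the clean commit

        # Scenario A: source control is clean; the build machine swaps a file post-checkout.
        build_a = tmp / "build_machine_a"
        shutil.copytree(scm, build_a)
        (build_a / "Orion/Poll.cs").write_text(CLEAN_SOURCES["Orion/Poll.cs"] + INJECTED_LINE)
        shipped_a = sha256(toy_build(build_a))
        changed_a = sorted(k for k, v in tree_manifest(build_a).items()
                           if scm_manifest.get(k) != v)

        # Scenario B: the same line was committed to the repo; the build machine is honest.
        scm_b = tmp / "scm_checkout_b"
        write_tree(scm_b, {**CLEAN_SOURCES,
                           "Orion/Poll.cs": CLEAN_SOURCES["Orion/Poll.cs"] + INJECTED_LINE})
        shipped_b = sha256(toy_build(scm_b))
        rebuild_b = sha256(toy_build(scm_b))    # independent rebuild of commit B

        # An allowlist seeded from the vendor's published hashes trusts both trojaned builds.
        vendor_allowlist = {shipped_a, shipped_b}
        return {
            "a_verdict": classify(shipped_a, independent),
            "a_changed_on_build_machine": changed_a,
            "b_verdict": classify(shipped_b, rebuild_b),
            "b_injection_visible_in_scm": INJECTED_LINE in (scm_b / "Orion/Poll.cs").read_text(),
            "allowlist_trusts_a": allowlist_passes(shipped_a, vendor_allowlist),
            "allowlist_trusts_b": allowlist_passes(shipped_b, vendor_allowlist),
        }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

In scenario A the rebuild diverges from the shipped file and the manifest diff names the file the build machine actually compiled, which is the evidence the thread says the binary alone cannot provide. In scenario B the rebuild matches, which tells you to go look at the repository history instead. In both cases the hash allowlist passes, because it was built from the very artifact that carries the implant; allowlisting answers “is this the vendor’s file?”, not “is the vendor’s file what the vendor’s source says it should be?”.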

What SolarWinds did.

I totally agree. I don’t know how you defend against this.

LOL.

I changed usernames and passwords for all online accounts that are in any way (at least that I can think of) accessing my money, including my Social Security account. And I don’t store passwords or usernames electronically.

My question is do these precautions make me any safer from the implications of the solar winds hack?

There’s a multitude of factors in answering that question. I don’t think there’ll be a definitive answer as to what, exactly, was leaked from the multitude of compromised services and how that can or will affect you.

Definitely the right thing to do in the circumstance - there’s not much else you can do - however I will point out you’ll probably gain little unless you’ve used a unique password for each account. I would consider electronic to make that easier.