In March 2020, Americans began to realize that the coronavirus was fatal and was going to be a real problem. What no American knew then was that at around the same time, the Russian government’s hack into the Orion network monitoring program, SolarWinds’ proprietary software, was destroying the security of major U.S. government agencies and technology companies. There were no explosions, no deaths, but it was the Pearl Harbor of American computing.
Russia, as we now know, used the hacked SolarWinds program to infiltrate at least 18,000 government and private networks. Data within these networks, user IDs, passwords, financial records, source code, you name it, can now be presumed to be in the hands of Russian intelligence officers.
Russians may even have the gems of the Microsoft software stack: Windows and Office. In a twist, which would be hilarious if it weren’t so serious, Microsoft says it’s not a big deal.
This is because Microsoft has “an internal approach – using open-source software development best practices and an open-source type culture – to make source code visible in Microsoft.” It’s good that Microsoft is admitting that the open-source approach is the right one for security – what I and other open source advocates have been saying for decades. But internal source is not the same as open source.
When hackers, not Microsoft developers, gain access to proprietary code, the door is open to attack. Certainly, Microsoft’s “threat models assume that attackers have knowledge of the source code. Thus, the visualization of the source code is not linked to the elevation of the risk.” But making that assumption is one thing. Facing reality is something else.
For decades, one of the stupid assumptions of proprietary software has been that “security by obscurity” works. While obscurity can help (no, really, it can if used smartly), it doesn’t with proprietary code. Even with the best will in the world, I doubt Microsoft has really embarked on the security code review necessary to lock down its proprietary code. The almost weekly revelations of new security vulnerabilities and incidents from Microsoft don’t make me feel warm and fuzzy about the security of its software.
While President Donald Trump has completely ignored the actions of the government of Russian President Vladimir Putin, the Cybersecurity and Infrastructure Security Agency (CISA) has said the hacks pose a “serious risk” to US governments at all levels.
The worst has been revealed. During the Christmas break, CISA said all U.S. government agencies must update to version 2020.2.1HF2 of Orion by the end of the year. If they can’t, they have to take those systems offline.
Why? Because another Orion vulnerability from SolarWinds was used to install Supernova and CosmicGale malware. This security vulnerability, CVE-2020-10148, is an authentication bypass in the Orion API that allows attackers to remotely execute code on Orion installations.
I have an even better idea than updating Orion. Dump Orion. Throw it away now. And launch an investigation into SolarWinds’ poor security record.
Over time, more and more government agencies and businesses have been hacked. This includes the State Department; Department of Homeland Security; National Institutes of Health; the Pentagon; Treasury Department; Commerce Department; and the Department of Energy, including the National Nuclear Security Administration.
Everyone claims nothing too important has been revealed, but then they would say that, right?
Senior Senate Intelligence Committee Senator Mark Warner (D-Virginia) told The New York Times the hack looked “much, much worse” than initially feared. “Its size keeps growing.”
How much bigger will it be? We do not know. Personally, I would assume that if my company used SolarWinds Orion software in 2020, I got hacked.
It did not come with bombs like the attack on Pearl Harbor, but this attack on our national agencies and US Fortune 500 companies could prove to be even more damaging to our national security and the prosperity of our business. Now we’ll see if US developers, sysadmins, and managers can take the opportunity to rebuild their systems like their grandparents did in the 1940s.