[ad_1]
- SolarWinds told Congress that using the password “solarwinds123” was an intern’s mistake.
- A key researcher told Insider that login details have been posted publicly on GitHub for years.
- Cyber security experts say the issue appears to represent more than a weak intern’s password.
- Visit Insider’s Business section for more stories.
Two SolarWinds CEOs told Congress on Friday that the now infamous exposure of the “solarwinds123” password was the result of an intern error in 2017. The new statements highlight a cybersecurity loophole that has asked about large-scale cybersecurity attacks. for several months.
Five cybersecurity experts tell Insider they believe the issue has broad cybersecurity implications beyond an intern’s weak password. Among the experts is the researcher who discovered the problem, which involved the connection information to a server used for software updates. An email that appears to have come from SolarWinds security team to this researcher says the information was “publicly available” and the company was dealing with “exposed credentials.”
SolarWind’s cybersecurity attacks used software updates to invade the computer networks of nine major US agencies and thousands of companies in historic and sweeping supply chain attacks. The origin of the attacks has not been found, and lawmakers’ scrutiny of the password issue on Friday ultimately raised new questions about the Texas-based IT company’s own cybersecurity practices.
Former CEO Kevin Thompson and current CEO Sudhakar Ramakrishna addressed the House Oversight Committee, where they answered questions about the weak password, the news of which was first widely reported in December.
“I have a stronger password than ‘solarwinds123’ to prevent my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said during the hearings. “You and your company were supposed to prevent the Russians from reading Defense Ministry emails.”
“I think it was a password that an intern used on one of his servers in 2017, which was reported to our security team and was immediately deleted,” Ramakrishna replied to Porter.
His predecessor gave a similar response at another point in the testimony. “It was related to a mistake made by an intern, and they violated our password policies and they posted that password on an intern on their own,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they removed it.”
Cyber security experts, however, say the problem appears to have involved more than a trainee error. SolarWinds, which has yet to comment on the password issue, did not immediately comment on Insider on the issue.
The solarwinds.net username and solarwinds123 password were visible in a project on the GitHub codeshare site, according to the researcher who found the problem and the screenshots reviewed by Insider. The researcher said these credentials would provide access to a SolarWinds server that manages the company’s software updates, the process at the heart of SolarWinds supply chain attacks.
The publicly exposed username and password were still in use as of November 2019, more than two years after Ramakrishna announced its creation, the researcher said. This seems to suggest that the problem went beyond a trainee’s error that was quickly fixed, instead leaving critical user credentials exposed – although there is no evidence of whether the SolarWinds hackers may or may not have taken advantage of such exposure.
“They should have said it was open for two years,” Vinoth Kumar, the cybersecurity researcher who first discovered the problem after Friday’s testimony, told Insider. “It was public and provided access to a critical server.” An email apparently sent by SolarWinds security team to Kumar, dated November 22, 2019, states that “the misconfiguration of the GitHub repository has been fixed and is no longer publicly available, treatment has also been applied to the exposed credentials ”.
Insider asked four seasoned cybersecurity experts to assess Kumar’s findings and compare them with CEOs’ claims that the issue involved an intern’s password. The four said they believe the cybersecurity issues involved go far beyond what was discussed on Capitol Hill.
“It could have played a role in the supply chain attacks,” said Mike Hamilton, former head of information security for the city of Seattle and founder of CI Security. The visibility of the username and password on GitHub suggests an automated process used by the company, he said. “It is unlikely that all of this was the work of an intern,” he said.
Tony Cook, head of threat intelligence at GuidePoint Security and a former US Navy cybersecurity officer, said Kumar’s research “leads me to believe this was a bigger problem than the password of an intern “.
And Etay Maor, senior director of security strategy at Cato Networks, said, “It wasn’t internal,” despite what Thompson told Congress. “It’s on GitHub. It doesn’t take long for people to see this on the internet. And what does that mean they deleted it? It was online.”
Porter, who wrote the password on a sticky note she handed out for the camera during Friday’s proceedings, told Insider she was not surprised by the discrepancy between what executives testified and what the experts said.
“Exposing the facts to minimize the role and responsibility of the company in hacking is disappointing but not surprising,” she said. “As I have said over the past two years, we need stronger federal oversight of Internet businesses, especially those vital to our national security and critical infrastructure. Rest assured I will do so. a trace.”
[ad_2]
Source link