Why the breach of SolarWinds network management software shows a major blind spot in cybersecurity.
Over the Christmas break, the biggest security breach ever came to light. It is assumed to be instigated by a foreign entity. The breach is known mostly as SolarWinds. SolarWinds produces network management software called Orion that is used by…well, almost everyone. The attackers inserted a backdoor into an Orion software update. You know how the operating system on your PC or Mac gets automatically updated? Your laptop (and phone) is vulnerable to this type of attack if Microsoft, Apple, or Google’s security gets compromised. It is a bit like robbing a bank by breaking into the lock manufacturer and making a skeleton key that means you instantly have access to all the banks.
The best piece I have read about the attack over the breach is cryptography expert Bruce Schneier’s article, which appears in, of all places, the British newspaper The Guardian. His piece is titled The US has suffered a massive cyberbreach. It’s hard to overstate how bad it is. Let me quote a couple of paragraphs to give you an idea of how serious this is. Users of Orion include:
…all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges.
…
It’s hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, there’s no indication that any classified networks were penetrated, although that could change easily.
It is also not restricted to the US, as most closely allied countries are affected, too.
To make it worse, this backdoor was inserted months ago, before March 2020. It was not discovered until a security company called FireEye discovered that it had been compromised and discovered the vulnerability during the subsequent audit. So for months, a long list of companies and organizations were penetrated.
The challenge now is what to do about it. In the first place, removing your network management software is not as simple as deleting an app from your phone. But worse, it is standard infiltration practice (I was going to say “bad guy” but the NSA is the biggest organization in the world doing this sort of thing) to add hooks so that even if the original infection is cleaned up, hooks remain. But it is known that there are even exploits that can survive a disk reformatting. We know the attackers have that because it was stolen from the NSA and then published to hide the tracks. So everybody has it, not just the attackers and the NSA. There are also exploits that update the BIOS (actually called UEFI these days), or compromise the server management processor. As Bruce puts it, the only way “to ensure your network isn’t compromised is to burn it to the ground and rebuilt it”.
The big problem, which Bruce has been warning about for years, decades even, is that the US Government in general, but especially the FBI, NSA, and politicians, don’t seem to have a defensive mindset. They are constantly seeking to insert backdoors into things like WhatsApp or iPhone encryption on the basis that only they will be able to gain access to it. But that never remains true for long. The NSA in the past has weakened encryption protocols, weakened random number generators, and as far back as the 1990s was pushing for the Clipper Chip with a backdoor for all secure networks. I was aware of some of that at the time since VLSI Technology was the manufacturer, so it was a big issue when the entire security industry pushed back and it was eventually abandoned. The NSA’s budget seems to go mainly on offense. In fact, as I mentioned above, even the NSA can’t keep its own software secure. How long do you think an enormous database of backdoor keys would remain safe? Especially once local law enforcement starts to demand access to go after petty criminals, as they always do.
This exploit is a condemnation of the NSA’s lack of a defensive mindset. It is an embarrassment that, that despite being the largest and best-budgeted such organization in the world, the NSA failed to detect this exploit, along with all those government organizations and most of the Fortune 500. The alternative, which after the Snowden revelations would not be surprising, is that the NSA did detect it, but decided to use it for offense and didn’t notify anyone.
If you have any interest in security, and the safety of your own communications, you should read Bruce’s whole article. Once again it is The US has suffered a massive cyberbreach. It’s hard to overstate how bad it is. Another good article on the subject is the New York Times article As Understanding of Russian Hacking Grows, So Does Alarm (may require a subscription).
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply