Re: Security breach at multiple Federal agencies via SolarWinds
- To: BerkeleyLUG <berkeleylug@googlegroups.com>
- Subject: Re: Security breach at multiple Federal agencies via SolarWinds
- From: Rick Moen <rick@linuxmafia.com>
- Date: Mon, 21 Dec 2020 14:30:07 -0800
- Delivered-to: historian@entropia.netisland.net
- In-reply-to: <20201220000941.186362b9oefo06ww@webmail.rawbw.com>
- List-archive: <https://groups.google.com/group/berkeleylu>
- List-help: <https://groups.google.com/support/>, <mailto:berkeleylug+help@googlegroups.com>
- List-id: <berkeleylug.googlegroups.com>
- List-post: <https://groups.google.com/group/berkeleylug/post>, <mailto:berkeleylug@googlegroups.com>
- List-subscribe: <https://groups.google.com/group/berkeleylug/subscribe>, <mailto:berkeleylug+subscribe@googlegroups.com>
- List-unsubscribe: <mailto:googlegroups-manage+61884646931+unsubscribe@googlegroups.com>, <https://groups.google.com/group/berkeleylug/subscribe>
- Mailing-list: list berkeleylug@googlegroups.com; contact berkeleylug+owners@googlegroups.com
- Organization: If you lived here, you'd be $HOME already.
- References: <d09145ca-6392-4db8-8e55-11f352d847c6n@googlegroups.com> <20201220000941.186362b9oefo06ww@webmail.rawbw.com>
- Reply-to: berkeleylug@googlegroups.com
- Sender: berkeleylug@googlegroups.com
- User-agent: Mutt/1.5.20 (2009-06-14)
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
> I think Rick Moen - and others, have already quite well covered it.
> Though I might come from slightly different perspective,
> and maybe if I were sufficiently motivated, I might find a few
> minor bits to quibble slightly over, but I think Rick already pretty
> much has it spot on well covered.
Since as mentioned I _literally_ was trying to assess the news coverage
in real time as I read it, I'd not be the least bit surprised at my
having missed things. And also, there will doubtless be plot twists.
Anyway, all I promised was a quick take.
> First of all, yes, it's a big deal.
Seconded. A _lot_ of important government institutions, businesses,
research institutions, etc. now have to worry about undetermined amounts
of security compromise, and that is a Big Problem. It's a problem
equally if the institution decides it might have been rooted and decides
to do a ground-up rearchitecting and rebuild, if the institution elects
to shrug off the problem and bet that it'll get away with it, or -- most
likely -- if the institution takes a few half-assed ineffective steps
involving buying some more security wooga-wooga.
Anyone who's worked in the field has seen management go for dumb
wooga-wooga 99 times out of 100 -- and never learning from experience.
Like, for example, corporate board rooms all over the world are having
briefings where the point discussed is "We relied on SolarWinds Orion
Platform for network management and ran versions said to have been
trojaned, and have excised that software and changed all passwords,
but really have no idea whether systems have been intruded upon by
criminals, what systems, and whether we've now locked them out."
Rationally, the next point of discussion _ought_ to be "Why is our
internal monitoring and detection so bad that we cannot answer that
question?", but experience says it won't be.
Instead, they'll just at most buy a consulting package to issue a report
and make some recommendations, so management can claim they followed
"best practices".
http://linuxmafia.com/~rick/lexicon.html#best-practices
Best Practices
Making sure your blunders are popular ones. Rationally, this term
_should_ mean "methods that meet professional standards of competence
and due care", but tends instead to be a managerial code phrase
meaning "If anything goes wrong, I want to escape being a specific
target of blame by pointing out that our hapless cock-up was the same
one countless others made, too."
> Additionally, something gravely lacking here in so many places,
> adequate monitoring and detection. This should'a been caught a whole
> lot sooner and stopped and shut down ... but ... it wasn't.
Quite.
This is exactly where FireEye stands out for its leadership.
> One of the posts I saw mentioned, Debian, and "what if", as if what if
> something like that had happened to Debian? Well, fair number of
> years back, it kind'a did. A Debian Developer (DD)'s key was
> compromised. And some bad folks started doing some nasty stuff - even
> using a Zero-day
> https://en.wikipedia.org/wiki/Zero-day_(computing)
> exploit.
And, as it happens, I wrote in some depth about it for _Linux Gazette_:
http://linuxmafia.com/~rick/constructive-paranoia.html
In particular, I pointed out how and why the Debian Project detected
within one day the compromise of four of their machines _despite_ it
having been a zero-day kernel exploit, took immediate effective action,
and wrote an authoritative after-action postmortem report. Also, I
pointed out that the Debian package archive was not compromised by the
intruder, and why.
As I mention in the article, Gentoo Project was likewise hit by the same
kernel security bug and that the compromise was detected within an
_hour_ by effective use of an IDS and a file-integrity checker.
These were two all-volunteer geek projects, and yet, when challenged by
an existential security threat, they responded correctly and effectively
-- succeeding immediately to a worse threat than SolarWinds faced, and
where SolarWinds allegedly had absolutely no idea they'd failed at
their one job for something like eight months (until customer FireEye
briefed them).
> Well, was bit earlier, but in any case, SolarWinds blames
> Open Source.
> https://thwack.solarwinds.com/t5/Geek-Speak-Blogs/The-Pros-and-Cons-of-Open-source-Tools/ba-p/478665
Oh, that is, as Dana Carvey's Church Lady used to say, Extra Special. ;->
How does crow taste, Greg W. Stuart?
This _particular_ Greg W. Stuart appears to be one of a stable of
rent-a-pundits SolarWinds publishes.
https://orangematter.solarwinds.com/brains/ If I have found the correct
one in hunting around, this one is an ex-USAF guy who fell in love with
VMware while in the service, and then decided that he's an IT expert.