SolarWinds blames intern for weak password – experts have doubts

  • SolarWinds told Congress that the use of the password ‘solarwinds123’ was an intern’s mistake.
  • A key researcher told Insider that the login information had been publicly posted on GitHub for years.
  • Cybersecurity experts say the problem appears to involve more than a weak intern password.

Two SolarWinds CEOs, past and present, told the United States Congress on Friday that the now infamous exposure of the password “solarwinds123” was the result of an intern’s error in 2017. The new statements shed light on a lapse that has raised questions about the company’s cybersecurity for several months.

Five cybersecurity experts told Insider that they believe the problem has broader implications than an intern’s weak password. Among them is the researcher who discovered the problem, which involved login credentials for a server used for software updates. An email that appears to be from the SolarWinds security team to this researcher notes that the information was “publicly accessible” and that the company had addressed the “exposed credentials”.

The SolarWinds attackers used the company’s software updates to break into the computer networks of nine major US agencies and thousands of companies in a historic and sweeping supply chain attack. The attackers have not been identified, and legislators’ scrutiny of the password issue on Friday raised new questions about the Texas-based IT company’s own cybersecurity practices.

Former CEO Kevin Thompson and current CEO Sudhakar Ramakrishna testified before the House Oversight Committee, where they answered questions about the weak password, which was first widely reported in December.

“I have a stronger password than ‘solarwinds123’ to prevent my kids from watching YouTube a lot on their iPads,” Rep. Katie Porter of California said at the hearing. “You and your company should be preventing Russians from reading Defense Department emails.”

“I believe it was a password that an intern used on one of his servers in 2017, which was reported to our security team and was immediately removed,” Ramakrishna replied to Porter.

His predecessor gave a similar answer elsewhere in the testimony. “This is related to a mistake that an intern made, and they violated our password policies and posted that password to an internal location, on their own,” said Thompson. “As soon as it was identified and brought to the attention of my security team, they removed it.”

Cybersecurity experts, however, say the problem appears to have involved more than an intern’s error. SolarWinds, which has not previously commented on the password problem, did not immediately comment to Insider.

The username solarwinds.net and the password solarwinds123 could be seen in a project on the code-sharing site GitHub, according to the researcher who found the problem and screenshots reviewed by Insider. The researcher said that these credentials would grant access to a SolarWinds server that handles updates to the company’s software, the process at the heart of the SolarWinds supply chain attacks.

The publicly displayed username and password were still in use in November 2019, more than two years after Ramakrishna said the password was created, the researcher said. This suggests the problem went beyond a quickly corrected intern error and instead left critical credentials exposed for a long period – although there is no evidence as to whether the SolarWinds hackers took advantage of that exposure.

“They should have said it was open for two years,” Vinoth Kumar, the cybersecurity researcher who first discovered the problem, told Insider after Friday’s testimony. “It was public and gave access to a critical server.” An email apparently from the SolarWinds security team to Kumar, dated November 22, 2019, notes that “The incorrect configuration of the GitHub repository has been fixed and is no longer accessible to the public; treatment has also been applied to exposed credentials.”

[Image: the email a researcher says SolarWinds sent him about the exposed data he identified. Credit: Vinoth Kumar]

Insider asked four veteran cybersecurity experts to assess Kumar’s findings and compare them with the CEOs’ statements that the problem involved an intern’s password. All four said they believed the cybersecurity issues involved went well beyond what was discussed on Capitol Hill.

“This may have played a role in the attacks on the supply chain,” said Mike Hamilton, former chief information security officer for the city of Seattle and founder of CI Security. He believes the presence of the username and password on GitHub points to an automated process used by the company. “It is unlikely that all of this was the work of an intern,” he said.

Tony Cook, head of threat intelligence at GuidePoint Security and a former US Navy cybersecurity officer, said Kumar’s research “leads me to believe that this is a bigger problem than an intern’s password”.

And Etay Maor, senior director of security strategy at Cato Networks, said, “This was not internal,” despite what Thompson told Congress. “It’s on GitHub. It doesn’t take long for people to see it on the Internet. And what does it mean that they removed it? It was online.”

Porter, who wrote the password on a post-it note that she held up to the camera during Friday’s proceedings, told Insider that she was not surprised by the discrepancy between what the executives testified and what the experts said.

“Misrepresenting the facts to minimize the company’s role and responsibility for the hack is disappointing, but it is not surprising,” she said. “As I have been saying for the past two years, we need stronger federal oversight of internet companies, especially those that are vital to our national security and critical infrastructure. Rest assured, I will follow up.”
