SolarWinds: the more we learn, the worse it gets

In March 2020, Americans began to realize that the coronavirus was deadly and would be a real problem. What no American knew was that, at about the same time, the Russian government's hack of Orion, the proprietary network monitoring program from SolarWinds, was quietly undermining the security of major American government agencies and technology companies. There were no explosions or deaths, but it was American IT's Pearl Harbor.

Russia, we now know, used the backdoored SolarWinds update to gain a foothold in as many as 18,000 private and government networks. The data within those networks (user IDs, passwords, financial records and source code, among other things) should now be assumed to be in the hands of Russian intelligence.

The Russians may even have seen the crown jewels of the Microsoft software stack: Windows and Office. In a twist that would be funny if it weren't so serious, Microsoft says it's no big deal.

That's because Microsoft has "an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft." It is good that Microsoft is acknowledging that the open source approach is the right one for security, something I and other open source advocates have been saying for decades. But inner source is not the same as open source.

When attackers, not just Microsoft developers, can read proprietary code, the door opens for attacks. It is true, as Microsoft says, that its "threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk." But writing that assumption into a threat model is one thing. Having actually built and reviewed the code as if hostile eyes were on it is another.

For decades, one of the dumb assumptions behind proprietary software has been that "security through obscurity" works. Obscurity can help at the margins, and it can be used intelligently, but it is no substitute for code that stands up to review, and that is where proprietary code falls down. Even with the best will in the world, I doubt that Microsoft has undertaken the hard security code review needed to lock down its proprietary code. The almost weekly revelations of new Microsoft security flaws and fumbles leave me with little confidence in the security of its software.

Although President Donald Trump has brushed off the actions of Russian President Vladimir Putin's government, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the hacks pose a "grave risk" to U.S. governments at every level.

And it keeps getting worse. Over the Christmas holidays, CISA said that all U.S. government agencies must upgrade to Orion version 2020.2.1 HF2 by the end of the year. If they cannot, they must take those systems offline.

Why? Because yet another SolarWinds Orion vulnerability was being used to plant the Supernova web shell and the CosmicGale malware. This flaw, CVE-2020-10148, is an authentication bypass in the Orion API that lets an unauthenticated remote attacker execute API commands, and from there run code on the Orion server. Note that this is a separate hole from the trojanized update itself: installing the hotfix closes the API bypass, but it does nothing to clean up an installation that was already backdoored.
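The CISA instruction above reduces to a simple triage question for anyone running Orion: is each install at or above 2020.2.1 HF2, and if not, is it being upgraded or unplugged? The script below is an added example, not code from the article or from SolarWinds. It assumes Orion version strings look like "2020.2.1 HF2" or "2020.2.1HF2" (a dotted release plus an optional hotfix suffix), compares strictly numerically against the single version the article names, and treats anything it cannot parse as non-compliant, because an unknown build is not evidence of a patched one. The inventory at the bottom is constructed sample data.

```python
"""Flag Orion installations that have not reached the version CISA required."""
import re
from typing import Dict, List, Tuple

# Target named in the CISA guidance the article quotes.
REQUIRED_VERSION = "2020.2.1 HF2"

# Assumed format: dotted numeric release, optional "HF<n>" hotfix suffix,
# with or without a space ("2020.2.1 HF2", "2020.2.1HF2", "2020.2").
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Return ((major, minor, patch), hotfix); raise ValueError on junk."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    if len(nums) > 3:
        raise ValueError(f"too many version components: {text!r}")
    nums += [0] * (3 - len(nums))          # "2020.2" compares as 2020.2.0
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (nums[0], nums[1], nums[2]), hotfix


def is_compliant(text: str, required: str = REQUIRED_VERSION) -> bool:
    """True when `text` is at or above `required`: release first, hotfix second.

    Fail closed: a version that cannot be parsed counts as non-compliant.
    """
    try:
        have = parse_version(text)
    except ValueError:
        return False
    return have >= parse_version(required)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split hosts into 'ok' and 'upgrade_or_disconnect'; each list is sorted."""
    result: Dict[str, List[str]] = {"ok": [], "upgrade_or_disconnect": []}
    for host, version in inventory.items():
        bucket = "ok" if is_compliant(version) else "upgrade_or_disconnect"
        result[bucket].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "orion-dc1.example.internal": "2020.2.1 HF2",
    "orion-dc2.example.internal": "2020.2.1HF1",
    "orion-lab.example.internal": "2020.2",
    "orion-old.example.internal": "2019.4 HF5",
    "orion-unknown.example.internal": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '(none)'}")
```

Feed it whatever your asset inventory reports for the Orion web console and you get two lists: hosts that meet the version CISA named, and hosts that must be upgraded or taken off the network. Being on the "ok" list only means the API bypass is closed; it says nothing about whether the host was already backdoored by the trojanized update, which needs a separate investigation.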

I have an even better idea than updating Orion. Dump Orion. Throw it out now. And start investigating SolarWinds' mediocre security record.

As time goes on, more and more government agencies and companies turn out to have been hacked. These include the State Department; the Department of Homeland Security; the National Institutes of Health; the Pentagon; the Treasury Department; the Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration.

Everyone claims that nothing very important was exposed. But then, they would say that, wouldn't they?

Senator Mark Warner (D-Virginia), a senior member of the Senate Intelligence Committee, told the New York Times that the hack looked "much, much worse" than initially feared. "The size of it keeps expanding."

How much bigger will it get? We don't know. Personally, I assume that if my company had been using SolarWinds Orion during 2020, I was hacked.

It did not come with bombs like the attack on Pearl Harbor, but this attack on our national agencies and on Fortune 500 companies could be even more damaging to our national security and our commercial prosperity. Now we'll see whether American developers, system administrators and managers can rise to the occasion and rebuild their systems the way their grandparents did in the 1940s.
