The submitted title ("SolarWinds use the password 'solarwinds123' on their Update Servers") broke the site guidelines badly. Not only is it not the article title (which the site guidelines ask people to use except when it's misleading or baity), it's not even what the article actually says about that cherry-picked detail.
Titles are by far the biggest influence on threads. As a result of this title, this thread is a shallow, frothy rantfest.
The site guidelines say "Please use the original title, unless it is misleading or linkbait; don't editorialize." Cherry-picking a detail is editorializing, getting it wrong is misleading, and getting it wrong by making it more sensational is linkbait, for the trifecta.
Submitters: please don't do that. If you want to say what you think is important about an article, please do so in the comments. Then your view will be on a level playing field with everyone else's: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
>which the site guidelines ask people to use except when it's misleading or baity
Or too long and needs shortening. In these cases, what, if there is one, is the preferred way to shorten titles? Truncate or attempt to rewrite to shorten without editorializing?
Good question! (The limit is 80 chars.) The answer is to truncate, not rewrite. However, truncation isn't always natural. One shouldn't start abbreviating words, for example, that don't normally get abbreviated.
In cases where there isn't a natural way to truncate, a better option is to look at the HTML doc title, a subtitle, a heading, or sometimes even a photo caption, that say accurately and neutrally what the article is about. There's often also a sentence in the opening paragraph that can be used. Sometimes none of those exists, but you can find a representative phrase lurking in the article body. The key is that it be representative though, not cherry-picked. There's a bit of interpretation involved there, but you can nearly always pick out the general-overview phrase if one exists. They have a distinctive quality.
Rewriting should only be a last resort. When we edit titles, we always try to use representative language from the article rather than make up language ourselves.
Solarwinds was dumb, but this definitely was an advanced attacker who hit FireEye, DHS, and Treasury. They had ownership of over 18,000 Solarwinds servers and went after 10 or fewer orgs. When they did, the attacks they used were complex. It was very clearly a state-sponsored action and I don't understand why you would dismiss that.
OP’s first sentence says Solarwinds was dumb. If anything, isn’t that evidence of the attack requiring less sophistication than one that excludes all but well funded attackers?
It would be impossible for this to be the attack vector used.
While these credentials let you push things to the download servers, the actual malware was inserted much earlier during the build process before the code was signed.
This flaw is from a year ago and had nothing to do with the recent hack. The discourse in these posts that often involve a certain country tends to lean more towards people's political beliefs rather than anything actually being reported in the story.
Not OP, but pretty sure he’s saying that if you’re eg a CISO who’s naive enough to accept whatever argument is fed to you for why this is a “state sponsored attack” (implying that it’s not), then you may as well reduce your professional decision making to favoring whatever Gartner recommends in their “magic quadrant” marketing materials.
Remember that these individuals are usually hired and given responsibility based on their ability to game class signalling games; they exist to justify the status quo.
If the status quo were more justifiable, their actual job responsibilities to other people within the organization (conflict resolution, scheduling, resource allocation, and personnel management) are things that could be automated in a hot minute.
I don’t know about full automation, but I can confirm that in large f500 companies, Gartner holds a lot of weight. Most follow their recommendations. I’m guilty too of using that argument: “According to Gartner...” to give weight to my position when talking to C-level folks. I wish I didn’t have to, but lots of folks trust their recommendations.
"base your entire life out of the Gartner trade rag magic quadrants."
You just described the CIO of a billion dollar revenue NYSE traded company I was with briefly a few years back. The CIO had no degree and thought the Gartner organization could do no wrong, so they were his guide and trusted confidant. It was a nightmare, a total disaster. Everyone in IT there was so used to constant chaos that no one seemed to notice or mind. Yikes.
I know you’re joking, but leaving out honeypots to slow down enemy attackers is a valid strategy. Except you need to purposefully leave honeypots that don’t have anything valuable in them. They seemed to have misunderstood the strategy.
You'd be surprised how many engineers don't understand security.
A few years ago I complained to the DD-WRT developers that they need to serve up firmware images over HTTPS (they were serving them up over HTTP). Their images are not cryptographically signed and they didn't publish hashes, so at the very least they could try to secure the transport and use HTTPS. My request was rejected and they were confused as to why HTTPS was necessary as "it's not like we're doing online banking".
This is indefensible. However, Solarwinds isn't a security company. They build network monitoring/management tools and have a very telco feel. I'm honestly not surprised by this level of incompetence.
Their software allows network traffic to be monitored for some of the most important government agencies we have: the White House, the Pentagon, Treasury Dept, etc. They're not some retail company. Their tools provide a vector to attack extremely sensitive systems. Network monitoring and management is by definition supposed to be secure, especially for critical systems.
>Three people familiar with the investigation have told Reuters that Russia is a top suspect, although others familiar with the inquiry have said it is still too early to tell.
If this is the case, then why is Russia so definitively portrayed as the culprit in so many publications, currently?
This is annoying without knowing the sources. But APT behaviours are repeated, researched, investigated. This could be legitimately mapped to a specific group using details which relevant agencies don't want to make public. Not sure we can deal with it better than acknowledge this is someone's opinion and there's a chance they may have more information, but there's also chance they're playing games.
This seems very unlikely to me. Not only would the attacker need to know precise details about the exact methods and steps taken by a Russia-sponsored group, the attacker would also need to entirely suppress their own methods and approaches so that they are not identifiable as themselves.
Much easier to simply hide who you are by changing your compromise fingerprint than to try to impersonate someone else's compromise fingerprint.
If a technique is seen in this attack that has been seen in previous attacks which are now known to be by a Russia-sponsored group, that is very strong evidence that the same group is responsible. It is not proof, but it is strong evidence.
If you know what the investigators are looking for (say, after you hacked them), then it might not be that hard.
Given the fact that attribution is so difficult that we haven't seen any lawsuits yet, I'd imagine that entirely suppressing your own methods, if you know what the investigator is expecting from someone else as well as what the methods of others are, is feasible.
As Obama told Romney years ago, "the 80s called and are asking for their policy back!".
American media loves their heroes and villains narratives, and the characters change depending on what is convenient. Even if Russia was responsible, would you believe them after all the other times they cried wolf?
Seems to me that they have a `with good authority` hunch, but just need a few more pieces to make it a foolproof connection. With anything, unless they actively admit to it, or made a lot of mistakes, it's not really going anywhere. Does anything really happen to rogue nation Russia even if they are caught?
It's like getting a new, untrained puppy; it's one of those cases where you walk into a dark room the puppy was in for a little while. You can smell it, and you're more than likely correct about where it's coming from, you just can't see it, so you can't really prove, yet, that there is shit somewhere... until you turn the lights on.
Maybe because it is believed (or known, or anywhere in between) that they are presently actively doing things of this nature...
Attackers also leave breadcrumbs behind; fingerprints, in a way. Sometimes the actions taken are the fingerprint, sometimes the effort to cover up those actions is the fingerprint.
If I am an investigator and I see trademark actions or cleanup that I've seen before in a Russia-sponsored attack, it is not a huge leap to strongly suspect I am investigating a Russia-sponsored attack.
Because Russia was legitimately a culprit during the cold war, and many people who grew up during that period are susceptible to clickbait where Russia is, again, the bad guy. They were primed for it during their entire childhood, and then as adults with movies, video games, etc.
Additionally, that was a flaw from a year ago. Still incredibly stupid, but not really relevant to the recent hacks at all. This is being used to discredit the fact that investigators are pointing to "a" state actor for the source of these hacks.
>Additionally, that was a flaw from a year ago. Still incredibly stupid, but not really relevant to the recent hacks at all.
I'd argue that it's very relevant; if they were making such terrible decisions a year ago, what else did they do wrong between then and the hack? I am reluctant to assume that they didn't make other mistakes, given how obvious this password flub was.
Hanlon's Razor etc etc, but if I wanted to create an intentional security vulnerability and have plausible deniability, I would use stupidly simple passwords as well.
From the perspective of people who run real, serious monitoring systems for big ISP stuff, solarwinds has never been taken seriously. It's "monitoring" software for those persons who are entirely dependent on the Windows GUI.
What you're hearing is the sound of thousands of corporate IT security personnel realizing that, compared to these attackers, they have no idea what they are doing.
Using a bad password on one of your systems (a year ago) does not, in any way, preclude the possibility of being attacked in a sophisticated manner by a sophisticated attacker.
3. SolarWinds was just the vector; the actual payloads were targeted and advanced.
Their insecure password may be disappointing but it's not relevant to the much more important story about who used them to compromise very sophisticated targets.
That's actually the most secure password they could have chosen. Who'd suspect that a security company would use the simplest of passwords. Dumbasses wasting time trying to crack a secure password, hah! /s
>Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”
grep -e '[a-zA-Z]\{4,\}$' /etc/dictionaries-common/words | shuf | head -n 4
if for some reason you don't want to use a password manager's generator. There's some entropy lost by the fact that you're choosing without replacement but it's not the end of the world.
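The grep | shuf | head one-liner above, reworked as an added example (mine, not code from the thread or from any of the projects discussed): it applies the same "4+ letters" filter, draws the words with a CSPRNG, and quantifies the entropy lost by drawing without replacement, which is the caveat the comment raises. The embedded word list is a constructed stand-in for /etc/dictionaries-common/words; on a real box you would read that file instead. `load_wordlist`, `passphrase` and `entropy_bits` are names I chose for this example.

```python
"""Diceware-style passphrase generation with an entropy estimate.

Added example: mirrors
    grep -e '[a-zA-Z]\\{4,\\}$' /etc/dictionaries-common/words | shuf | head -n 4
and computes how many bits the result carries with and without replacement.
"""
import math
import re
import secrets

# Constructed stand-in for /etc/dictionaries-common/words (assumption: a real
# system would read that file). Deliberately tiny so the without-replacement
# entropy loss is visible in the numbers; real lists have ~10^5 entries.
SAMPLE_WORDS = """
a
an
ant
apple
banana
cherry
don't
Dog
elephant
fig
grape
honey
ice
kiwi
lemon
mango
nectarine
olive
papaya
quince
Tiger
""".split()

# Same character class and minimum length as the grep pattern; fullmatch is
# slightly stricter (whole line must be letters, so "don't" is dropped).
WORD_RE = re.compile(r"[A-Za-z]{4,}")


def load_wordlist(lines):
    """Keep 4+ letter words, case-fold, de-duplicate, return a sorted list."""
    words = {w.lower() for w in lines if WORD_RE.fullmatch(w)}
    return sorted(words)


def passphrase(words, k=4, with_replacement=False):
    """Draw k words with a CSPRNG.

    with_replacement=False reproduces `shuf | head -n k` (no repeated words);
    with_replacement=True is the classic Diceware roll, k independent picks.
    """
    rng = secrets.SystemRandom()
    if with_replacement:
        return [rng.choice(words) for _ in range(k)]
    return rng.sample(words, k)


def entropy_bits(n, k, with_replacement):
    """log2 of the number of equally likely ordered k-word phrases from n words."""
    if with_replacement:
        return k * math.log2(n)
    # Ordered draws without replacement: n * (n-1) * ... * (n-k+1)
    return sum(math.log2(n - i) for i in range(k))


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDS)
    print("words kept:", len(words))
    print("passphrase:", " ".join(passphrase(words)))
    for n in (len(words), 7776, 100_000):
        with_r = entropy_bits(n, 4, True)
        without_r = entropy_bits(n, 4, False)
        print(f"n={n:>6}: {with_r:6.2f} bits with replacement, "
              f"{without_r:6.2f} without, loss {with_r - without_r:.4f}")
```

For a 7776-word list and four words the loss from sampling without replacement is about 0.001 bits, so the comment's "not the end of the world" holds; for a list as small as the embedded one it is closer to 0.7 bits, which is why the size of the list matters more than the replacement rule.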
What are the good password practices for handling passwords that several people need to be able to use?
I have yet to be in an organization that hasn’t defaulted to something quite unwise simply because trying to maintain the institutional knowledge of that password is otherwise difficult.
> What are the good password practices for handling passwords that several people need to be able to use?
Mostly – don’t. Every user that has access to a system should have their own credentials. There’s no reason for an update server to be set up this way.
In their defense, gross negligence takes less time and money, and they probably won't suffer much from this incident, so it all still paid off on the bottom line, and now a whole lot more people know who they are. Free marketing! Bonuses all around!
I agree with the others that the right answer is don't. But if you are going to anyways a way to do it less idiotically is to use the 'static password' feature of a YubiKey. [0] That at least eliminates the desire to pick too simple of a password or to not change it on a regular basis for fear of having to memorize a new password. This doesn't protect against a malicious insider giving the password away but it makes it easy to use a strong (randomly generated) password.
> What are the good password practices for handling passwords that several people need to be able to use?
The answer is typically “never share accounts” and therefore never share passwords.
I wouldn’t be surprised if “do not share credentials” is explicitly stated in Solarwinds' internal security policies.
Beyond the challenge of sharing strong passwords, there’s also the (important from compliance perspective) issue of losing the ability to audit who took what action if multiple people use the same credentials.
Realistically you shouldn't, I work in auditing and there are very few use cases where sharing passwords is okay. But here are a couple of approaches.
- Using a password manager where there is audit logging that is reviewed and the access to the passwords is segregated to those who need it
- Using a privileged access monitoring tool such as CyberArk
- Simply creating separate named privileged accounts for each person to use is the best alternative
We've moved to identity + role based access control, but some older core pieces still used the shared password.
We simply have a portal that authenticated users can log into and see the current password, which is rotated monthly with a random selection from a series of dictionary words (which can occasionally produce giggleworthy combinations).
But as the sibling comment says; the right way is to get rid of it entirely.
Ours are rotated daily. If you don't have a key on you, you can "break glass" in a portal and get a temp password for 4 hours. We're in the process of phasing out service accounts.
If you can build a house with a door, you can put a decent lock on the door. If you can’t put a lock on the door or don’t understand why or how, you can’t really build a house.
The password to a twitter account, and the password to an update server which apparently allows you to pwn parts of seemingly every branch of the US government are not even remotely on the same scale.
These kinds of passwords are all over the place. Cisco uses a simple variation of c!sco123 for a lot of its managed gear, which is a documented default that doesn’t get changed.
First time I ever had to leave a comment surrounding the HN Guidelines, but "Please don't use Hacker News for political or ideological battle. It tramples curiosity."
Just today you wrote "[...] Russians, you're a fucking Trump supporter!"
HN is the best and I'm sure you agree. Please take it easy with these kinds of comments.
It tramples curiosity when no one questions why the Russians are blamed for everything which is intellectually dishonest. A few hackers isn’t indicative of the entire country. It’s almost starting to border on bigotry
Nobody is blaming Russian people, they’re blaming the Russian government. All large foreign powers engage in espionage of their rivals and have done so for literally millennia.