2021-01-19

SolarWinds, the Security Consulting Company That Maybe Wasn’t Very Good at Security


Reuters, last week:

On Monday, SolarWinds confirmed that Orion – its flagship network
management software – had served as the unwitting conduit for a
sprawling international cyberespionage operation. The hackers
inserted malicious code into Orion software updates pushed out to
nearly 18,000 customers. And while the number of affected
organizations is thought to be much more modest, the hackers have
already parlayed their access into consequential breaches at the
U.S. Treasury and Department of Commerce. […]

In one previously unreported issue, multiple criminals have
offered to sell access to SolarWinds’ computers through
underground forums, according to two researchers who separately
had access to those forums. […] Security researcher Vinoth Kumar
told Reuters that, last year, he alerted the company that anyone
could access SolarWinds’ update server by using the password
“solarwinds123”

“This could have been done by any attacker, easily,” Kumar said.

Mistakes happen. That simple axiom is sometimes at the heart of seemingly stupid security breaches. But setting an important password to “companyname123” isn’t a mistake, it’s just malpractice. Like a doctor deciding to perform surgery using kitchen shears. And being warned about it and ignoring it? It’s hard to comprehend. So one thing I’ve been thinking about this SolarWinds company is that maybe they’re no good at security at all. That what they’re good at is just selling themselves to big corporate and government clients as being good at security. There are a lot of successful consulting companies — security-related or otherwise — who are no good at all on the actual consulting part, but are very good at the selling their services part, to clients who don’t know the difference between bullshit and expertise.
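A defender's policy check for exactly the kind of password the post is talking about, added here as an example (it is not code from the post, from Reuters or from SolarWinds): it rejects any password that is an organisation or product name, even written in leetspeak, padded only with digits and punctuation. The term list and the sample passwords are constructed; "solarwinds123" is the one quoted by Reuters above.

```python
import re
import unicodedata

# Constructed list of terms a password may not be built from: the company
# named in the post plus placeholder product/brand names an organisation
# would fill in for itself.
ORG_TERMS = ["solarwinds", "orion", "examplecorp"]

# One-to-one "leetspeak" substitutions, so that s0larw1nds still matches.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits, punctuation and underscores: the "123" padding that adds no secrecy.
PADDING_ONLY = re.compile(r"[\W\d_]*")

def fold(password: str) -> str:
    """Lower-case and strip accents so 'SólarWinds' compares as 'solarwinds'."""
    decomposed = unicodedata.normalize("NFKD", password)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def is_org_derived(password: str, terms=ORG_TERMS) -> bool:
    """True if the password is an org term (optionally leetspeak) plus only padding."""
    plain = fold(password)
    leet = plain.translate(LEET)  # same length as plain: 1:1 mapping
    for term in terms:
        idx = leet.find(term)
        if idx == -1:
            continue
        # Everything around the matched term, taken from the un-leeted text so
        # digits in the padding (e.g. "2020") are not mistaken for letters.
        padding = plain[:idx] + plain[idx + len(term):]
        if PADDING_ONLY.fullmatch(padding):
            return True
    return False

def evaluate(password: str, terms=ORG_TERMS, min_len: int = 14) -> list:
    """Return the policy failures for a password; an empty list means it passes."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if is_org_derived(password, terms):
        failures.append("organisation or product name plus trivial padding")
    return failures

if __name__ == "__main__":
    # Constructed sample passwords run through the policy.
    for pw in ["solarwinds123", "S0larW1nds!2020", "Orion_2021", "gr4vity-harbour-moss-7hq"]:
        print(f"{pw!r}: {evaluate(pw) or 'ok'}")
```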

Here’s a report today from Ryan Gallagher at Bloomberg*, suggesting exactly that:

Thornton-Trump, as well as a former SolarWinds software engineer
who talked to Bloomberg News, said that given the cybersecurity
risks at the company, they viewed a major breach as inevitable.
Their concerns about SolarWinds are shared by several
cybersecurity researchers, who discovered what they described as
glaring security lapses at the company, whose software was used in
a suspected Russian hacking campaign.

“My belief is that from a security perspective, SolarWinds was an
incredibly easy target to hack,” said Thornton-Trump, now the
chief information security officer at threat intelligence firm
Cyjax Ltd.

I’m not suggesting that SolarWinds might be a fraud in the way that buying an expensive “super secure” smartphone and getting a box containing a heavy rock inside instead of a phone is a fraud. More like buying a purportedly “super secure” smartphone and getting a crappy phone with confusing “security” software installed on it that really doesn’t do anything useful and may in fact be less secure.

* Don’t make me say it.