How will this even begin to be remediated (the broader hack that is coming to light right now)?
It seems like malicious actors had unrestricted access to almost every major computer system in the US Government, and now possibly Microsoft itself as well?
How are these people ever going to be able to trust any of this equipment ever again? This just seems unbelievably catastrophic.
Also, the rest of us use products they’ve designed to be basically unsecurable against them. The feudal model of security only works if the overlords are trustworthy and competent. We’ve known they aren’t trustworthy for a long time, but this shows the other side of the coin.
The idea is that security is hard and expensive, so we serfs surrender ourselves to feudal overlords (Google, Microsoft, Facebook) in exchange for protection.
This model has been bitterly fought since the beginning. Problem is the underdogs have never had the money, and governmental support to manufacture consent in the masses.
What are the alternatives? Surely we can't design our own systems from scratch and outdo FAANGs in terms of security, and any underdog trying to change the status quo will end becoming a feudal lord itself.
Remediation and recovery for most threats involves OS/app reinstallation, perhaps restoring from backups and images. However, if your threat is a sophisticated state actor based out of Russia, it's hard to rule out that they've got hooks in your server's firmware, that they've corrupted your backups as well, etc, etc.
One wonders how Russia could exploit the systems they've penetrated. Brick every gov't system on Jan 20th? Shut down SCADA systems? It's a cybersecurity nightmare.
> Remediation and recovery for most threats involves OS/app reinstallation
Except for all those SolarWinds admins arguing that doing a simple scan and infected binary removal is enough and then moving on and anything more is "overreacting"
I feel sorry for all these people who are stuck working with such inflexible risk assessment/ITIL processes who are now trying to justify not taking any action because "SolarWinds said everything is ok"
There's obviously a contemporary movement that all your systems should be rebuildable by code, which would make getting the systems back into a trusted state (assuming you trust other layers / your code) a lot easier.
Obviously this doesn't help if your data is already messed up, if firmwares are hacked, and if your code itself hasn't had the rigour to be trusted, but it's a hell of a lot better position than "scan, remove, forget".
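A concrete illustration of the "rebuildable by code" point, added here as an example and not taken from the thread or from any project it mentions: when the build pipeline emits a manifest of what it produced, a host can be compared against that manifest, which surfaces both files that differ from the build and files the build never produced at all, which is exactly what a "scan and remove known-bad binaries" pass does not do. The file trees and their contents below are constructed sample data; the firmware and data caveats above still apply, since this only covers what the build controls.

```python
import hashlib
import os
from typing import Dict, Set, Tuple

# Constructed sample data: the file tree a reproducible build emitted,
# keyed by path -> file contents. A real pipeline would ship only the
# hashes (the manifest), signed, alongside the artifact.
GOLDEN_BUILD: Dict[str, bytes] = {
    "/opt/app/bin/server": b"ELF\x7fgolden-server-build",
    "/opt/app/etc/config.yaml": b"listen: 0.0.0.0:8443\n",
    "/opt/app/lib/libcore.so": b"ELF\x7fgolden-libcore",
}

# Constructed sample data: what a running host actually contains.
# One library no longer matches the build, and an extra library exists
# that the build never produced.
LIVE_HOST: Dict[str, bytes] = {
    "/opt/app/bin/server": b"ELF\x7fgolden-server-build",
    "/opt/app/etc/config.yaml": b"listen: 0.0.0.0:8443\n",
    "/opt/app/lib/libcore.so": b"ELF\x7fsomething-else-entirely",
    "/opt/app/lib/helper.so": b"ELF\x7funknown-origin",
}


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map every path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def manifest_from_directory(root: str) -> Dict[str, str]:
    """Same as build_manifest, but walks a real directory tree on disk.

    Paths are recorded relative to root so the manifest can be compared
    against one produced in a different location (e.g. the build runner).
    """
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def diff_manifests(
    expected: Dict[str, str], actual: Dict[str, str]
) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (modified, unexpected, missing) paths relative to the build.

    modified:   present in both, but the content hash differs
    unexpected: present on the host, never produced by the build
    missing:    produced by the build, absent on the host
    """
    modified = {p for p in expected if p in actual and expected[p] != actual[p]}
    unexpected = set(actual) - set(expected)
    missing = set(expected) - set(actual)
    return modified, unexpected, missing


def is_in_trusted_state(golden: Dict[str, bytes], live: Dict[str, bytes]) -> bool:
    """A host is only trusted when it matches the build exactly.

    Any drift (including extra files) means rebuild, not spot-clean.
    """
    modified, unexpected, missing = diff_manifests(
        build_manifest(golden), build_manifest(live)
    )
    return not (modified or unexpected or missing)


if __name__ == "__main__":
    mod, unexp, miss = diff_manifests(build_manifest(GOLDEN_BUILD), build_manifest(LIVE_HOST))
    print("modified:  ", sorted(mod))
    print("unexpected:", sorted(unexp))
    print("missing:   ", sorted(miss))
    print("trusted:   ", is_in_trusted_state(GOLDEN_BUILD, LIVE_HOST))
```

The point of returning three sets rather than a single pass/fail is operational: a modified file tells you what to rebuild, an unexpected file tells you what to hand to forensics before the rebuild wipes it, and the trusted verdict stays strict so that "we removed the one bad binary" never counts as recovered.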
Am I confused about something? How is everybody not absolutely running around frantically ripping ethernet cables out of patch panels right now in every single one of these companies?
I mean...the smart controllers on the HVAC systems in these companies have to be replaced don't they? The smart locks, everything IoT, everything with a network interface in it at this point has to be assumed compromised. This seems like by far the worst cyber security incident of all time.
And my comment was also a nod to that prominent hack. The discussion back then revolved a lot around the idea that Target had done a really good job of hardening most of their network, but then allowed a smart HVAC controller onto it.
What seemed at the time like something minor (I believe it was a remote diagnostic device or something like that) is what the intruders used to gain access.
Your article seems to directly contradict the idea that any sort of IoT / "smart" device was involved:
> Fazio Mechanical Services just issued an official statement through a PR company, stating that its “data connection with Target was exclusively for electronic billing, contract submission and project management.”
We should all remember to read PR statements with the assumption they aim to be technically true but come with an intent to deceive. Because what you quoted is a weaselly statement, and it neatly avoids answering the underlying questions.
Namely: was that "exclusively" a contractual exclusion or a technically sound, enforceable exclusion? And on top of that, how was it secured? If the connection setup was breached, what was the maximum blast radius?
I'm sorry, but in this case I disagree. Whether the device was smart or not is irrelevant.
If there is a connected device in a supposedly otherwise secure network that allows traffic in or calls home, that device is an attack vector. Pure and simple. The only safe assumption is that such a thing is an insecure, unmaintainable black box that was put together by the cheapest fly-by-night contractor.
A "smart" device is worse, and guaranteed to be a dumpster fire. One should not be allowed anywhere near a secure network, regardless of its function. Printers, VoIP phones, climate control systems, ... they're all the same.
I know factories where they replaced every PC (complete hardware, not just software) and also loaded every PLC connected to the network fresh. Such things can happen.
> Am I confused about something? How is everybody not absolutely running around frantically ripping ethernet cables out of patch panels right now in every single one of these companies?
You mean everyone should have a panic attack? As deeply terrifying as this is, anyone giving in to panic would be unfit for their job. I assure you they are very scared, but huge companies have protocols to deal with situations like this.
Why do I have this really bad feeling that the dead man's switch is about to drop... based on what we know of the deployment / strategy, ‘they’ really might have every key to every castle. The only thing left to do is find out who hasn’t been affected by this.
Correct. It's been blindingly obvious for at least a decade that there is no such thing as computer security. Any computer that is connected in any way to the Internet should be considered at least semi-public. We get reminders of this weekly. Yet we continue to connect everything to the Internet. This is going to get a whole lot worse before it gets any better.
Incident response procedures exist to address this as does forensic analysis. But each org might fail at eradication (hardest phase of IR) and get reinfected. It is hard but doable imo
This is somewhat routine actually. Microsoft, and most other major tech companies, have been “hacked” many times.
Note that being hacked isn’t a binary state. What matters is what they were able to obtain. It could range from full compromise of the C-suite and domain admin, to phishing some marketing employee with no access to anything interesting. If anything, you should be afraid of companies who haven’t been hacked. It most likely means they’re either irrelevant, or they have been hacked and don’t know it yet.
This isn’t even the first time they’ve been hacked by Russians. It’s honestly not a big deal.
As someone who has been on the inside of these attacks, I’m just saying, what probably sounds earth shattering to most people is just a slightly more interesting Thursday for us. My expectations for security have been calibrated to be unfazed by yet another one. Honestly, it’s actually a little refreshing to see something slightly novel (although this isn’t actually that novel).
This is pretty obnoxious and doesn't belong on HN. Millions of people live there. If we are somehow able to leave our humanity behind, the practical fact is that would lead to widespread annihilation.
Now ask about all of the things opening source wouldn’t affect: beyond compilers, modern devices have a lot of software running in firmware which can alter data. Proving that every component involved in the process hasn’t been subverted is a massive undertaking.
It's obviously true that open source is not sufficient for good software quality, or even necessary, but it does correlate, especially for open source projects with many users.
I often read through the libraries I use in projects (if their source is available). And if I find errors or shortcomings I will write an issue about it.