[conspire] (forw) Re: Security breach at multiple Federal agencies via SolarWinds
Rick Moen
rick at linuxmafia.com
Thu Dec 17 17:23:58 PST 2020
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
Date: Thu, 17 Dec 2020 11:15:40 -0800
From: Rick Moen <rick at linuxmafia.com>
To: BerkeleyLUG <berkeleylug at googlegroups.com>
Subject: Re: Security breach at multiple Federal agencies via SolarWinds
Organization: If you lived here, you'd be $HOME already.

Quoting goossbears (acohen36 at gmail.com):

> Further thoughts and insights on this from Michael P, Rick M, Thomas L, and
> anyone else here?

I'll pass on my late-night posting to CABAL's mailing list. As an
additional comment, cybersecurity firm FireEye, cited below as one of
the victims of the software-chain infiltration, i.e., one of
SolarWinds's customers who bought and ran the trojaned Orion Platform
network-management software, was also a _key good guy_. FireEye
figured out that their retail copies of Orion were up to no good (had
briefly breached FireEye corporate security from inside the firm's own
networks) and alerted the Department of Homeland Security (and alerted
SolarWinds).

https://www.bloomberg.com/news/articles/2020-12-15/fireeye-stumbled-across-solarwinds-breach-while-probing-own-hack

My point is that Texas-based proprietary software company SolarWinds, Inc.
had been utterly clueless about having had their entire software
production chain taken over for months, and had to be informed of their
stunning incompetence and its catastrophic effects by a customer.

The phrase 'You had _one_ job!' comes to mind.

https://www.youtube.com/watch?v=zHCzlCoDBCI

One obvious lesson for Linux users is that it's a reminder that blithely
running some chump corporation's proprietary software exposes you to
risks that you would avoid if you said 'I'll pass' -- and that
code-signing can be just another way to go wrong with confidence...
as three million users of Google Chrome and Microsoft Edge are finding
out:

https://arstechnica.com/information-technology/2020/12/up-to-3-million-devices-infected-by-malware-laced-chrome-and-edge-add-ons/

"How could the Vimeo Video Downloader extension have been unsafe? It was
signed by the [Google|Microsoft] online store!"

I suspect I'll write about the latter story on CABAL's mailing list.

[snip forwarded copy of my upthread Conspire post, that was underneath]