
Thread: SolarWinds hack

  1. #51
    Join Date
    Feb 2007
    Location
    righthere/rightnow
    Posts
    3,231
    I'm surprised there is not some sort of audit log like what Wikipedia and Google Docs uses.
    How could a company of this size not have some sort of user log for their code editor?

  2. #52
    Join Date
    Sep 2001
    Location
    Before
    Posts
    28,769
    Quote Originally Posted by mud View Post
    I'm surprised there is not some sort of audit log like what Wikipedia and Google Docs uses.
    How could a company of this size not have some sort of user log for their code editor?
    Normally, that's tracked by source control, which is likely GIT.
    What hasn't been established is whether the hackers got access to the GIT repository or managed to bypass that and directly hack the server on which the root source lay.
    Merde De Glace On the Freak When Ski
    >>>200 cm Black Bamboo Sidewalled DPS Lotus 120 : Best Skis Ever <<<

  3. #53
    Join Date
    Sep 2006
    Posts
    8,686
    Damn, some people need to lose their jobs.

    https://www.cnn.com/2020/12/23/polit...ery/index.html

    No idea what moving laterally means in the context of computer hacking. But assume it just means moving around within different files that store more sensitive data, like nuclear launch codes and such.

    FireEye was tipped off to the hackers' presence when they attempted to move laterally within the firm's network, according to the sources, a move that suggested the hackers were targeting sensitive data beyond email addresses or business records. Whether that exposure was the result of a mistake by the attackers or because they took a calculated risk remains unclear, the sources said.
    "At some point, you have to risk some level of exposure when you're going laterally to get after the things that you really want to get. And you're going to take calculated risks as an attacker," one source familiar with the investigation said.
    "We don't beat the reaper by living longer, we beat the reaper by living well and living fully." - Randy Pausch

  4. #54
    Join Date
    Sep 2001
    Location
    Before
    Posts
    28,769
    FWIW, this hack is much, much different than previous efforts in which existing code or administrative credentials are exploited.

    When dealing with code databases, there are literally terabytes of code and no one person can even read it, let alone understand it all.

    Right now, it's unclear how the hackers placed their code in the source tree, but it's not something people normally look for, particularly when code reviews are based on objectives within the organization. The problem here is that the code was injected outside of all the ongoing efforts within the company.

    I just don't like blaming people, I'd rather try to identify the loopholes in the constructs.
    Merde De Glace On the Freak When Ski
    >>>200 cm Black Bamboo Sidewalled DPS Lotus 120 : Best Skis Ever <<<

  5. #55
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,410
    Change the para-diggum.

  6. #56
    Join Date
    Dec 2003
    Location
    Nhampshire
    Posts
    7,873
    Also, just as likely they used some contractor creds and someone was asleep at the wheel on code reviews of pull requests since that stuff is usually scripted. They'd just have to ape the script for the first third and it's doubtful anyone would dig if it doesn't trip any static code analysis vulnerability alerts.

  7. #57
    Join Date
    May 2018
    Location
    NorCal
    Posts
    852
    Quote Originally Posted by Toadman View Post

    No idea what moving laterally means in the context of computer hacking. But assume it just means moving around within different files that store more sensitive data, like nuclear launch codes and such.
    "Moving laterally" is jumping around a network in which you have already gained access. Say "Server A" has super sensitive information and is blocked off from the outside world, with the exception of "Server B". If "Server B" is improperly secured, then a hacker can get to "Server B" and use the one open access point to "Server A". In the real world this is generally lots of hops between systems allowing a hacker to get access to "very well secured" systems that they could not get directly into. "Very well" secured systems is in quotes because it is security 101 to defend against these types of hacks with segmented access controls.

    In skiing terms, imagine they only check for lift tickets at the bottom lifts. If you managed to get to the upper mountain without a lift ticket, you can jump around between all those lifts without getting caught.
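    An added example (not code from any poster in this thread) that makes the Server A / Server B explanation concrete from the defender's side: given a constructed firewall policy, it enumerates every multi-hop path from the internet to the sensitive server, lists the intermediate hosts to review, and shows that a segmented policy leaves no such path. All host names and rules below are constructed for illustration.

```python
from collections import deque

# Constructed sample policy: each tuple is an allowed (source, destination)
# connection. "internet" is the outside world; "server_a" holds the sensitive
# data and, as in the post, is only reachable from "server_b".
WEAK_POLICY = {
    ("internet", "web"),
    ("web", "server_b"),
    ("server_b", "server_a"),
    ("server_b", "web"),       # a cycle, to show the search terminates on loops
}

# Segmented policy: server_a only accepts connections from an admin VLAN that
# nothing internet-facing can reach, so there is no chain of hops to it.
SEGMENTED_POLICY = {
    ("internet", "web"),
    ("web", "server_b"),
    ("admin_vlan", "server_a"),
    ("admin_vlan", "server_b"),
}


def attack_paths(policy, start, target):
    """Return every simple path of allowed hops from start to target (BFS)."""
    adjacency = {}
    for src, dst in policy:
        adjacency.setdefault(src, set()).add(dst)
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            paths.append(path)
            continue
        for nxt in sorted(adjacency.get(node, ())):
            if nxt not in path:        # simple paths only, so cycles cannot loop forever
                queue.append(path + [nxt])
    return paths


def exposed_via(policy, target):
    """Intermediate hosts on any internet-to-target path: the ones to harden first."""
    hops = attack_paths(policy, "internet", target)
    return sorted({host for path in hops for host in path[1:-1]})
```

Run against a real policy export, every host returned by `exposed_via` is a place where the "lift ticket" check is missing.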

  8. #58
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,410
    My wife likes to dream up conspiracy theories as a hobby. What if the "discovery" of the hack was intentional so that when Donnie starts selling secrets, he can blame any data compromises on the hackers? She doesn't believe the stuff she comes up with, it's just a fun mental exercise over our morning hot beverages.

  9. #59
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,410
    Quote Originally Posted by davjr96 View Post
    "Moving laterally" is jumping around a network in which you have already gained access. Say "Server A" has super sensitive information and is blocked off from the outside world, with the exception of "Server B". If "Server B" is improperly secured, then a hacker can get to "Server B" and use the one open access point to "Server A". In the real world this is generally lots of hops between systems allowing a hacker to get access to "very well secured" systems that they could not get directly into. "Very well" secured systems is in quotes because it is security 101 to defend against these types of hacks with segmented access controls.

    In skiing terms, imagine they only check for lift tickets at the bottom lifts. If you managed to get to the upper mountain without a lift ticket, you can jump around between all those lifts without getting caught.
    There are mountains that don't check tickets at every lift?

  10. #60
    Join Date
    Jun 2020
    Location
    in a freezer in Italy
    Posts
    7,906
    There used to be, at least. Solitude was that way, and I've been other places like that.

  11. #61
    Join Date
    Dec 2003
    Location
    Nhampshire
    Posts
    7,873
    Quote Originally Posted by riser3 View Post
    My wife likes to dream up conspiracy theories as a hobby. What if the "discovery" of the hack was intentional so that when Donnie starts selling secrets, he can blame any data compromises on the hackers? She doesn't believe the stuff she comes up with, it's just a fun mental exercise over our morning hot beverages.
    For those that don't work in technology: it's rare that stuff like this is a conspiracy, as so much shit is broken/badly configured/poorly built.
    That anything works at all is a small miracle.

  12. #62
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,410
    Quote Originally Posted by ötzi View Post
    There used to be, at least. Solitude was that way, and I've been other places like that.
    Weird.

  13. #63
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,410
    Quote Originally Posted by schuss View Post
    For those that don't work in technology: it's rare that stuff like this is a conspiracy, as so much shit is broken/badly configured/poorly built.
    That anything works at all is a small miracle.
    Heh. I've seen it first-hand.

  14. #64
    Join Date
    Nov 2008
    Posts
    1,486
    Quote Originally Posted by riser3 View Post
    There are mountains that don't check tickets at every lift?
    JHole still doesn't as far as I know

  15. #65
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,875
    Quote Originally Posted by davjr96 View Post
    "Moving laterally" is jumping around a network in which you have already gained access. Say "Server A" has super sensitive information and is blocked off from the outside world, with the exception of "Server B". If "Server B" is improperly secured, then a hacker can get to "Server B" and use the one open access point to "Server A". In the real world this is generally lots of hops between systems allowing a hacker to get access to "very well secured" systems that they could not get directly into. "Very well" secured systems is in quotes because it is security 101 to defend against these types of hacks with segmented access controls.

    In skiing terms, imagine they only check for lift tickets at the bottom lifts. If you managed to get to the upper mountain without a lift ticket, you can jump around between all those lifts without getting caught.
    Great analogy, getting past the first server device security "gate" and then being able to use the trusted network once you are behind the first device.

  16. #66
    Join Date
    Dec 2016
    Location
    In a van... down by the river
    Posts
    15,158
    Quote Originally Posted by riser3 View Post
    Weird.
    Pretty much every mountain "out west" that has upper mountain lifts, IME, doesn't check lift passes on the upper mountain.

  17. #67
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,410
    Quote Originally Posted by skaredshtles View Post
    Pretty much every mountain "out west" that has upper mountain lifts, IME, doesn't check lift passes on the upper mountain.
    That would explain things. I am from "back east".

  18. #68
    Join Date
    Jun 2020
    Location
    in a freezer in Italy
    Posts
    7,906
    Quote Originally Posted by skaredshtles View Post
    Pretty much every mountain "out west" that has upper mountain lifts, IME, doesn't check lift passes on the upper mountain.
    Now that they have lift tickets that can be scanned this has changed a lot; they put the readers at every lift in a lot of places.

  19. #69
    Join Date
    Sep 2001
    Location
    Before
    Posts
    28,769
    I've read that there's 2 hacks: one a signed binary and one not.
    So not only has someone hacked their source and build processes, but the release process as well.

    I haven't read much about the unsigned binary.
    Merde De Glace On the Freak When Ski
    >>>200 cm Black Bamboo Sidewalled DPS Lotus 120 : Best Skis Ever <<<
