by Bethann Rome
Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password "solarwinds123".
Cybersecurity experts are examining – and puzzling over – what some are calling the most extensive and damaging breach of all time. The SolarWinds Breach may deserve that title, because the target was the biggest fish in the sea – the United States government, along with many of the big tech companies – including Microsoft and Google – thrown in for good measure. Weeks later, the investigation continues to identify more victims.
If an understanding of the mechanisms of the breach can lead to an effective means of stopping such exploits in the future, then the SolarWinds Breach might be the "greatest of all time", as Muhammad Ali used to say. But, if we can’t learn how to stop it, then it will simply prove to be the most infamous (so far) in a dangerous progression toward a new kind of warfare.
Is that message too strong for your morning coffee?
Experts differ on how the attack took place, and specifically, they cast doubt on the claim that "solarwinds123" was the point of entry. They may be right. Still – it’s a warning. Hackers got in, where they should not have. Hackers are nearly always described as "breaking in" to systems. That implies they have some clever, sophisticated method of entering a system – one that doesn’t attract any attention and looks completely normal to all the surveillance systems that operate to protect the network. Actually, there is a way to do that, but it’s not all that sophisticated.
In action movies, a brilliant and attractive individual (a scientist!) discovers what amounts to a secret backdoor and enters the system that way. In a comedy, the plot is different: the crook – dressed, of course, like a ninja – waits in the bushes while a well-dressed party goer gets out of his car and heads for the door. Before he can reach the door, the crook leaps out of the bushes, knocks the party goer out cold, drags him back into the bushes, dons the unconscious guy’s clothes – which always fit him perfectly – and strolls into the party. The real-life scenario is even simpler: the SolarWinds crook(s) may have entered simply by walking in the front door – by discovering and using valid credentials – because that is the fastest, easiest and utterly unsuspicious way of doing it.
More than 80% of all data breaches start that way.
The methods of grabbing the valid credentials don’t require knocking someone out. No – people often simply hand them over. Here are some of the ways:
- They write them down, and the document, notebook, PC, or phone is "lost."
- They choose a password that is easy to remember: a word, a team, a bunch of characters all in a row on the keyboard, a birthdate or anniversary ... easy to remember, easy to guess.
- They use the same password, or a variation of it, in several places.
- They "change" their passwords in predictable ways: "solarwinds456".
- They share passwords with colleagues – and there are plenty of reasons why people who would NEVER share a toothbrush would share a password. Here’s just one: the company we work for doesn’t have enough licenses for everyone to have their own account, so we share.
- They click on a link, or respond to one of the many forms of phishing attacks.
There are other ways of obtaining valid credentials, such as guessing, dictionary attacks, brute force attacks, purchasing lists of usernames and credentials collected from earlier breaches, and so on. Even more worrisome, many of these exploits are also capable of bypassing common forms of multifactor authentication. The point is this: once the attacker has the credentials – the tuxedo, in our movie scenario – he can impersonate the user and enter, unchallenged.
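The habits in the list above (keyboard runs, memorable words, dates, and "solarwinds123" becoming "solarwinds456") are exactly what guessing and dictionary attacks are tuned for, so the defensive counterpart is a password-change check that refuses them before they reach the account. The following is an added example written for this article; it is not code from the author, from SolarWinds, or from TickStream, and its ten-entry `COMMON_WORDS` list is a constructed stand-in for the breached-password corpus a real deployment would load. The `stem()` idea generalizes the article's one example: it strips the digits and symbols people bolt onto the ends and undoes leetspeak, so "Sol4rwinds2021!" is recognized as the same password as "solarwinds123".

```python
import re

# Constructed sample of common words and product names. A real deployment
# would load a breached-password corpus instead of this short list.
COMMON_WORDS = ("password", "solarwinds", "welcome", "admin", "letmein",
                "summer", "winter", "yankees", "football", "qwerty")

# Sequences people remember by position on the keyboard, not by content.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
DIGIT_ROW = "0123456789"

# Letter-for-symbol substitutions that cracking wordlists already undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lower-case and undo common leetspeak substitutions."""
    return pw.lower().translate(LEET)


def _has_run(text, row, min_len):
    """True if any min_len-long slice of `row` (or its reverse) occurs in text."""
    for i in range(len(row) - min_len + 1):
        seg = row[i:i + min_len]
        if seg in text or seg[::-1] in text:
            return True
    return False


def has_keyboard_run(pw):
    """Flag 'asdf'-style letter walks and '123'-style digit runs."""
    s = pw.lower()
    return any(_has_run(s, row, 4) for row in KEYBOARD_ROWS) or _has_run(s, DIGIT_ROW, 3)


def contains_common_word(pw):
    """Return the first dictionary word found in the raw or de-leeted password."""
    candidates = (pw.lower(), normalize(pw))
    for word in COMMON_WORDS:
        if any(word in c for c in candidates):
            return word
    return None


def contains_year(pw):
    """Birthdates and anniversaries usually leave a 19xx/20xx year behind."""
    return re.search(r"(?:19|20)\d\d", pw) is not None


def stem(pw):
    """Drop the digits/symbols bolted onto either end, then undo leetspeak.

    'solarwinds123', 'solarwinds456' and 'Sol4rwinds2021!' all stem to 'solarwinds'.
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_change(new_pw, old_pw):
    """A new password whose stem is within two edits of the old stem is a 'change' in name only."""
    if old_pw is None:
        return False
    a, b = stem(new_pw), stem(old_pw)
    if not a or not b:  # all-digit/symbol passwords have no stem; compare whole strings
        a, b = normalize(new_pw), normalize(old_pw)
    return edit_distance(a, b) <= 2


def assess(new_pw, old_pw=None, min_length=12):
    """Return the list of reasons a proposed password is guessable (empty list = no finding)."""
    reasons = []
    if len(new_pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    word = contains_common_word(new_pw)
    if word:
        reasons.append(f"built on the common word '{word}'")
    if has_keyboard_run(new_pw):
        reasons.append("contains a keyboard or digit run")
    if contains_year(new_pw):
        reasons.append("contains a year")
    if is_predictable_change(new_pw, old_pw):
        reasons.append("is a predictable variation of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: the article's own example and a few variants.
    for old, new in [(None, "solarwinds123"), ("solarwinds123", "solarwinds456"),
                     ("solarwinds123", "Sol4rwinds2021!"), (None, "correct-horse-battery-staple")]:
        print(f"{new!r}: {assess(new, old) or 'no findings'}")
```

Run stand-alone, the script reports findings for the three SolarWinds-style passwords and none for the long passphrase. The check is deliberately lenient on what counts as "the same" password: comparing stems rather than full strings is what catches the "123" to "456" rotation that a plain history check would wave through, and the edit-distance fallback catches single-character tweaks the stem alone would miss.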
That is, assuming the tuxedo fits. Imagine, though, that the tuxedo is magic – and it shrinks down to a handkerchief whenever it is removed from the true wearer. Or, if you like, the glass slipper only fits Cinderella.
TickStream is the "magic" (actually, it is math, but that’s another story) that is applied to fortify passwords and stop cybercriminals from impersonating you. The credentials work only when you type them. In the crook’s hands, the slipper doesn’t fit ... and the exploit blows away.
You can learn more about password attacks and see TickStream at work, for yourself, from one of the best in the business. Register for security expert Roger Grimes’ free webcast: Unhacking Password Attacks with Roger Grimes.