The Russians did it? Truth is I’m not surprised.
Was US computer security found lacking?
Oh yeah, big time, and the more I read about it, the outcry from the US security machinery reads like someone is trying to cover their butt BIG TIME by deflecting blame.
The biggest smile for me was this snippet in the Guardian.
‘The only reason we know about this breach is that the security company FireEye discovered it had been hacked and alerted the US government. We shouldn’t have to rely on a private company to alert us of a major nation-state attack.’
How surprising, a private company has BETTER security in place than the state!
SolarWinds (using Orion Code), with over 300,000 customers world-wide.
[Which included a number of state establishments]
Sometime before March, hackers working for the Russian SVR – previously known as the KGB – hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123”.)
March? 9 months ago and all this bleating about the attack was actually caused by a hardware / software installer and probably a network manager (or 10) who did the initial installation of a server but didn’t think to change a password?
Still, I think the US should nuke the Russians. (Not)
Only let’s put this into context.
- 2018- An attack on Facebook has exposed personal information of 50 million users, according to the social network.
- 2018- Quora 100 million accounts
- 2019- Capital One data breach: Details of 100 million customers exposed in massive hack. Some 140,000 social security numbers obtained, says bank.
- 2019- Dubsmash had the highest number of user accounts, 162 million to be precise, that were exposed in the hack, followed by MyFitnessPal, which had 151 million account details leaked.
Look people. What is being screamed about happens almost on a daily basis, only it seldom hits the media. Mostly it’s all about lax security and poor practices and that is a problem that is endemic in the computer industry.
So was this sinister? Could be.
Is this malicious? Not really but could turn out REALLY bad.
So what was it? Espionage.
Do I condone it? No way!
Is it illegal? Actually no (sort of).
Russia was just doing what everyone does, espionage i.e. spying on each other all the time. I mean the US spy, hack, intercept, divert, and spoof the planet. OR is the US above all that? The UK certainly isn’t.
So why am I speaking like this?
I used to work in a College / University on their network support team and the 41 servers were under attack by a small team of hackers on a daily basis.
Whose fault was that? Where to start.
- Commercial Server Software probably (A gift for most hackers is that).
- End users’ suite of software. I’ll bet mostly Microsoft but there may be a little UNIX / and clone programs like Ubuntu. Bottom line? That list will be short, and the shorter the list, the easier it is for hackers to find vulnerabilities.
- Users i.e. staff. WHAT! Yep! From the lowly cleaner putting in an order for toilet rolls on their terminal, to way up the food chain to the Gods of whatever.
The higher rank they are, and the lower they are paid, the less the operators seem to care about security.
It always makes me laugh why the gurus of computer security don’t gather together and stop this insane rush to integrate everything through the Internet.
At best it is stupid, and at worst an invitation to your enemies, both foreign and domestic agents, and the criminal element, to poke around, usually with impunity, steal and read your most sensitive material.
Yet, in the UK, and I have no reason to think we are alone, EVERYTHING is done by computers that are interlinked and at some point cross public networks.
To that I’ll add there are only a few common sets of industry standard network and Internet communications packages in use and RARELY will you find someone working exclusively from code (a program) they write from scratch. Even then, how that information is transmitted across the Internet is also rarely encrypted to any depth and, if it is, it’s usually done using a commercial package.
So who are the fools now?
When I was first introduced to computers they had metal cases and no graphics let alone colour. Games for us were what we wrote and the biggest one everyone was playing was Kong.
Even at that time we all realized that computers everywhere would end up networked and nothing would ever be 100% secure again, and since 1974 all that has happened is things regarding security have got worse.
As for who to blame? Will the software scribes, computer designers, big business, bean counters, State departments, Government, and Military, please look in a mirror. That way y’all get a look at the guilty.
So what to do about the Russians?
Personally I would write them a letter of thanks for exposing the inadequacy of the US computer security. Then scrap everything and start again using PRIVATE networking, point to point (peer to peer) connections without going ANYWHERE near a public transmission media for secure installations. Only no one will.
You foolish children in charge never learn from your mistakes.
p.s. In case you are wondering, we did catch the hackers.
We put up covert CCTV (illegally) in public places to capture their faces.
That and installed keystroke capture software (which we borrowed from a hacker) to record exactly what they typed.
What happened then? NOTHING.
Why? One of the hackers’ fathers was a large financial contributor to the university. As the university board couldn’t expel the others without including this well-connected individual, the whole ‘matter’ was dropped.
Rather like what will happen to the guy(s) who didn’t do their job right in Orion regarding its security and SolarWinds for an operational error, or the rest of the list of the guilty listed above.
After all ‘good’ help is hard to find. Even today.
And it was the Russians after all.