SolarWinds, the Security Consulting Company That Maybe Wasn’t Very Good at Security

Reuters, last week:

On Monday, SolarWinds confirmed that Orion - its flagship network management software - had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers. And while the number of affected organizations is thought to be much more modest, the hackers have already parlayed their access into consequential breaches at the U.S. Treasury and Department of Commerce. […]

In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, according to two researchers who separately had access to those forums. […] Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”

“This could have been done by any attacker, easily,” Kumar said.

Mistakes happen. That simple axiom is sometimes at the heart of seemingly stupid security breaches. But setting an important password to “companyname123” isn’t a mistake, it’s just malpractice. Like a doctor deciding to perform surgery using kitchen shears. And being warned about it and ignoring it? It’s hard to comprehend. So one thing I’ve been thinking about this SolarWinds company is that maybe they’re no good at security at all. That what they’re good at is just selling themselves to big corporate and government clients as being good at security. There are a lot of successful consulting companies — security-related or otherwise — who are no good at all on the actual consulting part, but are very good at the selling their services part, to clients who don’t know the difference between bullshit and expertise.

Here’s a report today from Ryan Gallagher at Bloomberg*, suggesting exactly that:

Thornton-Trump, as well as a former SolarWinds software engineer who talked to Bloomberg News, said that given the cybersecurity risks at the company, they viewed a major breach as inevitable. Their concerns about SolarWinds are shared by several cybersecurity researchers, who discovered what they described as glaring security lapses at the company, whose software was used in a suspected Russian hacking campaign.

“My belief is that from a security perspective, SolarWinds was an incredibly easy target to hack,” said Thornton-Trump, now the chief information security officer at threat intelligence firm Cyjax Ltd.

I’m not suggesting that SolarWinds might be a fraud in the way that buying an expensive “super secure” smartphone and getting a box containing a heavy rock inside instead of a phone is a fraud. More like buying a purportedly “super secure” smartphone and getting a crappy phone with confusing “security” software installed on it that really doesn’t do anything useful and may in fact be less secure.

* Don’t make me say it.

Monday, 21 December 2020