Breakfast Bytes Blogs

Paul McLellan
5 Jan 2021

The Biggest Security Breach Ever

Over the Christmas break, the biggest security breach ever came to light. It is assumed to have been instigated by a foreign state. As you know, my security go-to guy is Bruce Schneier. See for example my posts RSA: Bruce Schneier or Encryption: Why Backdoors Are a Bad Idea. When his book Applied Cryptography (the first edition) was published in 1994, I immediately bought a copy. In that era, "cryptography" was considered a "munition" by the US government and I fully expected attempts would be made to unpublish it.

SolarWinds

The latest breach is known mostly as SolarWinds. SolarWinds produces network management software called Orion that is used by...well, almost everyone. The attackers compromised SolarWinds' build process and inserted a backdoor into a legitimately signed Orion software update, so every customer who installed the update installed the backdoor too. You know how the operating system on your PC or Mac gets automatically updated. Your laptop (and phone) are vulnerable to exactly this type of attack if Microsoft's, Apple's, or Google's build and signing infrastructure gets compromised. It is a bit like robbing a bank by breaking into the lock manufacturer and cutting a skeleton key, so that you instantly have access to every bank that bought those locks.

The best piece I have read about the attack over the break is Bruce's article, which appears in, of all places, the British newspaper The Guardian. His piece is titled The US has suffered a massive cyberbreach. It's hard to overstate how bad it is. Let me quote a couple of paragraphs to give you an idea of how serious this is. Users of Orion include:

all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges.
...
It’s hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, there’s no indication that any classified networks were penetrated, although that could change easily.

It is also not restricted to the US; most closely allied countries are affected, too.

To make it worse, this backdoor had been shipping in Orion updates since March 2020, months before anyone noticed. It was not discovered until a security company called FireEye found that it had itself been compromised and traced the intrusion back to the trojanized Orion update during the subsequent investigation. So for months, a long list of companies and organizations were penetrated without knowing it.

The challenge now is what to do about it. In the first place, removing your network management software is not as simple as deleting an app from your phone. But worse, it is standard infiltration practice (I was going to say "bad guy" but the NSA is the biggest organization in the world doing this sort of thing) to add hooks so that even if the original infection is cleaned up, the hooks remain and let the attacker come back. It is also known that there are implants that survive a disk reformat, because they live in firmware rather than on disk. We know such tooling is in circulation, not just in the NSA's hands, because a cache of NSA exploits was stolen and then published; once published, everybody has it. There are implants that overwrite the BIOS (actually called UEFI these days) and implants that compromise the server's baseboard management controller, both of which run before the operating system and outside its view. As Bruce puts it, the only way "to ensure your network isn't compromised is to burn it to the ground and rebuild it".
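Since a firmware implant executes before the operating system, the practical check for "did the firmware change under me?" is a measured-boot comparison: the TPM records a hash of the firmware in PCR0 (and of the Secure Boot policy in PCR7) before the OS runs, so a modified UEFI image shows up as a changed PCR value even after every disk has been wiped. The script below is an added example, not code from the blog post, from SolarWinds, or from FireEye. It assumes the text output format of `tpm2_pcrread` from tpm2-tools (a bank header such as `sha256:` followed by `  <index> : 0x<digest>` lines); the digests in the sample data are constructed placeholders, not real measurements, and the golden baseline would in practice be captured from a known-good host after a trusted firmware build.

```python
"""Added example (not from the blog post or SolarWinds): detect a changed firmware /
boot chain by comparing a host's TPM PCR values against a recorded golden baseline.
A firmware (UEFI) implant runs before the OS, so it shows up as a changed PCR0/PCR7
even after the disks are wiped. Output format assumed from `tpm2_pcrread` (tpm2-tools)."""
import re

# PCRs that measure the pre-OS boot chain (PC Client platform profile):
#   0: platform firmware code, 1: firmware config, 2/3: option ROMs, 7: Secure Boot policy
FIRMWARE_PCRS = {0, 1, 2, 3, 7}

_BANK_HEADER = re.compile(r"^(\w+)\s*:\s*$")                     # e.g. "sha256:"
_PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")  # e.g. "  0 : 0xABCD..."


def parse_pcrread(text):
    """Parse `tpm2_pcrread` text into {(bank, index): hex_digest}."""
    bank, pcrs = None, {}
    for line in text.splitlines():
        hdr = _BANK_HEADER.match(line)
        if hdr:
            bank = hdr.group(1).lower()
            continue
        m = _PCR_LINE.match(line)
        if m and bank is not None:
            pcrs[(bank, int(m.group(1)))] = m.group(2).lower()
    return pcrs


def compare_pcrs(baseline, current, watch=FIRMWARE_PCRS):
    """Return [(bank, index, expected, actual)] for every watched PCR that differs
    from the baseline or is missing (actual is None) in the current read."""
    findings = []
    for (bank, idx), expected in sorted(baseline.items()):
        if idx not in watch:
            continue
        actual = current.get((bank, idx))
        if actual != expected:
            findings.append((bank, idx, expected, actual))
    return findings


def _fake_pcrread(values):
    """Build tpm2_pcrread-style output from {index: digest} (constructed data)."""
    return "sha256:\n" + "".join(f"  {i} : 0x{d}\n" for i, d in sorted(values.items()))


# Constructed sample data: digests are placeholders, not real measurements.
GOLDEN = {0: "0a" * 32, 1: "1b" * 32, 2: "2c" * 32, 3: "3d" * 32, 7: "7e" * 32, 11: "aa" * 32}
BASELINE_OUTPUT = _fake_pcrread(GOLDEN)
# Same host later: PCR0 (firmware code) changed; PCR11 (OS-controlled) changed as well,
# but PCR11 is not a firmware PCR and so is not reported.
CURRENT_OUTPUT = _fake_pcrread({**GOLDEN, 0: "ff" * 32, 11: "bb" * 32})


def audit(baseline_text, current_text):
    """Return the firmware-relevant PCR mismatches between two pcrread dumps."""
    return compare_pcrs(parse_pcrread(baseline_text), parse_pcrread(current_text))


if __name__ == "__main__":
    for bank, idx, exp, act in audit(BASELINE_OUTPUT, CURRENT_OUTPUT):
        shown = (act or "missing")[:12]
        print(f"PCR{idx} ({bank}) changed: baseline {exp[:12]}... now {shown}...")
```

Two caveats. A legitimate firmware update also changes PCR0, so a mismatch is a signal to investigate against your change records, not proof of compromise. And reading PCRs from inside a host you already suspect is weak, because a rooted OS can lie to you; the stronger form is a signed TPM quote (for example via `tpm2_quote`) checked by a separate attestation server, which is the same comparison done over values the host cannot forge.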

A Defensive Mindset

The big problem, which Bruce has been warning about for years, decades even, is that the US Government in general, but especially the FBI, the NSA, and politicians, doesn't seem to have a defensive mindset. They are constantly seeking to insert backdoors into things like WhatsApp or iPhone encryption, on the basis that only they will be able to use them. But that never remains true for long. The NSA has in the past weakened encryption standards and random number generators, and as far back as the 1990s was pushing the Clipper chip, an encryption chip for telephones whose keys were escrowed with the government. I was aware of some of that at the time since VLSI Technology was the manufacturer, so it was a big issue when the entire security industry pushed back and the scheme was eventually abandoned. The NSA's budget seems to go mainly on offense. In fact, as I mentioned above, even the NSA can't keep its own exploits secure. How long do you think an enormous database of backdoor keys would remain safe? Especially once local law enforcement starts to demand access to go after petty criminals, as they always do.

This breach is an indictment of the NSA's lack of a defensive mindset. It is an embarrassment that, despite being the largest and best-budgeted such organization in the world, the NSA failed to detect this intrusion, along with all those government organizations and most of the Fortune 500. The alternative, which after the Snowden revelations would not be surprising, is that the NSA did detect it, but decided to keep it for offensive use and didn't notify anyone.

Read the Whole Thing

If you have any interest in security, and the safety of your own communications, you should read Bruce's whole article. Once again it is The US has suffered a massive cyberbreach. It's hard to overstate how bad it is.

UPDATE: New York Times article from last weekend As Understanding of Russian Hacking Grows, So Does Alarm (may require a subscription).


Tags:
  • security |
  • solarwinds |
  • backdoor |