The Intern Did It!

The intern did it! Solarwinds’ new CEO just added another top contender to the pantheon of bad excuses. This one is right up there with “the dog ate my homework” and is destined to become an instant classic.

Testifying before a U.S. Congressional Committee, Solarwinds came out looking like bungling amateurs. First, they had a system that allowed a password like solarwinds123. Second, they had an externally accessible system where that password worked. Third, they didn’t do anything about it when security researchers pointed it out. Fourth, they tried to pin the blame on an intern who created that password.

As a CIO, you can either isolate your public-facing systems completely from the internal ones and allow username/password access, or you can require two-factor authentication or other additional controls. The time when you could secure a non-trivial, externally-facing system with just a username and password is long gone.

Who is Listening?

Clubhouse is apparently fairly leaky. It bills itself as an exclusive new form of social media and is iPhone-only and invitation-only. However, that doesn’t mean others can’t listen in. A hacker just proved as much by accessing several supposedly private audio streams. Additionally, all of their back-end infrastructure is located in China, letting Chinese authorities listen in as well.

There are very few services that are actually secure. We used to assume that our conversations are private, but that assumption rarely holds. A US school board was bad-mouthing parents on a Zoom call they thought was private, but the recording was public. They have now all resigned.

If you have confidential information that will be valuable to an adversary, talk about it in a meeting room in the office. And leave your phones outside.

Hackers Almost Poisoned our Water Supply

What would be a truly scary computer intrusion? It would have to be something potentially lethal and something we weren’t expecting. Like hackers poisoning our water supply. But the water supply is highly secured, you say? Couldn’t happen, you say? Think again. It just did.

In a US city, hackers turned up the amount of sodium hydroxide that is added to the water. Adding a little is part of normal procedures, but the hackers turned it up to dangerous levels. Fortunately, operators immediately noticed, and countermanded the order.

As in almost all disasters and near-disasters, there is a long chain of events that has to go wrong for the problem to occur. For example, you would have to be running an unsupported old Windows 7 installation. Check. You would need to keep remote access software running all the time. Check. You would need to have a widely shared common password. Check. You would need to have no firewall software in place. Check.

If you are a CIO, share the story of this almost-disaster. Security reviews are good, and would have caught most or all of these problems. But security awareness among users is better. Reminding people of the IT policy doesn’t work. But sharing a story of how it almost went wrong might change behavior.

Another Avoidable Disaster

Today’s totally avoidable IT disaster is found in the Slack app for Android. It turns out the app stored the user password in unencrypted plain text. That means that every other app on your phone had access to it, and it might now lurk in various log files on your device. Slack is red-facedly asking users to update their app and change their password.

This is an example of what happens when developers operate under tight deadlines and without adult supervision. Any competent IT development organization has code review procedures. If you are a large, high-profile organization that releases apps to millions of users, any new release should have a separate security review performed by a security professional. But Slack insisted on letting their team operate without any guardrails. That means it was only a matter of time before they ran off the track.

If you are a CIO, take a look at your systems list. For every non-trivial or externally facing system, there should be a link to the latest security review with a date and the name of a real person – outside the development team – who performed the security audit.

Convenience vs Security

The convenience of Microsoft Azure comes with some serious problems. It seemed like a good idea at the time to store your cloud service credentials in your on-premises identity management solution. With Microsoft Active Directory and Microsoft Azure, you got exactly that convenience.

The only problem is that when hackers get into your on-premises system, they own your cloud instances too. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about SolarWinds hackers using privilege escalation to gain access to Microsoft Active Directory Federation Services (ADFS) and then producing OAuth tokens to move laterally to your cloud instances.
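One defensive check that follows from this chain is to reconcile what the cloud accepted against what the on-premises federation server actually issued: a token the cloud honoured but the federation log never recorded is the signature of a token minted with a stolen signing key. The script below is an added illustration, not code from the post or from CISA; the record layout, field names, sample entries and the 5-minute/8-hour thresholds are constructed assumptions, and a real deployment would map them from the ADFS audit log and the cloud sign-in export.

```python
"""Reconcile cloud sign-ins against on-premises federation issuance logs."""
from datetime import datetime, timedelta

# Constructed on-premises issuance records (assumption): one entry per
# token the federation server actually signed, as its audit log would show.
ONPREM_ISSUED = [
    {"assertion_id": "a1", "user": "alice@corp.example", "issued": "2021-02-20T09:00:00"},
    {"assertion_id": "a2", "user": "bob@corp.example", "issued": "2021-02-20T09:05:00"},
]

# Constructed cloud sign-in records (assumption): which assertion the cloud
# accepted, for whom, when, and the lifetime it granted.
CLOUD_SIGNINS = [
    {"assertion_id": "a1", "user": "alice@corp.example", "seen": "2021-02-20T09:00:30", "lifetime_h": 1},
    {"assertion_id": "a2", "user": "bob@corp.example", "seen": "2021-02-20T09:06:00", "lifetime_h": 1},
    # Accepted by the cloud but never issued on-premises: a token minted with
    # the federation signing key outside the federation server.
    {"assertion_id": "zz", "user": "admin@corp.example", "seen": "2021-02-20T23:40:00", "lifetime_h": 720},
]

MAX_SKEW = timedelta(minutes=5)  # issuance-to-acceptance window (assumption)
MAX_LIFETIME_H = 8               # longer than a workday is suspicious (assumption)

def find_suspect_signins(issued, signins):
    """Return (assertion_id, user, reasons) for cloud sign-ins that the
    on-premises log cannot account for, or that carry an abnormal lifetime."""
    by_id = {rec["assertion_id"]: rec for rec in issued}
    findings = []
    for s in signins:
        reasons = []
        onprem = by_id.get(s["assertion_id"])
        if onprem is None or onprem["user"] != s["user"]:
            reasons.append("no matching on-premises issuance")
        else:
            delta = datetime.fromisoformat(s["seen"]) - datetime.fromisoformat(onprem["issued"])
            if not timedelta(0) <= delta <= MAX_SKEW:
                reasons.append("accepted outside issuance window")
        if s["lifetime_h"] > MAX_LIFETIME_H:
            reasons.append(f"token lifetime {s['lifetime_h']}h exceeds policy")
        if reasons:
            findings.append((s["assertion_id"], s["user"], reasons))
    return findings

if __name__ == "__main__":
    for aid, user, why in find_suspect_signins(ONPREM_ISSUED, CLOUD_SIGNINS):
        print(f"{aid} {user}: {'; '.join(why)}")
```

The check only works if the on-premises issuance log is shipped somewhere the intruder cannot edit, which is the compartmentalization point the section makes.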

The SolarWinds hack shows that having intruders in your system is the new normal. You need to compartmentalize access, and storing all your access rights in one central place is a very dangerous convenience.