Autodesk was one of the 18,000 firms breached in SolarWinds attack, firm admits

Autodesk, makers of computer-aided design (CAD) software for manufacturing, has told the US stock market it was targeted as part of the supply chain attack on SolarWinds' Orion software. In a filing with the American Stock Exchange Commission, Autodesk said it had identified a compromised server in the wake of public …

  1. Version 1.0 Silver badge

    Only 18,000 firms attacked?

    18,000 firms noticed they were attacked, we will never know how many didn't notice. Working on the Internet is like walking naked through a field of rapists looking at your phone while posting on social media without looking around - your gender is irrelevant.

    "We are ready for an unforeseen event that may or may not occur." - Al Gore, a merry can VP

    1. Anonymous Coward

      Re: Only 18,000 firms attacked?

      No, 18000 companies did not notice that they had been successfully attacked. Only one company (publicly) did, FireEye, and not while the attack was being staged, but after they had fallen victim to the attack.

  2. Anonymous Coward

    Ha ha!

    And this is why you DO NOT EVER outsource IT.

    Sure, it's more convenient. Sure, you can fire your IT staff.

    But you WILL lose in the end. No matter how awful your local BOFH is, there's zero chance it's as bad as what you're going to deal with when your outsourcing provider is compromised.

    Everyone hit by this deserved everything they got and then some.

    1. Roger Greenwood

      It's not funny though, really. The CAD world has been pushing very hard to rent you stuff instead of sell it for some years now, Autodesk being very popular of course. If their network did get shut down I feel for all the folks and businesses who would be affected as soon as they try to log on in the morning. I don't rent my CAD software, but plenty do....

      1. Halfmad

        I was a CAD draughtsman back in the 90s on a DOS version of AutoCAD. I remember the costs back then were insane and I joked that one day they'd find a way to do away with the dongles and screw the company over some other way.

        Later on I found out about the subscription models they were adopting, constant need for updates etc and realised they'd found that mechanism..

    2. Anonymous Coward

      I have to disagree with you, since I work for an IT consulting firm. With that being said, there's nothing that I do for my clients that they couldn't do for themselves by hiring admins with my experience. All of the procedures that I follow are documented in their internal documentation library and all of the work that I do is tracked in their internal ticketing system.

      Our internal systems are hardened more exhaustively than any of our clients' systems because we can't afford to be the mechanism by which an attacker of one client is able to attack another client.

      As an example, remote access into our network is via username, password, certificate, and OTP.

  3. Anonymous Coward

    So this story is "Firm was running a vulnerable version of an application, but nothing happened"?

    1. Yet Another Anonymous coward Silver badge

      No, the story is: "Firm was running a vulnerable version of an application and has no way of telling if anything happened."

      If they managed to get hacked, what's the betting that they have no way of detecting what was extracted?

      It's like a bank saying, there was a break-in and all the security deposit boxes were opened and were empty - but we have no evidence that anything was stolen.

  4. Anonymous Coward

    What if they pulled the same trick with Autodesk, and the other 17999 users of SolarWinds, as they did with SolarWinds, using them as insertion points into their clients' networks... What if their goal was to download every Autodesk client's CAD files? It seems to me like that would be the jackpot to end all jackpots.
