SonicWall breach hits every cloud backup customer after 5% claim goes up in smoke

SonicWall has admitted that all customers who used its cloud backup service to store firewall configuration files were affected by a cybersecurity incident first disclosed in mid-September, walking back earlier assurances that only a small fraction of users were impacted. In an updated statement published on Wednesday, the …

  1. ParlezVousFranglais Silver badge

    Maybe a silly question but can't they just encrypt by default BEFORE sending security-critical information off to sit on a website somewhere? Have they now implemented such encryption? The files are then useless to anyone but the original owner regardless of whether SonicWall's own security and "encryption" is breached (not a great look for a security company anyway tbh...)

    1. Stevie Silver badge

      Silly Question

      Exactly what my first thought was.

      1. FILE_ID.DIZ
        Boffin

        Re: Silly Question

        While I am no expert nor anything beyond a layperson - a big problem with config files like these is that the encryption has to be reversible. So, how do you do that at scale?

        A client-managed password is always a solid option. However, I'm sure there's a non-zero number of SonicWall Cloud Backup users who wouldn't want to do that. Think about AWS S3 encryption-at-rest. I wonder what portion of companies use the server-managed encryption key vs using their own key?

        So now the service provider has to manage the encryption key(s). KEK can be used here, but still at the end of the day, if the KEK key(s) is/are compromised, then everything encrypted by that DEK can be decrypted.

        Basically it is hard to handle encryption safely at scale.

    2. Glennda37

      This doesn't work when you need to restore a backup to a different set of hardware in the event of hardware failure.

      1. ParlezVousFranglais Silver badge

        Why not? If you want to use the service, you tick the box on the firewall config to say so and you provide an encryption key (if you don't keep it safe somewhere, then that's on you.) - as long as you know the encryption key used, you can retrieve the config with no problem either to the original hardware or to a replacement, and if someone hacks SonicWall's own service, then your encrypted data is protected with a key only you know.

        1. razorfishsl

          I'm just waiting for MS to go completely tits up on this ......

          Their "ENTRA" records the security key of every hard drive that the system connects to.

          nice for the US government.... .. oh we have a "bitlocked" hard drive..... just contact MS for the keys they extricated....

          now you know why they are insisting on Win 11 having an MS account..

          it's so they have an ENTRA security login & a place to keep the BitLocker drive keys....

    3. Slow Joe Crow

      That's exactly what Sophos does with Sophos Central. When you deploy a firewall you set a master encryption key, and then a separate backup encryption password which Sophos requires you to store elsewhere. I work for an MSP so we have dozens of firewalls and we store the encryption keys in a documentation system. It seems to work fine and we can easily pull a saved configuration to apply to replacement firewalls.

      1. nonpc

        ...and the pessimist in me says that when the documentation system is borked and you want to recover it from the backup, you need the encryption key which is stored in...

        Analogous to the story of the key to the fireproof safe which was stored on the premises and melted in the fire.

  2. Anonymous Coward

    We've now got some devices reported as needing remediation. After the initial report (with the 5% claim) I even contacted SonicWall support to confirm that our devices weren't affected (no warnings were shown in the portal) and they assured me that no, none of our devices were affected so we didn't need to do anything.

    Useless tossers! Giving assurances like that when they clearly hadn't finished investigating is really not a good look for a security company.

    1. Anonymous Coward

      You simply weren't sufficiently paranoid. If a service provider where I have an account is hacked, the first thing I'm going to do is change my password, keys, etc., even if I have to change them again later. Only then will I decide whether to continue the relationship.

    2. JHD

      If they were actually taking actions out of an "abundance of caution" (a phrase I have grown to hate), the actions would have included telling users to change all saved passwords and trash the existing config backups.

      "Abundance" my ass. It is PR minimization. Such statements should never be trusted.

  3. Rich 2 Silver badge

    Mind blown!!!

    Why on Earth would you dump your firewall details onto some random (and apparently vulnerable) server???

    Some people are just asking for it

    1. Anonymous Coward

      Re: Mind blown!!!

      It's part of the SonicWall management portal. If they can't keep this secure then they really are fucking useless!

      1. Rich 2 Silver badge

        Re: Mind blown!!!

        I guess they're fucking useless then.

        Maybe, eventually (yea, right!), people will realise that saving stuff on someone else's computer is not compatible with any notion of security. You may as well post your security credentials up on the nearest public toilet wall.

        1. JHD

          Re: Mind blown!!!

          Toilet wall, being analog, is perhaps a bit more secure initially.

  4. sitta_europea

    Backups - everything that you value - in The Cloud. What a great idea.

    1. tip pc Silver badge

      Doesn't really matter where your backups are stored if they are not protected somehow.

      Strongly encrypted backups in the cloud should be as well protected as in your physical safe place.

      If your cloud provider isn't using strong encryption & controls for your precious data then it's not protected.

      This is why governments mandating back doors in cloud providers is a recipe for disaster for us all.

      1. Gerhard den Hollander

        Remember

        The cloud is just someone else's computer.

        1. t0m5k1

          With a Gov.-sanctioned backdoor!

    2. Roland6 Silver badge

      In this instance the issue is Device Management and thus security configurations in the Cloud.

      Remember it was only a few years back when cloud managers for network configuration were all the rage…

  5. Decay

    Just to be the pedant in the room, encrypting your backups will stop or slow reading the data but will not stop your encrypted backups being encrypted for ransomware. That's not what happened here but just in case someone assumes encryption is the magic charm that fixes all evils.

    End PSA

  6. John Brown (no body) Silver badge

    "every customer who had ever used the cloud backup service"

    Wait...what? Is that just poor wording or are there people who no longer use SonicWall who should now be worried that their previous firewall configs are still on SonicWall servers and have now been leaked too? If so, that's even more worrying. People may change their firewall provider, but odds are their network won't change all that much so even year-old data could give an attacker an extra boost.

    1. This post has been deleted by its author

  7. JamesTGrant Silver badge

    I wouldn’t go to a restaurant to get my car fixed, even if the food was excellent. Quite why people think that a firewall company would make a good cloud storage provider is… odd to me.

    1. Anonymous Coward

      They aren't a cloud storage provider - there is a small amount of storage attached to the management portal where the config backups are stored. That's literally it! If they are going to offer this service then they need to keep it secure. Keeping things secure is, after all, supposed to be their business!

  8. Homo.Sapien.Floridanus Silver badge

    Famous Quotes

    “We’re out of helium? Fill her up with hydrogen.”

    “That little old iceberg is no match for this ship”

    “Let’s put it in the cloud”

  9. Kevin McMurtrie Silver badge
    Trollface

    Best backups

    Extreme redundancy, globally distributed backups. Rest assured that your data can never be accidentally deleted.

  10. K555 Bronze badge

    VPN creds

    Whilst the login details are no doubt hashed in the config, will these have VPN keys / certificates for remote workers/sites that could be leveraged?

  11. Anonymous Coward

    And yet they'll survive and post record share prices very soon.

    How are companies in business after disasters like this? Like what was their name that blue screened everyone's computers a few months ago - for some unfathomable reason they're still in business.

    1. Anonymous Coward

      not just in business.. but share price is higher

      almost 2.5x higher... unfathomable....

      what was funny is that someone registered the domain "clownstrike.com" and has it pointing to...

      1. Tim Kemp

        Re: not just in business.. but share price is higher

        [checks availability for chronicwall.com]

  12. razorfishsl

    The irony is that the config files are "encrypted"

    the stupidity has more folds than a kilt....

    1. the key is a simple XOR (takes about 2 min to crack it.)

    2. the key is the SAME for EVERY firewall.

    3. All the passwords for every account appear to be in plain text, not salted strongly.

    Not only is the config file blown wide open on SonicWall, but every other firewall brand you want to VPN connect to with a secret.

    4. 4th level of stupidity & incompetence, that I won't get into because it is potentially a huge security issue that is currently out in the open,

    it gives an insight into just how little thought the people in charge have and is a direct result of mitigating this initial problem.
