JetBrains' build automation software eyed as possible enabler of SolarWinds hack

The SolarWinds security breach disclosed last month, which US authorities believe was of Russian origin and led to the compromise of at least 18,000 organizations, may have been enabled in part by software from JetBrains. The company, founded by Russian software developers and based in the Czech Republic, makes software …

  1. Danny 2

    "So, Mr. Bond, can you integrate and test this code before the end of the month? Wha haha!" ~Jet Brains

    1. Korev

      Re: Bond Villain

      Well, he's good at fixing Spectre bugs

  2. Ashto5

    Looks like finger pointing

    Oh quick everyone look at them ....

    Don’t notice that regardless of what software was involved we got hacked ...

    Personally I bet it was intel they built the chips or maybe the electric company ...

    1. iron

      Re: Looks like finger pointing

      They were probably using Supermicro servers with those Chinese "grain of rice" spy chips on the motherboard that Bloomberg was so fond of. The Chinese just gave their login details to the Russians.

      /s

    2. cyberdemon

      > Personally I bet it was intel

      And you thought you were joking!

      Considering SolarWinds was used by Intel too, even though Intel probably almost certainly wasn't a vector as you jest, it could be a vector in future!

      If those guys got their hands on Intel's Management Engine special super-secret CIA keys, then the whole world is pwned.

  3. Anonymous Coward

    Access to business critical systems

    The US authorities don't appear to have contacted JetBrains or issued any security advisories around new or existing TeamCity vulnerabilities (or other JetBrains software products), so is this a vulnerability or just poor implementation?

    As a software company, making your build management/continuous integration system accessible from the Internet and not requiring either 2FA and ideally a VPN wrapper with 2FA would seem to indicate poor risk management. Particularly if we find out all the passwords were "solarwinds123" and the hard part is guessing if the username is geoff or jeff...

    It's also interesting to compare the FireEye and Solarwinds responses to these compromises/attacks - yes, FireEye is a security company, had the resources available to investigate and stands to lose everything if its security reputation is ruined, so it quickly disclosed a lot of information indicating the steps it had taken/was taking, what went wrong and what it was doing to address the issues within days.

    Solarwinds has had around a month and, aside from a software update that supposedly addresses the issues, there's still a lot of unknowns around how this happened, whether their systems can be trusted and what Solarwinds are doing to ensure their products can be trusted in future. And then maybe Solarwinds will possibly learn that their security reputation was just as important as FireEye's when their sales dry up and customers move to other platforms.

    1. gggeek

      Re: Access to business critical systems

      Exposing the CI/Build/Dev systems to the internet only with 2FA and/or VPN is miles beyond the security practices that I've seen implemented at most companies I have been involved with...

      I'm speaking about the web dev industry, which might have (hopefully) different practices than other businesses, but what I have often seen, even in recent times, is rather:

      - Jenkins/Jira/Stash/Confluence & friends seldom updated to the latest release, even when they have known security bugs

      - shared passwords used for all these tools. Worst case scenario is that they are wide open without auth to anyone with intranet access

      - auth tokens to customers' systems written down in plaintext in source code, build scripts, developers wikis

      - domain credentials for all company employees handed out pre-generated from sysadmins and never rotated

      - no offboarding procedures set up, or plain unattended, with hundreds of ex-employees' and ex-customers' accounts still active everywhere

      - vpn enforced for connecting to the intranet, and assuming that everything on the intranet is secure (because devs run linux laptops instead of windows, ha!)

      - etc etc

      Luckily these companies do not have tens of thousands of high-value customers, and are thus below the radar of serious supply-chain hacking attempts, but they are ripe for abuse not by nation-state actors, just by joe random script kid.

      The reasons for all these bad practices are all the usual ones, with the addition that developers cost a lot of money, so one does not want to have them sitting idle while the CI server is down for an update, or because they are waiting to be communicated a new auth token. Sure, tools like Vault exist, but they are not easy to implement and manage.

      Now, think about your average company: how many providers is it employing to implement its websites, CMS, intranet, ERP, HR, etc... software? Plus the external consultants of course! How many of those do practice good security? And how many of them have access to the company's servers and network?

      1. Pascal Monett

        Re: they are ripe for abuse

        Indeed they are, but as you stated, they are nobodies, so no impact.

        Also, you're talking about web shops. These are often set up by people who have an idea, think they can program, but have no notion of security. For those types, security is the annoying stuff you have to get rid of in order to work.

        As a consultant in Luxembourg for the past 25 years, I can tell you that I have worked in banks, insurance companies and government organizations and I can assure you, the network security in these places is impressive. There are institutions where I do not have the right to bring my laptop.

        All of these have an IT department which is staffed with people who know their stuff. Many have an Information Security Officer, and I can tell you: you do as he says.

        Yes, given the nature of my skills, when I do finally get to a workstation with a working login, I do have access to the server, and to many, many databases. But if I so much as try going around and poking places I'm not supposed to do, I can kiss that customer good-bye as I will be caught out, and then thrown out.

        Not every company is staffed by cowboys.

        1. gggeek

          Re: they are ripe for abuse

          Re: Not every company is staffed by cowboys.

          I agree.

          I also worked in airport IT for quite a while (security was a complete joke there), and as contractor for banks for a shorter while (and indeed they took security much more seriously).

          There's no hard proof yet but it seems rather probable that SolarWinds did not operate with the level of infosec paranoia that is common in the banking sector.

          The problem with supply chain attacks is that your security is only as good as the one of your weakest provider, and everybody has a million providers. And providers' providers.

          Sure, software companies raking in billions should know and do better than coding cowboys, but experience tells me that habits and mentality are hard to change. If anything, it is harder to improve existing practice than it is to start from scratch with the good mindset.

          PS: one of my favorite anecdotes in security is when I was called in to consult for a company producing both mil and civilian aircraft. Their security setup was impressive: no way anyone external was allowed to enter the premises unescorted, and I could not even move from the devs' room to the restroom without someone looking over me. But... at midday... the canteen being off premises... the company just opened the gates for two hours and anyone plus their dog was allowed to get in and out, as doing ID checks would have impeded the employees from getting their lunch in a timely fashion!

        2. el kabong

          So, in Luxembourg no one who matters is a customer of SolarWinds

          That's good to know, this is what I should expect from people who hire no one but the best.

          I praise them for their prescience.

      2. Anonymous Coward

        Re: Access to business critical systems

        While I get that these issues are common in startups/small companies (i.e. less than 25 employees/$25m revenue) where infrastructure is often self-managed and security best effort, Solarwinds has (had?) an annual revenue of close on US$1bn a year with a 25%-30% profit margin.

  4. el kabong

    This is what happens when you opt to use overcomplicated setups, now pay the price

    You lose visibility, errors start popping everywhere and you can't see them all because they are so many and everything is so opaque.

    When it inevitably breaks don't blame your poor judgement, it is so much easier to put the blame on someone else.

  5. T. F. M. Reader

    A long time ago, in this unfashionable end of the Galaxy...

    an attack vector was described. A somewhat simpler variant of it is finding its way into our warped reality.

    1. elDog

      Re: A long time ago, in this unfashionable end of the Galaxy...

      Thanks for that reference to a Ken Thompson paper: Reflections on Trusting Trust.

    2. Anonymous Coward

      Re: in this unfashionable end of the Galaxy...

      Meanwhile, not a long time ago at all, in the part of the galaxy currently known as Florida, what the Twitterati are currently describing as an existential threat to safety-critical SCADA systems actually sounds much more likely to be a plain and simple remote PC access (TeamViewer etc.) foul-up.

      Not as yet reported on El Reg afaict. Anyone got any actual facts yet for this one?

      It's not Camelford.

  6. druck

    The good news is...

    ...I've not noticed JetBrains' PyCharm sneaking in any

    from Russia import backdoor

    1. Wilhelm Schickhardt

      Re: The good news is...

      You have ANY proof JetBrains enabled this? Or is it just "guilt by association with an unproven claim"?

    2. Wilhelm Schickhardt

      Re: The good news is...

      Like "Cisco gear improved by NSA", eh?

      https://www.engadget.com/2016-08-21-nsa-technique-for-cisco-spying.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cucXdhbnQuY29tLz9xPWNpc2NvJTIwbnNhJnQ9d2Vi&guce_referrer_sig=AQAAAIRMLhvPZKtrW2x13_H0L_pNY71On0TObKaILNRDFUxQgRlTUHLM3ZX9xG6xoyDx0dTshg_fckirNDxJoW-lFm6gCmNwWM2Xx_85XbRRk2081lDdXe6DM0fkGxQCpHIZYGk2GB8_TQMz750urZMiK4irRx0dsUAlTQS1PUHMR-X9

    3. Evil3eaver

      Re: The good news is...

      You should have written:

      from Russia import WithLove as backdoor
