Warning on SolarWinds-like supply-chain attacks: 'They're just getting bigger'

Back in 2020, Eric Scales led the incident response team investigating a state-backed software supply-chain attack that compromised application build servers and led to infections at government agencies and tech giants including Microsoft and Intel. "It was similar to a fraternity rush - the best experience I never want to do …

  1. dwodmots

    The spin, each line quoted from the article:

    >nation-state hack

    >the supply-chain attack of the decade

    >attributed to Russia's Cozy Bear gang

    >most high-profile supply-chain breach

    The reality:

    The password for the update server was stored in a public github repo

    The password was solarwinds123

    1. John Robson Silver badge

      I was going to say citation needed but:

      https://www.theregister.com/2020/12/16/solarwinds_github_password/

    2. p302111
      Black Helicopters

      This FTP password may well have played a role in the initial access.

      But the code to subvert the build process, if true, was really a state-of-the-art operation.

      If those guys got hold of the sealed DOJ indictments trove, I do not expect the ones they have been waiting to "catch if traveling" will be caught anytime soon, if ever.

      The USA has such a huge footprint and so many outdated software platforms that some more than 10-year-old code / exploits still function over there, in some industries.

      1. Al fazed
        Thumb Up

        Hmmm

        It's probably not a lot different here in Blighted

        ALF

  2. This post has been deleted by its author

  3. CasualBrowsing
    Unhappy

    Is it only me who doesn't want to watch a 12 minute video?

    1. Anonymous Coward
      Anonymous Coward

      Say what?

      When I can use handwaving and lipreading to get code into the computer faster I might switch from being text based. I definitely can read faster than y'all can drawl. Text is compressed data!

      1. anonymous boring coward Silver badge

        Re: Say what?

        Not to mention that skipping is much faster and more precise.

        1. Snowy Silver badge
          Coat

          Re: Say what?

          Also easier to go back and read a part I did not fully understand on first pass.

    2. Richard 12 Silver badge

      It's a video?

      My subconscious clearly assumed the iframe was an advert and ignored it entirely.

      Well done advertisers, my training is complete.

      Did think the article was a bit short and content-free, but that's sadly common so didn't really think much of it.

      Not going to bother going back, 12 minutes is longer than I've got time for this morning.

    3. veti Silver badge

      Nope.

      El Reg: you're supposed to be a written medium. Write already.

  4. Jadith

    Not much improved and not much likely to

    The approach to shoring up security is quite often to throw money at some consultants/security software/hardware etc.

    While often these can improve and aid in securing systems, the problem is, has been, and will be cultural. As long as you have devs/executives/managers/etc that see even basic secure practices as bothersome or annoying (or even an affront to their ego) the attacks will continue to succeed. As long as you have sysadmins/IT managers/engineers unwilling to put their foot down and say no because that would be bad customer service, bad 'teamwork', or just not good soft skills, the attacks will continue to succeed.

    No amount of money can protect you from being attacked if you store the ftp password in plain text on a public github repo. Sure, people like to make these attacks out to be super sophisticated spy v. spy level activities. Writing the sophisticated tools, or listening in on the sophisticated communications, or injecting the sophisticated code is really just normal dev work in many cases. Gaining the access is often simple and about as unsophisticated as you can get, while being the single most important part of the attack.

    Honestly, until we start doling out consequences for leaving the door open instead of giving companies a pass because "the attack was so expertly sophisticated" is how it is reported, people will continue to "prop the back door open with a rock", if you will.
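The leaked-credential point raised in the first comment and again just above (an FTP password committed in plain text to a public repository) is the one technical thread in this discussion. Below is an added example, written for this page and not taken from the article or from any commenter, of the kind of pre-commit check that catches such a credential before it is pushed. The regexes, the sample file contents, the `example.invalid` hostnames and the "orgname followed by digits" weak-password heuristic are all constructed for the illustration; a real deployment would use a maintained scanner's rule set.

```python
"""
Minimal hardcoded-credential scanner, suitable for a pre-commit hook.

Added example for this page; the patterns, sample files and the weak-password
heuristic are constructed for illustration and are not from any real project.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two common shapes of committed secrets: credentials embedded in a URL
# (ftp://user:pass@host/...) and a password assigned in config or scripts.
PATTERNS = {
    "url_with_credentials": re.compile(
        r"\b(?:ftp|ftps|sftp|https?)://[^\s/:@]+:([^\s@/]+)@", re.IGNORECASE),
    "password_assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|pass)\b\s*[:=]\s*["']?([^\s"']{3,})["']?"""),
}

# Values that are references to a secret store, not the secret itself.
REFERENCE_PREFIXES = ("$", "{", "%", "os.environ", "process.env")

# Tiny deny-list; a real scanner would use a large breached-password list.
WEAK_PASSWORDS = {"password", "123456", "admin", "changeme"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    weak: bool          # True if the value is also trivially guessable


def looks_like_reference(value: str) -> bool:
    """Skip 'password = os.environ[...]' style indirections."""
    return value.startswith(REFERENCE_PREFIXES)


def is_weak(secret: str, org_name: Optional[str] = None) -> bool:
    """Heuristic: deny-listed, short, all digits, or '<orgname><digits>'."""
    s = secret.lower()
    if s in WEAK_PASSWORDS or len(s) < 8 or s.isdigit():
        return True
    if org_name and re.fullmatch(re.escape(org_name.lower()) + r"\d*", s):
        return True
    return False


def scan_text(path: str, text: str, org_name: Optional[str] = None) -> List[Finding]:
    """Return one Finding per credential-looking match in `text`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if looks_like_reference(value):
                    continue
                findings.append(Finding(path, line_no, kind, is_weak(value, org_name)))
    return findings


def scan_files(files: Dict[str, str], org_name: Optional[str] = None) -> List[Finding]:
    """Scan a mapping of path -> file contents (what a pre-commit hook would stage)."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text, org_name))
    return results


# Constructed sample repository contents; hostnames use the reserved .invalid TLD.
SAMPLE_FILES = {
    "deploy/upload.ps1": (
        "# constructed sample, not real configuration\n"
        "$ftpUrl = 'ftp://deploy:solarwinds123@updates.example.invalid/releases/'\n"
        "Invoke-Upload -Url $ftpUrl\n"
    ),
    "config/settings.ini": (
        "[database]\n"
        "user = app\n"
        "password = Tr0ub4dor&3-long-enough\n"   # strong, but still committed
    ),
    "src/safe.py": (
        "import os\n"
        "password = os.environ['DB_PASSWORD']  # read at runtime, nothing committed\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, org_name="solarwinds"):
        flag = "WEAK " if f.weak else ""
        print(f"{f.path}:{f.line_no}: {flag}{f.kind}")
```

Run as a pre-commit hook, a non-empty result should block the commit regardless of the `weak` flag: the second sample shows a strong password that is still a finding, because the problem in the thread is the plaintext credential in the repository, not only its guessability.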

    1. Marty McFly Silver badge
      Facepalm

      Re: Not much improved and not much likely to

      Will "doling out consequences" really change anything? Human nature won't care.

      Scenario 1: Buy a new car. Drive crazy. Destroy new car. Receive a ticket for reckless driving. "Gee, officer, if I had known I was going to get a ticket, I wouldn't have trashed my new car"

      Scenario 2: Build a company. Screw up cyber security. Stock price bombs. Receive a 'consequence' from government. "Gee, if I had known I was going to get punished, I would have never destroyed my company and all my stock value."

      The solution, or as stated, the "consequences" need to come from industry, not from government or regulation. SolarWinds screwed up. Did the rest of the world dump them completely, or are their products still in use? Microsoft has yet another 'Patch Tuesday' with a zillion vulnerabilities patched, has the world dumped Windows? No. Everyone uses Microsoft Defender to protect themselves from security issues with Microsoft Windows. How is this not crazy stupid??

      This will not be solved until the rest of us collectively decide we are not going to use products from companies which have bad security track records.

      1. p302111
        Black Helicopters

        Re: Not much improved and not much likely to

        <i>"until the rest of us collectively decide we are not going to use products from companies which have bad security track records."</i>

        Have you ever tried to hire a secretary to use Linux + LibreOffice instead of Windows + Word?

        Remember most users are not computer-savvy. Just change 1 little thing and most will panic and be lost.

        Some consider us developers / security guys who discover holes in software something close to witches, black magicians or bad demons.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not much improved and not much likely to

          "Have you ever tried to hire a secretary to use Linux + LibreOffice instead of Windows + Word?"

          Actually, I know of a number of modern-day secretaries who happily use Google Apps instead of MS Office on mac OS and Linux, with zero problems, and one of our clients actually uses Softmaker Office on Linux as standard desktop platform, and here, too, no problems.

          And why should there be, being able to adapt to new/other variants of the software used by your trade is a basic competency expected of any employee today. Especially considering the constant change MS Office and other MS products are seeing. If that's too much for you then you might want to consider a career change to flipping burgers.

          "Remember most users are not computer-savvy. Just change 1 little thing and most will panic and be lost."

          And yet millions of "not computer-savvy' people have no problem handling constantly changing user interfaces on apps, smartphones and IoT, and many of them don't even use Windows but mac OS.

          Which proves that the notion of people panicking because of minor UX changes is nothing more than utter nonsense.

        2. captain veg Silver badge

          Re: Not much improved and not much likely to

          Have you ever used WordPerfect?

          -A.

          1. An_Old_Dog Silver badge

            Re: Not much improved and not much likely to

            I did, I loved it (the DOS versions), and I miss it. Version 4.2 was the best. It's still available on abandonware-hosting web sites, but understands only 8.3-format file names.

            1. chasil

              Free Wordperfect for Linux

              I doubt that limit applies to this version for X/Windows.

              https://www.theregister.com/2022/07/20/wordperfect_for_unix_for_linux/

        3. An_Old_Dog Silver badge

          Rote Learners

          "Just change 1 little thing and most will panic and be lost." This is typical of extreme rote-learners. Rote learning has its place and applications (learning foreign languages comes to mind), but if someone understands computers so poorly that an icon position-change or colour-change throws them off, then they need remedial computer training to bring their mental model of how things work up to speed. If the remedial training doesn't help them, then they need to be in a different job.

          A desktop/laptop computer (vs an embedded device) is not a no-brainer, works-like-a-toaster thing.

          1. veti Silver badge

            Re: Rote Learners

            Yeah, GP's characterisation was exaggerated to the point of caricature. If someone is that clueless, they wouldn't be able to stick with MS Office for more than about six months anyway.

            That's not why Linux and Libre haven't swept the market.

            1. An_Old_Dog Silver badge

              Linux Adoption

              "That's not why Linux and Libre haven't swept the market."

              Potential Newbie Linux User: "Linux, huh? Hmm ... does it run CallofDutyCrisis IV, SuperUltraCandyCrush, Microsoft Word-thingy, TurboTax, and FaceBook?"

              Linux Advocate: "Nrgggghhhhh..."

              1. thinking ape

                Re: Linux Adoption

                My parents (around 80 years old) prefer Linux (Mint), and have done so for the last 8 or more years (I forget when they started to use it). They do have their kids to set it up for them.

                When a new laptop was purchased, they tried Windows again, and then quickly, "can we have Linux back please?" Basically, it's stable, doesn't constantly change its UI, doesn't ask you for constant restarts and "please wait while we update your...", and they have all the programs they need, even LibreOffice and Garmin GPS programs via WINE.

                So why don't people switch? Marketing. Most people don't even know it exists and they're scared. They stick to what they are used to. If more companies pushed it, and it was loaded by default on hardware (and so was cheaper), people would switch.

                However, then it comes to games, and compatibility with random program X, or they have to choose a distro (what is a distro? which is better? where do I click for that?)

        4. Anonymous Coward
          Anonymous Coward

          Re: Not much improved and not much likely to

          Even if you wanted to, many industries at the moment could not move to Linux. We looked into doing it (part of the NHS) and it's simply not possible, as there are still too many Windows-only clients kicking about for essential systems. That's slowly dropping year on year as things move to web interfaces, but even then the backend of many of these systems requires, due to supplier demands, Windows Server!

          Bottom line is that until there is a push from government for software to be multiplatform Windows will dominate for decades to come.
