SolarWinds Hack

Craig Peterson: In case you didn’t hear, we have had a massive hack. We’re going to be talking about that and what it means to you. What it means to the federal government. What it means to organizations that are using SolarWinds. Oh my.

[00:00:24] Hi everybody. Craig Peterson here. Had a great discussion this week with Mr. Matt Gagnon Wednesday morning, as we usually do, and we’re going to continue that now. Let’s get into it in a little bit more depth.

Lack of Professionalism

[00:00:39] You probably heard me pounding on that table, and it was just unbelievable, because the bottom line here is these particular hacks were effective because these supposedly “Professional Security People” did not follow the basics. They didn’t have the software configured according to the software manufacturer’s specifications.

[00:01:08] So number one, read the directions. 

[00:01:12] Number two, they didn’t use the most basic of security controls that are out there. 

[00:01:19] You’ve got to watch these domains, capabilities, practices, processes. That’s what we are always talking about in the cybersecurity business. They were not monitoring outbound connections. They didn’t stop the call-home stuff.

[00:01:38] What I keep telling you guys, the easiest way to stop the spread of some of this nasty software is to use Cisco Umbrella. It’s just that simple. Cisco Umbrella for just regular people is free. How could you get better than that? 

[00:01:57] When you get into the business level, which you cannot buy on their website (you can buy some very good stuff from the Umbrella website, from Cisco), then you get a lot more features, fine-tuning, granularity, and stuff.

[00:02:10] If they had just been using Cisco Umbrella, that probably would have stopped the call-home. That’s what it does. Okay.

Professional Organizations and Agencies Hit Hard

[00:02:21] These are professional organizations that got hit here. Professional organizations.

[00:02:27] We do not allow willy-nilly outbound connections.

[00:02:33] Some of these pieces of software pretend that they are a web browser and they just want to go to this website. If you’re allowing your employees on your network to go willy-nilly wherever they want online, you’ve got some problems.

Porn Filters Not Enough

[00:02:47] If you’re just filtering, for instance, “Oh, I’m not going to let them go to porn sites or something, violence sites, or Netflix to watch TV movies all day long instead of working,” that’s not good enough. That might help to keep them paying attention a little bit more to their work. I’ve found, frankly, much of the time they spend trying to figure out how to get around those filters. We catch people doing that all of the time. You have to talk to them and explain why the most dangerous parts of the internet, from a security standpoint, are the parts of the internet where you are going to have some of that nasty content that they might be looking for. Once they understand that, usually they wake up and smarten up, et cetera, et cetera. But if that’s all you’re filtering for…

[00:03:38] How are you going to know that there is a piece of Chinese backdoor software on your network that’s trying to get out? How are you going to know that there’s a Russian backdoor trying to get out? Or there is a hacker that’s in your network who is exfiltrating all of your data, and then they’re going to hold your data, not quite hostage the way it used to be, but they’re going to extort you and say, “Hey, if you don’t pay up, we’re going to release all of this intellectual property to the internet.”

[00:04:13] The right way to do it is you only allow outbound connections to places they have to go for work.

Regulated Industry

[00:04:22] We have a company, our client, just as an example, who is in the Department of Defense space. They are a subcontractor and they deal with parts for airplane engines, certain parts. As such, they have all kinds of federal regulations, and those regulations mean that they can’t have data that gets stolen, that gets exfiltrated, right? That’s the whole idea. They’re supposed to be secure. So what do we do in a case like that?

[00:04:52] The people that work there can only get to websites that are approved: the websites of their suppliers, the websites of their clients, and that’s it. They cannot go anywhere else. Why? Because part of the problem here is what just happened this week.

[00:05:14] What happened this week with this massive order? This has only happened five times before in all of history. We’ll talk about that, as well. What is this order? What happened is they tried to go out to some other websites.

[00:05:31] Let’s say they got infected, and their computer had some nastyware on there that was trying to call home. Just do its E.T. thing: call home. It tries to get out of the network using what looks to be an innocent little web connection. It gets there normally. But if we block everything except the websites that they absolutely have to go to, that software is not gonna be able to get out of their network, is it?

[00:06:02] This is not rocket science. Yet we’ve got 18,000 organizations that look like they got hit in this massive cyber attack. Massive. There’s a company out there called SolarWinds. Now, SolarWinds we have used in the past. We stopped using them because of some of their practices. We just couldn’t, in good conscience, use them, knowing what they were doing and how they were doing it.

Who Uses It?

[00:06:33] But SolarWinds has this network management software. They have sold it to government agencies, massive companies; 499 of the Fortune 500 companies use SolarWinds. They have this network management product called Orion. Apparently they, like any other good little software vendor, provided updates.

[00:07:03] The updates between March and June 2020 apparently had a little extra payload.

[00:07:12] Now, the way these actors, the bad guys, got this payload into SolarWinds software really shows that it was a nation-state actor.

[00:07:26] Now of course the media is out there saying “Russia,” which is what they usually do. You’d think it was probably more likely to be China. But you know what, we’ll probably never know, because these people were very sophisticated. They basically reverse-engineered a one-way hash function called SHA-1, which you should not be using anymore. It was thought to be relatively safe. They combined that with another vulnerability in a web server and in some software that supports the web server and is supported by the web server, and bam! They’re in.

Updates Were Poisoned

[00:08:03] SolarWinds sent out updates to their clients. Those updates went to government agencies, all but one Fortune 500 company, and over 22,000 managed services providers.

“Managed Services Providers” – Part of the Problem?

[00:08:21] Now, we’re going to talk about MSPs some more, and we’ve talked about them in the past. This is a big deal. Most businesses don’t do the information technology function themselves. They might have somebody that’s in charge of it, but that person is the person who goes out and tries to find somebody to take care of the systems or do an audit or whatever it might be that they’re trying to do. That makes sense, I think. So that’s what they’re trying to do. But do they really know what they should do? What they shouldn’t do? What should be done? What shouldn’t be done? That’s a subject that we’ll take up a little bit later.

[00:09:01] This compromised software was distributed as a software update to SolarWinds customers by SolarWinds. It turned out that their software had this payload in it that now allowed an as-yet-unknown bad guy to get into the networks.

[00:09:30] Now there’s a statement that was filed with the Securities and Exchange Commission. I’m looking at it right now, by SolarWinds Corporation, and talking about the Orion products. They say that SolarWinds believes that the Orion products downloaded, implemented, or updated during the relevant period, starting in March this year, contained the vulnerability. Orion products downloaded or implemented before the relevant period and not updated did not contain the vulnerability. It goes on and on. It says SolarWinds values the privacy and security of its over 300,000 customers.

[00:10:11] I can’t believe that this would happen. So not only was SolarWinds caught up in this, but so were many of their customers, and you will find it interesting to know who some of their customers are, because they have also been in the news lately for different reasons.

[00:10:35] This is just fascinating. The biggest hack in recent history, and one that’s going to have consequences for years, literally years.

SolarWinds Hack May Have Influenced the Election Results Due to Ties to Dominion Voting Software

[00:10:51] We’ve established that there was a hack. We’ve established that the media thinks Russia did it, and so do many security consultants. We’re not absolutely sure. We probably never will be.

[00:11:03] What is this hack doing? How is SolarWinds tied into Dominion?

[00:11:12] This hack has been absolutely scary as heck. One of the congressmen who got a briefing on Tuesday about what had been going on called this absolutely terrifying. Now that is a terrifying statement to make, and the accusations are that Russian government hackers are responsible for this.

[00:11:36] Now we’ve seen since March this software by SolarWinds called Orion, which was in place in 18,000 organizations, was compromised. Once it was in the network, it gave bad guys access to that network. Coming out this week on Thursday, we found that the feds have, in fact, said that yes, we were affected by this. Now, affected, what does that mean? Ultimately, the pros and cons of this.

[00:12:13] The list of affected US government agencies and entities includes the Commerce Department, the Department of Homeland Security, the Pentagon, the Treasury Department, the US Postal Service, and the National Institutes of Health.

[00:12:37] This is a long list of suspected Russian hacks into the US as well as many of our allies and other nations out there. This is very scary to hear, because Russia has been using hackers, they have been using bots, and they have had other means to try and influence elections in the United States and elsewhere.

Did Russia Hack the Election (Again)?

[00:13:03] Before this latest election, we had the Democrats saying our election that elected President Trump was influenced, was hacked, by the Russians. And of course, as you know, after investigations for four years, they never really found that Trump was colluding with Russia.

[00:13:23] I think the focus was absolutely wrong in those investigations. It should have been on what happened with our elections. How safe is our election software? How about the hardware? How about the mechanisms that are in place? The federal government does have guidelines for this election vote-tabulating software and hardware. They have error rates that are allowed, just like they have so many mouse parts that can be in peanut butter. They have error rates that are far lower than are being reported right now. Oh, thousands of times more ballots were rejected than were allowed by law. But nothing is happening. Nothing happened.

[00:14:10] They investigated one person, one man, basically President Trump. A number of other people were caught up in this investigation as they laid traps for people.

[00:14:22] We did not do a major investigation into these systems. To me, that is absolutely inexcusable. Now we’re seeing some other evidence that is something that I think we should be paying some attention to, and that ties right into this hack of SolarWinds.

[00:14:43] As I mentioned, all but one of the Fortune 500 companies use their software. 18,000 different organizations installed the version of SolarWinds Orion products that were in fact known to not just be vulnerable, but to have built into them hacking tools, which is just astounding to me.

[00:15:11] Are we going to look into this now? Because looking right at this, this is from the Gateway. They went to Dominion Voting’s software. You can go to the homepage. They probably removed it by now, but it was there when I had a quick look on their website.

[00:15:28] This Emergency Directive 21-01. Very rare. It has only been issued five times in the last five years, and it is saying remove all of this. Yet Dominion Voting is apparently a customer of SolarWinds, and Dominion Voting brags about how they use SolarWinds. That is scary, very scary to me. Let’s talk about what it does mean.

[00:15:58] It does mean that our friends Dominion Voting, who have been accused of having terrible software, all the way through to having major backdoors in their software. Our friends over at Dominion Voting could well have been completely compromised by that SolarWinds attack. Completely compromised.

[00:16:22] We don’t know if they were, but we do know that they were using it, and they are the ones with our voting machines. This goes back to what I talked about last week, where I think there is only one solution to being able to be confident about votes.

What’s the Best Way to Run an Election? Full Transparency.

[00:16:40] Obviously it’s too late now to deal with all of the potential voter fraud, software errors, and hardware failures that have occurred in past elections. It really is too late, based on the evidence I’ve seen, to quote Attorney General Barr. But how about the future? How about we do an investigation into these companies that are providing us with the hardware and software? Or better yet, my solution is we have ballots printed. Those ballots have serial numbers on them with very good checksums. All we do with those ballots is we scan them on regular commercial, industrial scanners that keep pictures of those votes. So we have a hard copy that we can go to at any time of the votes. We can analyze them. We can compare it to the vote counts, et cetera. We take those pictures now and we run them through very inexpensive software.

[00:17:52] Very inexpensive, under a thousand dollars to buy a license for some of the software. What that software does is it looks at the images that were taken by these scanners, and it goes ahead and tallies votes. If we use two or three different software packages, they should pretty much agree. Our error rate should be less than one in a hundred thousand, or maybe even a million. Should be pretty darn low. Then we hand-tabulate a few of these just to double-check, make sure everything is all right. We now have hard counts.

[00:18:26] People add up the counts and, as always, you have election observers from the two major parties and the minor parties watching this whole process.

[00:18:38] I am for absolute transparency here. I think all of those images of the votes should also be made available to anyone who wants to download them. This is the age of the internet. Why are we not making the images of the votes available for anyone who wants to look at them? Private individuals can tally the votes and come up with what should have happened, what the count should be.

[00:19:06] You expect a little bit of variance, but absolute transparency. People add up those votes. It’s all audited. There are cameras running, webcams 24/7, watching the voting machines, watching the election workers, streaming to anyone who cares to look. Now we have absolute transparency. Now we can believe the vote.

[00:19:30] That, I think, is the only way we can handle this.

[00:19:34] Is that how much involvement China really had? How much involvement did Russia have? I strongly suspect Russia had a lot of involvement here in hacking, in fact even our voting machines, as we talked about in the last hour, because of the SolarWinds hack. How about China? They’re saying it looks like it could be a major influence and have had a big impact on the election in a number of ways, but we’re not going to get into that right now.

[00:20:02] Those big hacks have been very successful against larger companies. All but one of the Fortune 500 apparently was affected, and some 22,000 managed services providers countrywide use it. According to SolarWinds, about 18,000 businesses were using the affected, or infected, depending on how you want to look at this, software. That’s a real big deal, frankly. How about you and me? What does it mean to us as business people, as home users, et cetera? I want you guys to understand this a little better, so I’m going to explain it, and I appreciate all the comments I’ve had about how much you guys appreciate me doing a little deeper dive into this, far deeper than most anyone else can. You get these guys on the radio that just talk about absolute fluff in technology, mainly because they don’t know any better. I’ve just been doing this for too long.

[00:21:04] One of these commentators, a lady who’s had her own radio show for years. It just amuses me to know she was a marketer for years before she got on the radio. Maybe that’s why she’s a lot more successful on the radio than I am, but I’m much more successful in tech than she is.

Affects End Users

[00:21:22] You as a regular end-user are probably not badly affected by this hack, this SolarWinds hack, and all of the subsequent hacks that happened. It’s probably not a huge deal for you, because your home computers were not running this Orion software from SolarWinds, and you’re probably not using any of the other software that’s out there. I’m continually reminding everybody, and I’m covering this as well in my Windows Hardening Course, which is coming up soon.

What Should You Do?

[00:21:57] When I was recording this week, it made me think about this a little bit, that you and I, as home users, know better than to buy things like Norton and try and use them, or some of these other antivirus products, because in this day and age with Windows 10, just not considering anything else in the network but just the computer itself, you are probably best off using Windows Defender and making sure your computer stays up to date.

[00:22:30] You also know, if you want to spend a couple of bucks, there is some other good stuff out there that’s going to help, and one of those is Malwarebytes. In fact, I’m going to try and include a link to some of the Malwarebytes stuff this week. Malwarebytes is another good little piece of software to have, and you know how much I like Umbrella.

[00:22:51] You’ll find that online, of course, and you can get the free version. You can get the paid version. If you are a business, you need to talk to a reseller, like me, and have them set you up with the business version. Those three things are going to go a very long way.

MSPs are Liable

[00:23:10] Obviously you need to lock down Windows and harden it. That’s why we’re doing this whole little course coming up here soon. If you are a business, now you might be in some trouble. I have been saying now for three, four years, as well as the FBI has been saying this, and I covered it in some of the FBI InfraGard webinars that I hosted: if you’re an MSP, if you’re a managed services provider or break-fix shop, in other words, if you take care of other people’s, and more particularly businesses’, computers, you are a major target. You have to pull up your socks.

[00:23:52] Now, the Department of Defense, with this cybersecurity maturity thing that they’ve come out with, CMMC. They have made it very obvious, because it specifically says that if you are a managed services provider, you have to meet the requirements that the Department of Defense is putting on to their customers or their suppliers. I think that makes a lot of sense.

[00:24:18] If you are a managed services provider, you probably have pretty much, if not completely, full access to your customers’ computers and networks. So if you have a customer that deals with the Portsmouth Naval Shipyard, for instance, that is a federal government DoD facility, and if those DoD contractors that are out there on base have to meet certain requirements for cybersecurity, you would expect that you as a managed services provider have to meet those same requirements.

[00:24:52] The answer is yes, absolutely you do. We’re talking about some serious policies and procedures, some serious hardware to help make sure everything’s working right, some serious monitoring of the hardware and the software and the alerts. It’s a lot of work.

[00:25:09] We’ve talked about it before. Basically, if you have less than 200 people, you probably can’t afford it. There is no easy button when it comes to the NIST 800-171 or the CMMC standards. So you turn to one organization, that’s a managed security services provider, and you expect that they are going to be able to take care of you. I don’t think that’s unreasonable.

[00:25:35] What should you be doing? How can you have these guys take care of you? The answer is almost none of them can. No, they’ll say so. They’ll put a nice little logo up on their site and, oh my gosh, aren’t we just Mr. Wonderful, Mrs. Wonderful. In reality, many of these companies know the buzzwords. They know the key phrases, but they are not up to snuff when it comes to doing security, including their own security.

[00:26:06] So they’ll go to other vendors. They go to distributors, try and get some help. This goes back to how I started out here, talking about these tech shows, where the host really knows very little about the actual technology. You want someone that understands. If you want a good meal, you’re going to go to one of these celebrity chefs. They know the business, and they know the business from the start to the end. You’re not going to go to a fry cook from Wendy’s in order to get a great meal. Now, you might get a decent meal.

[00:26:42] So the Department of Defense is now pushing all of these standards down to the MSSPs. This is why we are actually a Master Managed Security Services Provider. We provide security services through and for these Managed Services Providers. I think that just makes a whole lot of sense, but these companies have access to other businesses.

That’s Where the Money Is

[00:27:07] Computer networks have been under attack forever, and this now proves the point I’ve been trying to make for years, which is the SolarWinds attack was directed at 22,000 companies that call themselves Managed Services Providers. Why? Because that’s where the money is. That’s where the access, the keys to the kingdom, for so many companies and so many government agencies are: these managed services providers.

[00:27:43] Now, this is difficult, because I promised this week to get something out about selecting a managed services provider. I have something; if you want a copy of it, make sure you email me, because I got a little checklist that I put together. It’s one of these generic ones.

[00:28:01] I’m not trying to say, “Hey, you got to hire me.” Do you know how that goes? Where they put out an RFP, a request for proposal, and there’s only one company in the whole world that could possibly meet all of those specific requirements: been in business 30.6 years, is located within two miles of us, et cetera, et cetera. No, that’s not what this is. This is a real nice generic list that you can use to help evaluate anyone out there that is going to be helping you out with your security.

[00:28:34] So whoever it was, the Russians most likely, knew what they were doing. So they got not only the 22,000 managed services providers that they had in their sights, but they also got all of these government agencies, and all but one of the Fortune 500 is right there in their sights.

[00:28:55] They are not stupid. This was a very difficult hack and they pulled it off. They would have been continuing to pull it off, frankly, for a very long time. 

[00:29:06] So if you outsource your IT, which you have to do, because that’s the only easy way to get some real talent part-time, which is what most small businesses need. They don’t necessarily need a full-time person on their staff. They need full-time attention, and you got to pay attention.