With the rise of more Ransomware attacks — the most recent hitting Silicon Valley VC firms, I decided to re-post this reminder.
I wrote this a few months ago as the recrimination and finger pointing continued centred on the Solarwinds hack that showed why we need to move beyond Passwords, as subsequent hacks show — the Colonial Pipeline hack on the eastern seaboard, JBA stopping much of US beef production, a Florida water treatment plant under water, the list is now endless as we enter the realms of Ransomeware-as-a-Service.
Whilst we have (APT) Advanced Persistent Threat teams working away, it is far easer to just blame Russia, North Korea, China and Iran. Then case closed. Are we really surprised these types of hacks take place? The average hack remains undetected for 220 days or more…with the first signs of abuse when the organisations data becomes available for sale on the Dark Web — often sold through data brokers. I also suggest those intent on stealing your information assets are already on the inside — the enemy within, like a sleeper agent, waiting to burst into polynomial life.
Whilst the precise details of the SolarWinds attack may never be know it is clear a catastrophic event happened. A critical collapse at every level of security. Or was it? Given the lessons from Sandworm attacks on US national infrastructure were themselves simple in approach and execution. The plan is always to create a beachhead, then press the button on a cascade strategy — get further inside, hide, gather and distribute, then spread the infectious malware far and wide, and keep repeating.
It is always interesting to me to witness how large businesses, government agencies and national infrastructure work with cyber security firms. In this case the compromise (a sunburst) was directed against the Orion development environment, highlights the sheer scale of the vulnerability, and how inadequate any cyber security systems really is.
Will the Solarwinds attack become the new ‘poster boy’ for the hacking community, whether state sponsored or frustrated opportunist given the amount of mayhem that it created? How sophisticated was the SolarWinds attack? In my view not very, but it was genius thinking.
They found a way in using a compromised User Account — Password, created a small gap through which a malware was injected. The new patch on a development system distributed to all users and systems to make things more secure, was the issue. They were about to compromise a software update the Cyber Security software was going to deploy. In other words they were about to commit the ‘perfect crime’ — the defenders unknowingly compromising their own systems! Don’t you just love it.
Every hacker is wishing they thought of it — injecting malware into a trusted SolarWinds software update, the hackers were able to remain undetected, across the entire user network for months and months, pulling data from everywhere. We may never know how long they were on the inside.
Once on the inside the hackers compromised and collected all users identity access rights, secure tokens to keep unlocking systems, even the heavily encrypted ones. I bet the hackers couldn’t believe their luck. A simple intrusion strategy that manifested in seeing and knowing everything. Happy days!
The way in? Point of least resistance — is mostly linked to human frailties, mistakes, stupidity and cross use of credentials and user name/passwords across apps, mixing social and business activities from a single device, moving from one to another while keeping everything logged in. Fatal when using a publicly visible browser connected to the Internet. Or was the vulnerability the generic password sent with the Orion update, part of an automated software update, where Admin Rights handled global decision making? Or was it a case of get inside, find the server or user areas that hold all of the passwords, an old ploy.
The strategy was clearly those of a rogue state, given the size of the opportunity an ‘update server’ that supports thousands of high-security organisations that in this instance included the US Departments of Defence, Homeland Security and other core functions — all at once.
After all there are three reasons to hack –
Steal State Secrets.
Plants and Distribute Misinformation.
Steal Money.
The question remains do cyber security companies ‘eat their own dog food’and would we know? We can be sure based on similar hacks, the developer or engineer preparing the distribution of the ‘patch’ to gain access to the Orion update server, the password was likely to be ‘SolarWinds123’? Maybe not? I would still have a small wager on this one…
The common theme — 90% of hacks breach use old fashioned Passwords. The root cause of most security issues and the people Passwords are attached to, especially now we have 90% of the people outside the company infrastructure working from home, in a post pandemic world.
Indeed the SolarWinds’ CEO confirmed “the Office 365 environment was the likely first breach, to gain access to employee email accounts opening the door wide open to the Orion systems development server, from which new code could be distributed unchallenged’.
Eventually the CEO Sudhakar Ramakrishna mentioned in a blog “We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles,” he continues “By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”
Makes perfect sense – attack the bodyguard, of the bodyguard…
What has made the Solarwinds hack more interesting, it emerged hackers were covering their attacks, in a sense walking back over their steps, removing fingerprints and deleting any evidence they were there (in the system) at all. All this without the use of Quantum AI systems?
The next evolution of threat is shapeshifting code, that hides. If detected copies itself, moves, destroys itself, or fragments. All this hack did was disguise itself, as one of the good guys, piggybacking on the good guys system. A free pass.
Could this hack have been prevented?
There are wide range of open source algorithms delivering quantum-safe ‘belt and braces’ public key encryption, not only removing the primary threat but also securing what we have today. A simple relatively inexpensive overlay. The second level ‘braces’, the one that really holds your trousers up, not the belt which is for show, that keeps things neat a tidy and stops the ugly bits leaking.
The bad actors is not just the hacker, but also the use of Passwords themselves, your Users (staff) become bad actors, they are part of the crime itself due to laziness, stupidity and ignorance. One can also argue your Cyber Security Department was asleep at the wheel. Unfortunately, Passwords are a poor 20th century concept that implicates everyone and makes everyone a target. As soon as a single password or a single user is compromised, the entire infrastructure is deemed open, vulnerable, and every security system rendered worthless. A single point of failure system, one stupid User ruins everything.
Two things are important in any system and organisation. Validating who or what is at each end of the network (person and device), and the validation of the content about to be sent as trusted data/information, which may already be infected.
2FA
Even with 2FA (two factor authentication in place), a breached Office 365 email account may still have allowed an attacker to gain entry with the users phone or message services ( iMessage) going visibility of the 2FA code sent to the device, the issue remains — Who is it? The addition of the Second Factor is no longer enough. The only way for authentication to work is when access credentials are tied biometrically to the individual, and doesn’t become a best kept shared secret existing in more than one place like a password, pin code or record of a fingerprint scan that are transferable.
Identifying who is in your network beyond reasonable doubt, man and/or machine. To validate what exactly is being sent down the pipe, across the network. The Solarwinds hacks demonstrates the new security patch was probably already infected. Unfortunately biometrics has had a bad reputation recently — solutions can be expensive and also tied to a validation point centrally or on each device, as biometric files can be large, making them harder to work with and not able to be sent efficiently, maybe unless ‘hashed’ to a secure Blockchain, using a zero trust protocol. The other issue is any file holding the usernames and password — its continued ‘state’ is not know — because data holds no intrinsic value in a network, and pass willy nilly without a care or thought, because it has no value, which is another story.
How to validate Who, having seen the recent Tom Cruise Deep Fake messages going around where he discusses ‘cryptocurrencies’, true authentication is often dependent on independent corroborative checking. But it gets worse as all trust evaporates as soon as a users mobile phone is compromised, lost or stolen. A trust network requires everyone to be vigilant and comply, one mistake is all it takes. This is because the hackers toolkit makes it easy for them to re-trace fingerprints, facial recognition (re-facing to replace or bypass the user) from what is already stored on the device. The single point of failure being all data can be Copied, Edited and Pasted.
Is Bio-metrics the answer?
The right solution might involve using a biometric check from a trusted third party, a form of multi-party consensus, enabling the user to login from any device and location they choose. But then between systems remains a Byzantine fault where the messages can be intercepted.
Each device has an identity — IAM and passwords and even face recognition seemingly validating Who is it really remains a grey area. From an enterprise or large organisation (government) perspective there is no appetite to replace the current infrastructure, as lots of people who have signed off big expenditure will have ‘egg on face’, instead it is possible to add the ‘braces’ (new layer), a set of standards like OpenID Connect already exists.
Replacing SolarWinds password with a simple facial scan, combined with ‘three line voice’ check, before they could access the Orion system, but mostly before the firm’s employees accessed its Microsoft 365 environment. Whilst one can always speculate after the event, a take a superior position of — ‘if only’ there is a strong case that suggests eliminating Passwords and replace this with password less biometric validation would have most likely prevented the breach. We now have to move beyond static and transferable credentials for authentication and non-repudiation, dumping the infamous Password, that hackers take great pleasure, similar to the team at Bletchley Park, solving the puzzle .
However we can take this even further for mission critical “cannot fail” infrastructure such as defence, critical national infrastructure and core capital markets infrastructure. In this scenario the authentication, the ‘key’ is a segregation of duties that control parts of the biometric and device landscape. Separating access rights, from entry rights, from supervisors and admin rights. A rogue nation may still have the resources and capabilities to compromise even this, but it gets harder and may be easier to spot.
The obvious solution — a cryptographically based multi-party approval would be ideal as in the SolarWinds case, where above all else a critical update (software patch) cannot leave the sender, the source — unless a quorum of supervisors and permission have been released.
Whilst these actions may seem unnecessary, as they say in ‘Aliens’ when they decide to take off and newk the entire site from space, as the creatures have assumed control of the facility “Its the only way to be sure”!
Author: Nick Ayton is a futurist, technologist, speaker and writer
© Copyright 2021