SolarWinds Hack – Exploitation Of The Development Process

The increasing rate of hacking, together with the sophistication of the methods used, is quite alarming. The SolarWinds attack shows a well-organised, targeted and phased execution, planned with precision.

How can the development and deployment lifecycle process be improved?

The tech industry talks about development best practices and standards, and companies go further to develop their own internal processes and standards.

Case Study

I will be using the Microsoft analysis of Solorigate to discuss why it is vital to have a development process in place.

The affected DLL was digitally signed, which means the hackers could access the source code before deployment. Let us focus on this aspect of software vulnerability.

I have heard developers say in the past, “the documentation is the code”. Unfortunately, this is where the hacking began. The development environment seems to be the least likely place for an attack to occur, so everyone lets their guard down. Solorigate tells us otherwise.

So how can we improve this part of the process? I have to say, it starts with simple documentation. Your documentation should list critical components such as classes, subclasses and methods. The fact that someone could create a class in your library undetected shows a flaw in the release process.

During the review process, check what has changed using a source-code management tool. A new class, or code that is not owned by anyone in your team, should trigger an automatic software audit. Create an algorithm that escalates to security and freezes deployment.

Update Security Training

In the past, security training and warnings always focused on attackers gaining access by obtaining passwords or by being on-site to inject malicious code. Companies' security training needs to be updated to include potential source-code hacking.

Update Development Process and Standards

Development communities need to be more conscious of the code they put into production and check that they know who owns every change. If the owner has left the company, that code should not change unless someone still on the team changes it. Developers should cross-check all code.

Generate a list of classes, check what has been added, and verify there are no ghost developers in your team. 

The SolarWinds hackers injected a block of code. A sound defensive development process and coding standard would have caught it: the injected code invoked thread creation differently from the way the rest of the code base does, which appears to violate their internal coding standard. It sticks out like a sore thumb.

Source: Microsoft.com
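The three checks described above (a class that is missing from the documentation, a class whose owner is not on the team roster, and code that breaks the project's own coding standard) can be run automatically before a release. The following is an added example, not code from the original post nor from SolarWinds or Microsoft. It works on a Python code base and uses constructed inputs: the documented class inventory, a team roster, a per-class author map as a blame tool would report it, a source snapshot, and an assumed coding standard that all threads are created through a helper named `run_in_background`. Any finding freezes deployment.

```python
"""Release audit for a Python code base (added example): parse a source snapshot, compare
its classes with the documented inventory, check each class has an owner on the team
roster, and flag thread creation that bypasses the project's approved helper."""
import ast
from dataclasses import dataclass, field

# Constructed inputs; none of these names come from a real project.
DOCUMENTED_CLASSES = {"BackgroundInventory", "InventoryScheduler"}  # from the design docs
TEAM_ROSTER = {"alice", "bob"}                                     # active developers
CLASS_AUTHORS = {                                                  # as a blame tool reports it
    "BackgroundInventory": "alice",
    "InventoryScheduler": "bob",
    "TelemetryHelper": "mallory",  # hypothetical ghost developer, not on the roster
}
# Assumed coding standard: threads are only created via run_in_background().
APPROVED_THREAD_HELPER = "run_in_background"

SOURCE_SNAPSHOT = '''
import threading

def run_in_background(target):
    t = threading.Thread(target=target, daemon=True)
    t.start()
    return t

class BackgroundInventory:
    def refresh(self):
        run_in_background(self._collect)
    def _collect(self):
        pass

class InventoryScheduler:
    pass

class TelemetryHelper:
    def start(self):
        # Bypasses the project helper and creates a thread directly.
        threading.Thread(target=self._run).start()
    def _run(self):
        pass
'''


@dataclass
class AuditReport:
    undocumented: set = field(default_factory=set)           # classes absent from the docs
    ghost_owned: dict = field(default_factory=dict)          # class -> owner not on the roster
    standard_violations: list = field(default_factory=list)  # (line, function) pairs

    @property
    def freeze_deployment(self) -> bool:
        return bool(self.undocumented or self.ghost_owned or self.standard_violations)


def extract_classes(source: str) -> set:
    """All class names defined anywhere in the source."""
    return {n.name for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)}


def find_direct_thread_calls(source: str, helper: str) -> list:
    """(line, enclosing function) for every threading.Thread(...) call outside the helper."""
    violations = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef) or func.name == helper:
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "Thread"
                    and isinstance(node.func.value, ast.Name)
                    and node.func.value.id == "threading"):
                violations.append((node.lineno, func.name))
    return violations


def audit_release(source, documented, authors, roster, helper=APPROVED_THREAD_HELPER):
    report = AuditReport()
    classes = extract_classes(source)
    report.undocumented = classes - documented
    for cls in sorted(classes):
        owner = authors.get(cls)
        if owner not in roster:  # unknown owner, or an owner who is not on the team
            report.ghost_owned[cls] = owner
    report.standard_violations = find_direct_thread_calls(source, helper)
    return report


if __name__ == "__main__":
    r = audit_release(SOURCE_SNAPSHOT, DOCUMENTED_CLASSES, CLASS_AUTHORS, TEAM_ROSTER)
    print("undocumented classes:", r.undocumented)
    print("ghost-owned classes:", r.ghost_owned)
    print("coding-standard violations:", r.standard_violations)
    print("freeze deployment:", r.freeze_deployment)
```

In a real pipeline the documented inventory would be generated from the design documents, the author map from the version-control blame output, and the audit would run as a gate in the release job; the point of the example is that each of the three checks is cheap and mechanical once the inventory exists.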

Store configurations and code separately

The hack exploited known development practices. For example, the malicious code stops when it identifies a test environment by checking for the word "test" in the domain name. Put environment-specific information in a configuration file and in tables in your database. Do not hard-code names and sensitive environment information.

Keep configuration and code in separate repositories. If your source code gets into the wrong hands, the configuration will not be with it.
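As an added example (not code from the original post), here is a small review check that scans source for hard-coded hostnames and environment names, run against two constructed snippets: one that embeds the environment decision in the code, and one that reads the same settings from a configuration file whose path comes from the environment. The settings file, the `APP_CONFIG` variable name and the `alerts_enabled`/`monitor_host` keys are assumptions made for this example.

```python
"""Added example: find environment-specific literals hard-coded in source, and load the
same settings from a separate configuration file instead."""
import json
import os
import re
import tempfile

DOUBLE_QUOTED_RE = re.compile(r'"([^"\n]*)"')
SINGLE_QUOTED_RE = re.compile(r"'([^'\n]*)'")
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
ENV_WORD_RE = re.compile(r"\b(test|dev|uat|staging|prod|production)\b", re.I)
# Dotted literals ending in these are file names, not hostnames.
FILE_EXTENSIONS = {"json", "yaml", "yml", "ini", "cfg", "py", "dll", "exe", "txt", "log"}

# Constructed "before" snippet: environment name and hostname live in the code.
HARDCODED_SNIPPET = '''
def should_send_alerts(fqdn):
    if "test" in fqdn.lower():           # environment name hard-coded
        return False
    return fqdn == "monitor01.prod.example.com"   # hostname hard-coded
'''

# Constructed "after" snippet: the code carries no environment-specific literals.
CONFIG_DRIVEN_SNIPPET = '''
import json
import os

def load_settings():
    # The path comes from the environment; the file lives in the separate config repository.
    with open(os.environ["APP_CONFIG"]) as fh:
        return json.load(fh)

def should_send_alerts(settings, fqdn):
    return settings["alerts_enabled"] and fqdn == settings["monitor_host"]
'''


def classify_literal(value: str) -> list:
    """Return the kinds of environment information a string literal appears to contain."""
    kinds = []
    if HOSTNAME_RE.match(value) and value.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
        kinds.append("hostname")
    if ENV_WORD_RE.search(value):
        kinds.append("environment-name")
    return kinds


def find_hardcoded_environment(source: str) -> list:
    """(line, kind, literal) for every string literal that looks environment-specific."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern in (DOUBLE_QUOTED_RE, SINGLE_QUOTED_RE):
            for match in pattern.finditer(line):
                for kind in classify_literal(match.group(1)):
                    findings.append((lineno, kind, match.group(1)))
    return findings


def load_settings(path: str = None) -> dict:
    """Config-driven loader: the path comes from APP_CONFIG unless given explicitly."""
    with open(path or os.environ["APP_CONFIG"]) as fh:
        return json.load(fh)


def should_send_alerts(settings: dict, fqdn: str) -> bool:
    return bool(settings["alerts_enabled"]) and fqdn == settings["monitor_host"]


def demo() -> tuple:
    """Write a constructed settings file to a temporary path and use it the config-driven way."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump({"alerts_enabled": True, "monitor_host": "monitor01.example.org"}, fh)
        path = fh.name
    try:
        settings = load_settings(path)
        return (should_send_alerts(settings, "monitor01.example.org"),
                should_send_alerts(settings, "other.example.org"))
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("hard-coded snippet:", find_hardcoded_environment(HARDCODED_SNIPPET))
    print("config-driven snippet:", find_hardcoded_environment(CONFIG_DRIVEN_SNIPPET))
    print("alerts for monitor host / other host:", demo())
```

The scanner is deliberately simple (regular expressions over string literals), so it will produce some false positives; it is meant as a review aid that makes environment literals visible, with the configuration repository as the place those values belong.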

References

  1. https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
  2. https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
  3. https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

Any Strategic Thinkers Out There?

Lately, I have seen the need for strategic thinkers in the decision-making process to transform society, environment and culture.

What are the characteristics of non-strategic thinkers?

  • The decision-making process is slow. Dithering, procrastinating and uncertainty are words that come to mind.
  • The review intervals are too short. Critical factors are not taken into account during the decision-making process. This leads to decisions being revised often.
  • There is no clear vision. Businesses, departments and teams cannot take decisions because the vision is not clear. When the decision is finally made, it comes late. Those who depend on it then have to scramble to meet deadlines and may deliver late.

Strategic Thinkers

Most definitions I have seen define strategic thinkers within the context of a company. Strategic thinkers have no constraints. Their focus should be on their goal of providing a clear vision of the future.

They can see how the future should be and what is required, and they communicate their vision clearly, and all stakeholders can see their role in this vision.

These thinkers are not concerned about limitations, technologies, legacy or resources. They are free of these shackles. They say this is where we should be, why we should be there and what we should do to get there. Some call them visionaries or pioneers.

Characteristics of a strategic thinker

  • Out-of-the-box thinkers. They are not constrained by the way things have been done already.
  • Explore the possibilities. They are willing to try different things and are not rigid.
  • Challenge the norm or so-called best practices. They look at best practices and standards and are willing to challenge them.
  • They are agile by design. These thinkers can adapt and willingly embrace change.
  • They are disruptive and transformative. The strategic thinker brings about change in environment, society, culture, industries and governance.
  • Clarity of vision. Businesses, companies, departments can take decisions based on clear vision and guidance.
  • Fewer reviews. The vision is holistic and principle-based in its scope and has timeless relevance.

Strategic thinkers can be found in any environment. Their title is no indication of who they are.

The Sun Has Risen On IT

When I look back at businesses over the years, IT people were at the bottom of the pile. They were the embarrassing ones the company hid in the basement or a darkroom somewhere, not to be seen by the business. Perhaps it was the way they dressed? T-shirts, socks and all in a corporate environment. Oh, and there were language differences too.

A conversation with an IT help desk went like this:

Conversation 1

You: “Hello, my application is frozen.”

IT: “Have you tried restarting your computer?”

You: “Well, no. Why do I need to restart my computer?”

IT: “*&(#!! Jargon speak.”

You: “Ok. I will restart my computer now.”

You restart your computer, and it works! Wow, how did they know that was the issue? They are so smart.

Conversation 2

You: Hello, I am unable to connect to an application.

IT: Was the “exe” installed?

You: What is “exe”?

IT: It is the executable that runs when you click on your icon.

IT: In your search type “cmd” and go to the command window.

You: Where is the search?

IT: Explains…

You: I am in the command prompt.

IT: Type “ipconfig” …

The acronyms are still there, but they are not limited to IT. You spend years learning how to spell words, only to contract them for whatever reason. A simple example would be: is the “DB” up and running? Are all the “apps” deployed correctly? Do we need to install “SSDs”?

Fast forward many years, and we are now fully trained to restart our computers when we have issues. We know to save our work. Years of hard work to prepare the masses to use computer technology have finally paid off. We are now in the cloud.

IT staff can now remote to your desktop and not ask you silly questions.

People are now using technology to make everyday life easy. As for the IT guys, well, most have been brought out of the darkroom, and the sun is shining on them.

They are now the superheroes of the world. During the pandemic, IT companies are enabling businesses to move online. I know people are still asking where online is and what it means to be online, but that is a question for another day.

IT is here to stay. As we go into 2021, it will be interesting to watch how technology hardware and software will evolve.

In case you are still wondering what “IT” is, well, you can ask Siri or Cortana.

Securing Your Digital Assets

Security breaches are occurring every day. You would be forgiven for thinking that your antivirus, security software and all the locks you have in place are enough to protect you and your company.

A company's data refers to all of the company's digital assets, which include company emails, voicemails, files and lots more.

What is a security breach? It is simply unauthorised access. You have a security breach in your house if strangers walk into your home and help themselves to your belongings. Some may force the lock (brute force), some may tailgate you into your house and hide, and others may make a copy of your key and open your door.

The concept is similar for your data. Your application is the interface that gives you access to your data. When thinking about your company's digital assets, you not only have to think about the security of the application; you also have to think about securing every step that leads you to the application. Ideally, the company should carry out all of this analysis long before deploying the application into a production environment.

Let us go back to your home security. If you have your gold stored in a safe in the wall of your study, with a picture over it, do you lock the door of that room and leave the main house and gate wide open? No, you still secure the rest of your home.

Let us look at some of the steps leading to the execution of an application.

  1. Turn on your computer or mobile device
  2. Log in to your computer
  3. Access an application that lives on your computer, or
  4. Access an application that lives in the cloud

There may be more, but I will address these simple steps in this write-up.

Before you turn on your computer, consider whether in the past you have:

  • Visited some strange site
  • Used a USB key that someone gave to you for free
  • Clicked on a link in an email
  • Downloaded malware

When you turn on your computer and the operating system boots up, any of the above may have installed malicious software that executes on boot. Some of it may capture your keystrokes and use them to obtain your password. One gate down, now on to the next.

You now log into the application that gives access to your data. What happens is that the invisible keylogger now also has access to your data, and you do not know it. So how do you know that there is a stranger on your system? You have to be actively monitoring to know.

Most social media sites will send the owner an email saying “you logged in from this IP, is this you?”. These sites have already implemented security by default. For companies with legacy systems, this is not always the case, so they will never know unless they redesign their security framework.

What if you are an application administrator and your password has been stolen? Well, you are doomed. Unless you have a process that notifies you when more than a certain number of rows have been retrieved, you will not know. Or perhaps you have an algorithm that notices unusual patterns in your access and typing and sends you an email, assuming the hacker does not get there first.

Let's face it, serious hackers are not going to retrieve data row by row. They are going for your whole database, or whole directories, files and disks.
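The three signals just described (a login from an address never seen for that account, too many failed logins, and a single query that pulls far more rows than normal) can be monitored from an audit event stream. The following is an added example, not code from the original post; the event format, the thresholds and the sample events are all constructed for the example. It replays a short stream and returns the alerts a defender would want to see.

```python
"""Added example: lockout after repeated failures, new-IP login alert and bulk-retrieval
alert, driven by a constructed stream of audit events."""
from collections import defaultdict, deque

MAX_FAILED_ATTEMPTS = 5        # lock the account after this many failures...
FAILURE_WINDOW_SECONDS = 300   # ...within this window
BULK_ROW_THRESHOLD = 10_000    # alert when one query returns more rows than this


class AccessMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failed logins
        self.known_ips = defaultdict(set)   # user -> IPs seen on successful logins
        self.locked = set()
        self.alerts = []                    # (kind, user, detail) in the order raised

    def _alert(self, kind, user, detail):
        self.alerts.append((kind, user, detail))

    def login(self, ts, user, ip, success):
        """Process one login attempt; returns True only when the login is accepted."""
        if user in self.locked:
            self._alert("attempt-on-locked-account", user, ip)
            return False
        if not success:
            window = self.failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILURE_WINDOW_SECONDS:
                window.popleft()            # forget failures outside the window
            if len(window) >= MAX_FAILED_ATTEMPTS:
                self.locked.add(user)
                self._alert("locked-out", user,
                            f"{len(window)} failures within {FAILURE_WINDOW_SECONDS}s")
            return False
        # Successful login: reset the failure window and check the source address.
        self.failures[user].clear()
        if self.known_ips[user] and ip not in self.known_ips[user]:
            self._alert("login-from-new-ip", user, ip)
        self.known_ips[user].add(ip)
        return True

    def query(self, ts, user, rows_returned):
        """Process one data-access event; alert on an unusually large result set."""
        if rows_returned > BULK_ROW_THRESHOLD:
            self._alert("bulk-retrieval", user, f"{rows_returned} rows")


# Constructed sample event stream (timestamps in seconds; addresses are documentation ranges).
SAMPLE_EVENTS = [
    ("login", 0,   "admin", "10.0.0.5",     True),
    ("query", 10,  "admin", 120),
    ("login", 100, "admin", "203.0.113.9",  False),
    ("login", 110, "admin", "203.0.113.9",  False),
    ("login", 120, "admin", "203.0.113.9",  False),
    ("login", 130, "admin", "203.0.113.9",  True),   # success from an address never seen for admin
    ("query", 140, "admin", 250_000),                # whole-table pull
    ("login", 200, "bob",   "198.51.100.7", False),
    ("login", 210, "bob",   "198.51.100.7", False),
    ("login", 220, "bob",   "198.51.100.7", False),
    ("login", 230, "bob",   "198.51.100.7", False),
    ("login", 240, "bob",   "198.51.100.7", False),  # fifth failure: lockout
    ("login", 250, "bob",   "198.51.100.7", True),   # rejected, account is locked
]


def replay(events) -> list:
    """Feed events to a fresh monitor and return the alerts it raised."""
    monitor = AccessMonitor()
    for event in events:
        if event[0] == "login":
            _, ts, user, ip, ok = event
            monitor.login(ts, user, ip, ok)
        else:
            _, ts, user, rows = event
            monitor.query(ts, user, rows)
    return monitor.alerts


if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(alert)
```

The lockout and the new-IP check only need the authentication log; the bulk-retrieval check needs the application or database to record result-set sizes, which is the part legacy systems most often lack.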

As part of your company's security framework, you have to:

  1. Secure data at rest and in transit
  2. Monitor changes to files
  3. Monitor changes to directories
  4. Remove all unused applications
  5. Change passwords regularly* and avoid default usernames and passwords, which includes using your name as a username
  6. Limit the number of times a user can try to log in
  7. Lock users out after x failed tries
  8. Force a password change after x failed tries
  9. Encrypt your data by default
  10. Protect your users from themselves by educating them on security matters
  11. Users should avoid clicking on links in their email, and should check who sent it first

This is by no means an exhaustive list, but it is a start. Check all gates to your systems and secure them.

*The frequency of password changes should be assessed by each company. We now have GPUs that allow hackers to run code-breaking algorithms faster. Think of ways to defeat their attempts.
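Monitoring changes to files and directories (items 2 and 3 above) is usually done by hashing everything under a root once, keeping that baseline somewhere the attacker cannot reach, and comparing a fresh snapshot against it later. The following is an added example, not code from the original post; it builds a small directory tree in a temporary location, tampers with it, and reports what was added, removed or modified. The file names are constructed.

```python
"""Added example: baseline-and-compare file integrity monitoring over a directory tree."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path (always '/'-separated) -> sha256 for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "service.dll"), b"original build")
        _write(os.path.join(root, "conf", "app.ini"), b"mode=normal\n")
        baseline = snapshot(root)
        # Tampering: a binary is altered, an unexpected file appears, a config disappears.
        _write(os.path.join(root, "bin", "service.dll"), b"original build + injected block")
        _write(os.path.join(root, "bin", "helper.dll"), b"unknown origin")
        os.remove(os.path.join(root, "conf", "app.ini"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline is re-taken only by the release process, so any difference between deployments is by definition a change nobody on the team made; the comparison is the cheap part, and protecting the stored baseline from the same attacker is the part that needs thought.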

Technology – Automatic Landing

Bad weather affects the airline industry more than other modes of transportation. For example, when there is a thunderstorm, you are still able to drive your car, take public transport or take a train (usually). However, when there is a thunderstorm, the airlines in the affected region experience disruption. When this happens, a whole lot of logistical work goes into rescheduling flights, and delays may be experienced at other destinations not affected by the weather.

Not too long ago, about ten years back, travelling by air meant experiencing disruptions due to poor weather. One particular type was flight delay due to fog.

Fast forward to a day in 2020, and there was an announcement at the airport about delays affecting European flights. I thought the delay was due to another French air traffic control strike.

We got on the plane, and the pilot apologised for the delays and stated that they were in fact due to weather disruptions across Europe. I was glad it was over; I did not know what type of weather delay it was.

As we approached our final destination, the captain announced that, due to the weather conditions, we would have an automated landing. All devices had to be powered down, not in flight-safe, sleep or any other sleep-flavoured mode.

I was very excited, as I had never experienced an automated landing. We were all set and ready to go. I looked out of the window, and it was all clouds, with light coming through them as we made our way towards the airport.

The plane began its descent towards the airport as if gliding. I looked out of the window, and it was still very cloudy. I could not see a thing. The wheels came out as the plane progressed towards landing, still very cloudy outside. It felt like we were still in the clouds, and then the tyres were on the runway. Visibility was poor; I could see nothing but what looked like fog lights shining through the deep fog.

The landing was great and made me appreciate the advances in technology even more. What would have been cancellations and hours of delays was saved by technology.