I Guess Chris Krebs was wrong

All of our agencies were compromised including infrastructure of private industry.

100% so was the election infrastructure.

And this guy did a media round to assure us that we were safe and Donald was dangerous for spreading lies.

He should be arrested and imprisoned. What nerve.

Since March! When Krebs told us we were safer than ever this year, right?

Tyranny of Experts

2 Likes

Silent - nice to see you!

Here’s a wonderful analysis for anyone interested in this Solarwinds Orion breach. Short and concise but as you can see - very dangerous.

We use Solarwinds. It basically has its hands in anything on your network. Servers, access points, routers, SQL databases, firewalls, switches, load balancers, you name it. Anything on the network that needs to be monitored. Depending on how it is configured, it can either accept information or it can poll devices. If it is configured for your AD servers, you pretty much hand over the keys to the domain if you give the polling service account enough rights. If you have SSH access to your network devices from Orion and you stupidly save login credentials, they can do or capture whatever they want. Hackers can get an entire roadmap of your company and from there you’re fucked.

Thank you for that explanation. Question.

The Dominion spokesperson came out today and said Dominion doesn’t run Solarwinds.

(Their login page has a Solarwinds logo on it. But let’s grant her that for a second.)

If the voting machines were connected to the internet, and we know they were because they are doing live updates to Edison Research for the media to monitor and track, then…

Would it be possible to hack right through those routers? Particularly if they are utilizing Solarwinds? (Maybe even if they’re not, I suppose.)

When you plug anything directly into the internet, within minutes it will start to be scanned by random bots from all over the world just looking for open ports. These devices were probably behind a router and/or firewall, so not directly connected. Let’s assume they had routers and firewalls monitored by Solarwinds (Orion). Orion has to use a service account to access devices. You probably wouldn’t be surprised to know how lazy and dumb some admins are: they grant this service account more rights than they should. When this happens it’s very possible to access the routers/firewalls using this service account, open them up to whatever you want and blow right past them. This is straight from Solarwinds:

By default, our services run under the NETWORK SERVICE account, which is a pre-existing local account used by the service control manager. By default, it has very limited permissions on the local system and cannot access the network. What permissions Network Service has explicitly is a question for Microsoft, but it is designed to be a low-privilege account.

However, there are scenarios where a server is locked down to the point that the Network Service account cannot access the resources it needs to run our software (such as certain files or directories). In this case, we elevate the privileges of the account, rather than change the account the services are running under.

Having services run under a domain account is, in general, not a great idea. Domain accounts are more likely to be restricted by GPOs than local accounts, and there is a greater risk that something could happen to a domain account (deletion, lock out) vs. the default Network Service account.

While it’s possible that running the software will work this way, we do not support it – meaning we will not help you set it up, and if a problem arises we will likely ask you to change it back to the default.

1 Like
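A way to check the point made in that post on your own Orion server, as an added example that is not from the thread and not SolarWinds' own tooling: it lists the logon account of every Windows service whose name contains "SolarWinds" (an assumed naming convention), flags any that run under a domain account instead of the default NETWORK SERVICE, and for those looks up membership in high-privilege AD groups. It assumes it runs on the Orion server with rights to query services and that the RSAT ActiveDirectory module is installed for the group lookup.

```powershell
# Added example: audit which accounts the Orion services run under and flag
# anything beyond the vendor default (NETWORK SERVICE). Assumptions: run on the
# Orion server, service names contain "SolarWinds", RSAT AD module available.

# Logon accounts that match the vendor's stated default / built-in low-privilege accounts.
$ExpectedAccounts = @(
    'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LocalService',
    'LocalSystem'
)

# Groups a monitoring service account should never be a member of.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

function Get-OrionServiceAccounts {
    # Matching on "SolarWinds" in the service or display name is an assumption.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like '*SolarWinds*' -or $_.Name -like 'SolarWinds*' } |
        Select-Object Name, DisplayName, StartName, State
}

function Test-DomainAccount {
    param([string]$AccountName)
    # Built-ins appear as 'LocalSystem' or 'NT AUTHORITY\...'; anything else of the
    # form DOMAIN\user or user@domain is treated as a domain account.
    if ([string]::IsNullOrEmpty($AccountName)) { return $false }
    if ($ExpectedAccounts -contains $AccountName) { return $false }
    if ($AccountName -like 'NT AUTHORITY\*' -or $AccountName -like 'NT SERVICE\*') { return $false }
    return ($AccountName -like '*\*' -or $AccountName -like '*@*')
}

function Get-PrivilegedGroupMembership {
    param([string]$AccountName)
    # Returns the privileged groups the account belongs to (requires RSAT ActiveDirectory).
    $sam = $AccountName.Split('\')[-1].Split('@')[0]
    try {
        $groups = Get-ADPrincipalGroupMembership -Identity $sam -ErrorAction Stop |
            Select-Object -ExpandProperty Name
    } catch {
        return @("<lookup failed: $($_.Exception.Message)>")
    }
    return @($groups | Where-Object { $PrivilegedGroups -contains $_ })
}

$findings = foreach ($svc in Get-OrionServiceAccounts) {
    $isDomain = Test-DomainAccount $svc.StartName
    $privileged = if ($isDomain) { (Get-PrivilegedGroupMembership $svc.StartName) -join ', ' } else { '' }
    [pscustomobject]@{
        Service          = $svc.Name
        State            = $svc.State
        LogonAccount     = $svc.StartName
        DomainAccount    = $isDomain
        PrivilegedGroups = $privileged
    }
}

# Any row with DomainAccount = True deviates from the vendor default; a non-empty
# PrivilegedGroups column is the case the post above warns about.
$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Orion host. A clean result shows every SolarWinds service under NETWORK SERVICE; a domain account in the list is a configuration the vendor text says it does not support, and a domain account that is also in Domain Admins is exactly the over-privileged polling account the post describes, so reducing that account's rights is the first fix.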

Speaking of the tyranny of experts, here is a talk given by Walter Williams.