
Exactly my thoughts and confusion. It was a valid signed component of the SolarWinds application... so... how did the attackers manage to sign it and publish it as a legitimate update? I used to work at a bank and any software deployment had multiple automatic and manual checks. Multiple senior engineers and managers had to approve the publish.

Was someone being blackmailed? Or a malicious actor managed to gain employment?



There could be many vectors including the compromise of the build server.

That Jenkins plugin you haven't updated in years. Or that maven package no one knows about.

Third-party risk management is unfortunately not a well-funded cyber security vertical.


SolarWinds is not your average software company. Look at their customer list. They would have had ISO certifications and independent third-party audits done a billion times. Those types of companies don't even speak to you if you don't have those credentials.

You think you are supplying software to all the armed forces branches and "forgot" to update a Jenkins plugin?


Yes, absolutely. Oh, the amount of outdated software that your average corp runs is mind-blowing. Not only that, but if you have a tight IT department, the amount of shadow IT that happens because of the too-onerous processes put in place by IT will leave so much infrastructure that is critical but not managed correctly.

As a security professional, getting people to upgrade simple software is difficult enough; upgrading critical infrastructure used 24/7 by the development team... forget about it.


The corporation probably doesn't even know; IT management is all outsourced.


>You think you are supplying software to all the armed forces branches and "forgot" to update a Jenkins plugin?

Yeah. Just now I am reading that their FTP servers had such a weak password that it allowed the pentester to upload/replace any binary back in 2019.


One conclusion is that process and certification are a waste of time and get you stuck with the same crappy software forever.


No, just hacked. Code signing keys get abused all the time. It's why Microsoft now insists they're held in hardware devices, whereas they used to allow them to be free-standing files, but it hardly helps.

If you think about it for even a moment, you'll see that for code signing to be meaningful, it requires a completely locked-down software supply chain, including controls that trace through developer laptops and third-party open source code that's pulled into your application. The typical app developer combines components from a huge number of sources of unknown reputability and security strength, which are then all executed on laptops that have permission to push arbitrary jobs to CI clusters.
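The point made across this thread, that a valid vendor signature only proves the build server signed the artifact, not that the artifact is what the source says it should be, as an added example that is not from the original discussion. It uses HMAC as a stdlib-only stand-in for the pipeline's signing key (an assumption; real pipelines use asymmetric keys, ideally in an HSM) and constructed sample artifacts; the second check, a byte-for-byte comparison against a rebuild from tagged source on independent infrastructure, is what catches an implant inserted on a compromised build server.

```python
import hashlib
import hmac

# Constructed stand-in for the build pipeline's signing key (assumption: HMAC is
# used here only so the example runs with the standard library).
PIPELINE_SIGNING_KEY = b"constructed-pipeline-signing-key"


def sign(artifact: bytes) -> bytes:
    """The build server signs whatever it produced; a compromised server signs the implant too."""
    return hmac.new(PIPELINE_SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, sig: bytes) -> bool:
    """Check 1: the vendor signature, the only check the thread says SolarWinds customers had."""
    return hmac.compare_digest(sign(artifact), sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(artifact: bytes, sig: bytes, independent_rebuild: bytes) -> dict:
    """Run both checks. Check 2 compares the shipped artifact to a rebuild produced from
    the tagged source on infrastructure the build server cannot reach."""
    return {
        "signature_valid": signature_valid(artifact, sig),
        "matches_rebuild": sha256_hex(artifact) == sha256_hex(independent_rebuild),
    }


# Constructed sample: the artifact the committed source actually produces.
CLEAN_BUILD = b"vendor-agent.dll::legitimate code"
# Constructed sample: the same build with extra code inserted on the build server.
TAMPERED_BUILD = CLEAN_BUILD + b"::implant"


def demo() -> dict:
    """Both artifacts carry a valid pipeline signature; only the rebuild check tells them apart."""
    return {
        "clean": verify_release(CLEAN_BUILD, sign(CLEAN_BUILD), CLEAN_BUILD),
        "tampered": verify_release(TAMPERED_BUILD, sign(TAMPERED_BUILD), CLEAN_BUILD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```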



