Topic: The president ordered a board to investigate a massive Russian cyberattack. It didn't.

Online rangerrebew

  • TBR Contributor
  • Posts: 177,003
The president ordered a board to investigate a massive Russian cyberattack. It didn't.

By not investigating how the SolarWinds hack exploited Microsoft software, the Cyber Safety Review Board missed an opportunity to prevent attacks, experts say.
CRAIG SILVERMAN, PROPUBLICA | JULY 8, 2024 06:22 PM ET

After Russian intelligence launched one of the most devastating cyber espionage attacks in history against U.S. government agencies, the Biden administration set up a new board and tasked it to figure out what happened — and tell the public.

State hackers had infiltrated SolarWinds, an American software company that serves the U.S. government and thousands of American companies. The intruders used malicious code and a flaw in a Microsoft product to steal intelligence from the National Nuclear Security Administration, National Institutes of Health and the Treasury Department in what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen.”

The president issued an executive order establishing the Cyber Safety Review Board in May 2021 and ordered it to start work by reviewing the SolarWinds attack.

But for reasons that experts say remain unclear, that never happened.

https://www.defenseone.com/threats/2024/07/biden-ordered-investigation-massive-russian-cyberattack-it-didn/397890/
The unity of government which constitutes you one people is also now dear to you. It is justly so, for it is a main pillar in the edifice of your real independence, the support of your tranquility at home, your peace abroad; of your safety; of your prosperity; of that very liberty which you so highly prize. But as it is easy to foresee that, from different causes and from different quarters, much pains will be taken, many artifices employed to weaken in your minds the conviction of this truth.  George Washington - Farewell Address

Online Timber Rattler

  • Hero Member
  • Posts: 3,772
  • Conservative Purist and Patriot
They squashed it to protect Microsoft.
aka "nasty degenerate SOB," "worst of the worst at Free Republic," "Garbage Troll," "Neocon Warmonger," "Filthy Piece of Trash," "damn $#%$#@!," "Silly f'er," "POS," "war pig," "neocon scumbag," "insignificant little ankle nipper," "@ss-clown," "neocuck," "termite," "Uniparty Deep stater," "Never Trump sack of dog feces," "avid Bidenista," "filthy Ukrainian," "war whore," "fricking chump," "psychopathic POS," "depraved SOB," "Never Trump Moron," "Lazarus," and "sock puppet."

"In a time of universal deceit - telling the truth is a revolutionary act."  ---George Orwell

Online DefiantMassRINO

  • Hero Member
  • Posts: 11,276
  • Gender: Male
SolarWinds was not owned by Microsoft.

All the Russians did was exploit a publicly-exposed, weakly-secured online SolarWinds software code repository to slip a Trojan Horse into SolarWinds software code that would be distributed to SolarWinds customers as part of normal software upgrades and updates.

As the SolarWinds software had to be deployed and to be run with Administrator privileges on Windows systems, it was a perfect delivery system for Trojan Horse software code.

If you are going to be a decent systems administrator, you need a healthy dose of paranoia.  Many software startups are run by younger persons who did not grow up during the Cold War.  They are evangelists for open source software and open source software collaboration.  Open source software and open source software collaboration (aka Commie-ware) is insecure by its open nature.
"Political correctness is a doctrine fostered by a delusional, illogical minority, and rabidly promoted by an unscrupulous mainstream media, which holds forth the proposition that it’s entirely possible to pick up a turd by the clean end." - Alan Simpson, Frontline Video Interview

Online Timber Rattler

  • Hero Member
  • Posts: 3,772
  • Conservative Purist and Patriot
Quote
Nor did the board probe SolarWinds for its second report.

For its third, the board investigated a separate 2023 attack, in which Chinese state hackers exploited an array of Microsoft security shortcomings to access the email inboxes of top federal officials.

A full, public accounting of what happened in the SolarWinds case would have been devastating to Microsoft. ProPublica recently revealed that Microsoft had long known about — but refused to address — a flaw used in the hack. The tech company’s failure to act reflected a corporate culture that prioritized profit over security and left the U.S. government vulnerable, a whistleblower said.

Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says

https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers

Quote
The product, which was used by millions of people to log on to their work computers, contained a flaw that could allow attackers to masquerade as legitimate employees and rummage through victims’ “crown jewels” — national security secrets, corporate intellectual property, embarrassing personal emails — all without tripping alarms.

To Harris, who had previously spent nearly seven years working for the Defense Department, it was a security nightmare. Anyone using the software was exposed, regardless of whether they used Microsoft or another cloud provider such as Amazon. But Harris was most concerned about the federal government and the implications of his discovery for national security. He flagged the issue to his colleagues.

They saw it differently, Harris said. The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing.
« Last Edit: July 11, 2024, 02:14:47 pm by Timber Rattler »
Offline roamer_1

  • Hero Member
  • Posts: 35,540
If you are going to be a decent systems administrator, you need a healthy dose of paranoia.  Many software startups are run by younger persons who did not grow up during the Cold War.  They are evangelists for open source software and open source software collaboration.  Open source software and open source software collaboration (aka Commie-ware) is insecure by its open nature.

Quite the opposite is true. Open software is honest software. And it is very hard to maintain malicious code within code that everyone can see... Which is also why so little exists in the way of such code in the Linux ecosystem. You can quite reliably go without antivirus measures using any mainstream Linux variant, and be perfectly fine.

There is no advantage in code obfuscation. It does nothing. It is as useful as copyright protections... which is not much use at all.