- SolarWinds told Congress that the use of the password "solarwinds123" was an intern's mistake.
- A key researcher told Insider that the login credentials had been publicly posted on GitHub for years.
- Cybersecurity experts say the problem does not appear to be just an intern's weak password.
Two SolarWinds CEOs, the current one and his predecessor, told the U.S. Congress last Friday that the exposure of the now-infamous password "solarwinds123" was the result of an intern's mistake in 2017.
Five cybersecurity experts told Insider they believe the issue goes well beyond an intern's weak password and has wide-ranging implications for cybersecurity. Among them is the researcher who discovered the problem with the login credentials for the server used to distribute software updates. An e-mail that appears to have been sent to the researcher by SolarWinds' security team stated that the company's "public credentials" had been "publicly accessible".
The SolarWinds attack used the company's software updates to penetrate the computer networks of nine major U.S. organizations and thousands of companies, a supply chain attack of historic scope. The root cause of the attack has not yet been established, and lawmakers' questioning about the password last Friday raised new questions about the Texas-based IT company's own cybersecurity practices.
Former CEO Kevin Thompson and current CEO Sudhakar Ramakrishna appeared before the House Oversight Committee, where they answered questions about the weak password, which was first reported in December.
California Representative Katie Porter said at the hearing: "I have a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on the iPad. You and your company were supposed to be blocking Russian people from reading emails from the Department of Defense."
Ramakrishna replied: "I believe this was a password that an intern used on one of his servers in 2017. It was reported to our security team and the password was immediately removed."
His predecessor gave a similar response at another point in his testimony. Thompson said: "This was related to a mistake an intern made. They violated our password policy and posted that password internally. Once it was discovered and brought to the attention of my security team, they removed it."
However, cybersecurity experts say the problem appears to involve more than just an intern's error. SolarWinds has not commented publicly on the password issue and did not immediately respond to Insider's request for comment.
According to the researcher who discovered the problem, and screenshots reviewed by Insider, the username "solarwinds.net" and the password "solarwinds123" were visible in a project on the code-sharing site GitHub. The researcher said those credentials would allow access to the SolarWinds server that processed the company's software updates, the very process at the core of the SolarWinds supply chain attack.
The researcher said the public username and password were still in use in November 2019, more than two years after Ramakrishna said they were created. That suggests the problem went beyond an intern's error that was quickly corrected, and instead left key credentials exposed for an extended period, although there is no evidence that the SolarWinds hackers took advantage of this exposure.
Cybersecurity researcher Vinoth Kumar said: "They should say it was open for two years. It was public and allowed access to critical servers." An email apparently sent to Kumar by the SolarWinds security team, dated November 22, 2019, stated: "The GitHub repository misconfiguration has been resolved and is no longer publicly accessible, and the public credentials have also been handled."
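The exposure described above, a username and password committed to a public repository and left there for years, is the class of defect that automated secret scanning is meant to catch before a push is accepted. The following is an added example, not code from SolarWinds, from Kumar, or from the article: a small scanner that walks a constructed in-memory repository, flags credential-like assignments, skips values that are only environment placeholders, and reports why a found password also violates a basic strength policy (contains the organisation name, is a word plus a short digit suffix, uses too few character classes). The file names, contents, the `solarwinds` organisation name used for matching, and the pattern list are all my own assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample repository (path -> contents). These are invented files for the
# demonstration, not files from SolarWinds or from the repository the article describes.
SAMPLE_REPO = {
    "deploy/ftp_upload.ps1": (
        "# constructed sample of a deployment helper committed by mistake\n"
        '$ftpUser = "solarwinds.net"\n'
        '$ftpPass = "solarwinds123"\n'
        'Invoke-Upload -User $ftpUser -Password $ftpPass -Target "downloads.example.invalid"\n'
    ),
    "config/settings.yaml": (
        "database:\n"
        "  user: app\n"
        "  password: ${DB_PASSWORD}   # injected at deploy time, not a secret\n"
    ),
    "tests/fixtures.py": 'SMTP_PASSWORD = "Vq7!t9#LmzP2wXe4"  # constructed, not a real secret\n',
    "docs/setup.md": "Export `API_TOKEN` from your shell before running the uploader.\n",
}

# Assignment-style credential patterns: key, then ':' or '=', then an optionally quoted value.
CREDENTIAL_RE = re.compile(
    r'(?i)(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\s*[:=]\s*["\']?([^"\'\s;,]+)'
)
# Values that reference the environment or a template slot rather than holding a secret.
PLACEHOLDER_PREFIXES = ("$", "{{", "%", "<")


@dataclass
class Finding:
    path: str
    line_no: int
    key: str
    masked_value: str
    reasons: list


def is_placeholder(value: str) -> bool:
    """True when the value is an env-var or template reference, not a literal secret."""
    return value.startswith(PLACEHOLDER_PREFIXES)


def weakness_reasons(value: str, org_names: list) -> list:
    """Policy checks a password should pass even if it were allowed to be stored at all."""
    reasons = []
    lowered = value.lower()
    if len(value) < 12:
        reasons.append("shorter than 12 characters")
    if any(org.lower() in lowered for org in org_names):
        reasons.append("contains organisation name")
    if re.fullmatch(r"[a-z]+\d{1,4}", lowered):
        reasons.append("dictionary word plus short digit suffix")
    classes = sum(
        bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def mask(value: str) -> str:
    """Keep only a two-character prefix so reports never echo the full secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_file(path: str, text: str, org_names: list) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CREDENTIAL_RE.finditer(line):
            key, value = m.group(1), m.group(2)
            if is_placeholder(value):
                continue  # ${VAR}-style references are the desired pattern, not a leak
            reasons = ["credential committed to source"] + weakness_reasons(value, org_names)
            findings.append(Finding(path, line_no, key, mask(value), reasons))
    return findings


def scan_repo(files: dict, org_names: list) -> list:
    """Scan every file; returns findings in path order so output is stable for CI diffs."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path], org_names))
    return findings


def main() -> int:
    findings = scan_repo(SAMPLE_REPO, ["solarwinds"])
    for f in findings:
        print(f"{f.path}:{f.line_no} {f.key}={f.masked_value}: {'; '.join(f.reasons)}")
    # Non-zero exit lets a pre-commit hook or CI job block the push.
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pre-commit hook or a CI step, the non-zero exit code is what stops a commit like the one in the sample from reaching a public remote; the env-reference exception keeps the check from nagging about the correct pattern, where the value is injected at deploy time. In the sample, the PowerShell helper produces a finding with three policy violations on top of the basic "committed to source" one, while the strong fixture password is still reported, since a secret with good entropy is still a secret in a repository.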
Insider asked four senior cybersecurity experts to evaluate Kumar's findings and compare them with the CEOs' statements that the issue was an intern's password. All four said they believe the cybersecurity issues involved go far beyond what was discussed on Capitol Hill.
Mike Hamilton, former chief information security officer for the city of Seattle and founder of CI Security, said: "This may have played a role in the supply chain attack." He believes the visibility of the username and password on GitHub indicates that the company was using an automated process. "This is unlikely to have been the intern's entire job," he said.
Tony Cook, the head of threat intelligence at GuidePoint Security and a former U.S. Navy cybersecurity officer, said that Kumar’s research “leads me to believe that this is a lot bigger than the intern’s password.”
Etay Maor, senior director of security strategy at Cato Networks, said: "Although this is what Thompson told Congress, it is not internal. It's on GitHub. People will be able to see it on the Internet soon. What does it mean to take it down? It's online."
Porter wrote the password on a sticky note that she held up for the camera during Friday's proceedings, and she told Insider she was not surprised by the discrepancy between the executives' testimony and the experts' statements.
"Distorting the facts to understate the company's role and responsibility in the hack is disappointing but not surprising," she said. "As I have been saying for the past two years, we need to strengthen federal oversight of Internet companies, especially those that are critical to our national security and critical infrastructure. Don't worry, I'll be following up."