Wait a second … I thought that MFA (Multi-Factor Authentication) was set up to prevent some attacks?
The Googleblog post from a couple of years ago: Security Google blog
had some data that proved the efficacy of MFA in this image:
So MFA (or 2FA Two Factor Authentication) does prevent a number of potential attacks.
But how did SolarWinds get their MFA server hacked?
Arstechnica had the story which showed that when your server is hacked (the server that houses some parts of the MFA pieces) was thouroughly taken over. Then as the criminal hacker learned what was on it, they stole the MFA cryptological information so that they can log on with a valid user to any part in your network. Thus they bypassed MFA – it does not matter apparently when one has the crypto keys of hte MFA server.
So we spend on MFA to defend our network, but that only works if we defend the MFA server enough to show that the cryptological MFA pieces will actually be private. MFA depends on cyberdefense of your systems.
There is even more information coming about the SolarWinds hack – including(from NYTimes article:
“18,000 private and government users downloaded a Russian tainted software update — a Trojan horse of sorts — that gave its hackers a foothold into victims’ systems, according to SolarWinds, the company whose software was compromised.”
Maybe the criminal hackers had other targets and one way to attack those targets was through the bad security practices of SolarWinds, even though they are a security company.
There is even an attribution to extremely bad password management from Reuters article:
{Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”}
It is hard to fathom setting up a default password such as solarwinds123 for a ‘company’ that controls so many pieces in the defense of your company and many other clients. When can we depend that SolarWinds will get it’s security act in gear?
My guess is w will always be wary of their security practices – time to replace all of their systems.
Contact Us to discuss
All of these links were first read on Bruce Schneiers crypto-gram from Jan 15th (which I read since it is in my https://oversitesentry.com/security-news-reviewed/ )