Whether you’re protecting mission-critical data on a classified network or managing a thousand users at a federal medical facility, Wyse thin clients offer an affordable, low-maintenance solution. And, when rigorous security and safety are called for, Wyse rises to the challenge with thin-client solutions for government applications, guarding sensitive data while offering affordable options for field and military operations.
That’s the system just named in CVE-2020-29491 and CVE-2020-29492. Both critical flaws, with a perfect CVSS score of 10 out of 10.
Using an anonymous FTP server for config. Like this:
{username}.ini Files must be Write-Enabled
All {username}.ini files must be write-enabled to allow the thin client to place the encrypted user passwords in the files.
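The setup quoted above only works if the FTP share lets an anonymous client both read every user's .ini and write back into it. As an added example (not code from Wyse, from the thin-client firmware, from the CVE advisories, or from anyone in this thread), here is a small checker for a vsftpd-style key=value configuration that flags exactly that combination and shows a hardened counterpart beside it. The option names are real vsftpd options; the defaults assumed for absent keys are taken from the vsftpd.conf man page and stated as an assumption in the code. Both configs are constructed samples.

```python
"""Lint an FTP server configuration for anonymous read/write access to
per-user config files.

Added example for this thread; not code from Wyse, the thin-client
firmware, or the CVE advisories. Targets vsftpd-style config files.
"""

# Assumption: vsftpd's documented defaults for the options checked here
# (per the vsftpd.conf man page; adjust if your build differs).
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_other_write_enable": "NO",
}

# Constructed sample: anonymous clients may log in, upload, and overwrite.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
"""

# Constructed sample: authenticated local users only, no anonymous access.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_other_write_enable=NO
"""


def parse_vsftpd(text):
    """Parse key=value lines into a dict, starting from the assumed defaults.

    Blank lines and '#' comments are skipped; values are upper-cased so
    'yes' and 'YES' compare equal.
    """
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().upper()
    return conf


def findings(conf):
    """Return (severity, message) tuples for risky anonymous-access settings."""
    out = []
    if conf["anonymous_enable"] != "YES":
        return out  # no anonymous login: nothing below applies
    out.append(("medium",
                "anonymous read: any client can download every {username}.ini"))
    if conf["write_enable"] == "YES" and conf["anon_upload_enable"] == "YES":
        out.append(("high",
                    "anonymous upload: any client can create files on the share"))
    if conf["write_enable"] == "YES" and conf["anon_other_write_enable"] == "YES":
        out.append(("critical",
                    "anonymous overwrite/delete: any client can replace {username}.ini"))
    return out


def is_hardened(text):
    """True when the config produces no anonymous-access findings."""
    return not findings(parse_vsftpd(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        results = findings(parse_vsftpd(text)) or [("ok", "no anonymous-access findings")]
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

Running it prints three findings for the weak config and none for the hardened one. The checker treats anonymous read alone as a finding because, in the setup quoted above, the files themselves carry user credentials; the write flags raise the severity because they let any client alter what the thin client will load next.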
None of the links indicate that budget restraints prevented them from anything. One is specifically for the energy sector, and the other is for the medical sector, neither of which Solarwinds is directly involved in.
So, how would those initiatives actually have affected the practices at a company that up until very recently didn’t have budget problems on the horizon, but did have security issues?
I’m bored, I’ll go into detail on each. The first is about an admiral lauding his access to a network after it has been compromised (the Sony hack). In fact, he seems to be pretty pleased at how it worked out. Not seeing how that would have assisted in this case.
The second is about the healthcare industry. Not seeing the relevance here. They’re historically behind in this area, and could always use help. Software companies aren’t even in the same game.
The third is about the energy industry and its successes collaborating with the government. Threat streams are already-identified threats. Even if that was not fulfilled for budgetary reasons, that would not apply here, it was a new threat.
The fourth involves the successes already mentioned, but doesn’t mention any budgetary restrictions. In fact, its concluding statement is.
So, I’m not seeing the relevance in any of your links to this hack, or how it would have been avoided by not having the budget diversions mentioned already. I’ve already agreed that those diversions were stupid in the extreme, but it wouldn’t have affected this.
Maybe because the links are from 2016 and 2017? Showing a strong desire for public-private coordination for years?
But obviously you are never going to admit that slashing the budget of cybersecurity resulted in less cybersecurity - and less cybersecurity coordination with the private sector - so there’s no point in arguing with you further.
Ahh, the flaw in this is that I have never argued anything of the sort. I have purely argued that more cybersecurity spending would not have averted this hack. More cybersecurity spending could have resulted in a lot of other net positives, but it wouldn’t have fixed Solarwinds’ security practices in any way I can see.
Again, Trump probably hobbled our reaction to this hack in every way and twice on Sundays. Conversely, if I could have voted in Obama for a third term, I absolutely would have. I don’t think having him in office would have prevented it.
Ok, yes we can. I honestly don’t have a good answer to this tightrope. But stockpiling zero day attacks and not notifying the parties who could fix them seems to have a terrible track record. It doesn’t really seem that sanctions are appropriate in this case, as it’s assumed that the perpetrators had already resigned themselves to never entering a jurisdiction they could be apprehended from.
But other than the normal levels of cyber espionage (which is, grab everything that’s not already locked down), what do we do? Hacking Russian companies isn’t likely to gain you the same level of high value targets (plus, if you’re in there, your job is to exfiltrate data and not be noticed).
I’m just not sure that cybersecurity is a field you generally want to send a “message” in, other than “Try again, sucker, I’ll be here all day (unless by saying that, you’ve already said too much).” There should be a political response, but that’s wholly separate, and I admit I don’t know what it should be.
Seeing as Dark Halo aka APT29 has been around since 2008, it seems appropriate actions should have been taken long ago.
APT29
APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. [1][2] This group reportedly compromised the Democratic National Committee starting in the summer of 2015. [3]
"What they do also say is that they suspect the breach by the Dukes began in the summer of 2015 already, whereas APT28 only entered the systems in April 2016. Which again, is actually important from a timing perspective because in the summer of 2015, that was still before the whitepaper for instance, and back when the Dukes were still actively targeting new organizations, especially targets relevant for foreign policy goals.
And in the case of the DNC I think they were there just to gather information. I think they were there just because it’s an important political target if you want to understand how the foreign policy and security policy of the US may evolve in the future. So they wanted to get that visibility, they wanted to be there just listening in, gathering information."