IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New Krebs' reporting on these things always seems to be good and level-headed.
https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/

[...]

The breach at SolarWinds could well turn into an existential event for the company, depending on how customers react and how SolarWinds is able to weather the lawsuits that will almost certainly ensue.

“The lawsuits are coming, and I hope they have a good general counsel,” said James Lewis, senior vice president at the Center for Strategic and International Studies. “Now that the government is telling people to turn off [the SolarWinds] software, the question is will anyone turn it back on?”

According to its SEC filing, total revenue from the Orion products across all customers — including those who may have had an installation of the Orion products that contained the malicious update — was approximately $343 million, or roughly 45 percent of the firm’s total revenue. SolarWinds’ stock price has fallen 25 percent since news of the breach first broke.

Some of the legal and regulatory fallout may hinge on what SolarWinds knew or should have known about the incident, when, and how it responded. For example, Vinoth Kumar, a cybersecurity “bug hunter” who has earned cash bounties and recognition from multiple companies for reporting security flaws in their products and services, posted on Twitter that he notified SolarWinds in November 2019 that the company’s software download website was protected by a simple password that was published in the clear on SolarWinds’ code repository at Github.

[ tweet image ]

Andrew Morris, founder of the security firm GreyNoise Intelligence, on said that as of Tuesday evening SolarWinds still hadn’t removed the compromised Orion software updates from its distribution server.

[ tweet image ]

Another open question is how or whether the incoming U.S. Congress and presidential administration will react to this apparently broad cybersecurity event. CSIS’s Lewis says he doubts lawmakers will be able to agree on any legislative response, but he said it’s likely the Biden administration will do something.

“It will be a good new focus for DHS, and the administration can issue an executive order that says federal agencies with regulatory authority need to manage these things better,” Lewis said. “But whoever did this couldn’t have picked a better time to cause a problem, because their timing almost guarantees a fumbled U.S. response.”


(Emphasis added.)

:-/

Cheers,
Scott.
New tl;dr: The National Incompetence Q. is not confined merely to obv. political: it is Everywhere.
     Putin-hacking of Duh-US Govt et al--summarized with latest bucket-list - (Ashton) - (13)
         Solarwinds software was hacked then the distro proceeded into govt systems -NT - (boxley) - (12)
             Now DHS.. - (Ashton) - (4)
                 Maybe they (and especially NSA) should spend more time on defense instead of attacks - (drook) - (3)
                     have you met security folks? Theatre mostly - (boxley) - (2)
                         There is a fix. - (a6l6e6x) - (1)
                             The true fix - (InThane)
             What business are these crackers in? - (scoenye) - (3)
                 security and monitoring software tools are very lackadasial when it comes to security and monitoring -NT - (boxley) - (2)
                     (If you Know this: "why haven't you committed seppuku, rather than staying-on? quietly") - (Ashton) - (1)
                         I point out the foibles to the pecksniffs -NT - (boxley)
             C&C domain has been seized and blackholed - (drook) - (2)
                 Krebs' reporting on these things always seems to be good and level-headed. - (Another Scott) - (1)
                     tl;dr: The National Incompetence Q. is not confined merely to obv. political: it is Everywhere. -NT - (Ashton)

A mindset is a terrible thing to waste.
36 ms