“Loose Lips Sink Ships” has never been so true

By now everyone has seen the news of the major supply chain attack against SolarWinds. If so, feel free to skip this and jump to the next paragraph; if not, a very high-level summary follows. Originally attributed to the Russian hacking group APT29 (although questions have recently been raised about the accuracy of that attribution), SolarWinds was breached in early March and its source code was edited without its knowledge. SolarWinds approved the changes, signed the code with its certificate (validating it), and pushed it to production, making it available to all customers. All code released between March and June 2020 had been maliciously altered.

The breach came to light on Sunday, Dec 13, after the same sophisticated malicious group attacked the security vendor FireEye Mandiant, who traced the entry point into their network to a Trojan backdoor in the SolarWinds Orion product. That was a very brief summary; obviously there is a lot more packed into the entire scenario, but the point is what follows.

Like many security vendors, SolarWinds likes to brag about who it provides services to. The page has since been removed, for the obvious reason above, but this was a screenshot of the customer page of SolarWinds.com on December 12.

Cut to the point: if your organization's name is listed as a customer on the website of a vendor whose product has a known major vulnerability, you have automatically become a target. Minimizing OSINT is important! OSINT (Open Source Intelligence) is information that can be gathered by anyone with a little time and effort. As employees and as IT professionals we need to be mindful of what is posted online in relation to our place of work, and more specifically about the Org's IT, infrastructure and controls. While this sharing is not done with malicious intent, it can be damaging to the Organization in the hands of the wrong individual.

Example: I post on my LinkedIn that I'm an expert in securing Apache 2.2 running in a Server 2008 environment. The reason for posting is to demonstrate a skill set: securing old software on old, out-of-support servers. While the intent is innocent, any attacker interested in attacking your Org would have a field day knowing there is an old, vulnerable web server sitting on our network, potentially open to the world.

Some questions to ask yourself:

  • What do you post on Twitter, Facebook, Instagram, TikTok, etc.?
  • What does your LinkedIn profile say about you, and more importantly about the software your Org runs?

General rules of thumb:

  • Whenever a new software purchase is made, make it a point to opt out of the software vendor adding your company's logo / name to the customer list on their website
  • Don't discuss the products you use with competing vendors unless there is an absolute need to know; keep your cards close to your chest
  • Never post an employee badge pic online
  • Never post information specific to a system
    • This is a harder one: if we are hiring a Fortinet admin there is no way to post a job listing without Fortinet info. In that instance keep it general: no version numbers, no specifics on the modules that are run
  • Never post pictures of your laptop, which again displays the software used
  • Never post pictures of infrastructure, Data Centers, etc.
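The "keep it general, no version numbers" rule can be checked mechanically before a job listing, profile blurb or post goes out. The following is an added example, not code from the original post; the product list and the 40-character proximity window are assumptions an organization would tune to its own estate.

```python
import re
from typing import List, Tuple

# Constructed, illustrative product list; an organization would maintain its own.
PRODUCT_TERMS = ["apache", "windows server", "server", "iis", "exchange",
                 "fortinet", "fortigate", "fortios", "solarwinds", "orion"]

# Version-looking tokens: "2.2", "7.0.1", "v6", "2008", "2012 R2".
VERSION_RE = re.compile(
    r"\b(?:v?\d+(?:\.\d+)+|v\d+|(?:19|20)\d{2}(?:\s*R2)?)\b", re.IGNORECASE)
# Longest terms first so "windows server" wins over "server".
PRODUCT_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(t) for t in
                        sorted(PRODUCT_TERMS, key=len, reverse=True)) + r")\b",
    re.IGNORECASE)


def find_disclosures(text: str, window: int = 40) -> List[Tuple[str, str]]:
    """Return (product, version) pairs where a version token sits within
    `window` characters of a product name. A bare year or a product name on
    its own is not flagged; the pairing is what gives an attacker a foothold."""
    findings = []
    for vm in VERSION_RE.finditer(text):
        start, end = vm.span()
        before = text[max(0, start - window):start]
        after = text[end:end + window]
        # Prefer the nearest product name before the version ("Apache 2.2"),
        # otherwise the nearest one after it.
        prev = list(PRODUCT_RE.finditer(before))
        if prev:
            product = prev[-1].group(0)
        else:
            nxt = PRODUCT_RE.search(after)
            if not nxt:
                continue
            product = nxt.group(0)
        findings.append((product.lower(), vm.group(0)))
    return findings


def safe_to_post(text: str) -> bool:
    """True when the draft names no product together with a version."""
    return not find_disclosures(text)


if __name__ == "__main__":
    draft = "I'm an expert in securing Apache 2.2 running in a Server 2008 environment."
    for product, version in find_disclosures(draft):
        print(f"disclosure: {product} {version}")
```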

Keep OSINT top of mind and always remember…
