SolarWinds blames bad password on an intern – experts doubt it

  • SolarWinds has told Congress that the use of the password ‘solarwinds123’ was the fault of an intern.
  • A key researcher told Insider the login information had been publicly available on GitHub for years.
  • Cyber security experts believe the issue involves more than an intern’s weak password.

Two SolarWinds executives told the US Congress on Friday that the now infamous exposure of the password ‘solarwinds123’ was the result of an error by an intern in 2017. The new statements shed light on a cyber security lapse that has raised questions for several months about the far-reaching attacks carried out over the internet.

Five cyber security experts tell Insider that they believe the issue has broad cyber security implications beyond an intern’s weak password. Among the experts is the researcher who discovered the problem, which involved login information for a server used for software updates. An email apparently from the SolarWinds security team to the researcher notes that the information had been ‘publicly accessible’ and that the company was addressing the ‘exposed credentials’.

The SolarWinds cyber attacks used software updates to infiltrate the computer networks of nine major U.S. agencies and thousands of businesses in a historic and sweeping supply-chain attack. The origin of the attacks has not been established, and lawmakers’ investigation into the password ultimately raised questions about the Texas-based IT company’s own cyber security practices.

Former CEO Kevin Thompson and current CEO Sudhakar Ramakrishna addressed the House Oversight Committee, where they answered questions about the weak password, the news of which was first widely reported in December.

“I have a stronger password than ‘solarwinds123’ to prevent my kids from watching too much YouTube on their iPad,” California representative Katie Porter said at the hearing. “You and your company would prevent the Russians from reading emails from the Department of Defense.”

“I believe it was a password that an intern used on one of his servers in 2017, which was reported to our security team and removed immediately,” Ramakrishna told Porter.

His predecessor gave a similar answer at another point in the testimony. “It’s related to an error made by an intern, and they’re violating our password policy and they’re putting that password on their own,” Thompson said. “Once it was identified and brought to the attention of my security team, they took it down.”

However, cyber security experts say the issue appears to have involved more than one intern’s error. SolarWinds, which has not previously commented on the password issue, did not immediately comment to Insider.

The username solarwinds.net and password solarwinds123 were visible in a project on the code-sharing website GitHub, according to the researcher who found the problem and to screenshots reviewed by Insider. The researcher said these credentials would give access to a SolarWinds server that handles updates of the company’s software, the mechanism at the heart of the SolarWinds supply-chain attacks.

The publicly exposed username and password were still in use in November 2019, more than two years after Ramakrishna said they were created, the researcher said. The problem therefore appears to go beyond a quickly corrected intern’s error: critical credentials were exposed – although there is no evidence that the SolarWinds hackers used this exposure.

“They should have said it’s been open for two years,” Vinoth Kumar, the cyber security researcher who first discovered the issue, told Insider on Friday after the testimony. “It was public and gave access to a critical server.” An email, apparently from the SolarWinds security team to Kumar, dated 22 November 2019, states that ‘the incorrect configuration of the GitHub repository has been addressed and is no longer publicly accessible, and treatment has also been applied to the exposed credentials.’

[Image: email from SolarWinds. Caption: A researcher says SolarWinds sent him this email about exposed data he identified. Credit: Vinoth Kumar]

Insider asked four cyber security veterans to evaluate Kumar’s findings and compare them with the CEOs’ statements that the issue was an intern’s password. All four said they believe the cyber security issues go far beyond what was discussed on Capitol Hill.

“It could have played a role in the attacks on the supply chain,” said Mike Hamilton, the former chief information officer for the City of Seattle and founder of CI Security. The visibility of the username and password on GitHub indicates an automated process used by the company, he believes. “It’s unlikely that it was all the work of an intern,” he said.

Tony Cook, head of threat intelligence at GuidePoint Security and a former U.S. Navy cyber security officer, said Kumar’s research “made me believe it was a bigger problem than the password of an intern.”

And Etay Maor, senior director of security strategy at Cato Networks, said “it was not an intern,” despite what Thompson told Congress. “It’s on GitHub. It’s not long before people see it on the internet. And what does it mean that they’ve removed it? It’s been online.”

Porter, who wrote the password on a sticky note she held up to the camera during Friday’s proceedings, told Insider she was not surprised by the gap between what the executives testified and what the experts said.

“The misrepresentation of the facts to diminish the role and responsibility of the company for the hack is disappointing, but not surprising,” she said. “As I have said for the past two years, we need stronger federal oversight of Internet companies, especially those that are essential to our national security and critical infrastructure. Rest assured, I will follow up.”
