NYT Article: This Agency’s Computers Hold Secrets. Hackers Got In With One Password.

britechguy

This Agency’s Computers Hold Secrets. Hackers Got In With One Password.

If ever there were a place where MFA, regardless of what type, should have been in use, it's here. But the bigger issue is that someone's email password was clearly being used as that individual's "key to the kingdom" across systems. In an agency such as this one that's shocking, and after something like this it should be a firing offense, too. We are so far past the stage where the basic premise that you don't reuse a password across critical systems should not only be common knowledge, but be carried out almost like breathing - automatically and without thought - that it's almost impossible to believe it continues to happen. But it also points out that the weakest link in the security chain is the human one.

The Ars Technica article referenced there, SolarWinds hackers have a clever way to bypass multi-factor authentication, from December 2020, makes very interesting reading as well.

The other NYT article referenced, Scope of Russian Hacking Becomes Clear: Multiple U.S. Agencies Were Hit, includes several points I have made on many occasions:
  • hackers exploited only what was considered the most valuable targets. [These kinds of attacks look to exploit only high value targets, even if low value ones exist.]
  • But unless the government was aware of the vulnerability in SolarWinds and kept it secret — which it sometimes does to develop offensive cyberweapons [Security by obscurity still plays a role in the great mix. Giving away everything you know immediately is generally counterproductive.]
  • “A supply chain attack like this is an incredibly expensive operation — the more you make use of it, the higher the likelihood you get caught or burned,” said John Hultquist, a threat director at FireEye. “They had the opportunity to hit a massive quantity of targets, but they also knew that if they reached too far, they would lose their incredible access.” [You need to limit your reach to juicy targets, getting overambitious is to be avoided, and your window of opportunity is limited.]

But, the root issue here is that the most basic security measure, never reusing a password across important systems, was ignored. How this could be in an agency like this one is beyond my comprehension. You really can't fix stupid, sadly, but you can and should punish it.
 
This article brought to mind that other thread where LA was passing statutes concerning MSPs. It sounded like they wanted to shift the blame for failed decisions to the MSP instead of the government entity that didn't want to spend the money.
 