- SolarWinds executives told Congress that the use of the password "solarwinds123" was an intern's error.
- The researcher who found the credentials told Insider that the login information sat publicly on GitHub for years.
- Cybersecurity experts say the problem appears to go well beyond one intern's weak password.
Two SolarWinds executives told the US Congress on Friday that the now infamous exposure of the password "solarwinds123" was the result of an intern's mistake in 2017. The new statements shed light on a security lapse that has drawn scrutiny for months in the wake of the widespread cyberattacks.
Five cybersecurity experts tell Insider that they believe the problem has security implications well beyond an intern's mistake.
The SolarWinds attackers used tampered software updates to break into the networks of nine US federal agencies and thousands of companies, in a historic and far-reaching supply chain attack. The attackers have not been formally identified, and lawmakers' questioning about the password on Friday raised new questions about the Texas-based IT company's own security practices.
Former CEO Kevin Thompson and current CEO Sudhakar Ramakrishna appeared before the House Oversight Committee and answered questions about the weak password, which was first reported in December.
"I have a stronger password than 'solarwinds123' to prevent my kids from watching too much YouTube on the iPad," California representative Katie Porter said in the hearing. "You and your company should prevent Russians from reading emails from the Defense Department."
“I think it was a password that an intern used on one of his servers in 2017, which was reported to our security team, and it was immediately removed,” Ramakrishna replied to Porter.
His predecessor gave a similar answer at another point in the testimony. “It had to do with a mistake an intern made, and they broke our password policy, and they posted the password on an internal, on their own,” Thompson said. “As soon as it was identified and alerted to my security team, they took it down.”
However, cybersecurity experts say the problem appears to have involved more than one intern's mistake. SolarWinds, which has not previously commented on the password issue, did not immediately respond to Insider's request for comment.
The username solarwinds.net and the password solarwinds123 were visible in a project on the code-sharing site GitHub, according to the researcher who found the problem and screenshots reviewed by Insider. The researcher said the credentials gave access to a SolarWinds server that handles updates to the company's software, the very process at the heart of the SolarWinds supply chain attack.
The publicly exposed username and password were still in use in November 2019, more than two years after the 2017 date Ramakrishna gave for their creation, the researcher said. That suggests the problem was not a quickly corrected internal error but a critical set of credentials left exposed, although there is no evidence that the SolarWinds attackers took advantage of the exposure.
"They should have said it was open for two years," Vinoth Kumar, the cybersecurity researcher who first discovered the problem, told Insider after Friday's hearing. "It was public and provided access to a critical server." An email apparently from SolarWinds' security team to Kumar, dated November 22, 2019, notes that "The incorrect configuration of the GitHub repository has been addressed and is no longer publicly available, processing has also been applied to the exposed credentials."
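The exposure described above, a credential pair committed to a public repository and left there for two years, is exactly the kind of thing an automated secret scan on the repository catches. The following is an added example written for this page, not code from Insider, SolarWinds or the researcher. It scans constructed file contents (the paths, contents and the stand-in organisation name "Example Corp" are assumptions) for credential assignments and for credentials embedded in URLs, and it additionally flags a password as weak when it is built from the organisation's own name or ends in a trivial suffix such as "123", which is what made "solarwinds123" guessable in the first place.

```python
import re
from dataclasses import dataclass

# Constructed sample repository contents (an assumption for this example; these are
# not the real SolarWinds files, and "Example Corp" stands in for the company name).
SAMPLE_FILES = {
    "deploy/ftp_upload.ps1": (
        "$server = 'updates.example-corp.internal'\n"
        "$user = 'example-corp.net'\n"
        "$password = 'examplecorp123'\n"
        "Invoke-Upload -User $user -Password $password\n"
    ),
    "config/app.yaml": (
        "db_url: postgres://svc:Tr0ub4dor&3-xK9q@db.internal:5432/app\n"
        "timeout: 30\n"
    ),
    "README.md": "Set PASSWORD via the environment; never commit it.\n",
}

# key = value / key: value, where the key is a credential-like name.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(?P<key>pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*['"]?(?P<val>[^'"\s]{4,})"""
)
# scheme://user:password@host, the other common way credentials land in files.
URL_CRED_RE = re.compile(r"(?i)[a-z][a-z0-9+.-]*://(?P<user>[^:/\s]+):(?P<val>[^@/\s]+)@")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str      # "assignment" or "url"
    value: str     # the exposed secret; a real tool would redact this in its report
    weak: bool


def is_weak(password: str, org_name: str) -> bool:
    """Heuristic weakness check: built from the organisation's own name,
    shorter than 12 characters, or ending in a trivial suffix like '123'."""
    p = password.lower()
    org = org_name.lower().replace(" ", "")
    if org and org in p:
        return True
    if len(p) < 12:
        return True
    return re.search(r"(123|1234|password|qwerty)$", p) is not None


def scan_text(path: str, text: str, org_name: str) -> list:
    """Scan one file's content line by line and return every credential-looking hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT_RE.search(line)
        if m:
            findings.append(Finding(path, line_no, "assignment", m["val"], is_weak(m["val"], org_name)))
            continue
        m = URL_CRED_RE.search(line)
        if m:
            findings.append(Finding(path, line_no, "url", m["val"], is_weak(m["val"], org_name)))
    return findings


def scan_repo(files: dict, org_name: str) -> list:
    """Scan a mapping of path -> content, in order, and return all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, org_name))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES, "Example Corp"):
        flag = "WEAK" if f.weak else "ok-strength"
        print(f"{f.path}:{f.line_no} [{f.kind}] {flag} value={f.value!r}")
```

Run on the sample tree, the scanner reports the PowerShell upload script's password as weak (it contains the organisation name and ends in "123") and the database URL's embedded password as a leak of acceptable strength; both are still findings, because a credential committed to a repository is exposed regardless of how strong it is. Wired into a pre-commit hook or a CI job, a check like this turns a two-year exposure into a blocked push.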
Insider asked four veteran cybersecurity experts to evaluate Kumar's findings and compare them with the CEOs' statements that the problem came down to an intern's password. All four said they believe the security issues go well beyond what was discussed on Capitol Hill.
“This may have played a role in the supply chain attacks,” said Mike Hamilton, former head of information security at the City of Seattle and founder of CI Security. The visibility of the username and password on GitHub suggests an automated process used by the company, he believes. “It’s unlikely that this was all the work of an intern,” he said.
Tony Cook, head of threat guidance at GuidePoint Security and a former U.S. Navy cybersecurity officer, said Kumar’s research “leads me to believe that this was a bigger problem than an intern’s password.”
And Etay Maor, senior director of security strategy at Cato Networks, said “This was not internal,” despite what Thompson told Congress. “It’s on GitHub. It does not take long before people see this on the internet. And what does it mean that they took it down? It was online.”
Porter, who wrote the password on a sticky note she held up for the camera during Friday's hearing, told Insider that she was not surprised by the discrepancy between what the executives testified to and what the experts said.
“Incorrect presentation of facts to downplay the company’s role and responsibility for the hacking is disappointing, but not surprising,” she said. “As I have said for the last two years, we need stronger federal oversight of Internet companies, especially those that are critical to our national security and critical infrastructure. Rest assured, I will follow up.”