Note for 2021-12-24

We now are at 3141 articles.

And who did NOT have log4j and SolarWinds combined on their bingo card?

SQL injection in SolarWinds, no less, plus a CVE relating to access control.

We now are at 3117 articles.

The White House asks for discussion, the Federal CISO suggests support for eliminating passwords, a challenge to Microsoft exclusivity at USDA, and a suggested Cyber Academy.

Note for 2021-12-09

The disappointing news of today is that the NDAA did not include the much-anticipated breach notification requirement. Now with 3103 articles.

Note for 2021-07-17

Collection is behind. We now are at 3084 articles.

Biggest recent news is an analysis from Mandiant about the extent and depth of the ongoing attacks.

Note for 2021-07-17

2848 articles. We now have 70 articles with RCE with SolarWinds. Most of those are about the recent one detected by Microsoft, and it is related to exposing SSH to the internet.

You may see articles that link a recently-revealed iOS vulnerability, but the only connection is that this was done by the presumed hacker that did SolarWinds. Slight confusion has ensued.

Note for 2021-07-06

2848 articles. Lots of the news is about Kaseya referencing SolarWinds. I've elected not to follow that story. There are many articles that I don't include, mostly the market analysis, along with the surprisingly frequent Take Control Not Working.

Note for 2021-07-01

The Danish National Bank is said to have had the compromised SolarWinds vector in their systems for seven months. The Denmark Nationalbank denies these reports.

A Microsoft CS agent was compromised by the SolarWinds actors, resulting in three companies being compromised.

Note for 2021-06-21

The SEC is investigating several firms for failure to disclose breach.

Jake Sullivan says that the US is preparing more sanctions for Russia.

Simple measures would have prevented the attack.

Note for 2021-06-19

Google develops a tool to help with SBOM called SLSA.

There is a new White House Cyber Director.

Note for 2021-06-15

News today is about government staffing efforts for cybersecurity, and the possibility of regulation.

Note for 2021-06-11

The collection of articles in the legal section now has the biggest article to date, where strong claims are made, some with possible non-civil liabilities.

The claims are severe, detailed, and damning. All the claims made on the SW website about security are claimed in the lawsuit to be false--a full fabrication. Multiple people are quoted, including Ian Thornton-Trump, Costin Raiu, and ten former employees.

A summary:

  1. There was no Information Security Policy
  2. SolarWinds did not follow their password policy
  3. There was no security training
  4. SolarWinds had no security team
  5. SolarWinds did not segment its network and did not limit user authorization
  6. SolarWinds did not perform background checks on its employees
  7. SolarWinds did not prioritize cybersecurity
  8. The lawsuit further claims that the emphasis put on increasing sales and stock prices and cutting costs at the expense of security led to personal financial gain to some named individuals.

This whole thing puts a stark emphasis on how we evaluate vendors whose software runs as root in our systems.