/ Security

Solarwinds password issue - the intern did it.

Former CEO Kevin Thompson echoed Ramakrishna's statement during the testimony. "That related to a mistake that an intern made, and they violated our password policies and they posted that password on their own private GitHub account," Thompson said. "As soon as it was identified and brought to the attention of my security team, they took that down."

https://thehackernews.com/2021/03/solarwinds-blame-intern-for-weak.html

The above comment was made last week by the CEO of Solarwinds, Kevin Thompson and his replacement Sudhakar Ramakrishna.
In short, the soon to be former CEO and the soon to be CEO of solarwinds put the blame for the recent security issue on an intern.

Now, there is absolutely no reason to doubt this statement and I am going to accept it as a fact. It's also the reason that I'll never be able to trust Solarwinds again and I suggest that anyone using solarwinds products think very hard about doing so and let me explain why.

Firstly, lets have a look at what an intern is.

a student or trainee who works, sometimes without pay, in order to gain work experience or satisfy requirements for a qualification.

To summerise - Solarwinds allowed someone who was basically a trainee to modify and submit code which was then pushed to product that had a weak password in it and during that process no system, no checks and no management caught it.
Of course, Solarwinds takes your security seriously.

image-1

I worked at Symbian for a number of years. During my time there I became a storage admin on their NetApp systems. One of the things we hosted on the NetApp was the Perforce repository. During my time there an iniative was started around code signing, the idea being that apps would need to be signed so that they could be installed on a mobile phone. It's something we see a lot today and it just guarentees the integrity of the app.
Even though I was only a storage admin I still had to go on a two day internal course about how to handle requests to access the area, the perforce repository and so on. Symbian really did take the security seriously and as such, no incidents occured and certainly no intern would ever be given access to such a sensitive area. Sure, they might be told about it, they might even be show that area with a specalist engineer sitting with them but they sure wouldn't have any sort of access to be able to modify anything and this was in something like 2007.

I have several questions for Solarwinds that I'd really like an answer to, here they are:

  1. Why did an intern have access to such sensitive data?
  2. Why was an intern allowed to modify such senstive data?
  3. Why wasn't their any monitoring in place for anything being posted to private github accounts?
  4. Why wasn't the intern working with an senior developer who could have checked for such code submissions?
  5. Why didn't automated code testing find the password?
  6. Did the intern have any training for handling sensitve code?
  7. Why did the intern modify the code? Was it accidential? Malicious? To fix an issue?
  8. What changes have you made to the integrity of the code checking process to ensure that this can never happen again?
  9. How can you claim to treat security seriously when, not long ago, an intern was able to put a backdoor password into sensitive code and it went unchecked for a year?

I will make a bet now, before March is out the soon to be CEO Sudhakar Ramakrishna will backtrack on his statement. It's too late now because the damage is done and it's not just the damage to the companies reputation for security, it goes deeper than that.

I'm no psychologist but I suspect that Sudhakar Ramakrishna made an off the cuff statement and blamed an intern for this backdoor password. I suspect he did it because he thought that saying "the intern did it" would have people going "Oh that makes sense, of course someone junior could make a mistake like that" but it opens up two sets of problems, the first being the security aspects I mentioned above and the second being that Sudhakar Ramakrishna just revealed that under his leadership, he will have no issues in pointing the finger of blame at someone and throwing them under a bus.
This is not acceptable.

If you blame someone for a mistake they made then you are showing others that you will out them and you will not have their backs. This makes for a very uncomfortable working environment where people will not want to come forward in case others get pushed under the bus.
This also means that other flaws might go unntoiced by solar winds because people are too afraid to point them out.

Sudhakar Ramakrishna just made the security and working standards at Solarwinds many times worse and he probably didn't even realise it, the fact that Kevin Thompson backed him up shows to me that the working standards problem may have been an issue at solarwinds for some considerable time.

I predict more issues in solarwinds over the course of this year.

Gary Williams

Gary Williams

IT Person | Veeam Vanguard | VMware vExpert | Windows admin | Docker fan | Spiceworks moderator | keeper of 3 cats | Avid Tea fan

Read More