By Scott Hamilton
Senior Expert Emerging Technologies
This week I want to talk about the difference between big technology companies and the open-source software movement. I plan to raise questions as to whether you can trust big technology companies. I will also raise questions about the trustworthiness of computer and network security companies. I simply want to provoke thought about the trustworthiness of these large, well-known companies. Are you getting the protection you think you are paying for, or is your personal data still at risk?
What sparked this article was a recent news release regarding the network security giant SolarWinds. As the story began to unfold, another company, FireEye, the self-proclaimed watcher of the Internet, was the first to discover and report the issue after spotting unusual web traffic in its monitoring systems.
The story ties back to an unreported event that occurred in November 2019. An ethical hacker, someone who monitors open-source software and free downloads for vulnerabilities in order to notify the software developer of the issues, noticed a password in a public website script that gave him access to SolarWinds’ main software deployment servers. Armed with this information, he could have planted malicious software in SolarWinds’ installers and modified the software before customers downloaded it. He notified SolarWinds of the issue at the time of discovery.
On Tuesday night around 11 p.m., reports began to emerge of a vulnerability in SolarWinds’ Orion product, a network security and scanning tool. It was believed that a militant Russian group planted the extra software in Orion in order to gain access to major software vendors and high-security networks in the U.S. Among the targeted systems were all five branches of the U.S. military, the Pentagon, the State Department, NASA, the National Security Agency, the Department of Justice and the White House. There were known exploits of the vulnerability, allowing the hackers to read all the e-mail traffic to and from the U.S. Treasury and Commerce departments, Congress and the Senate. It was estimated that nearly 18,000 SolarWinds Orion customers had been compromised, with data stolen or modified. Among the private companies on the list of potential victims are Microsoft, Netflix, Google, Facebook and Dominion, the maker of several voting machines.
This is a story that, to me, speaks volumes about the level of trust we should place in closed companies. SolarWinds knew they were vulnerable to attack and did nothing to stop it. They knew customer systems were vulnerable starting as early as March 2020 and did nothing to notify customers. They sat on the information, allowing hackers to roam freely until caught by FireEye. Only then did they take action to stop the attacks. As customers of these types of technology giants, we do not have access to their code or their practices; we are stuck trusting that they are doing things in a safe and secure manner. My argument is that it is far safer to trust open-source, community-maintained software than anything coming from big tech, because the open-source community consists of over one million developers who work on open-source software and are constantly checking one another's work for errors and vulnerabilities. This is not the first time a major security company has allowed a breach of national security systems, and it is not likely to be the last.
For more information on the open-source community, a great place to start is http://www.gnu.org, the parent project behind the widely distributed, free Linux operating system. For more information on the security breach, search for "SolarWinds hack" and click on the GeekWire article. Until next week, stay safe and learn something new.
Scott Hamilton is a Senior Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to firstname.lastname@example.org.