Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
United States Privacy Security

SolarWinds Hack Got Emails of Top DHS Officials (apnews.com) 27

Suspected Russian hackers gained access to email accounts belonging to the Trump administration's head of the Department of Homeland Security and members of the department's cybersecurity staff whose jobs included hunting threats from foreign countries, The Associated Press reported Monday, citing sources. From the report: The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known, but the symbolism is stark. Their accounts were accessed as part of what's known as the SolarWinds intrusion, and it throws into question how the U.S. government can protect individuals, companies and institutions across the country if it can't protect itself. The short answer for many security experts and federal officials is that it can't -- at least not without some significant changes. "The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS," said Sen. Rob Portman of Ohio, top Republican on the Senate's Homeland Security and Governmental Affairs Committee. "We are talking about DHS's crown jewels."
This discussion has been archived. No new comments can be posted.

SolarWinds Hack Got Emails of Top DHS Officials

Comments Filter:
  • by alvinrod ( 889928 ) on Monday March 29, 2021 @12:27PM (#61213634)
    Anyone that high up should be using some form of encryption so that even if an attacker does gain access, they don't gain a lot beyond who you're receiving messages from. That itself may be valuable information, but it probably pales in comparison to the contents of those messages.
    • by Hodr ( 219920 )

      This would have been their unclassified e-mail, and any e-mails sent over those channels containing CUI, FOUO, or PII would have been encrypted with a cert on their PIV/CAC.

      So no, likely nothing of any value to be found in those e-mails.

    • by jmccue ( 834797 )

      I do not think Exchange handles encryption that well unless sending emails between non-exchange servers. That is whet you get using proprietary systems. Sadly Thunderbird seems to be going that route with encryption due toits change to embedded pgp.

      But if the data was copied from saved emails, I do not know how you can stop that since most people (including Linux) relies on encrypting the full Hard Disk as opposed to encryption saved data.

  • We are talking about DHS's crown jewels.

    Well that's putting the squeeze on someone.

    The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS

    What goes around comes around. [bbc.com]

  • The Problem (Score:3, Informative)

    by XopherMV ( 575514 ) on Monday March 29, 2021 @12:33PM (#61213666) Journal
    The problem is counting on a single vendor to provide services for all government agencies. That creates a single point of failure that can be exploited by bad actors.

    I'd also like to point out that the problem wasn't with the government agencies themselves, but the capitalist, for-profit company they hired to manage this problem because government agencies are supposedly incompetent at managing these problems for themselves.
    • Re: (Score:2, Offtopic)

      by Ostracus ( 1354233 )

      Explains a hundred different Linux distros. No single point of failure there.

    • by Zap25 ( 221031 )

      Agreed: never put all your eggs in one basket.
      Especially if they're not actually eggs because "We are talking about DHS's crown jewels."

      Maybe I'm a simpleton, maybe I wasn't bribed by a lobbyist to grant a services contract to a capitalist for-profit company.
      But I think the CIA, NSA, FBI and the Pentagon not only have the competence, but also the resources and knowledge to provide bulletproof cybersecurity services. But that's the thing about the DHS isn't it? Like many departments they are lead by people w

    • This. And also layers and layers of complexity... Security and complexity doesn't go well together.

  • So was Microsoft's Government Cloud hacked? Those accounts should have been in the Government cloud and have MFA enabled. If not, DHS isn't following the rules. Did they catch these emails in transit somehow?

  • Manufacturing more consent. Watch for a request for more budget.

    • ~$600M went for federal security in the recently passed stimulus. Along with a comment mentioning that this was just a down payment.

  • SolarWinds is advertising software on the /. front page just under this post lol.

  • We won't touch SolarWinds ever again...
  • getting sick and tired of the bullshit in headlines, treating things as if verified when all we actually have are suspicions - based on info that any competent IT person knows is dodgy proof at best.

  • by BardBollocks ( 1231500 ) on Monday March 29, 2021 @04:10PM (#61214628)

    With the kneejerk reaction to Whistleblowing creating a 'need' to centralise infrastructure control and credentials every competent IT guy saw this kind of event coming - like Steve Irwin playing with deadly animals.

    What could go wrong eh?

    It's bloody obvious that policy makers are scared shitless that the public is going to find out what is going on and having the evidence to know it's not a 'conspiracy theory' (except to idiots, because facts are ALWAYS conspiracy theories regardless) - and US vendor after vendor that has been trying to sell us products, including Solar Winds, really seem to be focused on 'control' and 'risk management', whilst asking you to hand it all over to them.

    • Re: (Score:3, Interesting)

      by XopherMV ( 575514 )
      For the past 40 years, conservatives and libertarians have been telling us that government is the problem. Government can't do anything right. We need to cut government. Government doesn't help. It only wastes money. Reagan famously stated, "The nine most terrifying words in the English language are: I'm from the Government, and I'm here to help."

      So, what did we do? We outsourced damn near every function of government to private contractors who could do everything "better." Oh, and nevermind the fact th
  • Ever since they moved to Microsoft Windows, Department of Homeland computer security has been a joke. People moving from Microsoft to Federal government. Then the DHS buys the Microsoft product.
    U.S. Department of Homeland Security Washington, DC 20528 Microsoft Enterprise License Agreement [dhs.gov]

Kiss your keyboard goodbye!

Working...