Welcome to TechStuff, a production from iHeartRadio. Hey there and welcome to TechStuff. I'm your host, Jonathan Strickland. I'm an executive producer with iHeartRadio and a love of all things tech, and today I've got something special for you guys. I'm going to be talking with Shannon Morse, my good friend, hacker extraordinaire, incredible tech communicator, and she and I are going to break down the SolarWinds hack, a hack that was dominating
the news for late December into January. It will likely be a part of the news cycle in the tech space for months and possibly years to come, as it was a particularly effective and potentially devastating attack, one that will take quite a long time to repair. And I wanted to bring Shannon on to the show because while I can do a lot of research into this stuff, I come at this the same as anyone else would, really,
anyone who's not in the infosec space. I would look at it as an outsider trying to learn as best I can. But Shannon has been working in the hacker sphere for many years and has a particularly, uh, strong point of view when it comes to such things and is able to see things that I just don't. So I was very glad that she took the time out of her schedule to jump on this episode. And so now here is my conversation with Shannon Morse about the SolarWinds hack. I hope you enjoy it. Shannon,
Welcome back to TechStuff. It has been too long. Thank you for joining me. Thank you for having me, Jonathan. How are you? I'm well. It's always a pleasure to have you on, even when we have to talk about terrifying existential threats, but this one is a fun one. This one is interesting, fun for us to talk about. Yeah, well, because it is different from a lot of malware threats and hacker threats that we typically hear about. So, Shannon, you're the expert, you let me know if I'm way
off base. I'm going to give kind of my take on what the typical hacker attack tends to be and the way we tend to see, at least the ones
that we hear about. Um, if it's not something like someone taking advantage of a security vulnerability in a system or using social engineering to get access to someone's system, what we usually hear about are malware attacks where there's like an email attachment or someone has uploaded an infected file through some sort of distribution point, where it might be a peer to peer network, it might be a database, or it might be that you go to some website
that you've been directed to and you click on something that then installs malware to your system. And in this sort of attack, you've got hackers that are kind of taking a shotgun approach, right. They don't know who's going to end up getting this malware. It's more like, let's try and spread it as far and wide as we possibly can, taking a pretty brute force kind of tactic. Is that more or less accurate for the general types of stuff we hear about? Yeah, pretty much. I mean
usually you hear about the very consumer oriented hacks. You know, an app gets installed from Google Play and it turns out it has hundreds of thousands of downloads and everybody all of a sudden has malware and they have to
get rid of it. Blah blah blah blah blah. So you see a lot of targeted assaults happening towards consumers, but in this case, with a supply chain attack, as it's called, uh, you see an attack that's very targeted towards a specific type of brand or a vendor that happens to work with a whole bunch of people. So the attackers don't necessarily know the whole bunch of people, these businesses, these clients that this vendor works with.
They don't know who's actually going to install it in order for them to be able to attack all these different brands. They just know, we know this vendor works with thousands of thousands of really important businesses, so let's just attack this one brand and then see what happens. Yeah, and in this case, the SolarWinds hack, a lot of people, I'm sure the average person, had never heard about SolarWinds before the news broke about the actual hack.
Because this is a business to business sort of enterprise. They create software packages for businesses, typically really big businesses or really big organizations, to use to do things like just monitor their network system. So it's not the kind of thing that the average person would ever have to come in contact with unless you happen to be like the IT person at a big company or a government agency. Exactly. So I'll give an example of when I used to work at a bank and was forward facing.
When I was working at that bank, you know, I was talking to customers all the time, and I had my own little register where I had the money and everything, and I had my own computer. But that computer was
running Windows, and it was running software on Windows. But behind the scenes, for that entire branch and for all the different branches and all the different cities for this company that I worked at, they had servers that were connected to all the different physical locations for this bank, and on those servers is where you would see these kinds of platforms being used, these kinds of operating systems.
So if you're just working at a very, like, consumer facing or an office oriented job, then you don't necessarily run into this, even if you're an employee. A lot of times it's just happening on the back end for, like, the network administrators, the IT security and information security, like those are the kind of people that
would be using this kind of, uh, networking product. Yeah. So, like, if you're a company that does products that are like software as a service, where you need to keep a really close eye on things like network loads because you might have to react, uh, nimbly and quickly to changing demands on your system, SolarWinds makes the kind of software that allows you to have that top level look at what's going on with your networks. So again, not something that most of us would run into,
but it is really important software. And that's why nearly every company that's on the Fortune 500 list is a client of SolarWinds, and several high level government agencies, particularly in the United States, like the Department of Justice, the Department of Homeland Security, Department of the Treasury, the Department of Energy, like big national security level organizations, are all clients of SolarWinds, and in particular, they have
a product that's called Orion, and this is specifically to monitor stuff like network traffic and network assets and where you might need to make adjustments on the fly. And that ends up being the bullseye of the target for the hackers who created the SolarWinds hack, which is also sometimes called Sunburst, the particular malware that was used, and, um, this is where we get into that supply
chain attack. And I think an easy way for people to understand it is that it's unfortunate that it's an attack that that takes advantage of something that we typically tell people to do, which is, when a patch comes out for your software, you install it. Because typically patches do things like they address previous vulnerabilities in software and
they close down an avenue of attack for hackers. But if a hacker were able to target that actual software, whatever it might be, like, if they were able to target Windows and insert the malicious code into the Windows code so that when the patches go out, the malicious code hitchhikes along. And then when you install your patch, as you do as a good user, you have just installed the malware. That
is the supply chain attack, and it's devastating. Yeah, it's very very scary because it kind of focuses on the inherent trust that a lot of clients have with the vendors that they use for this distributed software that they might use on their back end for
their network or whatever it might be. So by having that inherent trust, you are trusting as a business that when you do these auto updates, when you physically go in and, you know, update your firmware or whatever it might be, that you are going to be protecting yourself because you're on top of it, you're downloading that stuff every single time there's a new version that comes out.
But in this case, because the attackers were targeting the vendor itself and not the specific clients, they were distributing that malware to thousands upon thousands of potential customers, and it's the ones that were updating like they should be that ended up being kind of caught in the crosshairs. Yeah, this is one of those cases where you say, I did everything right and you still screwed me. Uh, yeah.
So Orion is a platform that's very popular. Around thirty three thousand of SolarWinds' clients have some version of Orion running on their system. Out of that thirty three thousand, SolarWinds said approximately eighteen thousand had the versions that were specifically affected when the malicious code had been inserted and those patches had been pushed out to
the clients and they had actually installed it. Out of those eighteen thousand, however, we later learned that a very very small number were followed up on because, as it turns out, that Sunburst attack was just stage one. It was not the end all. It wasn't like, oh, we snuck some malicious code into a legitimate product, high fives all around. That was just the beginning. Yeah. So in this case, the attackers were like, let's just get it out there and see who gets caught in
the crosshairs. And then they started following up and they were like, Okay, well, who who matters the most to us? Which ones might be financially motivated for us to hack? Who might be the ones that have the biggest and best data sets that we could potentially pilfer off and
sell to a third party. Like, we don't necessarily know what their end goal is, but a lot of times with hacks like this, especially if they are distributed towards Fortune 500s and government and sectors like that, they are state sponsored or they are very very financially motivated. So that would be my general, like, hypothesis as far as what their motivations were behind it and why
they specifically targeted, you know, the government sector, the very few that they actually did out of the eighteen thousand. Yeah, I think the last report I read said that it looked like it was around forty systems out of eighteen thousand. That's less than, like, point two of all the different systems that they hit that they followed up on, and it does say that there was a very concentrated, focused effort to look at very specific systems.
Most of the ones that they targeted were out of big tech and then government agencies and then some non government offices outside of that, like think tanks and things like that. Um, I've seen speculation that, as you say, it was very likely a state backed attack, and that the evidence seems to point, but it does not necessarily
indicate proof positive, that Russia was behind the attack. At least, yes, it appears that that's what all the signs point to, but then there's also always the possibility of what is called a false flag operation. Exactly. So it's very interesting when people start kind of laying blame on specific groups of attackers or groups of hackers and saying like, hey, because the code looks this way, we think that it's, you know, backed by Russia or whoever it might be,
backed by China and North Korea. Those are usually the ones that we see in the news. Uh, in this case, they found samples of code that could be very very closely linked to a previous attacker group from Russia. So they made that tie and they were like, hey, we think that this is the same group. But there is always the potential that somebody could have copied previous malware and used samples of that for new, quote, code for SolarWinds, for the Sunburst. So it's entirely possible that
it's not the same group, but it's plausible, right. So again you can't draw any firm conclusions. But when you start thinking about this as a potential state backed attack that largely gives hackers high level access to systems once they deliver that second payload of malware, which specifically allows them to move laterally across networks, not just hit a specific server, but then to kind of infiltrate across an
entire system. A lot of the reports we've seen have shown that the hackers were at least able to read material, to see what material was around. They could look at source code at Microsoft, for example, or they could look at emails that had been both sent and received through a particular system. A lot of this kind of leads you down the path to thinking one potential
purpose for this attack could be espionage. That it literally is another part of cyber espionage where you're spying on, um, an enemy or adversary, and that fits the narrative really well. Again, we can't draw that conclusion conclusively, to be redundant, but we can at least say, like, that is a potential answer to why this has happened. Yeah. So I like to lay out a lot of caveats because it's very dangerous to speak in absolutes when you come to something like this,
because it may turn out, yes, ongoing. So we still have a lot of questions. But I am glad that we have companies like Microsoft, for example, with Office 365 and the fact that they were able to see source code, the attackers were able to see source code. I'm glad they're coming forward, these clients that were attacked and were targeted, because it's giving us a clear perspective of what was
actually targeted in this assault. And in Microsoft's case, it was, or at least they believe that it was, the source code, because the attackers did get access to that information. Now, were they also, like, collecting the source code? Were they taking it from Microsoft and collecting it into their own data set? Maybe? Probably. I mean, they did have access
to it, so it's entirely plausible as well. But again it's that plausibility of, like, all these questions that we currently have with an active attack where there are still discoveries happening. This is Jonathan outside the interview here. I'm just interrupting so that we can take a quick break, but we'll be right back. So we know that the nature of the attack allowed for a lot of access to things from a certain level, but in most cases that we've heard about, the companies are saying no one
was able to actually make any changes to anything. They might have seen it, they might have copied it, but they could not modify anything. However, part of what I would think would be useful if you're looking at source code for products like Office 365, which has incredible distribution to millions of systems around the world, consumer level, enterprise level, everything in between, is that now that you have that source code, you can start looking at ways to
exploit that. You essentially have a playground, a sandbox that you can work in with the actual source code of the product, at least from that particular era until Microsoft makes changes to it, and then you have a way of practicing on that to try and develop malware that could potentially be used out in other distributions using perhaps totally different attack vectors. Is that something that could actually be possible, or am I addled by Hollywood? That's entirely possible.
And that's one of the reasons why we have seen supply chain attacks targeting very specific, like, firmware versions or the back ends for these really large clients like Microsoft, uh, in order to be able to steal source code and stuff like that, because oftentimes, even though new versions might come out of an operating system or of software or firmware, uh, they will use previous generations of that firmware in order to maintain, like, consistency across all
of the different platforms that their product might be installed onto. So there might be a few changes for future versions or future releases, but the source code might remain pretty similar to previous installations, and it's so much work to change things on a fundamental level that it's impractical. Right. There's almost no possibility, especially for programs that typically
grow larger. I don't know if you've noticed this, Shannon, but I have, even from, like, a programming perspective, which I am not a programmer. But I have done some coding in the past, and I know that there is a lot of turnover at companies, and oftentimes they will forcibly not change a lot of the code in order to make sure that it still works with new employees if there is, like, a new coder that comes in
or a new programmer. Uh, and sometimes you won't find notes in the code for future programmers, so they just choose not to break anything by not changing anything, so code will remain the same for years and years
and years before somebody actually goes in and bravely changes anything. Right. So, if you are someone who's creating, uh, some malware and you want to target users of a specific type of software, whatever it may be, whether it's an operating system or something entirely different, then being able to make a change to, like, a fundamental part of that code, one that is not likely to have been altered because it's sort of a pillar of
the software, then that's a pretty decent bet that your malware, if you're able to inject it into the actual real software on whatever the vendor side is, that will then get rolled out through various patches and updates or even just new installations of that product as people come on board, and the longer you can keep that on the DL, the more systems you can infect without anyone being the wiser. As it turns out with the SolarWinds hack, we now know that the
attacks started no later than October 2019. It may have been insane. Yeah. So that was for a full year plus a couple of months before we were made aware of it. And it was another security firm called FireEye that noticed something hinky was going on. Something hinky. Yeah, but it's kind of, but it was hanky, it's true. They were like, hey, what's this, why's our network being weird? I call it janky. But they were just like, something odd is going on, like we're
getting some red flags. And we didn't know at the time that it was Sunburst, we didn't know that it was a SolarWinds hack or where it was being distributed from. So FireEye was just like, we think we got hacked, and then a few days later everybody was like, oh, actually this is connected to a much bigger thing. It wasn't them, it was the vendor
that they were using. So all of a sudden, everybody was just like, oh, we should probably check our systems too, And then everybody started realizing, oh, this is actually a really huge thing because it wasn't just us, it was a vendor. That's scary. Well, and when it's a cybersecurity firm that first says, oh, gosh, we were hacked, you know it's bad because these are the people who are
paid to stop that from happening to other people. So it's a great example when you look at it from that perspective of FireEye, as a cybersecurity company, even they had inherent trust in SolarWinds to distribute
their firmware and their updates in a trusted way. And even then they couldn't fully trust SolarWinds to do that in a manner that would keep them protected. Right, right. I mean, there's this whole certification process, this digital certification that proves that a piece of code is really coming from the source that you think you're receiving it from, so that there's this approach that's very well tested, very well proven by history, that this is reliable.
And that's why this hack is so insidious, because it said, cool, we're not going to try and get around that. We're gonna rely on that trust, on that whole process, because everyone knows it works. So if you can get to the code before it goes through, then you're golden. And that's exactly what happened. Uh, an analogy I use is that the way we typically think of hackers is, and you should appreciate this because I
know you've played with them, we can think of someone who's got lock picks and they're going through an apartment building and they're opening up locks just for fun. But the SolarWinds hack is as if the supervisor for the entire building with the master key is the one who has decided to do all the snooping, and they can just walk in whenever, because they've been trusted with that master key. So that's kind of the
analogy I give. It's totally different from the hacks where you're like, that person looks sus, I'm not gonna let them into the building. No, it's the supervisor. Of course the supervisor comes in, he's totally fine. Yeah, that's a great analogy, actually. I hope you don't mind if I steal that? Please do. I get like two a year, so I'm just glad that I was able to. I mean, I peaked early. We're in January.
But yeah, so the scope of this attack, even though only, I say only, but like forty different systems have been compromised and then further infiltrated, uh, you still have around eighteen thousand that could potentially be infiltrated because they do have the malicious code installed within their systems
that allows for that backdoor access. So it is now incumbent upon them to make sure they, uh, isolate those servers, they remediate them, and that they bring everything up to a new version
that no longer has that backdoor access. Meanwhile, for all the systems that were compromised, for those forty, which again includes, like, national security level government offices, they have the unenviable task of figuring out how extensive the attack was within their systems, what parts of their systems were specifically affected, what level of access the hackers had, was it like Microsoft, where they could just see it, or could they do more? And how do they fix it? Um?
And this is, I think, the way we could call it a ginormous challenge. Oh yeah. So I'll give you an example from a very much smaller scale. When I was working at Hak5 in an office, I learned how I could do network sniffing on the entire office. So I was able to figure out from my little Linux laptop what machines were connected all to the same network, even if they were Ethernet
or WiFi. I was able to figure out how to, you know, sniff WiFi as well, because we made a product for that, uh, and I was able to see that we had, like, I think it was like twelve different computers, we had two printers. So then from there I was able to look up the versions of everybody's operating systems and find out which ones were vulnerable. And
it turns out one of our printers was vulnerable. So even though I was not necessarily connected to the printer, like I didn't have it installed, the drivers installed, or anything on my Linux computer, I was able to send that printer a piece of paper that said I got hacks, and I was able to print it out on the computer. And it was the funniest thing because, like, nobody, it was Darren's printer, so like he was able to
look at it. My coworker, Darren Kitchen, and he looks at the piece of paper and he was like, did you just figure out how to hack the printer? And I said, yeah. It was super funny. But even from a much more broad perspective of when you're looking at SolarWinds, um, if somebody had access to the network of one of their clients, they could see the actual desktop computers that many of their office employees might have access to. They could see printers.
They might be able to see network connected security cameras. Uh, if they work at a bank, they might be able to see network connected ATMs. Uh, they have access to maybe, like, passwords or anything that's being distributed across the network if it's not being protected correctly. They could have access to network attached storage in server racks,
all sorts of things. So if you have hundreds and hundreds of different connected devices and any of those have not been, like, auto updated, and then again we're putting trust in vendors to auto update correctly, if these machines have not been auto updated or patched correctly, and a hacker has access over that network to see what version these programs are running, there's plenty of information on Google about what version of what software is still vulnerable to
what problems. There are these things called CVEs and you can look them up and see what kind of vulnerabilities are currently out there and how they are being fixed. And if a hacker knows, and they look at this version and then they find out there's a vulnerability, they could use that to their advantage to get another foothold within that network. Even if the network admin found out that there was a vulnerability on their network and they were able to cut that off, the
hacker might have already gotten another foothold. So it's entirely possible that there's, like, plenty of other places that these attackers are snooping on networks through. So yeah, it's a huge issue, and it's no wonder, like, given that this was just discovered a few weeks ago, maybe about a month and two weeks ago, or six weeks, uh, it's no wonder that there's tons of network admins and security professionals that are still having to work, like, over
time just to ensure that their networks are safe. And you pointed out a problem that I hadn't even thought about, which is just like, hey, you know how
bad you thought this was? Guess what, it's worse than that, because, like, to go back to my analogy, it would be almost like if you have infiltrated a building, you were able to sneak in, and you're snooping around and you're looking at all this sort of stuff, and meanwhile you're also unlocking every window you go by, so that if your original entry point
has been shut off, you've got like fifty others. For example, if somebody was to change the lock on their door, but you also had unlocked the windows so that you could get access that way, they might not even think about checking the window when they fixed the lock on the door. Right, right. So, like you were saying, looking at all the different versions of software that are running on various computers and other systems, other devices running on
that network, if you identify all those potential vulnerabilities, really you're like, you're saying, we should use this time to start developing tools to take advantage of all these different potential weak points, because we can make the problem so big that it is almost impossible to think of what the solution would be apart from nuke it from orbit. It's the only way to be sure. A lot of it is risk assessment, and that's something that a lot of large businesses do, and
it's even something that customers can do. Consumers, like I could do this from my home network: risk assessment. What's running on your network right now? What devices are vulnerable or potentially vulnerable? Have you done a yearly audit to make sure that there's nobody getting access, there's no, like, random email addresses tied or associated to your online accounts?
Have you changed your passwords in the past year to comply with NIST's recommended framework for passwords? Like, there's a bunch of different things that you can do to kind of assess where your risks lie and then act on those assessments before a hack actually happens. Right. Yeah. And as long as you don't have an issue like this where a trusted vendor's, where, because yeah, because that just slips right in, right, just like you were saying, like
these companies could have been doing all the right things. It's not like they did something wrong. They did the right thing. And you might wonder, well, how did the hackers get access to the Orion software to start with? Like, how did that happen? And honestly, we don't fully know, or at least the public doesn't fully know yet. Someone might know, but I don't. But the working theory right now is that another third party vendor called JetBrains
creates a tool called TeamCity. JetBrains, by the way, I'm sure completely coincidentally, was founded by a group of Russian cybersecurity experts, but TeamCity. TeamCity is a software testing environment. So it's the kind of thing where you've got your little virtual sandbox, so that you can build software and try and break it and see if it works before you deploy it in the real world. Right,
that's kind of the thing they make. And SolarWinds is one of the customers who uses TeamCity, and so the current thinking is that the hackers targeted TeamCity. They specifically targeted a server that SolarWinds uses that has TeamCity on it. They targeted that and then they were able to get access to SolarWinds software through that link, which just shows you, like, there could be a lot of hops between the hacker and their ultimate goal. So this TeamCity server was one hop.
The SolarWinds system where they were able to inject malware into Orion was a second hop. The customers were the third hop, and then they could go in and start adding a second payload. Because once they were deployed to the customers, that was the in road,
that was the back door. There is no doubt in my mind that their end goal was the clients that use SolarWinds, and chances are that these attackers are very very advanced and that they probably are state sponsored because the time that they're investing in order to get the foothold within, get these back doors within, these clients took them over a year. I mean, it took them a very very long time. And if they started even behind SolarWinds, at JetBrains, that's insane. Like,
that is extremely advanced. And that's one of the reasons why this is such a crucial attack and why it's going to go in, like, history books when people talk about information security and learning about previous attacks. This is going to be one of those historical examples of a supply chain attack, because it's insane how advanced it is. We'll be right back with more with
Shannon Morse about the SolarWinds hack after this quick message. I've read some articles by cybersecurity experts who, you know, hindsight is, now that it's happened, you can see where the opportunities were earlier on, in the sense that if you're thinking about the cybersecurity environment of, say, 2018 to present day, a lot of that attention was rightfully devoted to things like how do we maintain a secure election cycle here in the United States. So a lot
of resources were looking in one direction, which meant that not as many resources were looking for potential supply chain threats. So while there were a few analysts who had previously said this is something we really need to be cognizant of and have developed best practices so that we can hopefully prevent it, but if not prevent it, certainly detect it
and react to it. But because there were other pressing matters that were very much tied to cybersecurity, that that just didn't get as much attention as it might have otherwise,
and it ended up being the perfect opportunity. It actually really does point to the incredible um UH inventiveness and the the how how nimble the hackers were to be able to recognize a time and and opportunity to really develop and deploy that malware, because you couldn't have asked for a better environment, right, It just was the perfect time for for the neighborhood Watch to be looking the
other way. Oh yes. And I feel like the attackers got very lucky on their timing, even though, and this is bringing up the pandemic in a sense, even though it's probable that this started in October 2019 and that happened before the pandemic. What perfect timing for these attackers, because the entire time that they have been silently getting intrusions into all these different clients and
into SolarWinds as the vendor, there have been companies out here that have been losing funds because of the pandemic.
They don't have as much manpower because everybody's working from home, and they've had to lay off a lot of their network administrators and their IT and consultants and everybody else, and they don't have the money right now to fund things like third-party audits of their systems. So perfect timing for attackers to just come in and silently attack and intrude on all of these different networks, because nobody has the manpower right now.
It's almost impossible for all these companies to be able to fulfill all the projects they could have potentially had for security and privacy of their networks. Yeah, it is. It's a remarkable set of circumstances that all helped create almost a perfect storm. The only way you could argue that this would be obviously worse is if that number of compromised systems had an even larger number of ones that were followed up upon, if that number were
even bigger than we would be talking about. I mean, I don't even know how to call it like a catastrophe, because I think it's already a catastrophe. We're already at a catastrophic level because of the potential espionage that could have been done in critical systems. We don't know if they were ever able to really access highly classified information. Clearly that's something that the government likes to
keep on the down low. They're not too happy to say, oh, by the way, Russian spies were able to look at our top secret classified information that even most of our government officials never get a chance to see. That would be bad. We don't know if that's happened or not. Based
on what we've seen at other places, it's hard to say, because it all depends upon what other security practices these different departments were doing, whether or not they had sequestered some of their most sensitive information in systems that are not as easily accessible. There are possible ways of doing that. Microsoft, in fact, has talked about how, through their own security system, that is part of the reason why they were limited in their access.
They still got to see a ton of stuff. It's not good, but it was low-privileged user access. They weren't able to get full access to everything on Microsoft systems, because the attacker was only able to
get that lower-end access. So here's hoping, and the cynic in me feels like hope is a strong word to use, because I'm also familiar with government systems and they're not always laid out in the best way, often not through any fault of government officials. I don't want to throw a lot of shade at them. We also have to keep in mind that in some of those positions there's a lot of turnover just because government
changes a lot. So it's hard to keep a real legacy of security in those systems, because you don't necessarily have the same personnel from one administration to the next. And there can even be turnover within administrations, as our most recent administration taught us nearly daily. So yeah, this is a huge challenge. The process of cleaning it up is going to take a really
long time. I tried to see if any analysts had kind of an estimate, but the most specific answer I could get was probably years to really assess the full extent. That's the same thing that I saw, which was pretty much the consensus even among my hacker friends: it's probably going to take several years in order for them to really figure out how deep this honestly goes. That is a sobering fact. It's also a good reminder that this is something that's
not necessarily going to be an isolated incident. The fact that this was so successful sends out a message to any state-sponsored hacker group that if you can manage something like this, then all the doors are open to you. So it's now something that vendors are really going to have to be cognizant of, to make certain that the product they send out has not been altered in any way. And this is made more
challenging because obviously hackers are clever. They figure out ways to cover their footsteps. Thank you. I mean, a good hacker does anyway, right? A good hacker doesn't just figure out how to intrude on the system, they also figure out how to cover up that intrusion so that it's
not immediately apparent. Yes, because a lot of companies have really good intrusion detection software, which will send them a red flag or notify several of the administrators that are working on that network immediately, as soon as something is noticed, so that they can assess
the situation and cut off the threat. Yeah. And just to make this story even more scary, there have been four major cybersecurity companies that have reported being compromised in some way, or at least attacked by these hackers. One of the four says that no harm was done. Those would be FireEye, which we mentioned before; that was the first company that came forward that kind of broke open the dam on the discovery of this. Microsoft is another. Malwarebytes, which we learned
about not too long before the recording of this. Yeah, like really recently. And worse than that, not related directly to SolarWinds, because they don't use SolarWinds products. We'll get back to that. And then CrowdStrike, which is the company that says, yeah, they tried, but they didn't do anything. So good on them. But as for Malwarebytes, they came forward and said, yes, we also have detected the presence of these hackers in
our systems. But in our case it was because of an Office 365 email protection app that was dormant that they were able to target and get to our systems through that. So they were able to read some emails. So that tells us that potentially that could have been something they learned by being able to look
at the source code over at Microsoft. We don't know that, but that's possibly how that happened: that they learned of a particular attack vector by scouring the source code, and thus were able to have a secondary attack through a totally different approach and not have to depend upon SolarWinds at all. And if that's the case, if Malwarebytes was targeted, then there's a really good chance that others were too and we just don't know about
it yet. Yeah, that's an excellent example, and it kind of takes us back to the beginning of the conversation, explaining why the attackers were targeting these companies in the first place, because they're getting access to this crucial information that could potentially give them access to other people or other brands and companies in the future for completely different hacks that have nothing to
do with SolarWinds. So while we might be on the lookout for one type of attack, just like what I was talking about with the election cycle really taking a lot of cybersecurity attention, if we're all looking for one specific type of attack, that just means that there are opportunities for other attacks. In fact, this is sort of just the cracker style of hacker, you know, the ones that specifically
are looking at how to infiltrate systems. It really just goes into their mindset, which is that all they care about, at first anyway, is figuring out how do I infiltrate that system. That's their only focus. The problem for people who build these systems is that they also are burdened with the weighty responsibility of making the system do whatever it was supposed to do, plus make it invulnerable to intrusion.
But you have to make your system work first, right? So you're like, hey, everything works, and then, oh, you forgot about this way that a person could intrude and get access to your system without authorization. You think, well, shoot, I was just trying to make the thing go. Oh yeah, straight up, even if you're working in an office. I love giving those kinds of examples because a lot
of people work in offices. Let's say they have to update the firmware on your printer and they have to disconnect it to make it invulnerable to some kind of attack. All of a sudden, they have to reauthorize all of the PCs to connect to that one printer. And that's a huge headache, and that creates even more work. So you have all these people that are just trying to get their work done and you can't do
anything from the perspective of an employee. Yeah, and I'm definitely that guy who gets a little pop-up in Windows that says, hey, we've got some updates, do you want to reboot your system or do you want to, you know, and I'm like, no, twelve hours, tell me in twelve hours. And then after like four days, no, seriously, Microsoft is going to come and take your computer if you don't update. Like, okay, you know what, we've had some fun, I'll go ahead
and reboot. Yeah. So this is fascinating to me, and I'm so thankful for you to join the show to help me kind of suss all this out, because I kind of had a handle on it, but you really opened up my eyes to other opportunities that, honestly, I just didn't think about. So that's exactly why I wanted you to join the show and why I'm so thankful that you said yes. Yeah, of course. After I bugged you
while you were on holiday. Well, I'm glad I was able to join you, because there are so many different ways that you can look at this attack. So talking about all those different perspectives like I have been is really important to really understand and get ingrained into the motivations behind the SolarWinds attack, but also to understand it from a client perspective, why this has been so crucial and so important to so many people. And it's great to be able to have that sort
of conversational approach, where as I get my understanding, I hope that my listeners have gotten a deeper understanding of what's going on and why this is such a big deal and why it dominated tech news for a couple of weeks, you know, before we hear about Apple interfering with defibrillators and things like that. So I'm sure we're going to hear a lot more about this over the coming months and potentially years as
well. Inevitably we're going to hear about other hacks that are going to be compared against this, because, as you say, this is going to be a benchmark. This is a historic hack event, and it will be one of those big ones we talk about for years to come. But Shannon, if people want to find your work and follow all the incredible things that you do, where would they go? Check out youtube.com/ShannonMorse, spelled just like my name.
That's where I've been doing a lot of security and privacy as well as tech reviews too, and I do answer a lot of questions about security and privacy for consumers. Yeah, and if you hunt around, you can follow Shannon doing all sorts of crazy things like traveling the world when there's not a pandemic going on. And she takes really good photos. Me too. Me too. And it doesn't help that my wife will occasionally send me a picture of a place I really want to be in but cannot
go to. It's very relatable. Yes, well, thank you again, and I will certainly have you back on TechStuff whenever you agree to do it. Well, thank you, Jonathan, I appreciate it. Thank you so much for having me. I hope you guys enjoyed the interview with Shannon Morse, and once again I have to thank her for coming
onto the show. She is very generous with her time, so I greatly appreciate it, and I hope that that discussion gives you a deeper understanding and appreciation for the large challenge ahead in dealing with this hack, as well as just, you know, something to think about for all of you folks managing stuff out there, about things to look out for in the future. I mean, as Shannon points out, the real issue here is that the attack
targeted something from a trusted source. So when you get a message that is from a trusted partner, you don't expect there to be malware in that. So this really is a major wake-up call, and unfortunately it's a wake-up call that's doing active damage right now. But hopefully we'll have better news to bring about the SolarWinds hack as time goes on and as people learn
how to remediate those servers. In the meantime, if you guys have any suggestions for future topics I should cover on TechStuff, whether it's a company, a technology, a trend, something like the SolarWinds hack, or maybe there's somebody you would love for me to have on the show as a guest, let me know. The best way to get in touch with me is over on Twitter. The handle for the show is TechStuffHSW, and I'll talk to you again really soon. TechStuff
is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.