
We Already Know How to Stop SolarWinds-Like Hacks

submitted by
Style Pass
2021-06-12 10:30:03

Orion, a SolarWinds product, was designed to monitor the users’ networks to make sure they were functioning properly and, ironically, kept safe. Photograph by Camilo Concha / Shutterstock

Last year, hackers made headlines after they breached SolarWinds, a software company that specializes in network monitoring software. About 33,000 organizations, including the Pentagon, the U.S. State Department, and some intelligence agencies, use Orion, one of SolarWinds’ products. Orion was designed to monitor the users’ networks to make sure they were functioning properly and, ironically, kept safe.

The breach seems to have started with an attack on Microsoft products, including the Microsoft Office 365 server SolarWinds was using. Office 365 handles email, among other things, and email servers are notoriously hard to protect against malware infection because they have to process data from computers all over the Internet. The attackers then mounted a supply chain attack, meaning that instead of directly attacking government offices, the attackers compromised the Orion software that those organizations used, before the software was actually delivered to them. 

What could software manufacturers do to defend against such an assault? Recently, researchers from Ohio State University and Potomac Research LLC, led by Noeloikeau Charlot, published a paper on the idea of using “physically unclonable functions.” Physically unclonable functions, or PUFs, exploit the fact that, at a microscopic level, even mass-produced computer chips have tiny differences from one chip to the next. PUFs leverage that to let every chip in a computer, smartphone, or other device generate a signal that no other chip can generate. Just like your bank might want to check your fingerprint before you access your safety-deposit box, an online bank can check a device’s PUF to make sure that only someone with the right device is accessing a bank account. PUFs can be impressively distinct. “The researchers,” according to a press release, “believe it would take longer than the lifetime of the universe to test for every possible combination available.”
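The device check described above can be modelled as challenge-response authentication. The following is an added example, not code from the article or from the researchers' paper. It assumes a software stand-in for the chip (an HMAC keyed with a random per-device secret in place of silicon variation), and the names `SimulatedPUF` and `Verifier`, the 3% bit-noise rate and the 32-bit tolerance are all illustrative assumptions.

```python
import hashlib
import hmac
import random
import secrets

RESPONSE_BITS = 128


class SimulatedPUF:
    """Software stand-in for one chip (assumption: real PUFs derive this from silicon)."""

    def __init__(self, noise=0.03):
        # Constructed per-device secret modelling manufacturing variation.
        self._variation = secrets.token_bytes(32)
        self._noise = noise  # chance that any one response bit reads differently

    def respond(self, challenge: bytes) -> int:
        digest = hmac.new(self._variation, challenge, hashlib.sha256).digest()
        ideal = int.from_bytes(digest[: RESPONSE_BITS // 8], "big")
        flips = sum(1 << i for i in range(RESPONSE_BITS) if random.random() < self._noise)
        return ideal ^ flips


class Verifier:
    """Bank-side check: stores challenge-response pairs recorded at enrollment."""

    def __init__(self, max_distance=32):
        self._pairs = {}
        self._max_distance = max_distance  # tolerated differing bits out of 128

    def enroll(self, device_id, puf, count=8):
        challenges = [secrets.token_bytes(16) for _ in range(count)]
        self._pairs[device_id] = [(c, puf.respond(c)) for c in challenges]

    def remaining(self, device_id):
        return len(self._pairs.get(device_id, []))

    def authenticate(self, device_id, puf):
        if not self.remaining(device_id):
            return False  # unknown device or pairs used up: re-enrollment needed
        challenge, expected = self._pairs[device_id].pop()  # single use blocks replay
        distance = bin(expected ^ puf.respond(challenge)).count("1")
        return distance <= self._max_distance


if __name__ == "__main__":
    genuine, other = SimulatedPUF(), SimulatedPUF()
    bank = Verifier()
    bank.enroll("device-1", genuine)
    print(bank.authenticate("device-1", genuine), bank.authenticate("device-1", other))
```

The verifier compares responses by Hamming distance rather than exact equality because two readings from the same physical device differ in a few bits, while a different device disagrees on roughly half of them.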
