I’m not in favour of having public client lists, especially when you’re a critical software vendor — but this list is just terrifying. There are a lot of big names there, and I won’t be surprised to hear of more incidents in the coming days.
“More than 425 of the US Fortune 500
All ten of the top ten US telecommunications companies
All five branches of the US Military
The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
All five of the top five US accounting firms”
What’s the opposite of security through obscurity?
Any Fortune 500 company that's been around for more than a decade probably has one of every enterprise software product running somewhere. When I worked at a big bank and we acquired any company, large or small, the software stack they used usually just got bottled up where it was, and the client list on the vendor's website just got updated to the new company name.
I mean, that company list has "Smith Barney", which doesn't exist anymore.
SolarWinds’ comprehensive products and services are used by more than 300,000 customers worldwide, including military, Fortune 500 companies, government agencies, and education institutions. Our customer list includes:
- More than 425 of the US Fortune 500
- All ten of the top ten US telecommunications companies
- All five branches of the US Military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All five of the top five US accounting firms
- Hundreds of universities and colleges worldwide
Partial customer listing:
Acxiom
Ameritrade
AT&T
Bellsouth Telecommunications
Best Western Intl.
Blue Cross Blue Shield
Booz Allen Hamilton
Boston Consulting
Cable & Wireless
Cablecom Media AG
Cablevision
CBS
Charter Communications
Cisco
CitiFinancial
City of Nashville
City of Tampa
Clemson University
Comcast Cable
Credit Suisse
Dow Chemical
EMC Corporation
Ericsson
Ernst and Young
Faurecia
Federal Express
Federal Reserve Bank
Fibercloud
Fiserv
Ford Motor Company
Foundstone
Gartner
Gates Foundation
General Dynamics
Gillette Deutschland GmbH
GTE
H&R Block
Harvard University
Hertz Corporation
ING Direct
IntelSat
J.D. Byrider
Johns Hopkins University
Kennedy Space Center
Kodak
Korea Telecom
Leggett and Platt
Level 3 Communications
Liz Claiborne
Lockheed Martin
Lucent
MasterCard
McDonald’s Restaurants
Microsoft
National Park Service
NCR
NEC
Nestle
New York Power Authority
New York Times
Nielsen Media Research
Nortel
Perot Systems Japan
Phillips Petroleum
Pricewaterhouse Coopers
Procter & Gamble
Sabre
Saks
San Francisco Intl. Airport
Siemens
Smart City Networks
Smith Barney
Smithsonian Institute
Sparkasse Hagen
Sprint
St. John’s University
Staples
Subaru
Supervalu
Swisscom AG
Symantec
Telecom Italia
Telenor
Texaco
The CDC
The Economist
Time Warner Cable
U.S. Air Force
University of Alaska
University of Kansas
University of Oklahoma
US Dept. Of Defense
US Postal Service
US Secret Service
Visa USA
Volvo
Williams Communications
Yahoo
For those, at least, you don’t have to install SolarWinds code on your server to use them. They’re endpoints for syslog. As long as your logs don’t contain secrets (they shouldn’t), then it’s not great but not terrible.
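The caveat in that comment, that the risk of a third-party syslog endpoint is bounded only if your logs carry no secrets, is the kind of thing worth checking mechanically before forwarding. The following is an added example, not code from the original thread or from SolarWinds: a small pre-forwarding filter that scans syslog lines for common secret shapes (key=value passwords and tokens, bearer tokens, and AWS access key IDs, chosen here as an illustrative set, not an exhaustive one) and either redacts them or drops the line. The sample log lines are constructed for the example.

```python
import re

# Constructed sample syslog lines for the example (not real traffic).
SAMPLE_LINES = [
    "<134>Dec 14 10:01:02 web01 app[123]: user=alice action=login status=ok",
    "<134>Dec 14 10:01:03 web01 app[123]: GET /api?token=abcdef0123456789abcdef0123456789 200",
    "<134>Dec 14 10:01:04 web01 app[123]: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig",
    "<134>Dec 14 10:01:05 db01 pg[55]: connect password=hunter2 db=prod",
    "<134>Dec 14 10:01:06 web01 app[123]: AKIAIOSFODNN7EXAMPLE used for s3 put",
]

# Illustrative secret patterns (assumption: this set is a starting point, not complete).
# The first pattern captures the key name so it survives redaction; the others have no groups.
PATTERNS = [
    ("kv_secret", re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)=([^\s&]+)")),
    ("bearer", re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def redact_line(line):
    """Return (redacted_line, findings) where findings lists the pattern names hit."""
    findings = []
    out = line
    for name, pat in PATTERNS:
        def _sub(m, name=name):
            findings.append(name)
            # Keep "key=" for key/value hits so the log line stays readable.
            if m.lastindex and m.lastindex >= 2:
                return f"{m.group(1)}=[REDACTED:{name}]"
            return f"[REDACTED:{name}]"
        out = pat.sub(_sub, out)
    return out, findings


def filter_for_forwarding(lines, mode="redact"):
    """Apply the policy before lines leave the host.

    mode="redact": forward every line with secrets masked.
    mode="drop":   forward only lines with no findings; quarantine the rest locally.
    Returns (forwarded_lines, dropped_lines).
    """
    forwarded, dropped = [], []
    for line in lines:
        cleaned, findings = redact_line(line)
        if findings and mode == "drop":
            dropped.append(line)       # keep the original locally for investigation
        else:
            forwarded.append(cleaned)  # never forward the raw line once a secret was seen
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = filter_for_forwarding(SAMPLE_LINES)
    for l in fwd:
        print(l)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
```

Run it on a sample of your own forwarder's input before enabling the endpoint; any hit is a bug in the application's logging, and the filter is a backstop, not the fix.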
Well, I don't see a real practical reason for keeping it secret.
If you look at the operating model of threat actors, even with the current hack, they have their targets and no one is going to say "hey, they have SolarWinds, let's hack them". Threat actors have their budget, limited time and goals. They could also find this information by other OSINT means. Even if they have it on that page, they still need to do their research.
Even if SolarWinds did not have a list on their page, they are so big that you can count them as an interesting target anyway. It is the same with Google and MSFT: you can safely assume that if you hack them, some of your targets will use some tools from those companies.
I mean security by obscurity is fine, but I don't see what kind of value it would bring in this scenario.
> Well, I don't see a real practical reason for keeping it secret.
Generally, you have to get a company's permission to use its name or logo as an endorsement. That agreement has stipulations, such as being revoked if the association could bring disrepute or reputational harm to the endorser.
I'm sure none of the companies on that list want their investors calling the IR to ask about whether this event is a material issue for the company.
I'm not a security person, but my first thought is that you're not trying to avoid "hey they have solar winds let's hack them," but rather "Hey, I want to attack Large Co., and a quick Google search says they run software from these 14 companies, so compromising any of those might get me in."
General reminder that your funny 404 page becomes instantly unfunny the second your tech department both publicly and catastrophically shits the bed: https://i.imgur.com/kNbScVH.png
If you see the range of offerings, it makes more sense, and doesn't sound as scary (or no more than if you saw a list of Microsoft customers, for example).