Static Credentials and SolarWinds
Kim Zetter’s excellent autopsy of the SolarWinds supply-chain attack gives a blow-by-blow dissection of both the attack and the discovery of the intrusion. As Ms. Zetter points out, the initial vulnerability that became the point of discovery was the sending of a one-time access code to credentialed devices, which led to the discovery of a rogue device masquerading as a phone. The hackers had used a program called Teardrop to steal account credentials to gain access to sensitive systems and email.
The underlying vulnerability, which the article does not explore, is the ever-present authenticating credential, which any hacker who gains access to it can exploit. This reminds me of the anonymous poem:
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
The operating assumption is that the exploitable authenticating credential is simply a fact of life that we must accept. That may have been true in the case of the SolarWinds supply-chain hack, but no longer. QWERX has eliminated this previously inherent vulnerability. QWERX QESP replaces the static, exchanged, stored credential with an ephemeral credential that is never exchanged or stored, is used only once, and is rotated as frequently as multiple times a second. QWERX QESP automatically rejects any attempt to insert a rogue device onto a network. QWERX QESP detects and rejects any attempt to misuse an authenticating credential.