CISA directs federal agencies to disconnect Ivanti products by Friday midnight (cisa.gov)
97 points by tsujamin on Feb 1, 2024 | hide | past | favorite | 49 comments


More info in a directive from 1/14/24, https://www.cisa.gov/news-events/directives/ed-24-01-mitigat...:

> CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, hereafter referred to as “affected products.” Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.


> Agencies running the affected products must assume domain accounts associated with the affected products have been compromised.

This looks like a right shitshow.

Ross Anderson did a big group research "The Changing Cost of Cybercrime" [0]. I forget the number but it came out at several trillion.

After Solarwinds and the UK Horizon Post Office scandal I am wondering, how does cybercrime compare against simple incompetence and hopelessly broken software engineering? How can we measure that to see just how bad things really are?

[0] https://weis2019.econinfosec.org/wp-content/uploads/sites/6/...


question is cyclical because cyber crime doesn't exist without incompetence.

There's very little cyber crime that happens by bribing someone. Most of it is just walking past an open door.

> How can we measure that to see just how bad things really are?

hence, cost of incompetence = cost of all cybercrime + n.


Cyber crime definitely exists without incompetence.

Defense is a costly vast landscape compared to attacking. Sure, incompetence causes issues and majorly drives my blood pressure, but the problem doesn't go away if incompetence goes away.


> Defense is a costly vast landscape compared to attacking

Yes. But.

There are many defensive tactics that are not free but are cheap.

Keeping system software updated is one

https://infosec.exchange/@wdormann/111880313720252008


It's interesting when you put it that way.

In the Horizon case, and no doubt in many cases to come, the crime is committed by a company against the public. They tried to pass it off as incompetence, and blame "systems" but I expect the public enquiry will lead to criminal proceedings against Fujitsu now.

Big companies may laugh at fines for treating their customers badly, but I hope to see many more ruinously brought to book for their criminal incompetence.

> hence, cost of incompetence = cost of all cybercrime + n.

Where n is at least as large as the other part. Scary!


> There's very little cyber crime that happens by bribing someone

If competence was the norm the bribes, violence, etc. become the preferred tactics


This is a really excellent point.

Someone on Bruce Schneier's site noted that about the Anderson study... that the increase in cyber-crime perfectly tracks the decrease in street crime. As online fraud goes up, robberies go down.

If crime remains a constant then having shitty software security is a safety valve - and fixing computer security means physical crime would rise again.

Interesting hypothesis.


I don't think we can ever really "fix computer security" because there's so much software being written all the time by just about anyone and the demand keeps growing.

Hacking computers is usually just a means to an end: fraud or theft. Competence is more than just preventing hacks.


> I don't think we can ever really "fix computer security"

But we can do much better


This sort of implies the street criminals become cyber criminals, which seems to not be a matching skill set. Call me skeptical of the study I admittedly haven't read.


> This sort of implies the street criminals become cyber criminals,

Does it? I never considered that. It seems obvious to me that they aren't the same actual people.

We have more EV cars on the road displacing ICE vehicles, but that doesn't imply that the old cars "transformed" into electric ones.


You literally wrote "If crime remains a constant then having shitty software security is a safety valve" - so there is some implication, otherwise how would that work? Why would crime become constant? If these are two different groups of people, why don't we have an increase in both? This explanation seems too simplistic to me.


I can only respond to the part of your question that is coherent to me. The "how would that work?" part feels ill-formed and something I've already answered.

But "Why would crime become constant?" is very interesting. For that we turn to "criminology" [0,1]. Roughly, there are three "layers", biological, psychological and sociological. All of these are either fixed, or very slow and hard to change.

Indeed the biggest factors in "how much crime there is" are laws and reporting, how visible the crime is. Obviously we could make crime disappear overnight by declaring all behaviours legal. Really, the justice system can only absorb and respond to what the underlying social and economic conditions set.

Most crimes are resource motivated [2]. Violent crime makes headlines, ruins lives, changes votes and is generally undesirable. "Soft" crimes are less visible and have less impact, especially when they are against actors that are so immensely wealthy they do not even care (for example big-tech companies that see huge fines as simply the cost of doing business as usual)

When we have a fixed pool of criminal potential (set by these structural conditions), which would you choose as a new criminal entering the "market"?

And not surprisingly, Pew Research polls showed "violent and property crimes declined by 51% and 54%, respectively, between 1993 and 2018."

Therefore the hypothesis I was curious about was whether removing the opportunity for cyber crime (via better security) would have the unintended side effect of shifting crime back into physical robbery and theft with its attendant violence.

What do you think?

[0] https://www.britannica.com/science/criminology/Major-concept...

[1] https://en.wikipedia.org/wiki/Criminology

[2] https://online.maryville.edu/blog/types-of-crimes/


If I understand your point correctly (I'm trying to solve the "crime rate is constant but these are not the same people" conundrum), we assume there is a fixed pool of criminal potential, with some of these people inclined more to violent crime and others to soft crime, and today we have more favorable conditions toward the latter. If so, I'd arrive at the opposite conclusion: if, instead of removing the opportunity for cyber crime, we also relaxed laws related to violent crime, cyber crime wouldn't magically dwindle trying to stick to some magical constant, because even though the pool might be more or less stable, the types of people for both are mostly different.


So far no word on Ivanti's website about the CVE or exploit, or even a fix.

forcing CISA to walk out of the gate with a nuclear-option mitigation is pretty insulting to the corporations/governments that spend millions on this hokum each year to achieve certification or ATO.

then again SolarWinds was effectively crucified before their customers and somehow --unaccountably-- still manages to hold a 4.5 in the gartner ratings and enjoys widespread use still to this day in government and private industry.

it feels like security certification at this level is mostly a performative art.


Most Government and Corporate security / IT just aren't some awesome hacker or security analyst. Most just follow some corporate flow chart for security. I once worked at a company that allowed IE only as a browser for security reasons; eventually they allowed Chrome, but not Firefox, again for security reasons. Their reasoning was: Microsoft and Google are billion dollar companies. If you try and bring some solid open source software, well, where is the X certification? Even though just from using the corporate certified software for 10 seconds you can tell it's not good.


That is a reasonable argument about Chrome! That's not hokum; even some people who have worked on and are invested in the Firefox security and isolation model will concede that Chrome has historically had a material edge there, and it has been reflected in browser vulnerability prices (I don't want to cite the obvious chart here because I think the audience for that thing is message boards and not people working in the field, but it's directionally correct).

There's also the benefit of having one set of controls with respect to profiles and extensions.


You've been known for your hot takes past and present, but this one threw me for a curve.

Is there empirical data on this? I think many in the security industry believe this. I ironically use FF if we can accept personal beliefs since I believe people attack the Chrome sandbox as a badge of honor and I can use containers to isolate state to different personas. That said also anecdata bullshit take on my part.


(1) I think public exploit price lists are bullshit, and mostly about marketing, but directionally they consistently put Chrome >2x of Firefox. You can choose not to take that seriously.

(2) The fact that people attack Chrome as a badge of honor is a reason to use it, not to avoid it. It's why exploits for Firefox would be cheaper.

(3) I don't think my take is spicy at all? I haven't refreshed it in a few years, but when last I did, I don't think I talked to anybody on either side of browser security who felt that Firefox outclassed Chrome (I got a long, valuable Slack thread from a FF security person that I wish I'd saved that built a claim that FF was approaching parity with Chrome architecturally). I have spicy takes, to be sure, but I think I'm giving you a pretty mainstream take from software security land.

(4) Even if you believed Firefox and Chrome (or Chrome and Safari) were at parity, it makes a great deal of sense to standardize browsers, for the reasons I gave previously. The right way to think of your browser "fleet" is as multiple single points of failure; diversity isn't helping you at all. This is one of those "put all your eggs in one basket and guard it" situations.

I don't have any particular personal reason to love Chrome. I'm a Mac person, so I guess the best outcome for me would be for Safari to be perceived as the best browser. Certainly my batteries would last longer! Every couple of years I talk to people about what the landscape looks like; if I ever get different answers, I'll be sure to update my take.


Point made, I meant this take threw me for a curve (not that it this too was spicy), re your point 3. I didn't make that clear. I just know your other takes so I was being cute about it. I don't know you that well so 1-4 are valid, and I am famously not a Mac user in my personal life. I know I am full of anecdata and that shit doesn't matter, but I appreciate the detailed follow up to confirm: 616c, your choices are great but not so empirical, here is what I think.


> their reasoning was: Microsoft and Google are Billion dollar companies.

Did you ever see that written down. Or was it an assumption or rumour?

I ask because I specifically advise against that thinking and debunk the "big company = trustworthy" fallacy. But what I find is that actually there is appropriate low trust of US big-tech amongst the C level, but they are compelled to use Microsoft or whatever for non-technical/non-security reasons.


The list of 'approved' software vendors doesn't say it's because they're billion dollar companies, but if it's from a company on the list that's enough. No further vetting required.


It very much feels like a "no one ever got fired for buying IBM" type of scenario sometimes.


Yes indeed.

I think where this goes wrong is when Bob in purchasing confuses "can use this approved supplier" with "must use this supplier" and fails to notice said supplier is about to be bankrupted in court over a multi-billion security scandal, and goes ahead anyway.

Voila! We just bought a couple million IoT bricks and doorstops that will be in a landfill next week.


In this case, a financial company, yes the reasoning written down on the intranet was that they had the backing of billion dollar companies.


This. CYA by ticking the boxes.

We once had a city IT guy block our deployment because we were vulnerable to CVE-whatever - it turned out to be a minor vulnerability in the DuckDuckGo browser.


Certifications (and specifically paying to get certified) are about legally throwing liability on another party, because nobody wants to end up with the hot ball in their hands.

The assumption is that shit will or already has hit the fan, and the question is how to reduce your own liabilities as much as possible by throwing what you can on someone else.

Certifications were and are never about practical or literal security.


It reminds me of the old quote by Keynes:

> A sound banker, alas, is not one who foresees danger and avoids it. But one who, when he is ruined, is ruined in a conventional and orthodox way with his fellows, so that no-one can really blame him.


There is a forum post from a few weeks ago:

https://forums.ivanti.com/s/article/Recovery-Steps-Related-t...

(Linked from TFA)


It's on their website and has been for days. https://www.ivanti.com/blog/security-update-for-ivanti-conne... That latest update is a follow up from Jan 10


I heard CMMC 2.0 will fix everything in govcon.


Is this the same legacy product which used to be Pulse which used to be Juniper which used to be Netscreen?


Yes


isn't it ironic how crapware sold in the name of "security" effectively increases your attack surface?


By definition, everything installed increases your attack surface. The decision to use it or not should be a risk-based one considering the value of what you get from using the product against the additional exposure. Having a single, properly secured and managed VPN appliance is much better than many unmanaged or kinda-managed entry points into a network.


It's not VPN vs. no VPN. It's crapware like Ivanti and Zscaler vs. sane things like OpenVPN and WireGuard.


Maybe I've missed it (very likely), is there an enterprise-grade product that allows easy management of WireGuard or OpenVPN for say 20-30k users/endpoints and that integrates easily with Active Directory and a centralized MFA provider? Do these products provide support agreements?

To be fair, I have no love for Ivanti or Zscaler, but I do understand why companies choose them over some standalone, open source products.


Tailscale? Unless I'm misunderstanding the use-case (which I probably am)


Tailscale et al probably doesn't give kickbacks on large contracts like Ivanti et al do.


VPN is just a small part of what Zscaler does. It's a bunch of security related products.


Yes, but the VPN is the only useful part. The rest is what makes it crapware.


The rest is what companies need and pay money for. VPN is the door opener.


This is the question I heard constantly when I was working in IT.

You know what it led to? Us using trash like Ivanti and Solarwinds.


My advice tends to be using SASE things like AppProxy - you can have your less-than-stellar enterprise business apps exposed outside of the LAN without putting them up as a target on the public internet


While you are right, there is one pretty important additional point: the whole concept of a network entry point. Building this kind of security perimeter invariably leads to internal security becoming ignored and everything inside the network having some completely informal and random trust relationships with other devices in the network (and usually when that gets documented for the purposes of setting up internal firewalls you get three versions: what really happens, which is a subset of how the firewalls are configured, and then how that is documented).

And this kind of "Enterprise VPN with a bunch of buzzwords" product tends to be correlated with exactly this approach of totally ignoring what is inside the perimeter and replacing careful design of that with some other "Enterprise Endpoint Security Non-solution".
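The three-versions problem described above (what actually happens, what the firewalls permit, and what the documentation says) can be made visible by reconciling the three views against each other. The script below is an added example, not code from the original thread or from any vendor: it takes constructed sample flow records, a constructed list of configured firewall rules and a constructed list of documented rules, and reports flows no rule permits, rules nobody documented, and rules no observed flow ever exercised. All addresses, ports and rule names are made-up sample data.

```python
"""
Reconcile three views of internal network trust:
  observed  - flows actually seen (e.g. from NetFlow or firewall logs),
  configured - what the internal firewall rule base permits,
  documented - what the written policy claims is permitted.
Every input below is constructed sample data for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """A single allow rule: source CIDR -> destination CIDR on one TCP port."""
    src: str
    dst: str
    port: int

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.port == port)


# Constructed flow-log lines in the form "src_ip dst_ip dst_port".
SAMPLE_FLOWS = """
# src        dst        port
10.1.4.20    10.2.0.10  443
10.1.4.21    10.3.0.5   445
10.9.0.7     10.2.0.10  22
"""

# Constructed rule base: what the internal firewall is actually configured to allow.
CONFIGURED = [
    Rule("10.1.0.0/16", "10.2.0.0/24", 443),   # workstations -> web tier
    Rule("10.1.0.0/16", "10.3.0.0/24", 445),   # workstations -> file servers (never written down)
    Rule("10.5.0.0/24", "10.2.0.0/24", 5432),  # app tier -> database
]

# Constructed policy document: what the network diagram claims is allowed.
DOCUMENTED = [
    Rule("10.1.0.0/16", "10.2.0.0/24", 443),
    Rule("10.5.0.0/24", "10.2.0.0/24", 5432),
]


def parse_flows(text: str) -> set:
    """Parse 'src dst port' lines into a set of (src, dst, port) tuples."""
    flows = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.add((src, dst, int(port)))
    return flows


def reconcile(observed: set, configured: list, documented: list) -> dict:
    """Return the three gaps between what happens, what is allowed and what is written."""
    # Traffic that no configured rule explains: a bypass, a shadow path, or a logging bug.
    unpermitted_flows = {f for f in observed
                         if not any(r.matches(*f) for r in configured)}
    # Rules that exist on the box but not in the policy: informal trust relationships.
    undocumented_rules = [r for r in configured if r not in documented]
    # Rules nothing ever uses: candidates to remove to shrink the internal attack surface.
    unused_rules = [r for r in configured
                    if not any(r.matches(*f) for f in observed)]
    return {
        "unpermitted_flows": unpermitted_flows,
        "undocumented_rules": undocumented_rules,
        "unused_rules": unused_rules,
    }


if __name__ == "__main__":
    report = reconcile(parse_flows(SAMPLE_FLOWS), CONFIGURED, DOCUMENTED)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Each of the three lists maps to a different failure the comment describes: unpermitted flows mean the rule base is not the real perimeter, undocumented rules are the informal trust relationships that nobody reviews, and unused rules are standing permissions that only an attacker will ever exercise.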


Indeed. Always keep in mind that there is no such thing as computer security. The more computer you introduce, the less security you have. Period.


What is Ivanti Secure Access?

It is where you make administrative changes/adjustments for user access. It sits on your edge and controls what users connect to on the LAN. The "Ivanti Secure Access Client" is the client-side software used to create a VPN/L4 connection to the corporate network via the appliance (physical or virtual).


Ah, again Ivanti. Just like in 12/2023 and after. "Support your local ransomware group."



