Vulnerabilities

Discussion:

From more than 100 million people hit by the staggering AT&T Snowflake storage account intrusion, to the latest marketing claims of AI coming to save our systems from attacks […]


On a somewhat (I believe) related note… I went to pick up the younger kid from summer practice the other day. I put the school into Google Maps; I know the route(s) very well, but there’s lots of construction in between, so one route might be better than another depending on what time it is etc. So imagine my surprise when the ostensible directions to the high school kept directing me to some random address much closer to our house, & in the wrong direction. I submitted a correction, “no, the high school is way over here,” & it accepted it right away. But the fact that Google allowed that kind of change in the first place suggests all kinds of possible shenanigans - some of it prankful (“now the County GOP is at the sewage treatment plant”), but some nefarious (“well, let’s move my ex’s therapist’s office over here…”).

A Crowdstrike update is crashing systems worldwide.

7 Likes

If this is a supply chain attack, then either the attacker messed up, or a bigger attack is under way.

I note that “Mac and Linux hosts are not affected”.

5 Likes

Jinx.

5 Likes

Great, those guys can pick up the slack!

5 Likes

It’s not an attack. My experience of their product is that they like to push frequently, and they aren’t always as stable as one would hope. It doesn’t break things often, and in theory system admins are supposed to stage updates to test them, but they come frequently enough that it takes some effort to keep up with them, and the people who are tasked with doing so, the Cybersecurity team, are typically the sort of folks who are trained to install patches first and ask questions later, so typically they just let everything through, test in prod, and let the sysads deal with the rest.

It’s always worked before.

You have ascribed to malice something which is more easily explainable by a simple cockup. A cockup in a single point of failure for many many many really large orgs across the planet.

You know how most things still work? We did.

(I don’t hold it against the Windows folks: it could just as easily have been Linux taken out, and I don’t even want to think about what could have happened then. It wasn’t the OS’s fault.)

3 Likes

I saw the “it’s not an attack” claims. OK. If it was an attack, it might look like this, depending on the attacker and the motives.

If I were looking for an attack vector, that would be exactly the type of habituation I would target.

2 Likes

If it were a supply side attack, then if I were exploiting it, I’d want to be installing a backdoor. The whole point of Crowdstrike Falcon is that it runs with as close to kernel level privs as possible, and if you have access at the management level, it’s trivial to run whatever you want as root/admin/whatever you like.

Turning it into a global DoS attack is impressive, but if you wanted to do real damage, you’d do damage, not something which can be fixed (as these things go) really quite simply.

If it was an attack, it was showy, but done in such a way as it can’t be done like that again.

I totally agree with habituating just installing everything as soon as it’s available as a problem, but I don’t think that’s an attacker’s fault, that’s something the Cybersecurity profession seems to have done to itself.

5 Likes

That’s because it’s become difficult, nigh impossible, to separate the detection portion and the function portion of updates now that these things have LLMs embedded, and detection updates require update engines; also, you have to install as quickly as possible, as the updates they push out are often for in-the-wild exploits and vulnerabilities…

heh, according to the furiously updating Wikipedia page on (all things) CrowdStrike, merely rebooting just gets you more rebooting. It’s suspected that a temporary cure amounts to: rebooting to secure mode, then a journey into the CrowdStrike system files and a deleting of one naughty little file… maybe. (oh, and maybe you want to try to sell your shares in CrowdStrike)

4 Likes