Fun and games - hacking & China


Asleep at the wheel - from Ars Technica:

More US agencies potentially hacked, this time with Pulse Secure exploits
At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US Cybersecurity and Infrastructure Security Agency said on Friday.

The vulnerabilities in Pulse Connect Secure, a VPN that employees use to remotely connect to large networks, include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw, which Ivanti disclosed last week, carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it's installed.

Security firm FireEye said in a report published on the same day as the Ivanti disclosure that hackers linked to China spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zero-day vulnerability, tracked as CVE-2021-22893, was under active exploit.

No complex software is 100% bug free. Shit happens. Still, there is no reason they need to be relying on complex software for a simple task like establishing a Virtual Private Network and managing a decent level of encryption. There are plenty of established open source packages that do exactly that. Such software has been picked over with a fine-tooth comb and is secure. Creeping featuritis is catnip to bugs and exploits.

"Could you add just this one little feature"
      NO

Shit like this is why.


About this Entry

This page contains a single entry by DaveH published on May 5, 2021 8:41 PM.
