[HN Gopher] MOVEit body count closes in on 400 orgs, 20M+ indivi...
___________________________________________________________________
MOVEit body count closes in on 400 orgs, 20M+ individuals
Author : LinuxBender
Score : 62 points
Date : 2023-07-23 13:52 UTC (9 hours ago)
(HTM) web link (www.theregister.com)
(TXT) w3m dump (www.theregister.com)
| jeroenhd wrote:
| > The May 31 bug - a SQL injection vulnerability - was the first.
| Progress patched this one, tracked as CVE-2023-34362, the next
| day. A second bug, CVE-2023-35036, came to light on June 9, and
| was also patched the next day.
|
| > Progress disclosed a third hole, CVE-2023-35708, on June 15.
|
| > Finally (we hope), three additional vulnerabilities -
| CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933 - were spotted
| and fixed on July 5.
|
| It seems like fixes came out the same day or the day after the
| problems were discovered. Yet an estimated 23% of customers are
| still vulnerable to the recent CVEs.
|
| It seems to me that there's more going on than just shitty
| security practices by Progress Software, as reported on by this
| article. The fixes are out, the problems are known, and the fixes
| are available.
| IronWolve wrote:
| Over and over, so much middleware software is abandoned due to
| the high level of customization and expense to replace it.
| Everyone knows old databases still being kept around, a spaghetti
| mix of highly configured software packages/vendors nobody wants
| to touch or pay to get replaced.
|
| And the high expense of contractors to customize and migrate,
| keeps the legacy tech debt around.
|
| But that is also what keeps an entire industry making money, and
| many legacy mom/pop shops employed for decades.
| throwaway894345 wrote:
| SQL injection is super trivial to prevent, right? How are we
| still falling for this? Is there any compliance audit regime that
| would catch this (presumably DoE has some pretty strict
| compliance protocols?), or is all compliance stuff just security
| theater?
| johntiger1 wrote:
| Unfortunately with security exploits, you're looking for the
| weakest link in a chain of X million people. All you need is
| one careless dev/analyst and you get compromised
| throwaway894345 wrote:
| That makes sense, but the aerospace industry seems to be able
| to solve for sloppy devs. Why can't we secure our national
| infrastructure similarly? (To be clear, I don't think we need
| aerospace-grade correctness for every piece of DoE software,
| but surely we can solve for low hanging fruit like "SQL
| injection attacks")
| Dalewyn wrote:
| >SQL injection is super trivial to prevent, right? How are we
| still falling for this?
|
| Because the bug is super trivial to fix, it's also super
| trivial to do. Not to mention, the human mind is naturally
| inclined to not care about trivial stuff, which leads to
| careless mistakes at many levels and thus Bobby Tables dropped
| out of school.
| dontlaugh wrote:
| In most environments, it's more effort to interpolate values
| into queries than to use parameters.
| magicalhippo wrote:
| Not only more effort, but also the only way in certain
| cases as not everything supports parameterization. The IN
| operator for example is one where we fall back to string
| interpolation, though not directly with user values.
| silon42 wrote:
| Huh, no?
|
| It's very easy to do it incorrectly.
|
| It's at best equal... unless there is some SQL
| driver/client somewhere that disallows hardcoded strings
| everywhere (that would actually really help).
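The three comments above (interpolation versus parameters, the IN-operator case where the value list cannot be bound as a single parameter, and the ease of doing it incorrectly) are illustrated by the following added example. It is not code from the thread, from Progress, or from MOVEit; it uses Python's standard sqlite3 module against a constructed in-memory table, and the function and table names are the example's own.

```python
"""
Added example: string interpolation beside bound parameters in sqlite3,
plus the IN-operator case handled by generating one placeholder per value.
The table, rows and inputs below are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny per-user file inventory.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "report.pdf"), ("alice", "notes.txt"), ("bob", "secret.docx")],
    )
    conn.commit()
    return conn


def files_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> list[str]:
    # The pattern the thread calls "trivial to do": the caller's string is
    # spliced into the statement text, so quotes inside it rewrite the query.
    sql = f"SELECT name FROM files WHERE owner = '{owner}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def files_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    # Bound parameter: the value travels separately from the statement text,
    # so whatever characters it contains, it is only ever compared as data.
    sql = "SELECT name FROM files WHERE owner = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (owner,))]


def files_for_owners_safe(conn: sqlite3.Connection, owners: list[str]) -> list[str]:
    # The IN-operator case from the thread: a list cannot be bound as one
    # parameter, so the only thing interpolated is the *count* of
    # placeholders; every value is still passed as a bound parameter.
    if not owners:
        return []
    placeholders = ",".join("?" * len(owners))
    sql = f"SELECT name FROM files WHERE owner IN ({placeholders}) ORDER BY name"
    return [row[0] for row in conn.execute(sql, tuple(owners))]


if __name__ == "__main__":
    db = make_db()
    # A constructed tautology input shows the difference between the two paths.
    probe = "' OR '1'='1"
    print("unsafe :", files_for_owner_unsafe(db, probe))   # every row leaks
    print("safe   :", files_for_owner_safe(db, probe))     # no such owner
    print("IN list:", files_for_owners_safe(db, ["alice", "bob"]))
```

The IN-list helper is the generalization magicalhippo describes: the statement shape varies with the number of values, but user-controlled bytes never enter the SQL text. Note that some databases cap the number of bound parameters per statement, so very long lists still need chunking or a temporary table rather than a fallback to interpolation.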
| perlgeek wrote:
| Basically all these file transfer solutions are crap, from a
| quality and security perspective.
|
| Procurement works by ticking off features of a list, possibly
| comparing prices. Quality and security are hard to quantify,
| and often cannot really be assessed by the purchase managers
| themselves, so they don't play a major role in purchasing
| decisions.
|
| Thus, vendors aren't really incentivized to make robust,
| reliable and secure software, they are incentivized to sell
| their software.
| badrabbit wrote:
| That aside, a WAF would have stopped this.
| brrtbrrt wrote:
| [dead]
| social_quotient wrote:
| Side note: The use of the term "body count" here is a bit
| cringey. It's either insensitive to human suffering or bro click
| bait.
|
| Do others agree or am I being hyperbolic?
| hollerith wrote:
| I agree.
| Gimpei wrote:
| I can't see how anyone is harmed by this usage. Seems more
| hyperbolic to me, or rather obsessive compulsive, which I say
| as someone who has struggled with OCD in the past. The impulse
| to constantly monitor and revise the minutiae of language for
| the slightest whiff of offense seems unhealthy to me, but maybe
| that's just because of my predispositions.
| [deleted]
| paulddraper wrote:
| Seems unclear.
|
| Did the victims die?
| tekla wrote:
| Hyperbolic
| pnw wrote:
| The Register has always had very click bait titles. It's like
| The Sun but for tech.
| sebazzz wrote:
| Imagine that some LLM starts to communicate body counts due to
| these types of writings.
| SkyMarshal wrote:
| It's not the clearest title, but it's taken directly from the
| original source who seem to assume the reader has been
| following their reporting on it and know what it means.
| shrubble wrote:
| Body count has different connotations depending on context, but
| in the sense of "compromised information about a person" I have
| never come across this usage previously.
| mrweasel wrote:
| Agree, but it's The Register, they've always had a pretty
| unique and mostly humorous writing style. Not too dissimilar to
| The Economist, but leaning slightly more into the humor.
| adhesive_wombat wrote:
| It's a riff on British tabloid headlines, which will squeeze
| a pun, tortured analogy or a breathless overstatement into
| literally everything. The original clickbait before there
| were clicks involved.
| thomastjeffery wrote:
| I was definitely less able to comprehend the title, because it
| implied a very different context than the actual subject
| matter.
|
| It would have been much more readable to write "victim count".
| mattnewton wrote:
| Not hyperbolic, the title is very charged and I had to reread
| the opening paragraph multiple times to make sure I wasn't
| missing who died.
| 23B1 wrote:
| It's safe to say that headlines and headline writers (usually
| editors) are some of the biggest contributors to the culture
| wars and all-up dishonesty in modern discourse.
|
| If you think about it, it was inevitable when incentives became
| more aligned with quick 'hot takes' and volume over
| signal/noise ratio.
|
| The darkpattern of our times.
| d11z wrote:
| Especially since many (most?) don't even bother reading past
| the headline.
| 23B1 wrote:
| ...and strangely, even quality sites like HN take the given
| headline instead of the lede. Some subreddits have a way to
| indicate 'misleading headline' - could be a great feature
| across all consolidators/curatorial social media.
| Natsu wrote:
| The mods here do sometimes change sufficiently misleading
| headlines, but that takes time and getting their
| attention.
| 23B1 wrote:
| Which is good, but it almost feels like it should be a UX
| convention at this point. Of course, that'll be abused as
| well. Remember eTrust badges? :'D
| projektfu wrote:
| I read "body count 400+ orgs" and thought that so many
| companies had been put out of business, didn't notice the
| individuals part too. Not knowing what MOVEit is, I assumed it
| was some kind of boycott. Kind of surprised that it meant that
| 400 organizations and possibly 20 million customers' data
| exposed. Definitely bad wording for the headline.
|
| Of course, it's the Register, they try to be clever with every
| headline.
| PedroBatista wrote:
| Are you carefully analyzing a title from the El Reg?
|
| Would you say it's "problematic"? :)
|
| Funny and "cringey" titles are a staple of the Register since
| the beginning.
| LinuxBender wrote:
| I read it as another derivation of _victims_ with an emphasis
| on the human impact. I am just guessing but they probably used
| that wording as so many sites are hacked every week we probably
| don't associate it with the human suffering _in terms of
| financial, job losses and data leakage leading to more
| financial losses_ it can cause especially when so many
| businesses are exposed by a significant vulnerability. I don't
| know if Jessica [1] has an account here but their email is
| listed.
|
| [1] - https://www.theregister.com/Author/Jessica-Lyons-Hardcastle
| darkclouds wrote:
| > Despite being one of the compromised companies, the TJX
| spokesperson added: "We do not believe there was any unauthorized
| access to any customer or associate personal information on TJX's
| systems or any material impact to TJX."
|
| I love how legislators have upped the ante for (big) businesses
| to survive, to the point some will appear to perjure themselves
| in public as the lesser evil.
| https://gdpr-info.eu/issues/fines-penalties/#:~:text=For%20e....
|
| However, are legislators trying to kill the golden goose, has the
| money printing exercise called quantitative easing given them an
| unfounded level of hubris for their central bank purchased
| national debt?
| ackondro wrote:
| I'm not saying this is how it happened, but this is why they
| may be able to say that. When working with similarly sized
| companies, I am required to encrypt the files (PGP zip) and
| transmit over a secure encrypted channel (SFTP). Normally,
| those companies will use a feature of Moveit to automatically
| do the PGP encryption/decryption.
|
| However, TJX could have written their security policy such that
| their Moveit server was not allowed to use that feature, so
| they used a different piece of software to do the
| encrypt/decrypt outside of Moveit. Thus, hacking the TJX server
| would only get a bunch of unencrypted reports and encrypted
| files with personal info in them. Again, I'm not saying this
| was what actually happened.
| KyleSanderson wrote:
| The thing that's missing from the article is that they did no
| security advisory announcement for the July 5th release (they
| have a mailing list), and instead hid it in a service pack.
| Overall just terrible behaviour around security.
| nerdchum wrote:
| Louisiana's ENTIRE DMV records were compromised. Basically the
| entire state.
|
| Every single aspect of a person's confidential info.
|
| Everything from SSN to eye and hair color.
| cratermoon wrote:
| Aren't monocultures great? Remember back 20 years ago, when a
| dumb VBScript macro virus like Melissa or ILOVEYOU could spread
| across the entire ecosystem in a couple of days?
| formerly_proven wrote:
| Remember back a few weeks ago, when a single compromised
| Microsoft key allowed anyone to read everyone's mails?
| h2odragon wrote:
| or "Code Red" melting down the whole net for a day and a half
| with propagation traffic
| waihtis wrote:
| Seems we've finally entered the era people were expecting in late
| 2020 - i.e. that Russian and US diplomatic ties being vaporized
| would lead into open mass exploitation of vulnerable US infra
| fullspectrumdev wrote:
| The Cl0p group have been doing mass exploitation of MFT products
| globally for quite a while; MOVEit is just their latest one.
___________________________________________________________________
(page generated 2023-07-23 23:02 UTC)