We’re literally talking ../ directory traversal, no-security Perl scripts allowing writes, and vendor backdoors. These were problems when I began in the late 90s. These are easily solvable issues, too. Basic mitigations exist.
These products are huge in enterprise; just about every large org or gov uses them. It’s a genuinely huge issue. 2020 is going to be the year huge companies fall due to their vendors’ lack of responsibility and their customers’ lack of patching. Build better or buy better.
New conversation
Thankfully nobody has published working exploit code for the Palo Alto RCE yet I guess. I strongly suspect that a few groups have it given it didn't exactly take particularly long to recreate.
The Palo one looked quite complex to my tiny brain.
New conversation
Opinion: zero accountability makes for crap policy and remediation plans. They all knew, and they all acted like addressing those issues wasn’t a high enough priority. I didn’t get to work on all three of these, but I worked the FortiGate issue. Again, zero accountability.
I agree. There’s no accountability; there’s no check system where these vendors feel a financial balance for poor security. In an ideal world they should be putting out public blog posts saying what extra security mitigations they are investing in for their products.
New conversation
Would be interesting to see how these were also implemented on the victims’ networks, i.e. VPN straight into a flat network? Or VPN into some sort of DMZ? etc. #defenceindepth
I’ve only ever seen VPN into a proper DMZ once (at Crabbers as I implemented it) with proper firewall rules restricting access. Loads of orgs just bang these boxes in, I suspect.
New conversation
It's especially bad when the security companies get it wrong.
It feels a bit minimum viable product. The issue I have is these orgs have generally been around a LONG time, and they’re everywhere and highly profitable. There needs to be a balance so they make more secure products.