Before Ransomware Attack, Kaseya Was Warned of 'Critical' Security Flaws, Ex-Employees Say (engadget.com) 22
"The giant ransomware attack against Kaseya might have been entirely avoidable," writes Engadget:
Former staff talking to Bloomberg claim they warned executives of "critical" security flaws in Kaseya's products several times between 2017 and 2020, but that the company didn't truly address them... Employees reportedly complained that Kaseya was using old code, implemented poor encryption and even failed to routinely patch software. The company's Virtual System Administrator, the remote maintenance tool that fell prey to ransomware, was supposedly rife with enough problems that workers wanted the software replaced.
One employee claimed he was fired two weeks after sending executives a 40-page briefing on security problems. Others simply left in frustration with a seeming focus on new features and releases instead of fixing basic issues. Kaseya also laid off some employees in 2018 in favor of outsourcing work to Belarus, which some staff considered a security risk given local leaders' partnerships with the Russian government.
Kaseya has declined to comment...
The company's software was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy.
Engadget adds the Kaseya's software "was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy."
One employee claimed he was fired two weeks after sending executives a 40-page briefing on security problems. Others simply left in frustration with a seeming focus on new features and releases instead of fixing basic issues. Kaseya also laid off some employees in 2018 in favor of outsourcing work to Belarus, which some staff considered a security risk given local leaders' partnerships with the Russian government.
Kaseya has declined to comment...
The company's software was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy.
Engadget adds the Kaseya's software "was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn't significantly rethink its security strategy."
Yeah, "Managed Security Providers" are a thing... (Score:3)
So a company gets set up to provide "managed security" and does a crappy job. How is this a surprise?
Someone obviously said "We'll just to set up a company for the sole purpose of taking the customers' money. All we have to do is promise security and LOOK good for a while. When this all goes pear-shaped, we transfer the capital offshore and head for the hills. Screw the customers and the staff."
Caveat emptor.
Re: (Score:2)
Indeed. The thing is managed security is only cheaper than in-house, if you do generic things and as little company specific stuff as possible. And even then, it is a stretch. Apparently these fuckers decided on the side of better profits a few times too often.
Re:Yeah, "Managed Security Providers" are a thing. (Score:5, Insightful)
So a company gets set up to provide "managed security" and does a crappy job. How is this a surprise?
Same reason anything should be a surprise when you pay someone to do something. Or do you expect for every single thing you pay for to be done incorrectly. If you get your car serviced and the mechanic fucks it up, do you say "oh well, that's what happens when you get a car service, it comes back fucked up". Or do you go back angrily because you didn't get what you paid for?
The world is full of expertise. Rather than saying "how is this a surprise", let's call out bullshit and fraud when we see it, sue the fuckers into oblivion so that others don't peddle the same ineptitude masked as expertise.
Re: (Score:2)
It's called business. The difference between how much you spend on security and how much you sell that security for, that's called profit and profit first, last and everything in-between, until they are busted because no one trusts them any more because they were too greedy and pushed for to big a gap between how much they were spending on security and how much they were selling that security for.
It is quite clear they can not be trusted and any corporation that deals with them is stupid and likely just goi
disincentivize bad security (Score:5, Interesting)
Experts have known for years that it's a bad idea to connect SCADA or equivalent control systems to internet-connected networks. But executives keep doing it, because it doesn't affect the one bottom line they really care about, which is their own personal salary.
So obviously that will be the most effective lever to influence behavior. Start with disincentives to connecting critical infrastructure to the internet. Same for paying ransoms. Probably the way to do it is to put a personal fine on the C-executive responsible for IT security bad outcomes. That will change behavior pretty quick.
A more indirect route would be with payment with bonuses and company options, requiring a longer delay before exercise. If an executive gets a bonus for corners cut during this quarter, they'll take them all day long. If they get a bonus based on the health of the company in 5 or 10 years, they'll do a lot more thinking about long term risks.
Re:disincentivize bad security (Score:5, Insightful)
I think all these bad practices just need to generally be classified as gross negligence attributed to the CEO and CTO (and maybe CISO, but only after the other two) and come with automatic personal liability, even if they created that mess some tome ago and are not with the company anymore.
Re: (Score:2)
I think all these bad practices just need to generally be classified as gross negligence attributed to the CEO and CTO (and maybe CISO, but only after the other two) and come with automatic personal liability, even if they created that mess some tome ago and are not with the company anymore.
Methinks your Freudian slip is showing. :)
But seriously, it's a messy thing. Software project managers, supervisors, etc., are often the ones pushing things out the door before they're ready to be shipped. Makes me think of the 737MAX MCAS software, and the layers of management who pretty much trusted the lower layers, rather than require engineering reviews. Okay, I'm speculating a bit, but a few engineers and test pilots tried to complain, so obviously there was no path to success for whistleblowers.
Re: (Score:2)
I know it is messy, from all angles. But unless somebody with enough power hangs (figuratively) if it goes wrong _unless_ they can prove they respected the state-of-the art, had independent reviews, used competent personnel and adequate processes _and_ it was really unlikely bad luck, nothing is going to change. There is a reason that, for example, only a qualified engineer may to the math for a bridge, no matter what time and cost pressure is there. And said engineer will be in deep shit if the bridge coll
Re: (Score:2)
Not lynchings, hangings.
There once was a time when if:
The banker raped your's and other folk's daughter(s), sons(s), wive()s), and sheep and then ran out of town with your money
The railroad poisoned your wells to buy your property at desperation prices.
Out of town mining interests destroyed the local watershed with silting and heavy metal poisoning
Pitted neighbor against neighbor for profit
You all got together and called the U.S. Marshal and engaged the fed
Screwups. (Score:3)
One employee claimed he was fired two weeks after sending executives a 40-page briefing on security problems. Others simply left in frustration with a seeming focus on new features and releases instead of fixing basic issues. Kaseya also laid off some employees in 2018 in favor of outsourcing work to Belarus, which some staff considered a security risk given local leaders' partnerships with the Russian government.
In other words another day in the life of IT. This could be any kind of technology, local, remote, whatever and someone would have screwed it up.
Re: (Score:2)
If you ran one of the reported 200 companies affected by the Kaseya attack (that is the number quoted in the Engadget article), then news of a detailed report on issues would be discoverable in the event that you decided to sue Kaseya for negligence, breach of contract, wilful neglect, anything your legal team could throw at them.
Certainly the reputation all damage this event has caused will likely be a pretty devastating blow to their business but if there is any justice, a cl
After running several simulations (Score:3)
I estimate that exactly 0 executives will be held responsible for incompetence.
Belarus? (Score:3)
Re: (Score:2)
Sue the company (Score:2)
The way to get executives to pay attention to these issues is to ensure the company has to pay out for its mistakes. This makes the topic visible. When British Airways got fined for a data breach under GDPR, it was large enough to put the subject on the agenda of big companies' boards. Let hope someone is able to have a similar effect here.
https://www.theguardian.com/bu... [theguardian.com]
"outsourcing work to Belarus" ??? (Score:1)
Re: (Score:2)
russian keyboard layout (Score:1)
Unpatched? (Score:3)
How the hell does that happen?
Who to blame? (Score:1)
Sadly, MOST ransomware attacks can be avoided, if the following didn't happen:
1. General user ignorance -- not paying attention to details or not having an adequate distrust of anything public (e.g. websites),
2. Unnecessary technology -- emails do not have to be pretty to be functional (the fact that everything has to be HTML compounds the matter because links are hidden),
3. Crappy software/system development practices -- (GIGO) most developers don't check their work, either because of lack of skill/experie
Class Action? (Score:2)