Breach of F5 requires “emergency action” from BIG-IP users, feds warn

EricM2

Ars Centurion
375
Subscriptor
I believe Vodafone use F5. Interesting that their entire UK data network (broadband and mobile) with 18M customers went down yesterday for about 3 hours.

Their netblock just went offline, apparently due to BGP.

Massive hack or jr dev vibe coding live. Who knows these days?
Installing another firewall in front of their F5s?
 
Upvote
39 (39 / 0)

Fatesrider

Ars Legatus Legionis
25,484
Subscriptor
F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a “long-term.” Security researchers who have responded to similar intrusions in the past took the language to mean the hackers were inside the F5 network for years.
For years, huh? Seems to me this kind of discovery is more and more common. It's ALMOST as if these companies set up things, and then don't look in the right directions to detect intrusions ever again. There's always some blind spot where people think, "Naw, they'd never be able to do that!", and ultimately, that's where they find out how wrong that assumption was.

Once again, the weak link is Dave, but corporate policy or perhaps security training and education, played a role, too.

Howsoever it's parsed, it's just another day that ends in a Y. After all, people catch fish every day. This is just a bigger one than normal.
 
Upvote
28 (36 / -8)

akial

Wise, Aged Ars Veteran
102
For years, huh? Seems to me this kind of discovery is more and more common. It's ALMOST as if these companies set up things, and then don't look in the right directions to detect intrusions ever again. There's always some blind spot where people think, "Naw, they'd never be able to do that!", and ultimately, that's where they find out how wrong that assumption was.

Once again, the weak link is Dave, but corporate policy or perhaps security training and education, played a role, too.

Howsoever it's parsed, it's just another day that ends in a Y. After all, people catch fish every day. This is just a bigger one than normal.
It's tough to argue that you should budget someone auditing stuff routinely when he doesn't find any problems ever. You can say "what if one day he does find a problem" and the exec can say "what if he never does and we spent all these resources for nothing".

I've tried all kinds of responses to that, but never found anything that works reliably. To them I seem paranoid and not respectful of the bottom line. I can link a hundred articles like this and they'll just scoff and say "pfft they probably suck, not like THIS outfit!!!"
 
Upvote
136 (138 / -2)

Leaping Gnome

Ars Tribunus Angusticlavius
9,503
Subscriptor
When are we going to start treating cyber attacks as actual attacks? And when are we going to start holding these companies accountable? I hope all of their customers sue them or they get fined so big they go under. Maybe then security will become an actual priority for vendors and not just checkbox lip service. And they must have known about this for a while and not alerted their customers if they were ready to show that multiple other companies had already done audits and certifications about the breach.
 
Upvote
73 (79 / -6)

Frodo Douchebaggins

Ars Legatus Legionis
12,175
Subscriptor
It's tough to argue that you should budget someone auditing stuff routinely when he doesn't find any problems ever. You can say "what if one day he does find a problem" and the exec can say "what if he never does and we spent all these resources for nothing".

I've tried all kinds of responses to that, but never found anything that works reliably. To them I seem paranoid and not respectful of the bottom line. I can link a hundred articles like this and they'll just scoff and say "pfft they probably suck, not like THIS outfit!!!"

I can tell you pretty confidently, based on my n=1 experience, that saying "The man with a golden parachute telling the people he saddled with backpacks full of plutonium not to worry doesn't actually stop them from worrying" isn't helpful.
 
Upvote
65 (65 / 0)

dzid

Ars Centurion
3,373
Subscriptor
It's tough to argue that you should budget someone auditing stuff routinely when he doesn't find any problems ever. You can say "what if one day he does find a problem" and the exec can say "what if he never does and we spent all these resources for nothing".

I've tried all kinds of responses to that, but never found anything that works reliably. To them I seem paranoid and not respectful of the bottom line. I can link a hundred articles like this and they'll just scoff and say "pfft they probably suck, not like THIS outfit!!!"
What if he never does? It's money well spent. Yeah, I know that's not going to fly with the execs, but it's still true.
 
Upvote
11 (16 / -5)

Bigdoinks

Ars Scholae Palatinae
1,019
CISA has ordered all federal agencies it oversees to immediately take inventory of all BIG-IP devices in networks they run or in networks that outside providers run on their behalf.
Uh oh, hopefully Trump and Republicans didn't fire all the people responsible for implementing these fixes, right?
...Right?
 
Upvote
82 (88 / -6)
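The CISA directive quoted above boils down to a practical task: find every BIG-IP in your estate, including ones nobody put in the CMDB. As an added example (not from the article, CISA or F5), the script below fingerprints BIG-IP from HTTP responses you have already captured from your own hosts and decodes the classic BIG-IP persistence cookie, which leaks the pool member behind the device. The sample responses are constructed, not real captures; the Server-header and BIGipServer-cookie checks are heuristics, so a host with no indicator is "unknown", not "clean", and on newer releases the persistence cookie may be encrypted, in which case the decoder returns nothing.

```python
import ipaddress
import re
import struct

# Constructed sample responses from a hypothetical internal sweep (not real captures).
SAMPLE_RESPONSES = {
    "10.0.0.5": (
        "HTTP/1.1 200 OK\r\n"
        "Server: BigIP\r\n"
        "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "10.0.0.6": (
        "HTTP/1.1 302 Found\r\n"
        "Server: nginx\r\n"
        "Location: https://10.0.0.6/login\r\n\r\n"
    ),
    "10.0.0.7": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Set-Cookie: BIGipServer~Common~app_pool=16885952.47873.0000; path=/\r\n\r\n"
    ),
}

COOKIE_RE = re.compile(r"BIGipServer[^=;]*=(\d+)\.(\d+)\.(\d+)")


def parse_headers(raw):
    """Split a raw HTTP response into a lower-cased header -> [values] map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def decode_bigip_cookie(value):
    """Decode the unencrypted IPv4 form 'ip.port.0000' of a BIGipServer cookie.

    The IP is stored as a little-endian 32-bit integer and the port as a
    little-endian 16-bit integer. Returns (ip, port) or None if the value is
    not in that form (encrypted or IPv6-style cookies are not handled here).
    """
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    ip_int, port_int = int(parts[0]), int(parts[1])
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_int)))
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def bigip_indicators(raw):
    """Return heuristic indicators that a response came through a BIG-IP."""
    headers = parse_headers(raw)
    indicators = []
    for server in headers.get("server", []):
        if server.lower().replace("-", "") == "bigip":
            indicators.append("server-header")
    for cookie in headers.get("set-cookie", []):
        if COOKIE_RE.search(cookie):
            indicators.append("bigipserver-cookie")
    return indicators


def inventory(responses):
    """Map host -> indicators and decoded backends for hosts that look like BIG-IP."""
    found = {}
    for host, raw in responses.items():
        indicators = bigip_indicators(raw)
        if not indicators:
            continue  # unknown, not proven clean; verify by other means
        backends = []
        for cookie in parse_headers(raw).get("set-cookie", []):
            m = COOKIE_RE.search(cookie)
            if m:
                decoded = decode_bigip_cookie(".".join(m.groups()))
                if decoded:
                    backends.append(decoded)
        found[host] = {"indicators": indicators, "backends": backends}
    return found


if __name__ == "__main__":
    for host, info in inventory(SAMPLE_RESPONSES).items():
        print(host, info)
```

Run it against responses you collected yourself from hosts you are authorised to probe; hosts flagged here go onto the list CISA is asking for, and the decoded pool members tell you which application servers sit behind each device. The cookie decoding is deterministic, so the same helper can be used in a SIEM enrichment to spot BIG-IP in proxy logs you already have.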

plugh

Ars Scholae Palatinae
603
Subscriptor++
It's tough to argue that you should budget someone auditing stuff routinely when he doesn't find any problems ever. You can say "what if one day he does find a problem" and the exec can say "what if he never does and we spent all these resources for nothing".

I've tried all kinds of responses to that, but never found anything that works reliably. To them I seem paranoid and not respectful of the bottom line. I can link a hundred articles like this and they'll just scoff and say "pfft they probably suck, not like THIS outfit!!!"
I don't know if it will work, but I'd try focusing on the risk. What will it cost the company if we're breached while we're not looking? What if we're breached and we don't find out until our customers tell us? Maybe discuss it while a risk management person happens to be within earshot...
 
Upvote
26 (26 / 0)

dcook32p

Ars Scholae Palatinae
1,095
According to their website they discovered this breach in AUGUST, and are just now bothering to inform customers.
According to a Bleeping Computer article, it's due to the government asking them to hold off.

"F5 notes that it delayed the public disclosure of the incident at the U.S. government's request, presumably to allow enough time to secure critical systems."
 
Upvote
99 (99 / 0)

Frodo Douchebaggins

Ars Legatus Legionis
12,175
Subscriptor
According to a Bleeping Computer article, it's due to the government asking them to hold off.

"F5 notes that it delayed the public disclosure of the incident at the U.S. government's request, presumably to allow enough time to secure critical systems."

or, less charitably, to allow them time to finish what they were doing in there…
 
Upvote
56 (59 / -3)
It's tough to argue that you should budget someone auditing stuff routinely when he doesn't find any problems ever. You can say "what if one day he does find a problem" and the exec can say "what if he never does and we spent all these resources for nothing".

I've tried all kinds of responses to that, but never found anything that works reliably. To them I seem paranoid and not respectful of the bottom line. I can link a hundred articles like this and they'll just scoff and say "pfft they probably suck, not like THIS outfit!!!"
"Our defense has to be perfect. 'Their' offense only has to be lucky."

Or maybe "There are tons of smart people at [COMPANY] too. It only takes one mistake or overlooked threat vector to end up like them."
 
Upvote
25 (26 / -1)
It's tough to argue that you should budget someone auditing stuff routinely when he doesn't find any problems ever. You can say "what if one day he does find a problem" and the exec can say "what if he never does and we spent all these resources for nothing".

I've tried all kinds of responses to that, but never found anything that works reliably. To them I seem paranoid and not respectful of the bottom line. I can link a hundred articles like this and they'll just scoff and say "pfft they probably suck, not like THIS outfit!!!"
Ask your exec if they have home insurance, life insurance, disability insurance, auto insurance, boat/yacht/aircraft insurance or any other insurance. Be sure to keep mentioning insurance after each example. If they say yes to one or more, then build your argument from there, starting with why are you paying for insurance if you are never going to need it! If he says no to all, then he's either lying, such a risk taker that you have no hope, or so wealthy that . He might be self-bonded for some insurance but probably not all.
 
Upvote
57 (58 / -1)

multimediavt

Ars Scholae Palatinae
1,275
It's tough to argue that you should budget someone auditing stuff routinely when he doesn't find any problems ever. You can say "what if one day he does find a problem" and the exec can say "what if he never does and we spent all these resources for nothing".

I've tried all kinds of responses to that, but never found anything that works reliably. To them I seem paranoid and not respectful of the bottom line. I can link a hundred articles like this and they'll just scoff and say "pfft they probably suck, not like THIS outfit!!!"
Remind them the same things can be said about internal legal and accounting resources. Most of the time there aren't irregularities that warrant the high salaries of a J.D. or C.P.A., but when the fit hits the shan they sure are good to have around, aren't they?
 
Upvote
30 (30 / 0)

Tracking turtle

Smack-Fu Master, in training
67
It's tough to argue that you should budget someone auditing stuff routinely when he doesn't find any problems ever. You can say "what if one day he does find a problem" and the exec can say "what if he never does and we spent all these resources for nothing".

I've tried all kinds of responses to that, but never found anything that works reliably. To them I seem paranoid and not respectful of the bottom line. I can link a hundred articles like this and they'll just scoff and say "pfft they probably suck, not like THIS outfit!!!"
Well, why buy insurance if you never have a theft, fire, accident, medical emergency, ... ? Because if you don't buy it, and something bad happens, you will suffer a lot more. Same goes for security.
 
Upvote
25 (25 / 0)
The government contracts experts from private enterprise because they don't have experts.
That's just what the Republicans and big business want you to think. They want you to think the only "economical" solution is to constantly pay them exorbitant contracting fees instead of maintaining internal expertise.
 
Upvote
54 (58 / -4)

ricerocket

Wise, Aged Ars Veteran
143
Ask your exec if they have home insurance, life insurance, disability insurance, auto insurance, boat/yacht/aircraft insurance or any other insurance. Be sure to keep mentioning insurance after each example. If they say yes to one or more, then build your argument from there, starting with why are you paying for insurance if you are never going to need it! If he says no to all, then he's either lying, such a risk taker that you have no hope, or so wealthy that . He might be self-bonded for some insurance but probably not all.
It's easy to say but in reality for most companies, cyber security is an afterthought. It's a budget that constantly needs to be fought for. If a type of insurance is not required will people get it? Most likely not.

And the company could've done all their part right, but there's still so many scenarios where there is no control.
 
Upvote
10 (12 / -2)