
[Ars Technica] Feds issue emergency order for agencies to patch critical Windows flaw

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
15,921 (4.58/day)
Location
Kepler-186f

The US Department of Homeland Security is giving federal agencies until midnight on Tuesday to patch a critical Windows vulnerability that can make it easy for attackers to become all-powerful administrators with free rein to create accounts, infect an entire network with malware, and carry out similarly disastrous actions.


Yikes. I'll never understand why we keep important infrastructures online instead of LAN only. They existed offline for decades just fine. Edit: Can anyone explain to me why we do this instead of doing offline LAN setups?
 
Joined
Jul 25, 2006
Messages
12,137 (1.87/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 32GB (4 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Logitech M190
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
15,921 (4.58/day)
Location
Kepler-186f
This appears to be about Windows "server". Home users using W10 need not worry.


Yeah, I read that in the comments in the Ars article. Also it says this patch was released almost 6 months ago? lol I will never understand IT Tech stuff. I am glad I chose a different field. I don't understand how people in such important positions could risk so much when they have so much notice to update... just seems odd to me.
 
Joined
Jul 25, 2006
Messages
12,137 (1.87/day)
Location
Nebraska, USA
I don't understand how people in such important positions could risk so much when they have so much notice to update... just seems odd to me.
Fortunately - in some cases it is being treated as criminal negligence too.

 
Joined
Dec 16, 2017
Messages
2,730 (1.18/day)
Location
Buenos Aires, Argentina
System Name System V
Processor AMD Ryzen 5 3600
Motherboard Asus Prime X570-P
Cooling Cooler Master Hyper 212 // a bunch of 120 mm Xigmatek 1500 RPM fans (2 ins, 3 outs)
Memory 2x8GB Ballistix Sport LT 3200 MHz (BLS8G4D32AESCK.M8FE) (CL16-18-18-36)
Video Card(s) Gigabyte AORUS Radeon RX 580 8 GB
Storage SHFS37A240G / DT01ACA200 / WD20EZRX / MKNSSDTR256GB-3DL / LG BH16NS40 / ST10000VN0008
Display(s) LG 22MP55 IPS Display
Case NZXT Source 210
Audio Device(s) Logitech G430 Headset
Power Supply Corsair CX650M
Mouse Microsoft Trackball Optical 1.0
Keyboard HP Vectra VE keyboard (Part # D4950-63004)
Software Whatever build of Windows 11 is being served in Dev channel at the time.
Benchmark Scores Corona 1.3: 3120620 r/s Cinebench R20: 3355 FireStrike: 12490 TimeSpy: 4624
Yeah, I read that in the comments in the Ars article. Also it says this patch was released almost 6 months ago? lol I will never understand IT Tech stuff. I am glad I chose a different field. I don't understand how people in such important positions could risk so much when they have so much notice to update... just seems odd to me.

In some cases, because of the risk of breaking mission-critical stuff or because the IT staff needs to change something else to accommodate for that update. Other times, laziness or staff being overloaded with something else.

I'd like to know why AFIP (the revenue service of Argentina) still uses Apache 2.2.14 (which is old as dust these days) in their systems, for that matter. Especially since a lot of sensitive information goes through there...

Can anyone explain to me why we do this instead of doing offline LAN setups?

Convenience? Police officers can carry phones to get access to information that is sent from those previously LAN-only networks, for example.
 

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
15,921 (4.58/day)
Location
Kepler-186f
Fortunately - in some cases it is being treated as criminal negligence too.


Didn't they also get several billion extra in funding from Congress that same year to help fix their security issues?
 
Joined
Aug 20, 2007
Messages
20,773 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
Didn't they also get several billion extra in funding from Congress that same year to help fix their security issues?

Heh, yep. There is so much corruption. It's just profitable to be bad.
 
Joined
Jul 25, 2006
Messages
12,137 (1.87/day)
Location
Nebraska, USA
In some cases, because of the risk of breaking mission-critical stuff or because the IT staff needs to change something else to accommodate for that update.
That's a valid excuse to delay the update for a couple days - perhaps until the next weekend. But not for months and months. And that's where company executives are 100% to blame, not the IT staff. The C-level execs, in particular the CIO and CSO, need to put in place policies to ensure timely updates for critical security updates. And they need to give the IT Staff the resources and the authority to get it done, not just the responsibility.

I agree there is always the risk of breaking mission critical stuff, but that's why you schedule downtime and plan ahead, with a plan that includes a quick roll back should something break.

Even if something during the scheduled outage goes wrong, and that outage goes past the expected times, unscheduled outages, especially due to malicious activities, typically result in much longer, and much more inconvenient downtimes - not to mention rolling heads of scapegoats and others.

Didn't they also get several billion extra in funding from Congress that same year to help fix their security issues?
I don't think so. At least I never heard of that and can't find any reference to that.
 
Joined
Aug 20, 2007
Messages
20,773 (3.41/day)
I don't think so. At least I never heard of that and can't find any reference to that.

I believe it wasn't so much to fix their security issues as part of the bailouts that happened during COVID. But yeah. They ended up with a net gain for basically no advancement anyways. A lot of companies did. And all we got was a crappy check.
 
Joined
Jul 25, 2006
Messages
12,137 (1.87/day)
Location
Nebraska, USA
They ended up with a net gain for basically no advancement anyways. A lot of companies did. And all we got was a crappy check.
I've been looking and I don't see where they got any money, not even a loan. Got a link?
 
Joined
Aug 20, 2007
Messages
20,773 (3.41/day)
I've been looking and I don't see where they got any money, not even a loan. Got a link?

It's second-hand info, so it very well may be BS in hindsight.

I can't find anything either. Probably should know better than to pass off street rumor as fact, my apologies.

"It sounds true, therefore it IS true." is a terrible instinct residing within us all. Fight it.
 

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
15,921 (4.58/day)
Location
Kepler-186f
I looked myself, couldn't find it. I could have sworn I read after the breach in 2017 that Congress funded several billion to help improve security right after, maybe I dreamed it? lmao I seriously searched hardcore and couldn't find anything on it. Wow. Really weird. Maybe I just saw it on Reddit or something and it was just some bs, that was probably what happened. I have a bad habit of browsing Reddit too much. :roll:
 
Joined
May 20, 2020
Messages
1,290 (0.90/day)
The problem is always people don't want to "invest" in another network card per PC to make LAN separate from internet access NIC. Meh. A non-issue for the conscious.
 
Joined
Aug 20, 2007
Messages
20,773 (3.41/day)
The problem is always people don't want to "invest" in another network card per PC to make LAN separate from internet access NIC. Meh. A non-issue for the conscious.

Why would they? We have routers and firewalls for that. It'd be fixing a problem that does not exist.
 
Joined
Mar 10, 2015
Messages
3,984 (1.20/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
Why would they? We have routers and firewalls for that. It'd be fixing a problem that does not exist.

Nor would it prevent anything in the long run.
 
Joined
Aug 20, 2007
Messages
20,773 (3.41/day)
Joined
Mar 10, 2015
Messages
3,984 (1.20/day)
Exactly. The infected system via whatever would use both adapters to spread, lol.

 
Joined
Jul 25, 2006
Messages
12,137 (1.87/day)
Location
Nebraska, USA
I looked myself, couldn't find it. I could have sworn I read after the breach in 2017 that Congress funded several billion to help improve security right after, maybe I dreamed it?
This is a WAG but I think I remember Equifax asking for $billions because they feared they were going to get the pants sued off them - but after it was learned they knew about the vulnerability for nearly 6 months, had the patch that fixed or prevented it from being exploited but negligently failed to apply it, Congress wisely said no. However, I bet the only reason for that was a couple hundred members of Congress had their personal data compromised too. Otherwise, Equifax probably would have skated off scot free.

Edit comment: fixed typo by adding an important "but".
 

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
15,921 (4.58/day)
Location
Kepler-186f
This is a WAG but I think I remember Equifax asking for $billions because they feared they were going to get the pants sued off them - but after it was learned they knew about the vulnerability for nearly 6 months, had the patch that fixed or prevented it from being exploited negligently failed to apply it, Congress wisely said no. However, I bet the only reason for that was a couple hundred members of Congress had their personal data compromised too. Otherwise, Equifax probably would have skated off scot free.

Thank you for clarifying this, at least we don't live in a completely failed nation state just yet. lol
 