back to article France's cyber-agency says Centreon IT management software sabotaged by Russian Sandworm

France’s Agence nationale de la sécurité des systèmes d'information (ANSSI), the nation’s cyber-security agency, has identified a years-long campaign to infiltrate IT monitoring platform Centreon. Centreon (the company) claimed that Centreon (the software) is a spiffing open-source IT monitoring tool. “Organizations must keep …

  1. Potemkine! Silver badge

    All I want is a secure system where it's easy to do anything I want

    Is that so much to ask?

    1. Stuart Castle Silver badge

      Re: All I want is a secure system where it's easy to do anything I want

      Theres an old adage in IT security worlds. I can't remember the exact phrasing, but the general idea is "Security, Features, Ease of use: Pick two..."

      1. nijam Silver badge

        Re: All I want is a secure system where it's easy to do anything I want

        > Pick two...

        In some cases you're lucky to get one.

      2. Danny 5

        Re: All I want is a secure system where it's easy to do anything I want

        I like the BOFH quote myself "security is a journey, not a destination"

    2. Version 1.0 Silver badge
      Alert

      Re: All I want is a secure system where it's easy to do anything I want

      All internet connected system can be secure, it's no problem at all ... just turn the power switch off. Let's face it, the internet has become a hacking tool, originally designed to reliably share information - these days it seems to imply that everyone can share your information.

      El Reg, we need a "security" icon ... a pair of wire cutters please.

      1. Michael Wojcik Silver badge

        Re: All I want is a secure system where it's easy to do anything I want

        That's not secure, unless your requirements for the system are that it do nothing.

        People not in the field often forget that "accomplishing its purpose" is an aspect of a system's security. There are various formulations of this. One is the third property of the "CIA" triad: Confidentiality, Integrity, Availability. Another is the principle that a secure system does what it is intended (by the "owner", itself a problematic concept) to do, and only that.

        In reality there's no such thing as a secure system. There are systems which are more or less secure, a relative measurement which is only meaningful when defined using various metrics such as the cost, probability, or risk of a successful attack under a given threat model.

  2. Aladdin Sane

    Did they try walking without rhythm?

    1. Dr_N Silver badge

      Les <<marteleurs>> ne fonctionnaient pas.

  3. Pascal Monett Silver badge

    And it continues

    Another provider to many important companies has its software compromised. Okay, through its customers' fault, granted, but still.

    I think it is time to have a general review of high-profile software being used by companies that serve many other companies. We've basically stumbled across an underground trend that has been going on for years thanks to SolarWinds123's stupidity, but now it is time to take stock of the true situation and every company that operates in the Network Management market should be reviewing its published code with a fine comb and checking all of its code repositories to ensure that it is still offering secure code.

    1. Robert Carnegie Silver badge

      Re: And it continues

      Do you even -want- to know which Flash version we're using? :-)

  4. sitta_europea

    "...some have clearly run old and vulnerable versions..."

    No! Really? I can't believe it! I'm shocked! Who would have thought that?

  5. JClouseau
    Headmaster

    "rusty high school French and online translation services"

    ...or you could go straight to the English version ;-)

  6. WolfFan Silver badge

    They actually named it that?

    The first thing I thought when seeing that acronym was that someone had misspelled Anansi and I wondered where the spider was… Anansi comes from West Africa, including the likes of Senegal, Cote d’Ivoire and other bits of Francophone Africa, so they should have known this… being associated with Anansi is, perhaps, not the best look for a security organization.

    1. Robert Carnegie Silver badge

      Re: They actually named it that?

      Quite an early adventure in the 21st century version of "Danger Mouse" involves an issue with the World Wide Web in which I think they accidentally wake up the World Wide Spider. Arachno fans look away, because our heroes get a really really big vacuum cleaner......

      Anyway... you didn't think that they misspelled "ANSI" then? As in, ANSI, WinCE, ... All these moments will be lost in time, like tears in rain.

      How do you tear rain anyway...

  7. YetAnotherJoeBlow Bronze badge

    Eventually...

    Until there is legislation with a true and meaningful penalty clause, this charade will never end - and it will get worse. It is like Google said; view every network and endpoint as an adversary.

    I hate to think what the exploit will do that finally spurs action. All sorts of horrors come to mind. If we do not step up to the plate here, it is our fault to bear the burden of failure with the remedies that will follow.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022