and urged customers to migrate to a newer product "built on an entirely different code base."
That doesn't mean it's safer, it means it has different bugs.
The EoL announcement is rather odd.
It explicitly states that the product remains supported, though licences cannot be renewed after April 30, 2021, and yet also says: "For the past three years, Accellion has been attempting to move its existing FTA customers over to our modern and more secure platform, kiteworks®."
Which raises interesting questions about what "support" means if they're actively trying to move customers to something "more secure" - and indeed why their customer resisted their entreaties.
The EoL is blamed on the end of support for Centos 6 on which the product is based rather than any specific problems with the FTA code.
There is a surprising amount of information available on Accellion's website - just search for "FTA".
Interestingly, it seems fewer than 50 customers are running FTA.
I like this observation, based on their recent experience:
" In 2021, every software security provider must not only demonstrate secure software architecture but must also be proficient at cyberwarfare."
From the article it was an "Accellion file-transfer appliance" that was breached. I suspect from the rest of the paragraph, Bombardier failed to maintain (apply security updates) or upgrade the appliance.
This is a real problem. I suspect many people install appliances and simply run them until they fail. For example, when was the last time you checked for firmware updates to your home router? I also wonder how many ISPs actually maintain their routers, i.e. how many people are still running a 10-year-old ISP-supplied router which hasn't had any over-the-wire updates for some years...
"how many people are still running a 10 year old ISP supplied router which hasn't had any over-the-wire updates for some years."
I would hazard a guess to all of them. My recent experience of EE, Virgin and Vodafone is that you can't apply firmware updates at all, ISP supplied or otherwise [*]. The exception being the updates that get forced on you without asking, and invariably have "solved" a problem by simply removing the function that they couldn't be bothered to fix or make secure.
[* At least not without having to solder some header pins onto the board to get access to the serial port and cock about with telnet/ftp. ]
Hah! Is that an oblique reference to the BT / PlusNet HomeHub 5 type A? Once unlocked and reflashed with a suitable Linux kernel (which does require some soldering, annoyingly), that makes a phenomenally capable single-board computer which costs peanuts. Dual-core MIPS with plenty of RAM and disk space (ample space and horsepower for a full Python 3 install), three 2.4GHz radios, two 5GHz radios and USB2.
"when was the last time you checked for firmware updates to your home router?"
Never. It does it automatically itself.
"I also wonder how many ISP's actually maintain their routers"
Now that's an entirely different (and pertinent) question. Given my experience (Orange France), they seem to actively support the last two or three models, but the updates are not very frequent. They seem to like to roll out updates in early August. You can tell because stuff that used to work is suddenly broken until (a few weeks later) they push out an update that works. Must be the summer trainee doing the testing...
UK ISPs often send firmware updates to their routers. Sometimes a few times a week when they get it wrong the first time.
Often around midnight to 2am they would update and reboot, causing a smart device in the bedroom to flash brightly to tell me it had no wifi access and causing some random wifi lights not to reconnect.
Removing ISPs' routers from the equation solves 99/100 problems.
So far, it sounds to me like they got their hands on external CAD data, data which is sufficiently detailed (useful for fit check etc.) that it can be requested only after signing an NDA, but not sufficiently detailed to enable reverse engineering. There may be more undisclosed data, but this may just as well be criminals trying their best to inflate the perceived value of what they stole.
There's really little point paying up for the promise of your data not being released. In these situations, you'd be very foolish to rely on the word of an 'honest' thief, and it's not likely you can sue them, is it? Accept your data is now public, learn and move on. At least you will have the satisfaction that you didn't pay anything to fund them, and that they will be pissed off as a result.
Okay, they might well have accessed more recent designs but, on the other hand, I doubt they have the technical ability to choose designs that are old before revealing more recent ones.
Of course, the creation date of the files might render that argument moot.
If they only got their hands on decade-old tech, maybe it doesn't matter so much? It has surely been replaced by more recent tech. Sure, it's still a bad thing for the companies involved and their customers, but it might make it easier to decide not to pay them - which, ideally, should never happen.
Obviously, even 10-year-old tech designs could be very interesting for some third parties, so yeah, it's still a bad thing. This is military hardware though, those thieves might want to start looking over their shoulders in the future. The CIA can reach pretty far when it wants to.
There are benefits to being an honest thief: your next victim is more likely to pay up. Or more precisely, there are disadvantages to being dishonest: your next victim is _less_ likely to pay up. As they now appear to have a brand, there is some value associated with that brand.
Biting the hand that feeds IT © 1998–2021