'Highly sophisticated' government goons hacked F5, stole source code and undisclosed bug details

Security shop F5 today said "highly sophisticated nation-state" hackers broke into its network and stole BIG-IP source code, undisclosed vulnerability details, and customer configuration data belonging to a "small percentage" of its users. "The Company is currently reviewing the contents of these files and will communicate …

  1. VoiceOfTruth Silver badge

    Buzzword bingo

    Let's play buzzword bingo: nation-state, highly-sophisticated, broke-in, stole, small-percentage, discovered, China, Russia, long-term-access, critical, sensitive, threat, actor ...

    It goes on and on. All the usual words. All the usual platitudes. But once again it is a company which announces itself as providing "security solutions" that can't keep its own doors closed.

    Here's a new one: undisclosed vulnerability details. So, sitting on vulnerabilities rather than closing them urgently?

    But being allowed to say nothing about it since early August? That's a big EFF YOU to their customers.

    As I mentioned previously, average Joe has no chance. Imagine being told "use F5". OK, now we're secure as the leaky F5 bucket.

    1. Roland6 Silver badge

      Re: Buzzword bingo

      Shouldn’t forget Israel also has form, the question is whether US agencies were in the know…

      1. Claptrap314 Silver badge

        Re: Buzzword bingo

        Oh, yes. The Jews. But not the Norks or the Iranians. Go back to painting.

    2. Anonymous Coward

      Re: Buzzword bingo

      VoiceOfTruth is a Kremlin propaganda account. That much is obvious. Click on all articles posted in the last 48 hours and VoiceOfTruth posts the Kremlin propaganda line of the day and week across them all, day after day, month after month, year after year.

      @El Reg - are you planning to ever investigate the account, or do the needful and block the IP range, track the users past the VPN endpoints or Tor exit nodes they're clearly using? Or you don't care as long as you get the interaction. It's pathetic. It's been going on for years now and it's tiring.

      1. MiguelC Silver badge

        Re: Buzzword bingo

        Why censor? We can all see what it is, and it helps us understand what are the propaganda claims du jour

        1. stiine Silver badge
          Devil

          Re: Buzzword bingo

          You forgot to add ', and most of the time they're fucking hilarious.'

    3. Sandtitz Silver badge

      Re: Buzzword bingo

      It goes on and on. All the usual words. All the usual platitudes. But once again it is an account which announces itself as providing "Voice of Truth" that can't keep its own lies in order.

      Al Capone was just a famous tax evader, right?

    4. ecofeco Silver badge

      Re: Buzzword bingo

      I don't get the downvotes. Have my upvotes.

      Far too many "security" companies getting hacked these days. Worthless paper tigers, one and all.

    5. Sloth77

      Re: Buzzword bingo

      I guess “highly sophisticated nation state” sounds better than “14 year old script kiddie” :-)

      1. Anonymous Coward

        Re: Buzzword bingo

        You beat me to it.

        The moment I read the phrase 'highly sophisticated' in connection with a hack I just know it must have been something like using 'password123' for admin level accounts.

    6. m4r35n357 Silver badge

      Re: Buzzword bingo

      Closed source rocks!

    7. MonkeyJuice Silver badge

      Re: Buzzword bingo

      Here's a new one: undisclosed vulnerability details. So, sitting on vulnerabilities rather than closing them urgently?

      That sounds like standard responsible disclosure- holding the vulnerabilities from publication until the vendors have had a chance to patch it. The security industry has been doing this because back in the bad old days they'd release the PoC and it would get weaponized by script kiddies.

      The other issue is that security is very, very hard to get right. You are running a machine with who knows how many millions of lines of code, and all it takes is for one of those to be wrong. Defence is far harder than offence- you need to stop every single attack, including ones you may not yet be aware of, the attacker just needs to have one payload land correctly.

      1. Anonymous Coward

        Re: Buzzword bingo

        No, to me it sounded like the USG said 'Oh fuck, we're still not through exploiting that bug, you can't announce it yet, let alone fix it'

    8. Anonymous Coward

      @VoiceOfTruth - Re: Buzzword bingo

      'Highly sophisticated' government goons -

      in translation, we're inept at security, let's blame Russia since they can't defend themselves and this will make us look good as a victim.

  2. Anonymous Coward

    no title needed

    The US Justice Department allowed F5 to delay the disclosure, which underscores the seriousness of the breach.

    Dear other countries. Fine F5 until they bleed for doing this to you and your institutions.

  3. Anonymous Coward

    Holy source code batman

    This is the source code that historically had more holes than a very holey bucket.

    More than 50 major vulnerabilities over the years.

    I'm surprised the hackers even wanted the source code since BIG IP has been compromised nearly as many times as Netscaler has.

    1. BartyFartsLast Silver badge

      Re: Holy source code batman

      I would have thought that was *exactly* why they wanted the source, so they could find a bucket load more compromises

      1. GNU Enjoyer
        Angel

        Re: Holy source code batman

        You don't need the source code to find vulnerabilities - it just makes doing so more convenient and faster (which results in no practical difference when faced with a skilled enough attacker, or one with enough resources).

        Still, usually only attackers can be bothered to trawl through object code for vulnerabilities, while many people are happy to look through source code of free software and report vulnerabilities and sometimes even supply patches - therefore how the source code has been withheld and is going to continue being withheld has only ensured that the vulnerabilities won't get fixed.

  4. Nate Amsden Silver badge

    Hard to steal the nginx code

    When they release it freely https://github.com/nginx/nginx -- am sure there are probably some closed source addon bits that F5 makes though. Certainly will be a tough situation in the near future for F5 load balancer security. Citrix (who make Netscaler, probably F5's main competitor features/performance wise) got hacked as well at some point though I don't think any source code was claimed to be taken only business data.

    1. Paul Crawford Silver badge

      Re: Hard to steal the nginx code

      I was going to say just that, but in my case OpenWRT - if the code is open then your washing has to be white enough, not dirty but hidden in the secret corporate washing basin.

    2. Roland6 Silver badge

      Re: Hard to steal the nginx code

      However, just because the code is public doesn’t mean it doesn’t contain security holes, which someone is exploiting and keeping quiet…

  5. Anonymous Coward

    Hackers went for the Jackpot

    Not sure what defines a highly sophisticated hacker or not, but clearly they went for the Jackpot Bingo. An Application Delivery Controller or ADC is a single point of exposure of all traffic that goes through F5, which would be a magnet for hackers. It breaks all norms of security by concentrating in the same venue all the secret keys for every service that is on-boarded to the ADC. It is a matter of time until someone gets their hands on it. Otherwise no hacker would bother to break into F5 if the traffic that goes through it is end-to-end encrypted. It was an unwise and dumb idea from the beginning, and only there to support security of lax architecture in the back end. Now all those who were claiming that it is the only secure way to go about it are reaping their fruits. It was not at all driven from a security point of view but was more about sales, project check marks and also about sniffing transfers in the internal network for data loss prevention or DLP. Well, those who pushed it all are no longer around to be asked about it. Next, all the secret vaults and similar things.

  6. Aldnus

    who said it's not a bit closer to home

    Any one wondering that GCHQ may also be hacking to find the loopholes as F5 are the new kids on the block.

    1. Roland6 Silver badge

      Re: who said its not a bit closer to home

      Well all those students studying cybersecurity; they need some real world experience to put on their CV’s…

      I remember a friend who worked as a copywriter, they had a folio of work that got shown at interview but would never otherwise see the light of day(*) - its intent was to showcase their creativity.

      (*) example: pile of bodies from some African conflict, youth gun wielding men standing around all wearing Nike’s, slogan “just do it”.

  7. Aldnus

    and where is the hardware made

    Yep

    US

    Mexico and ROC
