CrowdStrike issue causes mass global tech disruptions

    wtburnette

    WT(aF)
    Site Supporter
    Rating - 100%
    45   0   0
    Nov 11, 2013
    27,432
    113
    SW side of Indy
    Yeah, that's what they're saying, but "compliant" is really just another way of saying, "we want it done this way".

    After 10+ years in InfoSec, I'm pretty sure "compliant" means "paid someone the right amount of money for the certification" which does not necessarily equate to being "secure".
     

    jkaetz

    Master
    Rating - 100%
    3   0   0
    Jan 20, 2009
    2,058
    83
    Indianapolis
    Even people in our own agency couldn't get to our local shared drive. Everyone and their brother can get to OneDrive. How is that more secure? SharePoint is another one I hate and mostly for the same reasons.
    Inaccessible doesn't necessarily mean secure. The idea of making it hard to reach a digital asset as a means of security is fading away, as it is mostly security by obscurity. And, as you point out, it typically makes it hard for legitimate people to access as well. The shift to cloud storage is driven by the desire to reduce administrative load (no more file servers to manage/scan/etc...) and the tools provided by the cloud providers allowing monitoring and scanning of the data in storage for known sensitive (SSN/CC/etc...) info and reporting on it. I imagine the network-based security that was always in place for file servers will be replaced by monitoring the usage/connectivity patterns of users, similar to credit card fraud monitoring. It shouldn't be hard at this point to recognize the typical user login patterns from the stolen-credential logins.
     

    DoggyDaddy

    Grandmaster
    Site Supporter
    Rating - 100%
    73   0   1
    Aug 18, 2011
    111,037
    149
    Southside Indy
    Inaccessible doesn't necessarily mean secure. The idea of making it hard to reach a digital asset as a means of security is fading away, as it is mostly security by obscurity. And, as you point out, it typically makes it hard for legitimate people to access as well. The shift to cloud storage is driven by the desire to reduce administrative load (no more file servers to manage/scan/etc...) and the tools provided by the cloud providers allowing monitoring and scanning of the data in storage for known sensitive (SSN/CC/etc...) info and reporting on it. I imagine the network-based security that was always in place for file servers will be replaced by monitoring the usage/connectivity patterns of users, similar to credit card fraud monitoring. It shouldn't be hard at this point to recognize the typical user login patterns from the stolen-credential logins.
    Well... I still don't like it!

     

    DoggyDaddy

    Grandmaster
    Site Supporter
    Rating - 100%
    73   0   1
    Aug 18, 2011
    111,037
    149
    Southside Indy
    There are certainly downsides. Personally I hate that the web browser has become the de facto application interface for everything. I want to have an application for my e-mail/documents/spreadsheets/presentations that stands out from my web searching.
    Yeah, we have some documents that are stored on Teams. When you open one, it opens in SharePoint in a web browser. Spreadsheets, Word documents, PDFs, whatever.
     

    Eric66

    Plinker
    Rating - 0%
    0   0   0
    Jul 9, 2024
    73
    33
    West Lafayette
    We only have one PC affected here at my factory; everyone else leaves their PC on and has auto updates turned off. Has there been a fix announced yet?
    The updated update was pushed out yesterday.

    As a side note, turning off updates in Windows does nothing for CrowdStrike. They actually use a backdoor to push their updates and there is no way to stop it short of unplugging from the internet. The only other way is to not have CrowdStrike installed. If a particular computer did have CrowdStrike installed, but did not have the Falcon package installed, then it would have ignored the update since it was only for Falcon. Also understand that while CrowdStrike is a cloud-based service, the machines and data it protects are not necessarily in the cloud. All of the systems I am responsible for are hosted in-house.

    All of our systems went down just after production had finished running at about 1:30am, so we got lucky. We were able to get the systems back online with all of the needed data corrections with only a 3 hour delay to the start of the next shift's production, 9am instead of 6am.
     

    Hop

    Grandmaster
    Site Supporter
    Rating - 100%
    16   0   0
    Jan 21, 2008
    5,108
    83
    Indy
    The updated update was pushed out yesterday.

    As a side note, turning off updates in Windows does nothing for CrowdStrike. They actually use a backdoor to push their updates and there is no way to stop it short of unplugging from the internet. The only other way is to not have CrowdStrike installed. If a particular computer did have CrowdStrike installed, but did not have the Falcon package installed, then it would have ignored the update since it was only for Falcon. Also understand that while CrowdStrike is a cloud-based service, the machines and data it protects are not necessarily in the cloud. All of the systems I am responsible for are hosted in-house.

    All of our systems went down just after production had finished running at about 1:30am, so we got lucky. We were able to get the systems back online with all of the needed data corrections with only a 3 hour delay to the start of the next shift's production, 9am instead of 6am.
    Curious how you did this? Did you go hands on & delete the offending .sys file manually?

    I have hundreds of remote systems that are doing one of the following:
    - Stuck at a BSOD
    - BSOD but building a crash log file, crashing again before it gets to 100%, rebooting and building a log file again
    - Systems displaying a BitLocker password required page; enter the password & it crash-reboots back to the BitLocker screen

    I've had to give out the BitLocker password & a local admin username & password, then talk the users through getting into Safe Mode. Getting into Safe Mode has been a real PITA!
     

    jkaetz

    Master
    Rating - 100%
    3   0   0
    Jan 20, 2009
    2,058
    83
    Indianapolis
    Curious how you did this? Did you go hands on & delete the offending .sys file manually?

    I have hundreds of remote systems that are doing one of the following:
    - Stuck at a BSOD
    - BSOD but building a crash log file, crashing again before it gets to 100%, rebooting and building a log file again
    - Systems displaying a BitLocker password required page; enter the password & it crash-reboots back to the BitLocker screen

    I've had to give out the BitLocker password & a local admin username & password, then talk the users through getting into Safe Mode. Getting into Safe Mode has been a real PITA!
    Short of connecting the systems to an IP-based KVM, the only way I know of without doing this is if you have systems with Intel's AMT set up. That would effectively give you a remote console to the systems, but I don't know many companies that actually leverage this functionality. I suppose another option is to have a "system restore" boot option that can be selected if the primary boot option doesn't/can't work. Could be implemented with a Linux flavor or a minimal Windows install. No good options though. Maybe booting from Windows PE media that has remote control capability would work too. Theoretically you could build a Windows PE environment that would boot, unlock, delete, and reboot, but it would take some work to get that built as well, and it would have to have some way of getting the BitLocker key.
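The "boot, unlock, delete, reboot" WinPE approach described above, sketched as an added example (not code from the thread or from any vendor). It assumes a WinPE image built with the WMI and PowerShell optional components, that manage-bde.exe is present, that the operator supplies the 48-digit BitLocker recovery password, and that the vendor-published name of the faulty file and its directory are substituted for the placeholders.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$RecoveryPassword,      # 48-digit BitLocker recovery password
    [string]$DriverSubDir   = 'Windows\System32\drivers\VENDOR-PLACEHOLDER',
    [string]$BadFilePattern = 'PLACEHOLDER-*.sys'                 # vendor-published name of the faulty file
)

# Fixed disks as WinPE sees them; letters differ from the installed OS, so scan them all.
function Get-FixedDrives {
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object { $_.DeviceID }
}

# manage-bde reports "Lock Status: Locked" for an encrypted volume whose key is not loaded.
function Test-VolumeLocked([string]$Drive) {
    $out = & manage-bde.exe -status $Drive 2>&1 | Out-String
    return ($out -match 'Lock Status:\s+Locked')
}

$remediated = 0
foreach ($drive in Get-FixedDrives) {
    if (Test-VolumeLocked $drive) {
        Write-Host "Unlocking $drive with the recovery password"
        & manage-bde.exe -unlock $drive -RecoveryPassword $RecoveryPassword | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Unlock failed for $drive"; continue }
    }
    $dir = "$drive\$DriverSubDir"
    if (-not (Test-Path $dir)) { continue }    # not the volume holding the Windows install
    $bad = Get-ChildItem -Path $dir -Filter $BadFilePattern -File -ErrorAction SilentlyContinue
    if (-not $bad) { Write-Host "No matching file on $drive"; continue }
    # Quarantine rather than delete so the file survives for later forensic comparison.
    $quarantine = "$drive\Quarantine"
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    foreach ($f in $bad) {
        Move-Item -Path $f.FullName -Destination $quarantine -Force
        Write-Host "Moved $($f.FullName) to $quarantine"
        $remediated++
    }
}

if ($remediated -gt 0) {
    Write-Host "Remediated $remediated file(s); rebooting into the installed OS"
    & wpeutil.exe reboot
} else {
    Write-Warning 'Nothing remediated; staying in WinPE for manual inspection'
}
```

Because the recovery password is passed on the command line, it is visible to anyone at the console, which is the same exposure the thread describes when the password is read out to users over the phone.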
     

    BehindBlueI's

    Grandmaster
    Rating - 100%
    29   0   0
    Oct 3, 2012
    26,608
    113
    After 10+ years in InfoSec, I'm pretty sure "compliant" means "paid someone the right amount of money for the certification" which does not necessarily equate to being "secure".

    I don't doubt that in the slightest. Certifications, including for individuals, are a big business in IT. However, if you're dealing with CJIS info, you have to be CJIS compliant even if the rules are the big dumb.
     

    jsx1043

    Grandmaster
    Rating - 100%
    51   0   0
    Apr 9, 2008
    5,137
    113
    Napghanistan
    Yep, have to erase those transactions and communications... weird timing right?
    Cleaning up:

    A. Austin Private Wealth financial info
    B. Crook’s digital presence
    C. Deep state communications ref: J13
    D. DNC comms ref FJB stepdown
    E. All of the above

    In this day and age, there is no such thing as a coincidence
     

    Flingarrows

    Expert
    Site Supporter
    Rating - 100%
    2   0   0
    Mar 9, 2019
    912
    99
    Greenwood
    I’m still stuck in Orlando until tomorrow night, late.

    Yesterday afternoon my Delta flight was cancelled 2 hours after scheduled departure. Waited in line 90 minutes to get rescheduled for tomorrow, and a hotel and meal voucher.

    They will only issue vouchers one day at a time. I called in this morning. After a 2-1/2 hour wait, was told that I need to go to MCO, as only the local agents can issue the vouchers. Back to the airport for 3 hours in line.

    I have never seen this many people at an airport. I despise flying and large crowds. This did not help my perception.
     