Podcast: Play in new window | Download | Embed
8 thoughts on “Defensive Security Podcast Episode 233”
Just some follow up comments in regards to Kaseya and Connectwise. I work in the MSP sector and there are a number of MSP solutions that are designed to manage all your customers. These include Kaseya, MSP RMM, NinjaRMM, Labteck, Autotask PSA and others. All of these have agents that provide remote system level access. All of these are cloud-connected or have internet facing logon portals. Its very much standard practice for MSPs. In our instance, we have over 1000 PCs and 100 servers and we are a very small MSP provider.
Thanks for the information. I guess I am not up to speed on how MSPs work these days.
Hi, in case you do not know. All the source links provided are hotlinked to the securityweekly webpage of the first link.
Thank you! I will fix them.
Another msp here. Although we use Connectwise we do not use Kaseya. Connectwise does the helped tickets and had inventory and asset tagging and Kaseya would be the automation server. The two are linked so as tickets are entered the configuration items for the machines in Connectwise can be tagged to the machines in Kaseya. The flaw allowed any command to be run against the Kaseya system using statements similar to download grandcrab.exe and run on all machines from client pc table.
Connectwise apparently notified their users but I first heard about the issue after the story broke. A couple of days later I got a pop up notification in Connectwise to tell me that there was a problem and ensure I was patched. Something that they should have used a long time ago.
The plug-in was written by Connectwise so I am very concerned about similar code reuse with their other plugins that we might used.
They don’t exactly have the best security process when a mitm vulnerability reported on their Mac client was apparently responded to with noone else sees this as a problem so we won’t patch it.
Thanks for the details. This brings up a great question: vulnerability management for opaque plugins and components of other software like Connectwise.
Agreed – we’re removing one plugin after loading the dll into notepad, looking at the text and without giving away too much information, lets just say it gave away too much information!
On another point I am interested on the proofpoint and safelink rewriting. We have a couple of clients on Proofpoint Esssentials and it’s frankly horrible. The email limits and parsing are very limited and support is terrible and slow.
As to the safelink urls – just how do users know whether a link is safe to click on or not if everything points to proofpoint.com? To me it seems to be making life harder for users. After all, if computers can’t work out that obvious spam is spam, I’m not so sure that their url protection is going to be much better – user recognition for bad sites has to be much better along with password managers to ensure that similar urls are not used for login pages.