How Private Equity Debt Left a Leading VPN Open To Chinese Hackers (financialpost.com)
- Reference: 0180829188
- News link: https://it.slashdot.org/story/26/02/20/003230/how-private-equity-debt-left-a-leading-vpn-open-to-chinese-hackers
- Source link: https://financialpost.com/pmn/business-pmn/how-private-equity-debt-left-a-leading-vpn-open-to-chinese-hackers
> In early 2024, the agency that oversees cybersecurity for much of the US government issued a rare emergency order -- disconnect your Connect Secure virtual private network software immediately. Chinese spies had hacked the code and infiltrated nearly two dozen organizations. The directive applied to all civilian federal agencies, but given the product's customer base, its impact was more widely felt. The software, which is made by Ivanti Inc., was something of an industry standard across government and much of the corporate world. Clients included the US Air Force, Army, Navy and other parts of the Defense Department, the Department of State, the Federal Aviation Administration, the Federal Reserve, the National Aeronautics and Space Administration, thousands of companies and more than 2,000 banks including Wells Fargo & Co. and Deutsche Bank AG, according to federal procurement records, internal documents, interviews and the accounts of former Ivanti employees who requested anonymity because they were not authorized to disclose customer information.
>
> Soon after sending out their order, which instructed agencies to install an Ivanti-issued fix, staffers at the Cybersecurity and Infrastructure Security Agency discovered that the threat was also inside their own house. Two sensitive CISA databases -- one containing information about personnel at chemical facilities, another assessing the vulnerabilities of critical infrastructure operators -- had been compromised via the agency's own Connect Secure software. CISA had followed all its own guidance. Ivanti's fix had failed. This was a breaking point for some American national security officials, who had long expressed concerns about Connect Secure VPNs. CISA subsequently published a letter with the Federal Bureau of Investigation and the national cybersecurity agencies of the UK, Canada, Australia and New Zealand warning customers of the "significant risk" associated with continuing to use the software. According to Laura Galante, then the top cyber official in the Office of the Director of National Intelligence, the government came to a simple conclusion about the technology. "You should not be using it," she said. "There really is no other way to put it."
>
> That attack, along with several others that successfully targeted the Ivanti software, illustrates how private equity's push into the cybersecurity market [1] ended up compromising the quality and safety of some critical VPN products, Bloomberg has found. Last year, Bloomberg reported that Citrix Systems Inc., another top VPN maker, experienced several major hacks after its private equity owners, Elliott Investment Management and Vista Equity Partners, cut most of the company's 70-member product security team following their acquisition of the company in 2022. Some government officials and private-sector executives are now reconsidering their approach to evaluating cybersecurity software. In addition to excising private equity-owned VPNs from their networks, some factor private equity ownership into their risk assessments of key technologies.
[1] https://financialpost.com/pmn/business-pmn/how-private-equity-debt-left-a-leading-vpn-open-to-chinese-hackers
How is this "business model" legal? (Score:2)
Saddling entities with debt sounds like fraud to me.
Re: (Score:1)
I guess you could ask Toys"R"Us or Red Lobster, but they were PEed out of existence. You can blame the Reagan Administration and the Chicago School of Economics.
Re: (Score:2)
I just took my wife to Red Lobster the other day...
Re: (Score:2)
How embarrassing for you. Do you live in the Midwest but nowhere near Chicago, or some other place where there isn't anywhere to get good quality seafood?
Re: (Score:2)
Yes. "Fresh off the boat" seafood in Minneapolis is expensive as fuck already, and this area is a fairly major point of entry. I'm sure the Red Lobster in Rapid City SD is the only place within a day's trip that has anything that resembles fresh seafood.
Re: (Score:2)
Yes, Georgia. South of Atlanta, far from the water.
I don't eat seafood. At all, ever. Even before I worked for a seafood wholesaler.
My wife does. Not only that, but she particularly loves Red Lobster, which was a big family treat for her when growing up.
She had a wonderful time, which pleased me greatly and was the entire point of the endeavor. I had a decent steak.
Re: (Score:2, Insightful)
> Saddling entities with debt sounds like fraud to me.
When 80% of new businesses fail within 3 years in a Capitalist system, one would think being able to bet against success would be quite illegal, given the ease with which one could manufacture the other 20%.
And yet... hedge funds exist.
For all the bragging Capitalism does over the other -isms, it's really nothing more than the lesser of the evils. Late-stage capitalism is no less brutal on the masses. Often because they never expect it.
We're looking at it wrong (Score:2)
Yes, there were many government secrets lost, and general mayhem, but for a brief moment, much stakeholder value was achieved. /s
Re: (Score:2)
excuses.
If you do a shitty job at vendor or supply chain evaluation and get pwned, that is at least partly on you. There may be exceptions if you are a fraud victim, like, say, a vendor furnished a fake 3rd party security assessment report.
Literally every place I observed using Ivanti was a large enterprise that had had Juniper kit and started using it as part of the VPN solution when it was a Juniper product, and simply continued through the transition to Pulse, Ivanti. It was there because nobody reevaluated i
Re: (Score:2)
> excuses.
Ahem - I was being sarcastic. Look at the /s on the end. That is geekspeak for sarcasm.
Re: (Score:2)
"How long do these supposedly very high confidentiality government organizations and F500 enterprise get a pass on that?"
In the USA?
Likely for the foreseeable future.
Can't blame it all on Private Equity (Score:2)
The poor architectural decisions and lack of care when fixing vulnerabilities go way back, before PE got involved, it seems. Fortinet decided that "encrypting" their appliance filesystem to obstruct researchers was a better use of their time than actually trying to *design* a secure architecture for their systems. Of course, it was a pointless waste of time, because the appliance decrypts itself during boot, so the keys are available.
Another of the VPN vendors had a more recent vulnerability, that turned
Re: (Score:2)
> Yeah, we might as well blame government contracts for Microsoft's security flaws -- there is just as much logic to the argument.
Did you forget that the NSA sits on 0-days so that they can exploit them?
Sure you can (Score:2)
If you build a dangerous theme park and I buy it from you, I take responsibility when kids get mangled.
And PE is absolutely a terrible model for any software with a security aspect. They will always strip maintenance to the bone and PE backwater shops don't exactly have the best and brightest banging on their doors anyway.
After we were bought by a massive firm, one of the (many) things that bugged me was losing control of my vendors. Instead of making our own deals, now I tell a centralized procurement
Sounds like treason to me (Score:1)
Off with their heads!
You can't just strip mine things to make money.
Well you can, I guess.
Private Destruction. (Score:2)
> ..Bloomberg reported that Citrix Systems Inc., another top VPN maker, experienced several major hacks after its private equity owners, Elliott Investment Management and Vista Equity Partners, cut most of the company's 70-member product security team following their acquisition of the company in 2022.
The reality of private equity-controlled companies taking any kind of negative hit to the product or reputation is that they no longer give a shit about that.
Broadcom taking the quarter-century old Citrix and purposely turning it into Shitrix is a prime example.
What Was The Outcome? (Score:2)
What was the outcome? Did anything at all happen that might penalize the firms involved, or might dissuade PE firms from future irresponsible actions like this?
Nope. What I see here is some PE firms made bank. I see a working example business process for other PE firms going forward.
Re:What Was The Outcome? (Score:4, Insightful)
The market punished them. Major customers have dumped the product.
Investors will lose money as the value of the company probably continues to decline, they have destroyed the brand.
Re: (Score:2)
The market punished the company, but the PE firms simply move on to the next money-maker.
Re: (Score:2)
It takes two to tango. Someone has to lend these companies the money in order for them to be loaded with debt. Eventually these parties will learn to sniff out bad credit risk; at some point, no matter how rosy the proposal and outlook is, lenders are going to start looking at the history of these PE firms and say, you know what - nope.