CrowdStrike Highlights the Dangers of 'Security' Software

Lifewire ^ | 22 Jul 24 | Charlie Sorre

[Alas Babylon!]

It can cause more harm than good!

Key Features

·CrowdStrike shows the havoc that can be wreaked by supposed security software.
·Most people don't need third-party antivirus software.
·Most modern-day threats are aimed at exploiting humans, not computers.

---

TOPICS: Business/Economy; News/Current Events
KEYWORDS: crowdstrike; cybersecurity; falconsensor; ignorantauthor; windows

[Alas Babylon!]

"We have moved beyond the days when computer viruses merely corrupted files. Now, we face sophisticated threats that combine social engineering with malicious software, aiming to do far more than just damage your computer." Phishing attacks and other kinds of social engineering try to trick us into giving away secrets by clicking on links to cloned websites, for example.

[BBQToadRibs2]

[CodeJockey]

CrowdStrike Highlights the Dangers of 'Security' 'not testing' Software

[ShadowAce]

[Empire_of_Liberty]

I use an OLD Linux, just to be doubly safe!

[Dave Wright]

The Crowdstrike crash revealed a fundamental flaw in how security suite software is packaged with Microsoft. Because it operates at the device level in the kernel (Ring 0), it has to be packaged as a signed device driver that goes through Microsoft’s rigorous testing protocols. But because it also has to respond immediately to Zero day vulnerabilities, it can’t wait for a new signed driver to be approved.

This is why they use DEF files to patch the driver code. The signed driver code reads the DEF file to get updated p-code that must run in the kernel memory. The latest DEF file release contained bad code that caused a NULL exception in the kernel memory, resulting in a BSD.

Crowstrike’s regression testing should have caught this, and they have a lot to answer for.

[ConservativeWarrior]

This article’s argument is like saying seat belts can be removed from cars because hardly any accident victims are ejected from their vehicles these days.

The only reason threats have shifted to social engineering is because the tech has been pretty well locked down by these and other security tools that update almost constantly.

[Alas Babylon!]

That really is and should remain the province of the operating system.

Allowing 3rd party software direct access to the kernel is asking for trouble.

[ConservativeWarrior]

You want to trust MSFT with all your system security?

[algore]

One of my friends at Microsoft said he had nightmares about someone on the windows update team doing something much worse than this.

I worry about it too.

[sauropod]

+1

[Mariner]

“Allowing 3rd party software direct access to the kernel is asking for trouble.”

FWIW...When I was at Intel, no vendor... NOBODY was allowed to automatically update software. Or any equipment firmware.

They built an isolated testing environment and manually loaded ALL, ALL updates there to test. After rigorous testing, Intel would push the software themselves.

Yes, they were a little behind the curve on “zero day” exploits, but had security systems and protocols that minimized any damage.

And they NEVER had enterprise-wide outages. Never.

It’s what all responsible companies do.

All those IT Directors and Security Directors who are complaining about the bad Crowdstrike update should be fired.

[Alas Babylon!]

Yes. I used to work for them. The problem has always been the user base. And that’s been true since the first microcomputers came out. If it’s too hard, people don’t want it. I used UNIX long before Linus Torvalds made his distribution—and met him, too.

Having said that, I was an MCT for 20 years teaching IT admin and SQL server admin. I did a ton of contract work for MS writing courseware (MOC). Security always came down to the basics. As long as they were followed, you had a pretty good chance.

You could teach it to them 1,000 times, but it was always that one shortcut, that one time they forget the backups, etc. Murphy’s law.

Incidentally, I would never recommend Crowdstrike. They’re accessories to Seth Rich murder. I will always believe that.

[zeugma]

I was down all day long on my work laptop because of this. Because the idiots I work for not only insist on a complete monoculture in their supported laptops, AND,/b. because they so severely lock down access to these systems, I couldn't do anything about the BSOD, even though I KNEW what the fix was, and I'm a professional nerd that is absolutely taking care of the laptop itself.

So, I effectively had the day off to read about the crapstorm on the internet. Their loss. They pay me for my time regardless.

[9YearLurker]

Except it is CrowdStrike. So there is at least a non-zero chance it was a more intentional dry run of some sort than they claim.

[discostu]

No, it’s saying you don’t need wear a helmet in your car because it already has seatbelts and airbags.

The 3rd party virus scan thing was always of limited value. Half the software packages suck (McAffee, Norton, I’m looking at you). They slow your computer down a ton. And now Windows comes with actually pretty good virus scanning all on its own. So having a second system on there really does nothing except slow you down, and make you vulnerable to bad updates.

[fremont_steve]

I agree with this response. I am in the business and the article is dead wrong. A more appropriate statement is that a software monoculture is a dangerous model and companies that don’t practice thorough testing before deployment are dangerous.

[minnesota_bound]

I saw a youtube video where a guy who had worked at Microsoft said that the EU forced microsoft to allow access to the system32 folder.

Microsoft points finger at the EU for not being able to lock down Windows
https://www.neowin.net/news/microsoft-points-finger-at-the-eu-for-not-being-able-to-lock-down-windows/

The document states that Microsoft is obligated to make available its APIs in its Windows Client and Server operating systems that are used by its security products to third-party security software makers.