CrowdStrike

Cybersecurity researcher Troy Hunt – who runs the HaveIBeenPwned website – predicted that the CrowdStrike failure would set a record as the largest IT outage in history, and the numbers seem to back him up.

Cyber insurance company Parametrix has put together some estimates of the cost of the outage, with healthcare companies worst hit, and airlines not far behind …

Last week’s CrowdStrike outage wreaked havoc on global society in a way that few tech events can. It also, with no effort on Apple’s part, managed to inadvertently serve as one of the best ad campaigns for the Mac.

The House Homeland Security Committee has written to CrowdStrike CEO George Kurtz, asking him to testify before Congress. The letter says the committee wants Kurtz to explain how the global IT outage happened, and what steps it is taking to prevent any repetition.

The demand comes as companies around the world struggle to recover from the global IT outage, with Delta saying that it has cancelled 4,000 flights since Friday and expects disruption to continue for another couple of days …

The CrowdStrike aftermath is seeing IT teams around the world struggle to restore the 8.5 million Windows PCs taken out by the bug. The mess included thousands of flights cancelled, health centers unable to make appointments, retailer payment terminals down, and even some 911 services unavailable.

Macs weren’t affected thanks to protections put in place by Apple, but Microsoft has reportedly claimed that antitrust law means it’s unable to take the same approach …

The sheer scale of the global IT outage caused by a faulty software update has left many wondering how one update to one company’s security software could have such massive impact.

Ironically, the effect of the CrowdStrike flaw has been almost identical to the very thing it’s intended to prevent …

A huge mistake by cybersecurity company CrowdStrike has caused a global IT outage on a massive scale, with airlines, banks, health services, and more affected – including some 911 centers.

United, Delta, and American Airlines are among the airlines who have been forced to ground flights. Broadcaster Sky News was taken off-air for several hours. Many retailers have been unable to accept payments. In short, it’s chaos out there …

Update: Apple says an OS X fix is coming soon.

Yesterday Apple released iOS update 7.0.6 alongside new builds for iOS 6 and Apple TV  that it said provided “a fix for SSL connection verification.” While Apple didn’t provide much specific information on the bug, it wasn’t long before the answer was at the top of Hacker News. It turns out that minor security fix was actually a major flaw that could in theory allow attackers to intercept communications between affected browsers and just about any SSL-protected site. Not only that, but the bug is also present in current builds of OS X that Apple has yet to release a security patch for.

Researchers from CrowdStrike described the bug in a report:

“To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system),”

Adam Langley, a senior software engineer at Google, also wrote about the flaw on his blog ImperialViolet and created a test site to check if you have the bug (pictured above):
Expand
Expanding
Close