Recent searches
Search options
Interesting - did anybody keep a list of tweets by CrowdStrike staff during the start of the incident? This one has been deleted. https://x.com/brody_n77/status/1814186136149037459
US House committee calls on CrowdStrike CEO to testify on global outage https://www.washingtonpost.com/technology/2024/07/22/house-committee-calls-crowdstrike-ceo-testify-global-outage/
Crowdstrike are touting auto remediation of blue screen as an opt in feature.
However, I just tried it - it’s not very successful, most boots still blue screen of death. I think CS need to be careful on messaging about this as it sounds like they’re offering it as a silver bullet. It only works if networking kicks in and the agent updates before Windows finishes booting.
https://www.reddit.com/r/sysadmin/comments/1e9nqyn/just_exited_a_meeting_with_crowdstrike_you_can/
Delta cancelled another 20% of US flights yesterday as they struggle to recover from CrowdStrike incident https://www.bankinfosecurity.com/blogs/crowdstrike-disruption-restoration-taking-time-p-3673
CrowdStrike have published a video on YouTube about how to remediate PCs: https://www.youtube.com/watch?v=Bn5eRUaMZXk
(Despite the name, Self-Remediation, it is manual).
Upguard have published a list of companies they say are impacted by the CrowdStrike 'Global IT Outage', based on public reporting.
https://www.upguard.com/crowdstrike-outage
Edit: obviously it’s missing most companies as most companies aren’t disclosing publicly.
If anybody wonders what the file that took down 8.5 million Windows systems looks like.. it was 41kb in size. The only validity checking I can see CrowdStrike driver does is to check the first few bytes match the pattern seen in the screenshot before loading and executing.
The US Department of Transport has opened an investigation into Delta over the disruption related to CrowdStrike incident.
Good luck to the CrowdStrike account manager for Delta.
The initial Post Incident Review is out from CrowdStrike. It’s good and really honest.
There’s some wordsmithing (eg channel updates aren’t code - their parameters control code).
The key take away - channel updates are currently deployed globally, instantly. They plan to change this at a later date to operate in waves. This is smart (and what Microsoft do for similar EPP updates).
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
By ‘this is smart’ I mean ‘this is smart… now’. Obviously they shouldn’t have been globally, simultaneously deploying kernel driver parameter changes across all customers: it was waiting to go wrong.
They still are btw, as it will take a while to engineer the correct way of doing it.
On insurance and CrowdStrike, Parametrix claim amongst just the Fortune 500 companies, they are facing $5.4bn in losses, of which around 10% will be covered by insurance.
https://www.theguardian.com/technology/article/2024/jul/24/crowdstrike-outage-companies-cost
CrowdStrike have won this year's Pwnie Award for Epic Fail, which will please @qwertyoruiop.
If you want to know something crazy:
- This year TCS migrated their EDR to CrowdStrike
- Then they announced a strategic partnership with CrowdStrike
- Then they lost all their systems
- They’re just finishing recovery today, 6 days in
- Then they got a $10 Uber Eats voucher
- …which got cancelled due to Uber flagging CrowdStrike’s account as fraudulent
Questions for your EDR providers (do not assume they are experts in availability):
- What are your different update processes?
- How do you test them?
- Do you dogfood test them?
- Do you roll them out in waves? What are the details, eg what percentages and when?
- Do you monitor failures and roll back?
CrowdStrike staff members are selling CrowdStrike monopoly sets they were given on eBay.
CrowdStrike filed at 8-K with the SEC on July 22nd for a cybersecurity incident. https://www.board-cybersecurity.com/incidents/tracker/20240722-crowdstrike-holdings-inc-cybersecurity-incident/
Almost a week in, CrowdStrike say 97% of devices are back online. https://www.axios.com/2024/07/25/crowdstrike-97-percent-systems-online
Microsoft are talking about changes to Windows after the CrowdStrike incident. Good.
https://www.theverge.com/2024/7/26/24206719/microsoft-windows-changes-crowdstrike-kernel-driver
There’s a really good discussion on @riskybusiness’s YouTube show about the CrowdStrike incident.
About the 3 minute mark @alex made me realise I was far too kind to CrowdStrike. He rightly rips them apart.
Delta are looking to sue CrowdStrike and Microsoft. HT @hrbrmstr
Re the Delta case - the lawyer they’ve hired successfully sued Microsoft previously on behalf of the US government, and the decision was upheld on appeal too. The ruling almost lead to the breaking up of Microsoft.
The following US government backed out of the case.
Bill Gates said at the time the lawyer was “out to destroy Microsoft”.
So there’s a chance here the CrowdStrike incident may end up having implications across vendor industry around warranties etc, we’ll see.
Replacing an XDR platform at scale takes some time, so if you’re wondering what the translation of Elon’s tweet about Crowdstrike is:
Elon: can we replace Crowdstrike?
Somebody: yes, we’ll begin looking into it but..
Elon: job done
Of course.. given how the Twitter takeover happened maybe he just got them to uninstall it and #yolosec
Delta’s CEO has confirmed they plan to take legal action against CrowdStrike after incurring a $500m loss
6 minute video interview: https://www.cnbc.com/2024/07/31/delta-ceo-crowdstrike-microsoft-outage-cost-the-airline-500-million.html
CrowdStrike made a net loss of $845m between 2018 until this year, and has taken on $743m of debt during this period.
Spirit Airlines in the US anticipates a $7.2 million hit to its third-quarter operating income due to operational disruptions caused by the CrowdStrike incident, which forced the carrier to cancel 470 flights.
Here's the Delta boss on his thoughts about the CrowdStrike incident.
They had 40k Windows Server boxes alone, all with BitLocker full disk encryption enabled, all of which wouldn't boot and weren't fixable without manually unlocking BitLocker. That had gone all in with CrowdStrike + Microsoft's most premium offerings.
He has a really good point about how tech companies have become obsessed with growth as their only metric of success, and customer satisfaction is not on the radar.
There's a really mad moment in that interview where they ask them what assistance CrowdStrike have offered, and he essentially says nothing, not even a lunch voucher.
What a time to be alive.
CrowdStrike complained to Cloudflare about a CrowdStrike parody site… and Cloudflare took it down. Without a court order. https://clownstrike.lol/crowdmad/
Cloudflare recently announced they have become a strategic partner with CrowdStrike: https://www.cloudflare.com/en-gb/press-releases/2024/crowdstrike-and-cloudflare-announce-expanded-strategic-partnership-to-secure/
Additionally to loop this in, CrowdStrike submitted a takedown for a parody label (they’ve since rescinded it after being called out).
We’ve reached the part of the brand cycle where people are using CrowdStrike as an excuse https://www.theverge.com/2024/8/2/24212298/mrbeast-beast-games-crowdstrike
360 takes a look at the Crowdstrike kernel drivers - finds they implement an eBPF like system, contain a wide attack surface, don’t check validity of update files (eg no signing of updates) and claim they contain conditions for LPE and RCE vulnerabilities. https://mp.weixin.qq.com/s/uD7mhzyRSX1dTW-TMg4UhQ
Before people write this off as ‘the Chinese’, I’ll give you a hint: there really, really should be security research about the security of security products across all vendors. I’ve seen things.
Previously on Crowdstrike Falcon vulnerability research, check out this timeline where they tried to use NDAs to avoid disclosure, then fixed it without telling anybody. https://modzero.com/modlog/archives/2022/08/22/ridiculous_vulnerability_disclosure_process_with_crowdstrike_falcon_sensor/index.html
EFF are calling for antitrust action after the CrowdStrike incident https://www.eff.org/deeplinks/2024/07/crowdstrike-antitrust-and-digital-monoculture
Bloomberg report a vast majority of the CrowdStrike losses reported by customers will be judged by insurance as not covered by policies. https://www.bloomberg.com/news/articles/2024-08-02/billions-in-damages-from-crowdstrike-outage-to-go-uninsured
CrowdStrike are publicly threatening their customer, Delta. https://www.theverge.com/2024/8/5/24213521/crowdstrike-refutes-blame-delta-outage-litigation
I've written up a bit about CrowdStrike's latest bold strategy.
Microsoft have now queued up to try publicly throw their customer under the bus, claiming (without evidence) Delta’s CrowdStrike woes were due to non-Windows systems. The CrowdStrike issue only impacted Windows systems so I hope somebody at Microsoft knows what they are doing.
https://www.theverge.com/2024/8/6/24214371/microsoft-delta-letter-crowdstrike-response-comments
If anybody wants the subtext of what is happening here, CrowdStrike and Microsoft both really do not want to get sued by Delta and have it go to court as it would potentially be explosive for both orgs and the wider security industry.
The customers are always plebs to be milked, as is status quo.
CrowdStrike incident root cause analysis is out.
Overall, good… but.
It is very verbose but doesn’t say much. Some of the wording will confuse people - eg it talks about rings (waves) in a way which makes you think it is already implemented. It isn’t. They’re saying they plan to implement it later.
Channel updates weren’t tested on a real Windows PC prior to deployment, they relied on automated bespoke code testing. They don’t mention that and it’s the real reason.
Risky Business take on CrowdStrike root cause report is good.
You can see the confusion the report provides in this discussion I think, eg some of the things are talked about as being implemented - but they’re down as findings for improvement. It’s the way the report is worded, to make you believe certain things existed.. that don’t yet.
Really good piece about CrowdStrike (technically CSC) misusing DMCA takedown notices over trademark disputes.
CrowdStrike probably want to have a word with CSC about this and Cloudflare should tighten process as DMCA isn’t supposed to be used for this. I know CSC do it.. but they shouldn’t be.
Wider point: cyber industry abusing process in takedowns.
CrowdStrike have responded to two claimed vulnerabilities in CrowdStrike Falcon, including one made by a former staff member: https://www.crowdstrike.com/blog/tech-analysis-addressing-claims-about-falcon-sensor-vulnerability/
There may be more to come on this one..
CrowdStrike vs Delta vs Microsoft continues to play out in public, now with SEC filings
@GossiTheDog their Desaster PR is the next PR Desaster 
Also, what are they actually complaining? Delta is pursuing claims, right? So ultimately, it's in the courts anyways, which have to be considered "just". So CS is pro-actively trying to bully Delta from having the law clarify what they are owed?
@DJGummikuh @GossiTheDog I mean, it's probably a life or death situation for the company, not surprised they push that :D
@sheogorath @GossiTheDog well yeah but if they are as contractually solid as they seem, they wouldn't need to huff and puff. In either case, it makes them seem desperate rather than confident
@DJGummikuh @GossiTheDog Not completely sure, if they get 100s of court cases, maybe they'll face problems with hiring enough lawyers?
@GossiTheDog This is starting to be very yummy. 
@GossiTheDog Probably just postering on both sides to try to force a deal somehow. Doesn’t mean we can’t get a bit of popcorn and enjoy the show though 
@GossiTheDog fetching the popcorn is still too soon?
@GossiTheDog I'm wondering who the target audience for the reminder that their liability is limited is.
I would say it's for their shareholders.
The same way Delta's CEO was pretty clear he was forced by his own shareholders in suing Crowdstrike.
I mean, Crowdstrike's terms of service were pretty clear that operating a plane company was incompatible and not recommended for their products...
@GossiTheDog And Delta's CEO asking why this interruption is Windows only shows he should find ways to mitigate this risk. He's shooting in his own foot.
By his own public admission, a responsible company would not / should not be using Windows computers for critical operations.
@enthraxxx @GossiTheDog Terms of service that say “don’t use for anything important” are not particularly reassuring.
@GossiTheDog you have what I assume is a typo in the article's lead off - "In July, CrownStrike caused a global IT"
@GossiTheDog If I needed yet another reason to hate Cloudflare…
@GossiTheDog you would think their legal team have better things to do right now
@GossiTheDog
Interesting that they have self-insight enough to realize they can easily be mistaken for a prank site.
They should obviously sue copy-cats.
@GossiTheDog If the First Rule of Holes is "Stop Digging", the Second Rule should be "stop, look around, and think about what your predicament looks like to the regulators standing at the top of the hole".
You're gonna need to call them and ask them to toss down a rope eventually. Might as well make that call while they're still laughing.
(to be clear: unless they're performong surgery at their offices, I don't think I have any regulatory authority here)
@GossiTheDog If they’ve lost $845m over the past 6 years, *and* have taken on a similar magnitude of debt, how were they a viable business even before this? And how can they possibly survive the massive lawsuits to come (even if they will the legal bills will be huge)?
@GossiTheDog alternatively titled “When you feel the need to raise the stakes after sending a $10 Uber voucher”
Comparing them to clowns might be going too far.
Clowns are hardworking professionals who take their craft very seriously. Comedy is a serious business 
@GossiTheDog I wonder if it came to that if https://support.microsoft.com/en-us/windows/protect-yourself-from-tech-support-scams-2ebf91bd-f94c-2a8a-e541-f5c800d18435 would be introduced as evidence
"Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to provide technical support to fix your computer. If you didn't ask us to, we won't call you to offer support."
@GossiTheDog IANAL, but with the antitrust ruling against Google this week, the heat is especially on in avoiding court and any legal questions about monopolies and widespread global impacts
@kamenrunner @GossiTheDog They are terrified that a US court will rule that the software industry approach to quality of "no care protected by unlimited disclaimer of warranty" will break down. And it should.
@GossiTheDog brave strategy as EDR costs in an org budget is insignificant (relative to other parts)
However this shitty attitude now generates an incentive not to allocate it to Crowdstrike.
@GossiTheDog I was involved in another issue where an organization wanted to sue a couple of people for fraud. Their lawyers told them, "Well, the problem here is that your bookkeeping practices and approvals showed you knew exactly what was happening, so you would be held liable as well."
That' is what would happen with Delta if they sued. Theyr own negligence contributed to the scale of the problem, after others had resolved it.
@GossiTheDog Microsoft killed the Action Pack. That was the last straw. We ride at dawn.
@GossiTheDog I suppose this is a somewhat general cautionary tale about "don‘t get smart with your testing".
@GossiTheDog Like most modern day corpo comms, the Crowdstrike "root cause analysis" was about 95% buzzword enhanced meat filling and 5% actual content. That's also on par with the food content percentages in a modern day "taco" from Taco Bell.
@GossiTheDog one things I also noticed is they dont mention a more general reliable improvement, like what happens when the next horrible update happens and the agent crashes, how to allow recovery from that?
@GossiTheDog Also: sanitize your inputs
@sigi714 @GossiTheDog I think the problem was precisely on a change in their "input sanitizer" which made them check for more input than usual (I'm probably saying this wrong anyway)
@pedroperez @GossiTheDog@cyberplace.socil Seems correct:
"[…] the mismatch between the 21 inputs validated by the Content Validator versus the 20 provided to the Content Interpreter […]"
Sanitizing wrong still isn't sanitizing ;)
@GossiTheDog always have a test roll and rollback plan
(D.Burch) 
@GossiTheDog I wonder how the whole Microsoft 
CrowdStrike Delta throwdown will play out?
@GossiTheDog I think its summary is "our tests design sucks".
@GossiTheDog But only mentioning a single test that failed to catch this makes it easier to blame only one person at the end of the food chain, while it’s in fact a matter of management, not to have integration and end-to-end testing.
@GossiTheDog Love how they shoehorned "AI" into the report as well as still kinda lauding their product...I struggled to continue reading after that first paragraph...ugh 
@GossiTheDog The report is intended to divert the attention towards some topics and away from other topics.
There are still gaping holes in the explanation you could smuggle several Kaijus through.
E.g. did the file ever get tested in a complete environment?
I could easily write down several of such questions they don't want to answer.
@GossiTheDog 
the internet will internet. Unbelievable how many PR people still don't understand the streisand effect.k
@GossiTheDog I love how so many of us have said "I didn't know that parody site existed until I saw the news about the DMCA"
Have CSC never heard of the Streisand Effect?
@GossiTheDog I've read one of the reports they are talking about. I didn't post about it here, because I found its arguments tenuous at best, although I could have misunderstood them, given that I can't read Chinese and automatic translation usually makes a mess of it.
However, there are places in CrowdStrike's refutation of it that make me go "Hmmm".
@GossiTheDog 1) Certificate pinning will ensure integrity of the delivered content but would do nothing to preserve this integrity of the content once stored on the disk. So, yeah, a MitM attach might not be possible but it's a bit disingenuous to talk about it in the same breadth while "refuting" that the downloaded files can be tampered with on the disk.
@GossiTheDog 2) "A malicious network proxy might block traffic destined for CrowdStrike servers" - no, schmucks, if you respect the proxy settings, a malicious proxy CAN block traffic to and from CrowdStrike's servers.
@GossiTheDog 3) Checksum validation helps ensuring the integrity of the delivered content but is not robust enough to ensure the integrity of the content already delivered, because whoever modifies it on the disk, can modify the checksum too, despite the handwavy "it's stored in a secure location". Like, where? Surely not in the TPM?
@GossiTheDog 4) Yeah, bypassing the ACLs would require that the attacker gains admin rights first - but how many users run with admin rights and isn't the proper question to ask "what harm can the attacker do to and with our product if he gains such rights"?
@GossiTheDog 5) The question of whether the regular expressions that CrowdStrike's product uses are Turing-complete or not is tenuous at best. We'd need to know exactly what kind of pattern matching they use. Standard regexes are indeed not Turing-complete, see
https://www.perlmonks.org/?node_id=809842
But once you get to context-free grammars and higher in the Chomsky hierarchy, things start getting dicer... Anyway, I can't answer this question authoritatively without more information about their searching language.
@GossiTheDog 6) Even assuming a very simple pattern matching language, we have to ask ourselves "what damage can the attacker cause if he can control the pattern?". Is CrowdStrike's product detection-only - or does it try to do any kind of removal/quarantine/etc.?
Surely you wouldn't want the attacker to supply a search pattern that would result in the removal of the contents of the Windows System32 directory?
@GossiTheDog Anyway. My point isn't that their product is vulnerable - my point is that their refutation of some of the points raised by the researchers is tenuous in some places and I would have preferred a better and more clear wording.
@GossiTheDog
They have the benefit of the doubt until a wild PoC appears
@GossiTheDog
The did deliver. On a Friday. They didn't delay the update to test it or other such nonsense. They delivered.
@GossiTheDog I mean technically they were true to their word; they promised to be a "provider that delivers without compromise" and they sure didn't compromise on delivering their borked update to a global fleet of devices 