China state hackers infected 20,000 Fortinet VPNs, Dutch spy service says

What is it with these black box edge and VPN devices touted as a security measure, with obscure OS and software and obscure configurations, using nothing more than the smoke and mirrors of security by the aforementioned obscurity, being so popular??
The c suits who buy these things are part of the problem. The shysters these people use to sell the damned snake oil are a bigger part!
</rant>

[Edit] And reading up on these shits, they are not above stealing from others to develop their product line and line their pockets (infringing copyrights by breaching the licensing terms of others' licensed software). Assholes like this don't give a crap about others, clearly.
 
Upvote
31 (41 / -10)

kaibelf

Ars Tribunus Militum
1,699
Subscriptor
There really needs to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.

As long as it’s criminal for the execs and others who participate, and civil against the company. Leave the personal civil liability to the most ravenous piranhas of all: the shareholders.
 
Upvote
11 (15 / -4)

IrishMonkee

Ars Scholae Palatinae
1,260
Does it seem like Fortinet has had more than its share of missteps? They’ve had a bunch of bad bugs exploited, and reporting seems to be an issue. Has anyone run any numbers on >9.0 vulnerabilities, reporting time, and number of installed units?
Missteps... More like don't give 2 fucks until the money train stops rolling in. Had to use them when corp had no fucking WAH plan a few years back and threw that shit show together. Spent more time troubleshooting their disaster of a VPN than actually using it. Glad someone sitting back in the C suite had 2 working brain cells and made the decision to pull that shit from use... probably saw all the OT costs and shit their pants worrying about how it would affect their bonuses. Well, that and all the vulnerabilities it had coming to light.
 
Upvote
12 (16 / -4)
There really needs to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.

90% of their personal wealth will still leave them better off than most of us will ever get.

What we need is mandatory minimum periods of imprisonment for members of the C suite when this happens.
 
Upvote
42 (42 / 0)

jdmp10

Smack-Fu Master, in training
18
I thought Scandinavian-based companies were more trustworthy when it comes to security. I know the Swiss are held in higher regard when it comes to cyber security, but the Scandinavians generally are too.

We have a few clients that use Fortinet firewalls and VPN clients. I'll let our network engineer worry about it lol.
 
Upvote
-16 (0 / -16)

bruce.desertrat

Wise, Aged Ars Veteran
123
There really needs to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.
Take everything, put their asses in jail. The damage done by this is enormous.
 
Upvote
2 (5 / -3)

ERIFNOMI

Ars Tribunus Angusticlavius
13,414
Subscriptor++
I thought Scandinavian-based companies were more trustworthy when it comes to security. I know the Swiss are held in higher regard when it comes to cyber security, but the Scandinavians generally are too.

We have a few clients that use Fortinet firewalls and VPN clients. I'll let our network engineer worry about it lol.
Security? I don't know that they have that reputation. Privacy, maybe.
 
Upvote
4 (5 / -1)

ergosteur

Seniorius Lurkius
3
The culture at Fortinet is downright shameful for a "security" company. Not disclosing a vulnerability, intentionally hiding it. They dabble in too many different product lines to focus where they really should, on security.

In my experience their strategy is to woo the C-suite with meaningless impressive-sounding statistics and fearmongering, then dump all the FortiShovelware they can manage within budget.
 
Upvote
18 (19 / -1)
My company has been pushing Fortinet pretty hard, over Cisco as well, as there does frequently seem to be more device flexibility comparatively in at least some specific comparisons. Hard sell sometimes, as many places have just been Cisco in house for years and it's what they know.

I've not been a fan of Fortinet as a non-business potential client on two separate occasions, in part because of their sales model. Maybe it was bad timing, but multiple sales people could not answer basic questions about what packages were available for a specific device at a specific tier. It took weeks to get someone in engineering who could confirm information. At that point, a year or two ago over a 6 month period, they had done another shift of the tier system as well, so had different information in multiple places being passed around by different sales reps. On top of that, independent sales contractors had differing policies, in many cases with additional contract pages making it seem as if you were obligated to sign up for some services that absolutely weren't necessary, but Fortinet doesn't track, govern, or care about that happening, regardless of the customer's experience. Reporting things like that did absolutely nothing.

So, none of that is about this particular issue, but it's really all in combination to say that I honestly don't know what's better, at least for a home business user working in another country much more friendly with China, where I absolutely need to securely isolate my work machines from personal machines. What alternatives to Fortinet are there for, ideally, between $500-$1500 comparatively, where I can make a confident decision and know my system really is secure? Does such a thing exist, or are there honestly valid solutions/alternatives to Fortinet we can bank on? Anyone that hasn't suffered a reported breach of some sort for the last, say, 5 years?

What's the solid spot? Is there one?
 
Upvote
29 (29 / 0)

darkestkhan

Wise, Aged Ars Veteran
192
There really needs to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.

I agree. It's damn time they started facing consequences of their own greed. There is one more group that needs to be flogged. Shareholders. It's time that limited liability stopped meaning no liability.
 
Upvote
6 (9 / -3)

leighno5

Smack-Fu Master, in training
69
Subscriptor
THIS is what’s really outrageous:
They have also declined to disclose what the company policy is for the disclosure of security vulnerabilities.
That’s beyond ridiculous. That right there is enough to make me very seriously doubt ever putting trust in them. You’re in the security business and you can’t even articulate how you communicate security vulnerabilities to your customers? What?
 
Upvote
54 (55 / -1)

aussiedaz

Smack-Fu Master, in training
81
Subscriptor
There really needs to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.
While I completely agree with you, if it's not going to happen when Boeing kills hundreds of people, it's definitely not going to happen because of a security flaw in software.
 
Upvote
22 (23 / -1)

Nyx

Ars Tribunus Militum
1,966
Honest question I have following the concerning mass of articles about Russian and Chinese state sponsored attacks... Are we doing the same to them?
Different sorts of targets: democratic governments are defensive in nature, mostly targeting military & infrastructure targets, whereas the CCP goes after corporate targets, trying to get their intellectual property. Putinstanis seem to be low-key outside of propaganda / blackmailable targets.
 
Upvote
1 (5 / -4)
There really needs to be some legal consequences when the C suite decides to hide shit from their customers and the government. I'm leaning towards public flogging and forfeiture of 90% of their personal wealth.
Good luck. Because companies lobby their politicians to protect them from lawsuits with laws and EULAs. While I agree that if, say, credit card companies were personally liable for theft, you bet a system would be in place to stop theft of credit and abuse. But it's all a loss and thus, a write off. Same with this, as some firm will spin up some insurance policy for breaches of product and, yes, they can get sued, but then the class action lawyers will take most of that amount.

I blame the idea of short term...everything! Software is "get it out the door and patch it later", hardware is "get it out the door and sell them a new revision with fixes while we layoff the engineers and outsource"...
 
Upvote
3 (3 / 0)

Synsynack

Seniorius Lurkius
24
Upvote
12 (12 / 0)
Does it seem like Fortinet has had more than its share of missteps? They’ve had a bunch of bad bugs exploited, and reporting seems to be an issue. Has anyone run any numbers on >9.0 vulnerabilities, reporting time, and number of installed units?
You should have a look at their VPN client software for Linux. Or rather, don't look at it. It sucks bollocks, and will fail/crash/screw up your system depending on such fun factors as having a mixed IPv4/IPv6 network, client system configuration, server system configuration, hardware configuration, etc. It has a list of issues going back years, including features being advertised as working that, in fact, don't work at all, with complaints all over the internet and zero consistently working solutions.
The Windows version is barely better, but at least it won't fail randomly because the VPN client install decided to call it quits, because its software update feature removes only part of the previous install instead of all of it, resulting in a broken install (also, the configuration removal option doesn't remove the config files on Linux).
 
Upvote
7 (7 / 0)
The culture at Fortinet is downright shameful for a "security" company. Not disclosing a vulnerability, intentionally hiding it. They dabble in too many different product lines to focus where they really should, on security.
Yup. Their reaction to serious flaws in their VPN client software being disclosed? Hide all previous versions behind a paywall. And since new versions tend to be deployed without proper testing, you'd better happen to still have the previous installer for a reinstall of a working version, because otherwise you end up with a broken client and lots of privacy (due to no VPN, obviously).
 
Upvote
1 (1 / 0)

l8gravely

Ars Scholae Palatinae
617
Subscriptor++
What I find interesting is that doing a re-install of the firmware does NOT wipe this out, which makes it seriously hard for someone to know that their patches have done anything to fix it. If you're one of the 20,000, and you now upgrade, how do you know for sure that you've gotten rid of this thing?

This is not a Fortinet rant, it's a systems and hardware rant. Are they able to put a bootloader into the low level BIOS of the system boards? Have the hackers figured out a way to seriously infect the hardware to the point that it's seriously hard to get them out?

What is the underlying architecture of Fortinet? Obviously their hardware is probably based on Intel processors, and somehow they've managed to find some way of getting in deep. So how do regular end users fix this?

And is it time to get rid of all the point and click management GUIs on these devices and instead go to a model where you compile and ship the configuration to the device, so that the VPN device itself has a much smaller attack surface? And where you can actually view the rules/configuration being sent to the device? Having a device do just one thing and one thing well is the way to do better security. Layering extra stuff on top (or to the side) is just asking for trouble. But it is also a business case where 50% of your users use the same features, but then random clumps of other users want features a, b, c, d, e, etc. in varying levels. It's hell.
 
Upvote
8 (10 / -2)

Demani

Ars Praefectus
5,330
Subscriptor++
I will also say this is why I wish there were required options for providing the ability to load your own firmware on a device. The hardware they sell seems pretty good, but they have support policies I don’t like and when something like this happens I’d at least like the ability to put something open source on it (which may be vulnerable, but at least those things seem to get prompt announcements when discovered).
 
Upvote
3 (4 / -1)

Hiki

Smack-Fu Master, in training
52
Subscriptor++
Honest question I have following the concerning mass of articles about Russian and Chinese state sponsored attacks... Are we doing the same to them?
We, the US/UK, do it to Europe, more specifically Brussels and Angela Merkel. So most likely they do it to them as well.
 
Upvote
5 (5 / 0)

pseudonymouscoward

Smack-Fu Master, in training
86
I agree. It's damn time they started facing consequences of their own greed. There is one more group that needs to be flogged. Shareholders. It's time that limited liability stopped meaning no liability.
Sorry, but shareholders have no knowledge and very little say over the policies within ANY company, and shareholders of companies listed on non-US exchanges have even less information than shareholders in companies subject to SEC regulation, such as it is. Just curious... are you saying that all of the teachers in the California State Teachers Retirement Fund need to be held accountable? Most companies that offer retirement plans of any sort offer 401-Ks. Most 401-K plans offer only mutual funds or ETFs. Most of either aren't required to disclose their holdings more frequently than quarterly, and the report is typically delayed by more than 30 days. YOU might own Fortinet and not even know it.

Trying to save for retirement isn't greed. Greed isn't even the issue. Dishonesty is.

Having said that, Fortinet sounds like a company that people buy from OR INVEST IN at their own peril.
 
Upvote
6 (6 / 0)

pseudonymouscoward

Smack-Fu Master, in training
86
What I find interesting is that doing a re-install of the firmware does NOT wipe this out, which makes it seriously hard for someone to know that their patches have done anything to fix it. If you're one of the 20,000, and you now upgrade, how do you know for sure that you've gotten rid of this thing?

This is not a Fortinet rant, it's a systems and hardware rant. Are they able to put a bootloader into the low level BIOS of the system boards? Have the hackers figured out a way to seriously infect the hardware to the point that it's seriously hard to get them out?

What is the underlying architecture of Fortinet? Obviously their hardware is probably based on Intel processors, and somehow they've managed to find some way of getting in deep. So how do regular end users fix this?

And is it time to get rid of all the point and click management GUIs on these devices and instead go to a model where you compile and ship the configuration to the device, so that the VPN device itself has a much smaller attack surface? And where you can actually view the rules/configuration being sent to the device? Having a device do just one thing and one thing well is the way to do better security. Layering extra stuff on top (or to the side) is just asking for trouble. But it is also a business case where 50% of your users use the same features, but then random clumps of other users want features a, b, c, d, e, etc. in varying levels. It's hell.
This business case isn't uncommon. Airplane manufacturing has this attribute as well. Banking and insurance software in the US is subject to 51 sets of laws (50 state + federal). In the EU, any software to be used in multiple countries is subject to multiple sets of national laws and possibly standards, as well as EU laws and regulations. In the case of security appliances, there are probably multiple sets of national security laws that apply from countries including US, UK, Germany, Switzerland, Israel, Taiwan, Japan, S. Korea and Singapore.
 
Upvote
1 (1 / 0)