25
Nov 15

Breach at IT Automation Firm LANDESK

LANDESK, a company that sells software to help organizations securely and remotely manage their fleets of desktop computers, servers and mobile devices, alerted employees last week that a data breach may have exposed their personal information. But LANDESK employees contacted by this author say the breach may go far deeper for the company and its customers.

landeskThe South Jordan, Utah-based LANDESK makes and markets software that helps organizations manage all users, platforms and devices from a single digital dashboard. The company’s software specializes in automating and integrating IT systems management, endpoint security management, service management, IT asset management, and mobile device management.

On Nov. 18, 2015, LANDESK sent a letter to current and former employees warning of an intrusion, stating that “it is possible that, through this compromise, hackers obtained personal information, including names and Social Security numbers, of some LANDESK employees and former Wavelink employees.”

LANDESK declined to answer questions for this story. But the company did share a written statement that mirrors much of the text in the letter sent to affected employees:

“We recently became aware of some unusual activity on our systems and immediately initiated safeguards as a precaution and began an investigation. As part of our ongoing investigation in partnership with a leading computer forensics firm, we recently learned that a small amount of personally identifiable information for a limited number of our employees may have been accessible during the breach. While no data compromises of personally identifiable information are confirmed at this point, we have reached out with information and security resources to individuals who may have been affected. The security of our networks is our top priority and we are acting accordingly.”

“The few employees who may have been affected were notified promptly, and at this point the impact appears to be quite small.”

According to a LANDESK employee who spoke on condition of anonymity, the breach was discovered quite recently, but system logs show the attackers first broke into LANDESK’s network 17 months ago, in June 2014.

The employee, we’ll call him “John,” said the company only noticed the intrusion when several co-workers started complaining of slow Internet speeds. A LANDESK software developer later found that someone in the IT department had been logging into his build server, so he asked them about it. The IT department said it knew nothing of the issue.

John said further investigation showed that the attackers were able to compromise the passwords of the global IT director in Utah and another domain administrator from China.

“LANDESK has found remnants of text files with lists of source code and build servers that the attackers compiled,” John said. “They know for a fact that the attackers have been slowly [archiving] data from the build and source code servers, uploading it to LANDESK’s web servers, and downloading it.”

The implications are potentially far reaching. This breach happened more than a year and a half ago, during which time several versions and fixes of LANDESK software have been released. LANDESK has thousands of customers in all areas of commerce. By compromising LANDESK and embedding a back door directly in their source code, the attackers could have access to large number of computers and servers worldwide.

The wholesale theft of LANDESK source code also could make it easier for malware and exploit developers to find security vulnerabilities in the company’s software.

A LANDESK spokesperson would neither confirm nor deny the date of the breach or the source code theft, saying only that the investigation into the breach is ongoing and that the company “won’t comment on speculation.”

Update, 6:51 p.m. ET: Landesk just posted a statement on its support site. The relevant bit is here: “Given the recent online speculation about the security of our product, we want to reassure you about the security of our products and provide some best practices to help you increase your security posture if needed.  We can’t comment on the specifics of the investigation, but based on the information we know so far, we have not confirmed a risk to our customers’ environments, and there are no known primary attack vectors using LANDESK software.”

Tags: ,

61 comments

  1. This seems likely to turn out to be a case of garden variety industrial espionage, carried out by one of their competitors.

    • Regardless of the cause(s) – security, and ultimately management. is responsible.

    • By one of their competitors? Extremely doubtful. By a state-sponsored group looking for a new and incredibly powerful attack vector? Extremely likely.

      If you find a vulnerability in Landesk’s source code, you could push malicious code to any workstation in a corporate network using Landesk that you wanted.

      • Think about if a defense contractor or 2… or 3 manage their software via landesk and some Iranian hackers figure out how to push malware out to landesk clients. I’m already probably in the OPM breach, I’d prefer it if they didn’t own a company like Lockheed too

        • Funny you mention Lockheed, because the Lockheed breach is actually a perfect analog to this one. They first breached RSA in order to get information needed to successfully bypass Lockheed’s use of RSA tokens.

        • Why “Iranian”? Why not Chinese, or Russian, etc?

    • Seems like high-risk/low-reward for corporate espionage. Back door into customer systems isn’t very useful for competitor, and it’s not like LANDESK has some secret techniques which no one else can duplicate, so not that much to gain. And getting criminal/civil penalties for busted are high risk for any competitor.

      Risk/reward ratio is reversed for a black-hats. Back door is hugely useful to enable other illegal acts while risk/consequence of getting caught is much lower for low-profile non-US hackers.

      • You’re *assuming* they’re looking for or planted a backdoor into customer systems, which appears to be pure speculation at this point. The known facts are, someone broke into a software company’s systems and copied their code repository. There are plenty of reasons for a software company to want a peek at a competitor’s source code.

  2. Shades of The Cuckoo’s Egg.

  3. Considering their management software deployment includes a Windows rootkit-like agent, this could be a Very Bad Thing.

  4. we looked at this suite a few years ago, way too clunky for our environment needs.

    So we went with Dell KACE instead.

    best decision ever.

    wasn’t it last year at this time SONY got whacked.

    oh well. so much for security.

    ¯\_(ツ)_/¯

  5. Rusty Shackleford

    “The Cuckoo’s Egg” indeed. I hadn’t thought of it, but the parallels between this and the many recent similar breaches are all reminiscent of Cliff Stoll’s experience. Sadly, we seem to have learned little in all that time.

  6. Not only the servers and workstations – what about the trouble call logs? It can reveal alot of data about who is having issues, and what type of issue.

    If the tickets can be viewed proprietary info can be exposed, also personal info included in each ticket and the list of possibilities go on.

    It be interesting to see if the Feds or a 3rd party cyber security company can find some new / variant malware that’s now imbeded on everything that loaded the software or RDP’ed into a clients machine.

    =\

  7. @Rusty Shackleford

    What, Russians paying German “hackers” to try default passwords against computers that only have user/passwords to track accounting in a time when security was barely considered in the hope of finding sensitive documents?

    Personally, I’m struggling to see the parallels. It all looks thoroughly modern to me.

    • Data was slowly transferred out, although, that was mostly due to link count/latency and the hacker being a small team individually collecting targets.

      The attacks on passwords aren’t really very different today than they were then. Downloading a password database or running a cracking tool.

  8. I wish firms would cease using the word, “hackers,” as a synonym for criminal. Maybe they should use the word criminal, ad it is more elucidating.

    • The people I used to run with called them “crackers”, but I guess that is just me now – everyone has given up on the popular expression.

      • It got meme’d to death: Crackers – we prefer to be called white folk.
        It was fitting though. Now we should just call them criminals.

        Hacker = anyone that makes something do what it was not designed to. Like hacking a toaster to burn jesus onto bread.

        • Or make an iPhone run the code the owner wants it to run, instead of the code that Apple deigns to allow it to run. First sale doctrine, what’s that?!

    • aww geez not this sh*t again

    • Brian likes the term “miscreant.” Somehow that just doesn’t quite cover it. I like “criminal.”

  9. Brian, you didn’t say if Landesk was going to offer credit monitoring services to all their corporate customers. I think you should pose that question to them when you get a chance. That will make it all ok for them then, right? :-)

    • Steve: literally laughing out loud at credit monitoring for all the LANDesk customers and their people.

      Everything sounds more profound when said in Latin and I’m reminded of Quis custodiet ipsos custodes?

      The colloquial translation is who monitors the monitors?, a concern about proper checks and balances to avoid the accumulation of unrestrained power.

      The literal translation is Who will guard the guards themselves?, a concern about who extinguishes fire at the firehouse.

      It will not be good for a firm who sells management and security software to have been hacked for more than a year without detection. Unless they are not using their own software, which raises another eyebrow.

      Jonathan @NC3mobi

      PS: “Miscreant” is a GREAT word. It includes all people who behave badly including criminals, crooks, culprits, delinquents, evildoers, hoodlums, lawbreakers, malefactors, offenders, reprobates, villains, wrongdoers, etc.

  10. “Given the recent online speculation about the security of our product, we want to reassure you about the security of our products and provide some best practices ”

    Methinks they aren’t the best people to be providing “best practices.”

  11. Management and see level individuals should really take notice. There are consequences for replacing IT personnel with automated, remote, cloud based, never-see-anyone-but-pay-the-bill type so-called ‘services’. It is not a smart way to go when people that have direct personal interest in a company lose their job to things like LANDESK. These outside out-sourced entities do NOT have your best interest in mind. They say they do. But then, politicians always say that too.

    • Not exactly true. Humans are lest testable and trustworthy than automation. In the cloud I have forensic grade offsite logs of every single action down to individual API calls made against the service — can’t do that onsite or with humans all that easily. On top of that because our entire cloud infrastructure is controlled via APIs I can regularly run dynamic inventories of *everything* that claims to exist in my cloud footprint and then run 24×7 governance and compliance checks against every route table, network ACL, subnet role and security group to ensure that the “as-built” state matches the security requirements. Any change to any route table, ACL or security rule triggers multiple log entries and alerts to human.

      The level of infrastructure security, logging and compliance/penetration testing features I’ve got in IaaS clouds goes way beyond what people can do onsite with on-premise kit.

      My personal experience is that the IT people fighting against the cloud fall into 2 camps:

      (1) IT admins who can’t script which means in the new devOps world where scripting and automation are essential they are going to have career troubles. Sysadmins who can’t code a little bit are going to be valueless in the near future.

      (2) IT management fighting to protect their little empires of people and capEx dollars

      Best personal anecdote is visiting a datacenter for a company where the IT people claimed the cloud was too insecure for business and finding the datacenter loading dock door propped open with a stick so they could sneak out for smoke breaks.

      My $.02 of course

      • …..sounds more like an advertising spot to me.

        If your going to knowingly and willing hire smokers, then proper smoking breaks should be considered so that “sneaking” is not the way things happen.

        What your ultimately describing is interesting in that the difference comes down to level of access and level of control. If your people can’t script, then my question becomes….why are you not training them? The ability to script seems rather important to me. But then, an over abundance of political posturing gets in the way from people further up the ladder that have unrealistic expectations. This article and the problems that it describes should serve as an example. As should so many other security breaches/problems that get discussed on this site.

        • Sales-pitch vibe was unintentional. I work as an outside consultant in a niche scientific computing area and get to see the inside of a few dozen shops each year ranging from startups to giant multinationals to .edu to government. Being inside so many shops makes me a bit cynical especially when it comes to security — the truth on the ground is way different than what the suits say about their environment and capabilities.

          The politics and org charts are wildly different even in groups that have the same business goals or mission. Right now in my niche area it’s maybe a 60% mix of on-premise work and 40% that has gone to IaaS clouds.

          Good comment on training – I’ve actually been pushing hard in assessment recommendations to train up existing internal IT staff. The personal motivation is I am starting to see more and more age discrimination against older IT professionals who can’t script or get into the automation stuff. The driver I use to convince management is more competitive – they need the same skills that Google/Amazon/Apple/Twitter/Facebook are seeking and it’s hard to recruit against some of the giants and their perks. Training up the internal staff is a better route for almost all of the new skill requirements.

          • It is mildly amusing to find javascript in a webpage that will call up individual .js files that in-turn handle all the cookie scripts and what-not. Basically hiding things so that antivirus/antimalware software can’t see them and filter them out. Hiding things with code embedded in code so that no-script can’t see them to filter them out. Javascript that separates “https:” from “/suchandsuch” from “.com” and only puts them together according to a math equation.

            What is even more interesting is the javascript that hides other javascript by only rendering the code during the rendering of the page. Thereby preventing anyone or anything from ever knowing anything even happened until it is too late.

            It has been said that the best place to hide something is in plain site. What a pitty there is no right-click on eye-pads. Is this the level of coding that your after in your employees? Just curious? Would it interest you to know that this is part of how I acquire new addresses to filter out of networks that I control…..just to maintain a safe environment? Or would this ruffle to many feathers in the advertising department? Has anyone noticed the ads that Krebs puts on this site, that they are largely ‘local’ files?

            • They are almost entirely local files for a reason. Poke around the site, you’ll see comments from Brian Krebs that the only ads he allows on the site are ‘dead content’ ads, locally hosted to minimize malicious software payloads.

              Given how much malicious software is distributed through ads hosted on advertising banner services, I applaud the approach taken here.

      • Been there, seen that! Most systems and process are driven by humans, and there will always be at least one weak link. Layers and layers and layers, only protection that works, but at what cost to operational usability? And cost itself… these are businesses after all and risks will be taken if that is more cost effective.

  12. Another case of questioning the varsity of closed source. If my company were using this product I would now be asking serious questions and doing a thorough review of my security.

    If they can’t keep black hats out of their own network with their product then why should anyone trust it.

    • “If they can’t keep black hats out of their own network with their product then why should anyone trust it.” – Gary

      And there in lies the problem. This level of mentality puts many companies at risk for breaches and successful attacks. People like you Gary fail to understand that if it is man made, then it can be broken by man. Case in point is the Edward Snowden leaks of 2013 to present. The data he stole was locked up pretty tight some would say, however, he was still able to walk out the door with it. Not many companies are aware of their network security posture, and when it comes to cyber attacks we are all in a new stadium with constantly changing rules and teams. You can have the most secure house in the world such as the White House yet you still get people climbing over the fence and on one occasion made it into the white house. if you are constantly under cyber attack eventually your wall will be cracked and then the attacker(s) will have unfettered access to your network.

      • Point and point. Any outomated system still needs the watchful eyes of humans that can respond to alerts. All the “magic” software and or “black” boxes can only do what they are programed to do. Humans are still needed to understand and respond with appropriate actions, after all the black hats on the other end are humans in control of technology they use. Vigilance and that takes people.

        • One of the best comment exchanges I’ve seen on this site!
          Thanks for the affirmation of my own thoughts.

      • The best strategy is a moving strategy with internal audits and universal policy enforcement. The zombies (aka hackers, aka crackers, aka criminals) are not only trying to climb the fences they are also sitting at the dinner table, cleaning the bathrooms, emptying the trash, and checking the oil in the car.

        Change the authentication and encryption policies at random, conduct vulnerability audits on servers and vpn appliances, and hold everyone accountable, admins and executives alike. And don’t let the zombies eat your grandmother’s nest egg, she deserves the same protection and education as your ceo.

  13. Kinda shows the risk we all face running our remote management platforms in the cloud.

  14. Landesk are huge but there are plenty of competitors out there who have not been breached who will probably be willing to take on business of worried customers.
    Any breaches no matter how small are still breaches and I am sure that companies like Symantec, Lumension, Sophos, Heat Software, Kaspersky, Manage Engine etc… will be more than willing to jump on this.
    Although I know that Kaspersky were also compromised so the list is getting smaller in terms of where you lay your trust.

  15. Is there a *reason* why customers of Bell Canada now are blocked from visiting this site, with each attempt producing either no response, a nearly-blank yellow page with a red outline rectangle at the top and no text, an RST packet (often after a long delay), or a phony 504 Gateway Timeout (provably phony because *that* one often appears almost instantly, long before any reasonable timeout interval could have elapsed)?

    Because of this I am having to visit via Tor. Note that whichever Bell Canada customer abused your site and whom you are trying to keep out can circumvent your ban in the same way. So your ban is a) ineffective, as well as b) dishonest — it’d be much more respectful to serve Bell customers with a page with text on it saying “due to abuse from one Bell customer, we regret to inform you that we cannot serve Bell users at this time”, though it’d be much more respectful *still* to not punish millions (I’m not exaggerating, Bell Canada has that many users) of people because of the actions of *one* of them…

    Try a firewall rule that is narrowly specific to whatever malicious traffic it is that’s got your panties in a wad, rather than a blanket ban on an IP range used by millions of people, next time.

  16. Let’s see

  17. 17 months ago?! Talk about being asleep at the switch!

  18. One common attribute about nearly all the security breaches we read about in krebsonsecurity.com is, nobody comes clean with details. Which made me curious – What are the conditions leading to the security breakdowns for criminals and miscreants to pull off these breaches?

    And since I could find nobody to come clean with real facts, I fictionalized a realistic story based on current headlines and long, painful experience. And yeah, this is a shameless plug, but if we could persuade a few senior managers to read my new book, “Bullseye Breach,” maybe some would recognize a few of the characters in the book and maybe change their attitudes around security. And with an attitude change at the top, these breaches would stop.

    So here is the book website, http://www.bullseybreach.com. Take a look and if you like what you see, then help support an author trying to do something about the problem.

    • Greg – I’m no fan of companies that risk our data, but at the time of discovery the facts are not always known. Giving them time for analysis is reasonable. A larger question is do they EVER come clean and repair the damage done to their customers? You know, US?

      One in recent history did. The 10/14/15 disclosure of a major hiccup at RushCard was a disaster for many people on a financial edge. On 10/30 the co-founder said “we’re focused on making customers whole” and “We will make it right and go a little bit further.” see http://www.NC3.mobi/2015-summary/#20151014

      One is not enough, but it is a stellar example of intent to “make it right” sadly lacking in the “We take your security seriously” crowd.

      Jonathan @NC3mobi

  19. I’m glad RushCard did the right thing.

    I am right there with you on the “We take your security seriously” crowd. I’m amazed that CEOs still trot out that line and expect the public to believe it.

    Read “Bullseye Breach” and you’ll recognize many of the characters we see over and over again in real-life breaches.

    – Greg

  20. When I read the official response did I miss something? I never saw a specific denial that the product source code could have been exfiltrated or tampered with.

    Marketing response indeed!

  21. Reading all of the comments (really…even the sarcastic ones), I thought I would actually for once leave a comment.
    As a former employee of the referenced company that was breached, I was not notified. Yes, I am not happy and Yes I will be taking the proper steps to ensure my families PII is safe. On that note….please define safe. Or….does safe exist?
    Back to the breach. Not stepping into the jobs vs technology discussion. Most companies do not simply protect themselves from breaches as it a) costs $$, b) causes people to change and c) costs $$. The breach was found when the “internet connection was slow” – I assume due to the miscreants (I like that term…) downloading files from the referenced company’s public accessible ftp site. Putting aside what was and what was not taken (which scares the $%^& out of me!!), I am also concerned with the lack of internal security tools & policies that allowed passwords to be stolen AND used…for many months. For those that groused about LANDesk tools being used or not…..I am sure they are being used internal. But LANDesk tools are not designed or intended for this type of attack. Which brings up MANY enjoyable topics for conversation, speculation, rumors and sales FUD.
    So….Am I surprised? No, it is only a matter of time before any company is breached. I am concerned about the uncertainty of what was taken!
    In the end, all I can do (as all of us should) is to be prepared for the possible scenarios and be vigilant for MANY years….
    Like it or not, Welcome to the cloud. Now go and update your security tools!! https://www-01.ibm.com/marketing/iwm/dre/signup?source=swg-WW_Security_Organic&S_PKG=ov37658&cm_mmc=Blog_SI-_-Sec_Int-_-Organic-_-IBM-is-a-leader-again-in-2015-gartner-magic-quadrant-for-SIEM&cm_mmca1=000000MI&cm_mmca2=10000090&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US

    J

    ‘If I had asked people what they wanted, they would have said faster horses’ – Henry Ford.

    • ‘Faster horses’ is exactly what the world received.

    • Being a former employee as well, it is not surprising to hear about this in the least. While being employed their, I found it strangely odd that your lab (servers, software, etc.) was at your cubicle. You build out your own domain, DNS, etc., build what you can to best replicate potential support call. You build, not the company, your own environment to maintain, support, and use for support calls with little guidance to best practices, security or otherwise. Now, within the same workspace, one jack over, unfettered access to the Internet to do as you please on your break time, WoW anyone (the choice game to play while taking a long support call, or during your break). Many support staff, to save time, installed games and tools that were intended to be used over the unrestricted network on their support PC. This all happening with management approval (carelessness), and in most cases, doing the same thing. I can’t tell you the amount of times I observed support engineers put customers on hold, or mute, to quickly carry over a task for their online games. I find it laughable at times since changing jobs to organizations who have used, or are using, LANDesk software solutions. In telling other IT members I work(ed) with the stuff that LANDesk support was doing while “taking your call”, they took pause wondering if they had been one of those techs caught up in one of those support moments with LANDesk. Mind you, this was a perk they discussed with me during my interview phase, to have such a casual environment, free to play games at your desk, etc. Could you imagine anything going wrong?

  22. As a years long customer of LANDesk’s this doesn’t surprise me. I’ve observed their pro services consultants taking insecure actions on numerous occasions, have had to chastise them on multiple occasions for doing dumb, insecure things and reported the issues to their manager, no longer at LANDesk. The response was basically, “ok, thanks.” This incident reflects a corporate security culture problem and their current response reflects that.