Speaking of computer security, Xfinity/Comcast didn't patch, 36 mil customer accts compromised

[thewayne]

Citrix is a major player in the computer networking equipment market. And they had a major, sorry, MAJOR software flaw back in October that was exploited bigly. They patched it and announced the patch as fast as they could, and their customers patched as fast as they could.

Which brings us to Xfinity.

From the article: "Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast didn’t patch its network until October 23, 13 days after a patch became available and five days after the report of the in-the-wild attacks exploiting it."

Ruh-roh!

Two weeks is far too long for a vulnerability that big to go unpatched. Care to guess what happened? Oh, I forgot. It was in this post's subject line.

To continue the article: "“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Comcast is still investigating precisely what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division."

Yeah. Free credit monitoring? Thoughts and prayers? There needs to be some executive job loss and demotions. But as this is Comcast, nothing will change.

Completely inexcusable.

Back in the '90s, when the I Love You email virus hit, I learned about it at about 7:15 or so in the morning. We literally unplugged our firewall from the internet as there was no patch for it at the moment. And we had no problems. You can't let shit like this go unchecked, or things like this happen.

https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/

Comments

[elayna]

I worked for a state agency in the 90s and the I Love You virus went on for *days,* it was horrible. They got it cleaned up and then apparently someone came back from vacation, it was still in their inbox and they started it going again, it was such a nightmare. I’m impressed you guys knocked it out right away.

[thewayne]

I was working for the police dept at the time on a 7-5 shift, and every morning the first thing that I did was fire up Slashdot.  And it was the #1 story of the day.  As soon as I saw what was going on, I went to our network guy's office, showed him the story, and we went into the server room and pulled the plug on the firewall and disconnected us from the city network and the entire outside world.  Apparently no one in the city IT dept had similar habits and they got hammered hard.  We had a couple of people who opened it, but for some reason it never spread and we never had any late infections pop up.  We got really lucky.

[silveradept]

Oh, that's inexcusable. Company-destroying, fines-to-the-point-of-bankruptcy inexcusable. They won't get hurt that much, because they can buy off whomever they need to, but someone should put an exclamation point on that so that everyone else is frightened into doing the right thing immediately.

[thewayne]

Now, this is what gets me.  You probably read my post about Binance getting fined literally BILLIONS of dollars.  Granted, they broke actual FTC rules if not laws.  Now here Comcast/Xfinity didn't break laws, but as another article that I read it looks like pretty much their ENTIRE user base got leaked!  And they'll get fined probably what, tens of millions?  That's what, maybe half a day's profit?  Fine 'em a billion dollars and see if that'll wake 'em up.  It would be nice to see them burned to the ground in fines, but that's not going to happen: the Feds and Congress are too captured by corporate lobbyists.

[silveradept]

That is genuinely one of the problems that we have in enforcement of the rules: it's impossible for any creatures of a certain size to be knocked down and destroyed fully, because they have a phylactery in bought regulators and Congresscritters.

Fine them multiple years' profits and see if they are that callous again.

[thewayne]

You hear about these big corps being fined 'tens of millions of dollars!' and the CEO holds his breath for ten seconds while looking at his watch and says 'Well, that's over!'  I say fine 'em like 5% of their GROSS for the year and see how they like that!  Their stock holders might be asking for better governance within the org at that point and be wanting to know why crap like this happens.

[disneydream06]

WOWZA!!!!!!!!!!
Talk about epic failure. :o :o :o
Hugs, jon

[thewayne]

Comcast is notorious as a very poor company when it comes to customer service.  They're just there to rake in the bucks.

[disneydream06]

It's sad that most companies are heading that way. :(

[kellan_the_tabby]

ooooookay, when I, with my tiny lil website & weensy lil customer base, with an IT department that consists of me, do a better job of keeping up with this kinda stuff than FUCKING.

COMCAST.

... there's a PROBLEM.

[thewayne]

Comcast has been a 'We don't care, we don't have to' ISP for a very long time.  I can't say that I'm terribly surprised by this.