Tom here from Lawrence Systems, and we're going to talk about ScreenConnect, also known as ConnectWise Control. This is a tool we've been using for a number of years. I've done a review on it; we really like the product, it's pretty solid. It was purchased by ConnectWise, and we've continued to use it after its purchase. Where the issue comes in is the security.

Now, security, as is said by many people, and anyone who works in the industry understands this: good security is a team sport. We're all on the same team. There are security researchers poking at products, and they properly go through the process to disclose those vulnerabilities. That is the case that happened with Bishop Fox. Bishop Fox said there have been a lot of attacks against MSPs; let's dig deeper into their software, take a look at it, and see if there's a flaw in the software that is being exploited. Because unfortunately, one, there's not a ton of information; two, we don't always know exactly how the bad actors got in and took over some of the MSP software.

MSP software is an excellent target because, well, our software has control of many, many things. Therefore, if you take control of the MSP's tools, it makes deploying malware, or whatever the goal of the threat actor is, very easy. These same tools that make it easy for me to patch a thousand machines make it really easy to do something else, like deploy bad tools on a thousand machines as well. That has been the case many, many times over; I've talked about it on my channel a few times.

But when Bishop Fox reached out to ConnectWise Control, the word "litigation" came up. That is where the problem is. The way the story broke was "ConnectWise Control MSP security vulnerabilities are severe, according to Bishop Fox," and there are a few cross-site scripting vulnerabilities. I'm going to leave links to all of these too so you can read through; there's an advisory summary, there are a lot of details, and what version they tested. Then, to go a step further, our friends over at Huntress Labs worked with CRN and also with ConnectWise, validating these claims that Bishop Fox, the security research company, made. And right here, "validating Bishop Fox's top-notch research": they flat out said this was some top-notch research. Huntress Labs is well respected, Bishop Fox is respected; the problem really came in with the way ConnectWise responded to this.

I didn't find out from an email from ConnectWise. I'm a paid, licensed user of their software, and my notification was, "Oh, wow, look, a news article about the tools I use having a flaw." I'll even go a step further and share the output of their ConnectWise Control update list. Nowhere in their update list does it even tell me when they fixed these vulnerabilities. Now, the good thing is they've been fixed, and we keep our systems up to date and patched, but I never got a notification of any of this. That is very bothersome to me, and I'm really hoping ConnectWise does better.

Now, the good news is they have responded, and we do have an entire letter (I'll leave a link to this as well) from the ConnectWise CEO saying that they're going to do better, saying that they're going to solve these, probably solve the vulnerabilities, and solve the way they handle it. So I hear them saying it, and this is going to come down to: we're going to have to see them doing it. I think more and more of these companies that are in the space of providing tooling for MSPs are just going to have to look at the bigger marketplace. They are maybe old-school in their thinking; I'm not sure exactly what causes them to behave the way they do, the fact that they say things like "litigation" when a security researcher is doing a vulnerability disclosure to them through proper channels. The problem is, if they don't behave, so to speak, if they keep treating security researchers like they're also the bad guys, you're going to find someone just dropping zero-days for the ha-ha's. They're going to do it for the lulz. They're just going to go, "Look at this, you guys wouldn't follow me, I'm going to drop it." This has been done when other people have not been listened to in the security world. It's not something that should happen; it does happen, and when companies have an immature security process in terms of how they handle it, this is more of a management problem than a coding problem. This is not the technicians, the fingers on the keyboard; this is the management not understanding things, maybe an old way of thinking.

Because in the early days of the hacking community, this was a common problem: do we disclose the vulnerability? Will we get sued for doing it? Will we end up in litigation, or will we have a federal agency knock on our door? Even in the earlier days of Microsoft, this was something that occurred. They would not close the vulnerability; they would threaten legal action against the security people trying to, you know, share this knowledge with them in a proper disclosure.

So my concern is the fact that, one, I never got an email on any of this. I never got a notification even though I'm paid up to date with my license and everything. I'm on their mailing list; I get other notifications for things, and it's not in the output stream. So I'm not sure when the problem happened or when it was fixed. But I did do some digging, because we run the self-hosted version and we have cross-site disabled for the way we do it, in a self-hosted setup with a reverse proxy and the encryption. It appears that we weren't affected by this because of that: the policies we have that stopped the cross-site scripting from working mean it was never a threat for the self-hosted version, provided you had a reverse proxy and had that enabled, so your mods in Apache were set up to avoid that particular setting anywhere. So, fine on all that, but I'm really hoping for a better response in the future. This is not enough.

For those that may be asking me (this is the next thing a few people mess with me on), "What are you going to switch to now that they had a problem?" The problem is every company is going to have a problem. The more popular it is, the more likely people are going to poke at it. So just using some other company because they haven't had a vulnerability doesn't mean it's secure. It's about: have companies really taken any time to dig in and look at those products? Validation is really hard for security. Going through these public audits, so to speak, is a really good thing, because this is all, you know, Bishop Fox made all this public. I'm hoping they get on a solid bug bounty program like they said they're going to in the CEO letter. These are all things I hope go forward. But I'm going to keep watching this, because I don't like finding out about a tool I use in the news. I want it to be, "Hey, here's your newsletter. Here's your 'you should read this.'" It's not a marketing thing. You should make sure you're up to date, make sure you patch, because there are companies... the only reason we get all the latest patches is that we keep our license renewed, and there are companies that don't do this: they don't renew their license. We keep our license renewed, but we've talked to other MSPs who don't, and "Well, if it ain't broke, don't fix it" is some of the attitude, which I don't believe in at all.

By the way, if you're an MSP and you haven't updated to the latest version and you're using self-hosted, stop right now and update. There are security fixes in here despite them not being in the output. I'm hoping that's what this comes out to: letting those people know, and it's not a sales tactic, it's a real thing. Like, "Hey, you're running version 19.3. It has a couple of flaws in it. You should be on 19.6," which is current here in January of 2020.

So "we'll wait and see" is my opinion. It's not enough for me to go, "I'm trashing the product and moving on," but obviously ConnectWise is going to have to mature a bit in their security response handling of things. We've seen the letter from the CEO; hopefully they're going to be doing this.

And I will mention real quick, since some of you asked about this: there was a flaw also found in the MSP tooling that is N-able, which is a SolarWinds product. I've mentioned SolarWinds on the channel before; we don't use this particular N-central / N-able tool, but I will leave a link to this if you want to read about what happened in SolarWinds' response. There are big pieces missing for how this all went down, because somehow the zero-day got dropped on Packet Storm instead of going through a responsible disclosure, and I don't know the why, and neither does Huntress, who also researched this and validated the findings. But SolarWinds did respond swiftly to this, first disabling the plug-in altogether and then later diving into the mitigation process for it. Additionally, there was a screenshot highlighting how a hacker might easily find what's available via Shodan. For those not familiar with the Shodan service, check out this awesome Tradecraft Tuesday episode with Tom Lawrence. And yeah, we did talk about this a little bit when I was down there. I've actually spent time with the folks at Huntress Labs and things like that. So, for anyone wondering, "Are you biased towards Huntress Labs or anything like that?" I like them; they do great security research. I've hung out with them and got to see firsthand some of the quality work they do. So at least I'll make sure I'm always open about whatever I'm doing and the people that are my friends in the industry. And I like the ConnectWise people; I spent some time with them. I've met some of the ScreenConnect people years ago, before they were ConnectWise, at some events. I think they're good people. I think they're really committed to creating secure code; I just hope the management over at ConnectWise follows up with this and puts a good vulnerability program together, maybe a bug bounty program, maybe signs up with HackerOne. We've seen the letter; now we've got to see the action. That's my thoughts on this. Thanks.

Thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.