VPN

single-point-of-software-failure-could-hamstring-15k-car-dealerships-for-days

Single point of software failure could hamstring 15K car dealerships for days

Biz & IT, car dealers, car dealerships, Cars, cdk global, crm, ransomware, SaaS, Security, venture capital, VPN / /

Virtual Private Failure —

“Cyber incident” affecting 15K dealers could mean outages “for several days.”

Updated

Ford Mustang Mach E electric vehicles are offered for sale at a dealership on June 5, 2024, in Chicago, Illinois.

Enlarge / Ford Mustang Mach E electric vehicles are offered for sale at a dealership on June 5, 2024, in Chicago, Illinois.

Scott Olson / Getty Images

CDK Global touts itself as an all-in-one software-as-a-service solution that is “trusted by nearly 15,000 dealer locations.” One connection, over an always-on VPN to CDK’s data centers, gives a dealership customer relationship management (CRM) software, financing, inventory, and more back-office tools.

That all-in-one nature explains why people trying to buy cars, and especially those trying to sell them, have had a rough couple of days. CDK’s services have been down, due to what the firm describes as a “cyber incident.” CDK shut down most of its systems Wednesday, June 19, then told dealerships that evening that it restored some services. CDK told dealers today, June 20, that it had “experienced an additional cyber incident late in the evening on June 19,” and shut down systems again.

“At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available at a minimum on Thursday, June 20th,” CDK told customers.

As of 2 pm Eastern on June 20, an automated message on CDK’s updates hotline said that, “At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available likely for several days.” The message added that support lines would remain down due to security precautions. Getting retail dealership services back up was “our highest priority,” the message said.

On Reddit, car dealership owners and workers have met the news with some combination of anger and “What’s wrong with paper and Excel?” Some dealerships report not being able to do more than oil changes or write down customer names and numbers, while others have sought to make do with documenting orders they plan to enter in once their systems come back online.

“We lost 4 deals at my store because of this,” wrote one user Thursday morning on r/askcarsales. “Our whole auto group uses CDK for just about everything and we are completely dead. 30+ stores in our auto group.”

“We were on our own server until a month ago because CDK forced us to go to the cloud so we could implement [Electronic Repair Orders, EROs],” wrote one worker on r/serviceadvisors. “Since the change, CDK freezes multiple times a day… But now being completely down for 2 days. CDK I want a divorce.”

CDK benefits from “a rise in consolidation”

CDK started as the car dealership arm of payroll-processing giant ADP after ADP acquired two inventory and sales systems companies in 1973. CDK was spun off from ADP in 2014. In mid-2022, it was acquired by venture capital firm Brookfield Business Partners and went private, following pressure from activist public investors to trim costs.

Brookfield said at the time that it expected CDK “to benefit from a rise in consolidation across the dealership industry,” an industry estimated to be worth $30 billion by 2026. Analysts generally consider CDK to be the dominant player in the dealership management market, with an additional 15,000 customers in the trucking industry.

Under CEO Brian McDonald, who returned to the firm after its private equity buyout, the company pushed most of its enterprise IT unit to global outsourcing firm Genpact in March 2023.

CDK released a report on cybersecurity for dealerships in 2023. It noted that dealerships suffered an average of 3.4 weeks of downtime from ransomware attacks, or potentially an average payout of $740,144 (or even both). Insurer Zurich North America noted in a 2023 report that dealerships are a particularly rich target for attackers because “dealerships store large amounts of confidential, personal data, including financing and credit applications, customer financial information and home addresses.”

“In addition,” the report stated, “dealership systems are often interconnected to external interfaces and portals, such as external service providers.”

Ars contacted CDK for comment and will update this post if we receive a response. As of Thursday morning, the firm has not clarified if the “cyber incident” is due to ransomware or another kind of attack.

This post was updated at 2 pm to note a message indicating that CDK’s outage could last several days.

Listing image by Scott Olson / Getty Images

Single point of software failure could hamstring 15K car dealerships for days Read More »

ivanti-ceo-pledges-to-“fundamentally-transform”-its-hard-hit-security-model

Ivanti CEO pledges to “fundamentally transform” its hard-hit security model

Biz & IT, ivanti, ivanti connect secure, jeff abbott, pulse connect secure, Security, VPN, vpns / /

Ivanti exploits in 2024 —

Part of the reset involves AI-powered documentation search and call routing.

Red unlocked icon amidst similar blue icons

Getty Images

Ivanti, the remote-access company whose remote-access products have been battered by severe exploits in recent months, has pledged a “new era,” one that “fundamentally transforms the Ivanti security operating model” backed by “a significant investment” and full board support.

CEO Jeff Abbott’s open letter promises to revamp “core engineering, security, and vulnerability management,” make all products “secure by design,” formalize cyber-defense agency partnerships, and “sharing information and learning with our customers.” Among the details is the company’s promise to improve search abilities in Ivanti’s security resources and documentation portal, “powered by AI,” and an “Interactive Voice Response system” for routing calls and alerting customers about security issues, also “AI-powered.”

Ivanti CEO Jeff Abbott addresses the company’s “broad shift” in its security model.

Ivanti and Abbott seem to have been working on this presentation for a while, so it’s unlikely they could have known it would arrive just days after four new vulnerabilities were disclosed for its Connect Secure and Policy Secure gateway products, two of them rated for high severity. Those vulnerabilities came two weeks after two other vulnerabilities, rated critical, with remote code execution. And those followed “a three-week spree of non-stop exploitation” in early February, one that left security directors scrambling to patch and restore services or, as federal civilian agencies did, rebuild their servers from scratch.

Because Ivanti makes VPN products that have been widely used in large organizations, including government agencies, it’s a rich target for threat actors and a target that’s seemed particularly soft in recent years. Ivanti’s Connect Secure, a VPN appliance often abbreviated as ICS, functions as a gatekeeper that allows authorized devices to connect.

Due to its wide deployment and always-on status, an ICS has been a rich target, particularly for nation-state-level actors and financially motivated intruders. ICS (formerly known as Pulse Connect) has had zero-day vulnerabilities previously exploited in 2019 and 2021. One PulseSecure vulnerability exploit led to money-changing firm Travelex working entirely from paper in early 2020 after ransomware firm REvil took advantage of the firm’s failure to patch a months-old vulnerability.

While some security professionals have given the firm credit, at times, for working hard to find and disclose new vulnerabilities, the sheer volume and cadence of vulnerabilities requiring serious countermeasures has surely stuck with some. “I don’t see how Ivanti survives as an enterprise firewall brand,” security researcher Jake Williams told the Dark Reading blog in mid-February.

Hence the open letter, the “new era,” the “broad shift,” and all the other pledges Ivanti has made. “We have already begun applying learnings from recent incidents to make immediate (emphasis Abbott’s) improvements to our own engineering and security practices. And there is more to come,” the letter states. Learnings, that is.

Ivanti CEO pledges to “fundamentally transform” its hard-hit security model Read More »

3-vpn-features-you-should-use-to-avoid-vpn-blocks

3 VPN Features You Should Use to Avoid VPN Blocks

Georestriction, Highlights, Online Privacy, Online Security, Security, VPN / /

internal/modules/cjs/loader.js: 905 throw err; ^ Error: Cannot find module ‘puppeteer’ Require stack: – /home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js at Function.Module._resolveFilename (internal/modules/cjs/loader.js: 902: 15) at Function.Module._load (internal/modules/cjs/loader.js: 746: 27) at Module.require (internal/modules/cjs/loader.js: 974: 19) at require (internal/modules/cjs/helpers.js: 101: 18) at Object. (/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js:2: 19) at Module._compile (internal/modules/cjs/loader.js: 1085: 14) at Object.Module._extensions..js (internal/modules/cjs/loader.js: 1114: 10) at Module.load (internal/modules/cjs/loader.js: 950: 32) at Function.Module._load (internal/modules/cjs/loader.js: 790: 12) at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js: 75: 12) code: ‘MODULE_NOT_FOUND’, requireStack: [ ‘/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js’ ]

3 VPN Features You Should Use to Avoid VPN Blocks Read More »