13 July 2021

Kaseya CEO - "This sucks"

He seems contrite, but I also call bullshit. "In video address, exhausted Kaseya CEO announces relaunch dates"

Kaseya was hit with an attack which filtered down to their customers and their customers' customers, because Kaseya makes software for managed service providers. 1500 companies were hit. (That is an early estimate.)

“We’re doing what we can do,” he said, “I assure you no one at Kaseya wanted this to happen. None of you want it. We love our customers and it pisses me off when we do things to hurt them.”

CEO Fred Voccola seems to be saying the right things. But...

Early reports said that you KNEW you were under attack, and you said nothing. Damn you. You. Said. Nothing.

Oh, and then there is the fact that Kaseya required that all of the directories used by its software be excluded from scanning by antivirus and/or malware-detection software. This was a requirement, because we can't have our customers bothered with false positives from those damn antivirus programs. So the bad guys could drop what they wanted and know that it would not be detected by antivirus. It was probably one of the reasons that Kaseya was targeted.

Voccola said that the company has “locked down” all vulnerabilities leveraged in the attack. However, consultants assisting in the recovery suggested additional new layers of security that Voccola decided to put in place before release.

“This was probably the hardest decision that I’ve had to make in my career,” he said.

It was so HARD to decide to include SECURITY in a software upgrade. Apparently he hates security, or thinks it is a waste of time, except that he has egg on his face for ignoring security. I wonder if Kaseya has a bug-bounty program, and if not, why not. If they do pay a bounty for bugs, I wonder what they have paid out in the last year. Not enough.

This is not the day that corporations will begin to take security seriously.
