[HN Gopher] Massachusetts Steamship Authority hit by ransomware ...
___________________________________________________________________
Massachusetts Steamship Authority hit by ransomware attack; ferries
delayed
Author : SocksCanClose
Score : 107 points
Date : 2021-06-02 18:47 UTC (4 hours ago)
(HTM) web link (www.nbcboston.com)
(TXT) w3m dump (www.nbcboston.com)
| sebyx07 wrote:
| MS Windows is 100% to blame. How can a worm spread that easily in
| 2021 to PCs across the network? 0day trash windows exploits
| tibbydudeza wrote:
| Clearly they are messing with the wrong people from Martha's
| Vineyard :).
| burkaman wrote:
| The rich people on Martha's Vineyard don't use the ferries,
| they have their own yachts or helicopters to get there.
| dredmorbius wrote:
| At some point they're affected. Staff, service workers,
| guests, neighbours.
| tibbydudeza wrote:
| Yes, who is going to serve the champagne and canapés???
| throwaway0a5e wrote:
| Most of Worcester county and Bristol county would probably
| disagree.
|
| Just like when they hit the vehicle inspection system in March,
| the wealthy hemmed and hawed about how nobody should get away
| with thumbing their nose at state authority but the little guys
| were just happy it wasn't them getting the shaft for once.
| uses wrote:
| I'd really like to see/hear/read a breakdown of some of related
| issues from some experts.
|
| Even on HN it's the same knee-jerk reactions every time one of
| these stories hit.
|
| This is one of the most pressing technology issues of this moment
| and the discourse just sucks.
|
| * Does banning ransom payments do anything? Good idea/bad idea?
| Historical analogues?
|
| * Do we need to pay rewards to cyber privateers to take down
| cyber criminals?
|
| * Is this an issue that can only be solved at the geopolitical
| level because of the role states play in enabling this activity?
|
| * Will the hardening brought about by this eventually outpace the
| crappy attacker software?
|
| * Is this a phase or the new reality?
|
| * How much of this is enabled by technology vs the geopolitical
| situation?
| WalterBright wrote:
| An easy way to blunt such attacks is to have _physical_ write-
| enable switches on drives used for backups. Then, when
| restoring from backup, it _cannot_ get corrupted.
|
| Of course, even better would be a _physical_ switch for
| incremental backups, so a disk drive works like tape - it can
| physically only be appended to if that switch is "off".
|
| Come on, security professionals. None of this has any technical
| or cost barriers. Demand it from drive vendors. My older drives
| have such a switch.
| WalterBright wrote:
| Anticipate a problem with your IT staff leaving the write-
| enable switch on? Have the drive maker add a (again,
| _physical_ ) clock circuit (could just be an RC delay) to
| turn it off again automatically.
|
| (Even if you don't anticipate a problem with your IT staff,
| it's just good engineering to automatically turn off the
| write-enable. Nobody's perfect. I've gone to the airport
| without my passport once. It really sux when you do that.)
| willcipriano wrote:
| This is a system I put together at my first IT job.
|
| Backups get pushed from devices between 1AM and 3AM each
| day, so the primary backup server enables its network card
| at 1 and disables it at 3.
|
| Primary backup server also has a second network card, that
| in turn is attached to a small subnet containing it and the
| secondary backup server only. The secondary backup server
| pulls a copy from the primary on a weekly basis in a
| similar manner as the primary, disabling its network card
| once it has finished.
|
| Maybe they can hit the primary if the infection takes place
| overnight, but the odds of getting the secondary are pretty
| low.
| colechristensen wrote:
| Paying ransoms can be illegal if it is happening with a
| sanctioned entity.
|
| We need to start holding companies criminally liable for having
| security vulnerabilities that get breached. It is true that
| there will always be exploits but the issues are usually much
| more wildly irresponsible security practices and not "didn't
| know about the latest 0day"
|
| There needs to be a statutory liability to customers and
| required insurance. Let the insurance company figure out the
| regulations instead of bureaucrats and politicians, insurance
| company rules are optional and noncompliance is just more
| expensive.
|
| It is an increasing trend but the current uptick in awareness
| is mostly media coverage. This stuff has been going on forever,
| a few particularly newsworthy things happened now everyone is
| going out of their way to report each new instance. Trends in
| reporting instead of trends in exploits (to a degree)
| rsj_hn wrote:
| Curious, how do you know that you are paying ransom to a
| sanctioned entity? Do they publish lists of bitcoin addresses
| of sanctioned entities that you can check? If not, how do you
| check the identity of the payee?
| mannerheim wrote:
| > Historical analogues?
|
| 'Don't negotiate with terrorists' or:
|
| > It is wrong to put temptation in the path of any nation,
|
| > For fear they should succumb and go astray;
|
| > So when you are requested to pay up or be molested,
|
| > You will find it better policy to say:--
|
| > "We never pay any-one Dane-geld,
|
| > No matter how trifling the cost;
|
| > For the end of that game is oppression and shame,
|
| > And the nation that plays it is lost!"'
| viraptor wrote:
| The Risky Business podcast #624 talks about pretty much all
| your questions if you want to listen to it. But here's some
| relevant info: Hardening can help, but we'll always have new
| exploits and some of the time the intrusion comes from standard
| phishing rather than automation, so tech can't solve it. Crypto
| coins enable payment at scale, but Russia enables the operation
| to not worry about consequences (a lot of ransomware will
| disable itself on Russian computers to avoid local
| prosecution).
|
| And in my opinion it's only a matter of time till something so
| crucial will be affected that the big guns will be rolled out.
| (I.e. targeted 3 letter agencies efforts) The podcast argued
| that touching the energy delivery / pipeline was already it -
| Fox asking daily how the current administration fails to deal
| with securing energy may be the point when some real action
| happens.
| wmf wrote:
| Good 2FA (e.g. U2F) can solve most phishing.
| https://krebsonsecurity.com/2018/07/google-security-keys-
| neu...
| joe_the_user wrote:
| The answer to your (somewhat leading) questions is just no.
|
| War analogies are inapplicable, privateer analogies are
| inapplicable. Create the incentives, organizational and
| software structure required to stop this or it will continue.
| Holding single companies accountable shifts the burden without
| solving the problem.
|
| Have standards, standards bodies, defensive organizations.
| alksjdalkj wrote:
| Another issue I don't see discussed much is how
| cryptocurrencies basically enable the business of ransomware.
| It's not like we're less secure than we were 20 years ago, the
| difference is now hackers can actually get paid.
| karaterobot wrote:
| Granting your premise, but: what is there to discuss about
| it? Cryptocurrencies are good for this, yes.
|
| I am inferring (perhaps incorrectly) that you're saying this
| is an argument against cryptocurrencies. I think that's
| beside the point: even outright outlawing
| cryptocurrencies wouldn't stop the technology from existing,
| and wouldn't discourage extortionists from using it to
| anonymously receive payments.
|
| It would make it harder to pay, since you'd have to go
| outside of safe, legal channels to get money into the system.
|
| If the best strategy when being extorted is to never pay or
| negotiate, then I suppose that could be a benefit. But, in
| that case it would be more efficient to just make it illegal
| to cooperate with extortion in the first place.
|
| For all I know, this is already true. If not, let's try that
| first. If it is, it doesn't seem to matter, since people are
| paying ransomware hackers. Still, if paying _at all_ is
| illegal, but people still do it, then making paying _less
| convenient_ probably won't make much of a difference:
| they'll still ask for payment in crypto, and leave the
| logistics up to the victim.
| lvs wrote:
| But the genie is out of the bottle now. It's not going back
| in.
| mandelbrotwurst wrote:
| How do you know that we're not less secure?
|
| It wouldn't surprise me at all if our systems are on average
| far less secure simply because so much more is online now, to
| speak nothing of increases in the complexity of and
| opportunities for errors and misconfigurations in today's
| systems.
| user-the-name wrote:
| Because twenty years ago computer security was an absolute
| and utter shambles. Exploiting a vulnerability today is
| orders of magnitude harder than it was twenty years ago.
| Massive strides have been made.
| mannerheim wrote:
| Just a couple years ago, the largest botnet in history
| infected IoT devices using default passwords in order to
| DDoS Minecraft servers, so perhaps these strides haven't
| been so massive.
| Grimm1 wrote:
| IoT isn't datacenter server technology. IoT is basically
| in the state of software security from 20 years ago.
| Often running crappy proprietary stuff. Your average
| server running a recent Linux kernel is Fort Knox
| comparatively. There have been massive strides in many
| places in software security but IoT and embedded security
| in general is very lacking unless you're talking things
| going into space or military.
| xkyf wrote:
| That gets discussed every time, hackers were using prepaid
| cash services. Ransomware predates cryptocurrencies by
| decades.
| viraptor wrote:
| It's a bit of the "we have X at home" meme situation. Sure,
| ransomware existed before, but the scale was not even close
| to that. You can't move hundreds of millions in gift /
| prepaid cards without getting found. It's a completely
| different level of comfort for the operators.
| anonymousDan wrote:
| Do you have evidence for this claim? I'm almost certain
| it's no longer true.
| f38zf5vdt wrote:
| This level of corporate hacking existed prior to
| cryptocurrencies, the difference is that it was used for
| stock market manipulation and profiting on short or long
| positions. It appears that this is even more profitable than
| ransomware, in the hundreds of millions or possibly even
| billions of dollars. [1][2]
|
| [1] https://www.wired.com/2010/03/manipulated-stock-prices/
| [2] https://www.reuters.com/article/us-cybercybersecurity-
| hackin...
| xenadu02 wrote:
| Many ransomware attacks are not sophisticated. They may be
| targeted but the procedure is fairly simple: blast targets with
| phishing emails/texts, get them to click, done. It seems that
| zero-days are often not required because targets lag behind in
| applying patches.
|
| Many (if not most) companies have file shares with fairly wide-
| open access and/or a complete lack of backups so peer-to-peer
| spreading within the company is enough to cause a lot of
| trouble.
|
| At its root these are technological problems that we could
| choose to solve:
|
| 1. The program is not the user. Code running as a user
| shouldn't necessarily have permission to access everything the
| user can access.
|
| 2. New code is not treated with suspicion when it should be.
| New code should have its file access throttled in proportion
| to how many files it accesses.
|
| 3. Our systems do a terrible job of spotting unusual behavior.
| How many processes actually need to rewrite every file the
| user has access to? Almost none... rewriting 10% of the user's
| files should trigger an automatic throttle/stop and raise red
| flags.
|
| 4. As a variation on #3, most OSes these days ship parsers for
| a lot of common file formats... if the OS sees lots of user
| documents being rewritten and the parsers can no longer parse
| them, stop allowing new rewrites and alert the user. If the
| user is encrypting their content on purpose they can approve
| it. If not you can at least limit the damage.
|
| 5. Similarly a network user that usually accesses a limited
| set of files should not be able to suddenly start rewriting
| thousands of files without some kind of intervention.
|
| 6. Our systems completely fail to take advantage of ancient
| technology called "file versions" (see VMS). Excess disk space
| should store old versions of files in a way that cannot be
| deleted (or the ransomware would just call that API or
| generate random writes to consume the space). Combine with
| 2/3: when there is suspicious activity on the system move into
| CoW mode and preserve previous versions of all files or an
| entire system snapshot and don't allow purging the snapshot
| without special intervention (eg rebooting into a special
| mode).
|
| 7. To go along with all of the above, code should be tagged
| with its provenance in a system-tracked way. If a process
| writes a new binary to disk track that responsibility. Track
| it all the way back to the URL or email it came from. This
| entire audit trail should be attached to any of the mechanisms
| listed above. It should also be attached to any sort of
| activity monitoring program that shows you disk accesses,
| including historical accesses. If I see 50GB of disk
| reads/writes from a process group "JGjthjsfgl.exe, downloaded
| from p0wnme.example.farts" that is a huge red flag. Let me
| suspend that entire process group with a single click.
|
| I'm sure smarter people could come up with even better ideas...
| but ransomware is absolutely something we can and should make
| nearly impossible. We could engineer operating systems to be
| resilient and limit the damage (eg: macOS prompting you to
| approve access to Desktop/Documents/Downloads) but it means
| giving up some sacred beliefs about how desktop operating
| systems should work that tends to make a subset of the HN
| audience extremely angry.
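Points 3, 4 and 7 of the comment above, sketched as detection logic in an added Python example written for this page (not the commenter's code): a monitor that suspends a process group once it has rewritten 10% of the user's files or produced three rewrites the "parsers" reject, and attaches the provenance trail to the alert. The file names, thresholds, magic-number table and the "ciphertext" byte pattern are all constructed assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of file headers standing in for "the OS's parsers".
MAGIC_NUMBERS = (b"%PDF-", b"PK\x03\x04", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext sits near 8, prose near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_parseable(data: bytes) -> bool:
    """A file "still parses" if it carries a known header or is low-entropy
    text; encrypted output has neither, which is the signal point 4 uses."""
    if data.startswith(MAGIC_NUMBERS):
        return True
    return shannon_entropy(data) < 6.0


@dataclass
class WriteEvent:
    process_group: str  # e.g. the executable name
    provenance: str     # where the binary came from (point 7), OS-tracked
    path: str
    new_content: bytes


class RewriteMonitor:
    """Suspends a process group once it has rewritten too large a share of
    user files (point 3) or too many files the parsers reject (point 4)."""

    def __init__(self, user_files, rewrite_fraction=0.10, max_unparseable=3):
        self.user_files = set(user_files)
        self.rewrite_fraction = rewrite_fraction
        self.max_unparseable = max_unparseable
        self.rewritten = defaultdict(set)    # group -> user paths rewritten
        self.unparseable = defaultdict(int)  # group -> rejected rewrites
        self.provenance = {}                 # group -> audit trail
        self.suspended = set()

    def observe(self, ev: WriteEvent) -> str:
        g = ev.process_group
        if g in self.suspended:
            return "blocked"  # nothing more gets written until a human approves
        self.provenance[g] = ev.provenance
        if ev.path in self.user_files:
            self.rewritten[g].add(ev.path)
            if not looks_parseable(ev.new_content):
                self.unparseable[g] += 1
        fraction = len(self.rewritten[g]) / len(self.user_files)
        if fraction >= self.rewrite_fraction or self.unparseable[g] >= self.max_unparseable:
            self.suspended.add(g)
            return "suspended"
        return "allowed"

    def alert(self, g: str) -> str:
        """The message a user would see, with the provenance trail attached."""
        return (f"{g} ({self.provenance.get(g, 'unknown origin')}) rewrote "
                f"{len(self.rewritten[g])} user files, {self.unparseable[g]} unparseable")


# Constructed stand-ins: a byte cycle with a flat histogram (entropy exactly
# 8.0 bits/byte) plays ciphertext; a repeated sentence plays a document.
CIPHERTEXT_LIKE = bytes((i * 73 + 17) % 256 for i in range(512))
TEXT_LIKE = b"Ferry schedule: Woods Hole to Vineyard Haven, 06:00, 07:15.\n" * 8


def run_demo():
    """Three process groups against 50 user documents; returns their verdicts."""
    user_files = [f"Documents/doc{i}.txt" for i in range(50)]
    mon = RewriteMonitor(user_files)
    script = {
        # an editor saving 4 documents (8% of files, still parseable): fine
        ("editor.exe", "installed from vendor package"):
            [(f"Documents/doc{i}.txt", TEXT_LIKE) for i in range(4)],
        # an unknown binary writing high-entropy output over documents: point 4
        ("JGjthjsfgl.exe", "downloaded from p0wnme.example.farts"):
            [(f"Documents/doc{i}.txt", CIPHERTEXT_LIKE) for i in range(4)],
        # a bulk tool whose output parses but touches 10% of the files: point 3
        ("bulkconvert.exe", "installed from vendor package"):
            [(f"Documents/doc{i}.txt", TEXT_LIKE) for i in range(6)],
    }
    verdicts = {}
    for (group, origin), writes in script.items():
        verdicts[group] = [mon.observe(WriteEvent(group, origin, p, c)) for p, c in writes]
    return verdicts, mon


if __name__ == "__main__":
    results, monitor = run_demo()
    for group, decisions in results.items():
        print(group, decisions)
    print(monitor.alert("JGjthjsfgl.exe"))
```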
| PeterisP wrote:
| The sophistication of the major ransomware attacks happens at
| the "done" step of your "blast targets with phishing
| emails/texts, get them to click, done" description. The
| initial foothold is often done randomly by various attackers,
| but the execution after that takes some skill and effort and
| often is done by a limited number of somewhat sophisticated
| groups who buy the initial footholds from a larger number of
| random attackers. The lateral movement is _not_ generally
| done through "file shares with fairly wide-open access", but
| the attackers often (at least in most of the major attacks)
| manage to obtain full domain administration privileges to the
| whole network, so if the backups can be easily disabled or
| destroyed by your administrators, attackers can do the same.
|
| Zero days are indeed often not required, however, IMHO the
| initial attack is less preventable than that lateral movement
| and further exploitation - if attackers are in your systems
| for a week while they spread everywhere and kill your backups
| preparing to pull the switch to "ransomcrypt" everything at
| once, then that was your opportunity to detect it and kick
| them out, but the victim organizations obviously were not
| capable of that. This needs to be fixed, perhaps by methods
| similar to those you describe.
| [deleted]
| MattGaiser wrote:
| As an alternative question, how much is this worth stopping?
|
| As in, how much is being spent on these payments overall each year?
| How would that compare to the massive IT fortification project
| people are demanding?
|
| We don't meaningfully fight bike theft for this reason. The
| cost of doing so relative to the benefits is just too high. We
| can debate whether that is reasonable, but that is essentially
| what has been decided as a society. Most low level crime is not
| meaningfully investigated.
| WalterBright wrote:
| > how much is this worth stopping?
|
| Having a physical write-enable switch on the backup devices
| costs about three cents.
| MattGaiser wrote:
| And the guy required to set that all up is 100K.
| nitrogen wrote:
| _We don't meaningfully fight bike theft for this reason._
|
| And this erodes trust in society and rule of law, and
| gradually leads to vigilantism, privatization of security,
| and segregation due to middle-class flight from high-crime
| areas.
| mrhyyyyde wrote:
| Source to support your statement?
| nitrogen wrote:
| Historical precedent (e.g. white flight), personal
| experience with losses of thousands of dollars of my
| former startup's equipment to theft, and forward-looking
| projections from other HN threads about people who chose
| to leave the Bay Area.
| MattGaiser wrote:
| As I said, we can dislike it, but as a society we have
| basically decided that anything short of reasonably
| straightforward violent crime/extreme violent crime and
| high value property crime and easy to prosecute drug crime
| is not worth the effort.
|
| I don't disagree, but I hear very little discussion about
| low solve rates for smaller crimes.
| rsj_hn wrote:
| > As I said, we can dislike it, but as a society we have
| basically decided that anything short of reasonably
| straightforward violent crime/extreme violent crime and
| high value property crime and easy to prosecute drug
| crime is not worth the effort.
|
| No, I would say that a few counties have decided this,
| but the majority of counties have not. In most places,
| you do get arrested for property crimes, you still serve
| prison time for this, police still do things like use
| bait cars and exert resources to catch those who steal,
| and the idea that property crime should not result in
| jail time is not widely accepted by the majority of the
| population.
| arduinomancer wrote:
| I'm curious if seeing headlines like this causes other companies
| to invest more in security.
|
| Or is it more like "well as long as it doesn't hit us we don't
| care"
| madcows wrote:
| Companies should be lobbying the federal government for
| protection. Otherwise the government is as complicit as they
| would be for "looking the other way" while the mafia extorts
| local businesses. And in this case, that mafia may even be an
| arm of foreign adversaries, making this ever more urgent and
| damaging.
| bluGill wrote:
| I'm sure the government is already feeling pressure. However
| the criminals are good at hiding their tracks. There is
| reason to believe they are being protected by Russia (or
| other country that nobody wants to go to war with).
| madcows wrote:
| With the US under a constant barrage of attacks it makes sense to
| trash the "space force" and create a legitimate "cyber security
| force."
|
| This may be our last chance to maintain global power through the
| use of force at all, given that so many competitors are gaining
| foothold in every other area.
|
| We need bullet proof IT infrastructure, instant backtracing, and
| effective retaliatory responses ready to deploy, yesterday!
|
| Why the hell isn't the attacker's computer compromised when they
| access the data? (rhetorical)
| dicomdan wrote:
| What does it have to do with space force? These are two
| separate issues.
| madcows wrote:
| Conservation of energy. I'd love to suggest that we just do
| everything all of the time, but that's unsustainable and
| fodder for another dissenting comment, so instead I suggest
| reallocation instead of creation.
| nradov wrote:
| Merging the Space Force back into the Air Force wouldn't
| conserve any energy. It's still the same people doing the
| same things with the same equipment.
| willcipriano wrote:
| Why is the space force the first thing off the table and
| not say the endless wars in the middle east?
| [deleted]
| tomp wrote:
| Great example of short-term thinking! Your enemies distract you
| and make you fight the current fight to make you miss the next
| war.
| madcows wrote:
| "Uhh... Houston, we still don't have control of the ship's
| navigation, will someone send those Russians the damn BTC so
| we can continue to fight this space war!"
|
| ... Right.
| echelon wrote:
| We need both a space force and a "cyber security" force.
|
| We have to protect our satellites, see what other nations are
| up to (perhaps even intercepting their sat comms), and make
| sure our hypersonic game is on point.
|
| It's worth noting that "cyber warfare" is what the NSA already
| does.
| cduzz wrote:
| This sort of crime is only possible because the criminals act
| from within regions where they're not going to be punished
| (beyond being asked for the house's vig).
|
| The countries protecting these criminals are behaving like the
| taliban when they controlled Afghanistan.
|
| Poisoning dissidents, hijacking airplanes, crashing hospitals
| and pipelines, we'd better be careful because eventually
| someone's going to get hurt.
| owlbynight wrote:
| The US is going to end up tracking and assassinating these
| people, if we're not already. Messing with the old money usually
| doesn't turn out well for whoever's doing it.
| lvs wrote:
| Unless there have been classified changes, EO 12333 bans such
| activity.
| vecter wrote:
| Are there actual examples of the US "assassinating" bad actors
| in this way? That seems farfetched, as opposed to just going
| after them in the judicial system.
| ncallaway wrote:
| Operation Condor is a good starting point for some truly
| horrific US involvement in torture, terrorism, and targeted
| killing
| lnwlebjel wrote:
| This would suggest that there are not actual examples:
| https://en.wikipedia.org/wiki/Targeted_killing#Use_by_United...
| bluGill wrote:
| Not just the US. A lot of countries care. Western Europe (not
| sure about the east) does as well and will do something even if
| they aren't as violent as the US. (In fact they are probably
| going to claim the moral high ground of not assassinating
| people only because they give evidence to the US and look the
| other way). South America, South Asia, and Africa will all have
| at least some helping out, though it isn't clear who will do
| what.
|
| Most of the blame is going to Russia, though North Korea is a
| possible source of this, as are a few random countries
| scattered around. Most stand to lose more than they gain from
| allowing such crime. (their military might be interested in the
| ability, but those will be more careful about who they target)
| tobesure wrote:
| Why not China? I always have problems with these attributions
| - they inevitably depend on "signatures" like timestamps and
| language encodings that would be trivial to deliberately fake
| by a competent team - and some of these hacks indicate
| competence.
| the-dude wrote:
| Well, the _Steamship Authority_ , what did you expect?
| user-the-name wrote:
| Time to ban bitcoin.
|
| https://newrepublic.com/article/162589/ban-bitcoin-cryptocur...
| bdamm wrote:
| Isn't this like banning cash to stop muggings?
| mrweasel wrote:
| It is, and it has proven very effective. Robberies against
| banks and stores have been cut in half during the last ten
| years, as cash is getting harder to access.
|
| Many stores open after 19:00 don't have much cash on hand so
| robbing them is not really attractive any more. There are
| almost no bank robberies, as even banks don't actually have
| cash.
|
| The people who get mugged are normally forced to go to an ATM
| to withdraw cash.
|
| I'm not suggesting we just randomly ban stuff to avoid the
| criminals from exploiting it, but it is working.
| bluGill wrote:
| Banks have long had tricks like giving robbers cash with an
| "exploding" ink packet inside - the criminal then has to
| deal with bills that are marked. Also banks have security
| cameras (that normally are operational), and silent alarms
| that ring the police station. In the end odds are anyone
| robbing a bank is caught, and even if you are not banks
| keep plenty of small bills on hand, so you get a bag full
| of money, but not a lot of real value inside the bag.
|
| Stores don't generally have as much protection, but even
| then they never have a large amount of money on hand.
| Robbing a store and getting $300 isn't really worth the
| risk.
| Workaccount2 wrote:
| That's not a function of banning cash however, it's on
| account of the rise of credit cards. No one sacrificed or
| was inconvenienced to get here, it was just natural
| progression with good side effects.
| cduzz wrote:
| They banned enormous denomination bills to prevent this sort
| of crime.
|
| By "Ban" I mean they no longer make them, and possibly
| destroy them once they get circulated back to the central
| bank. They're still legal tender.
|
| See also 500 euro note... (edited to clarify "ban" meaning)
| coolspot wrote:
| Crypto is realistically the only way to accept a payment for
| high-profile ransomware attack.
|
| Imagine encrypting the whole Maersk network and then asking for
| ransom in cash? Wherever you decide to do the exchange there
| will be a couple of Apache/Eurocopters/Mis hovering around and
| watching you. With crypto just send them your XMR address, then
| wait a couple of years for the heat to come down before
| mixing/cashing out.
| mnd999 wrote:
| Nope, no point banning the thing the criminals use, because
| they don't follow the law anyway. Ban paying ransoms, the
| corporations are much more likely to follow the law.
| user-the-name wrote:
| If the victim has no way to pay the ransom, there will be no
| point in trying to blackmail them.
|
| If you ban paying ransoms, desperate people will just do it
| in secret, something bitcoin works hard to enable.
| meltedcapacitor wrote:
| For large companies "paying in secret" is pretty difficult
| given public accounts. The typical CFO would rather get a
| new job elsewhere than risk prison because his CTO
| colleague did a poor job securing the IT. They just work
| there.
|
| A ban on ransomware payment also has the nice side effect
| of banning ransomware insurance, which has been making the
| problem worse so far.
| OminousWeapons wrote:
| I don't think this is going to work. Time is on the side of
| the attackers. All the attackers have to do is wait and
| repeatedly restate that they will fully restore operations if
| the victim pays a small fee and when losses grow large enough
| investors / shareholders will apply enough pressure to
| management to make it happen, whether it is legal or not. No
| one is going to eat massive losses for the greater good.
| There are plenty of policies against negotiating with
| kidnappers and terrorists, and yet people still do it for
| this exact reason.
|
| Banning crypto exchanges is actually a much more effective
| solution to the problem because it at least forces someone to
| show up in person to collect the money.
| meowface wrote:
| Of the three most common ransomware-combating suggestions
| I've been observing over the past few months, I'm strongly
| opposed to the first two (banning cryptocurrencies or banning
| ransom payments) and would instead strongly advocate for the
| third: reinstitute letters of marque for privateers.
|
| Enable activity instead of futilely trying to ban activity.
| Instead of focusing on punishing the victims and unrelated
| third parties, focus on punishing and disrupting the
| perpetrators.
|
| Or if not letters of marque, they could at least just issue a
| notice that certain activity will have a blind eye turned
| towards it, to mirror the policy of some of the governments
| that bear most of the responsibility for ransomware activity.
| boomboomsubban wrote:
| So your answer to the problem is to encourage more
| ransomware attacks? You don't think ransomware itself is
| bad, you just take issue with the idea that you may be the
| victim? Training more people to use it's probably going to
| backfire on you then.
| x86_64Ubuntu wrote:
| They don't have to ban BTC, they will just squeeze any
| company that provides a fiat off-ramp for BTC. The government
| has done this for decades, just ask the legal MJ business or
| sex adjacent workers.
| COGlory wrote:
| I have to wonder:
|
| Are there CTOs or IT heads going into board meetings or other
| meetings, and telling people that these systems are secure?
| Because if so, they need to be tried for fraud.
|
| If it's on the internet, it is not secure.
| x86_64Ubuntu wrote:
| It's not the IT workers saying that they're secure, it's us
| telling the business that we need X dollars to mitigate risk of
| Y. And then the accounting people are like "But it hasn't
| happened yet, why would we pay to prevent something that hasn't
| happened yet!???"
| COGlory wrote:
| Can we go after these decision makers for negligence, then?
| tyingq wrote:
| It feels like a chicken-egg problem. The actual
| consequences to the business aren't often serious, so it's
| difficult for them to get support to spend serious money on
| it.
|
| Maybe mandatory high-cost, high-limit cyber insurance, with
| dramatically lower rates provided you can prove x/y/z,
| would make for an incentive?
| x86_64Ubuntu wrote:
| Probably not. We can't even go after businesses when they
| do something that's clearly awful. Much less when the thing
| they most hurt is their bottom line.
| MattGaiser wrote:
| I would be surprised if this kind of thing makes it to any
| significant managerial level before an attack.
| gilbetron wrote:
| I think more often it is the rest of executives demanding CTOs
| and IT heads prove to them in absolute terms that more security
| is needed when nothing bad has happened yet.
| OminousWeapons wrote:
| So your solution to transient disruptions in availability is to
| make your services permanently unavailable?
| COGlory wrote:
| Services can be available, and not reliant on internet
| connected services.
|
| Imagine if all the hacks we've seen in the last year happened
| all at once. We'd be screwed.
| OminousWeapons wrote:
| How are you going to sell customers tickets remotely
| without an internet presence? How are you going to field
| customer service complaints or general inquiries without
| email? How are your employees going to do work at multiple
| sites without VPNs? If you pitch "let's do everything by
| phone" you will be laughed out of the room.
|
| I agree that things should be kept off the internet unless
| they absolutely need to be there, but realistically
| companies need to have internet connected services to be
| able to do business.
| wearywanderer wrote:
| > _How are you going to sell customers tickets remotely
| without an internet presence?_
|
| With this wacky invention known as a telephone. Merely
| three years ago I used a telephone to order tickets on
| the Alaska Marine Highway (a ferry service operated by
| Alaska) while driving through BC. No websites needed; it
| was utterly painless.
| COGlory wrote:
| How are they going to sell tickets with their
| infrastructure offline to a ransomware attack?
|
| I'm not sure of a perfect solution, but the standard of
| living was pretty good before the internet. Doing away
| with reliance on infrastructure for critical things like
| food processing, energy, and transit does not seem like a
| high price to pay to avoid a Thanksgiving turkey
| conundrum.
|
| All these services are going to go unhacked, until
| they're hacked. And it's a completely skewed problem. We
| get minor conveniences for having them online. We suffer
| massively when they go offline.
| OminousWeapons wrote:
| > How are they going to sell tickets with their
| infrastructure offline to a ransomware attack?
|
| They get by temporarily by doing things manually until
| they get their services back up, and they get compensated
| by insurance, but a few-day partial loss of business
| pales in comparison to how much revenue they would lose
| by going offline. A vast swath of their current and
| potential users wouldn't even know they existed without
| them having an online presence. The only solution would
| be buying that knowledge from someone else such as a travel
| agent. Even with that knowledge, it would be orders of
| magnitude more inconvenient to book and receive tickets,
| there would be a lot more fraud, and everything would
| move much more slowly.
|
| > We get minor conveniences for having them online. We
| suffer massively when they go offline.
|
| We get MASSIVE convenience by them being online and we
| suffer transient, relatively painless outages when they
| go offline. The most serious outage we suffered was that
| pipeline going down, and it was down for under a week.
| RobRivera wrote:
| this is getting a little out of hand
| FridayoLeary wrote:
| But entirely predictable. I might as well have bought shares in
| popcorn. It's almost a weekly occurrence now, and those are
| just the ones we hear about.
| tobesure wrote:
| Do these recent attacks (pipeline, meat plants, steamship) have
| anything in common? Do they share exploits? Are they related to
| or enabled by the solar winds hack? Or is this just media
| amplifying what are otherwise routine events now?
| Decabytes wrote:
| I wonder if this will mean an increase in cyber security related
| postings in industries that have otherwise not had to worry about
| cyber security before (i.e. the Steamship Authority, meat industry,
| etc.)
| swiley wrote:
| The pessimist in me thinks it will mean an increase in McAfee
| sales and pen tester fees followed by regulation that makes
| them mandatory.
| causality0 wrote:
| Cybersecurity is not a technology problem. It's a policy and
| enforcement problem. Ground and mid-level operating convenience
| will always destroy any attempt to create security unless
| strong standards of behavior are created and ruthlessly
| enforced. I've never seen it happen successfully outside of
| technology corporations staffed by nerds who actually care or
| the military. All it takes is one guy who knows a guy and then
| the admin password is on a notepad on the desk. All it takes is
| one guy who doesn't get a 4G signal in one room so he brings a
| router from home and plugs it into the network.
| samstave wrote:
| This is one of the important reasons for audits such as
| HIPAA, SOX, SAS70 etc...
|
| To ensure that you don't have holes in your security
| posture... The technology you deploy is important, but also
| important that your security and governance model on top of
| the technology is also in place.
| walrus01 wrote:
| I saw a badly written headline yesterday that combined the meat
| industry hack with something about colonial pipeline, and it
| briefly brought to mind a mental image of a liquefied meat
| slurry/pink goo pipeline.
| swiley wrote:
| https://xkcd.com/1649/
| walrus01 wrote:
| imagine the retail value in dollars per liter of an HP
| inkjet printer ink pipeline
| FridayoLeary wrote:
| Imagine how much a leak would cost them! Printer ink is
| among the most expensive liquids in the world.
| endisneigh wrote:
| How exactly are the ransoms even paid out? I would assume
| cryptocurrencies, but before those existed how did they pay out?
|
| I'm not sure what it would be called, but has there been any
| investigation in a sort of "transparent by default" database
| system? Ideally if this were possible people wouldn't need to
| care about data being stolen (though in this case it's unclear
| what the attack did, but many times it's more like we'll
| reveal/block your data unless you pay up)
| ocdtrekkie wrote:
| Ransomware wasn't nearly as prevalent prior to cryptocurrency
| because moving that kind of money was much harder.
|
| Another interesting shift is that complete administrative
| takeover is often less compelling: Software is more secure
| covering administrative functions, but users, which have access
| to all of your business data, are vulnerable as ever.
| exhilaration wrote:
| Before cryptocurrency you had to buy things from shady online
| pharmacies or send/fund Visa gift cards. Source:
| https://www.varonis.com/blog/a-brief-history-of-ransomware/
|
| Crypto is really what's made ransomware at the scale we see it
| now possible.
| stevemk14ebr wrote:
| Crypto makes it more efficient. It would still occur without
| crypto just fine. You're talking about a black market worth
| many millions, maybe billions.
| livueta wrote:
| I suspect it changes the profile of who gets hit. Individual-
| level targets would get extorted for maybe a couple hundred
| bucks - sums that are reasonable to transact in iTunes cards
| or whatever. Those numbers are low both because it's what
| that category of target is willing/able to cough up
| financially, and what they were able to transact
| irreversibly. Conversely, your meat-packing CEO isn't going
| down to the corner store for $11m in phone credits, so it was
| less worth it to go for targets with deep pockets, that might
| be better-protected, instead of casting a wide net for a lot
| of easy small hits. The ability to irreversibly and kinda-
| anonymously transact large amounts definitely incentivizes
| going for institutional targets.
| x86_64Ubuntu wrote:
| I've only heard of ransomware over the past 8 years or so.
| Crypto has done a lot for making such payment processes more
| palatable to criminal orgs.
| vmception wrote:
| The ransomware typically replaces your computer screen with a
| unique crypto address.
|
| The remote server knows to unlock your computer and cleanse it
| of the ransomware upon receipt of payment.
|
| Many also leave a marker on your system/network preventing
| reinfection. Most ransomware is from the same vendor rented out
| which prevents reinfection, for now.
| mrweasel wrote:
| I continue to wonder why more companies aren't utilizing
| application whitelisting. Most, if not all, of the attacked
| companies run Windows, and Windows has been able to restrict a
| system to only running whitelisted applications for ages.
|
| Sure, whitelisting is annoying to say the least, but these are
| critical systems, you don't need to install new software daily or
| even monthly.
| PeterisP wrote:
| The initial foothold exploits - where application whitelisting
| would help the most - generally are not "critical systems",
| they are the daily workstations of random employees. By the
| time the attackers reach your critical systems, they most
| likely can attack them with stolen credentials without running
| any exploits that whitelisting would prevent.
|
| To protect your company, application whitelisting needs enough
| usability to be easily supportable for the workstations of your
| accountant, office receptionist, and the VP of Marketing (those
| three are all good examples of valuable entry points for
| targeted attacks), which all may get management approval to
| throw out application whitelisting if it inconveniences them
| enough - there's no reasonable tradeoff between security and
| usability, you must get both as usability is mandatory and
| usability deficiencies will result in security features getting
| removed in all but the most critical circumstances.
| nradov wrote:
| There's no real reason except for basic incompetence and lack
| of resources. I expect that over the next few years most small
| and medium enterprises will essentially be forced to outsource
| their IT infrastructure to a few huge cloud vendors with the
| scale to build and maintain secure systems.
| king_magic wrote:
| Ransomware attacks against the United States should be met with
| covert assassinations against these hacking groups on foreign
| soil.
|
| Enough of this insanity - these are acts of war, and those
| responsible should be dealt with through military strikes.
| JumpCrisscross wrote:
| A federal ban on paying ransomware would reduce the incentive to
| commit these attacks.
| heavyset_go wrote:
| It wouldn't reduce the incentive for state-level or state-
| funded attackers to target foreign infrastructure, though.
| JumpCrisscross wrote:
| > _wouldn't reduce the incentive for state-level or state-
| funded attackers to target foreign infrastructure_
|
| No, that's what our military is for. That said, we have
| limited evidence any of these recent attacks were state
| backed.
| lvs wrote:
| No, it would just push such payments into the shadows.
| MattGaiser wrote:
| Would this result in not paying or them hiring consultants who
| pay on their behalf and just invoice them for "resolution
| services"?
| whimsicalism wrote:
| I wonder where this pop-understanding of the law that seems
| prevalent on HN comes from.
|
| Loopholes exist, but in general the government is not
| terrible at figuring out basic schemes like this and adapting
| administration of the law.
| dharmab wrote:
| I think a lot of the HN crowd think of laws like computer
| code - that it needs to be very exact. Most laws are fairly
| generalized with broad coverage, and the cases where
| they're not tend to be the exception, not the rule.
| wearywanderer wrote:
| Libertarians have substantial, though I think not majority,
| representation on HN. Certain themes always seem to repeat
| that seem related to this. For instance, likening any form
| of prohibition to the failed prohibition of alcohol to
| suggest that all forms of prohibition are similarly doomed.
| This argument relies on the reader neglecting to consider
| the myriad of prohibitions that are going well, like CFC
| bans or the prohibition on building unsafe firetrap
| buildings. They point out one failure and ask us to
| extrapolate from _only_ that datapoint, ignoring the rest.
|
| As in this case, pointing out a hypothetical way a law
| could fail, to insinuate that all laws would fail.
| willcipriano wrote:
| It's illegal to fund terrorism, I don't think paying someone
| to fund terrorism is a defence in a court of law.
| throwawaygh wrote:
| Writing a law that prevents this sort of pass-through is
| trivial. Hold all parties responsible. Don't even require
| first-hand knowledge that a ransom was paid.
|
| Writing a law with proper disincentives is also trivial --
| forget about fines. Proper jail time for senior execs and
| board members.
|
| Execs and boards will be damn sure not to pay ransoms, and
| additionally damn sure that any company they hire to help
| knows in no uncertain terms that they are also not to pay any
| ransoms.
|
| It really isn't that hard to write laws that disincentivize
| paying ransoms and aren't possible to route around with wink-
| and-nod bullshit.
| user-the-name wrote:
| It would cause companies to pay secretly and illegally instead,
| something which cryptocurrencies enable.
|
| Ban cryptocurrencies. They are the cause of the ransomware
| epidemic.
| kache_ wrote:
| I have a better idea, we should make ransomwaring illegal.
| That'll definitely stop it from happening.
| COGlory wrote:
| Unless they were globally banned, companies could secretly
| and illegally pay ransoms in them anyways.
| ghaff wrote:
| They possibly could but a lot of executives would probably
| prefer that their soon to be ex-company took a hit than
| that they became personally liable for breaking a federal
| law.
| sokoloff wrote:
| "We purchased security consulting services who were able
| to decrypt our ransomware-infected files. We're not sure
| of the exact method they used but it worked."
| ncallaway wrote:
| Lawmakers have dealt with this problem for a long time.
| It's well solved.
|
| If they wanted to prevent this kind of behavior there are
| two straightforward approaches:
|
| - make it also illegal for the consulting company to pay
| a ransom.
|
| - attach Strict Liability to any ransom payment, even if
| made through an intermediary. The executives quoted above
| from the paying company could still face criminal
| liability for such a payment disguised with plausible
| deniability
| https://en.m.wikipedia.org/wiki/Strict_liability
| Jtsummers wrote:
| > Ban cryptocurrencies.
|
| This is meant sincerely, not glibly: How? How can
| cryptocurrencies be banned in any meaningful sense?
|
| We can "ban" them in a legal sense ("Use of cryptocurrencies
| are illegal after 1 Jan 2022"), great. But how can they be
| practically banned so long as computers themselves are not
| invaded by governments to observe every detail of their
| operation and private overlay networks are still technically
| feasible?
| heavyset_go wrote:
| > _This is meant sincerely, not glibly: How? How can
| cryptocurrencies be banned in any meaningful sense?_
|
| The only way to buy or sell cryptocurrency for the vast
| majority of people is through exchange companies that have
| the blessing of the US to continue operating. Even
| LocalBitcoins goes out of their way to follow KYC laws.
| helen___keller wrote:
| > This is meant sincerely, not glibly: How? How can
| cryptocurrencies be banned in any meaningful sense?
|
| The main avenue would be by getting rid of the sanctioned
| on/off ramps for crypto (that is, crypto exchanges),
| leaving only the illegal on/off ramps which I'm sure exist.
|
| This obviously wouldn't stop everybody, but it would
| certainly be a deterrent for all but the most motivated and
| well-connected of buyers. At that point, exchanging a large
| amount of crypto would be similar to laundering a large sum
| of dirty money; possible, but not trivial and certainly not
| an "easy out" for a major corporation experiencing a
| ransomware attack.
| echelon wrote:
| Drugs are illegal for Americans to buy, sell, and
| produce.
|
| Laws are how you prevent this.
|
| Can you imagine the Massachusetts Steamship Authority
| paying in _cocaine_?
|
| Why would paying in Bitcoin be any different?
|
| Bitcoin is parroted largely by a bunch of libertarian
| speculative grifters that think they're above the
| authority of our government to manage the monetary
| supply. They want to soak up all the advantages of
| building and controlling an economy.
|
| If you look through the covers, it's all speculation and
| hype. There's nothing "decentralized" or "democratic"
| about it. Bitcoiners are fine with letting social
| services and the underserved slip through the cracks as
| long as they get their reward that they feel they earned.
|
| The US is a democracy, and theoretically it helps people
| of all backgrounds and socioeconomic statuses. It might
| not be evenly distributed, but at least we can toss out
| the bad players. Bitcoin is not a democracy. It rewards
| the Ponzi schemers at the top and leaves everyone else
| out to dry.
|
| And now look at what it's gotten us -- unprecedented
| crime from across international borders that we can't
| stop. All brought to you by the remarkable
| "governmentless decentralization".
|
| Just wait until the kidnappings start. Or the murders for
| hire.
|
| Fucking good for nothing bitcoin. The world was better
| before it existed.
| [deleted]
| loveistheanswer wrote:
| >The main avenue would be by getting rid of the
| sanctioned on/off ramps for crypto (that is, crypto
| exchanges), leaving only the illegal on/off ramps which
| I'm sure exist.
|
| From what I've read it seems it's only the stupidest of
| criminals who are using exchanges like Coinbase to cash
| out, because that's the easiest way to get caught.
| nneonneo wrote:
| What you want to attack is the on-ramps, not the off-
| ramps. Make it really hard to legally acquire
| cryptocurrency, to the point where a company would
| probably have to break a law or two just to get their
| payment together. That, plus criminalizing ransom
| payments, would go a very long way to stemming this tide.
| coolspot wrote:
| Not that I am supporting this, but technically and legally
| just blackhole all IPs detected to run a
| Bitcoin/Ethereum/etc node, just like governments do right
| now with malware command centers.
|
| Legal/technical framework is already here.
| AlexandrB wrote:
| Cryptocurrencies are basically securities. If it's
| difficult or impossible to exchange fiat currency for
| cryptocurrency and vice-versa, the value of cryptocurrency
| drops to basically nothing. What's the point of owning a
| security you can't sell to pay your taxes/mortgage/electric
| bill?
|
| Even if cryptocurrency<->fiat transactions continue to be
| legal in other jurisdictions, making it illegal to trade
| USD for $crypto would make it very hard for a US company to
| pay cryptocurrency ransoms making such schemes much less
| lucrative.
| JumpCrisscross wrote:
| > _How can cryptocurrencies be banned in any meaningful
| sense?_
|
| By banning them? In the law? Enforcement would probably pay
| for itself, plus some. Throw in a whistleblower bonus, like
| the SEC has, if you want it to run on autopilot.
|
| More aggressive: level repeated 51% attacks. This is well
| within the budget of any of the G7.
| paxys wrote:
| They can easily ban all exchanges which convert USD <-> BTC
| from operating within the US. If that is enforced, Bitcoin
| will effectively be dead in the country.
| GauntletWizard wrote:
| You don't need to. Absolutely, if you ban cryptocurrencies,
| only criminals will have cryptocurrencies. It will,
| however, add friction - and make it harder to acquire and
| launder the funds involved.
|
| I think a complete ban on cryptocurrencies is unlikely to
| succeed, for much the same reasons that the US hasn't
| banned guns and that the war on drugs is such a shitshow. A
| punitive tax: 10% of every transaction, for example,
| would still make cryptocurrencies viable for some extreme
| schemes, but would make the practice much harder and help
| establish the "real identity" -> Bitcoin address audit
| trail. Al Capone was busted on tax evasion, after all.
| JumpCrisscross wrote:
| > _companies to pay secretly and illegally instead, something
| which cryptocurrencies enable...Ban cryptocurrencies_
|
| In what world does a ban on paying ransoms get wantonly
| evaded while a ban on cryptocurrencies does not?
| ceejayoz wrote:
| "Banning doesn't work, they'll just do it secretly. The
| solution is to ban something else that's even harder to
| stop."
| samstave wrote:
| Aside from the desire to impart chaos via these attacks.
|
| There is definite economic attack damage incentive still in
| place.
|
| In fact - if ransoms are banned - then it would seem that such
| types of attacks become more of a state sponsored attack to
| affect the economy of your enemy/competition
|
| What if it were apple attacking FB or something like that.
| Surely we will see this in the future, just as originally
| foretold in Neuromancer.
| not_kurt_godel wrote:
| Would it? For some businesses, the reality is going to be that
| paying is necessary to continue to exist. What happens when
| that option, as crappy as it is, is off the table?
| orblivion wrote:
| How about, companies who pay ransoms get a fine that's 10x
| the ransom. It slides up toward 1000x over two years. Kind of
| like deprecating an API slowly by decreasing its
| responsiveness.
| JumpCrisscross wrote:
| > _the reality is going to be that paying is necessary to
| continue to exist. What happens when that option, as crappy
| as it is, is off the table?_
|
| Insurance. Back-ups. Bail outs. Go out of business. That
| ransom paid has negative externalities that manifest
| nationally.
| OminousWeapons wrote:
| You won't even be able to get private insurance if the
| industry has to insure against complete destruction of a
| given business. Are you expecting the US gov to backstop
| every business regardless of size against ransomware? Who
| is going to pay for that?
|
| Additionally, how do you protect against the obvious
| opportunities for fraud and abuse (business deliberately
| attacks itself to collect the insurance payout, business
| hits their competitors to drive them out of business, etc)?
| samstave wrote:
| >"insure against complete destruction of a given
| business."
|
| Isn't that what fire/flood insurance is for?
| OminousWeapons wrote:
| Fire and flood insurance protect against discrete or
| regional risks whereas ransomware will potentially
| disrupt operations globally, and actually most private
| insurers won't offer flood insurance to large swaths of
| the US because the risk has been deemed to be too high.
| The US gov insures against coastal flooding at GREAT
| expense to the tax payer.
| detaro wrote:
| I wonder what the biggest company is that's totally
| dependent on a single location (or locations in the same
| flood zone) and at the same time is usefully insured
| against such destruction.
| Workaccount2 wrote:
| You would be able to get affordable private insurance if
| you had a cyber security team.
| detaro wrote:
| Various providers of "cyber insurance" are right now busy
| getting rid of ransomware coverage because it turns out
| offering that isn't working for them. And yes, they do
| require companies to have cyber security infrastructure
| and audits.
| Workaccount2 wrote:
| That would imply that cyber security isn't effective in
| mitigating these attacks then, no?
| OminousWeapons wrote:
| It suggests it is a difficult problem to stop. As I
| understand it, attackers now frequently perform an
| initial compromise and then manually escalate privileges
| before launching a ransomware attack for greater impact.
| Alternatively, the attacker will sell privileged access
| to a ransomware group. This isn't someone from HR opening
| a malicious attachment and getting the whole company
| owned via EternalBlue.
| detaro wrote:
| At least it suggests that the current standards and
| auditing practices are not sufficient, and apparently
| formulating testable requirements is difficult.
| [deleted]
| [deleted]
| [deleted]
| api wrote:
| A few businesses die. The rest get the message that security
| matters. The ransomware industry is deprived of revenue.
| MattGaiser wrote:
| This is a government agency.
|
| https://en.wikipedia.org/wiki/Steamship_Authority
| api wrote:
| The physical ferries still exist, right? Transfer them to
| a new agency.
| orblivion wrote:
| The followup controversy will be government agencies and
| massive companies getting "too big to fail" exemptions.
| DFHippie wrote:
| If we're allowing government agencies to fail we're in
| pretty crappy shape.
| cma wrote:
| You can imagine it just being easier to code indiscriminate
| attacks where they only review the results to pick who it is
| worth collecting the ransom from.
|
| Unencrypting for victims in the US that couldn't pay would
| just add more exposure risk to them of getting caught, so they
| would have no incentive to actually do it. It would take a
| large bit of money out of the system, but it seems like you
| need all countries to coordinate and that one country doing so
| on its own, enforcing a no pay out rule, won't have much effect
| on non-targeted attacks.
|
| How many of these attacks are fully automated in the initial
| attack/encrypt phase vs. human operators explicitly working to
| more fully infiltrate a target?
| akiselev wrote:
| _> How many of these attacks are fully automated in the
| initial attack/encrypt phase vs. human operators explicitly
| working to more fully infiltrate a target?_
|
| Given the effectiveness of social engineering in hacking's
| history, that's a very good question. I wouldn't be surprised
| if randomized attacks are used to create a "sales funnel" of
| high value targets with poor IT ops/outdated equipment/etc
| that can be exploited for big payouts. All it takes is a few
| hundred or thousand dollars to bribe a low level employee so
| the vast majority of the cost is likely in finding targets.
| Once they've identified a target, the exploitation process is
| probably mechanical.
| 0xdba wrote:
| They used to target individuals, but have moved to larger
| institutions with likely big insurance payouts. Schools,
| companies, government agencies.
| xwdv wrote:
| A federal regulation requiring decent cybersecurity measures
| would be better.
| JumpCrisscross wrote:
| > _regulation requiring decent cybersecurity measures would
| be better_
|
| For those of us who make money when cybersecurity dollars are
| spent, yes. Practically, you'd get a federal agency writing
| checklists.
| lumost wrote:
| Good security practices are mainly checklists.
|
| Do you use https?
|
| Do you store password hashes instead of passwords?
|
| Is the DB storing passwords in a firewalled network?
|
| Is access to the DB restricted to only "need to know
| individuals"?
|
| Does the DB send password hashes to other services?
|
| Have you had a penetration test of your authentication
| system?
|
| Do you sanitize the SQL you send to your DB?
|
| etc.
|
| Unfortunately the majority of security incidents occur due
| to someone forgetting something pretty basic or assuming
| "no one will ever find that".
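Two of the checklist items above (hashes instead of passwords, and parameterised rather than string-built SQL) as an added runnable example; this is not code from the thread or from any project discussed in it. It uses only the Python standard library, an in-memory SQLite table, and constructed sample credentials, and the PBKDF2 iteration count is an assumed value, not a recommendation from the page.

```python
"""Added example (not from the HN thread): two checklist items implemented
with Python's standard library so the behaviour can be checked offline.

Assumptions (constructed for this example): an in-memory SQLite database,
a single `users` table, and sample credentials made up for the demo.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# PBKDF2-HMAC-SHA256 parameters (assumed values; tune to your own hardware).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is generated unless one is supplied."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def open_user_db() -> sqlite3.Connection:
    """Create the constructed in-memory table the example runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only salt + hash, never the password (checklist: hashes instead of passwords)."""
    salt, digest = hash_password(password)
    # Bound parameters: user-controlled values never become part of the SQL text.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)", (username, salt, digest)
    )


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Check a login attempt. Only a bool leaves this function; the stored hash does not
    (checklist: the DB should not hand password hashes to other services)."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """The pattern the checklist warns against: the input is pasted into the SQL text.
    Kept only so demo() can show why the parameterised form is the one to use."""
    return conn.execute(f"SELECT username FROM users WHERE username = '{username}'").fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """Same query with a bound parameter: the input is data, never SQL."""
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()


def demo() -> dict:
    """Run both checks and report what a reviewer would want to verify."""
    conn = open_user_db()
    register(conn, "alice", "correct horse battery staple")  # constructed sample credentials
    register(conn, "bob", "hunter2")
    probe = "x' OR '1'='1"  # textbook tautology used in defensive testing of query building
    return {
        "good_login": verify_login(conn, "alice", "correct horse battery staple"),
        "bad_login": verify_login(conn, "alice", "wrong"),
        "unknown_user": verify_login(conn, "carol", "anything"),
        # String-built query matches every row for the probe; the bound query matches none.
        "unsafe_rows": len(lookup_user_unsafe(conn, probe)),
        "safe_rows": len(lookup_user_safe(conn, probe)),
        # The stored column holds a hash, not the password itself.
        "plaintext_stored": any(
            r[0] == b"hunter2" for r in conn.execute("SELECT pw_hash FROM users").fetchall()
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup is included only as the "before" half of the comparison; in a real code base the reviewer's job is to make sure it never ships, which is exactly what the checklist question is asking.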
| artful-hacker wrote:
| I feel like a checklist is just part of it. The truth is
| that a secure software development lifecycle needs to be
| taken seriously at every stage, and this costs a lot of
| money. During prototyping and requirements gathering you
| need to be setting security requirements, vetting planned
| dependencies, and prototyping things like authentication
| and authorization. Each design should include threat
| modeling and threat mitigations. Implementation time
| should include mandatory code review, static analysis and
| secure code checklists. Testing needs to include manual
| penetration testing and dynamic scanning. Finally,
| maintenance is another area where things fall apart. Who
| is going to handle patching? Who will be accountable in 4
| years when that version of Tomcat is EOL? None of these
| things are trivial, and people that have the skills to
| execute on them are rare. Getting a company fully willing
| to spend the money and time on them is even rarer. I had
| an old boss who aptly said once "Security is a black hole
| where money goes to die".
| lumost wrote:
| > people that have the skills to execute on them are rare
|
| This is the limiting factor in secure coding. We need
| more efficient ways of scaling out the few teams doing
| top tier work, as it only takes a single bad code review
| to open a security hole.
|
| Teams should not need to implement their own
| authentication mechanism. Most companies should not need
| to implement their own mechanism. Authentication
| providers should explicitly and automatically verify that
| their clients have implemented auth correctly.
| zaphar wrote:
| Those are best practices in hardening a system but those
| are just table stakes. Good security requires having
| observability of your systems and following up and/or
| checking on any anomalous activity you detect.
|
| For the most part determined actors (many of them state
| sponsored) are going to be hard to prevent if they target
| you. Your best defense is early detection and reaction to
| the initial breaches. If you only do the hardening part
| and leave out the monitoring/observation part you are
| going to get owned.
| [deleted]
| dredmorbius wrote:
| There are threats which emerge when a viability threshold is
| crossed and realised.
|
| For cities, recurring plagues began occurring during Roman times
| and limited maximum city populations to about 1 million until the
| advent of modern sanitation, hygiene, public health, waste
| removal, and food quality. (Actual medical care and treatment had
| little to do with this, though vaccines and antibiotics helped.)
|
| Industrial pollution lagged industrial development by about 50--
| 100 years, with air and water quality and material contamination
| (heavy metals, asbestos, organic solvents, synthetic hormone
| disruptors and other bio-active contaminants, etc.).
|
| Increases in travel, transport, and communications almost always
| directly facilitate fraud. The Greek/Roman gods Hermes/Mercury
| represented communication, messages, travel, transportation,
| commerce, trickery, and thieves. The term "Confidence Man" arose
| from Herman Melville's novel of the same name, set on the first
| great highway of the United States, the steamboat-plied
| Mississippi.
|
| Mail begat mail fraud. Telegraph and telephones begat wire fraud.
| Cheap broadcast radio and television, payola and game-show fraud.
| Email begat spam and phishing.
|
| The 1990s and 2000s computerised business practices employed
| computers with shitty security, but those systems were saved by
| the general lack of networking, the relatively small size of
| global computer networks, limited disk storage, limited network
| bandwidth, and the effectual air-gapping of paper-driven steps in
| processing. Billing might be submitted or computed
| electronically, but a paper check still had to be cut and signed.
| Draining accounts or data simply wasn't possible without running
| up against the inherent limitations of computer infrastructure at
| the time _even had a payment mechanism similar to today's
| cryptocurrencies been available._
|
| If my assessment is correct, we'll be seeing much more of this.
|
| Attackers have low costs. Victims have highly-interconnected, but
| poorly-defended systems, comprised of multiple components, each
| complex on its own, and lacking any effective overall security
| accountability. End-to-end automation exists, facilitating _both_
| productive work _and_ effective attacks. A viable and tracking-
| resistant payment mechanism exists. Regions from which attacks
| can be made with impunity exist, and are well-connected to global
| data networks.
|
| Backups alone are not an effective defence as these protect
| against data loss but not data disclosure. Full defence will
| require radically different thinking, protection, risk
| assessment, and law-enforcement capabilities.
|
| Until then, get used to more of this, at both large and small
| scales.
|
| There are some potential bright lights.
|
| - I suspect attackers aren't targeting specific facilities but
| are instead conducting automated and scripted attacks against
| vulnerable facilities.
|
| - For data-encryption ransom attacks, this means that the
| _decryption_ key is all but certainly derivable from information
| _on the attacked system_, perhaps encoded as filenames or
| contents. Determining this mechanism may at least allow for data
| recovery. (It of course does nothing against data disclosure,
| long-term surveillance, or access denial attacks.) The likelihood
| that attackers have some database of victims + passwords seems
| low.
|
| - Attackers are themselves subject to trust and suspicion
| attacks, and turning members or safe-harbours against attackers
| is probably a useful countermeasure.
|
| - State-level sanctions, falling _short_ of military attacks, may
| also prove effective.
| Animats wrote:
| Oh, that's going to annoy some rich people.
| 1970-01-01 wrote:
| This isn't news anymore, it's weather. If your company does not
| have a full time cybersecurity team, they soon will, even if they
| say they don't need it.
| walrus01 wrote:
| and as a parallel to modern industry standard infosec best
| practices, a good offsite/off-line backup system, disaster
| recovery program, tested backups/recovery methodology. A lot of
| the companies I've seen badly affected by a cryptolocker
| malware would have been equally in a dire situation if their
| head office/datacenter had burned down.
| Ekaros wrote:
| Defined process to run things without systems, if at all
| possible. That would sound obvious to me. It may take a lot of
| effort but with critical sectors such plans should be
| mandatory.
| joe_the_user wrote:
| In a lot of situations we've heard about, the cybersecurity
| team could consist of one person with a bullhorn walking around
| shouting "don't connect critical infrastructure to the
| Internet".
|
| Whether they'd listen to them still is another matter but
| that's the same with a regular cybersecurity team.
|
| And that is to say we have institutional standards where unsafe
| practices are considered OK and will be followed because they
| save X dollars and time now.
| PeterisP wrote:
| I don't agree - that won't work as critical infrastructure
| can't be not connected to internet; perhaps we have a
| different understanding of what "critical infrastructure"
| means? You can have disconnected industrial networks, but the
| ransomware cases aren't really about those.
|
| For example, let's look at the recent major Colonial Pipeline
| case. Their pipeline systems weren't connected to the
| Internet, and did not get compromised. What got compromised
| was their business billing and customer communications
| systems - and those _do_ need to be connected to internet,
| that's their whole point, and they apparently were critical
| enough to make them shut down the (uncompromised) pipeline
| anyway.
|
| It doesn't matter if your meat packing plant machinery SCADA
| systems are isolated, your inventory, logistics and sales
| systems are critical for your operations and need to be
| connected to the internet, so a ransomware attack will kill
| you even if your plant equipment works fine.
|
| It doesn't matter if your chemical plant sensor network is
| isolated, your payroll and shift scheduling system is
| critical to your operations and needs to be connected to the
| internet.
|
| Heck, for so many companies their email systems are critical
| to their operations (and leaking the contents would cause a
| massive liability) and those obviously need to be connected
| to the internet.
|
| Not connecting is helpful in some cases, but it's nowhere
| close to a sufficient solution.
| nradov wrote:
| Most companies should really outsource their IT infrastructure
| instead of hiring a full-time cyber security team. It will be
| cheaper in the long run.
| [deleted]
| Ekaros wrote:
| Seeing some of the mess that IT support is for enterprise
| customers, I wonder whether they would really do better. On the
| other hand, an SLA could be a real thing and kill the incompetent
| providers.
___________________________________________________________________
(page generated 2021-06-02 23:00 UTC)