[HN Gopher] Fujifilm shuts down network after suspected ransomwa...
___________________________________________________________________
Fujifilm shuts down network after suspected ransomware attack
Author : jmull
Score : 39 points
Date : 2021-06-02 20:09 UTC (2 hours ago)
(HTM) web link (www.bleepingcomputer.com)
(TXT) w3m dump (www.bleepingcomputer.com)
| sschueller wrote:
| Let's see if Fujifilm has better network security and backups
| than others. Cutting the network seems like a good way to gain
| time to figure out what is affected and how.
| slver wrote:
| Brought to you by cryptocurrency.
| samatman wrote:
| Brought to you by a culture of insecurity in computer
| programming and network engineering.
|
| I understand the temptation to blame cybercoins, because the
| actual explanation is a stunning indictment of our entire
| profession.
|
| But, no, the insecurity is optional, and comes from an entire
| culture of "good enough", which is manifestly not good enough.
|
| Cybercoins provide a general-purpose medium to profit from
| exploiting this insecurity. But the insecurity was already
| there, with plenty of economic and political reasons to exploit
| it; the pre-Bitcoin status quo was chock full of data breaches
| and state actors siphoning off anything they wanted to, and we
| just put up with it because we're lazy and arrogant.
| jonny_eh wrote:
| We're ruining the environment to enable ransomware attacks.
| slver wrote:
| 20th century consensus: centralized stupidity is a threat, we
| must decentralize
|
| 21st century consensus: decentralized stupidity is worse,
| turns out
| sebyx07 wrote:
| Powered by Microsoft
| rantwasp wrote:
| really? crypto is to blame? not the weak security and culture
| of passing the buck?
|
| do you know what is the currency involved in most number of
| crimes in the world? i'll let you guess.
| vmception wrote:
| and underpriced bug bounties.
| slver wrote:
| That's like a gang attacking you on the street, and someone
| remarking you should've hired (more) bodyguards.
|
| No infrastructure is perfectly secure. This is why it's
| illegal to attack infrastructure and blackmail the owners.
|
| However "illegal" doesn't mean anything to cryptocurrency,
| because it's beyond anyone's control. Before crypto, there
| was no direct way to pay the blackmailers, unless they were
| nearby, and willing to send someone to get cash in a
| briefcase. Which involves a lot of risk, obviously.
|
| With crypto anyone in the world can attack you, and get paid
| risk-free.
| boringg wrote:
| And that someone happens to have a lot of bodyguards for
| sale / is a bodyguard
| vmception wrote:
| But it's _more like_ the incentives to crowdsource security
| improvements can be improved with bug bounties that more closely
| reflect the value of the system or bounty
| slver wrote:
| I can play your game. But I'll make it fair.
|
| I'll pay you to find bugs in my system. I'll pay you a
| lot. But if it gets hacked:
|
| 1. You return all money.
|
| 2. You're personally responsible for all negative
| financial and legal outcomes.
|
| 3. And I don't mean I get to take your Nintendo Wii and
| your half-eaten donut. I mean you need to prove you have
| a whole lot of money, like how much I stand to lose. And
| if I lose them due to a hack you failed to prevent, I
| take all your money.
|
| 4. Also you can't have contracts with other people,
| unless you have a separate pile of money for them when
| they get hacked.
|
| You game? Sign here, here and here.
| vmception wrote:
| orrrrr just use the existing bug bounty systems with
| higher payouts and less arbitrary nature of whether a
| payout will occur or not, as they already have sorted out
| liability exemptions and the limit of what the hacker
| will do.
| slver wrote:
| Bug bounty programs help when you want to gradually
| improve the quality of your system, but no single bug can
| be used to blackmail or halt your entire business.
|
| You see, your proposal's math doesn't work. Acme has a
| system worth 100 million. This means a blackmailer can
| ask for 100 million if they find one bug (let's keep
| things simple).
|
| Obviously Acme can't offer 100 million in a bug bounty
| program for every bug found. So let's say they offer
| 100k, they're very generous. This means after 1000 bugs
| found, they've transferred their entire worth to bug
| bounty hunters.
|
| So while Acme had to create a system worth 100 million,
| they own 0 of it now. They gave everything to bounty
| hunters. Is this fair? No. What happened is that instead
| of one blackmailer, there were 1000 blackmailers saying
| "we're the good guys, we help you find bugs in your
| system, OR ELSE".
|
| When a health industry keeps raising the prices on you,
| because they keep saying "we're the good guys, we help
| you not die of cancer, give us your house, OR ELSE" we
| love them right?
|
| But that's not the end of the story.
|
| Did the good guys who took all your money find all the
| bugs? Well, a blackmailer still stands to gain 1000x more
| than anyone on the bug bounty program, if they can find a
| bug before the bug bounty hunters have leeched the host
| dry of their last drop of blood. So a malicious hacker is
| motivated to be faster, and financed to be better, with
| more people, better equipment, and so on.
|
| So the bug bounty program is an absolutely inadequate
| solution to the problem. Paying more to match what a
| blackmailer would ask turns the bug bounty hunters into
| blackmailers. Except they also can't guarantee shit. And
| they can't cover losses for shit if they miss something
| either. They just take your money and leave you almost as
| vulnerable as you were.
|
| So, no. Companies won't have bigger bug bounty programs.
|
| Instead they'll do something that might help. Like move
| off the internet, making things more inconvenient for
| everyone, and insure heavily anything they put online.
| vmception wrote:
| Great points
|
| My primary rebuttal is that enough hackers don't want
| 1000x more than anyone else in the bug bounty program,
| they don't want the liability associated with
| reintegrating that money back into society
|
| Somewhere in between bug bounties pricing and payouts
| now, and the incentive to cripple/steal everything for
| ransom, is the more accurate medium
| slver wrote:
| The problem with your rebuttal is that there is ZERO
| liability in asking Bitcoin to be moved into an anonymous
| wallet. And when you include the whole world into your
| scenario, you need to realize there are a whole lot of
| countries that can't give a flying fuck about America, or
| Japan, or basically any other country than theirs,
| especially when for example the target country is
| dropping bombs on their heads, or crippling their economy
| with sanctions.
|
| You think we're all good guys and we'll get along, see?
| But actually, Bitcoin has enabled a new type of
| international warfare. And thinking positive thoughts
| will do nothing to prevent that.
| vmception wrote:
| I can make the same observations as you, the difference
| is that this doesn't bother me.
|
| The concept will never go away. The concept of computing
| a hash client side under an agreed upon set of conformity
| for eventual addition to a globally stored list of
| hashes. Although you haven't argued for making it go
| away, people that talk like you typically are arguing for
| the idea that the state can successfully make it go away.
| This concept works whether institutional exchanges say
| each hash is part of a unit worth $60,000 a pop or those
| institutions don't exist and the market says the units
| are worth $2 a pop.
| slver wrote:
| The concept of deciding something that's rare is valuable
| will never go away. It's just revision #987192 of the
| "tulip craze" phenomenon.
|
| But this will keep getting worse and worse until
| cryptocurrencies are outlawed. And this will not stop
| their use completely, but their value hinges on their
| trade value, which in large part depends on their
| legality. So the value will collapse to nothing. So now
| blockchains have no incentive to exist either. Poof.
| vmception wrote:
| > Although you haven't argued for making it go away,
| people that talk like you typically are arguing for the
| idea that the state can successfully make it go away.
|
| and there it is.
| slver wrote:
| Yeah I read this the first time around.
|
| My point was to explain why a trade tool's value is
| determined by its ability to trade with it, and
| demonstrate why legality of the currency itself matters.
|
| If you don't understand this, you don't understand the
| concept of currency in the first place. Something being
| rare is not sufficient for it to have trade value.
| christophilus wrote:
| It's more like you move to a high crime area and don't lock
| your front door and then blame the break-in on your wife's
| diamond necklace.
| swensel wrote:
| Blockchain forensics are already used for tracking
| transactions and these will get more advanced over time. I
| think saying "risk-free" is a big stretch. Yes, this is
| made possible with cryptocurrency, the transactions are
| irreversible and are not controlled by a central authority
| (generally). However, many blockchains are also public
| ledgers, and you have to also figure in fiat gateways if
| the attackers don't just want to keep the money in
| cryptocurrency.
| slver wrote:
| Asking for ransom and getting the payment are, yes, 100%,
| absolutely, no ifs, no buts, no exceptions: risk-free.
| Zero risk.
|
| So it will happen with increasing frequency, thanks to
| cryptocurrency.
|
| What you're talking about, actually laundering the coin
| so it's usable, is a problem. But it's a problem that
| comes AFTER. And you probably realize criminals don't
| just sit idle, until they can plan out their crime 50
| years ahead to perfect detail.
|
| Also you can do all the forensics you want, if that coin
| ends up scattered around the world in tiny bits, what are
| you going to do, jail everyone?
|
| What if I hate person X, and send him some of my publicly
| dirty Bitcoin, $1 million worth? I can put him in jail
| then.
|
| What if person Y wants to put person X in jail? So person
| Y buys my painting for $1M cash. And I send $1M dirty
| Bitcoin to the target and put him in jail. I just
| laundered $1M in a completely untraceable way. "Fuck your
| blockchain forensics" is what criminals have to say about
| all this.
|
| You have no idea how infinite the ways to use and launder
| that money are, ONCE you have it. And to have it, again...
| is RISK-FREE.
| swensel wrote:
| You realize that law enforcement will continue to track
| blockchain transactions, including ones that happened in
| the past? When you transfer a coin it's not like you
| never owned that coin before. Selling crypto for artwork
| does not wash it of all previous owners and transactions
| (including timestamps). I could see perpetrators having
| action taken against them in the future.
|
| To me it seems like you really don't like crypto, and
| that is fine, you are welcome to hold that opinion.
| madcow2 wrote:
| So some poor soul gets stuck with the hot potato down the
| road (i.e. their funds frozen for no apparent reason when
| the forensics flags them). The criminals know this and
| will cash out immediately as much as possible. How is
| that a good thing?
| swensel wrote:
| Analysis of the transactions could lead law enforcement
| to the attackers before they try to cash out. Centralized
| exchanges may also flag the attackers when they attempt
| to cash out. There is no guarantee they can cash out
| without getting caught first. It's not just that some
| poor new owner is left holding the bag. Addresses get
| blacklisted by law enforcement and the exchanges. I don't
| think those coins would continue to be transferred to new
| owners.
|
| Those potential new owners would also probably just go
| trade on an exchange. If there is some big discount from
| a local party trying to get rid of the coins, wouldn't
| that raise some red flag?
|
| The transactions for most cryptocurrency blockchains are
| viewable by all members of the public. With fiat, only
| the banks (or the governments) can see transactions. If I
| were to say there is some good thing, I would say that is
| a new innovation that hasn't been possible before.
| Cryptocurrency also does enable new illegal activities
| that weren't possible before, so there are definitely
| pros / cons, but I would say there are pros / cons to
| fiat as well.
| slver wrote:
| > With fiat, only the banks (or the governments) can see
| transactions. If I was to say there is some good thing, I
| would say that is a new innovation that hasn't been
| possible before.
|
| What do you mean it hasn't been possible? It's absolutely
| possible. We don't do it because no one wants to
| advertise how much money they have and who they give it
| to, unless compelled by a specific reason.
|
| > Cryptocurrency also does enable new illegal activities
| that weren't possible before, so there are definitely
| pros / cons, but I would say there are pros / cons to
| fiat as well.
|
| So the pros are things we could do (publish our private
| transactions), but we don't want to, and the cons are
| things we could do (blackmail each other), but we don't
| want to.
|
| Lol, great.
| swensel wrote:
| For me it is that I think the general public has no
| choice in the matter now, the banks and governments do.
| That is the difference I see.
| vmception wrote:
| These are bad assumptions about what options, interests
| and motives attackers have.
|
| Laundering is very easy with cryptocurrency. Despite the
| transparency on chain, how can anyone distinguish between
| someone buying a meme coin earlier and cashing out at
| 80,000% gains, versus someone with _two_ accounts who
| bought a meme coin with clean money (account 1) and then
| pumped that meme coin 80,000% with their dirty money
| (accounts 2 through n) coming from different addresses?
| The dirty money accounts are now saddled with the meme
| coin, and the clean money accounts as well as yours and
| every other fomo trader's account that sold now have the
| more liquid cryptocurrency. For all reporting purposes,
| everyone has clean money and simply was a good trader. No
| investigator or government is proposing that traders are
| liable for determining who they traded against when it's
| onchain or in an offchain exchange.
|
| Secondly, not everyone wants fiat currency. The attackers
| can invest in other cryptos and make any founder or fund
| popular and highly revered. They can acquire goods and
| services and access with the crypto itself. They aren't
| sitting there trying to figure out how they can buy
| multimillion dollar houses and yachts, as it's not a
| priority, but if they do want a lot of fiat it's always
| available.
| swensel wrote:
| I do think blockchain analysis will get more advanced
| over time and people who think they are anonymous now may
| have a rude awakening years down the line, but from what
| I can tell, you know crypto better than I do.
|
| IMO, if folks want privacy now they should actually use
| privacy focused crypto, but I also think the public
| nature of crypto is one of the interesting parts of it. I
| know there are privacy diehards and I can understand why,
| but I'm more interested about the technology in general.
| vmception wrote:
| Yeah, private cryptos like the Secret Network, Monero, or
| the Tornado.cash contract on the Ethereum network all have a
| way for the user to provide audits. So what you find
| interesting about the technology is still available or
| even more available. Secret Network offloads necessary
| state information into Intel SGX chips that all the
| validators have. Tornado.cash generates state information
| client side and offloads it all client side and must be
| saved by the user, for now. Monero is much more
| complicated.
|
| Ultimately the only thing changing is the state's ability
| to flag electronic transactions, as there are no
| financial intermediaries for them to deputize. They
| didn't have that ability in the cash based system, and
| they temporarily got used to it in the electronic one.
| This is just a reversion to the mean.
| tibbydudeza wrote:
| Imagine if they targeted TSMC or ASML?
| buildbot wrote:
| I know some people who work for a TSMC subsidiary; they take
| security extremely seriously, all data is physically located in
| Taiwan and everyone remotes in, super locked down systems, etc.
|
| I can't imagine their actual production floor being connected
| to anything at all, ever. You'd need a Stuxnet-style air-gap
| jump.
| jagger27 wrote:
| Those companies have state level adversaries to contend with.
| tibbydudeza wrote:
| Chinese hackers already hacked the NSA and stole their zero
| day exploits - it was 2014 but still.
| jbay808 wrote:
| Don't worry, I'm sure the NSA has acquired lots of fresh
| new exploits since then!
| sebyx07 wrote:
| MS Windows is 100% to blame. How can a worm spread that easily in
| 2021 to PCs across the network? 0day trash Windows exploits
| Grakel wrote:
| Why is infrastructure on the internet?
___________________________________________________________________
(page generated 2021-06-02 23:01 UTC)