[HN Gopher] [New York] MTA Is Breached by Hackers as Cyberattack...
       ___________________________________________________________________
        
       [New York] MTA Is Breached by Hackers as Cyberattacks Surge
        
       Author : perihelions
       Score  : 41 points
       Date   : 2021-06-02 20:57 UTC (2 hours ago)
        
 (HTM) web link (www.nytimes.com)
 (TXT) w3m dump (www.nytimes.com)
        
       | tibbydudeza wrote:
       | This seems rather suspicious all these reports of a sudden - are
       | they plotting to bring back the Clipper chip V2 ???.
        
       | andred14 wrote:
       | Just like Klauss Schwab from the World Economic Forum says the
       | "cyber pandemic" is coming.
       | 
       | First they test the idea at Cyber Polygon (similar to event 201
       | which simulated a virus pandemic just before the fake "cov1d"
       | outbreak)
       | 
       | https://cyberpolygon.com/
       | 
       | And then they will just do it. Problem is, just like cov1d - IT'S
       | ALL FAKE
        
       | JohnWhigham wrote:
       | Is there any group at all lobbying our limpwrist Congress to do
       | something about these?
        
         | lupire wrote:
         | National Defense is the realm of the Executive.
        
           | lumost wrote:
            | The executive branch using a crisis to seize power is
           | dubious. In the US the legislative branch has the authority
           | to declare war, make laws, create, and direct agencies. Power
           | is delegated to the President by congress (a progressively
           | more common occurrence)
        
         | madcow2 wrote:
         | > limpwrist Congress
         | 
         | That's quite the choice of adjective given the month.
        
           | kick_in_the_doo wrote:
           | That doesn't necessarily have to be a gay slur. Could refer
            | to someone sitting around all day doing...that.
        
       | nathanaldensr wrote:
       | Just curious if "ties to China" means "an IP address that may or
       | may not be allocated to Chinese geography, and may or may not
       | simply be a Tor exit node or a VPN service."
       | 
       | People are far too trusting of these claims of where these
       | attacks originated. Very few people in the world, including
       | journalists, know how IP networks work.
        
         | hn8788 wrote:
         | To give them the benefit of the doubt, they said "a hacking
         | group believed to have links to the Chinese government", which
         | makes me think they probably used tools and techniques
         | associated with a known group.
        
       | vmception wrote:
       | Cyberattack day!
       | 
        | This one happened over a month ago, it's obvious this is a
       | trending headline likely not organically, so make sure to
       | separate the dates before thinking we are under a coordinated
       | attack all at once right now
        
         | booleandilemma wrote:
         | The media needs something to scream about after corona is over.
         | It looks like Russian and Chinese hackers are on the menu.
        
           | FridayoLeary wrote:
           | Corona isn't over and we should still be screaming at the top
           | of our lungs at the Chinese for answers. Instead of going out
           | to the shops and buying brooms to sweep the topic under the
           | carpet (which are also recent buys).
        
         | weaksauce wrote:
          | I think on HN this has always been a trend. A headline sparks
         | more headlines of similar stories regardless of date. I've seen
         | it happen quite frequently.
        
           | FridayoLeary wrote:
           | I've also noticed. I think once interest is sparked in a
           | topic, any topic, people are thirsty for more. I don't think
           | it's the most useful way to orderly accumulate knowledge of a
            | subject but there it is, I'm as guilty as the next guy.
        
       | FredPret wrote:
       | Perhaps a pentester or security person can help answer this.
       | Could a list of minimum network safety standards be made that:
       | 
       | a) would help the ransomware & hacking crisis, and, b) is
        | practically enforceable at scale?
        
         | rantwasp wrote:
          | There are standards and operating procedures that can be used.
          | It's not that hard.
         | 
          | It comes down to training and cost cutting. If the penalty for
         | failing miserably is 0 you won't see any change. I would hold
         | the companies responsible for things like this liable to the
         | point they would be put out of business after an event like
         | this. If the cost of being sloppy is that you no longer have a
         | business people will start paying attention really quickly.
        
           | wyager wrote:
           | > there are standards and operating procedures that can be
           | used
           | 
           | 99% of these standards are completely useless and exist only
           | to reduce legal liability. The other 1% are only incidentally
           | slightly useful.
           | 
           | You will never ever create a secure company by following some
           | stupid checklist, unless the checklist is so extreme as to be
           | useless to most orgs. "Step 1: only run OpenBSD..."
        
         | madcow2 wrote:
         | > Perhaps a pentester or security person can help answer this
         | 
         | Not one of those but since they are [apparently] inadequate
         | anyway...
         | 
         | I read an analogy that pinning this on "cyber security" is like
         | accusing a mugging victim of having a lack of personal security
         | guards. That's just not how _civil_ society works.
         | 
         | Minimum safety standards: laws and ability to enforce them.
         | 
         | This is a short-term win for the bad actors. Just wait until
          | the next "great firewall." We'll gain safety, but we'll lose
          | access to that low-cost Eastern European dev talent. That's
         | more likely than every single US business being forced to hire
         | private security just to operate.
        
           | curiousgal wrote:
           | I think of it more like someone's house getting robbed
            | because of them having bad or no locks ¯\_(ツ)_/¯
        
             | BitwiseFool wrote:
             | I don't think the analogy fits because there are so many
             | ways for an attacker to compromise a system besides the
             | "front door". If we want to stretch things, a member of
             | your own family can unwittingly let a guest perform an
             | action that enables the robbery weeks later.
        
           | wyager wrote:
           | > That's just not how civil society works.
           | 
           | This is a cope and also irrelevant.
           | 
           | Civil society works a certain way because of its social
           | interaction dynamics. The internet works much differently
           | (namely, retribution is much harder, which rules out most
           | tit-for-tat transgression management strategies, and the
           | scale is much larger than is possible with human
           | interaction).
        
           | bawolff wrote:
           | > I read an analogy that pinning this on "cyber security" is
           | like accusing a mugging victim of having a lack of personal
           | security guards. That's just not how civil society works
           | 
           | Civil society does punish businesses when bad things happen
           | due to negligence. Especially when the result of the
            | negligence negatively affects someone else.
        
           | hn8788 wrote:
           | A better analogy would be an armored truck full of cash
           | parking overnight in a bad neighborhood with the doors
           | unlocked, then crying to the media about how they were robbed
           | by criminals. There has to be some level of personal
           | responsibility; it's foolish to expect people to not do bad
           | things just because the law says they shouldn't.
        
         | motohagiography wrote:
         | There are none. Compliance is bargaining with a universe that
         | doesn't care.
         | 
         | Hold product managers and non-tech execs accountable for
         | security breaches. Stop treating IT/ops like the suckers. Since
         | that's never going to happen, buy some Monero to increase your
         | bargaining leverage on the ransom price.
         | 
         | The bar is not very high, it's bike theft economics. Your stuff
         | only needs to be less vulnerable than the next guys, unless you
         | are a political target. If you are a political target, please
         | forget my name.
        
         | wyager wrote:
         | There are definitely strategies that significantly reduce the
         | cost of such an attack - one being append-only backups of a
         | sufficient frequency and with a fast enough restore time. We
         | have the tech to do this cheaply (mount user shares via ZFS-
         | backed NFS, for example) but I'm not sure many places have the
         | organizational competence to implement something so simple and
         | effective. They need to spend 100x more money on something 10%
         | as useful.
         | 
         | It's also possible to eliminate these attacks entirely, but it
         | probably requires corporate tech infra that looks totally
          | different from what most orgs have now. If it were my job to
          | set up some sort of hardened corporate setup, my first step would
         | probably be to restrict most employees to iPads. There's not
         | really any reason a shift manager at a meat packing plant or
         | whatever needs or benefits from a Windows box.
        
         | bawolff wrote:
            | The primary thing to help with ransomware would be to have tested
         | backups, where you can reimage the computers and restore from
         | backups reasonably quickly.
        
           | anoyesnonymous wrote:
           | And offline backups
        
             | paperwasp42 wrote:
             | And to add to that, offline backups that go back 90+ days.
             | Ransomware gangs frequently use time bombs to deploy their
             | encryption after sitting within a system for a month or
             | two. If you get hit by one of those gangs and only keep
             | backups for 45 days, you're screwed, because your backup is
             | still infected.
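The retention point raised by wyager (append-only snapshots) and paperwasp42 (backups must reach back past the attacker's dwell time) can be checked mechanically. The following is an added example, not code from the thread: a grandfather-father-son snapshot pruning policy plus a check for a clean restore point, run against a constructed 120-day scenario in which the intruder sat in the network for 60 days before the encryption payload fired.

```python
from datetime import date, timedelta

# Added example (not from the thread): a grandfather-father-son snapshot
# retention policy and a check that a clean restore point survives a
# ransomware "time bomb" that detonates weeks after the initial intrusion.

def retained_snapshots(snapshots, today, keep_daily, keep_weekly, keep_monthly):
    """Return the subset of snapshot dates a pruning job would keep:
    every snapshot from the last `keep_daily` days, the first snapshot of
    each of the last `keep_weekly` ISO weeks and the first snapshot of each
    of the last `keep_monthly` calendar months."""
    keep = set()
    first_in_week = {}
    first_in_month = {}
    for snap in sorted(snapshots):
        age_days = (today - snap).days
        if age_days < keep_daily:
            keep.add(snap)
        if age_days < keep_weekly * 7:
            first_in_week.setdefault(tuple(snap.isocalendar()[:2]), snap)
        months_old = (today.year - snap.year) * 12 + today.month - snap.month
        if months_old < keep_monthly:
            first_in_month.setdefault((snap.year, snap.month), snap)
    keep.update(first_in_week.values())
    keep.update(first_in_month.values())
    return keep

def clean_restore_point(retained, compromise_date):
    """Newest retained snapshot taken strictly before the intruder got in,
    or None when every surviving copy may already carry the implant."""
    clean = [snap for snap in retained if snap < compromise_date]
    return max(clean) if clean else None

# Constructed scenario: nightly snapshots for 120 days; the attacker gained
# access 60 days before the encryption payload fires on `detonation`.
detonation = date(2021, 6, 2)
nightly = [detonation - timedelta(days=d) for d in range(120)]
compromise = detonation - timedelta(days=60)

def scenario(keep_daily, keep_weekly, keep_monthly):
    """Apply one retention policy to the scenario and return the clean restore point."""
    kept = retained_snapshots(nightly, detonation, keep_daily, keep_weekly, keep_monthly)
    return clean_restore_point(kept, compromise)

if __name__ == "__main__":
    # 45 days of nightlies only: every surviving copy postdates the break-in.
    print("45 daily only   ->", scenario(45, 0, 0))   # None
    # Tiered retention reaches back past the dwell time, at the cost of an
    # older restore point (the April monthly); the data in between is lost.
    print("14d/8w/6m tiers ->", scenario(14, 8, 6))   # 2021-04-01
```

The check only reasons about dates: the retained snapshots must also be offline or immutable (append-only), or the same intruder can delete them before detonating.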
        
           | viraptor wrote:
           | But first you have to figure out how you got owned the first
           | time and fix the issue. Otherwise you'll just get owned the
           | next day again...
        
           | crummy wrote:
           | I think the perpetrators are now taking data "hostage", and
            | threatening to release it publicly unless the ransom is
           | paid - in this case backups don't help, though it depends on
           | how sensitive your data is.
        
         | geofft wrote:
         | > _To gain access to the M.T.A. and other systems, the hackers
         | took advantage of vulnerabilities in Pulse Connect Secure, a
         | widely used connectivity tool that offers workers remote access
         | to their employers' networks. [...] The hackers took advantage
         | of a so-called "zero day," or a previously unknown coding flaw
         | in software for which a patch does not exist._
         | 
         | The Pulse VPN has a history of security issues (see e.g.
         | https://arstechnica.com/information-
         | technology/2020/01/unpat...) - so much so that the second and
         | third Google autocomplete results are "pulse vpn vulnerability"
         | and "pulse vpn hack". One practically enforceable at scale rule
         | is to pay attention to whether your vendors have a bad security
         | track record and also be meaningfully prepared to switch
         | (switching VPNs is no fun, but it's doable).
         | 
         | Another one is to ask your vendors what they're doing about
         | their security track record and whether they are taking
         | systematic measures to make zero days less frequent and not
         | just fixing individual bugs. "Stop using memory-unsafe
         | languages" is one of my favorite answers to that, but there are
         | a lot of others: "use sanitizers," "test your code with
         | fuzzers," "use open-source components for the privileged
         | portions," "get frequent third-party audits," etc. are all
         | potential answers too. Some work better than others; any of
         | them is better than not having an answer.
         | 
         | > _"The M.T.A.'s existing multilayered security systems worked
         | as designed, preventing spread of the attack," said Rafail
         | Portnoy, the M.T.A.'s chief technology officer. [...] there was
         | "no employee or customer information breached, no data loss and
         | no changes to our vital systems."_
         | 
         | The other really good answer here is to not have an all-or-
         | nothing architecture for your network, and it sounds like the
         | MTA is doing that already. Don't wire the train-switching
         | network to the email-checking network just because you can.
         | This is much harder to practically enforce at scale in an
         | environment that wasn't designed for it, but it's a great rule
         | to enforce in _new_ systems. Any time you build something that
         | would be worse to get taken over by hackers
         | /ransomware/whatever than the rest of your company's
         | computerized systems, build it separately and make limited
         | interfaces for people to interact with it.
         | 
         | The move to put everything in the cloud really ought to make
         | this easier: you can make a new cloud account for new systems
         | and use bastion hosts etc. for developer access to them,
         | instead of throwing it in your existing account.
        
         | IncludeSecurity wrote:
         | CEO of a pentesting company here, I've participated in or
         | supervised close to ~2k tests of applications and networks.
         | 
         | Sadly I have to report what you state is possible, but not
          | plausible in today's modern heterogeneous enterprise.
         | 
         | If I had a static environment with no new software or business
         | processes, then NO PROBLEM. I can lock it down in every kinda
         | way and it stays locked down to a known baseline.
         | 
         | Add to that new biz processes and now I have interconnection
         | internally and externally which make detection and prevention
         | difficult. Things are much more difficult now.
         | 
         | Add to that new software, ever changing dev env, OS updates,
         | firmware updates, software version updates, dev env dependency
         | updates, now you're talking near impossible to keep up.
         | 
         | And that's the state we're in today. There are some generic
         | mostly effective controls that if implemented correctly can
         | stop most advanced attackers (the so called "20 security
         | controls")
         | https://www.yumpu.com/en/document/read/6582321/20-critical-s...
         | 
          | But even in spite of that, any major nation state has an
         | arsenal of "capabilities" that allow them to dominate most
         | cyber warfare area of operations in the civilian sector. US can
         | do it, UK, Israel, China, Russia, probably even India and
         | others!
         | 
         | Against nation states, there is no stopping nation states in
         | the civ sector, despite what every F500 company's CSO wants you
          | to believe... sad but true.
        
         | hn8788 wrote:
         | No. The reality is that nobody cares about security unless it's
         | their job to, so you have a handful of security people trying
         | to get things fixed, meanwhile the rest of the organization
         | just sees you as a speedbump in the way of implementing new
         | features or buying some new SaaS product. Devs where I work
         | even went to my manager and asked if I could only be allowed to
         | report security findings during specific timeframes because
         | they get behind schedule when they have to fix things. We even
         | have a document that lists a bunch of security controls to
         | cover almost every situation imaginable, and most of the time
         | the devs just say it's impossible to fix the vulnerability
         | without breaking the feature, so they go to management and get
         | a waiver for the security issue.
         | 
         | Realistically, the only way for an organization to actually be
         | secure is if it's part of the culture from the start.
        
         | schoolornot wrote:
          | You need a "mature" security organization that can stick its
         | tentacles into everything and still be effective or embed
         | security people directly on teams to gate changes like a CI
         | tool does. A security team that operates at a distance is
         | totally ineffective.
         | 
         | I've worked a bunch of places that have passed various audits
         | and certifications, you know, PCI, SOC, and unfortunately the
          | audits of infrastructure aren't as deep as the average Joe would
         | expect. They place heavier weight on processes over technical
         | safeguards. It's like what they say about the CISSP exam, a
         | mile wide and an inch deep.
        
         | imglorp wrote:
         | If the world had a small fraction of the will necessary to
         | counterattack, seize assets, and capture perps, we could shut
         | many of these clowns down quickly. The DarkSide group is an
         | example of a swift law enforcement action, only days after the
         | Colonial hack. Maybe that only happens if you threaten oil
         | profits but we could pretend.
         | 
         | https://threatpost.com/darksides-servers-shutdown/166187/
        
       ___________________________________________________________________
       (page generated 2021-06-02 23:00 UTC)