[HN Gopher] A Modest Proposal About Ransomware
___________________________________________________________________
A Modest Proposal About Ransomware
Author : gmcharlt
Score : 33 points
Date : 2021-07-15 17:24 UTC (5 hours ago)
(HTM) web link (blog.dshr.org)
| everdrive wrote:
| >"The US always claims to have the best cyber-warfare capability
| on the planet, so presumably they could do ransomware better and
| faster than gangs like REvil. The US should use this capability
| to mount ransomware attacks against US companies as fast as they
| can."
|
| I wonder why it is presumed that the US has the best cyber-
| warfare capability? Why do we think this is true?
| karaterobot wrote:
| It isn't presumed, it's claimed by the U.S., and the
| presumption the author is making comes from granting that claim
| for the sake of his (facetious) argument.
|
| Whether it's true or not doesn't matter. I don't think you'll
| find many countries making claims of weakness on defense-
| related topics. In the same way that no country would just
| announce that they have the 11th or 12th greatest military in
| the world, they'd never say they have the 2nd best cyber-
| warfare capability either.
| cookie_monsta wrote:
| Here in Australia I think most people would agree that our
| capabilities are, ahh... y'know... not too shabby.
|
| But then we like to walk softly and carry big sticks :)
| irq-1 wrote:
| > The US always claims to have the best cyber-warfare capability
| on the planet, so presumably they could do ransomware better and
| faster than gangs like REvil. The US should use this capability
| to _mount ransomware attacks against US companies_ as fast as
| they can.
|
| As ridiculous as this sounds, a private sector version could
| work. Imagine 'hacking' companies that audit municipal services
| and private companies. The hackers would have to be motivated to
| win, by payment, not just go through a security checklist.
| Insurance and law could demand this sort of active and ongoing
| security check. This would also create diversity in hacking
| systems instead of one governmental set of tools and strategies.
| muricula wrote:
| This exists: https://en.wikipedia.org/wiki/Penetration_test
| oh_sigh wrote:
| The US wouldn't maintain their capabilities for long if they
| were burning all of their zero-days on defensive posturing.
| tedunangst wrote:
| Vulnerabilities Equities Process!
| ralfd wrote:
| What is the proposal?
| _wldu wrote:
| Companies could also stop creating monoculture networks that are
| easy to manage and also easy to compromise. When every device is
| a domain joined Windows 10 machine running some low level, 3rd-
| party centralized remote management system, it's just a matter of
| time before you are completely owned.
|
| This is the "Encryption Backdoor" problem in Computer Science
| (aka "Exceptional Access System"). It is impossible to build an
| exceptional access system and then ensure it is only used by good
| people to do good things.
| majormajor wrote:
| Non-computer-experts were sold computers and the internet as
| tools that would help them run their business.
|
| I find it hard to blame them too much for unexpected
| unadvertised technical problems.
|
| I propose something simpler: disconnect most computers from the
| internet, and don't put them places strangers can access them.
| Then build out the tools that work in that environment.
|
| I don't actually think it would work in practice, though,
| because it's a race to the bottom. The company continuing to do
| all their shit over the public internet with commodity PCs is
| going to be doing things more quickly and more cheaply
| initially, and may thoroughly beat the competition before
| getting hit by an attack.
| ozim wrote:
| Unfortunately companies cannot afford to build messy
| environments.
|
| Fixing small issues, on-boarding new people, explaining
| existing setups to already employed, adding new servers. That
| is nontrivial amount of money burned there "day in and day out"
| when networks are monoculture with centralized access. Making
| it a little bit of this flavor a little bit of other, will make
| those costs grow 100x in no time. This way you have 100x
| operational costs to prevent something that may or may not
| happen.
|
| Having messy environment also brings other risks like some
| operator might mess up easier because of being tired fighting
| that mess.
| eikenberry wrote:
| I believe the terminology for what you'd like to see is the
| zero-trust security model, and it is gaining acceptance as the
| new standard.
|
| https://www.nist.gov/publications/zero-trust-architecture
| lima wrote:
| Some of this monoculture and attack surface is necessary (line-
| of-business software, standard productivity tooling, the OS
| itself...) for the company to function.
|
| At least with remote management, you can respond at scale if
| one of those gets compromised.
| _wldu wrote:
| The problem is the entire thing will be compromised.
| Exchange, SharePoint, clients, servers, domain controllers,
| etc. That's what happens to monocultures. You must have
| diversity at every level (OS, DB, network, apps, etc.)
|
| Yes, it is more difficult to manage a diverse environment,
| but when you survive the next big ransomware attack you'll
| see why it's so important (while your competition struggles
| to recover).
|
| This holds true for crops, people, animals, financial
| investing and everything else. Diversity makes us strong and
| resilient. Monocultures make us weak.
|
| Monocultures are easier to manage, audit and predict, but
| their weaknesses outweigh those benefits IMPO.
| TheDong wrote:
| We have finite energy and knowledge.
|
| I know how to configure a firewall on linux. I don't know
| how to on plan9 and windows.
|
| Should I run Windows, Plan9, Solaris, FreeBSD, NetBSD, and
| Linux on my 5 servers to ensure I have diversity?
|
| To me, that makes it seem 5x as likely that I make a
| configuration error that leads to a critical vulnerability
| if I have to figure out 5 different ways to setup a
| firewall and sandbox.
|
| What about using software that historically has been shown
| to have vulnerabilities? For example, wordpress has had a
| lot of vulns in the past, so should I host one of my blogs
| on ghost, one using jekyll, one using wordpress, or should
| I only use a static site made with jekyll because I know
| static sites are more secure?
|
| If I'm allowed to eliminate wordpress there, why can't I
| eliminate diversity at other layers? I know linux is more
| secure than windows IME, so can't I just not run any
| windows hosts by the same argument that I won't use
| wordpress?
|
| You mentioned "diversity at every level (network)". Do you
| mean I should run wireguard VPN for some of my networks,
| cisco for others, unencrypted for others, just so I have
| more diversity?
|
| I'm genuinely curious because the model I've heard
| advocated so far is that a monoculture is more secure
| because you can eliminate less secure things (use wireguard
| instead of unencrypted traffic), and gain mastery of a
| small surface area to ensure it is harder to attack.
|
| Adding diversity just for the sake of it, by its nature,
| adds more attack surface and requires more expertise to
| secure, so it seems to fly in the face of the common advice
| I normally hear.
| throw0101a wrote:
| > _Should I run Windows, Plan9, Solaris, FreeBSD, NetBSD,
| and Linux on my 5 servers to ensure I have diversity?_
|
| Running Windows and Linux would be a good start. Plenty
| of business-y software runs on POSIX systems: perhaps
| your business processes don't have to run the same
| operating system as your desktops?
|
| Having a file share appliance (e.g., TrueNAS, NetApp)
| would be a good step after that (if things get encrypted
| just revert to the last snapshot).
| TheDong wrote:
| You may have missed the point of the question. All my
| machines (business and servers) are currently linux
| because I know how to update and secure linux.
|
| The parent poster is arguing for diversity for the sake
| of it. To me, moving from my linux monoculture to a
| linux+windows diaspora seems less secure.
|
| I'm talking specifically about the idea of security
| through diversity, not about this specific incident, so
| backup recommendations aren't really related to this
| thread.
| only_as_i_fall wrote:
| I assume this proposal is at least somewhat tongue in cheek based
| on the title, but if the US really wanted to nip this in the bud
| could they not instead make it a crime punishable by jail to pay
| the ransom?
| jszymborski wrote:
| The main perverse incentive I see here is that it encourages
| companies to hide the fact that they've had a breach so they
| could pay the ransom w/o consequence.
|
| I do think regulation making ransoms hard/impossible to collect
| is the way to stopping the immediate problems posed by
| ransomware.
|
| More disturbingly, however, is that such hacks just underpin
| how vital infrastructure is exposed to nation states. When the
| motivation isn't collecting a ransom but rather to disable a
| country's vital infrastructure, such regulation would do
| little.
| shkkmo wrote:
| Couldn't you make disclosure mandatory and impose
| significantly higher penalties (business-ending levels) on
| failure to disclose?
| mcguire wrote:
| " _I do think regulation making ransoms hard/impossible to
| collect is the way to stopping the immediate problems posed
| by ransomware._"
|
| That's rather difficult to do in the current cryptocurrency
| environment.
| andrewla wrote:
| That will work fantastically well if the goal is to reduce the
| number of reported ransomware cases.
| pvg wrote:
| For one thing the bud has already bloomed into a vast field.
| For another, criminalizing the behaviour of the victims is
| rarely all that effective, especially when difficult to track
| and enforce.
| wmf wrote:
| That may or may not help. If a company has a choice between
| going out of business or some probability of the CIO going to
| jail you know what they're going to choose.
| ithkuil wrote:
| The CIO can resign instead of going to jail. It all depends
| on how strictly the law gets enforced. If only a few get
| caught, then it becomes a dishonor to not have "the balls" of
| just risking it, and you'd not get a new job as CIO if you
| didn't want to play it out. But if it's guaranteed to get
| caught, nobody would do it.
| only_as_i_fall wrote:
| But the choice is really between a personal risk of going to
| jail or a personal risk of finding a new job. As long as the
| individual risk outweighs the collective reward the incentive
| to lie should be small.
|
| Besides, unless 2 or 3 execs can also implement the recovery
| procedure without any of their engineers catching wind I
| don't think it's likely that the secret would remain well
| kept.
| ttul wrote:
| This is by far the most effective solution to the problem. The
| foreign corrupt practices act [1] was highly effective at
| stopping US businesses from paying bribes in foreign countries,
| with many other developed nations following suit with similar
| laws. Such a law for ransomware would no doubt also be
| effective. Companies pay lawyers specifically to audit their
| processes around FCPA compliance because the penalties are so
| severe. No executive wants to go to prison because a
| salesperson hires some "consultant" in Thailand to win a
| deal...
|
| [1] https://en.wikipedia.org/wiki/Foreign_Corrupt_Practices_Act
| mcguire wrote:
| How do you know it was highly effective? Do the audits
| enhance compliance or just ensure non-compliance is well
| concealed? The SEC's enforcement actions page shows a
| continuous stream of actions against large corporations ("
| _Goldman Sachs Group, Inc. - The firm agreed to pay more than
| $1 billion to settle SEC charges that it violated the
| anti-bribery, books and records, and internal accounting
| controls provisions of the FCPA in connection with the
| 1Malaysia Development Berhad (1MDB) bribe scheme. See related
| action against Tim Leissner (10/22/20)._") since they ramped
| up enforcement in 2007. How do you know that's not just the
| tip of the iceberg?
|
| [edit] URL: https://www.sec.gov/enforce/sec-enforcement-
| actions-fcpa-cas...
| michaelt wrote:
| The theory behind banning ransom payments is an attacker won't
| go to the risk and expense of kidnapping someone if they know
| there's only a 1% chance they'll get paid.
|
| But if the attack is an automated bulk exploitation of
| thousands of computers all around the world - why should an
| attacker stop targeting US computers just because US companies
| are banned from paying?
| qzw wrote:
| There already are "security consultants" who will do the dirty
| work of paying the ransom and handing the victim the decryption
| key. Pretty hard to stop that sort of thing, no?
| only_as_i_fall wrote:
| And then what? You hand your engineers a decryption key and
| hope they don't ask questions?
| qzw wrote:
| More likely the "consultants" will handle the decryption
| process, and the company's own engineers, who are probably
| already shell-shocked and under huge pressure, will be told
| to just be thankful that the experts have secret,
| proprietary technology to deal with the ransomware. Even if
| the engineers want to be whistleblowers (at the risk of
| sacrificing their own jobs/careers), it'll be pretty hard
| to get enough conclusive evidence that a ransom was paid.
| gruez wrote:
| Make it strict liability? ie. if you paid for a "consultant"
| and it just so happens that he paid off the ransomware
| operators without your knowledge, you'll still be liable
| qzw wrote:
| That's going to be nearly impossible to enforce, because
| the first thing that will probably happen is that companies
| will stop reporting ransomware attacks. And these
| "consultants" could be based anywhere, as well as further
| outsource their work to independent contractors, shell
| companies, etc. So getting hard evidence that there's
| been a ransom payment will likely be a wild goose chase.
| viraptor wrote:
| That would run against law as it stands in most places
| https://en.wikipedia.org/wiki/Mens_rea
| mcguire wrote:
| That would be the "strict liability" part.
| easterncalculus wrote:
| "The US always claims to have the best cyber-warfare capability
| on the planet, so presumably they could do ransomware better and
| faster than gangs like REvil. The US should use this capability
| to _mount ransomware attacks against US companies_ as fast as
| they can. "
|
| This is totally ridiculous. If anything, the US government needs
| to hack people _less_, stop dropping broken DLLs[1] and focus on
| defense. Security needs to be built up and incentivized, not
| punitively broken down. Practically all of the organizations hit
| by these huge attacks were not doing basic measures. Many of them
| not by CVEs from this year as this post implies.
|
| It also isn't even "ransomware" in this case since there's no
| _ransom_. It's just the government hacking your computer because
| the military-industrial complex (MITRE) doesn't like you. No hate
| towards them or CVE, but that's not a good look or policy.
|
| ---
|
| [1] https://blog.malwarebytes.com/threat-
| analysis/2021/01/cleani...
| redler wrote:
| The article is attempting to follow in the satirical tradition
| of Jonathan Swift's "A Modest Proposal", which suggested
| feeding children to the poor in 18th century Ireland.
| f38zf5vdt wrote:
| Indeed. :) This is as much about encouraging US ransomware
| attacks as A Modest Proposal was about eating babies.
| easterncalculus wrote:
| I've read it, but I find the line hard to see with this
| article. There are several, maybe most, of the other claims
| that are actually true. Governments in general really do
| breach systems and drop malware like this, and most
| ransomware attacks aren't being performed with big zero day
| exploits. Jonathan Swift didn't cite his previous articles or
| actual newspapers, as I remember at least. After a couple
| more reads I should have picked up on them "shortening the
| grace period", that seems obvious. I got burned by this one.
| cjensen wrote:
| Sure, we could fix the flaws in every accessible software on the
| planet. Or we could outlaw non-traceable payment methods like
| Bitcoins so that there is no profit in ransomware. What are they
| going to do? Ask for payment of a million dollars in iTunes gift
| cards?
| hermes19 wrote:
| Couldn't they still demand ransom in BTC? I assume if BTC is
| largely banned in the US, it will still exist. Exchanges will
| still exist (in some countries) and it'll still be traded.
|
| Couldn't attackers still say, "Go get some BTC and deposit it.
| Where do you get some? Not our problem."
|
| Maybe there's something I'm missing.
| kyleee wrote:
| Bitcoin is quite traceable; but I take your point. To flesh out
| your position, are there any circumstances in which you believe
| two parties should be able to transact securely and privately?
| bin_bash wrote:
| It's trivial to make Bitcoin untraceable. See tumblers.
|
| I think people also have this strange idea that the bitcoin
| ledger must represent all bitcoin transactions. But think for
| a minute that I can just email you a wallet and the coins
| just changed hands without putting anything on the ledger.
| rspeele wrote:
| > But think for a minute that I can just email you a wallet
| and the coins just changed hands without putting anything
| on the ledger.
|
| I won't trust that you destroyed your own copies of the
| keys, so I'll want to transfer the coins to another wallet
| first thing with a real transaction recorded on the ledger.
| Otherwise I'm risking that at any time you could take the
| coins back from me.
| user-the-name wrote:
| Doesn't matter much if it is traceable, as long as it can be
| converted into actual money. And it can, thanks to dodgy
| exchanges turning a blind eye or being actively complicit.
| f38zf5vdt wrote:
| That solves ransomware, which is bottom of the barrel in the
| hacker world. The reason talk about this is so much about
| _defense_ lately is because if people as untalented as
| ransomware operators can make it into US corporate and
| government infrastructure, imagine how deep in state-employed
| hackers must be. In the past decade US government
| infrastructure has been deeply penetrated multiple times, with
| catastrophic consequences.
|
| https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
|
| https://www.wired.com/story/the-full-story-of-the-stunning-r...
|
| https://en.wikipedia.org/wiki/2020_United_States_federal_gov...
| w-j-w wrote:
| A ban on Bitcoin isn't really enforceable, though. What might
| work better is banning companies from paying up in ransomware
| attacks.
| amackera wrote:
| Bitcoin seems highly resistant to centralized control; I
| suspect attempts to outlaw it would be easily thwarted.
| resfirestar wrote:
| I'm sure speculators and drug buyers would go on using
| Bitcoin, but businesses can only be persuaded to do these
| ransom payments because they can buy Bitcoin legally with a
| normal wire transfer.
| mdoms wrote:
| Crypto "currency" is the worst thing that has happened to the
| internet. Without crypto "currency" there's no ransomware.
| imglorp wrote:
| > The NSA routinely hoards 0-days, preferring to use them to
| attack foreigners rather than disclose them to protect US
| citizens (and others). This short-sighted policy has led to
| several disasters, [...] Unless they are immediately required for
| a specific operation, the NSA should disclose 0-days it discovers
| or purchases
|
| The author too charitably positions NSA here. When one considers
| the hoarding of 0-days, weakening of encryption standards,
| wrecking trust in US businesses by forcing compliance, failing to
| intervene in years of breaches, and many other malicious
| activities, it soundly refutes any claim of concern for
| protecting the country. How many billions has this cost in
| business terms, on top of the billions they're paid for the
| privilege?
|
| So if defense isn't their actual mission, maybe it's actually
| population control.
|
| https://reason.com/2014/07/11/total-population-control-is-ns...
___________________________________________________________________
(page generated 2021-07-15 23:02 UTC)