When stores are forced to close in SF because of rampant theft, nobody suggests that Walgreens or Target should hire armed guards.
If a mall were to be bombed, nobody would suggest that malls should just be built to resist bombing attacks.
The entire point of a government is to provide security and protect the rights of citizens. It is the government's job to solve / prevent / deter crime. If we are willing to put the burden of security on the individual, then why would we organize into states at all?
I think there could be "IT security codes" just as there are "building codes" to enforce security good practices. But "survive impact from a 747" is not part of our building codes, and similarly "be resilient to targeted, state sponsored cyberwarfare" should not be the responsibility of the individual.
We expect buildings to be able to resist termite damage by taking reasonable means to block them. We should also expect software to resist self-propagating worms and other attacks. If you build a building in a tough neighborhood (or a warzone), that building has to have security and stability features that match the demands placed on it by its environment. The Internet is basically a termite-infested warzone.
We know that threats exist, we have things like OWASP and other sources of improving best practices to prevent common entrypoints for attacks. We have to expect software and networks to do better, just as we expect governments to find and stop the attackers.
That means they won't be stopped for long by static infrastructure. And in the same way, "best practices" are a moving target, so they'll always be applied unevenly across companies at any given point in time.
In fact, the more economically damaging the hack, the truer this is: the biggest ransoms and the greatest national security risks are mostly caused by actors that employ dozens or hundreds of motivated professionals to find gaps in an organization's infrastructure. And that means the "force of nature" model is especially inaccurate when we weigh incidents by economic impact (which arguably we ought to do).
We know exactly one way of blocking intelligent, motivated adversaries from getting what they want at our expense. And that's to have at least equally motivated, at least equally intelligent folks on the other side who are continually trying to stop them. And that doesn't sound entirely unlike a fairly reasonable line item in a national defense budget.
Hackers are not a force of nature, they are criminals. This is absolutely no different than someone picking the lock to your front door and stealing all you own. Even if you forgot to lock your door, or failed to install steel bars over your windows, it's still not your fault if your house is broken into.
It is no longer interesting that there's a pattern of comments on HN that attacks some nebulous aspect of other comments on the site and/or article - such as this one. Neither is it interesting that these comments generally try to use emotionally manipulative language (like "victim blaming") and attempt to shame other HN users in place of (or occasionally in addition to) sound logic.
> victim blaming
There's more than one victim here - users, consumers, and other people who use the services of these organizations are also victims. These companies that were compromised had a responsibility to protect their users' data and continue to provide them services - that they failed to uphold due to their own lax IT infrastructure.
> The entire point of a government is to provide security and protect the rights of citizens.
Even given this model, the government still is not responsible for directly administering the IT systems of companies. They're responsible for that, and the government penalizes them when they fail.
We're still not under that system (I'm still waiting for a law that penalizes companies for leaking, sharing, or losing user data), but my argument holds anyway.
This is HN. It's filled with people whose job is building secure systems, or at the very least are aware of best practices to prevent these attacks. Of course you're going to read that they should have done this or that.
> When stores are forced to close in SF because of rampant theft, nobody suggests that Walgreens or Target should hire armed guards. If a mall were to be bombed, nobody would suggest that malls should just be built to resist bombing attacks.
Have you tried asking that in different places?
It basically is for skyscrapers now.
https://global.ctbuh.org/resources/papers/download/1017-evol...
These hackers are fulfilling a market inefficiency whether users here would like to acknowledge that or not.
It's not the mean hackers' or bitcoin's fault. The blame should be placed squarely at the doorstep of all the brilliant engineers who are responsible for the creation of the system architecture but for whatever reason are nowhere to be found when it starts to degrade.
This is a major issue with software development that is simply not convenient to discuss because the incentives to frog hop from job to job massively outweigh the benefits of staying on board for the years the job actually requires.
And yes, people will tell you, especially on here, that air tight code is a pipe dream. And maybe so, but the amount of severe deficiencies in code bases that millions of people rely on every day are simply unacceptable. When your earnings report is in the upwards of hundreds of millions, it’s really hard to play stupid.
Start holding companies responsible for their shitty priorities and then things may change. Until then, this is doing the equivalent of yelling at retail workers for company policy. They are not the responsible party here. That responsibility starts at the C-suite and filters down.
We would obviously care and do something about people streaming (physically) through neighborhoods to test every door/window/mailbox on every building.
For some reason, when it comes to the metaphorical "buildings" of our digital spaces, the general consensus seems to be a half-sarcastic: "If you can't install and maintain impenetrable state-of-the-art locks on all your stuff, you had better just give up and move into the Facebook highrise."
Not obviously. Burglary/theft clearance rates are very low (in most countries). At least in developed countries violent crimes have the highest priority and small property crimes are almost ignored. I doubt police will do anything meaningful if you report a person who is going door to door and checking if they are open.
These standards that are out there aren't difficult to implement or put in place. For example, if we look at the PCI-DSS standards, some of them include:
1 - Changing default passwords
2 - Having a firewall
3 - Encrypting PCI information at rest
4 - Using encrypted communication channels for PCI (https).
These are just some of the standards and none of them are very hard; all of them are trivial to implement.
So sure it's a bad thing if you get robbed while out on errands, but you're going to get a whole lot less sympathy if it turns out you left the front door open with a sign that said, "I'm not home right now."
EDIT:
To be clear I am not talking about SMB mom and pop shops necessarily in this comment, I am talking about the massive Fortune 1000 companies that are getting hit with this over and over again.
Problem is the threat models of IT and buildings are way too different. Imagine that major buildings are frequent targets of arsonists and the arsonists can remotely set the fire. That means buildings need to defend against all possible arsonists, from random amateur folks to folks comparable to special forces.
It's kind of a quandary. "Allow umpteen third parties to update their crap into your system" really is the current "security standard". And it's a standard that's gone along with the entirety of outsourcing as an approach to cost-effectiveness. It's hard to be sympathetic to the organizations that have lived and died by this. On the other hand, you're right. One can't do this company by company, one needs standards.
The question is whether the same companies that are now suffering would be complaining tomorrow if actual standards were imposed.
Network Border Protection Agency, NBPA. A nation level firewall, much like China’s. Plus KYC rules for renting compute inside the country.
I'm sure the computer security industry wouldn't like this.
> victim blaming
That's a frame that carries a negative connotation. Why? Shouldn't builders construct houses that are safe enough? Or are you telling me that the government should prosecute the people responsible for the hacked systems?
Just like an electrician is liable if your house burns down and their wiring wasn’t up to code [and caused the fire].
We need similar laws/codes for software. It’s time.
Yes, which is why I mentioned building codes. I suppose "safe enough" is where the disagreement is.
Should you be prosecuted if a thief smashes your window and steals something you borrowed from a friend?
How incredibly irresponsible of you, to have a window in your home! When will we take security seriously? It is your fault that you were a victim of a crime and you should go to jail for it. /s
There is no reason to blame corporate victims if they show that they have locked things up properly and follow good practices.
Governments should also be blamed, of course. Promoting infrastructure with backdoors and weaknesses because of "think of the children and terrorists" rhetoric is not helpful.
In a nutshell, here's why things are so screwed up IMHO:
1) Most of these companies have had audits, but they're being done by 3rd rate or very inexperienced external consultants.
2) The companies limit the scope of the tests. Real hackers don't give a shit about your scope of work, they have no rules, only goals.
3) Even when a test is properly done the exec management looks for silver bullet product solutions instead of changing across people/process/technology.
My company solves #1, but we can't do anything about #2 or #3 :-/
Add some "funding / IT cost center, no value add" language in there as well.
The only way to get secure software is to increase liability of parties involved.
My suggestion: Start with the ability of any customer to return any purchase (hardware/software) which contains software with a disclosed but unfixed CVE after 90 days without a patch. If this doesn't get rid of the Internet of Shit, I don't know what will.
Next, set a minimum damage rate of 100 USD per user for each data-breach that involves personal information and 1000 USD for any special kinds of personal information (credit cards, etc) and 10000 USD for any protected health information breach.
To include the liability of the attackers, which I think will ultimately be more scalable and effective than punishing the victims. Not saying there aren't incentives for the victims to "do better", but I think that will only get us so far.
History paints a picture of societies evaluating the effectiveness of better walls vs. owning the landscape, and deciding on the latter as being a more beneficial approach. It's how we get the saying that "Rome conquered the world in self-defense". I would bet that's where this ends up after enough material losses.
Does this not also just kill tech? CVEs pop up decades after products have died. Now every tech product is just one unsupported CVE away from losing _all_ lifetime revenue. I just can't see how anyone would ever invest again...
edit: to clarify further, the fact that any CVE triggers this, no matter how small, seems egregious to me. The idea of there being no lifetime on the liability seems wild given how CVEs are often the result of other developers breaking ABIs. Imagine a profitable product that was last sold 10 years ago having its full lifetime revenue refunded because of some change in glibc.
We already know it's nigh impossible to ensure software is bug and vuln free. We have to reckon with the fact that secure software is possible, but extremely hard and impractical to achieve with any regularity.
Because of well known computer science problems such as the Halting Problem[0] and more that I am totally ignorant of, the only alternative is extremely thorough verification like happens in planes[1]. The rub is that unlike aerospace and other critical controls, we cannot define the software security problem as closely as is possible in those other critical systems. Doing so will undo the benefits of our general technology solutions.
The reason I claim it is nonetheless not a software problem is: In case after case of these troubling examples of security failures, there are only a few organizational commonalities that link them all together. Time after time, there are shocking misconfigurations, corners cut, best practices eschewed, warnings ignored, processes disregarded or absent and swept under the rug.
C-Suite execs, as has been well noted, opt for the checkbox-style silver-bullet-whiz-bang, because they can understand the value proposition of one-problem-one-fix and it is easy to communicate to stakeholders. They are totally ignorant of and uninterested in the details of actually providing a quality product. Their product is often not what they are selling; they are getting their bonus, and they are gonna exercise those stock options.
The only way to make a dent in this security problem is to require adequate processes for infrastructure the way we require adequate lighting, or fire protection devices, or plumbing. Until it is a business requirement to provide appropriately managed processes, infrastructure, testing, and finally development practices to go along with it all, there is no hope.
Will your school or hospital be shut down next? Will it be your bank that is defrauded when your cardholder details are skimmed at the local gas station or stolen from a multinational retailer? Will it be your government's top secret clearance database, your municipal water, your child's photos from their phone or social media?
Our only real hope is that the next victims of this heinous, Steinbeckian, tragedy are the Congress, Senate, and whoever else it takes to get a fucking grip.
[0] - Computerphile https://www.youtube.com/watch?v=macM_MtS_w4
[1] - Examples of aerospace validation https://scholarworks.sjsu.edu/cgi/viewcontent.cgi?referer=ht...
Having classic ASP pages hosted on a production system in 2021 seems like a pretty strong indication of a lack of codebase maintenance and auditing.
AFAIK classic ASP pages can be as secure as those in any other framework. The vulnerabilities (most commonly SQL injection) are known and are addressable.
I know it chafes at some (Microsoft marketers esp.?) that ASP pages are still around. But classic ASP is yet another example of that old adage "If it ain't broke, don't fix it!"
I watched one organization assign an entire division of programmers to develop a moderately-sized ASP.NET application: they went through orientation and training in ASP.NET and then planned, designed, coded and rolled out ...nothing! After two years there was literally nothing!
A perceptive manager in another division approached his sole ASP developer and asked if she could write some ASP code to "demo" that same project. She looked at the specifications and then quietly wrote an entire system!
Weeks later, when the department heads saw her "demo", they thought the ASP.NET developers had completed it. Imagine their surprise to find that what they were looking at was done, not by the ASP.NET group funded millions of dollars but by someone in another division: a single focused classic ASP developer quietly working downstairs.
Nonetheless IIRC ASP pages reach end-of-life support by Microsoft in 2025 so it might make sense to migrate. But b/c classic ASP was written in a manner consistent with early web standards (CGI/APACHE) migration of classic ASP to one of the various classic ASP-like frameworks in PHP, Perl, Ruby et al would likely be easier, faster and cheaper. Migration would be mostly translation and much, if not all, could be automated.
In contrast, moving classic ASP to ASP.NET would be more fraught with problems. The underlying models of the WWW are inconsistent.
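As an added illustration of the claim above that classic ASP's SQL injection problems are known and addressable (this is example code, not code from the thread or from any product discussed in it), here is the same user lookup written unsafely and then with a parameterized ADODB.Command; the connection string, the Users table and its column names are assumptions:

```vbscript
<%
' Added example, not from the thread: the textbook classic ASP SQL injection
' flaw and the parameterized query that fixes it.
' Assumed (placeholders): an ADO connection string stored in
' Application("ConnString") and a table Users(Id, Name, Username).
Option Explicit

' ADO constants; classic ASP does not load adovbs.inc by default
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim userName
userName = Request.QueryString("user")

' UNSAFE: the statement is built by string concatenation, so quote characters
' in the "user" parameter change the structure of the SQL. Shown only to make
' clear what the version below replaces.
' Set rs = conn.Execute("SELECT Id, Name FROM Users WHERE Username = '" & userName & "'")

' SAFE: send the statement and the value separately. The provider binds the
' value as data, so it is never parsed as part of the SQL text.
Function FindUserByName(conn, name)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT Id, Name FROM Users WHERE Username = ?"
    cmd.CommandType = adCmdText
    ' 50 is the assumed column width; over-long input is truncated, not injected
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, name)
    Set FindUserByName = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set rs = FindUserByName(conn, userName)
If Not rs.EOF Then
    ' The same distrust of input applies on the way out: encode before writing HTML
    Response.Write "Hello, " & Server.HTMLEncode(rs("Name")) & "<br>"
Else
    Response.Write "No such user.<br>"
End If

rs.Close: conn.Close
%>
```

The fix is purely local to each query, which is why a code audit of an old ASP codebase can address it without a framework migration.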
Old and well maintained software can be reliable and secure, it is just rare to encounter it. Maintenance is underappreciated. People don't get raises and promotions for successful maintenance of an old system. But they get them for new projects even if the project is a rewrite of an old system in a new language/framework (even if the rewrite introduces new bugs and vulnerabilities and drops some old features).
So if an organization has money to spare, the software will be rewritten every several years to follow the fashion, and if it doesn't have money, security will suffer too.
Either we show that we can deliver safely and resist business pressure to deliver fast and cut costs, or the government is going to do it for us.
People just don’t take virtual things as seriously, unless they involve conspiracies.
*edit: when I say "people", I mean the end-users who would otherwise demand change.
I sound like a broken record but it bears repeating: Most of these attacks are successful because companies neglect best practices. Whitelisting, security awareness training, UEBA, etc go a long way.
I would hope the free market would prune companies without proper cybersecurity but regulatory capture means it probably won’t. Equifax and its executives are doing just fine.
I don't know how you coordinate this without regulation and something like P.Eng type certification (which comes with its own problems).
It's far less the programmers than the business plans that demand minimal investment. These are classic externalities that serve to damage society at large.
I’m not sure what the answer is but better security and a rethinking of user authorizations seems to be in order.
The key to the current spree of ransomware is the massively improved ability to monetize digital hostage-taking. I don't really understand how financial watchdogs have let this go through, but cryptos have become a massive loophole in KYC and anti-laundering regulations. Recent moves in that sector seem to hint that this party is about to end and, hopefully, will create enough friction to reduce ransomware activity.
Of course, the internet would lose its mass appeal. Maybe it wasn't meant to be.
To me, this is more of a foreign policy issue. I’d say the damages caused by an attack like this can be requantified in loss of American life, and treat it like such. What should we do if Russia were killing 20 US civilians every few weeks?
It just costs a very significant amount of money. Many businesses just don't see the lowered risk to be worth the expense.
When ignorance becomes so widespread that it is enforced by law, and wise action is actively punished, one cannot really blame rational actors for taking the CYA approach. One can hope that some of them take a principled stand and the risk of punishment to do more; alternatively, we can expect to collapse and be replaced by a smarter, if more brutal regime. One way or another, the bleeding always stops.
Is there any evidence that this happens? I feel like there's a lot of these kinds of spooky 21st century "folk-wisdom"(s) out there and if you actually trace it back it's like the McDonald's hot coffee case or whatever.
This is totally unacceptable and legitimately dangerous. Dialysis machines are hooked up to this trash right now!
We require enforcement, jail, fines, and civil liability for this gross, aggravated negligence.
A lot of the "security best practices" just become checklists of what people thought were good ideas 20 years ago and enforced by auditors that only know how to check boxes.
Blue teams are behind from the start due to the nature of the security landscape. They are further hindered by misguided application of the "move fast and break things" method. You aren't supposed to break your C.I.A. and expose customers and everybody else to huge liabilities.
Security needs to be baked into the infrastructure and IT management practices from the start. This requires enforcement, jail, and civil suits.
Office of Personnel Management, Ashley Madison, Target and countless other retailers, dams and pipelines and water, Maersk, LinkedIn, all these supply chain hacks and schools and hospitals across the country and the world.
This has been going on for decades now, with no accountability at all. It just doesn't seem to be a priority.
What in the hell are we doing? Why do MMORPGs have better security than the hospital??
aka sales & marketing.
I wonder if the background of senior leadership is predictive in these sorts of situations. E.g., Equifax had a CISO with a non-technical background at the time of their breach, and Kaseya's leadership is dominated by MBAs and accountants.
Sometimes I feel like the idea is just to kill productivity.
Seems to me like a centralized system is fine, as long as it’s properly designed and implemented. The problem is how a business can know that an IT security system is properly designed and implemented.
The only solution I see is to couple insurance with an IT security system. If you’re certain your system protects against IT threats you should be willing to compensate your customer in case it fails to do so. Otherwise your customer has a very hard time determining whether your IT security system actually works.
Removing the "remote" from "remote administration". It's more expensive but probably still not cost-prohibitive -- driving around to client sites and installing updates is not particularly skilled labor. Plus even the worst-case scenarios are far less bad because you already have a local workforce who can do site visits to manually recover systems locked down by ransomware attacks. Data might get stolen, but at least you have continuity of business.
We have narrowed the attack surface of networks drastically, the solution is not to undo that, but to keep narrowing it. There's a lot of room for improvement especially in service accounts, admin accounts, and crucially, more intelligent behavior detection.
Despite Microsoft's best cloud security capabilities, it still doesn't seem to mind if a senior citizen's Outlook.com account is suddenly logged into in Nigeria, and even after "securing the account", it doesn't clear their devices they connected while they were in the account... That's a consumer example, but there's so much room for more intelligent behavior detection, and it to make it down to base-level products, and not expensive add-ons or upgrades. Even the big companies don't do a good job at it on their own systems, much less the systems they sell to other people.
You have to have a certain tier of premium Azure cloud-based subscriptions to get reasonably decent security controls, while if you have a Windows Server-based network, your security options are the same as you had back in 2008.
Geo-IP services are routinely inaccurate. I'm in the Southern US, the IP I used to get used to get me tagged as if I was from Quebec City. It was like that for over two years. A friend's house a few neighborhoods over showed up as some small town in Kansas. I could go from my home network-wise in allegedly Quebec City to my cell phone which showed as a town about 50 miles away from my actual location to Kansas in 10 minutes. If places banned based on these kinds of Geo-IP databases I'd be banned from most of the internet.
It seems like centralized, locked-down IT combined with security that's mere security theater while allowing third parties to willy-nilly update their stuff.
Try to get Windows 10 to have an uptime of more than two weeks without a Windows Update and reboot cycle.
Email viruses aren't really a thing like they were back then too.
Well didn't their Cyberdefense playbook have anything to say about simple ACLs protecting those internet facing systems that were vulnerable to SQL injections? I mean even a very broad ACL allowing an entire country geoip block would be better than nothing.
Yea. You have money somewhere, but when you go to get it they’ll find you.
Crypto laundering has made that trivial now. So, no, I don’t believe the NSA has back doors in “everything”.
(Nor would I consider the NSA to be unequivocal “good guys” who selflessly help businesses and employees)
The first thing being hard is evidence that the second thing is not true, and people just like saying it because they enjoy posting the most cynical take they can.
This kind of illicit capital flow totally makes a mockery of AML regulations. All the rules that were created after 9/11 are out the window - this time it's money to pay for zero days, but it's not a huge leap for this kind of illicit capital flow to end up paying for a huge terror op, paramilitary coup, etc. We'll be reading the next blue ribbon commission's retrospective findings for some horrific event in a few years and it'll be obvious what we failed at.
That said, every once in a while a larger fish is caught. Right now a huge topic in Turkey is about a local businessman laundering about $1B of a US Mormon sect that stole the money from the US by faking business activity and receiving subsidies.
In this case, the Americans are in prison and the Turkish guy is in Austria, awaiting extradition.
Shortly before things got sour, the guy had access to the highest Turkish officials and was the darling of the media.
On the US side of the things, apparently the criminals were partnering with a high ranking CIA official to pull this off.
Here is a video on the topic: https://youtu.be/BPZIX5oBrUc
It’s already out of date as more money and connections were revealed since then but if you Google the names, more juicy stuff comes out. Sezgin Baran Korkmaz is the name of the Turkish guy allegedly laundered their money, now under arrest in Austria. Erdogan scrambled to remove his photos with the guy from the internet.
It has been revealed that they bought old Turkish companies that were under financial troubles and used these to move the money.
Why Turkey? Because Turkey is in economic turmoil and to motivate people to bring money into the country they passed a law so the state doesn't ask the origin of the money and politicians facilitate the bureaucratic process (allegedly for a substantial commission).
Pretty straightforward laundromat.
Once the money is in the Turkish system, they have access to EU, USA and pretty much everywhere because according to the paperwork the money is coming from legit companies, some a century old.
I bet you, Turkey is not the only rogue agent here.
...but won't see any particular repercussions until they get hit with a few million dollars ransom and some short-term bad PR.
So glad to not be at that job anymore; this is 100% the approach my previous employer took (who had 99 out of the Fortune 100 companies as customers).
Vast majority of these attacks don't work with 0days. They work with malformed IAM policies, social engineering/phishing, and poor asset registries and cloud vis.
Kaseya being a 0day is an outlier in many ways.
Do you think it will be an outlier in a year? In two years?
If a zero-day can gain you millions, tens of millions, maybe a hundred million dollars? Do you think we can keep operating the way we have been up until now?
But with Manafort's pardon, we might not see Deutsche Bank's full culpability in failing to KYC. So, if Manafort's pardon was inevitable, then would you consider the big players in laundering to be sufficiently protected by a political movement/coup inside a major party?
Is it a wild thing that if you permit a safe mechanism of extortion a sprawling economy quickly develops around it, dunno.
For me to visualize the problem, I came up with this here: honeypot.
In this sense, Kaseya or any other Managed Service Provider is some kind of honeypot. Let 100+ companies gather and share the same problem and exploit it.
This comparison did not occur to me for Microsoft and their Zero Day exploits. Because you did not attack Microsoft to spread the damage. You still have to find your victims.
We all gotta do our part.
An end to privateering comes with powerful institutional enforcement via the suppression of movement and committed retribution (an eventual monopoly on the exercise of force). I can only imagine what the analogy looks like - it's arguably more difficult than traditional privateers operating on the open seas if the actors in this case are safe on sovereign soil.
Perhaps the analogy to the open seas is the Internet itself. If the solution to privateering was denying bad actors the freedom to operate, the same applied solution on the Internet would be dramatic restriction of who can communicate on it.
Problem is, the supply chain attacks in this analogy are more akin to sailing under false colors. In this case sailing under false certificates. What do you do when a pirate captures a ship of your fleet, has your flag, your signal flags, and has your latest challenge/response codes? In the age of sail, it would probably mean accepting the loss of the incident, then ruthlessly hunting down the perpetrator directly with the goal of eliminating all actors capable of such sophisticated engagements - basically reducing the talent pool to near zero. If you aren't allowed in this day and age to address the actor directly, you probably have to deny the host nation itself the freedom of movement until they commit to delivering heads on plates. What does that mean? Cutting Russia off the Internet? Is that even doable these days? You could embargo the Internet for your own country like China tries to do - sad that we're having to consider that. I struggle to imagine other half-way realistic options. Kinetic war and assassination seem imprudent/impractical, to say the least.
I certainly don't think the answer is to "eliminate crypto", the equivalent to thinking "banish gold coins" in the age of sail would stop piracy. I also don't think the answer is to demand all companies "do better at security". While everyone needs to do security better, it will always be insufficient. A merchant ship in the age of sail was never expected to have the armaments of a national navy. Their solution was to convoy up and if lucky have state actors protect those convoys - a herd defense at worst. The equivalent to "convoying up" in this age would be some sort of massive crowd validation process before updates are released, slowing everything down to an impractical rate. So I struggle to see what's left other than a good offense, as much as I hate to think of what that means for the dream of the open Internet.
The merchants demanded their host nation deliver a safe operating environment, at a pretty steep collective cost.
You don't need to eliminate crypto, just heavily scrutinize/regulate/license exchanges like any other bank. Generally treat anonymous crypto the same way you'd treat someone who pulls up to a regular bank with a U-Haul full of cash and tries to make a deposit. If a wallet has ever interacted with a mixer (and generally treat mixers the same way you'd treat money launderers), blacklist the wallet. Blacklist any wallet that is linked in any way to a mixer or to wallets involved in extortion. Revoke the license of any bank that accepts funds linked to an unregulated crypto exchange.
This is all because of cryptocurrencies. They are the one single factor that enables this economical fiasco. They need to be banned, now, or this will just get worse from here on out.
Maybe we should turn the tables on the ransomware orgs. I'm sure they're getting big enough that they can't keep tabs on everyone in the org. So why not start offering million dollar prizes for people inside the org to sell out their co-conspirators? I have to imagine that if you're unscrupulous enough to be in the operation, you'd have no problems doing some entrepreneurial activity on the side.
All CCs are just a protocol which can send verifiably discrete packets w/o a central server verifying the discreteness, and with some fancy branding on the packet type. It's as if people felt very tribal about POP3 vs. IMAP, and the IMAP foundation put out branding and POP3 was a FOSS project. Protocols in that sense can't really ever be banned. It's like banning a math proof.
CCs play a role, but they are not the single factor that enables rware, by any means. For instance, it's a lot harder to pop a meat processing plant or coastal pipeline if they didn't hook up IoT to anything and everything OT-related, and ICS was awful at integrating vis b/t IT and OT networks in their plants. Or, for instance, if cyber insurance companies are forbidden from paying ransom, then the economic pot is suddenly dry. And so on...
It's a lot harder to justify giant ransomware campaigns when you're paid in Amazon gift cards instead of easily exchangeable cryptocoins.
I don’t think yours is a simple solution or the right one (banning cryptocurrency). But I do think bans on payment of the ransom are interesting.
And they won't care about if companies pay ransom or not.
Treat the cause of the sickness, not the symptoms.
Or I guess two new categories, because the victims are all criminals now too.
The victims won't become criminals because you'll never find a senior executive willing to go to prison to pay a ransomware ransom. And no, "pay someone to pay it" or "have a random low-level nobody pay someone to pay it" is not going to work. Judges/juries aren't that stupid and senior leadership typically know judges/juries aren't that stupid.
Criminalizing paying ransoms would work, and this particular "they'd just pay someone to pay the ransom" argument against criminalizing paying ransoms is beyond specious. Criminalizing paying has worked with other, much more serious types of ransoms. Why wouldn't it work here?
It just seems like the bill on security has come due and I recommend paying it. Otherwise you leave the economy open for much more serious attacks than asking a few million in crypto.
They might have rushed to exploit it before it was closed. Plus the long weekend. Or competitive pressure to exploit before someone else gets there first.
Your "possibly political" statement is conspiracy theory nonsense. It's entirely unsurprising that they launched the attack at the beginning of a long holiday weekend when there would be fewer eyes monitoring systems and able to pull plugs/remediate in the moment.
what does this mean exactly? could you (or anyone else who shares this sentiment) elaborate?
One look at RDP markets shows that reality.
Computers that you can remote desktop into are listed by location and bandwidth and price. UAS had over a million to choose from, blanketing the globe.
Millions of compromised Windows hosts rented out for $5 each to anybody who shows up at some onion site? Hard to believe. At those prices buckshot ransomware and cryptomining would be profitable.
What's easier to believe is that there are millions of SOCKS5 proxies out there (IoT/router/ancient-android-phone exploits) and a honeypot operation that will gladly spin up a Windows VM and let you pick which SOCKS5 proxy to use as an exit IP. And then observe everything the badguy-wannabe does with that VM.
They wouldn’t say that if they weren’t 100% certain right? /s
There was a vulnerability in the RMM server software that allowed remote code execution. The attackers used the RCE to push the ransomware out to all of the endpoints connected to the RMM server.
The attack is still being researched but it looks like there were two vulnerabilities. The first was an authentication bypass that allowed the attacker to authenticate as if it were an authorised client. That was used to upload the payload. There was also an RCE vulnerability that allowed the attacker to execute the uploaded file. The payload itself modified the SQL database of the RMM software to create a task on the remote endpoints that executed the ransomware.
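The last step in that chain, a task row written into the RMM database and fanned out to every managed endpoint, is something a defender can look for in the RMM's own data. The following is an added example, not code from the thread or from any RMM vendor: it uses a hypothetical `agent_tasks` table (constructed rows, not Kaseya's real schema) and flags any single account that schedules one command on an unusually large number of distinct endpoints inside a short time window.

```python
import sqlite3

# Constructed sample rows for a hypothetical RMM "agent_tasks" table (NOT Kaseya's
# real schema): (id, created_at as epoch seconds, created_by, target_endpoint, command).
ROUTINE_TASKS = [
    (1, 1625200000, "alice", "ws-01", r"C:\Tools\patch.exe /quiet"),
    (2, 1625203600, "bob",   "ws-02", r"C:\Tools\inventory.exe"),
    (3, 1625210000, "alice", "ws-03", r"C:\Tools\patch.exe /quiet"),
]
# Constructed burst: one account scheduling the same temp-path binary on 60 endpoints
# within a single minute.
BURST_TASKS = [
    (100 + i, 1625270000 + i, "svc_rmm", f"ws-{i:03d}", r"C:\Windows\Temp\agent.exe")
    for i in range(60)
]
SAMPLE_TASKS = ROUTINE_TASKS + BURST_TASKS

BUCKET_SECONDS = 300      # width of the time window used for grouping
ENDPOINT_THRESHOLD = 25   # more distinct endpoints than this in one window is an alert


def load_tasks(conn, rows):
    """Create the hypothetical table and insert the constructed rows."""
    conn.execute(
        "CREATE TABLE agent_tasks ("
        "id INTEGER PRIMARY KEY, created_at INTEGER, created_by TEXT, "
        "target_endpoint TEXT, command TEXT)"
    )
    conn.executemany("INSERT INTO agent_tasks VALUES (?, ?, ?, ?, ?)", rows)


def find_bulk_task_bursts(conn, bucket=BUCKET_SECONDS, threshold=ENDPOINT_THRESHOLD):
    """Return (created_by, window_start, command, n_endpoints) for every creator that
    scheduled one command on more than `threshold` distinct endpoints inside a single
    fixed-width window. Integer division of created_at by the bucket width assigns
    each row to a window."""
    sql = """
        SELECT created_by,
               (created_at / ?) * ?                AS window_start,
               command,
               COUNT(DISTINCT target_endpoint)     AS n_endpoints
        FROM agent_tasks
        GROUP BY created_by, created_at / ?, command
        HAVING COUNT(DISTINCT target_endpoint) > ?
        ORDER BY n_endpoints DESC
    """
    return conn.execute(sql, (bucket, bucket, bucket, threshold)).fetchall()


def run_demo(rows=SAMPLE_TASKS):
    """Load the constructed rows into an in-memory DB and return the alerts."""
    conn = sqlite3.connect(":memory:")
    load_tasks(conn, rows)
    return find_bulk_task_bursts(conn)


if __name__ == "__main__":
    for creator, start, cmd, n in run_demo():
        print(f"ALERT: {creator} scheduled {cmd!r} on {n} endpoints in the window starting at {start}")
```

Against the constructed data the routine tasks stay silent and the burst produces one alert for `svc_rmm` with 60 endpoints. In a real deployment the query would run against the RMM's actual task table (column names will differ) on a schedule, and the threshold should be set from the site's own history of legitimate mass deployments.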
Yeah. But many many small/medium businesses have been left behind in understanding how software works and how to be secure. A lot of that is because big businesses offload the cost of it onto others instead of leading the way like they should.
Where before you'd have humans interacting which would prevent massive promulgation of bad actors... now a lot of that is automated. So all it takes is one weak link in the chain.
While there are holes at all layers that lead to these types of attacks, as a runtime systems and language/compiler person, it's clear to me that unsafe languages should be abandoned, even if it costs a handful of percent of performance. The societal costs are just too great.
Security isn't boolean, and the closer to "security = 1" you get the more non-functional the system.
It's always going to be a tradeoff between doing useful things and being secure. I would agree that we need to shift the bar closer to 1, but absolute security is impossible without the world closing down.
w.r.t. unsafe languages: it's not even possible to instrument and operate hardware in a "safe" way; even Rust, which is rather low level, needs to be wrapped in unsafe in order to interact with hardware.
I believe we need to be better at: Detection, mitigation, response -- all things traditionally sysadmins dealt with.
But our industry assumes that sysadmins need not apply.
> Security isn't boolean, and the closer to "security = 1" you get the more non-functional the system.
Security isn't one-dimensional. Security can be phrased in functional requirements like "does not allow remote code execution attacks", which is of course a boolean requirement. You can slice that finer and finer such as "does not allow remote execution attacks through X, Y, or Z mechanisms" and start adding other, higher-level requirements such as "does not leak user data through APIs", etc. Security isn't boolean, but it is absolutely chock-full of boolean requirements one can pose.
> I believe we need to be better at: Detection, mitigation, response -- all things traditionally sysadmins dealt with.
I don't disagree with that, but this is the last-line-of-defense, the-horse-has-left-the-barn stage, which is basically admitting defeat because of how absolutely riddled with vulnerabilities existing software is.
Like you just said: security doesn't have to be boolean. Using more secure languages doesn't mean we have to completely banish every occurrence of unsafe in Rust. It just means we should avoid languages that force even business logic to be written using pointer arithmetic.
Networks need to move to zero trust models, sure, but companies need to evaluate the risks of all the systems and processes that they rely on. The problem is it’s too easy to accept the risks or downplay them, while the work to get them addressed is costly.
This isn't some ancient, underfunded open source library, this is people getting what they're actually paying for.
Of course, it is possible to do this but it requires considerable cost and diligence. External hardware that only takes data from the target machine, for example - long timeline + key transactions logged. "Backup can't protect against ransomware" statements seem to be just shorthand for "your piece of shit backup doesn't protect against ransomware", which is true but when shortened doesn't seem like the right message.
AWS S3 and Google Cloud Storage have Retention Policy Locks [1] and fuse bits in their buckets. e.g. set the retention policy on your backups bucket to 1 year and burn the fuse bit.
Now files cannot be deleted or changed in that bucket for 1 year after their creation. Not even the account root owner contacting support can get it changed. No ransomware, short of breaking into the AWS or GCP control plane is going to compromise those backups.
1. https://cloud.google.com/storage/docs/bucket-lock#policy-loc...
P.S. remember the write protect tab on old floppies/tapes ;)
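A retention lock only protects the backups if it is actually in the non-bypassable mode and actually locked, which is worth verifying with a script rather than by eye. The following is an added example, not from the comment above or from either cloud provider: it checks the configuration documents in the shape returned by `aws s3api get-object-lock-configuration` and by the GCS JSON API bucket resource's `retentionPolicy` (both sample documents below are constructed), and reports a weak setting beside the corrected one.

```python
ONE_YEAR_DAYS = 365
ONE_YEAR_SECONDS = 365 * 24 * 3600

# Constructed samples in the shape of `aws s3api get-object-lock-configuration` output.
# GOVERNANCE mode can be shortened by any principal holding s3:BypassGovernanceRetention;
# COMPLIANCE mode cannot be shortened by anyone for the duration of the period.
S3_WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
           "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
S3_GOOD = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
           "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}

# Constructed samples in the shape of a GCS bucket resource's retentionPolicy field.
# An unlocked policy can still be reduced or removed; a locked one cannot.
GCS_WEAK = {"retentionPolicy": {"retentionPeriod": "31536000", "isLocked": False}}
GCS_GOOD = {"retentionPolicy": {"retentionPeriod": "31536000", "isLocked": True}}


def check_s3_object_lock(cfg, min_days=ONE_YEAR_DAYS):
    """Return a list of findings for an S3 bucket's object lock config (empty = OK)."""
    findings = []
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled on the bucket"]
    ret = lock.get("Rule", {}).get("DefaultRetention", {})
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(
            f"default retention mode is {ret.get('Mode')!r}; only COMPLIANCE "
            "resists s3:BypassGovernanceRetention"
        )
    days = ret.get("Days", 0) + ret.get("Years", 0) * 365
    if days < min_days:
        findings.append(f"default retention is {days} days, required at least {min_days}")
    return findings


def check_gcs_retention(bucket, min_seconds=ONE_YEAR_SECONDS):
    """Return a list of findings for a GCS bucket's retention policy (empty = OK)."""
    findings = []
    policy = bucket.get("retentionPolicy")
    if not policy:
        return ["no retention policy on the bucket"]
    period = int(policy.get("retentionPeriod", "0"))
    if period < min_seconds:
        findings.append(f"retention period is {period}s, required at least {min_seconds}s")
    if not policy.get("isLocked"):
        findings.append("retention policy is not locked; it can still be shortened or removed")
    return findings


if __name__ == "__main__":
    for name, cfg in [("s3-weak", S3_WEAK), ("s3-good", S3_GOOD)]:
        print(name, check_s3_object_lock(cfg) or "OK")
    for name, cfg in [("gcs-weak", GCS_WEAK), ("gcs-good", GCS_GOOD)]:
        print(name, check_gcs_retention(cfg) or "OK")
```

The mode check is the important one for the claim in the comment: the "nobody, not even root, can change it" property holds for S3 only in COMPLIANCE mode and for GCS only once the policy is locked, so a checker that merely confirms a retention period exists would pass a bucket that an attacker with the right IAM permission could still clear.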
For kicks, an algorithm that contacts you multiple ways if it hasn't gotten a backup OR if the backup suddenly has a high diff from the previous backup.
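That monitor is small enough to sketch in full. The following is an added example, not code from the comment: it compares two backup manifests (constructed `{path: sha256}` dictionaries), raises an alert when a backup is overdue or when an unusually large share of files changed between runs, and fans the alerts out over several notification channels so that one dead channel does not silence the rest. The manifest format, the 26-hour deadline and the 20% change threshold are assumptions chosen for the demonstration.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(text):
    """Content hash used for the constructed manifests."""
    return hashlib.sha256(text.encode()).hexdigest()


def make_manifest(n_files, changed=0, tag="v1"):
    """Constructed {path: sha256} manifest; the first `changed` files get new content."""
    return {
        f"/data/file{i:03d}": sha256_hex(f"{tag}-{i}" if i < changed else f"base-{i}")
        for i in range(n_files)
    }


def manifest_diff(previous, current):
    """Return (added, removed, changed, ratio) between two manifests; ratio is the
    share of the previous file set that was added, removed or rewritten."""
    prev_paths, cur_paths = set(previous), set(current)
    added = cur_paths - prev_paths
    removed = prev_paths - cur_paths
    changed = {p for p in prev_paths & cur_paths if previous[p] != current[p]}
    ratio = (len(added) + len(removed) + len(changed)) / max(len(prev_paths), 1)
    return added, removed, changed, ratio


def evaluate_backup(previous, current, last_backup_at, now,
                    max_age=timedelta(hours=26), max_ratio=0.2):
    """Return the alert strings that should go out for this backup cycle."""
    alerts = []
    if current is None or now - last_backup_at > max_age:
        alerts.append(f"no backup received in the last {max_age}")
        return alerts
    if previous:
        added, removed, changed, ratio = manifest_diff(previous, current)
        if ratio > max_ratio:
            alerts.append(
                f"{ratio:.0%} of files differ from the previous backup "
                f"(+{len(added)} -{len(removed)} ~{len(changed)}); possible mass encryption"
            )
    return alerts


def notify(alerts, channels):
    """Send every alert through every channel (callables taking one string).
    Returns the number of successful deliveries; a channel that raises is skipped
    so one broken path (mail relay down, say) does not suppress the others."""
    sent = 0
    for alert in alerts:
        for channel in channels:
            try:
                channel(alert)
                sent += 1
            except Exception:
                continue
    return sent


def sms_channel_down(_message):
    """Stand-in for a notification path that is currently failing."""
    raise RuntimeError("sms relay unreachable")


def run_demo():
    """Constructed scenario: a normal day, a mass-change day and a missing backup."""
    now = datetime(2021, 7, 5, 6, 0, tzinfo=timezone.utc)
    base = make_manifest(100)
    normal = make_manifest(100, changed=5, tag="day2")
    encrypted = make_manifest(100, changed=90, tag="rewritten")
    outbox = []                      # the working channel just records messages
    channels = [outbox.append, sms_channel_down]
    results = {
        "normal": evaluate_backup(base, normal, now - timedelta(hours=2), now),
        "mass_change": evaluate_backup(base, encrypted, now - timedelta(hours=2), now),
        "missing": evaluate_backup(base, None, now - timedelta(hours=40), now),
    }
    delivered = notify(results["mass_change"] + results["missing"], channels)
    return results, delivered, outbox


if __name__ == "__main__":
    results, delivered, outbox = run_demo()
    for scenario, alerts in results.items():
        print(scenario, alerts or "OK")
    print(f"{delivered} deliveries succeeded:", outbox)
```

The diff ratio is a coarse signal: a legitimate bulk migration will trip it too, so the threshold should come from the site's own history, and the check belongs on the backup host rather than on the machine being backed up so that the same compromise cannot disable both.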
Back in the day I was using these NetApp filers which had read-only snapshot volumes which were mounted on .snapshot.
It would be practically impossible to remove those snapshots as it would require root access to the filer head.
ZFS, BTRFS and LVM have similar functionality.
Is there any world where Kaseya isn't dead? This isn't Equifax, who have a monopoly and could just out-live the bad press. Kaseya is an IT security firm in a hyper competitive marketplace selling to unsophisticated clients. Reputation is everything. I imagine they're in "avoid lawsuits so we can return as much capital to ourselves/investors before closing up shop" mode.
"Kaseya Responds Swiftly to Sophisticated Cyberattack, Mitigating Global Disruption to Customers"
99.9% of businesses in the US are small businesses.
4 out of 5 businesses in the US are so small, they don't have any employees at all.
Ransomware companies are companies. They set their fees high but not so high they drive their "customers" out of business, at least not all their customers.
I hope things will change. The most likely seems like more of the same thing, which clearly won't change the situation. Also, the government huffs and puffs about arresting people somewhere.
The whole thing has "fall of the Roman Empire" vibes to it.
Aren't there 7 continents? I get ignoring Antarctica in this context, but it's still wrong to say "All 5" here. What weird phrasing.
It's hard work cutting budgets and outsourcing whatever possible to the Jamaican bobsled team. So now the govt has to hire, train, feed and stable yet another army to protect these helpless overfed crybabies.
Funny though, having gone through the Y2K fix, I'm aggravated that systems are now again storing dates in the 2 digit format.
Many times data is exfiltrated beforehand, backups are deleted. If someone went to the trouble of compromising a 3rd party software vendor, he knows what he is doing.
This gentleman was working at SBG, a media conglomerate in America. During a troubleshooting process, while they were using the system internal tools, specifically TCPView (https://docs.microsoft.com/en-us/sysinternals/downloads/tcpv...), they noticed that a certain address/domain kept showing up regularly even though no code was set to talk to that address. This responsible engineer promptly told his manager, only to never hear it mentioned again. 1-2 months later that was one of the addresses listed as part of the SolarWinds fiasco.
Another episode was when this same engineer noticed that a fellow engineer was irresponsibly, and probably due to inexperience, unknowingly inserting a backdoor in a process via eval on unfiltered input coming in via a command line param, a no-no. This engineer was notified by the other and provided with a simple exploit, only to receive yelling and gaslighting in return and statements such as "we don't care about these things at this company." Eventually the manager was notified and his response was: "I have told them so many times about this", yet that also never went anywhere.
Security is a layered process, but with stories such as these it's no wonder attacks are common. Someone somewhere will behave like the characters in the stories and that is all it takes; amplify that across all the companies in business and the other side has a pretty easy time finding open doors.
As long as management creates an environment where disclosure is considered "rocking the boat", managers and employees will never do the right thing.
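The second episode above (a command-line parameter fed straight to eval) has a short, well-known fix, shown here as an added example that is not code from the comment or from the company it describes. The unsafe form is kept only as the "before" for comparison and is never called; the hardened forms parse the parameter as a plain literal with `ast.literal_eval` and then validate its shape. The threshold-dictionary format and the `ALLOWED_KEYS` set are assumptions made up for the demonstration.

```python
import ast
import sys


def parse_param_unsafe(raw):
    """The pattern the post describes: a command-line parameter handed straight to
    eval(), so whoever controls the argument runs arbitrary Python in the process.
    Kept only as the 'before' form; nothing in this file calls it."""
    return eval(raw)


def parse_param_safe(raw):
    """Accept only Python literal syntax (numbers, strings, tuples, lists, dicts,
    sets, booleans, None). Calls, names and attribute access are rejected by
    ast.literal_eval, so no code can run during parsing."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"parameter is not a plain literal: {raw!r}") from exc


ALLOWED_KEYS = frozenset({"cpu", "mem", "disk"})   # assumed config keys for the demo


def parse_thresholds(raw):
    """Stricter still: after literal parsing, validate the shape the program actually
    expects (a dict mapping known keys to percentages) instead of trusting whatever
    literal the caller supplied."""
    value = parse_param_safe(raw)
    if not isinstance(value, dict):
        raise ValueError("thresholds must be a dict")
    unknown = set(value) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown threshold keys: {sorted(unknown)}")
    for key, pct in value.items():
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(pct, bool) or not isinstance(pct, (int, float)) or not 0 <= pct <= 100:
            raise ValueError(f"{key}: expected a percentage 0-100, got {pct!r}")
    return value


def rejects(parser, raw):
    """True if `parser` refuses `raw` with ValueError; used to demonstrate the checks."""
    try:
        parser(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    arg = sys.argv[1] if len(sys.argv) > 1 else '{"cpu": 80, "mem": 90}'
    print(parse_thresholds(arg))
```

The point of the second layer is that `literal_eval` only guarantees nothing executes; it will still happily return a 200 MB list or a dict of unexpected keys, so the program's own schema check is what keeps the parameter from doing damage further downstream.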
Please tell me that my most onerous and security conscious customers weathered this just fine. You know, the folks that lock down ports by jack number, MAC address, and user. The folks that MiTM everything and instantly cauterize a port if the traffic becomes suspect. Please tell me they made it through this OK and that all the security theater was for something.