Massachusetts Steamship Authority hit by ransomware attack; ferries delayed

  • I'd really like to see/hear/read a breakdown of some of related issues from some experts.

    Even on HN it's the same knee-jerk reactions every time one of these stories hits.

    This is one of the most pressing technology issues of this moment and the discourse just sucks.

    * Does banning ransom payments do anything? Good idea/bad idea? Historical analogues?

    * Do we need to pay rewards to cyber privateers to take down cyber criminals?

    * Is this an issue that can only be solved at the geopolitical level because of the role states play in enabling this activity?

    * Will the hardening brought about by this eventually outpace the crappy attacker software?

    * Is this a phase or the new reality?

    * How much of this is enabled by technology vs the geopolitical situation?

  • I continue to wonder why more companies aren't utilizing application whitelisting. Most, if not all, of the attacked companies run Windows, and Windows has been able to restrict systems to only running whitelisted applications for ages.

    Sure, whitelisting is annoying to say the least, but these are critical systems, you don't need to install new software daily or even monthly.
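The built-in Windows mechanism the comment above alludes to is AppLocker. As an added example that is not part of the thread, the PowerShell sequence below builds an allow-list from the software already installed on a reference machine, deploys it in audit mode so nothing is blocked yet, and shows how to check a file and review the audit events before enforcing. `$ReferenceDirs`, `$PolicyPath` and the test path `C:\Users\Public\unknown.exe` are placeholder values chosen for this example; it assumes an elevated PowerShell session on a Windows edition that ships the AppLocker module.

```powershell
# Added example, not from the thread: AppLocker allow-list built from a
# reference machine's installed software, deployed in audit mode first.
# Assumptions: elevated session, AppLocker module present, placeholder paths.

$ReferenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')  # placeholder
$PolicyPath    = 'C:\Temp\applocker-audit.xml'                                  # placeholder

# 1. Inventory the executables, scripts, installers and DLLs the business
#    already relies on. Anything outside this set is what a kit-based
#    ransomware payload would typically be: an unsigned binary in a
#    user-writable location.
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Script, WindowsInstaller, Dll
}

# 2. Turn the inventory into rules. Publisher rules (signed binaries) keep
#    working across patches; hash rules cover unsigned files but must be
#    regenerated whenever those files are updated.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in AuditOnly: would-be blocks are logged, users are not interrupted.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# 4. Dry-run the policy against a file that should NOT be allowed
#    (placeholder path; point it at a real unsigned binary to see 'Denied').
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path 'C:\Users\Public\unknown.exe' -User Everyone

# 5. Apply locally (add -Ldap to target a GPO instead) and make sure the
#    Application Identity service, which AppLocker depends on, runs at boot.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# 6. Review what would have been blocked before flipping AuditOnly to Enabled.
#    Event 8003 = allowed to run only because the policy is in audit mode.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

The audit pass is the part that makes whitelisting survivable on a real network: run it for a few weeks, add rules for whatever legitimate 8003 events appear, and only then change the `EnforcementMode` attribute to `Enabled` and re-apply.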

  • A federal ban on paying ransomware would reduce the incentive to commit these attacks.

  • Interesting -- I was just in Woods Hole earlier today, and in fact saw this article pop up on Hacker News while walking by the Steamship Authority. Always strange to see your small slice of the world crop up in places like this. On that note, the Steamship Authority is such a fascinating choice of target for such an attack. Probably very low friction, as I can't imagine they have any sort of sophistication behind their technology stack.

  • I wonder if this will mean an increase in cyber security related postings in industries that have otherwise not had to worry about cyber security before (i.e. the Steamship Authority, meat industry, etc.)

  • The US is going to end up tracking and assassinating these people, if we're not already. Messing with the old money usually doesn't turn out well for whoever's doing it.

  • This isn't news anymore, it's weather. If your company does not have a full time cybersecurity team, they soon will, even if they say they don't need it.

  • How exactly are the ransoms even paid out? I would assume cryptocurrencies, but before those existed how did they pay out?

    I'm not sure what it would be called, but has there been any investigation in a sort of "transparent by default" database system? Ideally if this were possible people wouldn't need to care about data being stolen (though in this case it's unclear what the attack did, but many times it's more like we'll reveal/block your data unless you pay up)

  • Well, I’ve been shouting this from the rooftops for a while now, and finally they got my lifeline.

    Ransomware in cryptocurrency could be easy to stop naturally. Miners just need to know that there is a nonzero chance of their blocks being forked off if they help them. It’s a technical problem of out-of-band governance protocols among miners, not unlike what is already being done for positive gain (MEV) by FlashBots. That’s the incredible possibility of cryptocurrency. It’s designed to turn selfishness into a public good, with no coercion, recognition, or good will. And sure, they could include a massive reward to convince miners to include the block, but then that also goes for every coinbase and transaction afterward, until there is nothing left, and no incentive at all for ransomware.

    The present reality, of course, is that miners are just not that sophisticated. For the most part they’re just aping the repos that are released by the foundations. But the foundations certainly should understand that it’s in their interest to protect their currency by at least giving the miners information about transactions in the mempool or utxos, and perhaps some kind of out-of-band signaling mechanism to indicate unwillingness to accept blocks that include them. Perhaps better yet, a price for inclusion demanded in the form of an MEV burn added to the next block, which would of course fetch its own price. There is some criticism of the foundations here, as there is also some criticism of some PoS implementations that do not allow fork selection, but ultimately I think that they can solve it.

    So that takes care of economic hackers. I’m far more concerned with non-economic or peri-economic agents. There is a doctrine of “unrestricted warfare” that everybody should know about. It explains many things about how and why things do not make sense. It is because we are under attack, and it’s a truly brilliant offensive, for which all of our defenses only work in their favor. I don’t have the answers for this. But it does give a warning. The effect they seek is not the damage they’ve done, but our reaction to it. Our reaction, by regulation that cripples our competitiveness, by restricting our own freedoms, could be disastrous to our country and our way of life, which is exactly what they want. And these attacks, although they may be carried out by economic agents, almost certainly find their roots in exploits created by long-standing programs of infiltration. Nature too, has learned this trick; SARS kills by turning the immune system against the host.

  • Interesting how everybody focuses on the things that they know about: technical solutions, legal solutions aiming at the victims, payment options and so on.

    When the real failure is somewhere else: bringing these perps to justice. The fact that they can get away with this over and over again hiding behind anonymity is what enables these crimes.

  • Clearly they are messing with the wrong people from Martha's Vineyard :).

  • Cyber privateers sounds like an interesting idea. Except instead of hunting criminals they hunt for victims. The government pays them bounties, then goes to the victims and says "We're fining you $X, and $Y per day until you fix this."

  • Has anyone looked at or tried to quantify the effects of paying ransoms for kidnap victims in the Middle East and North Africa? That's the most comparable thing I can think of...

  • I'm curious if seeing headlines like this causes other companies to invest more in security.

    Or is it more like "well as long as it doesn't hit us we don't care"

  • So why is HN steaming over this?

    It's the classic antagonist to the Colonial Pipeline hysteria, which stopped their pumps because they would not be able to account for the exact gallons delivered to which customer. So they rather stopped a critical infrastructure. Hilarious. Plus Windows.

    Here again the Windows office PCs were affected, but the steamships themselves didn't care much. They kept going, you only had to pay for your ticket onboard, not online. Online reservations were not honored.

  • Oh, that's going to annoy some rich people.

  • this is getting a little out of hand

  • Well, the Steamship Authority, what did you expect?

  • As someone who works specifically in this subgenre of computer security (IR) I can say a few things that might add to the conversation in a meaningful way.

    1.) There is a cottage industry in this space that sells kits for these ransomware compromises. Everything provided is off the shelf, this is why you’re seeing such an emergence in this space. It’s not that the barrier to exit from a ransomware attack cost decreased (cryptocurrency). The barrier to entry lowered, any jerk can pay a small amount of funds to buy a software kit and instructions on how to do it.

    Furthermore this is also why you’re seeing so many public defacements go politically neutral (ironic given the times). It’s simply relatively lucrative, with a low amount of risk, and only requires the technical aptitude of someone capable of using BitTorrent/Tor/Warez.

    2.) Hiring / Managing security teams - unless you’re in technology or selling security as a part of a product you can’t afford a quality team/tools. Most businesses are trying to optimize their cost centers to maximize their profits. As such most of the time that means it’s a race to the bottom to get them to be “insurable”. Salary + Software is expensive. 500k minimum investment for a meat processing company or whatever is not the easiest pill to swallow.

    3.) Companies that pay this are not good judges of security talent. They don’t know if the Herjavec Group really is an effective detection company. They judge almost entirely on feeling. Same with that one fast talking hoodie wearing self proclaimed hacker talking out of their ass.

    Not understanding what you’re hiring for also creates friction, since any deviation from the fantasy security hire they imagined will be met with extreme resistance. “I thought they were going to shore up our servers, why do we have to log in on our email every 8 hours now”. Oftentimes when an executive leader does not understand why security trade offs are made they just make the decision themselves (pro tip: they’ll accept the risk) and you’ve failed regardless as an employer and employee.

    4.) The industry does very little in a practical sense in preparing people for these job functions (with a few exceptions). Security engineers often have technical skills in spades. However, if they don’t understand anything outside of security they are going to fail. Civil communication/debate, the ability to navigate political issues, understanding the business etc. are actually super important. The biggest tragedy was that someone internally probably saw this coming but couldn’t actually get the messaging across.

    When you combine all of these elements you have a confluence of shit. It’s once again getting less expensive to perform a wide attack with little know how intersecting an industry that has yet to course correct.

  • There are threats which emerge when a viability threshold is crossed and realised.

    For cities, recurring plagues began occurring during Roman times and limited maximum city populations to about 1 million until the advent of modern sanitation, hygiene, public health, waste removal, and food quality. (Actual medical care and treatment had little to do with this, though vaccines and antibiotics helped.)

    Industrial pollution lagged industrial development by about 50--100 years, with air and water quality and material contamination (heavy metals, asbestos, organic solvents, synthetic hormone disruptors and other bio-active contaminants, etc.).

    Increases in travel, transport, and communications almost always directly facilitate fraud. The Greek/Roman gods Hermes/Mercury represented communication, messages, travel, transportation, commerce, trickery, and thieves. The term "Confidence Man" arose from Herman Melville's novel of the same name, set on the first great highway of the United States, the steamboat-plied Mississippi.

    Mail begat mail fraud. Telegraph and telephones begat wire fraud. Cheap broadcast radio and television, payola and game-show frauds. Email begat spam and phishing.

    The 1990s and 2000s computerised business practices employed computers with shitty security, but those systems were saved by the general lack of networking, the relatively small size of global computer networks, limited disk storage, limited network bandwidth, and the effectual air-gapping of paper-driven steps in processing. Billing might be submitted or computed electronically, but a paper check still had to be cut and signed. Draining accounts or data simply wasn't possible without running up against the inherent limitations of computer infrastructure at the time even had a payment mechanism similar to today's cryptocurrencies been available.

    If my assessment is correct, we'll be seeing much more of this.

    Attackers have low costs. Victims have highly-interconnected, but poorly-defended systems, comprised of multiple components, each complex on its own, and lacking any effective overall security accountability. End-to-end automation exists, facilitating both productive work and effective attacks. A viable and tracking-resistant payment mechanism exists. Regions from which attacks can be made with impunity exist, and are well-connected to global data networks.

    Backups alone are not an effective defence as these protect against data loss but not data disclosure. Full defence will require radically different thinking, protection, risk assessment, and law-enforcement capabilities.

    Until then, get used to more of this, at both large and small scales.

    There are some potential bright lights.

    - I suspect attackers aren't targeting specific facilities but are instead conducting automated and scripted attacks against vulnerable facilities.

    - For data-encryption ransom attacks, this means that the decryption key is all but certainly derivable from information on the attacked system, perhaps encoded as filenames or contents. Determining this mechanism may at least allow for data recovery. (It of course does nothing against data disclosure, long-term surveillance, or access denial attacks.) The likelihood that attackers have some database of victims + passwords seems low.

    - Attackers are themselves subject to trust and suspicion attacks, and turning members or safe-harbours against attackers is probably a useful countermeasure.

    - State-level sanctions, falling short of military attacks, may also prove effective.

  • Do these recent attacks (pipeline, meat plants, steamship) have anything in common? Do they share exploits? Are they related to or enabled by the SolarWinds hack? Or is this just media amplifying what are otherwise routine events now?

  • With the US under a constant barrage of attacks it makes sense to trash the "space force" and create a legitimate "cyber security force."

    This may be our last chance to maintain global power through the use of force at all, given that so many competitors are gaining foothold in every other area.

    We need bulletproof IT infrastructure, instant backtracing, and effective retaliatory responses ready to deploy, yesterday!

    Why the hell isn't the attacker's computer compromised when they access the data? (rhetorical)

  • Ransomware attacks against the United States should be met with covert assassinations against these hacking groups on foreign soil.

    Enough of this insanity - these are acts of war, and those responsible should be dealt with through covert, proportional military strikes.

  • I have to wonder:

    Are there CTOs or IT heads going into board meetings or other meetings, and telling people that these systems are secure? Because if so, they need to be tried for fraud.

    If it's on the internet, it is not secure.

  • MS Windows is 100% to blame. How can a worm spread that easily in 2021 to PCs across the network? 0day trash Windows exploits