The Risky Business podcast #624 talks about pretty much all your questions if you want to listen to it. But here's some relevant info: Hardening can help, but we'll always have new exploits and some of the time the intrusion comes from standard phishing rather than automation, so tech can't solve it. Crypto coins enable payment at scale, but Russia enables the operation to not worry about consequences (a lot of ransomware will disable itself on Russian computers to avoid local prosecution).
And in my opinion it's only a matter of time till something so crucial will be affected that the big guns will be rolled out. (I.e. targeted 3 letter agencies efforts) The podcast argued that touching the energy delivery / pipeline was already it - Fox asking daily how the current administration fails to deal with securing energy may be the point when some real action happens.
This mentality of "there will always be new exploits" bothers me. Yes, there will always be exploits, but we can do a hell of a lot better at preventing them than we are. We know how to design systems that are really hard to get into – we just don't do that. Blaming a lack of IT funding is misguided in my opinion too.
> but Russia enables the operation to not worry about consequences (a lot of ransomware will disable itself on Russian computers to avoid local prosecution).
I remember reading how supposedly adding a Russian or a few other keyboard layouts might fool some of the malware to ignore the machine [1].
I guess one idea for the Western intel agencies could be to play off of that, and somehow disable that check (infect their malware) such that it can and does attack the Russian infrastructure.
If the goal is to put them in the crosshairs of their own government's law enforcement. However, that said, in those parts the line between law enforcement and criminal organization is pretty gray and fluid.
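The keyboard-layout check the two comments above refer to, reproduced from the defender's side as an added example (this is not code from the thread or from any malware family). On Windows, `GetKeyboardLayoutList` returns one handle (HKL) per installed layout, and the low 16 bits of each handle are the Microsoft language identifier; ransomware that wants to avoid CIS victims compares those identifiers against a short list and exits on a match. The LANGID values below are Microsoft's; which identifiers any particular family consults is an assumption, and the sample HKL lists are constructed.

```python
import sys

# Windows language identifiers (low word of an HKL). The numeric values are
# Microsoft's LANGID table; treating exactly this set as "abort" is an
# assumption about what a given family checks.
CIS_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x043F: "Kazakh",
    0x0437: "Georgian",
    0x042B: "Armenian",
}


def langid(hkl: int) -> int:
    """Language identifier of a keyboard layout handle.

    An HKL is a 32-bit value whose low word is the LANGID: the US layout is
    0x04090409, the Russian one 0x04190419.
    """
    return hkl & 0xFFFF


def matching_layouts(hkls) -> list:
    """Names of the CIS layouts present in a list of HKLs, in order seen."""
    return [CIS_LANGIDS[langid(h)] for h in hkls if langid(h) in CIS_LANGIDS]


def would_abort(hkls) -> bool:
    """Mirror the malware's decision: True if any listed layout is installed."""
    return bool(matching_layouts(hkls))


def installed_layouts() -> list:
    """Real layout list via user32.GetKeyboardLayoutList on Windows.

    Returns [] on other platforms so the module still imports there.
    """
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.windll.user32
    n = user32.GetKeyboardLayoutList(0, None)       # first call: count only
    buf = (ctypes.c_void_p * n)()
    user32.GetKeyboardLayoutList(n, buf)            # second call: fill buffer
    return [h & 0xFFFFFFFF for h in buf if h is not None]


# Constructed sample data: a US-only workstation, and the same machine after
# a Russian layout was added as a "vaccine".
US_ONLY = [0x04090409]
WITH_RUSSIAN = [0x04090409, 0x04190419]

if __name__ == "__main__":
    print("US only      ->", would_abort(US_ONLY), matching_layouts(US_ONLY))
    print("with Russian ->", would_abort(WITH_RUSSIAN), matching_layouts(WITH_RUSSIAN))
    print("this host    ->", would_abort(installed_layouts()))
```

Two caveats for anyone tempted to rely on this: the set of identifiers checked varies between families (some also look at the system locale or the default UI language rather than installed layouts), and the check lives in the attacker's code, so the operator can remove it at any time.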
Another issue I don't see discussed much is how cryptocurrencies basically enable the business of ransomware. It's not like we're less secure than we were 20 years ago, the difference is now hackers can actually get paid.
This level of corporate hacking existed prior to cryptocurrencies, the difference is that it was used for stock market manipulation and profiting on short or long positions. It appears that this is even more profitable than ransomware, in the hundreds of millions or possibly even billions of dollars. [1][2]
From my memory the profits from such attacks were remarkably low. In particular it's very striking that the hackers who compromised JP Morgan couldn't find anything more profitable to do with that access than send basic scam emails to their client lists.
Your comment makes it sound like stock markets were manipulated by hacking the companies that issued the stock. In one of your stories brokerage accounts were compromised and used to pump penny stocks. In the other someone hacked a few companies that distributed press releases to get early access to them and traded on the information. Stocks weren't even manipulated in that case, they simply placed trades based on how they thought the market would react to the news. That was a targeted attempt to get information, not a destructive attack on the entire company network.
Yes, so both manipulation and put/calls were leveraged by hacking as I specified. I think there is a disconnect in my communications. In these cases the penetration (hacking) was the same but there was no data destruction.
Ransomware appears to be a less profitable and less clever use of hacking.
It wouldn’t surprise me at all if our systems are on average far less secure simply because so much more is online now, to speak nothing of increases in the complexity of and opportunities for errors and misconfigurations in today’s systems.
Because twenty years ago computer security was an absolute and utter shambles. Exploiting a vulnerability today is orders of magnitude harder than it was twenty years ago. Massive strides have been made.
Just a couple years ago, the largest botnet in history infected IOT devices using default passwords in order to DDOS Minecraft servers, so perhaps these strides haven't been so massive.
IOT isn't datacenter server technology. IOT is basically in the state of software security from 20 years ago. Often running crappy proprietary stuff. Your average server running a recent Linux kernel is Fort Knox comparatively. There have been massive strides in many places in software security but IOT and embedded security in general is very lacking unless you're talking things going into space or military.
Linux has a far wider attack surface than my baremetal embedded firmware. Like 10^6 wider. There's a single mqtts service mostly, or just passive senders (sensors, controllers). Zero attack surface.
Linux is way too big, with thousands of drivers, services and patches.
> Because twenty years ago computer security was an absolute and utter shambles. Exploiting a vulnerability today is orders of magnitude harder than it was twenty years ago. Massive strides have been made.
Yes but once an exploit is found it can be tried on a whole lot more systems and the weakest link becomes a target. There is also a lot more interest hence brains in hacking/ransomware.
A lot of critical systems should simply be airgapped
Vulnerabilities may have been easier but the scope for damage was reduced. Certainly in my organisation (local government housing) the impact even just five years ago of all our systems being unavailable was a lot less than it would be now (mainly because we've spent the last five to ten years getting people to abandon paper processes). More than this, we used to have various "systems" which weren't really connected together in a way that could be usefully exploited. We had hundreds of dialup modems in sites which were probably terribly insecure but all they were connected to was a single building component. Now, there's a management console (and related database) which gives you access to hundreds of sites over the internet.
It's a bit of the "we have X at home" meme situation. Sure, ransomware existed before, but the scale was not even close to that. You can't move hundreds of millions in gift / prepaid cards without getting found. It's a completely different level of comfort for the operators.
Granting your premise, but: what is there to discuss about it? Cryptocurrencies are good for this, yes.
I am inferring (perhaps incorrectly) that you're saying this is an argument against cryptocurrencies. I think that's beside the point: even outright outlawing cryptocurrencies wouldn't stop the technology from existing, and wouldn't discourage extortionists from using it to anonymously receive payments.
It would make it harder to pay, since you'd have to go outside of safe, legal channels to get money into the system.
If the best strategy when being extorted is to never pay or negotiate, then I suppose that could be a benefit. But, in that case it would be more efficient to just make it illegal to cooperate with extortion in the first place.
For all I know, this is already true. If not, let's try that first. If it is, it doesn't seem to matter, since people are paying ransomware hackers. Still, if paying at all is illegal, but people still do it, then making paying less convenient probably won't make much of a difference: they'll still ask for payment in crypto, and leave the logistics up to the victim.
An easy way to blunt such attacks is to have physical write-enable switches on drives used for backups. Then, when restoring from backup, it cannot get corrupted.
Of course, even better would be a physical switch for incremental backups, so a disk drive works like tape - it can physically only be appended to if that switch is "off".
Come on, security professionals. None of this has any technical or cost barriers. Demand it from drive vendors. My older drives have such a switch.
Anticipate a problem with your IT staff leaving the write-enable switch on? Have the drive maker add a (again, physical) clock circuit (could just be an RC delay) to turn it off again automatically.
(Even if you don't anticipate a problem with your IT staff, it's just good engineering to automatically turn off the write-enable. Nobody's perfect. I've gone to the airport without my passport once. It really sux when you do that.)
This is a system I put together at my first IT job.
Backups get pushed from devices between 1AM and 3AM each day, so the primary backup server enables its network card at 1 and disables it at 3.
Primary backup server also has a second network card, that in turn is attached to a small subnet containing it and the secondary backup server only. The secondary backup server pulls a copy from the primary on a weekly basis in a similar manner as the primary, disabling its network card once it has finished.
Maybe they can hit the primary if the infection takes place overnight, but the odds of getting the secondary are pretty low.
The odds of hitting the secondary are zero if you've got a hardware write enable switch!
One thing you could do is get one of those mechanical lamp timer clocks from the hardware store, and have it turn the power on/off the network card on schedule.
Many ransomware attacks are not sophisticated. They may be targeted but the procedure is fairly simple: blast targets with phishing emails/texts, get them to click, done. It seems that zero-days are often not required because targets lag behind in applying patches.
Many (if not most) companies have file shares with fairly wide-open access and/or a complete lack of backups so peer-to-peer spreading within the company is enough to cause a lot of trouble.
At its root these are technological problems that we could choose to solve:
1. The program is not the user. Code running as a user shouldn't necessarily have permission to access everything the user can access.
2. New code is not treated with suspicion when it should be. New code should have its file access throttled in proportion to how many files it accesses.
3. Our systems do a terrible job of spotting unusual behavior. How many processes actually need to rewrite every file the user has access to? Almost none... rewriting 10% of the user's files should trigger an automatic throttle/stop and raise red flags.
4. As a variation on #3, most OSes these days ship parsers for a lot of common file formats... if the OS sees lots of user documents being rewritten and the parsers can no longer parse them stop allowing new rewrites and alert the user. If the user is encrypting their content on purpose they can approve it. If not you can at least limit the damage.
5. Similarly a network user that usually accesses a limited set of files should not be able to suddenly start rewriting thousands of files without some kind of intervention.
6. Our systems completely fail to take advantage of ancient technology called "file versions" (see VMS). Excess disk space should store old versions of files in a way that cannot be deleted (or the ransomware would just call that API or generate random writes to consume the space). Combine with 2/3: when there is suspicious activity on the system move into CoW mode and preserve previous versions of all files or an entire system snapshot and don't allow purging the snapshot without special intervention (eg rebooting into a special mode).
7. To go along with all of the above code should be tagged with its provenance in a system-tracked way. If a process writes a new binary to disk track that responsibility. Track it all the way back to the URL or email it came from. This entire audit trail should be attached to any of the mechanisms listed above. It should also be attached to any sort of activity monitoring program that shows you disk accesses, including historical accesses. If I see 50GB of disk reads/writes from a process group "JGjthjsfgl.exe, downloaded from p0wnme.example.farts" that is a huge red flag. Let me suspend that entire process group with a single click.
I'm sure smarter people could come up with even better ideas... but ransomware is absolutely something we can and should make nearly impossible. We could engineer operating systems to be resilient and limit the damage (eg: macOS prompting you to approve access to Desktop/Documents/Downloads) but it means giving up some sacred beliefs about how desktop operating systems should work that tends to make a subset of the HN audience extremely angry.
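A toy host-side monitor that implements three items from the list above (the 10% rewrite throttle from point 3, the "rewritten files no longer parse" stop from point 4, and the provenance tag from point 7), run over a constructed stream of file-write events. This is an added example, not code from the comment or from any operating system; the file set, process names, the origin URL and the event contents are all made up here, and the thresholds are assumptions chosen to match the comment's numbers.

```python
import math
import random
from collections import Counter, defaultdict

REWRITE_FRACTION = 0.10    # point 3: rewriting 10% of the user's files
MIN_UNPARSEABLE = 3        # assumed: broken rewrites before we suspend
TEXT_ENTROPY_LIMIT = 6.0   # bits/byte; prose is ~4-5, ciphertext ~8

# Leading bytes a parser for each format expects (point 4).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}
TEXT_EXTS = {".txt", ".csv", ".md"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte histogram; 8.0 means all values equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def unparseable(path: str, data: bytes) -> bool:
    """True if the new contents can no longer be what the extension claims."""
    ext = path[path.rfind("."):].lower()
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    if ext in TEXT_EXTS:
        return shannon_entropy(data) > TEXT_ENTROPY_LIMIT
    return False  # no parser for this format, so no opinion


class RewriteMonitor:
    """Tracks completed file rewrites per process and escalates verdicts."""

    def __init__(self, user_files, provenance):
        self.total = len(user_files)
        self.provenance = provenance        # pid -> where the binary came from
        self.rewritten = defaultdict(set)   # pid -> distinct paths rewritten
        self.broken = Counter()             # pid -> rewrites that no longer parse
        self.state = {}                     # pid -> last verdict
        self.alerts = []                    # (verdict, pid, provenance) on change

    def verdict(self, pid: int) -> str:
        if self.broken[pid] >= MIN_UNPARSEABLE:
            return "suspend"
        if len(self.rewritten[pid]) / self.total >= REWRITE_FRACTION:
            return "throttle"
        return "ok"

    def on_write(self, pid: int, path: str, new_contents: bytes) -> str:
        """Feed one completed rewrite; return the current verdict for pid."""
        self.rewritten[pid].add(path)
        if unparseable(path, new_contents):
            self.broken[pid] += 1
        v = self.verdict(pid)
        if v != self.state.get(pid, "ok"):
            self.alerts.append((v, pid, self.provenance.get(pid, "unknown")))
        self.state[pid] = v
        return v


def random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic stand-in for ciphertext (seeded stdlib PRNG)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo():
    """Constructed scenario: one editor, one sync client, one unknown binary."""
    docs = [f"C:/Users/alice/Documents/report{i}.docx" for i in range(10)]
    notes = [f"C:/Users/alice/Documents/notes{i}.txt" for i in range(10)]
    user_files = docs + notes
    provenance = {  # all three entries are made up for the example
        1001: "winword.exe, signed, from the corporate image",
        2002: "syncclient.exe, signed, from the corporate image",
        4242: "JGjthjsfgl.exe, downloaded from http://p0wnme.example.farts/",
    }
    mon = RewriteMonitor(user_files, provenance)
    results = {}
    # Word re-saves one document: valid zip container, one file of twenty.
    results["word"] = mon.on_write(1001, docs[0], b"PK\x03\x04" + b"word/document.xml" * 50)
    # A sync client re-saves four notes: many files, but every one still parses.
    for path in notes[:4]:
        results["sync"] = mon.on_write(2002, path, b"meeting notes: Q3 roadmap\n" * 20)
    # The unknown binary overwrites two .docx and three .txt with ciphertext.
    for path in docs[8:] + notes[:3]:
        results["ransom"] = mon.on_write(4242, path, random_bytes(4096))
    return results, mon.alerts


if __name__ == "__main__":
    results, alerts = demo()
    print(results)
    for alert in alerts:
        print(*alert)
```

The sync client ends up throttled but not suspended, which is the intended distinction: a rewrite-count heuristic alone fires on legitimate bulk writers, so the hard stop is reserved for the case where the new contents also fail to parse. A real implementation would sit below the filesystem (a minifilter on Windows, fanotify on Linux) rather than receive events from a list, and would apply the suspension to the whole process group.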
The sophistication of the major ransomware attacks happens at the "done" step of your "blast targets with phishing emails/texts, get them to click, done" description. The initial foothold is often done randomly by various attackers, but the execution after that takes some skill and effort and often is done by a limited number somewhat sophisticated groups who buy the initial footholds from a larger number of random attackers. The lateral movement is not generally done through "file shares with fairly wide-open access", but the attackers often (at least in most of the major attacks) manage to obtain full domain administration privileges to the whole network, so if the backups can be easily disabled or destroyed by your administrators, attackers can do the same.
Zero days are indeed often not required, however, IMHO the initial attack is less preventable than that lateral movement and further exploitation - if attackers are in your systems for a week while they spread everywhere and kill your backups preparing to pull the switch to "ransomcrypt" everything at once, then that was your opportunity to detect it and kick them out, but the victim organizations obviously were not capable of that. This needs to be fixed, perhaps by methods similar as you describe.
As an alternative question, how much is this worth stopping?
As how much is being spent on these payments overall each year? How would that compare to the massive IT fortification project people are demanding?
We don't meaningfully fight bike theft for this reason. The cost of doing so relative to the benefits is just too high. We can debate whether that is reasonable, but that is essentially what has been decided as a society. Most low level crime is not meaningfully investigated.
We don't meaningfully fight bike theft for this reason.
And this erodes trust in society and rule of law, and gradually leads to vigilantism, privatization of security, and segregation due to middle-class flight from high-crime areas.
As I said, we can dislike it, but as a society we have basically decided that anything short of reasonably straightforward violent crime/extreme violent crime and high value property crime and easy to prosecute drug crime is not worth the effort.
I don't disagree, but I hear very little discussion about low solve rates for smaller crimes.
> As I said, we can dislike it, but as a society we have basically decided that anything short of reasonably straightforward violent crime/extreme violent crime and high value property crime and easy to prosecute drug crime is not worth the effort.
No, I would say that a few counties have decided this, but the majority of counties have not. In most places, you do get arrested for property crimes, you still serve prison time for this, police still do things like use bait cars and exert resources to catch those who steal, and the idea that property crime should not result in jail time is not widely accepted by the majority of the population.
I am talking about counties in the U.S. There are a handful of extremist district attorneys that follow the view that non-violent crime should not result in prosecution or prison. To my knowledge, there are no countries anywhere that have adopted this view, and only a few local district attorneys are advocating for it. There are differences in the severity of non-violent crime needed to get prison sentences, but that was always the case.
Historical precedent (e.g. white flight), personal experience with losses of thousands of dollars of my former startup's equipment to theft, and forward-looking projections from other HN threads about people who chose to leave the Bay Area.
How does a physical switch prevent you from writing backups of infested machines? Most organizations don't realize they are infected until they can't open any of their files.
Presumably one has rolling backups. Something line N backup drives, and every day you back up to the next one in line. Then there are rolling monthly backups, etc. The idea is hopefully you notice the problem before all are corrupted.
With the way I understand ransomware works, merely connecting a backup to the system will corrupt it. This is where a write-enable switch really comes into play, it cannot corrupt the backup when you're trying to restore from it. And if you have online archival databases, they can't be corrupted, either. After all, how much of your company data really needs to be writable? Certainly not last week's payroll records.
With append-only incremental backup systems, enforced by hardware, it'll take a lot longer to need to recycle the backups and risk them. Tape backup already does this inherently.
Another thing you can do with a backup drive, is attempt to read it from a clean system that has never been connected to the network. If you can read it, it isn't corrupted. Then, have a process where once a week see if the backup can be read. Then your worst case is a week lost.
First, adding manual steps to backups is a terrible idea. People already don't do them (which, since you missed it, you should know is actually the problem), and you're suggesting making them error-prone and manual.
Second, where is this idea coming from that corrupted backups are the issue? You're solving a problem that doesn't exist and creating a real one.
> Second, where is this idea coming from that corrupted backups are the issue?
When I read about how ransomware encrypted every drive attached to it, and encrypted the backup drives when they were attached. This was why the ransomware waited some length of time before shutting off access to the user - they wanted to get the backup drives encrypted, too.
Ah, you're talking about home user backups, then sure. I was confused because I thought we were talking about corporate backups and no corporation which does backups does them anything like how you're describing them.
The answer to your (somewhat leading) questions is just no.
War analogies are inapplicable, privateer analogies are inapplicable. Create the incentives, organizational and software structure required to stop this or it will continue. Holding single companies accountable shifts the burden without solving the problem.
Have standards, standards bodies, defensive organizations.
Ban them how? Ban the on-ramps in the US so that companies can't legally purchase cryptocurrency with which to pay the ransom? Is that fundamentally different than making it illegal to pay the ransom in any currency? It seems that in either case, what you've done is push a company into breaking the law if they want to pay the ransom, which would probably deter most of them from doing it.
Or do you mean banning both the US on-ramps and the foreign off-ramps? Are you optimistic that the US could get, for instance Russia, to enforce such a ban?
I'm not necessarily opposed to this "just ban cryptocurrency" talking point, but I'm never sure I understand what people mean by it in practice.
Laws can be made very broad and can generally lay out a ban and leave it up to those impacted to figure out how to comply with the law. A hypothetical law could criminalize possession of all cryptocurrency wallet keys for all US citizens and all corporations that operate in the United States, with a regulatory agency tasked with adding to the list of “cryptocurrencies” each time someone launches a new one. There’s no reason in principle that a law couldn’t treat cryptocurrency wallet keys the same way that the law currently treats child porn, i.e. destroy all of your keys by X date or go to jail if you are discovered to still be in possession of them after the date the law goes into effect.
This would immediately destroy the entire cryptocurrency industry, and mining power in most or all networks would collapse to the point that the networks would essentially be defunct. Transaction volume and coin price on surviving networks could collapse to the point that it would be infeasible to pay an $XX million ransom, and ransomware developers would be back to where they were circa 8 years ago, with no real mechanism to untraceably receive millions of dollars.
What constitutes "possession" of a key? How do we treat multi-signature arrangements?
What differentiates a cryptocurrency key from a non-cryptocurrency key? Would this criminalize the holding of any private key at all, even if intended for non-cryptocurrency applications?
What happens if I generate a key for non-cryptocurrency use and then someone later sends cryptocurrency to it? Am I going to jail? Do I need to rekey immediately? Is it my duty to monitor for this situation? If I'm evil, can I cause trouble by "spoiling" an enemy's known public keys in this way?
Here's an exhaustive list of all bitcoin keys; you're now in possession of all bitcoin in circulation: https://lbc.cryptoguru.org/dio/
> What constitutes "possession" of a key? How do we treat multi-signature arrangements?
These are solved legal problems. Cryptographic possession is a well understood legal concept that comes up all the time in contexts like custody of financial instruments or digital evidence.
> What differentiates a cryptocurrency key from a non-cryptocurrency key? Would this criminalize the holding of any private key at all, even if intended for non-cryptocurrency applications?
Intent, primarily, so no. The applicability of intent to the criminality of an action is also a well understood legal principle.
> What happens if I generate a key for non-cryptocurrency use and then someone later sends cryptocurrency to it? Am I going to jail? Do I need to rekey immediately? Is it my duty to monitor for this situation? If I'm evil, can I cause trouble by "spoiling" an enemy's known public keys in this way?
In this thought experiment with this hypothetical ban, this feels analogous to mailing cocaine to someone's house. Again, well-understood legal principles around intent cover this without issue. Based on relevant precedent for physical contraband, you'd presumably have no obligation to monitor for it, but you would have an obligation to report it if you discovered it and turn it over to authorities.
Blockchain ledger technology makes relinquishing contraband very straightforward. Once you discover that you are in possession of cryptocurrency, you can simply send it directly to a government-controlled blackhole address, and investigators will be able to trivially verify that this transaction is the only one you initiated while in possession of the cryptocurrency.
> Here's an exhaustive list of all bitcoin keys; you're now in possession of all bitcoin in circulation: https://lbc.cryptoguru.org/dio/
The legal system has been around the block on this one. The concept of criminalization of the possession of certain bit sequences when they correspond to some meaningful embedding is well understood. Child pornography is the classic example. Any arbitrary sequence of bits could in principle be child porn expressed in some highly unusual binary format, and yet somehow the legal system has successfully avoided criminalizing the possession of arbitrary random numbers. But if you happen to have a decoder for said highly unusual binary format, then you are going to jail.
Likewise if you happen to know that your "random numbers" are in fact cryptocurrency-controlling key pairs and you harbor an intent to traffic in cryptocurrencies, lo and behold, those "random numbers" suddenly transmute into a cognizable thing that can be criminalized.
> Once you discover that you are in possession of cryptocurrency, you can simply send it directly to a government-controlled blackhole address
Previously you said I had to destroy the key. When is key destruction necessary and when is transfer to government necessary?
What if the transaction to my address is timelocked to 5 years in the future? Does that create any custody responsibilities on my end between now and 5 years from now when it becomes spendable and I can surrender it to the government?
What if I'm sent $50,000 worth of "dust" outputs that are only spendable by paying a $49,500 miner fee? Do I really need to pay miners to incur $49,500 worth of carbon emissions in order to cleanse my secp256k1 private key of $500 worth of bitcoin-ness so that I may continue using it in peace?
> Child pornography is the classic example. Any arbitrary sequence of bits could in principle be child porn expressed in some highly unusual binary format, and yet somehow the legal system has successfully avoided criminalizing the possession of arbitrary random numbers
This is true only because the "child pornography-ness" of the data is a property of the data itself, even if it's in an obscure format. Any arbitrary cryptographic key can be imbued with "cryptocurrency-ness" by anyone else, which means that revealing your non-cryptocurrency public keys now exposes you to risk, as long as some cryptocurrency out there uses the same type of public key.
If we're dead-set on banning it, why ban "possession" instead of use? If it's illegal to send cryptocurrency, but still legal to "possess" it, a lot of these problems go away. Making it illegal to sign a bitcoin transaction is a lot simpler than creating a new class of illegal number, and seems like it would be just as effective at ending the behavior it's trying to end. Maybe even better at it, since it would not incentivize additional "surrendering coins to government" transactions.
Paying ransoms can be illegal if it is happening with a sanctioned entity.
We need to start holding companies criminally liable for having security vulnerabilities that get breached. It is true that there will always be exploits but the issues are usually much more wildly irresponsible security practices and not “didn’t know about the latest 0day”
There needs to be a statutory liability to customers and required insurance. Let the insurance company figure out the regulations instead of bureaucrats and politicians, insurance company rules are optional and noncompliance is just more expensive.
It is an increasing trend but the current uptick in awareness is mostly media coverage. This stuff has been going on forever, a few particularly newsworthy things happened now everyone is going out of their way to report each new instance. Trends in reporting instead of trends in exploits (to a degree)
Curious, how do you know that you are paying ransom to a sanctioned entity? Do they publish lists of bitcoin addresses of sanctioned entities that you can check? If not, how do you check the identity of the payee?
You can create a Bitcoin address simply with random data, and since you can transfer Bitcoin without an intermediary it’s trivial to bypass any list of suspect addresses.
Further, you don’t throw a party with a list of people not invited. It’s super ineffective to try to globally block an infinite list of bad.
Fungibility of a currency is actually important for it to be effective as a store of value. If my 1 USD is somehow worth more at the supermarket because it previously was owned by Elon Musk.
That said it’s not entirely impossible to track the source of origin of a Bitcoin transaction. It’s just computationally very expensive, since you can programmatically create wallets and transactions that can obfuscate the origin of transactions. So by the time the funds reach any exchange the money has changed hands too many times for them to reasonably be able to know if the origins of the digital coin came from illegal activity. Then, by the time they do know it was stolen, the funds are gone.
Here’s the punchline though, since most exchanges do in fact keep records and the blockchain is an immutable list it’s only a matter of time till the software/computing resources adapt.
> That said it’s not entirely impossible to track the source of origin of a Bitcoin transaction
We're asking how to tell if the destination of a bitcoin payment is on the restricted list, not the source origin. You are not going to be able to fine/sue someone for making a bitcoin payment to an anonymous address by claiming the address is on a sanctions list. This is my point. Thus any such laws banning the payment of ransom to restricted entities are unenforceable.
This is true even if, after the payment is made, it is discovered who the wallet belongs to, as the person making the payment under US jurisdiction didn't know who they were paying.
I continue to wonder why more companies aren't utilizing application whitelisting. Most, if not all, of the attacked companies run Windows, and Windows has been able to restrict a system to only running whitelisted applications for ages.
Sure, whitelisting is annoying to say the least, but these are critical systems, you don't need to install new software daily or even monthly.
The initial foothold exploits - where application whitelisting would help the most - generally are not "critical systems", they are the daily workstations of random employees. By the time the attackers reach your critical systems, they most likely can attack them with stolen credentials without running any exploits that whitelisting would prevent.
To protect your company, application whitelisting needs enough usability to be easily supportable for the workstations of your accountant, office receptionist, and the VP of Marketing (those three are all good examples of valuable entry points for targeted attacks), which all may get management approval to throw out application whitelisting if it inconveniences them enough - there's no reasonable tradeoff between security and usability, you must get both as usability is mandatory and usability deficiencies will result in security features getting removed in all but the most critical circumstances.
What makes app whitelisting hard to use on an employee's corporate issue laptop? They shouldn't install anything that doesn't have a business purpose, and these days there are hardly any native apps people want to install anyway.
In practice it's quite common to run (and sometimes install) software that isn't whitelisted officially, even if it's outside strict IT rules.
Otherwise have fun editing scripts with Notepad++ because IT never cared to allow VSCode, unzipping using Windows Explorer's feature because your request for 7zip was denied since the feature exists on paper, navigating the web without a content blocker, being restricted to Python 3.1 because the person responsible doesn't care about updates, not being able to run your own compiled scripts, being unable to run your keyboard macros, having to manage your passwords in a txt file, having only Excel to analyze data…
Nothing, in theory. There is a lot of clerical office work, or fixed flow work (like CNC machining) that doesn't need new programs. But there is also a fair amount of IT work that is hampered enough by whitelisting that IT is the one that does not want to do the whitelisting.
Some of this can be blamed on Windows IT admins finding it normal to download random binaries and run them for diagnostic information or configuration management, but that is not an easy problem to solve.
There's no real reason except for basic incompetence and lack of resources. I expect that over the next few years most small and medium enterprises will essentially be forced to outsource their IT infrastructure to a few huge cloud vendors with the scale to build and maintain secure systems.
How are you proposing to stop fileless malware with application whitelisting? How about popping shells on firewalls with memory corruption, then using the creds to pivot live-off-the-land style? Solarigate style supply chain attacks?
Whitelisting is the cool buzzword again, but it doesn't do much against human operated ransomware. It's a huge effort to implement (I know you want to say it isn't; try it and learn) and it's not very useful.
Writing a law that prevents this sort of pass-through is trivial. Hold all parties responsible. Don't even require first-hand knowledge that a ransom was paid.
Writing a law with proper disincentives is also trivial -- forget about fines. Proper jail time for senior execs and board members.
Execs and boards will be damn sure not to pay ransoms, and additionally damn sure that any company they hire to help knows in no uncertain terms that they are also not to pay any ransoms.
It really isn't that hard to write laws that disincentivize paying ransoms and aren't possible to route around with wink-and-nod bullshit.
Laws that disincentivize paying ransoms don’t seem to necessarily be that simple to implement and uphold, at least as long as cryptocurrencies are in the equation.
Someone may have paid into that wallet, but who? Was it the attackers themselves, to make it seem to observers as if they succeeded? Did some consultant happen to keep a stash of crypto? Maybe the boss of the hacked organization wisely maintained a wallet for that purpose, funded by embezzling?
One might not need to buy cryptocurrency all at once after the hack nor do it with visible corporate money, a CEO can own a crypto wallet not connected to them in any way, there are mixers/anonymizers, etc. The range of possibilities is much broader in that land.
I think a lot of the HN crowd think of laws like computer code - that it needs to be very exact. Most laws are fairly generalized with broad coverage, and the cases where they're not tend to be the exception, not the rule.
Libertarians have substantial, though I think not majority, representation on HN. Certain themes always seem to repeat that seem related to this. For instance, likening any form of prohibition to the failed prohibition of alcohol to suggest that all forms of prohibition are similarly doomed. This argument relies on the reader neglecting to consider the myriad of prohibitions that are going well, like CFC bans or the prohibition on building unsafe firetrap buildings. They point out one failure and ask us to extrapolate from only that datapoint, ignoring the rest.
As in this case, pointing out a hypothetical way a law could fail, to insinuate that all laws would fail.
Would it? For some businesses, the reality is going to be that paying is necessary to continue to exist. What happens when that option, as crappy as it is, is off the table?
You won't even be able to get private insurance if the industry has to insure against complete destruction of a given business. Are you expecting the US gov to backstop every business regardless of size against ransomware? Who is going to pay for that?
Additionally, how do you protect against the obvious opportunities for fraud and abuse (business deliberately attacks itself to collect the insurance payout, business hits their competitors to drive them out of business, etc)?
Fire and flood insurance protect against discrete or regional risks whereas ransomware will potentially disrupt operations globally, and actually most private insurers won't offer flood insurance to large swaths of the US because the risk has been deemed to be too high. The US gov insures against coastal flooding at GREAT expense to the taxpayer.
I wonder what the biggest company is that's totally dependent on a single location (or locations in the same flood zone) and at the same time is usefully insured against such destruction.
Various providers of "cyber insurance" are right now busy getting rid of ransomware coverage because it turns out offering that isn't working for them. And yes, they do require companies to have cyber security infrastructure and audits.
It suggests it is a difficult problem to stop. As I understand it, attackers now frequently perform an initial compromise and then manually escalate privileges before launching a ransomware attack for greater impact. Alternatively, the attacker will sell privileged access to a ransomware group. This isn't someone from HR opening a malicious attachment and getting the whole company owned via EternalBlue.
At least it suggests that the current standards and auditing practices are not sufficient, and apparently formulating testable requirements is difficult.
How about, companies who pay ransoms get a fine that's 10x the ransom. It slides up toward 1000x over two years. Kind of like deprecating an API slowly by decreasing its responsiveness.
Sounds like maybe not the best for people who work at the company and whose livelihoods depend on it (especially, of course, those whose purview has nothing to do with cybersecurity).
Aside from the desire to impart chaos via these attacks.
There is definite economic attack damage incentive still in place.
In fact - if ransoms are banned - then it would seem that such types of attacks become more of a state sponsored attack to affect the economy of your enemy/competition.
What if it were Apple attacking FB or something like that. Surely we will see this in the future, just as originally foretold in Neuromancer.
You can imagine it just being easier to code indiscriminate attacks where they only review the results to pick who it is worth collecting the ransom from.
Unencrypting for victims in the US that couldn't pay would just add more exposure risk to them of getting caught, so they would have no incentive to actually do it. It would take a large bit of money out of the system, but it seems like you need all countries to coordinate and that one country doing so on its own, enforcing a no pay out rule, won't have much effect on non-targeted attacks.
How many of these attacks are fully automated in the initial attack/encrypt phase vs. human operators explicitly working to more fully infiltrate a target?
> How many of these attacks are fully automated in the initial attack/encrypt phase vs. human operators explicitly working to more fully infiltrate a target?
Given the effectiveness of social engineering in hacking's history, that's a very good question. I wouldn't be surprised if randomized attacks are used to create a "sales funnel" of high value targets with poor IT ops/outdated equipment/etc that can be exploited for big payouts. All it takes is a few hundred or thousand dollars to bribe a low level employee so the vast majority of the cost is likely in finding targets. Once they've identified a target, the exploitation process is probably mechanical.
I feel like a checklist is just part of it. The truth is that a secure software development lifecycle needs to be taken seriously at every stage, and this costs a lot of money. During prototyping and requirements gathering you need to be setting security requirements, vetting planned dependencies, and prototyping things like authentication and authorization. Each design should include threat modeling and threat mitigations. Implementation time should include mandatory code review, static analysis and secure code checklists. Testing needs to include manual penetration testing and dynamic scanning. Finally, maintenance is another area where things fall apart. Who is going to handle patching? Who will be accountable in 4 years when that version of Tomcat is EOL? None of these things are trivial, and people that have the skills to execute on them are rare. Getting a company fully willing to spend the money and time on them is even rarer. I had an old boss who aptly said once "Security is a black hole where money goes to die".
> people that have the skills to execute on them are rare
This is the limiting factor in secure coding. We need more efficient ways of scaling out the few teams doing top tier work, as it only takes a single bad code review to open a security hole.
Teams should not need to implement their own authentication mechanism. Most companies should not need to implement their own mechanism. Authentication providers should explicitly and automatically verify that their clients have implemented auth correctly.
Those are best practices in hardening a system but those are just table stakes. Good security requires having observability of your systems and following up and/or checking on any anomalous activity you detect.
For the most part determined actors (many of them state sponsored) are going to be hard to prevent if they target you. Your best defense is early detection and reaction to the initial breaches. If you only do the hardening part and leave out the monitoring/observation part you are going to get owned.
This is meant sincerely, not glibly: How? How can cryptocurrencies be banned in any meaningful sense?
We can "ban" them in a legal sense ("Use of cryptocurrencies are illegal after 1 Jan 2022"), great. But how can they be practically banned so long as computers themselves are not invaded by governments to observe every detail of their operation and private overlay networks are still technically feasible?
> This is meant sincerely, not glibly: How? How can cryptocurrencies be banned in any meaningful sense?
The main avenue would be by getting rid of the sanctioned on/off ramps for crypto (that is, crypto exchanges), leaving only the illegal on/off ramps which I'm sure exist.
This obviously wouldn't stop everybody, but it would certainly be a deterrent for all but the most motivated and well-connected of buyers. At that point, exchanging a large amount of crypto would be similar to laundering a large sum of dirty money; possible, but not trivial and certainly not an "easy out" for a major corporation experiencing a ransomware attack.
Drugs are illegal for Americans to buy, sell, and produce.
Laws are how you prevent this.
Can you imagine the Massachusetts Steamship Authority paying in cocaine?
Why would paying in Bitcoin be any different?
Bitcoin is parroted largely by a bunch of libertarian speculative grifters that think they're above the authority of our government to manage the monetary supply. They want to soak up all the advantages of building and controlling an economy.
If you look through the covers, it's all speculation and hype. There's nothing "decentralized" or "democratic" about it. Bitcoiners are fine with letting social services and the underserved slip through the cracks as long as they get their reward that they feel they earned.
The US is a democracy, and theoretically it helps people of all backgrounds and socioeconomic statuses. It might not be evenly distributed, but at least we can toss out the bad players. Bitcoin is not a democracy. It rewards the Ponzi schemers at the top and leaves everyone else out to dry.
And now look at what it's gotten us -- unprecedented crime from across international borders that we can't stop. All brought to you by the remarkable "governmentless decentralization".
Just wait until the kidnappings start. Or the murders for hire.
Fucking good for nothing bitcoin. The world was better before it existed.
> Drugs are illegal for Americans to buy, sell, and produce.
Are you seriously using the war on drugs as an example of a successful policy? Drugs are easier to get and more numerous than ever, even though we have these magical laws in place for decades.
>Bitcoiners are fine with letting social services and the underserved slip through the cracks as long as they get their reward that they feel they earned.
>The main avenue would be by getting rid of the sanctioned on/off ramps for crypto (that is, crypto exchanges), leaving only the illegal on/off ramps which I'm sure exist.
From what I've read it seems it's only the stupidest of criminals who are using exchanges like Coinbase to cash out, because that's the easiest way to get caught.
What you want to attack is the on-ramps, not the off-ramps. Make it really hard to legally acquire cryptocurrency, to the point where a company would probably have to break a law or two just to get their payment together. That, plus criminalizing ransom payments, would go a very long way to stemming this tide.
Cryptocurrencies are basically securities. If it's difficult or impossible to exchange fiat currency for cryptocurrency and vice-versa, the value of cryptocurrency drops to basically nothing. What's the point of owning a security you can't sell to pay your taxes/mortgage/electric bill?
Even if cryptocurrency<->fiat transactions continue to be legal in other jurisdictions, making it illegal to trade USD for $crypto would make it very hard for a US company to pay cryptocurrency ransoms making such schemes much less lucrative.
> How can cryptocurrencies be banned in any meaningful sense?
By banning them? In the law? Enforcement would probably pay for itself, plus some. Throw in a whistleblower bonus, like the SEC has, if you want it to run on autopilot.
More aggressive: level repeated 51% attacks. This is well within the budget of any of the G7.
> This is meant sincerely, not glibly: How? How can cryptocurrencies be banned in any meaningful sense?
The only way to buy or sell cryptocurrency for the vast majority of people is through exchange companies that have the blessing of the US to continue operating. Even LocalBitcoins goes out of their way to follow KYC laws.
They can easily ban all exchanges which convert USD <-> BTC from operating within the US. If that is enforced, Bitcoin will effectively be dead in the country.
Not that I am supporting this, but technically and legally just blackhole all IPs detected to run a Bitcoin/Ethereum/etc node, just like governments do right now with malware command centers.
You don't need to. Absolutely, if you ban cryptocurrencies, only criminals will have cryptocurrencies. It will, however, add friction - and make it harder to acquire and launder the funds involved.
I think a complete ban on cryptocurrencies is unlikely to succeed, for much the same reasons that the US hasn't banned guns and that the war on drugs is such a shitshow. A punitive tax: 10% of every transaction, for example, would still make cryptocurrencies viable for some extreme schemes, but would make the practice much harder and help establish the "real identity" -> Bitcoin address audit trail. Al Capone was busted on tax evasion, after all.
They possibly could but a lot of executives would probably prefer that their soon to be ex-company took a hit than that they became personally liable for breaking a federal law.
“We purchased security consulting services who were able to decrypt our ransomware-infected files. We’re not sure of the exact method they used but it worked.”
Lawmakers have dealt with this problem for a long time. It’s well solved.
If they wanted to prevent this kind of behavior there are two straightforward approaches:
- make it also illegal for the consulting company to pay a ransom.
- attach Strict Liability to any ransom payment, even if made through an intermediary. The executives quoted above from the paying company could still face criminal liability for such a payment disguised with plausible deniability https://en.m.wikipedia.org/wiki/Strict_liability
Interesting -- I was just in Woods Hole earlier today, and in fact saw this article pop up on Hacker News while walking by the Steamship Authority. Always strange to see your small slice of the world crop up in places like this. On that note, the Steamship Authority is such a fascinating choice of target for such an attack. Probably very low friction, as I can't imagine they have any sort of sophistication behind their technology stack.
I wonder if this will mean an increase in cyber security related postings in industries that have otherwise not had to worry about cyber security before (i.e. the Steamship Authority, meat industry, etc.).
Cybersecurity is not a technology problem. It's a policy and enforcement problem. Ground and mid-level operating convenience will always destroy any attempt to create security unless strong standards of behavior are created and ruthlessly enforced. I've never seen it happen successfully outside of technology corporations staffed by nerds who actually care or the military. All it takes is one guy who knows a guy and then the admin password is on a notepad on the desk. All it takes is one guy who doesn't get a 4G signal in one room so he brings a router from home and plugs it into the network.
This is one of the important reasons for audits such as HIPAA, SOX, SAS70 etc...
To ensure that you don't have holes in your security posture... The technology you deploy is important, but also important that your security and governance model on top of the technology is also in place.
I saw a badly written headline yesterday that combined the meat industry hack with something about colonial pipeline, and it briefly brought to mind a mental image of a liquefied meat slurry/pink goo pipeline.
The US is going to end up tracking and assassinating these people, if we're not already. Messing with the old money usually doesn't turn out well for whoever's doing it.
Not just the US. A lot of countries care. Western Europe (not sure about the east) does as well and will do something even if they aren't as violent as the US. (In fact they are probably going to claim the moral high ground of not assassinating people only because they give evidence to the US and look the other way). South America, South Asia, and Africa will all have at least some helping out, though it isn't clear who will do what.
Most of the blame is going to Russia, though North Korea is a possible source of this, as are a few random countries scattered around. Most stand to lose more than they gain from allowing such crime. (their military might be interested in the ability, but those will be more careful about who they target)
Are there actual examples of the US "assassinating" bad actors in this way? That seems farfetched, as opposed to just going after them in the judicial system.
I don’t know exactly how public any instances would be, but presumably the large and well funded intelligence complex of the US would have the cyber forensic capabilities to potentially trace bad actors. Pairing this with the physical intelligence agencies, if the US truly wanted to find these individuals and take them out I’m sure they could. Recommended reading on the history of only one of these intelligence agencies (and the somewhat extrajudicial way in which they often operate) is Legacy of Ashes by Tim Weiner, which is a fantastic history of the CIA.
This isn't news anymore, it's weather. If your company does not have a full time cybersecurity team, they soon will, even if they say they don't need it.
In a lot of situations we've heard about, the cybersecurity team could consist of one person with a bullhorn walking around shouting "don't connect critical infrastructure to the Internet".
Whether they'd listen to them still is another matter but that's the same with a regular cybersecurity team.
And that is to say we have institutional standards where unsafe practices are considered OK and will be followed because they save X dollars and time now.
I don't agree - that won't work as critical infrastructure can't be not connected to internet; perhaps we have a different understanding of what "critical infrastructure" means? You can have disconnected industrial networks, but the ransomware cases aren't really about those.
For example, let's look at the recent major Colonial Pipeline case. Their pipeline systems weren't connected to the Internet, and did not get compromised. What got compromised was their business billing and customer communications systems - and those do need to be connected to internet, that's their whole point, and they apparently were critical enough to make them shut down the (uncompromised) pipeline anyway.
It doesn't matter if your meat packing plant machinery SCADA systems are isolated, your inventory, logistics and sales systems are critical for your operations and need to be connected to the internet, so a ransomware attack will kill you even if your plant equipment works fine.
It doesn't matter if your chemical plant sensor network is isolated, your payroll and shift scheduling system is critical to your operations and needs to be connected to the internet.
Heck, for so many companies their email systems are critical to their operations (and leaking the contents would cause a massive liability) and those obviously need to be connected to the internet.
Not connecting is helpful in some cases, but it's nowhere close to a sufficient solution.
Their pipeline systems weren't connected to the Internet, and did not get compromised. What got compromised was their business billing and customer communications systems - and those do need to be connected to internet, that's their whole point, and they apparently were critical enough to make them shut down the (uncompromised) pipeline anyway.
When the Colonial attack happened, there was a person posting who described Colonial's situation from the inside. Colonial shut down because their billing system was compromised and their pipeline could have been compromised.
The pipeline was connected two way in hardware but one-way in software. But software can be compromised. Why not one way in hardware? 'cause the company was. Once billing was compromised, they had to assume the pipeline was compromised.
Not connecting is helpful in some cases, but it's nowhere close to a sufficient solution.
Sure, my comment above involves some hyperbole. The main point is that companies allow a ragbag of profligate connections between various subsystems to be default OK because this saves them money now and costs other people money later. And then expect outsourced security to solve this.
I'm sure a lot of the companies hit by the solarwinds exploit had cybersecurity teams. It's just these teams can't say something like "don't allow some shitty third party to autoupdate their software into your system - if you view security as important, as maybe a government agency should."
And as a parallel to modern industry standard infosec best practices, a good offsite/off-line backup system, disaster recovery program, tested backups/recovery methodology. A lot of the companies I've seen badly affected by a cryptolocker malware would have been equally in a dire situation if their head office/datacenter had burned down.
Defined process to run things without systems, if at all possible. That would sound obvious to me. May take a lot of effort but with critical sectors such plans should be mandatory.
Seeing some of the mess that IT support is for enterprise customers I wonder whether they would really do better. On the other hand SLAs could be a real thing and kill the incompetent providers.
How exactly are the ransoms even paid out? I would assume cryptocurrencies, but before those existed how did they pay out?
I'm not sure what it would be called, but has there been any investigation in a sort of "transparent by default" database system? Ideally if this were possible people wouldn't need to care about data being stolen (though in this case it's unclear what the attack did, but many times it's more like we'll reveal/block your data unless you pay up)
I suspect it changes the profile of who gets hit. Individual-level targets would get extorted for maybe a couple hundred bucks - sums that are reasonable to transact in iTunes cards or whatever. Those numbers are low both because it's what that category of target is willing/able to cough up financially, and what they were able to transact irreversibly. Conversely, your meat-packing CEO isn't going down to the corner store for $11m in phone credits, so it was less worth it to go for targets with deep pockets, that might be better-protected, instead of casting a wide net for a lot of easy small hits. The ability to irreversibly and kinda-anonymously transact large amounts definitely incentivizes going for institutional targets.
Ransomware wasn't nearly as prevalent prior to cryptocurrency because moving that kind of money was much harder.
Another interesting shift is that complete administrative takeover is often less compelling: Software is more secure covering administrative functions, but users, which have access to all of your business data, are vulnerable as ever.
The ransomware typically replaces your computer screen with a unique crypto address.
The remote server knows to unlock your computer and cleanse it of the ransomware upon receipt of payment.
Many also leave a marker on your system/network preventing reinfection. Most ransomware is from the same vendor rented out which prevents reinfection, for now.
Well, I’ve been shouting this from the rooftops for a while now, and finally they got my lifeline.
Ransomware in cryptocurrency could be easy to stop naturally. Miners just need to know that there is a nonzero chance of their blocks being forked off if they help them. It’s a technical problem of out-of-band governance protocols among miners, not unlike what is already being done for positive gain (MEV) by FlashBots. That’s the incredible possibility of cryptocurrency. It’s designed to turn selfishness into a public good, with no coercion, recognition, or good will. And sure, they could include a massive reward to convince miners to include the block, but then that also goes for every coinbase and transaction afterward, until there is nothing left, and no incentive at all for ransomware.
The present reality, of course, is that miners are just not that sophisticated. For the most part they’re just aping the repos that are released by the foundations. But the foundations certainly should understand that it’s in their interest to protect their currency by at least giving the miners information about transactions in the mempool or utxos, and perhaps some kind of out-of-band signaling mechanism to indicate unwillingness to accept blocks that include them. Perhaps better yet, a price for inclusion demanded in the form of an MEV burn added to the next block, which would of course fetch its own price. There is some criticism of the foundations here, as there is also some criticism of some PoS implementations that do not allow fork selection, but ultimately I think that they can solve it.
So that takes care of economic hackers. I’m far more concerned with non-economic or peri-economic agents. There is a doctrine of “unrestricted warfare” that everybody should know about. It explains many things about how and why things do not make sense. It is because we are under attack, and it’s a truly brilliant offensive, for which all of our defenses only work in their favor. I don’t have the answers for this. But it does give a warning. The effect they seek is not the damage they’ve done, but our reaction to it. Our reaction, by regulation that cripples our competitiveness, by restricting our own freedoms, could be disastrous to our country and our way of life, which is exactly what they want. And these attacks, although they may be carried out by economic agents, almost certainly find their roots in exploits created by long-standing programs of infiltration. Nature too, has learned this trick; SARS kills by turning the immune system against the host.
Interesting how everybody focuses on the things that they know about: technical solutions, legal solutions aiming at the victims, payment options and so on.
When the real failure is somewhere else: bringing these perps to justice. The fact that they can get away with this over and over again hiding behind anonymity is what enables these crimes.
The internet is global and ransomware developers operate out of jurisdictions that will not prosecute them. Unless you’re proposing Mossad-style unsanctioned kidnappings and assassinations, any approach that requires apprehending or prosecuting the people responsible is not a real option.
Unfortunately this is significantly harder than you might think. The perps tend to be citizens of countries who happily turn a blind eye to their activities so long as they aren't infecting their domestic systems. What interest do Russia or post-Soviet states have in prosecuting cybergangs that destabilize Western business and infrastructure? I mean, maybe we can create such interests/motivations, but now we are talking about a major geopolitical issue.
If major infrastructure continues to be hit I think we will eventually see this happen, but we absolutely cannot count on foreign states to 'do the right thing.'
Shouldn't it at least be possible to identify them, by following the crypto addresses until someone cashes out?
I get that you might not be able to do anything about it if they are sheltered from prosecution where they cash out.
But I don't get why we can't at least, to some reasonable degree of accuracy, say Address A took the ransom and eventually it ended up with Address Z cashing out through Exchange B. Then if either Exchange B or Address Z has anything at all to do with the US-dominated international financial system, you've got serious leverage.
If I'm Coinbase, am I not worried about unwittingly laundering money for terrorists? Don't I have a staff trying to prevent that?
Most of Worcester county and Bristol county would probably disagree.
Just like when they hit the vehicle inspection system in March, the wealthy hemmed and hawed about how nobody should get away with thumbing their nose at state authority but the little guys were just happy it wasn't them getting the shaft for once.
Cyber privateers sounds like an interesting idea. Except instead of hunting criminals they hunt for victims. The government pays them bounties, then goes to the victims and says "We're fining you $X, and $Y per day until you fix this."
Has anyone looked at or tried to quantify the effects of paying ransoms for kidnap victims in the Middle East and North Africa? That's the most comparable thing I can think of...
Companies should be lobbying the federal government for protection. Otherwise the government is as complicit as they would be for "looking the other way" while the mafia extorts local businesses. And in this case, that mafia may even be an arm of foreign adversaries, making this ever more urgent and damaging.
I'm sure the government is already feeling pressure. However the criminals are good at hiding their tracks. There is reason to believe they are being protected by Russia (or other country that nobody wants to go to war with).
It's the classic antagonist to the Colonial pipeline hysteria, which stopped their pumps because they would not be able to account for the exact gallons delivered to which customer. So they rather stopped a critical infrastructure. Hilarious. Plus Windows.
Here again the Windows office PCs were affected, but the steamships themselves didn't care much. They kept going, you only had to pay for your ticket onboard, not online. Online reservations were not honored.
But entirely predictable. I might as well have bought shares in popcorn. It's almost a weekly occurrence now, and those are just the ones we hear about.
As someone who works specifically in this subgenre of computer security (IR) I can say a few things that might add to the conversation in a meaningful way.
1.) There is a cottage industry in this space that sells kits for these ransomware compromises. Everything provided is off the shelf, this is why you’re seeing such an emergence in this space. It’s not that the cost of the barrier to exit from a ransomware attack decreased (cryptocurrency). The barrier to entry lowered, any jerk can pay a small amount of funds to buy a software kit and instructions on how to do it.
Furthermore this is also why you’re seeing so many public defacements go politically neutral (ironic given the times). It’s simply relatively lucrative, with a low amount of risk, and only requires the technical aptitude of someone capable of using BitTorrent/Tor/Warez.
2.) Hiring / Managing security teams - unless you’re in technology or selling security as a part of a product you can’t afford a quality team/tools. Most businesses are trying to optimize their cost centers to maximize their profits. As such most of the time that means it’s a race to the bottom to get them to be “insurable”. Salary + Software is expensive. 500k minimum investment for a meat processing company or whatever is not the easiest pill to swallow.
3.) Companies that pay this are not good judges of security talent. They don’t know if the Herjavec Group really is an effective detection company. They judge almost entirely on feeling. Same with that one fast talking hoodie wearing self proclaimed hacker talking out of their ass.
Not understanding what you’re hiring for also creates friction, since any deviation from the fantasy security hire they imagined will be met with extreme resistance. “I thought they were going to shore up our servers, why do we have to log in on our email every 8 hours now”. Oftentimes when an executive leader does not understand why security trade offs are made they just make the decision themselves (pro tip: they’ll accept the risk) and you’ve failed regardless as an employer and employee.
4.) The industry does very little in a practical sense in preparing people for these job functions (with a few exceptions). Security engineers often have technical skills in spades. However, if they don’t understand anything outside of security they are going to fail. Civil communication/debate, the ability to navigate political issues, understanding the business etc. are actually super important. The biggest tragedy was that someone internally probably saw this coming but couldn’t actually get the messaging across.
When you combine all of these elements you have a confluence of shit. It’s once again getting less expensive to perform a wide attack with little know-how, intersecting an industry that has yet to course correct.
There are threats which emerge when a viability threshold is crossed and realised.
For cities, recurring plagues began occurring during Roman times and limited maximum city populations to about 1 million until the advent of modern sanitation, hygiene, public health, waste removal, and food quality. (Actual medical care and treatment had little to do with this, though vaccines and antibiotics helped.)
Industrial pollution lagged industrial development by about 50--100 years, with air and water quality and material contamination (heavy metals, asbestos, organic solvents, synthetic hormone disruptors and other bio-active contaminants, etc.).
Increases in travel, transport, and communications almost always directly facilitate fraud. The Greek/Roman gods Hermes/Mercury represented communication, messages, travel, transportation, commerce, trickery, and thieves. The term "Confidence Man" arose from Herman Melville's novel of the same name, set on the first great highway of the United States, the steamboat-plied Mississippi.
Mail begat mail fraud. Telegraph and telephones begat wire fraud. Cheap broadcast radio and television, payola and game-show frauds. Email begat spam and phishing.
The 1990s and 2000s computerised business practices employed computers with shitty security, but those systems were saved by the general lack of networking, the relatively small size of global computer networks, limited disk storage, limited network bandwidth, and the effectual air-gapping of paper-driven steps in processing. Billing might be submitted or computed electronically, but a paper check still had to be cut and signed. Draining accounts or data simply wasn't possible without running up against the inherent limitations of computer infrastructure at the time, even had a payment mechanism similar to today's cryptocurrencies been available.
If my assessment is correct, we'll be seeing much more of this.
Attackers have low costs. Victims have highly-interconnected, but poorly-defended systems, comprised of multiple components, each complex on its own, and lacking any effective overall security accountability. End-to-end automation exists, facilitating both productive work and effective attacks. A viable and tracking-resistant payment mechanism exists. Regions from which attacks can be made with impunity exist, and are well-connected to global data networks.
Backups alone are not an effective defence as these protect against data loss but not data disclosure. Full defence will require radically different thinking, protection, risk assessment, and law-enforcement capabilities.
Until then, get used to more of this, at both large and small scales.
There are some potential bright lights.
- I suspect attackers aren't targeting specific facilities but are instead conducting automated and scripted attacks against vulnerable facilities.
- For data-encryption ransom attacks, this means that the decryption key is all but certainly derivable from information on the attacked system, perhaps encoded as filenames or contents. Determining this mechanism may at least allow for data recovery. (It of course does nothing against data disclosure, long-term surveillance, or access denial attacks.) The likelihood that attackers have some database of victims + passwords seems low.
- Attackers are themselves subject to trust and suspicion attacks, and turning members or safe-harbours against attackers is probably a useful countermeasure.
- State-level sanctions, falling short of military attacks, may also prove effective.
/The likelihood that attackers have some database of victims + passwords seems low./
My impression is that most of these start with phishing, and probably even tailored phishing for larger organizations. A particular phishing campaign then just needs to include an encryption key, while the decryption key is kept elsewhere; this process is still quite easy to automate.
Hell, you could even just let loose lots of malware with different encryption keys, with the decrypting keys stored in a spreadsheet. When one succeeds, display a hash of the encryption key to the victim, and have them read it back to you when they call in to negotiate. And then just look up the paired decryption key when it's needed. No need to track anything, or bother with command+control.
At some point there's a functional mapping from key to indicia.
Releasing "lots of malware" either means a finite keyset, or a key-generation mechanism. At least as I see it.
(I'd really like to find a detailed analysis of the malware software. There was an earlier version of the Darkside attack which used a weak mechanism for key generation.)
They would normally use a key-generation mechanism, but knowing that is not helpful at all.
A typical key-generation mechanism would be for each malware copy to have a serial number and the keys to be generated by encrypting the serial number, e.g. with AES, using another secret key.
Even if you know precisely the serial number of a copy and how the per-copy keys are generated by the attacker, you do not know the attacker's secret key used for key generation, so this is a dead end.
With the US under a constant barrage of attacks it makes sense to trash the "space force" and create a legitimate "cyber security force."
This may be our last chance to maintain global power through the use of force at all, given that so many competitors are gaining foothold in every other area.
We need bullet proof IT infrastructure, instant backtracing, and effective retaliatory responses ready to deploy, yesterday!
Why the hell isn't the attacker's computer compromised when they access the data? (rhetorical)
This sort of crime is only possible because the criminals act from within regions where they're not going to be punished (beyond being asked for the house's vig).
The countries protecting these criminals are behaving like the Taliban when they controlled Afghanistan.
Poisoning dissidents, hijacking airplanes, crashing hospitals and pipelines, we'd better be careful because eventually someone's going to get hurt.
"Uhh... Houston, we still don't have control of the ship's navigation, will someone send those Russians the damn BTC so we can continue to fight this space war!"
Conservation of energy. I'd love to suggest that we just do everything all of the time, but that's unsustainable and fodder for another dissenting comment, so instead I suggest reallocation instead of creation.
Merging the Space Force back into the Air Force wouldn't conserve any energy. It's still the same people doing the same things with the same equipment.
We need both a space force and a "cyber security" force.
We have to protect our satellites, see what other nations are up to (perhaps even intercepting their sat comms), and make sure our hypersonic game is on point.
It's worth noting that "cyber warfare" is what the NSA already does.
When was the last time covert assassinations or military strikes actually solved a problem? Mostly they inflict further suffering. Mostly they affect people other than the perpetrators.
These are unlikely to be acts of war. War requires state-level actors, who are interested in geopolitical changes, not piddling little ransoms.
What you’re talking about is revenge, not justice. Each of those done well breeds more of itself. Successful revenge breeds more violence and hatred, leading to more revenge; look up the history of vendettas. Successful justice breeds more justice. Societies should choose the virtuous cycle, not the vicious one.
Are there CTOs or IT heads going into board meetings or other meetings, and telling people that these systems are secure? Because if so, they need to be tried for fraud.
It's not the IT workers saying that they're secure, it's us telling the business that we need X dollars to mitigate risk of Y. And then the accounting people are like "But it hasn't happened yet, why would we pay to prevent something that hasn't happened yet!???"
It feels like a chicken-egg problem. The actual consequences to the business aren't often serious, so it's difficult for them to get support to spend serious money on it.
Maybe mandatory high-cost, high-limit cyber insurance, with dramatically lower rates provided you can prove x/y/z, would make for an incentive?
Probably not. We can't even go after businesses when they do something that's clearly awful. Much less when the thing they most hurt is their bottom line.
I think more often it is the rest of executives demanding CTOs and IT heads prove to them in absolute terms that more security is needed when nothing bad has happened yet.
How are you going to sell customers tickets remotely without an internet presence? How are you going to field customer service complaints or general inquiries without email? How are your employees going to do work at multiple sites without VPNs? If you pitch "let's do everything by phone" you will be laughed out of the room.
I agree that things should be kept off the internet unless they absolutely need to be there, but realistically companies need to have internet connected services to be able to do business.
> How are you going to sell customers tickets remotely without an internet presence?
With this wacky invention known as a telephone. Merely three years ago I used a telephone to order tickets on the Alaska Marine Highway (a ferry service operated by Alaska) while driving through BC. No websites needed; it was utterly painless.
How are they going to sell tickets with their infrastructure offline to a ransomware attack?
I'm not sure a perfect solution, but the standard of living was pretty good before the internet. Doing away with reliance on infrastructure for critical things like food processing, energy, and transit does not seem like a high price to pay to avoid a Thanksgiving turkey conundrum.
All these services are going to go unhacked, until they're hacked. And it's a complete skewed problem. We get minor conveniences for having them online. We suffer massively when they go offline.
> How are they going to sell tickets with their infrastructure offline to a ransomware attack?
They get by temporarily by doing things manually until they get their services back up, and they get compensated by insurance, but a few days' partial loss of business pales in comparison to how much revenue they would lose by going offline. A vast swath of their current and potential users wouldn't even know they existed without them having an online presence. The only solution would be buying that knowledge from someone else such as a travel agent. Even with that knowledge, it would be orders of magnitude more inconvenient to book and receive tickets, there would be a lot more fraud, and everything would move much more slowly.
> We get minor conveniences for having them online. We suffer massively when they go offline.
We get MASSIVE convenience by them being online and we suffer transient, relatively painless outages when they go offline. The most serious outage we suffered was that pipeline going down, and it was down for under a week.
Crypto is realistically the only way to accept a payment for high-profile ransomware attack.
Imagine encrypting the whole Maersk network and then asking for the ransom in cash? Wherever you decide to do the exchange there will be a couple of Apaches/Eurocopters/Mis hovering around and watching you.
With crypto you just send them your XMR address, then wait a couple of years for the heat to come down before mixing/cashing out.
It is, and it has proven very effective. Robberies against banks and stores have been cut in half during the last ten years, as cash is getting harder to access.
Many stores open after 19:00 don't have much cash on hand so robbing them is not really attractive any more. There are almost no bank robberies, as even banks don't actually have cash.
The people who get mugged are normally forced to go to an ATM to withdraw cash.
I'm not suggesting we just randomly ban stuff to avoid the criminals from exploiting it, but it is working.
Banks have long had tricks like giving robbers cash with an "exploding" ink packet inside - the criminal then has to deal with bills that are marked. Also banks have security cameras (that normally are operational), and silent alarms that ring the police station. In the end odds are anyone robbing a bank is caught, and even if you are not banks keep plenty of small bills on hand, so you get a bag full of money, but not a lot of real value inside the bag.
Stores don't generally have as much protection, but even then they never have a large amount of money on hand. Robbing a store and getting $300 isn't really worth the risk.
That's not a function of banning cash however, it's on account of the rise of credit cards. No one sacrificed or was inconvenienced to get here, it was just natural progression with good side effects.
Of course, but it doesn't invalidate the point, banning cash would have similarly reduced muggings. Just like banning bitcoin will reduce ransomware activity.
Cash is useful and widely used, unlike bitcoin. There's very little secondary harm in banning bitcoin. Instead, there are several other benefits to doing it, such as reducing environmental harm and stopping several other kinds of fraud.
Nope, no point banning the thing the criminals use, because they don’t follow the law anyway.
Ban paying ransoms, the corporations are much more likely to follow the law.
I don't think this is going to work. Time is on the side of the attackers. All the attackers have to do is wait and repeatedly restate that they will fully restore operations if the victim pays a small fee and when losses grow large enough investors / shareholders will apply enough pressure to management to make it happen, whether it is legal or not. No one is going to eat massive losses for the greater good. There are plenty of policies against negotiating with kidnappers and terrorists, and yet people still do it for this exact reason.
Banning crypto exchanges is actually a much more effective solution to the problem because it at least forces someone to show up in person to collect the money.
They don't have to ban BTC, they will just squeeze any company that provides a fiat off-ramp for BTC. The government has done this for decades, just ask the legal MJ business or sex adjacent workers.
For large companies "paying in secret" is pretty difficult given public accounts. The typical CFO would rather get a new job elsewhere rather than risk prison because his CTO colleague did a poor job securing the IT. They just work there.
A ban on ransomware payment also has the nice side effect of banning ransomware insurance, which has been making the problem worse so far.
Of the three most common ransomware-combating suggestions I've been observing over the past few months, I'm strongly opposed to the first two (banning cryptocurrencies or banning ransom payments) and would instead strongly advocate for the third: reinstitute letters of marque for privateers.
Enable activity instead of futilely trying to ban activity. Instead of focusing on punishing the victims and unrelated third parties, focus on punishing and disrupting the perpetrators.
Or if not letters of marque, they could at least just issue a notice that certain activity will have a blind eye turned towards it, to mirror the policy of some of the governments that bear most of the responsibility for ransomware activity.
So your answer to the problem is to encourage more ransomware attacks? You don't think ransomware itself is bad, you just take issue with the idea that you may be the victim? Training more people to use it is probably going to backfire on you then.
No, I'm definitely not suggesting deploying ransomware or legalizing deployment of ransomware. Apologies if I wasn't clear enough in my post.
By "enable activity" I just mean "instead of taking a general approach of trying to ban things to solve a problem, take a general approach of trying to enable certain other kinds of things to solve a problem". Not "enable ransomware activity".
Even on HN it's the same knee-jerk reactions every time one of these stories hits.
This is one of the most pressing technology issues of this moment and the discourse just sucks.
* Does banning ransom payments do anything? Good idea/bad idea? Historical analogues?
* Do we need to pay rewards to cyber privateers to take down cyber criminals?
* Is this an issue that can only be solved at the geopolitical level because of the role states play in enabling this activity?
* Will the hardening brought about by this eventually outpace the crappy attacker software?
* Is this a phase or the new reality?
* How much of this is enabled by technology vs the geopolitical situation?