Obviously even if someone did have that link they should not post it here. Giving wider visibility to this makes the problem worse, though I'm all for releasing the names of those companies.
No, because the data affects the data subjects but the names of the companies just affect the companies and gives their customers a fighting chance at limiting the damage.
They're not just outing them, they're dumping their data. That changes the risk dynamic significantly. Before, if you didn't pay, you didn't get your data back. Now, you don't pay, they expose all your data to the world. For some companies, that will be a significantly more compelling reason to pay the ransom.
There are legal avenues you can use for that. the bigger danger (for most cases at least) is raised by your sibling, you can't trust the data anymore to be the same either innocently or maliciously.
Kidding aside, these are serious breaches and it would be good to at least have the names of the companies out there. By law they were required to report anyway and the local authorities in turn would publish / fine.
So downloading this data would be strictly off-limits but the names of the companies should be public so that people at least have a chance to know that they have been affected.
Does encryption really help? If they've compromised your system well enough to lock you out of it, aren't they likely to have nabbed your passwords in the process? Even if you were incredibly careful, there's not much you can do about a keylogger. If you could prevent a keylogger, you could lock them out entirely.
Maybe? AFAIK having more walls will result in less intrusions... Like, I imagine that you can delete/encrypt all the files simply by having a local username / network filesystem accesss. Doesn't necessarily mean you also managed to hack usernames/passwords/databases/source code... Each wall is another barrier to pass/hack!
You can have 25 walls if you want but all it takes is Sally in accounts who thinks it's a good idea to open this one email attachment...If went rogue I'd probably be able to hack my company left and right and I'm not even remotely someone with those skills.
Relying on every employee to not do something "stupid" (i.e. stupid to us but how would a non-programmer know without extensive training) is a fundamentally flawed approach... Companies need to think about this, need to adapt processes to account for failure at as many levels as possible. "bus factor" and so on.
If you're letting arbitrary attachments in and allowing arbitrary executables to run then Sally is the victim of gross incompetence.
Everyone has jobs to do and they can't do them effectively if you need them to think through information security for every interaction. You have to build the rails and create a safe work area. User education is truly the last layer because if everything fails maybe the user will remember something we said.
Rogue employees require a lot more traditional security and trust. Someone could always just physically destroy company property, and Sally could always approve fraudulent transactions, so you have to start there and it'll get you pretty far.
It does but it isn't a panacea, if you leave the keys accessible or the wrong subsystems vulnerable it won't save you but a properly isolated encrypted repository greatly mitigates the damage possibilities to 'rendered inaccessible' or 'exposed but it will take decades before they can even think about decrypting it with a multi-billion dollar budget'.
How come keystrokes aren't encrypted yet? I don't really have the foggiest idea how my computer interprets the data that comes from me turning on and off a bunch of switches in rapid succession but it's odd to me that we all kind of accept that we're screwed if a bad actor starts logging our keystrokes.
Wouldn't that be impossible? One time pad and E2E wouldn't work because the pad and both ends would be on the same compromised machine. In the end you need info to get from the user to the infected machine and at some it will be unencrypted.
It's the equivalent of having a camera above the keyboard. Really not much you can do there.
I guess encrypt isn’t really the right word but I was imagining something similar to how you can program autocorrect and autocomplete on the iPhone. So when I log go to gmail.com and go to the password box I’d type “gmailP@ssword” (and presumably any keyloggers on my machine would capture gmailP@ssword) and then the computer would correct it to the real password.
But like I said, I know nothing about the computer magic behind my keystrokes.
Shouldn't any breach like that automatically be treated as data breach? I mean, maybe the crooks wouldn't publish the data, but they certainly had access to it and could resell it to whoever is willing to pay anyway, even if you paid the ransom. There's no way to ensure that doesn't happen.
Is this not a confession, anyone connected to the domain and the hosting asn and the ISP is going to have good opsec or not ever travel outside certain countries.
>anyone connected to the domain and the hosting asn and the ISP is going to have good opsec
Why would the hosting company/ISP be at risk? Just run it from a non-US extradition friendly country, and say that you won't take any action unless there's a court order from your local court.
Some of us mentioned that this would happen once GDPR came out. Not disclosing breaches is now a punishable offense, and this becomes a weapon in the hands of malicious hackers.
Agreed, but a lawyer who thought it is a rational policy may be right. And if the IT admin is arguing against the counsel he is unlikely to win that argument.
As admin you must then document the communications and escalate until you're heard. If even CEO won't listen you're either wrong or need to report to authority outside org through established means.
> Not disclosing breaches is now a punishable offense, and this becomes a weapon in the hands of malicious hackers.
Maybe that wasn't meant as such, but it comes across, at least to me, as an argument that making non-disclosure punishable was a bad idea. If that was the argument, then I'd point out that the same thing can be said of criminalising any offence at all.
Any entity that settles without making the required disclosure of the breach (see my other post) puts itself at risk of being blackmailed over that non-disclosure.
Definite and limited. Once you take the cover-up route, the potential cost escalates unpredictably, and there is nothing definite about the ultimate cost.
(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
So it seems that a ransomware attack is considered a breach - as it should be - and neither exfiltration nor disclosure is necessary for that to be the case.
Any sort of access is a weapon in the hands of a malicious hacker. Penalties for allowing it to happen are weapons in the hands of those trying to do something about it.
security is notoriously asymmetric and a continuous arms race, so it's rarely a case of "allowing it to happen". There is a case to be made for making it unprofitable for hackers to run such operations. The law here does the opposite by making it more lucrative.
i think the best thing to do is to minimize sensitive data completely, no logs no nothing. But then you move the burden of security to the end user (e.g. they 'll have to re-enter their credit card every time), which is probably higher risk.
If everyone adopted your solution, the issue that you originally posted about would no longer be an issue, so the best way to get everyone to your solution would be increase the penalties until nothing else is viable!
The reality is that you are creating a false dichotomy / straw man here. While reducing the amount of personal information that is gathered and stored should be the first response, that which remains can be handled appropriately with encryption and defense-in-depth.
For many businesses that's not really possible. For your standard e-commerce website the majority of the data you have is what people are ordering. How do you end-to-end encrypt that? What about internal documents and memos? User names and email addresses (not as valuable as passwords but still useful if you join it against other data sets)?
Yes, it's very hard. They would have to completely re-architecture their systems.
For e-commerce, the client can sign his or her address with the shipper's public key, so that only the shipper and the recipient are guaranteed to know the address. To the user, this could happen transparently without any change in UX, where the e-commerce website acts like a keyserver.
For email addresses, phone numbers, names, etc. it is more difficult. You can't just store a hash of the email address if you want to ever be able to email your customers.
Internal documents can be more trivially end-to-end encrypted. Imagine the whole company shares a WhatsApp group chat. Nobody has to ever hold a plaintext copy of an internal document. Only permit access on company devices which hold the keys in hardware.
Yes, but public leaks of customer data are a GDPR violation that you get fined for. If the data is end-to-end encrypted, this mitigates the risk substantially.
I would bet most of this users clicking things they should not. recently my company put out a phishing email and people clicked on it and then started a thread on the internal forums about how mad they were the company would do this (they had to take extra training if the fell for it). Another co worker was telling me about his old position where he put the thumb drives in parking lots and people would pick them up and plug them into their work computer, and the would get mad that their security team did this exercise and caught them.
Yes a lot can still be done with security on machines and traffic, etc.... But the human factor is hard to control and fix. If someone sent out a phishing email with a link that said "click here to see magical unicorns jumping over a rainbow", someone would click it, i know poeple i work with who would click it. It gets, frustrating at least for me, since i have a lot to do with security where i am at.
What's frustrating is that we're still dealing with systems where these kinds of simple and obvious actions are not safe.
What reasonable person thinks that clicking on a link is a potentially dangerous act? That's how everything is done these days, and we're not supposed to trust that it is a safe operation?
We're not supposed to plug in a USB drive to see what's on it? That's pretty much all they're for!
Encryption will do nothing to stop this. If a user clicks a link and gets the malware, the malware will be doing it's damage inside of the encryption envelope or encrypting already encrypted data which has the same effect.
If you had good backups, you didn't had to pay until now.
But to make the data public, they have to download all the data first. This might be detected.
I know from several companys who did set up the complete network again.
The most prominent company I know at moment is Pilz (pilz.com). There website was almost down for a month. Now after 2 months it possible to download datasheets and manuals again.
To be fair, if you are taken over by ransomware, it's probably the best decision to start from scratch and redesign your network so that this sort of thing is mitigated in the future.
Because if it's an insider threat then you should have protections in place to identify bad actors so that they know they will be caught if they even try. If you don't then what are you even doing?
What needs to become the norm for the US Govt response to these gangsters is for them to get in the habit of doing what they did in the Evil Corp case: Once the offenders are positively identified, get the Treasury to issue financial sanctions on them that prevent the crooks from transacting with people and businesses outside their home country.
This is perhaps the most effective tool in law enforcement’s hands to combat cybercrime — short of apprehending the bad guys. None of these dudes want to be stuck in Russia, and they sure as hell don’t want all their money kept their either. Rather, they tend to launder it by investing in properties and other businesses outside their own country. Making it a crime for others to accept their money is an extremely effective way of frustrating these criminals.
On the other hand, many nations are making a concerted effort to undermine America's position as the global financial hegemon (e.g. Europe's INSTEX). What would America's recourse be were she to lose her control over global financial markets?
There is a ton of dirty money seeking a laundering opportunity floating around, plenty of start-ups are at risk of ending up with an investor that may have an entirely different idea about what constitutes a good investment than your regular Angel/VC/PE entity. Always beware when the money comes looking for you.
> KrebsOnSecurity was able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.
I'd bet 90% of companies never publicly acknowledge they paid.
Another checkmark in the category of not making paying ransoms illegal. This whole new data-dump threat vector just doubles down the threat to keep it quiet and pay it out.
Law enforcement will rarely catch enough of these companies who do pay to make it meaningful. Most of these are small time private businesses who are more than capable of keeping it quiet, without information release obligations to investors.
We need public education campaigns for backing up company data offsite and encouraging more companies investing in security firms to up the bar for these attacks. It's the only way they'll slow down.
I thought the big advantage of ransomware (for "the gangs") was that it didnt actually require them to be able to extract the data. To impact a company you only needed to be able to get your malware on their device; extracting the data was not necessarily for you to acquire a ransom.
If my company is beset by ransomware, and they claim they will release it I can either assume:
1. They have extracted the data and therefor have to assume they arent just going to delete it because I sent them a check.
2. They are bluffing and have only encrypted my data.
Just imagine how much Facebook would pay up if a hacker had exfiltrated the database of all private Facebook messages, and was threatening to release them.
Facebook is so big and so much money is involved there that I think a hacker wouldn't be able to get much out of Facebook. When you steal billions from people then rules sometimes get bent when dealing with you.
this could be a two fold disaster. correct me if I'm wrong, but isn't NOT reporting a breach a pretty heavy fine in some countries today? Worst, if they are dumping the data, people in the EU could be hit by GDPR fines as well if the exposed data shows they weren't keeping up with guidelines.
Absolutely, and this is problematic because now we end up with a set of incentives that works against the public interest. This will make it more likely for the companies affected to pay up. The one bit of light here is that it will show up in their accounting and auditors tend to have reporting obligations if they come across evidence of a crime.
If you've been infiltrated and your systems have been compromised, it has always been the case that your data may also have leaked. A responsible organization in this situation would take that possibility seriously, including the potential disclosures and legal ramifications that may come along with it.
Attempting to sweep such an incident under the rug should never have been a serious option, but of course organizations in this situation are usually looking to do as little as possible. So here we are. This is just taking that latent possibility and making it real and explicit.
If I understand correctly you are already required to report the data loss according to GDPR and you'll be fined accordingly, whether the data is then leaked or not.
Isn't the clear course of action then to report, pay the fine and tell the criminals to get lost?
100 comments
[ 3.3 ms ] story [ 158 ms ] threadAren't these mutually exclusive positions?
Kidding aside, these are serious breaches and it would be good to at least have the names of the companies out there. By law they were required to report anyway and the local authorities in turn would publish / fine.
So downloading this data would be strictly off-limits but the names of the companies should be public so that people at least have a chance to know that they have been affected.
First, the message was "backup your data". Now, they also added "encrypt your data"!
Everyone has jobs to do and they can't do them effectively if you need them to think through information security for every interaction. You have to build the rails and create a safe work area. User education is truly the last layer because if everything fails maybe the user will remember something we said.
Rogue employees require a lot more traditional security and trust. Someone could always just physically destroy company property, and Sally could always approve fraudulent transactions, so you have to start there and it'll get you pretty far.
How come keystrokes aren't encrypted yet? I don't really have the foggiest idea how my computer interprets the data that comes from me turning on and off a bunch of switches in rapid succession but it's odd to me that we all kind of accept that we're screwed if a bad actor starts logging our keystrokes.
It's the equivalent of having a camera above the keyboard. Really not much you can do there.
But like I said, I know nothing about the computer magic behind my keystrokes.
Compartmentalization is a guiding principle for things like spy networks. It's also how you make critical equipment able to survive failures.
Why would the hosting company/ISP be at risk? Just run it from a non-US extradition friendly country, and say that you won't take any action unless there's a court order from your local court.
Maybe that wasn't meant as such, but it comes across, at least to me, as an argument that making non-disclosure punishable was a bad idea. If that was the argument, then I'd point out that the same thing can be said of criminalising any offence at all.
and this law does give an incentive to cover up, as long as the ransom is < fines .
(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
So it seems that a ransomware attack is considered a breach - as it should be - and neither exfiltration nor disclosure is necessary for that to be the case.
Any sort of access is a weapon in the hands of a malicious hacker. Penalties for allowing it to happen are weapons in the hands of those trying to do something about it.
i think the best thing to do is to minimize sensitive data completely, no logs no nothing. But then you move the burden of security to the end user (e.g. they 'll have to re-enter their credit card every time), which is probably higher risk.
The reality is that you are creating a false dichotomy / straw man here. While reducing the amount of personal information that is gathered and stored should be the first response, that which remains can be handled appropriately with encryption and defense-in-depth.
Either lose the pennies you would've made from data mining or lose real millions from getting ransomed. Your choice.
It works only for storage service basically (or messaging, where the two have the keys).
For e-commerce, the client can sign his or her address with the shipper's public key, so that only the shipper and the recipient are guaranteed to know the address. To the user, this could happen transparently without any change in UX, where the e-commerce website acts like a keyserver.
For email addresses, phone numbers, names, etc. it is more difficult. You can't just store a hash of the email address if you want to ever be able to email your customers.
Internal documents can be more trivially end-to-end encrypted. Imagine the whole company shares a WhatsApp group chat. Nobody has to ever hold a plaintext copy of an internal document. Only permit access on company devices which hold the keys in hardware.
Yes a lot can still be done with security on machines and traffic, etc.... But the human factor is hard to control and fix. If someone sent out a phishing email with a link that said "click here to see magical unicorns jumping over a rainbow", someone would click it, i know poeple i work with who would click it. It gets, frustrating at least for me, since i have a lot to do with security where i am at.
What reasonable person thinks that clicking on a link is a potentially dangerous act? That's how everything is done these days, and we're not supposed to trust that it is a safe operation?
We're not supposed to plug in a USB drive to see what's on it? That's pretty much all they're for!
0-day bugs and lacking updates make promiscuous internet use hazardous, yet people expect browser to do everything a PC can.
But to make the data public, they have to download all the data first. This might be detected.
I know from several companys who did set up the complete network again.
The most prominent company I know at moment is Pilz (pilz.com). There website was almost down for a month. Now after 2 months it possible to download datasheets and manuals again.
People demanding death sentences and that Iran/China/Russia/North Korea be nuked, over private business data leaks?
It's like the problem of attribution never has existed, nowadays the "smoking cyber guns" are apparently everywhere.
https://krebsonsecurity.com/2019/12/ransomware-gangs-now-out...
What needs to become the norm for the US Govt response to these gangsters is for them to get in the habit of doing what they did in the Evil Corp case: Once the offenders are positively identified, get the Treasury to issue financial sanctions on them that prevent the crooks from transacting with people and businesses outside their home country.
https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-...
This is perhaps the most effective tool in law enforcement’s hands to combat cybercrime — short of apprehending the bad guys. None of these dudes want to be stuck in Russia, and they sure as hell don’t want all their money kept their either. Rather, they tend to launder it by investing in properties and other businesses outside their own country. Making it a crime for others to accept their money is an extremely effective way of frustrating these criminals.
You can, like, exchange one currency for another. How do you think people buy oil with every currency other than the dollar?
Another checkmark in the category of not making paying ransoms illegal. This whole new data-dump threat vector just doubles down the threat to keep it quiet and pay it out.
Law enforcement will rarely catch enough of these companies who do pay to make it meaningful. Most of these are small time private businesses who are more than capable of keeping it quiet, without information release obligations to investors.
We need public education campaigns for backing up company data offsite and encouraging more companies investing in security firms to up the bar for these attacks. It's the only way they'll slow down.
If my company is beset by ransomware, and they claim they will release it I can either assume:
1. They have extracted the data and therefor have to assume they arent just going to delete it because I sent them a check.
2. They are bluffing and have only encrypted my data.
I dont think I can count on #2.
I'd rather just call them "criminals".
The "cyber" prefix is generally unnecessary, and sometimes even misleading.
Spiderterrorism
Spider-espionage
Spiderspace
Spidercrime
Yep, terrifying.
Maybe it's time for an update? :)
Attempting to sweep such an incident under the rug should never have been a serious option, but of course organizations in this situation are usually looking to do as little as possible. So here we are. This is just taking that latent possibility and making it real and explicit.
https://customernotice.lifelabs.com/
Isn't the clear course of action then to report, pay the fine and tell the criminals to get lost?