523 comments

[ 5.2 ms ] story [ 198 ms ] thread
“That if once you have paid him the Dane-geld, You never get rid of the Dane.”

It’s going to be a tough few years being in security in the industrial control field for the next few years.

https://www.poetryloverspage.com/poets/kipling/dane_geld.htm...

I was thinking that now is a good time to go INTO computer security, you now have a solid example to use justifying your actions.

In the past we worried about exfiltration of data, now we'll be worried about infiltration of control.

Good point. If only they paid software engineers who work on critical infrastructure the same as they paid software engineers who work on ads.
Every corporation in the US should be lobbying to abolish Bitcoin. It’s an existential threat that could be eliminated if they pooled their financial and political resources.
Maybe we should abolish the USD so US patent trolls can't be paid?
Isn't it better that these networks are getting hardened in exchange for a small cryptocurrency payment, instead of waiting for all the exploits to be used by an adversary in World War Three?
idk, considering humans are the weakest link and socially engineering them is easy, I don't think they're going to end up much safer. A determined nation state will always be able to get in, at least with how computers currently work.
How are they getting hardened?? Magically??
Bitcoin has nothing to do with this news? It seems like you have an unrelated axe to grind.
Not sure if I agree with the sentiment or not, but I think he has a point that crypto currencies can make paying ransoms to international ransomware gangs much easier. Using the traditional banking system would have been extremely difficult and have a low chance of success for that gang.

I could definitely see this reasoning being used as justification for anti crypto currency laws in the future.

They paid the ransom in Bitcoin.
It'd have to be an international effort as there are big mining operations are in Russia, Switzerland, China, Iceland as well as the US.

Being legal means that you can run big mining operations, so you could clamp down on those and slow mining. That would not stop it, though.

Being legal means that it can be used to trade goods and services, and you could clamp down on that and harm its value as a currency.

And being legal means that legal businesses can exchange it for other currencies, so clamping down on that harms its liquidity.

Even if you can make it broadly illegal across the globe, it's hard to see how effective that would be. Illegality has made anything else on the black market go away, after all, and the whole point of a crypto-currency is to thrive despite government suppression.

We should start calling Bitcon etal cyber crime futures, since that's what it is. The only people that have to use it are crime victims and the people who are making money on it are criminals and speculators.
I had a feeling this was the case and even had a discussion with some colleagues about whether they paid up or not. Like the article says, they couldn't afford not to.
>The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack

in Monero? Wonder how they converted USD.

I'm wondering too. Now in TFA I read:

"The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack..."

I don't know why you got "untraceable" and I get "difficult to trace" when reading the article.

Bitcoin ain't exactly difficult to trace. I wonder if Colonial took the "discount" of 30% and paid in Monero or if they paid in Bitcoin.

Oh well it looks at least one company is going to give a bit more sh-t about its IT security ; )

And another thing: often these news are followed, a few weeks/months later by "How the hackers who got a $5m ransom from Colonial got caught".

Waiting for that one...

So they paid a penetration-testing firm a consultancy fee to help harden their network.
Well, all we really know for sure is that they paid a penetration-testing firm a consultancy fee to identify where the network needs to be hardened. No guarantee they'll actually prioritize doing it.
Not even that.

Well, all we really know for sure is that they paid a penetration-testing firm a consultancy fee to identify THAT the network needs to be hardened.

Could you elaborate on where you see the hardening taking place? Colonial had a threat actor in their network and by paying the ransom, they supposedly left without doing any more damage. I don’t think they patched a lot of systems or hardened their servers.
They "helped harden", as in they verified that the network needs hardening.

/s

Too many companies prefer to skimp on security since it has no apparent payoff until it's too late.

What I want to know are the circumstances of the hack; how did it work, what systems did it affect, what security were they lacking. Sadly these details are often ignored or hidden from view. Attacks of this kind should get a public report so that other companies can learn or at least be shamed into changing.

It seems like it's more important to cover up your inadequacy and not help the next victim.

We need something like a fire diamond for software and data:

some tuple like ((fails to)conform to spec/testing(and production) only (ie contains PII or is garbage data)/(permissive,restrictive,free) license/(un)safe library calls or language) or so.

Some stuff is pretty subjective but so are the fire diamond numbers sometimes, plus we can pick objective boundaries (calls to gets cannot be safe for example.) I think it could probably work.

(comment deleted)
Part of the problem is it's very hard to value security because, frankly, so much security is theatrics and snake oil.

For instance, look at the consumer market, which is where an executive without security knowledge is coming from. All the big VPN vendors make security promises that are, frankly, false advertising. AV products are notorious for including warnings for viruses that pad their counts. That's not counting all the security applications that are malware.

And if they talk to someone familiar with the industry side, they should hear some skepticism. All the static analyzers are full of flags for things that are there to drive up their numbers. There have been a few HN stories on junk CVEs that are filed so people can put them on their resume. I had to set up a WAF at work that proudly said it mitigated the OWASP top-ten (why the top ten? is #11 not important?) which include recommendations like logging that a WAF is plainly not doing. And then I tested its defense against SQL injection and it was trivial to bypass.

And if a business that isn't a tech company hires contractors to fix security issues, most of the time, those guys will do a lot of check the box BS. It's fundamentally difficult, from a business operations perspective, for a company to do security because: 1. the horizon problem that you bring up 2. it's a cost-center 3. it's not their core expertise 4. if you even ask what secure looks like, you either get filibustered with long lists of best practices, or a lot of hand waving but strident proclamations.

The fact that are so many ads and info sessions about IT-sec are from people who seem to have never written a line of code in their entire life is worrying.
Paying ransom should be illegal.

Ransom funds illegal activities. Not indirectly, like buying coffee or poppyseed or whatever, but literally money that is directly reinvested in criminal activity- like ransomware.

I feel the same way. It seems like the government wouldn't do it, but was practically encouraging the company to pay.
Ransoms would still be paid. We just wouldn't know about it. I think it's better to allow companies to be transparent.
The next group will want more than $5 million, and so on. If the lottery didnt allow advertising of big wins that were made, a lot less people would buy lottery tickets.
No, there's a hard upper limit on ransoms; the cost of recovery.
What about when the cost of having the data exposed to the public is higher than that of recovery
That requires you to have that kind of data. The company could have be operating legally and not have compromising stuff. The ransomware team gains nothing if a company refuses to pay and has everything to lose by hacking. If there price is to high they are taking on a lot of risk for no reason. Hacks are smart people (I find breaking the law to be a bad decision but if one does it knowing the consequences and mitigations then they aren't dumb just unethical)
Yeah, I was pushing that all under "recovery." Say it all sums to $C.

Arguably the bigger problem is you don't know that the ransomer will actually give you a valid key, but suppose you guess a likelihood P that they do.

Now you have some scenarios:

1. Don't pay. We're out $C.

2. Do pay, and get a valid key. We're out $R.

3. Do pay, and get no key. We're out $R + $C.

So the limit is at scenario 1 being equal to the combination of 2 and 3.

Set C = PR + (1-P)(R + C), and your max ransom R = CP

(You could probably work in additional costs for cleaning up even if the ransom is paid.)

I mean them publishing your data not you getting it back
Ransomware actors could easily punish such legislation. By continuing ransomware attacks they would place many companies in an impossible situation, either break the law by paying or face imminent collapse.

How many jobs are you willing to lose in order to stop ransomware attacks?

One ransomware attack probably costs the ransomware operation a few thousand dollars, any legislation would have to be extremely successful to result in a negative ROI.

It's as direct any other revenue => business activity connection. More direct than how buying coffee causes fields to be planted with coffee trees.

Of this $5M, expect $4M to be spent on salaries in the next year or 2, funding 20 person-years of malicious hacking. 20 skilled people paid to hurt the internet instead of building it up. A terrible crime.

Now we have one less critical piece of infrastructure that could be trivially knocked out by a hostile state.
How do you know that? What evidence is there that it's any more secure than it used to be?
These pirates have committed to not hitting the same target again?
But they could have made holes in the system or not disclosed all system holes which other hackers might take advantage of in the future
Ah yes, the code of the pirates. The epitome of ethics and morality.
I dont think it's a code. It's more of a guideline.
I’m sure at some point they must have just asked if they’d give them the password for free on account of all the collateral damage.. but it looks like they were disinclined to acquiesce to the request.
Can you name some examples of orgs getting hit twice?
As someone who had their home broken into twice in the same week, probably by the same people, I prefer to subscribe to the theory that there's no honor among thieves.
The 5M ransom plus all the other damage such as reputation loss, increased government scrutiny and potential damages to pay to partners (I'm sure they provide some sort of SLA for their oil delivery services?) is a good enough deterrent from allowing this to happen again.
5M is nothing to that pipeline management firm. I think nothing will change because the "fine" is tiny and later, when a VP of opsec gets to decide between a massively expensive hardening of security which includes big recurring costs to keep an opsec team on payroll and just pocketing a multimillion dollar bonus for optimizing the opsec budget, he will choose the latter. There's no risk of getting jail time and any reputation damage won't be to his personal reputation, but to that firm he will have left long ago.
> keep an opsec team on payroll and just pocketing a multimillion dollar bonus for optimizing the opsec budget

This is not how companies actually work. This is a fun “incompetent executive” fantasy that floats around but in real businesses you don’t pocket a huge bonus solely by cutting costs.

You’re gonna have a lot of explaining to do on why that money was being spent in the first place and why it’s not needed now.

They are installing more software from the hacker voluntarily after paying the ransom. At this rate it looks more like they just hired a competent and highly unethical vendor..
That’s one hell of a way to provide “red-team” security testing services
They didn’t need security experts for that- all they had to do was not connect it to the Internet ...
(comment deleted)
I understand the sentiment, but you'd end up re-victimizing the victim. Someone who felt like they had no choice but to pay could later be prosecuted, while the the actual criminal walks free in anonymity.
That is an acceptable outcome. Let the victims suffer. That protects the rest of us, and serves as an object lesson in proper cyber security.
So let people who aren’t experts at physical security suffer break-ins, and physically weak people get beaten up?

We have law enforcement so everyone can be free to focus on their own value-add in life without having to learn 1000 skills to cover their own ass. I love security but 99% of people don’t, and shouldn’t

> So let people who aren’t experts at physical security suffer break-ins, and physically weak people get beaten up?

First, in many jurisdictions, paying protection money for physical security is illegal.

Second, Colonial Pipeline has an operating revenue of $1.32 billion. I suppose in the USA it's technically a person, but... it's not actually a person.

> We have law enforcement so everyone can be free to focus on their own value-add in life without having to learn 1000 skills to cover their own ass. I love security but 99% of people don’t, and shouldn’t

I submit that oil pipeline operators, hospitals, and large corps are part of that 1%.

You have a point. They should do minimum due diligence to harden their networks.

However... how much do you want to bet that the CEO of a pipeline company has the knowledge to make this happen? One has to be an intelligent customer to make something like this happen.

Well then, perhaps there should be minimum requirements to become CEO of a large corporation in regulated areas like pipelines? If the alternative is large harm to the public, this seems like a no-brainer to me for future legislation.
It’s probably cleaner and easier to run this if the spooks set up a bureau of cyber security standards and fine strategically important companies for non-compliance. The gov can do security audits on these corps.
So should the president of the United States be an expert on tactical jet engines? And also have a PHD in economics? And also be an expert in immunology? And power plant operations? How about the national airspace system?

People are quick to conclude that Colonial’s security was “bad.” But do we know that to be true? A sophisticated, potentially state-sponsored organization initiated this attack. The best security in the world is not 100% secure. It might be wise to get the facts before rushing to judgement.

He's a CEO. His job is to ask others to find him the experts needed and manage them. He doesn't need to know any actual security engineering.
He needs to know the basics. How does he know someone is a real expert?
So, you are saying that there are jurisdictions where home security systems are illegal? Night watchmen/security guards and body guards are illegal? Where would these jurisdictions be located?
I don't think that's even close to what I'm saying. I'm not even really sure what you are trying to communicate here; are you insinuating that ADT or Ring hire roving bands of bandits who break into houses that aren't protected by their security systems? If not, I genuinely don't know what you're trying to say here.
That's a non sequitur. Certainly law enforcement should aggressively pursue criminals who engage in assault, burglary, and extortion. But that has nothing to do with paying off ransomware gangs.
Yes it does, it’s a crime, in this case a class of crime perpetrated, prosecuted, and prevented by experts. It falls under law enforcement
> We have law enforcement so everyone can be free to focus on their own value-add in life without having to learn 1000 skills to cover their own ass.

No, that's why we have division of labor. Law enforcement is just another brick in the wall. If a company is already making massive profits from the public by running critical services, why should tax payers fund their lack of diligence? Should we just fund their entire payroll while we're at it?

That's pretty easy to say when it's not e.g. your child being held for ransom.
I don't think people here are considering all forms of ransoms, but you hit on an interesting aspect of it all the same.

It's why, I think, such a law wouldn't pass Constitutional review.

If your person is threatened with imminent danger, you have a right to self-defense, we'll even let you commit intentional homicide if the threat is serious enough.

And self-defense also covers your property and livelihood to a lesser extent.

I think it'd be extremely hard to convince courts that this right to self-defense doesn't include negotiating with an attacker. Imagine if it were a crime to toss some money at a mugger and run away, for instance.

The US Constitution contains no explicit right to self defense. There are a variety of state and federal laws covering justifiable use of force but none of them are even remotely applicable to paying ransoms. If you disagree then please cite a specific legal case.

https://www.natlawreview.com/article/us-government-warns-com...

US law derived from common law, which recognized a right to self defense. All 50 states, DC, and federal jurisdictions then codified that right as law. While the 2A is not directly about self-defense, it plainly guarantees an individual right to maintain the means for self-defense, which implies a right to self-defense.

There are cases covering a justifiable use of force because intentionally killing or harming a person is illegal, and self-defense is a defense against those charges.

It's normally perfectly legal to pay someone whatever you want. You don't need a defense against something that's not a crime. There's no conflict in paying a ransom, so there's no case law.

Regarding OFAC, as your link points out:

> One issue is that victim organizations are required to check the list of sanctioned entities; however, many times the true identity of the cybercriminals are not known.

I'm guessing there's no case law regarding paying ransoms to SDNs because nobody has an identity they can check.

But do we need case law when OFAC says:

> OFAC will consider a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining the enforcement outcome if the situation is determined to have a sanctions nexus.

If someone wanted to make a law against paying ransom, it would be quite novel and courts would have to look for applicable doctrine. I think the doctrine of self-defense would be a roadblock.

This would only protect those without proper cyber security. Why is it acceptable to let random targets suffer as opposed to everyone without proper security?
Here we have a coordination problem, like the prisoner’s dilemma. People who pay ransom are the defectors, improving their situation at the cost of making the problem much worse for everyone.

If fewer people paid ransom, ransomware would be less profitable and would happen less often and we’d all be better off.

The government can help coordination by making defecting more costly (with criminal penalties).

> The government can help coordination by making defecting more costly (with criminal penalties).

not just sticks, but also carrots: The federal government should commit to doing all it can to help organizations that refuse to pay ransoms. This would include help from 3-letter agencies as well as bringing in alternative IT infrastructure. Obviously the federal government doesn't have all of these capabilities now, but this should be a priority going forward.

Nobody in their right mind will consider a lot of attention by three letter agencies a reward or help. They may, and can, do a lot more damage than 0.4% of revenue, and can do a lot of damage to the individuals making the decisions as well.

Even if they help out, it will alert everyone and everything in 5 governments to all details about their firm.

Three letter agencies have used (and destroyed) companies for unrelated reasons and then left everyone without any recourse. With smaller companies, this happens regularly.

Those governments will have representatives from their lenders, from their investors, from their large clients and so on in them, who will get a lot of details they wouldn't normally get access to.

This is not happening.

It's the 3-letter agencies where the expertise lies. Maybe a new agency needs to be created outside of the intelligence agencies?
Yes, at least a 16-letter agency consisting of uppercase lowercase letters and special characters would be much better ;)
I like to use foreign letters like ß and ö in my passwords.

Good luck guessing that password. I'm not even German.

I think criminal penalties is too much. I think at some point paying ransom is better than not paying, for example, in case of attacks on hospitals. People can literally die.

What needs to happen is that when an organization that skips IT security practices, it should have large monetary penalties and its executives held responsible, no golden parachutes for them. You can imagine any factory where they don't practice OSHA safety guidelines will get in major trouble.

> in case of attacks on hospitals. People can literally die.

Setting aside the appeal to emotion, there are a couple of things to unpack. In real-world ransom kidnappings, life and death was always at stake and the government still errs on the side of not paying.

Second, you presume ransomware authors are prepared to commit murder. If a hospital cannot legally pay, the only thing to gain by shutting it down is murder.

Kidnapping for ransom is basically a dead enterprise in the US because of laws essentially forbidding the paying of ransom. Your appeal to emotion is exactly the sort of thing that ransomware gangs want people to hear because its how they make money. In the long run though its a terrible idea.
>Kidnapping for ransom is basically a dead enterprise in the US because of laws essentially forbidding the paying of ransom.

This is bullshit. US laws do not prohibit ransom payments except to sanctioned and/or designated entities which tend to not operate within the US.

Civil penalties may be more palatable. If organizations are willing and able to pay a ransom, there should be no problem with paying a fine as well.
You've finally found a way to fund open source development.
The federal government should commit to doing what it can to help make organizations who refuse to pay ransoms whole again.
Why should this be a problem that the federal government is required to solve? Or in other words: why should my tax dollars go to help an organization that couldn't manage their security properly?
Because this organization endangered the economy of a significant chunk of the country by their negligence, then your tax dollars should go to setting standards and holding them liable when they fail to meet those standards.
That's not what the OP said though. That is something completely different.
Some board member resignations might be in order and being banned from being directors for 10-20 years
That role can be better handled by private insurers in the same way they make policy holders whole after physical thefts.
Let's be clear that the victims here are the public and the perpetrators are the computer operators at the pipeline firm.
The ransom payments are covered by insurance. It’s the insurance companies making the payments.
(comment deleted)
> Paying ransom should be illegal.

Perhaps instead it should not be legal to say publicly you paid a ransom but ok to pay the ransom. That would tamp down a bit the publicity that encourages more actors. That would be a quick and easy fix along the lines of insider trading.

it should be illegal if the government wants to help recoup the losses.

If a have a firm that makes $100,000,000 a year in net-profit , paying a $5 ransomware is a cost of doing business, an unfortunate one nonetheless

It incentivizes more crime and should be illegal.

Businesses don't have a right to do whatever they want just because it is profitable.

It should be illegal on another basis as well. Paying it contributes to a norm that randoms will be paid that will encourage more randomware in the future against other companies. So you're harming other people when you pay it. That's an externality that won't be factored into the decision to pay the ransom.

Suppose god handed down powers that allowed you to smite from the earth anyone who ever paid a ransom with perfect accuracy and you made a credible commitment to do so. If this fact was well known, presumably random-paying would disappear overnight and ransomware attacks would soon cease to exist as well (ironically rendering the power to smite ransom-payers redundant). We won't ever live in that world but we can move marginally toward it by severaly penalizing clear cut cases where a company or individual pays a ransom.

Indeed, not only should it be illegal, but the US Gov should offer any and all assistance for helping organizations get back online after such an attack. If organizations quit paying ransoms pretty soon the bad guys would give it up.
A greyhat should launch ransomware and then not decrypt when the ransom is paid. Make the ransomware industry unreliable.
This is the chaotic evil way of dealing with the problem
I think a lot of businesses would still pay. Pay $2M for a 50% chance of getting out of the situation, versus $200M in losses if you don’t - you’d take the gamble.
This fees will support next 1000's attacks , if someone gets attacked next i think should sue colonial pipeline
I am not a lawyer, but my understanding is that while paying a ransom is not illegal itself, anything that facilitates the payment of a ransom is. There is a chance some party that handled the ransom money broke this law by doing so.

There is another much greater chance that some party with a fiduciary duty to shareholders could be sued for misrepresenting the risk of this happening to shareholders.

Giving up your wallet while at gunpoint should also be illegal!
Imagine making it illegal to hand over your wallet to a mugger holding a gun to you.

All you are doing is incentivizing companies to not report these attacks.

If the mugger isn't bluffing, then he'll get your money one way or the other. This makes it different from paying ransoms.

Furthermore, a corporation's bottom line is not truly comparable to a human life. However it is my understanding that paying ransoms to save human lives is technically illegal to. If paying a ransom to save your family member's life is illegal, then corporations paying ransoms to protect their finances should certainly be illegal.

>However it is my understanding that paying ransoms to save human lives is technically illegal to

You are wrong.

I did some more research and it seems I am substantially correct; paying a ransom to a terrorist organization is illegal.
Substantially correct? Paying ransoms is legal except for a very limited set of payment recipients.
It would in incentivize more people to fight back rather than acquiesce, and therefore likely reduce the number of muggings.
Not a good analogy, for two reasons. First, workers who don't have equity in a company don't really have a gun to their head even if the existence of the company is at risk. The real "gun to the head" is the threat of jail time. Second, it has historically been difficult to convince dozens of people to coordinate with each other and do something illegal for little to no personal gain.
(comment deleted)
It's better to have criminals who are only interested in a relatively small payout exposing to the general public how vulnerable critical infrastructure is than people who are interested in causing mass destruction.
They should have just called it a bug bounty and then everyone would be happy.
(comment deleted)
Disclaimer: I work as a CISO in a large corporation. The interesting bit in this article is not necessarily the sum of the ransom, but that Colonial decided to pay quasi-immediately. It seems as if the attackers had full control over their network. Another possibility: Colonial staff could not be sure that if they used their backups, everything would be encrypted immediately again - possibly the backup servers as well. My bet would be on scenario 1.
I am curious what your thoughts are on other commenters making as if it is possible to prevent these types of attacks by just taking security 'more seriously'. My guess is that you know that no matter how much is spent with a large entity and many employees it's near impossible to prevent this type of attack. People make mistakes people are easily fooled people don't follow what they are told to do and so on.

I can't even begin to imagine the amount of people that could cause an issue in the size company you are a CISO at.

You cannot completely eliminate risk but you certainly can reduce it and be prepared for what to do when one of those low probability risks ends up happening.
It's certainly possible to achieve serious security but probably not practical for most private entities. I've spent most of my development career making software for the US intelligence community and their systems were definitely not going to get broken into by a ransomware gang. Security measures include multilevel air gapping plus heavily armed physical security, six foot thick concrete walls set back from the street by other concrete barriers, locating facilities on military installations, disabling USB ports on most devices, banning anything radio enabled from being anywhere near your workstations, jamming radio signals anyway, severely punishing, possibly executing, anyone caught working as an intentional insider threat, requiring multiple persons in the custody and approval chains to move any files from one network to another via write-once media like DVDs, having the transfer media itself in a separate locked cabinet in a separate locked room inside the actual classified vault serving as an office. Installing and running everything in a separately sandboxed staging environment even after it gets through all the walls and air gaps and DVDs and running it through some fairly extensive testing and analysis before putting it anywhere near a production system.

Clearly, you can never make it literally impossible, but to my knowledge, nobody has ever managed to get malicious software onto a classified production system. Information leaks are, of course, another story.

Thank you - this is the closest I have read on this thread as to the real security practises we will need in the future - if you can elaborate more that will be helpful.

Are these (i suspect not) published anywhere as "Three letter agency network security standards"?

If there’s a business need, you can secure a wooden box on the sidewalk in a way, that it is almost impossible to break in. It will be very costly, but if profit or IP depends on it, one can find a way. Taking cyber security „seriously“ always depends on who you see as a potential attacker. I don’t think any corporation on the planet has the capacity or willingness to really protect itself against dedicated state actors. This does not include ransomware gangs that are not prosecuted by the Russian Federation or DPRK, but highly specialized forces within the usual intelligence services.

The types of ransomware attacks we see today might not be preventable as well, every company on the planet will get or was already hit. But, the difference between the attacks: the amount of damage. If money is spent on security, that amount will certainly be smaller.

Having read the release by the attacker, my initial thought is that the immediacy of paying was probably due to the threat of the release of sensitive data, not the ability to restore operations.

I’m sitting here wondering what exactly about the release of their financials and internal procedures prompted them to immediately pay $4-5m in the hopes of preventing it from happening?

Just spit balling here but they have had several other pipeline shutdowns in recent years. One was blamed on a third party damaging the pipeline but I believe the others were operational issues. Perhaps there's more information on those issues than the company would like the public to know? Just a wild guess.
If this is the case, then paying the ransom will turn out to be a stupid idea.

If the threat was to release sensitive information, surely the firm would be asking the attackers for details of the sensitive information they claim to have.

If the attackers come back with nothing then it was just a bluff.

However if the attackers come back with real information then paying the ransom is just stupid, as the attacker still have the sensitive information and can repeat the payment demands ad infinitum.

If the attackers had full access, they probably broke into the financial systems, issued the bitcoin transactions and paid themselves directly. I mean, why bother going through the hassle of trying to teach people how to do all of that stuff?
There are other stakeholders involved in a transaction like this, most importantly banks. Payments, especially large ones, are heavily regulated. You cannot hack a finance department and issue a monero transaction of that size without triggering a lot of alarm bells.
> Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.

I thought the protocol for these attacks was to send the decryption keys, not provide a "decrypting tool."

If some kind of software was provided by the attackers, and Colonial installed it, this could be far from over.

Also, if the company has backups, then why not use them instead? If they're incomplete, then that's the real problem.

Probably a reporter/reporting issue. No company that just have been hacked would run a binary received from the hackers in order to restore the systems, they cannot be that stupid. But then again, they did pay the ransom and also seemingly can't restore their systems from backups, so who knows how stupid they really are?

More charitable reading is that the encryption key was sent over, and they started restoring with that but using standard OSS tooling.

> More charitable reading is that the encryption key was sent over, and they started restoring with that but using standard OSS tooling.

That would make a lot more sense but I also bet there's a non-zero chance that in a day some dumb media outlet will conflate those tools as "hacker tools" and the headline will be "Hacker tools used in Colonial pipeline hack available freely on Internet. News at 10."

These inane arguments didn't kill GTA, or virtually anything else. How are they going to kill OSS that hasn't needed mainstream appeal and still doesn't? So, maybe some high school kids end up on the github pages and become 1337 hackers? Quite a stretch..
What? No, the ransomware people truly do send a decryption tool, or the decryption functionality is built into the ransomware. Do you think they are sending people some AES key and then everyone goes off and builds some python tool to decrypt his data?

This is a fundamental misunderstanding of the ransomware business. The whole reason people pay up is because the hackers don't run and leave you hanging; if you pay they will decrypt your data. Trust and convenience are essential to making this work.

(comment deleted)
Great, we should get the word out then that some don't.

Perhaps a few cases of high-profile companies falsly claiming „wow, what a load of shit! we got ransommed and after paying up the hackers disappeared! we had to restore from backup, AND the money is gone“.

What are the hackers gonna do, sue those companies? :-)

Oh I don't know. Maybe the hackers will hold their operation hostage for ransom? Get the money and get some nice PR all at the same time!
I would also fear retribution by colleagues: one bad actor that does not keep his end of the bargain is bad for business for the rest.
> No company that just have been hacked would run a binary received from the hackers in order to restore the systems, they cannot be that stupid.

Uh, why? The system is already compromised. They’re already in.

Well if the company is already that messed up to not have backups and desperate that they paid criminals...

One would hope they'd just run the decryption program on each computer, not connected to the network. Or maybe hire some experts to extract the decryption key.

> they cannot be that stupid

Oh yes they can.

Also, assume you have the key - what you do with it? You don't know how the files were encrypted, in which way they were stored afterwards, etc. There are many ways one can encrypt and write data, even with the same key - you obviously need the algorithm, but also there are often parameters (e.g. block sizes), storage formats etc. The easiest way to deliver all that is to provide a program.

Otherwise, what a random "press any key" IT person would do with an encryption key? They probably don't even have any tools that can do encryption on any of the systems. Do they have to write those themselves? Use OSS tools - which ones? With which parameters? What if it doesn't work?

How do they decrypt it then?? Just show the key to the computer??
Pretty hilarious to see all these comments from people who have no idea what they are talking about.

Thinking $5m is a "high" ransom, thinking that there is no way they would send a decryption binary rather than a key.

Why don't you just actually research how these schemes function before commenting? The team that did this has a pretty consistent MO and five million was a massive discount.

The ransomware typically has both the encrypter and decryptor built in.

It's a simple matter of copy-pasting the key into a box, and the decryption will happen.

Over a slow network link (like a VPN to a remote NAS), I could totally imagine it taking days/weeks/months to scan every file though...

> If some kind of software was provided by the attackers, and Colonial installed it, this could be far from over.

To be fair, malicious code has already ran on the affected machines, so if the ransomware authors wanted to do further damage they wouldn't need a malicious decryptor to do that.

So you'd either:

1) not trust the ransomware authors, rebuild everything from scratch (potentially paying the ransom and reverse-engineering the decryptor or running it isolated from the internet) and make sure to not carry over any executable code that could allow potential malware to persist

2) trust the ransomware authors and not rebuild everything, in which case you may as well run their decryptor

I don’t think the hacking group would want to show future targets that paying the ransom won’t get them un-hacked. People would stop paying them. It would be bad for business.

If anything they’re working on speeding up their decrypting tool for the next release :)

Don't rely on technical details from Bloomberg.
I’ve only helped people pay a couple of times but they always provided a shoddy .exe decryptor.

Consider that most victims are small fry who would not know what to do with just a key.

> I thought the protocol for these attacks was to send the decryption keys, not provide a "decrypting tool."

Fair, but anyone who pays me $5M and wants a powershell script gets one, and an air freshener of their choice.

It could be something as simple as decrypting some files with PGP or some open source tool
All that money and lawlessness that went into enabling security agencies must be crowned as the worst investment ever
That has nothing to do with this the FBI presumably cannot enforce security on a company.

Maybe for some industries they need to start mandating Security Clearances and background checks and no outsourcing of certain critical systems work.

I am not familiar with any details of this hack that could point to employees or contractors. Also, I am not sure what exactly are the roles of FBI and NSA when it comes to protecting US infrastructure, can you clarify?
I am not a Natsec expert - and where does "employees or contractors. " come into this?

I was suggesting that certain industries would have to be stricter in future in who they hire for sensitive roles.

Many of those agencies seem more interested in making systems less secure so they can get in easily than in protecting systems from outsiders.
nobody hacked Colonial Pipeline, its a insider trading racket. which idiot would connect a oil Pipeline to the internet .

its impossible. 5M in ransom show me the transaction

- Got Hacked by installing malware for free.

- Liked it so much, sent 5M to download another program from the same people.

It should be noted that Colonial had several infosec openings at the time of the attack. While having those filled might not have prevented this attack, it also might have or at least put them in a better response position.

There are lots of infosec openings across the country but compensation doesn't seem to be rising in response. It appears that companies are fine with leaving these positions open for long periods of time. As long as the position actually exists, they're not all that concerned with filling it. This might be complacency creep. Everyone staffed up after the cluster of breaches that happened around the time of the Target and Equifax breaches. A lack of other high profile breaches or attacks might be why many companies have become lax in keeping their staffs full.

I mean, if you ignore how H1B's work, yeah you could call it complacency.
You don't need infosec staff to know that you should have backups of the data on your important computers/servers.

Being hit by ransomware is not an indicator of total IT incompetence.

Having no good options but to pay the ransom absolutely is.

All ransomware is doing is exposing the existing hope-based DR plans (that is to say, lack thereof) in the industry.

Being hit by ransomware is not an indicator of total IT incompetence. Having no good options but to pay the ransom absolutely is.

Part of paying the ransom is the promise that the ransomer will not just unlock your system, but will also delete all the data they downloaded (which often includes a pile of PII that the ransomee doesn't want published).

I wouldn’t even pin it on IT. I’d be willing to bet there’s some poor IT person, or perhaps a lot of them, cleaning up this mess who have been begging management to beef up info sec for a long time.
I used to deploy backup systems, and I had to explain to many customers that data protection is a security feature also. Very few "got" this.
Note that the attackers can also threaten to release data. Backups are no protection against that. They could also corrupt data and not tell you which part was corrupted and when, so even if you have backups you don't know which ones are corrupted unless you have some way of verifying all the data. One example of this would be to plant a backdoor, leave it in place and unused for months, then trigger the ransomeware encryption. The company decides not to pay, they restore from backup, and the attackers use the backdoor to encrypt it all again and demand even more. They could also use access to destroy hardware, say on a timer that triggers after the payment deadline. Backups won't protect against that if you can't get all your systems offline fast enough, or if taking them offline triggers the destruction.
Are there enough Infosec people to fill every open job for it in the USA? I would imagine that it is like software development, where the unemployed software devs are the kind that can't figure out git.
This is basically accurate but with an added problem. When devs do their job, the product is software. When security does their job, the product is “not getting hacked”, so if you act busy enough, it’s easy to appear as though you’re doing important work, until it’s too late.

Then, paradoxically, you aren’t actually punished, but usually rewarded, when you do get hacked. That’s the one time you’re needed most, and you get to act like the hero for saving the company.

I doubt there are enough infosec people which means in theory that compensation should rise which will then attract more people into the field. Until they're trained and experienced, whoever provides the best place to work (compensation and intangibles that lead to satisfaction) would get the help they need while others would be more vulnerable to attack. But from what I've seen, this isn't happening. There's lots of complaints about there not being enough workers but instead of boosting compensation and/or quality of employment, the positions simply stay open for extended periods of time.
What would be the solution to this?

If I’m a leader in a company with a culture and intangibles not yet optimized for the people working in the infosec roles, how would I aproach changing the environment for the better?

Is it viable to cooperate with other companies to share best practices? Wouldn’t they hesitate to share?

Would doing deep interviews with potential employees get me the right information?

Would some hr consultancy provide this info? Arent’t they too old-fashioned for this field yet?

For many companies, security threats are all theoretical, but they are required to have the positions to meet some compliance requirement. They need to have them, but don’t really want them, which would explain the lack of enthusiasm (as demonstrated by the low salaries) in getting the jobs actually filled.

Also, a lot of infosec positions are just chugging through audits and ticking boxes to say whether you have some control in place or not. Those are more clerical positions that don’t require deep technical knowledge that could command a higher salary.

The issue is less about people unwilling to take those wages, and more about a lack of people whose breath can even fog a security mirror so to speak. I work in security and have been involved with hiring at several “brand name” companies including FAANGs in hot tech markets, and it’s always been a talent pipeline issue more than anything. Given how difficult it is for the biggest players to keep security staffed up, and they still get hacked routinely, I can’t imagine how low quality the applicant pool is at Colonial, and doubt it would have made a difference. Almost every company of moderate size perpetually has openings for security roles.

The other problem is that the industry has an oversupply of by-the-book certified security people who can configure firewalls and run scanners, but who have never dealt with live hackers or hacked anything themselves. But hackers are clever and artistic, and defending against them isn’t like following a recipe for baking a cake.

And as an employer looking to introduce security, there is no way to really evaluate a good security leader vs a charlatan, and then it’s either bad hires all the way down, or talented people on the bottom who lack leadership and are ineffective in the bureaucracy.

The problem I see is that there are tradeoffs between security and usability, and again between developing security vs developing features. Security doesn't make money next quarter, while features and ease of use do.

Any software engineer can do security if they spend time learning and working on it. But executives don't seem to care about it.

Weird to see this downvoted, it’s completely accurate and pretty basic economics. Security is a cost center, product development is a revenue multiplier. Investing in the latter as much as you can get away with is the most rational way to allocate resources.
Is being a "good" security person really more involved than:

* making sure you have all your ports locked down

* limit connectivity between all instances to only the bare minimum

* any public access is via protocols such as ssh which have zero-to-none vulnerabilities

* any 3rd party software you dont know is secure should never be public

* routinely run employee training on how not to let themselves get hacked via social engineering

I'm sure I'm missing other stuff, but I feel like if you follow these "best practices", you have just made yourself a very hard target and hackers will probably skip over you unless they have some weird reason to target your org specifically. So for 95% of companies out there, this level of security should be sufficient.

I'm legitimately asking - is this sufficient? Or are hackers so creative that even following these basic rules will still not make you a hard target?

This stuff seems fairly easy to do but I agree you need training or an info-sec person making sure your dev teams are doing it all. You can't have any slip ups. Your devs / managers have to take it seriously.

Yes, it is a lot more involved.

In particular, "routinely run training" might reduce the probability of a breach due to social engineering, but it probably won't.

You also didn't really cover client machine security, which is how compromises often happen. Your awesome security isn't worth much if the admin's machine is compromised.

Your employees need to use computers to do their job. As part of that, they will need to browse the web, which they will do with one of the major browsers. This browser has unknown 0-day vulnerabilities. Whatever security measures you implement must not disrupt business.

They may also need to plug in USB drives. These can come with malware. Whatever security measures you implement must not disrupt business.

They may also need to open documents, possibly with macros. Whatever security measures you implement must not disrupt business.

Your "basic rules" will at best prevent the - still extremely common - social engineering based attacks, but they still won't reliably keep an attacker out of your network. The attacker will compromise a random person, find some company-wide writeable shared network drive (that you didn't even know about) where a team shares their executables, replace one of those, compromise more machines, escalate to domain admin credentials through one of the many ways that exist, then use your own fleet management system to push their backdoor to your entire fleet.

For good security, you need for example:

- an overview of what assets (computers etc.) you actually have

- a decent way to manage these assets

- monitoring so you can hopefully detect when (not if) a compromise happens

- many layers of defense in depth that slow down attackers and limit what they can do once they've compromised one part of your company

- technical barriers to prevent social engineering attacks (binary whitelisting, strong multi-factor authentication)

- protection against insider risks

- physical security

and that's just a few things that popped into my head, the actual list would probably not fit whatever post length limits HN has. And of course all of this needs to be implemented with the limited budget the company is willing to give you, without disrupting the business, etc.

Thanks for the great response! Very informative. I assumed I was way simplifying the problem. It seems like what works for my small remote only startup is not even close to what you need for a large in-person org running who-knows-what software.
I'm sorry, but this just doesn't work in the real-world.

As the "security guy", you're seen as the troll under the bridge. Someone to get past via any means necessary, including lying.

But lets say you get your way.

"making sure you have all your ports locked down"

You can't imagine how much work this actually is on a network with 1,000+ servers running at least 10,000 distinct pieces of software. Most of which don't document their firewall requirements.

Oh, did you know that Active Directory domain controllers -- the single most valuable attack targets -- require essentially all ports open to all computers on the network?

What is your firewall going to do when all modern software communication is over HTTPS and "looks the same"?

How are you going to firewall off just one modern server with 200 Gbps Ethernet? Do you have any idea how much you'd have to spend with CheckPoint or Juniper or Cisco or whomever to do that?

"limit connectivity between all instances to only the bare minimum"

That lasts right up to the point that the shouty guy in finance that talks directly to the CxOs wants PowerBI on his desktop to be able to pull in data directly from all the databases. Did I say desktop? I meant a laptop on unencrypted airport WiFi.

"any public access is via protocols such as ssh which have zero-to-none vulnerabilities"

You don't get to choose the software. Windows doesn't use SSH for anything, and can't be made to.

Also, if you know anything about ransomware attacks, you would know that protocol encryption does nothing to even slow them down. If anything, it makes detecting attacks harder!

"routinely run employee training on how not to let themselves get hacked via social engineering"

Meet Mr Bell's Curve, and its unavoidable left hand side. Some people are just incorrigibly stupid and will routinely fall for phishing attacks, no matter how much training they receive. At any large corporation -- the type worth ransoming -- these people are inevitable. You, Mr Security Person, don't work in HR and don't make hiring and firing decisions.

"I'm sure I'm missing other stuff"

You're missing the fundamentals of the problem, which is that as a security guy:

- You must come up with security solutions that work in the face of morons.

- You must be able to secure software written by morons with no interest in, or ability to write secure code.

- You must do this without impacting the business in any material way, because if you stand in the way of anyone more senior than you -- even once -- you'll never be listened to again.

"Or are hackers so creative that even following these basic rules will still not make you a hard target?"

Currently, for any large org above about 1K staff, security against targetted attacks is basically impossible. Certainly not financially viable. Your competition will not spend the money, make more profit, pay out the ransom, and come out ahead of you.

Thanks for the great response! Very informative. I assumed I was way simplifying the problem. It seems like what works for my small remote only startup is not even close to what you need for a large in-person org running who-knows-what software.
> The issue is less about people unwilling to take those wages, and more about a lack of people whose breath can even fog a security mirror so to speak. I work in security and have been involved with hiring at several “brand name” companies including FAANGs in hot tech markets, and it’s always been a talent pipeline issue more than anything.

Oh come on. It is just an excuse. Look up what FAANG pays for those jobs ( total compensation ). Pay 2x. Get people from FAANG to work for you.

Game theory says nah, just do enough so the other guy gets hit first. I mean I could spend the kids' college fund turning the house into an impenetrable fort with bulletproof glass, booby traps, 2 ton doors and concrete walls; or I can spend a few thousand and get a really grumpy window cat so a burglar moves on to an easier target.
That’s a pretty silly way to look at it. There are a lot of reasons, but the most obvious is that you just moved people around, you didn’t get any new ones. It’s zero sum in the short term, because there are many many years of latency to correct the talent pipeline on something like security.
From my experience, the problem is that most infosec positions are powerless to do anything to increase security at the company, and are primarily there for PR or compliance reasons. The positions seem to be mostly filled with people who wanted to make a career change for the money; experienced people usually leave to work at private security companies, or FAANG sized companies.
This. A million times this. I can’t tell you how many netsec roles are staffed by people that are content being a butt in a seat and have zero effect on the overall security of a corporation.
I mean, let's address the elephant in the room: there is no such thing as computer security. As we see with new leaks and hacks and vulnerabilities every single week, the idea that a computer that is connected to the Internet can be secure is a joke. The whole industry is built on protocols and tools that assume there will never be any bad actors, and we're reaping the rewards of that now. It will take decades of layering on band-aids to approach anything like security, and more likely we will have to rebuild the entire industry from the ground up without that assumption. Both will take a very long time and a lot of money. Hiring some guy with an infosec cert would not have stopped this attack, because there is no way to stop this kind of attack.
There are companies that get hacked a lot and there are companies that don't. It is for sure true to say everyone is vulnerable, but it's also true to say that you can reduce your risk without reducing your revenue.
> Idea that a computer that is connected to the Internet can be secure is a joke. The whole industry is built on protocols and tools that assume there will never be any bad actors

This is just flat out wrong.

Risk cannot be eliminated but it certainly can be reduced. Also response plans for when something happens can be funded and regularly tested. You can't anticipate every possible successful attack but you can reduce the risk of being unprepared to respond to whatever attack happens.
the assumption that there is no security in open protocols is badly misinformed here.

"Hiring some guy with an infosec cert would not have stopped this attack, because there is no way to stop this kind of attack."

blovation

No. The security problem is not a lack of effort or laxness, it is a fundamental inability to solve the problem. At a $5M payout there are essentially 0 commercial IT systems in the world that can stop such an attack. The absolute best of the best commercial IT systems implemented as envisioned with full support can maybe protect up to the $10M level and I am just extrapolating upwards since I have never had any security professional or executive in a Fortune 500 company with a budget in the tens to hundreds of millions of dollars ever assess their own systems as more than $1M. With an ROI of 5 is it only a matter of time before criminal enterprises can bootstrap themselves up to exploit the entire total addressable market. At best, better, but still inadequate, security means that the thousands of hungry bears eat the slower fish in the barrel first to get the energy to reproduce and make more bears to eat the rest.

This is not a failure to live up to potential or incompetence, though there is a fair amount of both of those. We need solutions that are literally 100x better than the best systems currently available before we get to even adequate for critical infrastructure whose disruption can literally cause hundreds of millions or billions of dollars in damage let alone potential human lives. Anything less than that keeps extortion economically viable for the attackers and paying off extortion economically sound for the victims. That is how far away we are.

> At a $5M payout there are essentially 0 commercial IT systems in the world that can stop such an attack.

Even if that's true, it doesn't affect backups.

Back your fucking systems up properly, and if you are attacked by ransomware, then do a scorched earth restore.

It absolutely does affect backups. If you stand to gain $5M from an attack you can also target the backup systems and still easily end up profitable. Only if you stand to gain less than $100k does the budget actually start to get tight.

As for how you attack the backup system it depends. If it push based you send your payload during the push. If it is pull based you craft your payload in the data that will be backed up. If it is not append-only you can easily nuke the entire available history. If it is append-only, but that is only done in software you just need to take over the software. If it is in hardware you just infiltrate then silently encrypt any new data until it would be painful to revert that far back in time. Given that the mean-time to discovery is on the order of months that is quite painful. If they regularly test their backups you just silently decrypt the data on restore until it is time to strike. There are plenty of ways to beat vulnerable backup systems in that sort of budget.

Like, seriously, with a $5M budget you can literally purchase and burn multiple zero days for every system in the chain and still come out ahead. You can hire 10-50 full time software engineers for a year per attack. Most systems have serious vulnerabilities discovered by lone individuals working for a few months in their free time let alone a team of 50 people. The current backup systems survive because most of these attacks are being done with budgets closer to $10k-$100k to maximize profit and growth rate and that is not really enough money to pay for the second arm of the attack. But with a $5M return they could easily allocate a few million to capitalize on the opportunity if that is what is needed once all the juicier targets have been eaten.

I can’t speak for other industries but in the financial industry (in the US at least) periodic backups are required on physical tapes both off- and on-site.

Barring a Mr. Robot hack of the institution and Iron Mountain to burn the tapes the absolute worst-case scenario in a ransomeware attack on a financial institution is an afternoon of data lost.

If you knew in advance of the timing of the data loss you could do billions in damage to a bank.
You just hack the machines that are loading the data onto the physical tapes or the system that is collecting the data to put onto the tapes. Essentially, at some point the data goes from where it is being used to the tapes and you just takeover one of the systems in that pathway. You then wait for 6 months silently encrypting the data before you make your demands. Now the absolute worst case is that 6 months of data is lost or however long you were hiding. Industry studies indicate that the average time between infiltration and detection of an agent actively exfiltrating data is a few months, so a few months for an agent not even pushing data out over the network, just silently corrupting data going to your off-site backups that you are not looking at is very reasonable.

Backups are not the end of the story unless you are dealing with attackers with only $10k to their name which is essentially what everybody without backups is losing their minds over and being defeated by. That is a literal rounding error of a rounding error of a rounding error for the financial industry. People spend more on lunch than that. A moderately sophisticated attack with a few million behind it is literally 100x the resources of most of these attacks and that is still just a microscopic pittance compared to the financial industry. Think about that, if you want to reach the $1M level you need a system that can defend against an adversary with 100x the resources of a basic ransomware attack. The gap is so large that the capabilities fundamentally change and intuition for how to defeat a $10k attack does not generalize.

And, we have not even considered a system that would even be considered barely adequate for the financial industry. If you want to get to something barely adequate for the financial industry, like say protecting against an attack funded to a level comparable to one day of disrupted operations for JP Morgan, you would need to protect against an attack on the order of $500M, literally 500x more than those "good" systems and 50,000x better than these basic systems. The gaps are ludicrous and the lessons at one scale do not really apply when you go up another 2 or 4 orders of magnitude.

It seems appropriate to regurgitate the one about the bear and the hikers....

Two friends are in the woods, having a picnic. They spot a bear running at them. One friend gets up and starts running away from the bear. The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching.

“Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend. “You can’t outrun a bear!”

“I don’t have to outrun the bear,” said the second friend. “I only have to outrun you.”

In our scenario, the bear is the ransomware attackers, and Colonial Pipeline is one of the runners.

There are hundreds or thousands or tens of thousands more runners that the bear can go after.

You don't need to have perfect security over every aspect of your operation (though you should of course aspire to that). In particular you don't need to give up because in theory someone could infiltrate your offsite backups.

You just need to make things hard enough that the ransomware guys will go after an easier target.

Except that is totally wrong. You are assuming that there is one bear, that you can escape the bear forever, that the bear is not hungry enough to eat everybody, and that the bears are not multiplying ferociously due to nearly unlimited supply of delicious food.

No, reality is more like the story of the dodo. A vast quantity of delicious prey that nobody was eating because nobody knew about them. Then they were discovered and some predators showed up but there were not enough to eat all of them. But then more and more predators showed up to exploit the vast untapped resource until they were all eaten.

We are still in the middle of that process which is borne out by the fact that the frequency of attacks has been increasing on the order of >100% per year and average demands per attack have been doing something similar. That is an utterly ferocious rate of growth that will soon be enough to attack not just the juiciest targets, but every profitable target in a few years.

Being slightly faster or slightly less delicious will not help when there are finally enough bears to eat everybody.

> If it is in hardware you just infiltrate then silently encrypt any new data until it would be painful to revert that far back in time

What does "infiltrate" mean here? An insider?

> painfulthey regularly test their backups you just silently decrypt the data on restore until it is time to strike.

Interesting, I was just going to ask

> The absolute best of the best commercial IT systems implemented as envisioned with full support can maybe protect up to the $10M level

And yet Apple still manages to keep its private signing keys secure. Even from the FBI.

It’s doable.

What are you going to do with private signing keys? Compromise an iPhone? Unlock an iPhone?

Like how the FBI paid $900,000 to do so and get exactly what they wanted (at least with respect to the phone) in the San Bernardino case which you are referencing? Or how the going price for a iOS zero-click remote code execution with persistence, which basically gives you the ability to arbitrarily compromise any iPhone at any time, on Zerodium is $2M? You can get effectively the same outcome as stealing their signing keys for $2M or less in a way that is far less traceable or detectable. There are so many ways in and to get what you want that the fact that one of them, which is not even clearly the best or easiest way, being untouched is not exactly a cause for celebration or indicative of the quality of that defense. The cash register being untouched because the safe door was wide open is not exactly a very compelling security story. So, no, they do not reach the $10M level. Not even close.

Lol as if majority of those hacks aren’t just some misconfigured s3 permissions or creds that got submitted to Github or an unpatched windows machine. Those are essentially script kiddie hacks 2.0 except they now can get payed thanks to crypto (at least it’s useful for something)
Yeah this is sort of nonsensical. As someone else commented, Apple manages.

It’s well, well, well known that working in ICS security as a security engineer means aggressively lower salaries to secure horribly insecure, outdated tech in a low funding environment.

That’s just a known fact.

Correction: Consumers Paid Nearly $5M in Ransom to Hackers.
Also, like if you're not paying for something, you ARE the product, man.
One thing that this attack has proven is that if we ever reach the point where we engage in military conflict with either Russia or China we are going to be functioning as if we experienced a country wide emp within a few days. Our infrastructure is massively vulnerable.
Wait til you hear about the satellites.

A global hot war between super powers would be disastrous for everyone involved. That’s why it probably won’t happen. I’d be more worried about rogue actors, terrorists and other “mad men” who might get their hands on a dirty bomb or fry the power grid in New York in January.

So i take it that the involved crypto addresses should be in a blacklist database somewhere? Who if anyone is monitoring all these ransomware addresses? There are probably thousands of addresses by now.
In Cambodia, people buy dirt to increase their property’s elevation so that their neighbor’s house floods when the monsoon comes. Then the neighbor has to pay for more dirt and so on throughout the whole neighborhood.

It seems like the attackers are finding the paths of least resistance. Beefing up security at each organization isn’t fixing the underlying problem. It’s just making the next entity the more likely target.

I don’t even know what the underlying problem is though...

>I don’t even know what the underlying problem is though...

Lack of accountability for either criminals or negligent operators?

Monsoons are not directly caused by individuals, and they cannot be prevented.

Suppose that everyone has raised their house up on a pile of dirt. The rain comes down. It fills up the large ditches between people's houses, and leaves the houses dry.

Suppose I implement better, but imperfect, security. It now costs an attacker $6 million, in salaries, paying for exploits, whatever, to hack my system. They still can only get $5 million in ransom. The attack isn't worth doing anymore, so they find a different business.

I don't think you understand how dirt works. Especially when it gets rained on.
So when I do it I’m flood proofing my house, when the Cambodians do it they’re “buying dirt“?
> Beefing up security at each organization isn’t fixing the underlying problem. It’s just making the next entity the more likely target.

This reminds me of the old saying about locking your bicycle on the street. It won't 100% prevent yours from being stolen, but if the other bikes around yours has less secure means of locking, then the thief will likely take those bikes instead of yours.

Another form: you don’t need to outrun the lion, just the guy next to you.

This also gets taken in dark directions: you don’t even need to run faster than the guy next to you, you just need to trip him up.

(comment deleted)
I am definitely not an expert in these areas and I'm sure someone 100x smarter than I am has thought of this and discounted it already, but is there any ability to decompile the executable provided to Colonial and get to patterns of source code, then compel github to search their repositories for any patterns of that code? Not sure if that is even legal or whether a judge would authorize that fishing expedition, but it's an interesting thought exercise (in my head) assuming the code is even in GH.
> then compel github to search their repositories for any patterns of that code

Assuming we're talking private repos, compelling Github to do that is a pretty blatant fourth amendment violation unless there's a specific set of suspected repos.

are you assuming the ransomware is collaboratively coded on github?
The authors of the ransomware might have non-ransomware projects on github where an analysis of coding style gives them away. It's sounds like it would have a low probability of working but this is essentially what got the Unabomber caught. But writing styles in English might be easier to identify than in code. Maybe they'll use "cool headed logician" as a procedure name.
It's unlikely their code is hosted on GitHub because the hackers wouldn't want to leave such an obvious trace there.

I think you're right that unless there is evidence code is hosted there, the judge wouldn't authorize a "fishing" exercise to search random sources for the code. In a hypothetical, what would this even give? The IP addresses of the authors? They are likely running through a proxy anyways so it wouldn't help. The private key? It might have been generated server-side or using an algorithm outside the code so might not help.

What I'm saying is getting the code source might not even be helpful depending on how it was implemented and if only the client code can be found.

Ugh. This ransomware crap doesn't stop until the money stops. At this point, ransomware operators are bribing insiders to install their custom, AV-evading ransomware directly on company servers (e.g. https://www.secureworldexpo.com/industry-news/fbi-sting-the-...). No need to trick someone into running a malicious Word attachment when you can just wire someone $1M to do it deliberately! And, best of all, you can set this up in a totally plausibly deniable way - the employee just "accidentally" opens that attachment and off you go.

A lot of ransomware operators are on sanctions lists. Paying them is already illegal. The US DoJ might want to check if Colonial has violated any laws in making these payments - and if they have, punishing them to serve as an example could well discourage future ransomware payers. As long as ransomware operators know they can get paid for their work, they're going to keep doing it.

Realistically, ransomware will just never stop until IT systems are sufficiently hardened.
Or sufficiently backed up, right? If you’ve got a backup and quick recovery process ransomware is impotent.
This is by far the cheapest solution.
unless your data is legally required to stay confidential under HIPPA or similar law. Then a backup just keeps you operating but not immune to the threat of data publication.
While the threat of publication is a risk, the data has already been breached and you are no longer compliant with the law.
I wonder if companies still get fined if the data is just encrypted without any exfil
What data needs to be confidential in the case of the Colonial Pipeline?

I'm sure that there's proprietary data. Maybe knowing how much oil / gasoline is flowing might allow some traders to make unfairly informed trades (or maybe not: only inside trading is illegal. If someone figures out the information some other way, its not illegal IIRC).

And maybe employee data should be kept private, but there's no HIPPA requirement on that. Its not like there's payment processors on this thing either, so no PCI compliance here.

So I'm not exactly seeing why backing up data would be an issue in this case.

Not quite. The attacker still got access to the system in some way. They may have a permanent backdoor now and opportunity for messing with your backup operation.
Nowadays the attackers will threaten to disclose the sensitive data publicly, as they did in this case. So ensuring your own access to your data, i.e. backups, is not the only concern. It's still important, of course.
If hackers take the slow route, all backups may be encrypted too. Or at least, compromised.

Also, backups are often taken but rarely is their actual recoverability tested.

And if the penalty for hacking systems for malicious purpose goes up.

Hopefully every member of DarkSide ends up in court if they're US or friendly nation citizens or in Gitmo otherwise

Nah. It will never stop.

The problem is information density.

So long as billions of records that are needed for the business exist in a device the size of a shoebox, we’re fucked. An insider can always take the shoebox, lock the shoebox, etc.

Three stories of paper files in file cabinets can’t be ransomed short of a physical bomb threat.

Don’t know what the solution is. But I do know the problem. Exfiltrarion is similar: the odd quirk of technology that has enabled these massive thefts is the ability to load millions of pages in a few seconds into a thumb drive. Odd pickle we’ve got ourselves into.

Your metaphor works both ways: the ability to fit billions of records in a shoebox means that it’s perfectly manageable to keep another shoebox as a backup, under independent control.
So now there are two shoeboxes. Hasn’t solved exfiltration. In fact, you’ve just doubled the risk.

There may not be a solution if the problem is untrustworthy people.

The custodians of your ‘independent control’ will eventually get ransomwared themselves.

Then what?

It’s like cash... If you are a sophisticated criminal, do you waste time burglarizing individuals? Or, do you rob the bank where the individuals keep their money for ‘safekeeping’?

How many people at Amazon have access to the database other companies use to store info?

2? 20? 200?

I don’t know, but I bet it’s a lot. And I doubt they get paid enough to make them immune to a generous offer (or a scary threat) from a bad guy.

Seriously, how many individuals at Amazon have the ability — if they wanted - to irreparable corrupt, encrypt, or destroy data?

I thought we were talking about denying access to important files. Data exfiltration is a different threat model than what I was addressing.
There is a part of me that would like to go back to the way we dud business before the internet, and computers.

I think three daily encrypted backups mandated by law would be enough to stop the multi-million dollar ransoms.

We will still see companies paying ransom for a business days loss, but not complete shutouts? And infrastructure specific operations, like this pipe line, should be air gapped.

It’s good practice for a cash business to make daily runs to deposit daily at the bank. Stupid to leave cash laying in the till overnight.

Which is why thieves rob banks.

But, money is fungible... if it’s stolen, it can be replaced. If the bank can’t replace it without going broke, the FDIC steps in and, essentially, prints more money to make you whole (up to a point.)

But, data is unique and irreplaceable.

If everyone is backing up to a smaller and smaller number of ‘cloud’ companies, it’s just centralizing the problem... putting everyone’s eggs in one basket.

Some ransomware is time-delayed because of this, so it isn't clear which backup is still untainted.
I think ransomware is the best thing that happened in computer security in a long time.

All these companies keeping lots of people data or even being relevant to national security having completely no incentive to stay secure. Now There is incentive to test their security.

A single person being able to compromise your company when paid a lot is a security issue that needs to be addressed.

This sounds like the kind of argument a ransomware developer would use to delude themselves... or quite a lot like the "Bitcoin is actually good for the environment!" people.
Maybe let's try more substantive arguments than a genetic fallacy.
Wasn't that what Jesus said about Judas Iskariot? To paraphrase: there must necessarily be evil in the world, but woe to the one who makes himself its conduit.
They could have started incentivizing after the Equifax hack. Personal data of hundreds of millions of people spilled over the web, everyone plus their dog gets to monitor their credit report or swap credit cards, yet Equifax still exists, and no meaningful consequences for anyone, including the CEO who sold his shares before the intrusion become public. Why is that even permitted?
I was going to say fine these companies a fair amount if there's a data breach;

But they would just turn around and add their costs on to the consumer.

I'll get hammered for this, but there's a part of me that would like to just outlaw all bitcoins worldwide, and even that might not work unless every country banned them?

To add, I'm pretty sure ransomware groups provide tips on how to beef up security and how they got hacked in the first place.

Like dentistry, you can pay a little upfront for a better toothbrush or you can pay the dentist way more to repair your teeth later on.

I know what you're getting at... but as far as I see it, all it means is that every company i've contracted to lately installs horrifically limiting corporate safety-dreck that ruins your battery and performance, it's really becoming a lot less fun working with computers nowadays. Everything is so slow and limited.
The proper Milton Friedman / Reagan capitalism solution is to let the hacked oil company to bankrupt, wipe out the cap table and then competent new owners can take over for cheap
(comment deleted)
Absolutely this. Paying a ransom should be illegal and company officers should face personal criminal liability for allowing it. If the CEO of Colonial was facing jail time, there is no way the payment would have happened.
I would sooner have security negligence be criminalized as there are a number of products that are critical to the economy and peoples health. Having a companies systems get wiped out can have a monumental amount of collateral damage.
Paying Ransoms should be criminalized as there is far more damage from allowing this to continue then having a few systems wiped and restored from backups.

Not taking steps to have cybersecurity in companies should be criminalized as well... I am a CEO and thinks CEO's should be held directly criminally responsible for this.

Finally, any nation that allows hackers to operate from within their borders should be subject to 100x over damages caused sanctions. Countries without strong governments to enforce this should have direct airstrikes conducted against the individual hackers.

If you think the 100X damages is overkill please reconsider within this framework:

Any nation that harbors international terrorists by not at least attempting to hold them accountable is implicitly operating an outsourced covert activities team. The actions of any such team should be considered representative of that country and thus this would be an act of guerilla warfare.

Nukem from orbit, it's the only way to be sure.
The Obama administration secretly organized an airlift of $400 million worth of cash to Iran that coincided with the January 2016 release of four Americans detained in Tehran, according to U.S. and European officials and congressional staff briefed on the operation afterward.

Wooden pallets stacked with euros, Swiss francs and other currencies were flown into Iran on an unmarked cargo plane, according to these officials. The U.S. procured the money from the central banks of the Netherlands and Switzerland, they said.

To be fair, that was Iranian money in the first place that had been frozen.
It was still a ransom. “I’ll give you money, you release our hostages.”
"I'll give you [back your] money, you release our hostages" -- but that doesn't fit the agenda as well, does it?
I’ll go to prison for some time for being their new CFO. If some cash goes to myself or a close family member after I pay the ransomware as CCO.

Obviously this would be too transparent if done in the span of a week.

I wonder how long you’d sit it out losing money before you paid. I think it’s very easy to talk a big game until you’ve lost many multiples of the ransom with no end in sight. It’s literally just a waiting game for the hackers, they have nothing to lose and everything to gain. So what if you don’t pay, you can just leave them screwed and move on to the next one.
Or if you're running a service which can't wait. Like a medical clinic with no access to patient records.
Or you know people's power, heating, electricity, ability to drive, ability for services to run generally. etc. etc.
>ransomware

I prefer to think of them as bug bounties. Too often, bugs are reported now to bug bounty programs and are either grossly underpaid for the bug's actual value, or deflected as not a real issue at all. Ransomware is ultimately the result. "Fuck you, pay me."

https://www.youtube.com/watch?v=3XGAmPRxV48

Colonial is being widely lambasted for a culture of absolutely lackadaisical security. Call me callous but numerous federal agencies exist to issue security best practices and exploit announcements. numerous vendors also exist. play stupid games, win stupid prizes.

Not paying the ransom would have been tantamount to complete dissolution of the company. it would have tirggered a much wider investigation into the company with shareholders abandoning it as the outage dragged on at the hands of an incompetent leadership.

Unfortunately it seems to have been a Pyrrhic victory as paying the ransom puts their shareholders at risk of serious sanctions and indictment from the US Dept. of the Treasury.

https://home.treasury.gov/system/files/126/ofac_ransomware_a...

You'd damn well hope so. In civilized countries, when you leave the key in the ignition the cops will go after the thieves. The next thing that'll happen is that they'll also go after you because you just made the roads unsafe.

And this isn't a car, this is infrastructure with national security implications. Someone needs to go and do time.

If the US were to be serious about corporate IT security, they'd empower and indemnify DoD, NSA, private industry red teams to pentest against everything with a US point of presence or customers, using commercial available / in the wild methods.

This would have the beneficial side effect of flushing all the incompetent paper-pushers / requirement-box-checkers out of the security industry.

If you're found vulnerable, that's a fine. If something gets accidentally broken in the exercise, that's the price of commitment.

Nothing is going to change until you increase the frequency / likelihood of breaches for these companies. If it's a yearly cost, it gets addressed. If it's a catastrophic possibility, it gets ignored.

The market has already solved this in the form of ransomware groups. No need to have the government do it and issue a fine, ransomware groups literally are doing what you said.

I guess the government could legalize ransomware hacking to encourage it, but that'll never happen.

I'd rather the money and fines flow to the US government, not random hacker groups.
But the hacker groups let me pay in crypto.
They could do it indirectly, by requiring insurance against security holes.
>If the US were to be serious about corporate IT security

What happened to the responsibility of corporations for corporate security? Including corporations that are the victims of attacks, and corporations that sell buggy operating systems and applications?

Why does the government have to provide the red teams? The general attitude is all government agencies are wasteful and incompetent, except in this circumstance where the wealthiest corporations in the history of the world apparently can't spend enough to fix their own crap. But the government not only can but should??

This just sounds like externalizing costs to the public while banking record private profits.

How about rather than subsidizing software corporations we talk about liability laws and fines, like any other physical industry that releases dangerous, broken products. Or an insurance system that is funded by a portion of the profits the software industry makes. Then we're actually making the software vendors feel some pain which will incentivize them to release higher quality code.

“Too big to fail” and investors do not get hurt.

The problem does not fix itself until the investors start truly losing money, the care, unlike the Equifax case. Until the portfolio value cannot go down 90% there is not going to be a change in corporate actionism.

They are starting to lose money, it's 5M$ today, who knows what it'll be tomorrow or how often it's going to happen.
Agree. The govt need not provide the teams as they must compete for talent like anyone else and don't have much to spare.

The govt only has a relative abundance of talent [largely interspersed with its contractors] in highly regulated activites like making nuclear weapons, where private entities don't participate.

One of the functions of the government is to educate and train its population. I think using that function could resolve the shortage or high cost of talent.
Do corporations defend their factories with their own weapons?
Well, they can. Interesting thought.
Biggest global companies definitely have their own mercenaries on retainer. But that’s mostly for international operations on continents like Africa.
I wasn’t aware of this policy. Is it totally apolitical or does the WH need to initiate the sanctions process? Consider the optics of sanctioning the domestic company providing your own country’s critical infrastructure, right after you spend a week discovering just how critical it really is.
> paying the ransom puts their shareholders at risk of serious sanctions and indictment from the US Dept. of the Treasury.

Treasury doesn’t indict anyone, that’s Justice’s job.

> paying the ransom puts their shareholders at risk of serious sanctions and indictment from the US Dept. of the Treasury

This (almost certainly) isn't true. It may put management at risk of sanctions, but shareholders are shielded by the corporate veil.

I say "almost certainly" because in some cases prosecutors can go after shareholders, but this is limited to cases where a specific shareholder is involved in decision making.

https://en.wikipedia.org/wiki/Piercing_the_corporate_veil#Un...

And yet Scripps healthcare in California is going on more than a week of all of their IT systems being down for the same reason and it’s disrupting operations enough that they’re diverting a incoming patients to other providers and a lot of their patients have no way of finding out whether their already-schedules procedures will still happen.

Since healthcare is so heavily regulated it’ll be interesting to see what repercussions come of this. The company has been mostly silent on the matter despite it being severe enough that you can’t even get to their website.

Why is everyone taking the word of colonial pipeline and all this?

I could think of several scenarios where they would want to shut down by making up the whole story. Or maybe even hired the hackers them selves.