38 comments

[ 4.4 ms ] story [ 100 ms ] thread
It's a war and most haven't even noticed. So far Western governments aren't actively forcing anything but are merely reacting. And so they're always at least a step behind.
> aren't actively forcing anything

You mean like a worm destroying Iranian PLCs?

That wasn't just the USA, and it turned into a boondoggle which embarrassed the perpetrators and gave the appearance that targeted cyberattacks were high-cost/low-impact.

I suppose that it is a diplomat's job to appear stupid until they have stolen your shoes, but I'm not sure anybody can act that well. My confidence in the West's ability to perpetuate an offensive cyber war is pretty low. Our main advantage is the quantity of servers/data that reside in/flow through our borders, but that's not too hard to dodge. Cryptocurrencies also erase the hammer of losing access to US financing.

The Iranian government is not a significant source of ransomware, to my knowledge, so I don't see how that's relevant at all.
Stuxnet was/is a worm that attacked air gapped PLC systems at Iran’s Natanz nuclear enrichment facility. It was the most sophisticated piece of malware ever discovered, allegedly by US/Israeli operatives.
How would we even know if they were acting, though? It's not like they're going to broadcast all the security steps they're taking. Just because we don't hear a strategy doesn't mean there isn't one.
The targets of those attacks are large numbers of private companies whose IT employs many of HN subscribers. If something was being done by the government to fix (or, more likely, mandate fixing) those networks, this community would see it.
The war is just beginning... they need to unplug critical systems even if a dropped USB stick could circumvent that.

Someone I know was happy because he could do his job remotely... controlling an hydroelectric plant... (that should not be possible).

How on Earth do you react with reasonable latency if you're N milliseconds away from all sources of truth, and or on a residential-class Internet connection without all kinds of SLAs?

That's a security problem in and of itself.

Humans don’t react on those timescales. These systems where operators are doing things remotely have low latency things for any automation. It’s the “management” interface we’re talking about here.
>So far Western governments aren't actively forcing anything

What would you call the regular use of sanctions or the recent "trade war" with China?

I don't agree with the statement that criminal hackers mean we are at war, but if you consider that kind of damage war the US has been an aggressor for years.

Remember 6 months ago when Christopher Krebs insisted that DHS had successfully protected US infrastructure? Since that time, we've discovered the Solar Winds breach which had gone on for 9+ months and then the Colonial Pipeline. And those are just the ones we know about. :|

However behind/compromised we think the US Feds+private infrastructure is, seems like it's even worse.

> Remember 6 months ago when Christopher Krebs insisted that DHS had successfully protected US infrastructure?

I remember his statements about election integrity specifically, but not a general one about infrastructure... what was his statement exactly? Protected what against what?

Krebs didn't say anything about infrastructure. He said:

> Chris Krebs: I have confidence in the security of this election because I know the work that we've done for four years in support of our state and local partners. I know the work that the intelligence community has done, the Department of Defense has done, that the FBI has done, that my team has done. I know that these systems are more secure. I know based on what we have seen that any attacks on the election were not successful.

https://www.cbsnews.com/news/election-results-security-chris...

Based on op's post history this is some odd attempt at turning a thread about infrastructure security into "the election was stolen" nonsense. I doubt you'll get a response because there appears to be 0 evidence to back up that claim.

No, I don't believe and have never promoted that the election was stolen. Paper ballots - as noted by Krebs - are a great audit trail.

I believe DHS Cybersecurity didn't know - and still doesn't know - the depth and severity of what's going on or even how to get a handle on it as evidenced by the last year+. Therefore, when that agency makes a claim, we should be skeptical until there's evidence otherwise.

>Therefore, when that agency makes a claim, we should be skeptical until there's evidence otherwise.

"I'm not saying the election was stolen, I'm saying we should investigate whether it was stolen" is a tired and repeated talking point. This has been investigated exhaustively and in every instance the system worked exactly as it was supposed to. Continuing to cast doubt without a shred of evidence quickly ventures into the grounds of morally questionable behavior.

You also have failed to provide any quote from Krebs to backup the original claim. If you want people to assume you're acting in good faith, this isn't the way to go about it.

> This has been investigated exhaustively and in every instance the system worked exactly as it was supposed to.

It has? The vast majority of court cases were thrown out on procedural issues, not basis of fact.

If there was nothing to see, there wouldn't be near the fireworks over the audit in Arizona as is currently happening :p

>It has? The vast majority of court cases were thrown out on procedural issues, not basis of fact.

If by "procedural issue" you mean a complete lack of evidence, I suppose?

https://lawandcrime.com/2020-election/rudy-giulianis-disgrac...

>If there was nothing to see, there wouldn't be near the fireworks over the audit in Arizona as is currently happening :p

There are fireworks in Arizona because of the way the recount is occurring with massive gaps in normal procedure. All of the things we have learned over the years and put in place to ensure there is no fraud, are being completely ignored for the recount. In other words: the recount is introducing gaps that would allow fraud to occur that never existed during the actual election. If you wanted to be assured that the original tally was correct, this is literally the exact opposite of what you're asking for.

>One of the biggest red flags for her, she told me, came not during the counting, but afterwards, when workers entered the aggregated total tallies from counts into computers. Morrell was deeply worried that there was only a single person responsible for entering the data and no one to check that they weren’t inadvertently entering a wrong number or accidentally switching the candidates.

>“There’s nobody verifying that what they entered was correct. There’s no reading out. These are things that you would typically see in an election office whether they were doing an audit, recount, where you want some sort of quality control mechanism in place,” she said.

https://www.theguardian.com/us-news/2021/may/13/arizona-audi...

It doesn’t seem like it’s worse for anyone in the industry. It’s readily apparent to see how underfunded cyber security departments are. Doesn’t take a genius to figure out that a single man hired for the entire department isn’t going to do an adequate job.
Not to mention all the recent attacks on hospitals.[1] My local hospital's electronic patient records systems were down for literally a month[2] after a cyberattack.

You can probably imagine how disruptive that is when it's the largest hospital in the state. Sorry, but we lost everyone's prescription information! We can't look up anybody's drug allergies, either! I guess we'll just have to guess the details of what treatments our current dialysis and cancer patients need? It was quite the mess.

[1] https://newsroom.ibm.com/2021-02-24-IBM-Security-Report-Atta...

[2] https://vtdigger.org/2020/11/23/a-month-after-cyberattack-uv...

That amount of downtime isn't acceptable. Modern incremental backups should protect against ransomware at least.

Out the box solutions are expensive, but it would have been the good investment for this downtime alone.

It’s pretty trivial to setup Postgres with very high frequency wal shipping to append-only S3 which gives you point in time recovery and prevents your data from being ransomed.
As with all forms of backup, it's difficult to do retroactively.
>Remember 6 months ago when Christopher Krebs insisted that DHS had successfully protected US infrastructure?

No, maybe you should edit your post by linking to what you’re referring to. Seems like a broad claim to make.

No words on whether SolarWind was install on electronic ballot machines.
You can assume electronic voting machines were compromised.
They were compromised. Look up what a certain agency does to foreign nations.

One of the funniest things I heard in awhile is when Kreb's said the election was the 'most secure history'

Let's see some proof for that claim.
Default password is still “SolarWind!23”.
Good news is that most ballot machines have been updated to print paper receipts or are simply scanners.

And the machine results were audited by a hand count, in some cases a full hand count (e.g. Georgia), and shown to be accurate.

You can accurately count invalid ballots all you want - still doesn't mean the votes mean anything.

Witness all the fireworks that suddenly explode onto the scene when signature validation comes up.

Case in point - Gavin Newsom suddenly got really concerned about signature validation - but only for his recall election :p

“Invalid ballot” allegations you’re talking about have nothing to do with machines or hacking. Those are physical ballots.

The absentee ballot envelope signatures in Georgia were hand-validated by staff. The results were then audited by another hand validation by different staff later and found correct. https://www.thegeorgiasun.com/2020/12/29/georgias-signature-...

Regarding signature validation on ballot petitions, that’s a normal part of petitioning. The process for gathering petition signatures is very different from absentee ballots and usually results in the collection of a lot of invalid signatures in every political cycle (either real people who signed but accidentally broke some obscure rule, signed multiple petitions, etc, or just fraud on the part of the paid petitioners who are paid based on the number of signatures they gather).

Companies doing business, at least with the DoD, are already required to report: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204....

What the hell is the government going to do? The government can't even protect it's own systems, they sure as hell aren't going to be helicoptering in to save some power company from malware...

> What the hell is the government going to do?

I can't help but think - if a person has a car accident with more than $500 (?) damage, they're required to report it. The government doesn't have to take action on anything, but it can. Also insurance companies.

Insurance companies require reporting already, also. And many of the companies getting nailed have insurance, which is, in some respects, driving the increase: companies get a 'free' payout for the ransomware.

If you get physical shit stolen, and buy it back, do you have to report it?

Of course DHS isn't getting good reporting. If you report a break-in or a vulnerability to DHS, they don't do much.
Slightly off-topics but I'd like to know if there is some kind of turn-key solution for small business or home use which uses a Raspberry Pi with attached USB HD, that connects to other PCs via the network and pulls the files to be backed up. The idea being that the Pi and the HD themselves are never writeable from the outside and thus can't be encrypted themselves, 1) if using some suitably long retention time for older backups and 2) some kind of semi-smart monitoring system that can give warnings like "Hey, your data changed a lot suddenly. Might wanna have a look at that".