42 comments

[ 3.4 ms ] story [ 99.6 ms ] thread
Restore from backup?
as if they have backup hahaha (indonesian here)
Although they do have a backup, unfortunately, it got hacked as well.
Connected storage, then?

That ain't no backup

If it’s not on magnetic tape…
To those reading: 3-2-1 backups: https://www.backblaze.com/blog/the-3-2-1-backup-strategy/

Also, Amazon Glacier is a pretty cool service, and it's incredibly cheap.

Glacier pricing is very convoluted though, although the pricing structure does make it attractive as an absolute last resort https://www.arqbackup.com/aws-glacier-pricing.html
Tarsnap, while optimal for essential, mainline data, it really needs a file-based QoS feature where it can use or migrate to/from cheaper options like RRS or Glacier.
If anyone could make it work it's Dr. Percival, but I wouldn't want to be the one trying to figure out how to avoid astronomical charges for hydrating and transferring data, or accidentally making too many calls.
Cheap as long as you never need to read the data!
They call it “legit ransomware”
Come on don't be like that just look at the quality of indihome and telkomsel they surely have it under control ;)
Backup is encrypted too
Yep. Where it only lives temporarily exposed from an on-prem HSM in some extra-security "no go" caged area, and the the unlock passphrase is split into 2 pieces spread amongst managers and senior engineers.
What if it's a self-hack to make incriminating evidence go away?
Why does everything in the world require a conspiracy theory?
One of these days, people will learn that using data diodes, to prevent egress of control, and multilevel secure operating systems are good things...

but first, offline full backups that get tested.... why doesn't anyone do this any more?

(comment deleted)
Because backups are exceedingly tedious and cost tons of money.

Many people and organizations decide it's cheaper to not spend money against a potential threat or risk, and to their credit it is in fact cheaper.

That is, of course, until the threat or risk becomes real rather than potential. Suddenly you have Lady Luck staring you down at your front door, invoice in hand demanding immediate payment of principal and all interest accrued.

Incidentally, this is why (at least at the consumer level) cloud storage and backups have become so prominent and in many cases forcefed by hardware, software, and service providers: Because it's hands-free and cheap data security for most consumers. Unfortunately, this doesn't always scale to large enterprise organizations.

Back-ups are also not going to save you if the infection is time-delayed.
Then you confused backups for replication and don't understand how business continuity planning / disaster recovery work.
You might have a good backup from say a week ago which is great to recover from but then you still have to sift out what may have been compromised transaction-wise if the attackers were clever in hiding their attack
That's not how reimaging compromised systems and restoring only data works.
I think they mean the scenario where the attacker sneaks in and adds a persistent backdoor / sets up privileged accounts for themselves to use / generally makes themselves comfortable, and then sits on their thumbs for a long period of time before activating the ransomware. If the victim restores from the previous day / week / months backup, the attacker can then sneak right back in and re-exploit whatever vulnerability.

The proposition then becomes "Our last non-compromised (as far as we know) backup is half a year old, can we afford to lose months of progress, or should we just pay the ransom?".

Or perhaps the attacker doesn't have a persistent foothold, but can make a credible claim that they do - do you take the risk? Keeping in mind that every moment you burn investigating and trying to discover the extent of the compromise is another moment you're down and burning money.

You're conflating offsite data backups with some sort of system backups. Then you have to start over with fresh, sterile, secured systems and good data by having multiple, regular data backups. Don't bother trying undo compromised systems because you'll never win that game.
I'm not following. Are you implying that malware can't infect data and remain undetected?
Governments can fund counter-terrorist teams to take out terrorists and bank robbers, and have a whole complicated infrastructure of water to deal with fires, but paying someone to copy files into a briefcase every day is too expensive.
DR/BCP is harder now than it was with cloud storage and SaaS making it more difficult, but not impossible.

Every business-critical system and service, including every user account used, first needs to be inventoried and then inventoried on an ongoing basis.

With that, data can be roughly sized and classified with a business impact analysis - "How much money do we lose if X?".

From that, backup jobs/agents, retention schedules, and other forms of mitigation investments can be made.

PS: It's heartening to see CommVault is still in business.

EDIT: I once bought a FireKing smaller 3-hour data safe and implemented a barcoded LTO GFS policy using Iron Mountain as the offsite vaulting vendor. Sadly, FK no longer make safes for tape media anymore. It looks like IBM/HPE/Quantum LTO-9 tapes and drives are about the only games in town, and around $80 for 18 TB making them half the gross cost of circular spinning rust. Amazon's Glacier uses low-speed circular spinning rust like Facebook does for colder storage.

it's the first time I heard about this concept of data diode. Is it physical ? if yes how does it work ?
Oh yeah[1], it's a simple concept... a single directional optical link. Laser --> Photodiode.

You set up 2 servers on either side of it, and you mirror the data across the link, repeating the state of the buffer with forward error correction.

A typical use would be to allow remote monitoring an industrial control system, collecting logs, etc. The data diode assures data can egress, but control can never ingress.

[1] https://en.wikipedia.org/wiki/Unidirectional_network

I wonder if they do not have a contingency plan for this kind of scenario.
$8M seems rather small for a country of such a size.
Do you GDP?
I hear it doesn’t matter anymore
> According to the president, Indonesia's central and regional governments together operate a fleet of 27,000 apps, many of which overlap or aren't integrated.

!?

I'm guessing lucrative contracts are handed out to well-connected people for app development, most of which aren't used.
Population of 280 million. So about 10k users per app... Not actually that weird if you think of scale.
As an Indonesian working as a software developer, I can say that integration is more akin to a jargon than something actually planned and properly implemented here in Indonesia. The apps number continue to grow because almost every time the head of an institution changes (on whatever level it is), the new one would be more likely to create a new app from scratch as a form of achievement.
I thought they'd just make new apps because the previous vendor lock-in made it too expensive to modify it.