Irish health service hit by cyber attack
bbc.co.uk
I have a feeling there is a very short security-hygiene checklist that, if followed, could prevent the vast majority of the ransomware attacks that we have seen in the last few years.
* Keep all systems up to date with the latest patches.
* Have a DR plan and test it regularly.
* Make frequent backups, verify them, and keep them offline.
Historically organizations have been so bad at backups that the advice has been to automate them as much as possible, to try to ensure that a recent backup at least exists. But I am increasingly of the opinion that the next level of backup maturity is to dial back on the automation and invest manual effort in airgapping the backups.
Fully automated backups are necessarily part of the software attack surface.
If you have to hire more ops people to rotate tapes by hand every day, that will have to be a cost of doing business safely.
It looks like the majority of recent ransomware is stealing and publishing private data, instead of blocking access to data. So DLP-like solutions are required in addition to posture management.
I would like to also add: A system to lower privileges based on last use.
Companies often have IAM/ssh/keys all over the place. If you centralize things to IAM you can lower permissions based on their last use. E.g. a frontend dev needs access to GCP to configure things in Firebase. This frontend developer hasn't used these IAM permissions in 3 months. This person's IAM permissions should automatically be removed.
Probably one of the easiest yet most powerful things to implement in cloud sec ops AND probably never done.
https://cloud.google.com/iam/docs/recommender-managing
Example script to automate it: https://github.com/james-ransom/auto-apply-gcp-iam-recommend...
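The last-use rule from the comment above, as an added example that is not the linked script or any GCP API: bindings whose last recorded use (or, if never used, grant date) is older than 90 days are planned for revocation, with an explicit exemption list for break-glass accounts that are supposed to sit idle. The binding records and field names are constructed; in practice the usage signal would come from something like the IAM Recommender the comment links to.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed data model: one IAM binding (principal -> role) plus the usage
# signal a platform reports for it. Field names are hypothetical.
@dataclass(frozen=True)
class Binding:
    principal: str             # e.g. "user:frontend-dev@example.com" (constructed)
    role: str                  # e.g. "roles/firebase.admin"
    granted: date              # when the binding was created
    last_used: Optional[date]  # None = no recorded use since it was granted

MAX_IDLE = timedelta(days=90)  # "hasn't used these IAM permissions in 3 months"

def is_stale(binding: Binding, today: date, max_idle: timedelta = MAX_IDLE) -> bool:
    """A binding is stale when its last use is older than the idle window.
    A never-used grant ages from its grant date, so it is not kept forever."""
    anchor = binding.last_used or binding.granted
    return today - anchor > max_idle

def plan_revocations(bindings, today: date, exempt=frozenset(), max_idle=MAX_IDLE):
    """Return the bindings to remove, skipping explicitly exempted principals
    (break-glass accounts are expected to be idle). Pure function: the caller
    decides whether to apply the plan or only report it (dry run)."""
    return sorted(
        (b for b in bindings
         if b.principal not in exempt and is_stale(b, today, max_idle)),
        key=lambda b: (b.principal, b.role),
    )

def demo():
    """Constructed scenario evaluated on a fixed date."""
    today = date(2021, 5, 14)
    bindings = [
        # Frontend dev configured Firebase once, then went idle for 102 days.
        Binding("user:frontend-dev@example.com", "roles/firebase.admin",
                date(2020, 11, 1), date(2021, 2, 1)),
        # Backend dev used the role 4 days ago: keep.
        Binding("user:backend-dev@example.com", "roles/cloudsql.client",
                date(2020, 11, 1), date(2021, 5, 10)),
        # Contractor was granted viewer 119 days ago and never used it: stale.
        Binding("user:new-contractor@example.com", "roles/viewer",
                date(2021, 1, 15), None),
        # Break-glass owner is idle by design: exempt.
        Binding("user:breakglass@example.com", "roles/owner",
                date(2020, 1, 1), None),
        # Recently granted, not yet used, still inside the window: keep.
        Binding("user:ops@example.com", "roles/compute.admin",
                date(2021, 4, 1), None),
    ]
    exempt = frozenset({"user:breakglass@example.com"})
    return [(b.principal, b.role) for b in plan_revocations(bindings, today, exempt)]

if __name__ == "__main__":
    for principal, role in demo():
        print(f"revoke {role} from {principal}")
```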
It's easy to be healthy, just eat right, exercise more, sleep enough and lower your stress levels. Tadaa! The secret to being healthy!
You are both correct and incorrect. By following simple procedures you can likely stop the majority of ransomware attacks that have occurred recently, but that is because most of the ransomware attacks were likely done with a budget on the order of $1k-$10k since that is all you need to get a $1M payout from these organizations. No point in running a mission impossible style attack when walking in the front door works just as well.
The problem is that they are getting $1M payouts on a $10k budget. That is a staggering ROI of 100! If you could magically improve the security of every system on the market by 1000% you would wipe out the current forms of attack, but it would still be insanely profitable to run $100k attacks to get $1M payouts. To actually stop attacks from continuing to escalate exponentially at their recent pace of >100% per year that any VC darling would be proud to achieve, you need to make it cost more on average to attack than they can get.
We are literally orders of magnitude away from that in the average case at current returns. And even worse returns per attack keep escalating. Just 4 years ago during WannaCry the ask was $300 per computer which can be a painful chunk of change for an individual which is who most ransomware attacks were targeting before, but nothing for any company. They were attacking companies for ~$10k payout and still making enough money to expand their operations doing it.
As the focus has moved to industry the payouts have increased exponentially since there are many companies whose operations are so valuable that they are willing to pay millions or tens of millions or even hundreds of millions per day. At those payouts there are 0 commercial IT systems that can make attacks unprofitable. So, when those attacks become the ones with the best risk-adjusted ROI you better believe they will occur. And when the attackers have a $10M budget simple defenses and techniques that worked on $10k attacks will not work because the attackers will have literally 100,000% more resources at their disposal in much the same way that defenses that work against a rock thrown at 10 m/s do not work against an ICBM traveling 1000x faster at mach 30.
So yes, simple mitigations would stop the simple successful attacks now, but do not solve the actual problem that it would still be profitable to attack even if they were all implemented everywhere since payouts are so much higher than cost.
To be honest, it seems like a lot of part-time hobby projects created by single engineers have better security practices than whole government agencies.
And there’s a good reason for that - security is a human activity as well as a technology, and the more people involved in an organization, the greater the opportunity for miscommunication and diffusion of responsibility.
It’s easier to get it right when you can put your arms around the whole thing.
Very good points. I would add these as well.
There is another facet to all of this. Money. Just plain old money. It takes time and money to buy and maintain this sort of software.
The 'hobbyist' also has plenty of time and access to the tools. Whereas an org may only have so much budget for it. Which in effect restricts time to do it, and or how many people you can pay to do it. Also depending on the org you may not even have access to the correct tools and documentation.
From a pure user 'end point' usage the security stuff is either in the way or 'just works'. Fixing security is background and does not get you anything new. So it often gets forgotten or downgraded in a budget game for something more shiny as the user lets out their inner Veruca Salt.
Can't speak to the HSE specifically but when I see government jobs come up the pay is vastly lower than private sector.
The Critical Security Controls [1] are a good place to start. Alas, it's neither free nor necessarily straightforward to implement them - which is why breaches persist.
I would like to add a couple of ideas to the list.
* Also ensure your Production and DR do not use the same automation, or that there is full segmentation in your automation so that if automation goes sideways, or is compromised, your Production and DR are not simultaneously blown away or encrypted.
* If you can't keep backups offline, at least write them to a write-only destination and/or have an enforced vaulting policy that keeps {n} copies in multiple locations and can't even be deleted by super-users. Deletion must require multiple VPs using MFA to log into a thing and "turn a key" so to speak.
I typically work in situations where the entire data to be backed up (file storage, database) is on the order of 10-100Gb. The projects I’m working on don’t fit the high profile of a Colonial but I’d rather err on the side of safety.
Is there a service that could regularly fetch data from s3 or even connect to postgres, and regularly send a physical copy of the data by mail?
Does it make sense to offer airgapped backups as a service to smaller companies? Over mail?
Why not just buy a tape drive and a few tapes? They are offline and air gapped the moment they are out of the machine and, if you have a small company, they can be stored in the owners house.
That gives you quick retrieval of off-site backups.
The only reason I haven't done something like that for all my personal data is that tape machines are terribly expensive. Tape drives are pretty cheap.
Yeah, that definitely sounds reasonable.
I was hoping for something SaaS-like that would be automated (so that an external company would be responsible to not forget to do the backups) and no entry cost. As you say, tape drives are expensive.
I was starting to imagine how automatable it would be to have machines that downloaded and encrypted data, and small robots popping 128/256Gb (up to 1Tb) SD cards in and out, and even dropping them in envelopes with labels automatically printed out. Then the envelopes would be dropped into a chute as the outgoing mail :)
One obvious issue is that a 128GB card is about $30, so sending one every day would be too expensive. And if you sent one once a week that would mean up to 6 days of lost data.
Then there’s the issue of having access to so much customer data — this imaginary backup company would itself become a potential liability if it was hacked.
Would small companies even be interested?
To clarify: a tape reader is about 5k, a tape is cheaper than a hard drive at the same storage capacity and can be stored for a long time without issue.
If you use mail consider if your restore time will be less than your acceptable down time.
This can be avoided by offering a same-day backup restoration engineer deployed on-site with your last X backups? In fact, this sounds like exactly the kind of thing my managers would want.
> dial back on the automation and invest manual effort in airgapping the backups
Can we please call it The Department of Redundancy Department?
Jokes aside it seems that the DR, backups, and system images (i.e. installation including patches) that you mention are all related and it could make sense to dedicate a role or team to it. We split out things like networking and security into their own teams when we want them to be taken seriously.
Complete, tested tape backups would cure many, many ills. They're out of fashion, but..
The bigger IMO problem with ransomware attacks isn't necessarily that they're holding your data hostage, it's that they can and will publish it. You might be able to tell them to kiss your ass because you have backups, but then they'll publish that information. It's a bit more of a rock-and-a-hard-place situation than most people realize.
Eh. From my understanding the people that pay do fine. As sick as it is, these crews following through is good for business. These crews are making tons of cash. If word gets out they don't unencrypt and do publicly publish - people will just stop paying: period. Hell. Some of these crews have a help desk. [1]
https://www.macworld.co.uk/cmsdata/features/3659100/how_to_r...
This is a public health service. It's paid for out of taxation.
Which if you pay the ransom, means also relying on the word of the people that are actively extorting you.
Scary, scary place to be. Especially for a health service.
> Which if you pay the ransom, means also relying on the word of the people that are actively extorting you.
As weird as it sounds, reputation matters for these guys. If you have a track record of taking the money and publishing data anyway, no one is ever gonna bother paying you in the first place. Why would they? Your data is gonna get published no matter what, may as well save the ransom money.
You can flip it around (if you're a pessimist):
This seems like a stable equilibrium.
1. If you *don't* pay, then you know bad things will happen.
2. So you might as well pay, regardless of their reputation, because your chances are strictly better even if they are nearly nothing.
3. Knowing that, there is no incentive for them to maintain a reputation by honoring the ransoms.
Tape backups are ok but still mean significant operational downtime because recovery from tape is slow. This is better for long term data storage than rapid recovery.
For recovery, you need more accessible backups. And to test your backup plan.
The time to restore from backups after a ransomware attack is more about figuring out how they got in and closing any back doors then cleaning out the existing systems, applying the latest security updates etc., rather than actually restoring the backups from tape or whatever.
The last thing you want is for your backup to restore whatever back door they installed a few weeks before they launched the actual attack, or to leave the unpatched system (or whatever it was) open and immediately have the attackers encrypt all your files again.
High end tape reads sequentially faster than a typical spinning HDD, so it should be possible to design for rapid full restores. Rapid restores of specific files (e.g. to recover from accidental deletion) would be slow from tape though, so are probably best served by online snapshots rather than the DR backup.
I would be amazed if the Irish health service had advanced beyond tape storage. I mean primary storage. (I'm Irish btw)
A lot of these articles don't actually mention specifically how the systems were compromised.
Was it a malicious email attachment that propagated through unsecured networks or outdated OS versions? And what data was encrypted? Are we talking regular excel files or actual databases?
It would be interesting to have some more detail or case studies so others could know how to fortify infection points and limit the blast radius of their own systems.
So I don't have details on this specific case, but I did work in cybersecurity and can comment on the vast majority of similar cases I saw, including some which made the front page. Every single one I remember came from unpatched OS vulnerabilities for which the patch was already available.
Regular patching is necessary hygiene for corporate IT, but often the department is understaffed, or frankly told by management to prioritize shiny things instead.
Most corporate machines aren't directly on the internet though... How do attackers get through corporate firewalls to access said unpatched machines?
I would guess the easiest way is to phish a login to the corp VPN or to send an email with a malicious attachment to give the attacker something inside the corp firewall as a place to start their port scan of the internal network and begin their attacks.
MITRE's ATT&CK [1] matrix is a great resource for describing incidents like these. To answer your question, it is a combination of Initial Access and Lateral Movement techniques that depend upon an attacker's aims. They're by no means the only activities involved of course.
Missed patching on what, is my question. Windows, MacOS, Linux, routers, servers, networking, etc. - what exactly is being attacked? Sure you should patch everything, but clearly something is being attacked more than others.
We don't usually get those details published in the case of events, but as someone who's seen more ransomware than I want to admit to, nearly every case comes down to either a word macro, or a .js file inside a zip file. Both of which are easily blocked with a GPO.
These guys do a lot of honeypot writeups that are pretty consistent with my experience: https://thedfirreport.com/
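The two attachment patterns the comment above names, checked on the gateway side as an added example (not the commenter's GPO rules or any product's code): script files inside a zip, and the vbaProject.bin part that only macro-enabled Office documents carry. The sample attachments are constructed in memory and the extension list is an illustrative default; nesting depth and member size are bounded so a crafted archive cannot exhaust the scanner.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows executes on open (illustrative default list for this example).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".cmd", ".bat", ".exe", ".scr", ".lnk"}
# Office Open XML part that exists only when the document contains VBA macros.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Members that are themselves zip containers and are worth descending into.
CONTAINER_EXTS = {".zip", ".docm", ".xlsm", ".pptm"}
MAX_INNER_BYTES = 20 * 1024 * 1024  # refuse to unpack oversized nested members

def scan_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return findings for a zip-like attachment: scripts by file name, macros by
    Office structure, recursing into nested archives a bounded number of times."""
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (or deliberately malformed): nothing to report
    names = zf.namelist()
    if any(n in MACRO_PARTS for n in names):
        findings.append("office-macro:vbaProject.bin")
    for info in zf.infolist():
        ext = PurePosixPath(info.filename).suffix.lower()  # case-insensitive (README.JS)
        if ext in SCRIPT_EXTS:
            findings.append(f"script:{info.filename}")
        elif (ext in CONTAINER_EXTS and depth < max_depth
              and info.file_size <= MAX_INNER_BYTES):
            inner = scan_zip(zf.read(info.filename), depth + 1, max_depth)
            findings.extend(f"{info.filename}>{f}" for f in inner)
    return findings

def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed zip in memory (sample input, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed attachments: the two cases from the comment, a nested variant, and a clean one.
SAMPLES = {
    "invoice.zip": make_zip({"invoice.js": b"// constructed placeholder, no real payload"}),
    "report.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w/>",
                             "word/vbaProject.bin": b"\x00"}),
    "nested.zip": make_zip({"inner.zip": make_zip({"setup.js": b"//"})}),
    "clean.zip": make_zip({"report.pdf": b"%PDF-1.4"}),
}

def scan_samples() -> dict[str, list[str]]:
    return {name: scan_zip(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {'BLOCK ' + ', '.join(findings) if findings else 'allow'}")
```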
My guess is that it's not mentioned because they don't know (yet).
A lot of places that get crippled by ransomware have outdated or underfunded IT departments (health care is particularly bad at this), so that kind of insight is barely on the table at the best of times.
Even when a postmortem is eventually done, companies don't want to have to admit the attack could have been prevented, or at least minimized, with better investment in security.
The media are keen to cover the story ASAP. It can take some time to do an investigation.
I had a hospital appointment this morning, physio said that the attack happened in one hospital and all IT systems were shutdown to prevent it spreading. They were back to paper to manage all appointments. She said the big issue was bed allocation, live count of available beds no longer available and people running between different departments to see if people can be admitted and/or ringing other hospitals to find available beds. Luckily ambulance and COVID vaccination systems not impacted.
Ransomware: Another great "feature" of difficult to trace digital currencies.
Ransomware: another great feature of cryptography.
The crypto-revolution and its consequences were a disaster for the human race...
What specifically do you mean by the crypto-revolution?
It's a reference to the Unabomber's Manifesto
Christ..
I have always understood that all payments were traceable with digital currencies. Am I wrong?
Not all cryptocurrencies but it's true for something like Bitcoin. The problem is you can trace the transaction to the attackers wallet, but where does it go from there? It might sit there, they might throw the money in a tumbler, maybe they sell it for cash... If or when it shows up in a KYC-compliant exchange it could have changed hands many times already and it might not be possible to say anything about the actual criminal at that point.
So it's up to the individual to make sure they're not accepting dirty money. Shouldn't be hard to write software to accomplish that. The exchanges can do it --- flag incoming dirty money. Average users don't accept btc from strangers as a payment for goods or services anyway.
Yes, but for example when you use a tumbler (mixer) the whole idea is to receive random coins back. Also you cannot rely on everyone to know and care about this. And not all dirty money is publicly known anyway. So there will always be ways to get rid of dirty BTC.
The non-fungibility of bitcoins can be seen as an advantage or one of its largest flaws, depending on how you look at it. Either way it's the reason quite a few people have switched to Monero and other completely fungible coins.
>Shouldn't be hard to write software to accomplish that
There are startups offering exactly this as a service already.
Apparently the traceability of digital currencies is proving effective in tracking down criminals that might otherwise operate in just cash.
Cryptocurrencies are what allows criminals to scale these attacks. They also significantly decrease the risk of getting caught, compared to accepting cash in a briefcase.
I’m not sure what point you are trying to make.
I'm saying the traceability/digitalization is a double-edged sword.
So, did they get the people that r'wared the US pipeline then?
Infosec Twitter this morning seems to imply that perhaps they did.
https://twitter.com/hashtag/REvil?src=hashtag_click&f=live
Caveat that this world is full of rampant speculation and lies so take it with a grain of salt. ;-)
If they haven't yet, give it a little time. Fucking with US oil supplies is a really good way to get the opportunity to feel the full engine of US intelligence and military might.
Ransomware: Another great "feature" of computers.
Said the medieval King:
Ransom: Another great "feature" of difficult-to-trace personal gold coinage
What you're actually saying is:
Bad thing: Another great "feature" of any kind of positive development in personal sovereignty
Or
Bad thing: Another great "feature" of any kind of progress
---
Progress comes with pitfalls. Sharp knives prepare food and also kill people.
Your argument effectively reduces to: never innovate.
Your argument reduces to: "progress" is always good, even if it's bad.
I think we're perfectly allowed to discuss whether we think a particular kind of change is a good or bad thing.
I'm not making an argument "for progress" at all. I actually 100% agree that we are allowed to, and should, discuss the ramifications of any kind of change.
My point is only that the original comment didn't attempt to make any argument, other than the reduced one I outlined.
That's not really a reduction... more of a random association to a generality you feel strongly about.
You "reduced" difficult to trace digital currencies to "any kind of positive development in personal sovereignty."
No need to keep defending a mistake. Just reread your own comment and the OP's. Respond to the comment itself, not other discussions you've had on the topic. If you think the argument implies something you disagree with, make the connection. Don't just assert that the argument reduces to this. Besides being mistake prone, it's unfriendly and unproductive.
I've made plenty of comments myself that I don't/shouldn't stand behind, in short retrospect. I suspect this is one of yours. Minor foul. Happens. Shake hands and make good.
I genuinely appreciate your comment and the direction it provides - it's rare to see this when people disagree.
When re-reading the OP's comment just now, I just can't interpret it any other way other than "see! crypto bad". Maybe I'm missing something.
I'd accept that my responding, effectively in-kind ("see! your position bad"), isn't particularly useful other than potentially alerting them to the fact (my intention), and I'd no doubt do better to provide some examples of benefits at least (as I see the current top-voted reply did, that is otherwise identical to mine).
My admission of that however, does not indemnify the original commenter - at least, in terms of my interpretation of their comment, which is really all I can be responsible for.
Cheers mate.
The original comment linked ransomware to crypto, which isn't too controversial. There are good things about crypto, which may outweigh that... certainly discussable.
Personally, I don't see either point as representing the most substantial positive or negative of crypto... so I don't really have a dog in this one.
No need to indemnify or vilify anyone. It's perfectly ok to hold any of these views. It's also fine to make an unconvincing argument... it just may not be convincing.
But they did. They said that digital currencies are difficult to trace and lead to an increase in ransomware. The closest thing to a response you made was "Progress comes with pitfalls".
> You argument effectively reduces to: never innovate.
You chose to reduce it to that. There is no need to reduce every argument to its black and white extreme, although that is the easiest interpretation.
Bitcoin in particular requires truly ridiculous amounts of compute and has made hacking a far more profitable enterprise than before.
There are already digital currencies tackling the first problem, the 2nd could potentially also be solved.
So a more charitable interpretation might be, more innovation is needed to get digital currencies right.
What does your argument reduce to, assuming someone who disagrees does the reducing?
This was done before crypto currencies.
But it only became a serious problem because of them.
Ransomware: Another great "feature" of non-backdoored encryption.
See how silly you sound?
That's malware, not new.
The ransom part, at the scale possible with cryptocurrency, is new.
Those who sound "silly" are the ones elaborately pretending that this formerly obscure class of electronic extortion didn't suddenly explode into an epidemic with the concomitant rise of cryptocurrency.
True, though arguably it's a good thing. In the sense that it moves more of the costs of malware to the organisations that are meant to be securing the data. Previously, these costs were more borne by customers/clients/etc, and thus not taken as seriously - abstract costs and externalities.
Putting a clear number on the cost of poor cybersecurity should push more organisations to actually do something about it.
No. Mugging is not "good" because it incentivizes people to take karate classes.
What an inhumane and cynical take.
Theft was happening anyway via malware, it's just fewer of the costs were being borne directly. And as data collection increases, those indirect costs are getting higher.
Now the organisation has more to lose at first pass, rather than just data subjects.
This is what-about-ism. There are valid reasons for strong encryption, e.g. protecting the very data that has been compromised here.
It is not a whataboutism; it's a reductio ad absurdum.
For those concerned about privacy violations, this should be rammed home as an argument against centralized collection of medical health data.
I believe that if all health records leaked tomorrow, the world would end up a better place.
Sure, someone might get more expensive insurance quotes or made fun of for having ADHD, HIV or acne treatment...
But I think that would be outweighed by the health benefits of combing the data for correlations and causations that have been unidentified in the past. Being able to shut down things that are poisoning millions of people, but to such a minor extent it isn't immediately obvious, would have a big benefit for society.
> I believe that if all health records leaked tomorrow, the world would end up a better place
Let's say I'm a Saudi National, who worked in the United States. While there I disclosed to a doctor that I'm gay. I return to Saudi Arabia. This document gets leaked. How exactly does this make the world a better place?
Summary of possible outcomes:
https://en.wikipedia.org/wiki/LGBT_rights_in_Saudi_Arabia#Su...
Notice the first line:
Same-sex sexual activity: Fines, prison time up to life, and capital punishment.
How does this refute OP's point? He proposed that the benefits outweighed the downsides, not that there weren't any downsides. Your point is that there are ultra-low frequency, high salience risks. This doesn't speak to the argument at all.
> He proposed that the benefits outweighed the downsides
I thought it was self-evident. Killing someone innocent for the good of others is never acceptable; people are ends in themselves. This is a general precept in most ethical systems with the notable exception of Millian Utilitarianism. To be clear, I am not making an argument against justifiable self-defense, as that is almost always accepted as a different kind of situation.
Example: we allow people to be killed for the good of others as long as their death allows the survival of more people. This is the poster's argument distilled. As such, it would be morally justifiable to kill random people for their organs, as one person contains enough organs to keep dozens of people from dying. If you need a liver, and your neighbor needs a spleen, then there would be nothing wrong about abducting the first person you see, butchering them, and taking what you need.
This argument is essentially that we should allow people to be killed, harmed, maimed because the number of people it helps would outnumber the number of people harmed. They are the same argument. They both treat people as means rather than ends.
There are many nations in the world where you can be brutally killed for being gay, or any number of other things which shows up in medical records. If we include imprisonment, the number rises. The cost isn't just "some people might get embarrassed". It's a lot more like "hundreds of thousands of people will be brutally murdered by others or their state".
The argument is that it saves more lives than it kills.
>Killing someone innocent for the good of others is never acceptable
You make this trade off all the time by e.g. not giving all your money to charity.
>The argument is that it saves more lives than it kills
Which I've said is unacceptable. If anyone dies as a consequence of this, it's not acceptable. That's my response to that argument. Their position is "the good outweighs the bad" and mine is that "the bad is not the sort of bad that can be counter-balanced", or more clearly "no, it does not".
> You make this trade off all the time by e.g. not giving all your money to charity.
This is a completely nonsensical, borderline facetious argument. This is equivalent to saying that by sleeping at night rather than going out to help the homeless, I'm killing people. Or that standing still and not acting is killing people. To kill is a violation of an individual's inherent right to life. It is the result of an action of an agent. It is not, however, a violation of someone's inherent right to life not to prevent their death insofar as I have not caused their death. For instance, if I have a life preserver, I have not killed you by keeping it for myself, but should I have taken it away from you, then I have.
Clearly there's a difference here. The active action of releasing a medical document is the proximate cause of the harm, therefore not allowable. The first event is strictly necessary for the second.
Me not donating money to prevent someone's rights being stripped is not the proximate cause of the wrong doing, therefore not subject to ethical calculus. There is no strict necessity given this lack of causality. The action which is subject to ethical calculus is the proximal cause of the deprivation of the individual's rights. That which is strictly necessary for the consequence is all that can be reasoned about.
>If anyone dies as a consequence of this, it's not acceptable
Right, then you are just down some bizarre philosophical rabbit hole if you truly believe that.
Under this logic policing is unacceptable, vaccine research is unacceptable, driving a car is unacceptable, etc.. They all make trade-offs between number of deaths caused vs. some benefit (sometimes lives saved).
> you are just down some bizarre philosophical rabbit hole if you truly believe that
What I've said isn't anything radical, and like I've mentioned above, this is a common tenet of pretty much every ethical system that life is an end in itself. This perspective is outlined in Nozick, Kant, Scanlon, Nagel, Rawls and countless others. Some of these authors have influenced the legal systems of entire nations. Rawls and Kant, for example, are considered "mainstream" ethical theorists.
> Under this logic policing is unacceptable
No, because as I've already stated, justified self-defense is a different situation entirely. The situation of extrajudicial killings by police is, however, unacceptable.
> vaccine research is unacceptable, driving a car is unacceptable
This is a false equivalency. The key difference here is the informed consent that's associated with the actions. Nobody is consenting to having their confidential data released. In the above situations you listed, one of the stipulations of engaging in, say, a vaccine trial, is a clearly stated risk. A vaccine trial on someone unwilling is wrong. Someone who willingly agrees to 'open-source' their data and gets killed as a result is also in a different situation than the one we are discussing.
To pretend that someone who's willingly engaged in a dangerous activity and died has experienced the same sort of wrong as someone whose data was leaked against their will, and as a consequence was murdered, is just nonsensical. Notice how I said "if anyone dies as a result of this" not "anyone dying makes any situation automatically wrong".
If I walk on a sidewalk and get hit by a car, I am the one who decided the sidewalk's risks were worth it. There was no gun to my head. As my life is mine, I can dispose of it and use it as I see fit. That's not something anyone else can do or decide for me.
You are inadvertently trivializing the consequences.
If someone has to pay a bit more for insurance or whatever, that may not sound like a big deal and also morally justifiable if you assume someone is always willing and able to evaluate risk accurately.
However, some diagnoses are treated as "unknown unknowns" rather than quantifiable risks. In that case, it's likely that there will simply be nobody to accept them at all.
The discrepancy between this treatment of a risk as effectively infinite, because nobody will take it on, versus the fact that it is really finite, constitutes economic destruction that would be caused by the disclosure of the diagnosis.
Right now there are restricted circumstances where things have to be disclosed. But it's relatively tolerable because it's limited. For instance, you might not be able to get life insurance, but at least you can hold a job, have health insurance, live where you like, etc.
Taking all that away from millions of people seems not a lot kinder than just liquidating them.
The upsides may come. The downsides will come.
I am pessimistic on this one.
You don't think the upsides of releasing the largest and most complete dataset on human health in history would be inevitable? I'd say the upsides and downsides would both certainly come.
In other words, you can't imagine this disclosure of data being useful for research, if it is done in such a way that individual identities cannot be recovered to it for the purposes of discrimination?
it's actually an argument in favour of well-protected centralized collection. It's more probable that smaller entities arre less protected than bigger ones even if the data they can disclose is more limited.
> It's more probable that smaller entities are less protected than bigger ones
Size of an organization is not a good proxy for quality of security. Evidence: Colonial Penn, the DC Metro Police Department, Experian, Target, etc...
One can do ZFS snapshots so one does not need to do insanely huge backups all the time. Just transfer off the diffs as needed. If an attack happens it's pretty easy to roll back to a known good state. It's also not that complex to set some process in place that does random checksum verification of some files to trigger an alarm that such an attack has taken place. It really perplexes me that very large institutes don't do this.
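The "random checksum verification" idea from the comment above, worked through as an added example (this is not code from the thread or from any product mentioned in it): a manifest of SHA-256 digests is taken while the data is known good, for instance from a read-only snapshot, and later a random sample of files is re-hashed against it. Any mismatch is a finding; a mismatched file whose contents now look like random bytes is flagged separately, since bulk encryption is what that looks like. The sample tree, file names and the threshold of 7.5 bits per byte are constructed for the demo and are assumptions, not values from the page.

```python
# Added example: spot-check a file tree against a known-good checksum manifest.
# Not from the thread; paths, sample data and the entropy threshold are assumed.
import hashlib
import math
import os
import random
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root) to its SHA-256 digest.

    Run this while the tree is known good, e.g. against a snapshot.
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for random or encrypted data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_sample(root, manifest, sample_size=None, seed=None):
    """Re-hash a random subset of manifest entries and return a list of findings.

    Each finding is (relative_path, reason) with reason one of
    'missing', 'modified' or 'modified+high-entropy'. The seed only makes
    the sampling reproducible; a scheduled job would leave it unset.
    """
    rng = random.Random(seed)
    paths = sorted(manifest)
    if sample_size is not None and sample_size < len(paths):
        paths = rng.sample(paths, sample_size)
    findings = []
    for rel in paths:
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append((rel, "missing"))
            continue
        if sha256_file(full) == manifest[rel]:
            continue
        with open(full, "rb") as f:
            head = f.read(4096)
        # 7.5 bits/byte is an assumed threshold; plain text and most office
        # formats sit well below it, random or encrypted data sits above it.
        reason = "modified+high-entropy" if shannon_entropy(head) > 7.5 else "modified"
        findings.append((rel, reason))
    return findings


def demo():
    """Build a constructed tree, take a manifest, corrupt one file, then verify."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(5):
            with open(os.path.join(root, f"record{i}.txt"), "w") as f:
                f.write(f"constructed sample record {i}\n" * 50)
        manifest = build_manifest(root)
        # Simulate an unexpected change: one file replaced with random bytes.
        with open(os.path.join(root, "record2.txt"), "wb") as f:
            f.write(os.urandom(4096))
        return verify_sample(root, manifest, sample_size=5, seed=1)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"ALERT {reason}: {rel}")
```

The manifest comparison is the part that matters: an entropy check on its own cannot tell legitimately encrypted data from data that has just been encrypted by something else, but a digest mismatch against a known-good snapshot catches either kind of unexpected change. Store the manifest somewhere the checked hosts cannot write to, and sample a different subset on each run so a slow, selective rewrite still gets caught eventually.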
Large institutions aren't solving their security problems by hiring a small clutch of FreeBSD elves.
They're hiring consultants to confirm that they've met the requirements of some checklist, which requirements may include "have a plan to fix this obvious problem.... someday. You do? OK, then you're fine". That's much cheaper and is 100% management-class controlled.
Snapshots, RAID, etc are not substitutes for backups
There's a trend of paying these ransomware attacks which are sometimes in the order of millions. Imagine if those millions were _proactively_ invested into the computer security of these systems?
I tried to imagine, but my mind told me that a couple of millions would not prevent these issues. Did I imagine it wrong?
You would likely end up with better security. Would it be good enough to prevent breaches? Doubt it.
Most ransomware is pointless where regular reliable backups are in place. A situation like this where there are privacy and outage concerns is a bit different. We may eventually discover that the operators of the system discussed in TFA really were backing up that system, although probably for less than "a couple of millions". Still, ransomware payments are usually a penalty for not doing backups.
I think preventing breaches is a losing battle. There will always be new vulnerabilities.
You can practice things that make recovery fast and reduce the impact of breaches though. Isolate data, encrypt it, only grant necessary access, have robust backups and test recovery regularly. These things take time and money though, and most companies are unwilling to do them sufficiently.
The difference is it is not the attacked company that is paying the ransom, typically. It's an insurance agency. So the company that was compromised still only pays $X a month, which is probably less than any million-dollar investment.
I hope this train of thought becomes more mainstream.
Politicians always seem to be scared to front-load costs.
Happens with military/infrastructure spending all the time - get a cheap initial quote and then get screwed long-term.
And with covid. Govs didn't have the courage to lock down early and fast / close borders and cost themselves a lot of money in the short term.
This is rational behavior. Voters cannot distinguish proactive spending from embezzlement. Politicians need to allow the problem to occur to prove that the money is actually needed.
In the case of covid - it would have happened everywhere else. So they would just have looked incredibly smart.
But with IT stuff, yeah it's tough to justify - but maybe after things like this happen it will be easier. Sometimes you need a Pearl Harbour to get stuff done!
A bit more detail in The Irish Independent. References the Conti ransomware.
https://m.independent.ie/irish-news/serious-and-sophisticate...
What kinda scummy scrote do you have to be to attack health services during a pandemic. This is a new low.
Disclaimer: I don't really believe this, however...
The information surrounding the current pandemic within Ireland is heavily skewed in one direction, there is no room for any questions, without being labelled as something. What if someone decided to check the information for themselves. Just a thought, [removes crazy hat made from tinfoil]
Well, it was either this or human trafficking.
And with ransomware you don't have to hear the crying of your victims.
Plus if you show mercy on someone people can identify with, like a single mom barely getting by, you can go on draining pensioners' bank accounts like you're fucking Robin Hood.
To be honest, at this point I'm in favour of attacks on all health services all the time, to drive home the point that acceptable long-term data protection in this kind of infrastructure doesn't exist and that all data will be stolen at some point, before everything is collected everywhere.
The less data is actually leaked and sold the better, of course, but societies and especially politicians don't seem to learn that easily.
You'd have to think that sooner or later they are going to get into one of the big cloud providers and cause havoc.
(Usually.) Those cloud providers know what they're doing though and de-couple things as much as possible, reducing an entire-system compromise. It's their bread and butter, I would much prefer them managing the systems than the HSE.
But they still make mistakes (ask me how I got into Google /rpcz pages by shodan dorking and slightly mangling an HTTP header...). And just a few of these mistakes strewn together can have a massive blast radius if exploited by a motivated entity.
That, and all the high security cloud hosting in the world will not help the most commonly exploited security issues: unpatched wordpress plugins, world readable storage buckets, poorly secured privileged accounts, ransomware, phishing... A shoddily managed on-prem enterprise IT infra moved into the cloud will be just this: a poorly managed AWS infra, just as exploitable as before, but now also 10x as expensive to run.
Sure, I don't disagree. But in many cases the value of the data lost even over a short period can dwarf the size of a ransom, as can losses from downtime before getting operations up and running again. Can you imagine if they managed to take down e.g. S3, even for a day? The incentive to pay would be high, which in turn increases its attractiveness as a target. Not saying they would pay of course.
One of the major issues I've seen while working with large organisations on software development is one of mindset. These are organisations who predominantly think: "We are an 'x' organisation that happens to develop software". The more productive and safer way of thinking is: "We are a software development organisation that is within 'x' market".
However, the latter requires a huge mindset and experience shift from the very top of the organisation. And groups and individuals of that organisation having a strong interest in their survivability are, of course, not going to change that.
What if software development isn't the most technically challenging aspect of their operation? Say SpaceX or a nuclear physics lab?
Or healthcare?
That too. Although if they are making medical equipment, software (if you include the algorithms, which you should) is probably their main challenge. Everyone is not a software development company, but I agree security is every developer's responsibility.
Odd effect of this is that it would be difficult to distinguish encrypted backups from ransomware encrypted files being backed up.
Cloud documents like Word and Google docs seem less susceptible, as writing a content parser for each file format to encrypt it would be a higher bar. Or am I missing something there?
It also suggests there could be a market for cryptocurrency futures as a form of insurance. This is one extreme situation where you are forced to buy a currency at market prices, but I suspect it's the first of more.
I love the increase in these kinds of attacks, eventually there will be enough pressure for liability legislation for companies to take security seriously.
The first response will be to make laws to punish the perpetrators and to pass knee-jerk cybersecurity laws that create the illusion that something is being done.
The entire technology industry is built on a foundation of limited liability and has a tradition of being ok with defects (eh, it's a small bug). When do we get hardware that is guaranteed to perform and be safe, operating systems, languages and compilers that are safe? It's going to be very difficult to deal with liability in a strict sense. Who's at fault? The OS that had a bug, the library that made the syscall, the code that called the library, the script that ran the program, the network router that allowed the egress, or the user that pushed the button? (edit: fixed typo)
I have limited faith in our legislators to fix computer security.
On one hand I'm excited about all the good things that e-health can enable for us, but then again, I'm super scared to leave a trail of my health history in IT systems.
That's not the first attack on health... in the context of a worldwide struggle I find the operation against medical institutions utterly despicable. God.
Not really surprising given that during most of the pandemic, track and trace was done through pen and paper and not through the computer system.
I imagine, to use our vernacular, some chancing gobshite is talking his way out of responsibility for their shitty tender as we speak.
It's the HSE; no one's going to be held accountable. In fact someone will probably get a nice bonus this year for 'managing' the situation.
The NIST 800 series and the CNSSI 1253 series cover pretty much everything you need to worry about.
Ever-relevant XKCD: https://xkcd.com/2030/
OT: In my recollection that comic ends with the 'That's terrifying' panel. Does XKCD ever update comics or is that a new iteration?
I’m not aware of XKCD updating comics after they’ve been published. The HTTP response header for the PNG indicates that it hasn’t been modified since 2018 (which seems like original publication date):
    $ curl -sI https://imgs.xkcd.com/comics/voting_software.png | grep Modified
    Last-Modified: Wed, 08 Aug 2018 16:59:09 GMT
Wouldn't disrupting healthcare services be an act of terrorism or even war?
1. It can only be an act of war if it was done by a nation state. Even though the US likes to declare war on abstract concepts like "drugs" and "crime", that is not how it works in international law.
2. Terrorism has similarly precise definitions, usually along the lines of "the act has to be in pursuit of political aims". Just because it's a big and important target does not make it political; ransomware is an economic crime.
1 is not strictly true. A nation harbouring actors like this has a duty to intervene or they could be deemed responsible.
For anyone with time on their hands, the "Tallinn Manual" has a lot of detail on this:
https://www.kobo.com/ie/en/ebook/tallinn-manual-2-0-on-the-i...
Kinda fair, but "duty to intervene" is heckin' vague. A nation can easily claim to have tried but failed. In any case, with all due respect to the Irish military I don't think they are quite up to invading any of the usual suspects when it comes to harboring extensive cyber operations.
If the attackers are acting under the protection or tacit approval of a foreign government then you can bet that somewhere, someone is prepping a policy paper for kinetic responses. Given the recent pipeline issue and its national security implications I am not going to be surprised at all if some hackers in Russia end up dead from 'accidents' that are so obviously not accidents that no one is fooled.
> If the attackers are acting under the protection or tacit approval of a foreign government then you can bet that somewhere, someone is prepping a policy paper for kinetic responses.
You could but you probably would lose that bet. This has been done for decades now, especially between friendly countries (see https://www.independent.co.uk/news/uk/politics/eu-mi6-brexit...) without any sort of repercussion.
Diplomatic posturing aside ("We will treat any intrusion attempt on our networks as an aggression"), literally no government actually wants to go to war over a hack.
> Given the recent pipeline issue and its national security implications I am not going to be surprised at all if some hackers in Russia end up dead from 'accidents' that are so obviously not accidents that no one is fooled.
This is even more nonsensical. Certainly governments would benefit way more from hiring those hackers and/or buying vulns from them than killing them. Especially in less-friendly countries like Russia.
> no government actually wants to go to war over a hack
The war started more than a decade ago. Like the Cold War that preceded it, there is little value in pretending the conflict does not exist nor that escalation is impossible.
> literally no government actually wants to go to war over a hack.
Well, this is not just a "hack", this blocks the entire national healthcare IT, it could cost lives.
Here I was thinking about how wonderful it would be to live in a nation like Ireland, where hacks can happen without interested parties attempting in pathetic fashion to cover their asses by invoking the specter of RussiaRussiaRussia... I should have known someone would break the spell.
Not talking about the Irish attack, but rather the Colonial Pipeline one. The ransomware group in that case are a well-known Russian gang who ended up putting out a press release apologizing for the inconvenience to everyone and that they just wanted money. Sometimes that specter isn't a phantom but actually exists; the only spell to be broken here was your own delusion.
So, do you believe the press release? They clearly disavow connection to any of the dozens of national governments on earth who are subject to USA sanctions: "We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment and look for other our motives." Do you only believe part of that press release? How did you decide which part to believe? Maybe just the parts that threaten to cause global thermonuclear war?
Of course I knew what you were talking about; the war media has been beating this drum for at least a week even though it was obvious from the start that Colonial do shit work and grasp at any straw to excuse that. Anyone who wants to see more of that CYA bullshit can find plenty to see, so your jingoistic and warmongering comment has no place in this thread. Foment war among nuclear powers elsewhere.
I believe the actual professionals who do assessments on these actors and who specialize in analysis and attribution. Then again, I happen to know some of them and know the field. You apparently know little about this subject but seem desperate to turn this into some sort of political fight. Your intentions and objectives are quite clear: it is more important for you to deflect blame from Russia or Russian hackers (even those who may only be acting with the protection of some wing of the government and not being directed by same) and truth is of little consequence.
What a complete waste of time it is discussing anything on HN that you touch.
Wow it seems a lot of thought has been devoted to my "intentions and objectives". Let's dial the discussion back a bit and strive for a bit more objectivity.
You might want to ask the "actual" [?] "professionals" who "specialize in attribution" whether attribution has anything to do with this episode. (Not the episode in TFA, remember, but rather the one you decided [for political reasons?] to talk about instead.) You concede that Darkside are the authors of the hack, and credit at least some of their communication about it. What attribution remains to be done? The actual expertise in attribution among computer security professionals is in identifying and profiling tools and techniques. The amateur psychology and geopolitical analysis we sometimes see quoted in the war media as "attribution" is just bullshit.
If you're in this thread discussing TFA which does not contain the string "Russia" for the obvious reasons, then you are indeed wasting your time. If you're just trying to clear up some intellectually debilitating confusion, then please continue the discussion.
> It can only be an act of war if it was done by a nation state
This is not true. For example major countries like the United States and the United Kingdom are not nation states but can still commit acts of war under international law.
True, the definition of nation state is a bit vague. I'm pretty sure a ransomware group is not included in it though.
You’d think these attacks would be worth some tit for tat. If people and companies were physically raided by groups, the govt would likely take action. I’m not sure what the difference is. (And to those saying it’s not international law, that’s just made up anyways so I’m not sure why that’d matter now).
Disrupting healthcare systems is likely to provoke physical damage to patients. To me this is even worse than a physical attack on a company because it affects those who deserve it the least. It's morally disgusting and would deserve serious countermeasures. If backed by a state it is worth some serious sanctions or worse.