U.S. oil pipeline shut down by ransomware



That Guy
05-10-2021, 06:04 AM
I ran into this news article that claims a major U.S. oil pipeline has been shut down by a ransomware attack:

https://www.theregister.com/2021/05/10/colonial_pipeline_ransomware/

The article was uncertain on what, if any, effect this will have on fuel availability on the U.S. east coast. Besides, y'all do keep a full tank of gas in your vehicles, right?

farscott
05-10-2021, 07:07 AM
I ran into this news article that claims a major U.S. oil pipeline has been shut down by a ransomware attack:

https://www.theregister.com/2021/05/10/colonial_pipeline_ransomware/

The article was uncertain on what, if any, effect this will have on fuel availability on the U.S. east coast. Besides, y'all do keep a full tank of gas in your vehicles, right?

This is very bad in terms of fuel availability to the eastern and southeastern portions of the USA. Not just passenger vehicles; this impacts passenger jets as the Colonial pipeline also serves airports like Atlanta's Hartsfield (ATL). I topped off this morning on my way to the office per my usual practice and asked my wife to do the same with her vehicle. The last time the Colonial pipeline went down was from storm-related damage, and fuel prices doubled for a week or so.

LittleLebowski
05-10-2021, 08:50 AM
I ran into this news article that claims a major U.S. oil pipeline has been shut down by a ransomware attack:

https://www.theregister.com/2021/05/10/colonial_pipeline_ransomware/

The article was uncertain on what, if any, effect this will have on fuel availability on the U.S. east coast. Besides, y'all do keep a full tank of gas in your vehicles, right?

36 gallons on Friday :cool:

blues
05-10-2021, 08:59 AM
36 gallons on Friday :cool:

You gotta get up pretty early in the morning to beat this guy...

https://i.pinimg.com/originals/f7/ba/f1/f7baf1f5eee880f5aa2015298191da11.png

theJanitor
05-10-2021, 11:55 AM
and asked my wife to do the same with her vehicle.

My wife has a fuel genie that fills her car. I hear he looks just like me.

All jokes aside, I'm as far from the pipeline as possible, and premium was $4.699 yesterday. Or so the genie said.

ccmdfd
05-10-2021, 12:57 PM
So after my first thought of "Oh Hell!", my mind immediately went to thoughts of what kind of punishment would fit this crime, assuming they actually could catch someone?

Is this considered terrorism?

Clusterfrack
05-10-2021, 01:34 PM
My source said “Their corporate network got hit with ransomware. Ironically the gang that did it realizes they screwed up and went after someone they shouldn’t have. I don’t think any of their pipeline infrastructure was impacted directly, but oil companies are all about ordering and billing. I bet those systems were impacted.”

Borderland
05-10-2021, 01:54 PM
So after my first thought of "Oh Hell!", my mind immediately went to thoughts of what kind of punishment would fit this crime, assuming they actually could catch someone?

Is this considered terrorism?

Cyber terrorists. From Russia with love. We're moving back to the pre-internet stone age.

Joe better get a handle on this soon or just about anything automated by servers on the internet is going to be attacked.

My personal experience is with my bank. I won't go into details but they lost a lot of money through a cyber attack. A lot. Most people wouldn't believe me if I told them the amount and they sure as hell won't make that public knowledge.

TheNewbie
05-10-2021, 02:53 PM
We need John McClane and a computer nerd stat.

Hieronymous
05-10-2021, 03:07 PM
I would be curious to hear from a cyber security expert what could theoretically be done to damage our systems and infrastructures in the event of a total cyber war.

Are we much more vulnerable than we think? It seems that F***ing about with supply chain logistics alone could send us into a scary place; so too local power supply networks. Does anyone here have the benefit of the real .gov perspective that is not classified that they could share?

I think given the CCP of China's mandate to take over Formosa, and given that they are alleged to reach a realistic capability to facilitate same between 2030-2050, I can see a scenario where their use of asymmetric warfare (such as cyber attacks) might be deemed an acceptable means of discouraging ANZAC/US/Japan military support for Taiwan.

Caballoflaco
05-10-2021, 03:35 PM
I would be curious to hear from a cyber security expert what could theoretically be done to damage our systems and infrastructures in the event of a total cyber war.

Are we much more vulnerable than we think? It seems that F***ing about with supply chain logistics alone could send us into a scary place; so too local power supply networks. Does anyone here have the benefit of the real .gov perspective that is not classified that they could share?

I think given the CCP of China's mandate to take over Formosa, and given that they are alleged to reach a realistic capability to facilitate same between 2030-2050, I can see a scenario where their use of asymmetric warfare (such as cyber attacks) might be deemed an acceptable means of discouraging ANZAC/US/Japan military support for Taiwan.

I’m not in IT and am by no means a security expert, but this is my layman’s understanding. We pretty much know that the majority of our infrastructure can be shut down by cyber attacks. We have to assume that systems that are not physically separated from the internet are either vulnerable or already compromised. That means gas, water, oil, electricity, most anything you can think of.

Suvorov
05-10-2021, 03:47 PM
It’s reasons like this (and living in an earthquake prone zone) that I keep my tank 50% or better full all the time and keep 13.5 gals in cans.

farscott
05-10-2021, 04:02 PM
It’s reasons like this (and living in an earthquake prone zone) that I keep my tank 50% or better full all the time and keep 13.5 gals in cans.

Growing up in a snowy area taught me to always fill up when the gas gauge got near "1/2" indicated. That came in handy once on the Ohio Turnpike when I got to sit for three hours in sub-zero temps due to a tractor-trailer overturning. Being able to run the engine to generate some heat combined with a blanket and a good book made the time pass much more pleasantly.

Since my current AO is prone to tornados, I have kept up the habit. I even keep the cold weather gear in the trunk.

Clusterfrack
05-10-2021, 04:22 PM
The best I can say is I know one very smart person who is fighting this war. He seems confident that he can protect the important stuff in his AO.

I would be curious to hear from a cyber security expert what could theoretically be done to damage our systems and infrastructures in the event of a total cyber war.
... power supply networks. Does anyone here have the benefit of the real .gov perspective that is not classified that they could share?

Tabasco
05-10-2021, 04:53 PM
I would be curious to hear from a cyber security expert what could theoretically be done to damage our systems and infrastructures in the event of a total cyber war.

Are we much more vulnerable than we think? It seems that F***ing about with supply chain logistics alone could send us into a scary place; so too local power supply networks. Does anyone here have the benefit of the real .gov perspective that is not classified that they could share?

I think given the CCP of China's mandate to take over Formosa, and given that they are alleged to reach a realistic capability to facilitate same between 2030-2050, I can see a scenario where their use of asymmetric warfare (such as cyber attacks) might be deemed an acceptable means of discouraging ANZAC/US/Japan military support for Taiwan.

China and Russia have been investing in cyber warfare for decades. They know they can't match us with conventional military abilities and equipment (and nobody wants a nuclear war), so it makes total sense they would pursue asymmetrical cyber warfare with reckless abandon. We have never had an all-out cyber war, and the damage it could cause is theoretical; however, there have been many 'proof of concept' type exercises that make it clear that we have a real serious problem. Read up on STUXNET if you want an example of what has happened in the real world.

STUXNET spun the Iranian uranium enrichment centrifuges beyond their rated ability, causing small stress fractures that eventually caused them to disintegrate, all while reporting to the operators on their consoles that everything was running within operational parameters. They thought they were being sold defective equipment, until some Belarus cyber security company discovered the Windows component of the STUXNET malware. They didn't know what to make of it, so enlisted Symantec, who were able to identify four "zero days" (flaws that the vendor and security community are unaware of) that allowed the malware to breach Windows security and establish itself on their PCs (which were "air-gapped" from the rest of the network, no physical connection). There was another component that Symantec couldn't figure out called Siemens Step 7 programming. That's the interface that programs the Programmable Logic Units that actually control hardware, like valves or whatever. They enlisted a specialist named Ralph Langner, who specialized in SCADA security, and he was able to figure out what was up. Brilliant. It put the Iranians back years with their uranium enrichment program, without having to drop bombs.

That's a hardware example; the SolarWinds hack is a good example of software. The attackers were able to insert their malware code during compilation (translating human-readable code to binary computer code), after the code was verified as unmolested. That was thought to be impossible, but it got done anyway.

I did network security as part of my Unix admin jobs over the years, which is why I know this stuff. Not an "expert", but I understand enough to know the potential of a cyber war.

What a tangled web we weave.

Gary1911A1
05-10-2021, 05:28 PM
If we could find out who they are with certainty, I wonder if the ransom would be any more than a contract with the Russian Mafia?

Chance
05-10-2021, 05:30 PM
Is this considered terrorism?

The policy question of "At what point does a cyber-incident warrant a kinetic response?" has been lingering in the US since the late-2000's. I wouldn't be the least bit surprised if that line has already been crossed and the public just never heard about the response.

I would be curious to hear from a cyber security expert what could theoretically be done to damage our systems and infrastructures in the event of a total cyber war.

Ukraine is the present case study for this. Two (https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/) articles (https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/) that might be worth mentioning, although the second is behind a paywall.

ETA: Some of the crew thought to be responsible for both the power grid attack and NotPetya were indicted last year (https://arstechnica.com/tech-policy/2020/10/six-russians-accused-of-the-worlds-most-destructive-hacks-indicted/).

Hieronymous
05-10-2021, 06:21 PM
Ukraine is the present case study for this. Two (https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/) articles (https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/) that might be worth mentioning, although the second is behind a paywall.

ETA: Some of the crew thought to be responsible for both the power grid attack and NotPetya were indicted last year (https://arstechnica.com/tech-policy/2020/10/six-russians-accused-of-the-worlds-most-destructive-hacks-indicted/).

The Wired article you linked is well worth the read.

“This had to be a well-funded, well-trained team. … [B]ut it didn’t have to be a nation-state,” he says. It could have started out with cybercriminals getting initial access to the network, then handing it off to nation-state attackers who did the rest.

This sort of resonates as very plausible in terms of Russia; hard to imagine they don’t have strong control over their hackers.

What saved Ukrainians from a greater catastrophe was that they have manual backup, evidently, whereas we don’t typically have them anymore.

karandom
05-10-2021, 06:41 PM
I read Lights Out by Ted Koppel a few years ago and it scared the crap out of me.

Basically a cyber attack on the power grid is well within the capabilities of most countries and would kill tens of thousands of people as food, water, medicine, etc all need power and could be out for months.

https://www.amazon.com/Lights-Out-Cyberattack-Unprepared-Surviving/dp/0553419986

fly out
05-10-2021, 07:40 PM
I read Lights Out by Ted Koppel a few years ago and it scared the crap out of me.

My significant other read that book upon release, and it changed her (and by extension, our) approach ever since.

SeriousStudent
05-10-2021, 08:08 PM
Our current policy on retaliation for weapons of mass destruction is "A gas is a germ is an atom". Meaning we treat them all the same, and the opponent gets a thermonuclear dose of canned sunshine in response. We do not discriminate between chemical, biological or radiological/nuclear weapons.

How long before our resources are so crucial that a policy becomes "A gas is a germ is an atom is an electron"? And not necessarily policy. There were very serious discussions amongst our Congresscritters about how we respond to the SolarWinds/Solarigate/Nobelium/Hafnium attacks. So if we decide to respond to those (if we have not already) and Comrade Xi or Putin decide to mash a different button?

That is the thing that really scares me. The Ukraine was relieved of its nuclear weapons and we assisted with this. Would Russia be making them their bitch if they still had nukes? Likely not.

I'm really, really going to watch out for the analysis of the attack on Colonial. If this was yet another ransomware attack that was similar to the attacks on healthcare and utilities for the last 18 months or so, I'm less worried. But if it was deliberately designed to go after the air-gapped SCADA systems as Tabasco mentioned. A buddy wrote his master's thesis on STUXNET when he was at CMU when it was initially discovered. I still have a copy of his paper.

I got to talk to Andy Greenberg a while back, after he released his book called Sandworm. I'd definitely encourage my fellow nerds to read it.

Borderland
05-10-2021, 08:15 PM
You gotta get up pretty early in the morning to beat this guy...

https://i.pinimg.com/originals/f7/ba/f1/f7baf1f5eee880f5aa2015298191da11.png

That dude is in the market at 2 am. He doesn't sleep at night.

blues
05-10-2021, 09:08 PM
That dude is in the market at 2 am. He doesn't sleep at night.

And yet 2 a.m. is pretty early in the morning.

whomever
05-10-2021, 09:27 PM
I've been retired a few years now, so no current info, but FWIW:

We all just assume that water will come out of the tap, electricity will come out of the socket, and our email will get delivered. That doesn't just happen by default. For decades I was the guy who got the 2AM phone call that one of the IMAP servers had shit the bed, and I drove in and spent 0300 to 0600 improvising so your mail was all in your inbox at 0600. I know people today at the power company who are working the wee hours to keep the power on. I'm sure that the water plant and sewer plant have people getting up and sticking their fingers in the dike.

So, for example, when everyone was freaking out over Y2K, my prediction was 'this will be a nonevent ... lotsa people like me will just deal with whatever comes along'. That turned out to be an accurate prediction.

It's not like I don't worry - a Carrington Event could wreak real havoc. Stuxnet did real damage. But, generally speaking, I expect that the people filling my shoes will again improvise in the face of adversity, and largely keep things running. If that means yanking stuff off networks and reverting to SneakerNet for updates, I expect they will do that.

Don't get me wrong - I surely encourage everyone to ask themselves what they would do if water didn't come out of the tap or electricity didn't come out of the plug for a few months, and do whatever they can to ride that out. But, generally speaking, I think that my replacements are smart people, and will do what they always do - improvise in the face of adversity, and kinda sorta keep things working.

Chance
05-10-2021, 09:29 PM
From The New York Times (https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html):

Bringing down the pipeline operations to protect against a broader, more damaging intrusion is fairly standard practice. But in this case, it left open the question of whether the attackers themselves now had the ability to directly turn the pipelines on or off or bring about operations that could cause an accident.

The ransomware attack is the second known such incident aimed at a pipeline operator. Last year, the Cybersecurity and Infrastructure Security Agency reported a ransomware attack on a natural gas compression facility belonging to a pipeline operator. That caused a shutdown of the facility for two days, though the agency never revealed the company’s name.

Hot Sauce
05-10-2021, 11:14 PM
Our current policy on retaliation for weapons of mass destruction is "A gas is a germ is an atom". Meaning we treat them all the same, and the opponent gets a thermonuclear dose of canned sunshine in response. We do not discriminate between chemical, biological or radiological/nuclear weapons.

How long before our resources are so crucial that a policy becomes "A gas is a germ is an atom is an electron"? And not necessarily policy. There were very serious discussions amongst our Congresscritters about how we respond to the SolarWinds/Solarigate/Nobelium/Hafnium attacks. So if we decide to respond to those (if we have not already) and Comrade Xi or Putin decide to mash a different button?

That is the thing that really scares me. The Ukraine was relieved of its nuclear weapons and we assisted with this. Would Russia be making them their bitch if they still had nukes? Likely not.

I'm really, really going to watch out for the analysis of the attack on Colonial. If this was yet another ransomware attack that was similar to the attacks on healthcare and utilities for the last 18 months or so, I'm less worried. But if it was deliberately designed to go after the air-gapped SCADA systems as Tabasco mentioned. A buddy wrote his master's thesis on STUXNET when he was at CMU when it was initially discovered. I still have a copy of his paper.

I got to talk to Andy Greenberg a while back, after he released his book called Sandworm. I'd definitely encourage my fellow nerds to read it.

The big problem here that you did not mention (and I'm sure you are aware of) is attribution.

Imagine the hypothetical of Russian hackers using commonly known techniques that are used by North Koreans--TTPs are commonly used for attribution. Imagine there's a purposefully left artifact that may imply Korean as the language of the malware coder. This is a famous attack that had such indicators. (https://www.darkreading.com/vulnerabilities---threats/advanced-threats/korean-speaking-cyberspies-targeting-corporate-execs-via-hotel-networks/d/d-id/1317361)

Keylogger used in the attacks appears to be written by a Korean-speaking developer, and the data discovered on the command and control servers used in the attacks have Korean language in the data strings. "You've got a number of individuals involved here who are Korean-speaking and the attacks are happening in the APAC region." And when they infect a Korean-speaking target, the attackers delete the malware -- an indication that they are avoiding friendly fire.

A relatively less sophisticated example was the United Cyber Caliphate, which purported to be ISIS hackers but was in actuality Russian nation-state actors.

So while part of the power grid is down or whatever the scenario is, you also have to make sure you're shooting back at the right people, or you risk shooting at uninvolved countries and creating a "multi-theater" cyber conflict. One could think of a Sum of All Fears (the movie) situation where a third party tries to provoke a cyber war between two other nation-states.

Tabasco
05-11-2021, 11:24 AM
I've been retired a few years now, so no current info, but FWIW:

We all just assume that water will come out of the tap, electricity will come out of the socket, and our email will get delivered. That doesn't just happen by default. For decades I was the guy who got the 2AM phone call that one of the IMAP servers had shit the bed, and I drove in and spent 0300 to 0600 improvising so your mail was all in your inbox at 0600. I know people today at the power company who are working the wee hours to keep the power on. I'm sure that the water plant and sewer plant have people getting up and sticking their fingers in the dike.

So, for example, when everyone was freaking out over Y2K, my prediction was 'this will be a nonevent ... lotsa people like me will just deal with whatever comes along'. That turned out to be an accurate prediction.

I had that exact experience, one of the reasons I'm "retired" (at least from IT, sort of, or at least running email servers anyway).

The thing about Y2K was that it was a known issue. I worked at a large European investment bank, and there was a huge effort to be Y2K compliant. To get us IT folks interested, they sent us a book by a former COBOL programmer, Ed Yourdon, called "Timebomb 2000". It made me aware of 'just in time' inventory, issues with the power grid, etc. Really got me thinking. In the end, most companies achieved compliance, and it was no big deal (I read the NRO lost track of its satellites for a while). My guess is that Y2K would have been a real issue had we not dealt with it, but we saw it coming and acted accordingly. Back then, our reliance on internet-connected stuff was much less. I shudder to think of the result of disruptions today.

whomever
05-11-2021, 12:08 PM
... My guess is that Y2K would have been a real issue had we not dealt with it, but we saw it coming and acted accordingly. ....

For some values of 'real issue', sure. But I think some of it was overplayed. I remember hearing things like 'the pumps at the water treatment plant are computer controlled, so come Y2K the water won't flow!'. And that seems unlikely to me - if the clock ticked over and the computer controlling the pumps failed, for example, I'd guess you could generally get the water flowing again by setting that computer's date to 1990, and then dealing with the implications of that as they came.

Every fall we set the clocks back an hour. If worse came to worst, we could have, society wide, set the clock back by a year. That would have been a fustercluck of epic proportions as, say, banking systems tried to deal with deposits that had occurred in the future, but I don't think it would have been 'the grid is down for months' bad.

That's not to say it wouldn't have been bad ... bad things could happen if it took too long to fix the reactor cooling systems or whatever. But not, IMHO, as bad as some of the hype predicted.

Among other reasons, when you want to do an upfront fix so Y2K doesn't break the payroll system, the way risk-averse bureaucracies work is 'form a committee to assess the various mitigation strategies, first meeting will be in 8 weeks followed by monthly meetings ...'. When the system is broken because it is saying 'age = YY - birthYY' and when YY=02 (2002) and birthYY=80 (1980), and the person isn't negative 78 years old, someone will suggest following that with 'if age<0: age = YY + 100 - birthYY', and implement it that afternoon. In other words, IMHO, fixing Y2K would have taken a lot less time than averting it (that's not saying we shouldn't have done the work to avert it, just that 'we spent 50 man years replacing the XYZ system so it was Y2K proof' doesn't imply 'if we had been surprised by Y2K, getting XYZ running again would have taken 50 man years').

As the old saying goes, 'nothing focuses the mind like the prospect of being hung at dawn'. Similarly, when payday is tomorrow, it's amazing how quickly the payroll system gets fixed.

The worst case scenarios for a Carrington Event are really, really bad. I just didn't see Y2K reaching that state of things. I might be all wet, and I'm glad we didn't have to run the experiment :-).
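
The two-digit-year age bug and the same-afternoon repair that whomever describes above, reproduced as an added Python example (this is not code from the post or from any system the thread discusses). The windowed-pivot expansion, the 1950-2049 window, and the constructed payroll records are this example's own assumptions; the scan function shows the symptom an operator would actually see on the first run after rollover.

```python
"""Y2K two-digit-year age arithmetic (added example, not code from the thread).

The post describes `age = YY - birthYY` going negative once YY rolled over to
02, and the quick repair `if age < 0: age = YY + 100 - birthYY`.  Both are
reproduced here, followed by a windowed-pivot expansion (this example's own
assumption about the longer-term fix) and a scan that flags the records the
naive formula gets wrong.
"""


def age_naive(yy: int, birth_yy: int) -> int:
    """Pre-2000 formula: both years two-digit, century silently assumed equal."""
    return yy - birth_yy


def age_patched(yy: int, birth_yy: int) -> int:
    """The repair from the post: a negative result means the birth year is in
    the previous century, so add 100."""
    age = yy - birth_yy
    if age < 0:
        age = yy + 100 - birth_yy
    return age


def expand_year(yy: int, pivot: int = 50) -> int:
    """Windowed pivot (assumed here, not from the post): two-digit years at or
    above the pivot are read as 19xx, below it as 20xx, giving a 1950-2049
    window with the default pivot."""
    if not 0 <= yy <= 99:
        raise ValueError(f"two-digit year expected, got {yy}")
    return 1900 + yy if yy >= pivot else 2000 + yy


def age_windowed(yy: int, birth_yy: int, pivot: int = 50) -> int:
    """Age computed on expanded four-digit years."""
    return expand_year(yy, pivot) - expand_year(birth_yy, pivot)


# Constructed payroll-style records for the demo: (employee id, two-digit birth year).
SAMPLE_RECORDS = [
    ("emp-001", 80),  # born 1980
    ("emp-002", 65),  # born 1965
    ("emp-003", 99),  # born 1999
    ("emp-004", 1),   # born 2001
]


def find_negative_ages(records, current_yy: int, age_fn=age_naive):
    """Return the ids whose computed age is negative under age_fn: the
    symptom that shows up on the first run after the year rolls over."""
    return [eid for eid, byy in records if age_fn(current_yy, byy) < 0]


if __name__ == "__main__":
    # Run with the post's scenario: the current year is 2002, i.e. YY = 02.
    for eid, byy in SAMPLE_RECORDS:
        print(eid, age_naive(2, byy), age_patched(2, byy), age_windowed(2, byy))
    print("broken under naive formula:", find_negative_ages(SAMPLE_RECORDS, 2))
    print("broken after the patch:", find_negative_ages(SAMPLE_RECORDS, 2, age_patched))
```

Both the patch and the windowed expansion share the same limit: with only two digits neither can tell a 2-year-old from a 102-year-old, so the scan for negative ages catches the rollover symptom the post describes but not every record the shortcut mishandles.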

farscott
05-11-2021, 12:23 PM
Some of the statements on the attack are contradictory. One version of the story states that the pipeline controls were not impacted; the impact was to the admin systems that process orders, supply direction, and handle billing. That is less concerning to me even though the net result is the same -- not knowing how much of what to send to whom. But that is better than not being able to move fuel.

Other versions state the actual pipeline controls were impacted. That would be very bad, like Stuxnet levels of bad.

I also do not believe that the Russian government is unaware of the target. The Colonial pipeline is a big deal, and anyone taking it down has to realize the impacts. The real question is, "Why did the Russian government authorize/allow this?" For propaganda value, to gauge a response, and/or to make a point with another nation-state?

Tabasco
05-11-2021, 12:44 PM
Some of the statements on the attack are contradictory. One version of the story states that the pipeline controls were not impacted; the impact was to the admin systems that process orders, supply direction, and handle billing. That is less concerning to me even though the net result is the same -- not knowing how much of what to send to whom. But that is better than not being able to move fuel.

Other versions state the actual pipeline controls were impacted. That would be very bad, like Stuxnet levels of bad.

I also do not believe that the Russian government is unaware of the target. The Colonial pipeline is a big deal, and anyone taking it down has to realize the impacts. The real question is, "Why did the Russian government authorize/allow this?" For propaganda value, to gauge a response, and/or to make a point with another nation-state?

I wonder if it was an automated attack via botnet, rather than directed by some human entity. The Windows PCs that run the SCADA system are infected, drives encrypted, and whoever runs (or rents) the botnet sees a whole network of ransomwared PCs, and later figures out that those ransomed PCs are in the Colonial network and they have effectively shut it down. They (the "hackers") admit it was unintentional, but they don't seem to be coughing up the encryption keys for free, so who knows. In this scenario, the SCADA equipment wouldn't be affected, just the PCs that control and maintain/manage the pipeline.

Scientific Wild Ass Guess

Edit to add:

Forgot about Brian Krebs, checked out his site and found this:

https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/

Snapshot
05-11-2021, 01:36 PM
Some of the statements on the attack are contradictory. One version of the story states that the pipeline controls were not impacted; the impact was to the admin systems that process orders, supply direction, and handle billing. That is less concerning to me even though the net result is the same -- not knowing how much of what to send to whom. But that is better than not being able to move fuel.

Other versions state the actual pipeline controls were impacted. That would be very bad, like Stuxnet levels of bad.

I also do not believe that the Russian government is unaware of the target. The Colonial pipeline is a big deal, and anyone taking it down has to realize the impacts. The real question is, "Why did the Russian government authorize/allow this?" For propaganda value, to gauge a response, and/or to make a point with another nation-state?

Agreed there is a big difference security-wise between operational issues and administrative issues. But practically (a) it may take some time and effort to investigate & establish / confirm the distinction, and (b) even if the operational system is not affected if they can't reliably account for what is being transported it may be necessary to shut down anyway, at least until they can build some sort of ad-hoc system to provide the necessary accounting.

I am not an expert in this area, but listening to people that are suggests to me that legacy SCADA systems are unlikely to have adequate security, intrusion detection and monitoring features, and some of these are running on unsupported hardware and software, with institutional knowledge rapidly disappearing. In most cases they were never intended to be connected to any sort of public network, but evolved to this in a haphazard and insecure manner over a period of time, operated by various companies / people, using various technologies, none of which are necessarily focused on security from this type of attack.

I hope Colonial and other operators can regain / retain control of their systems (which they will) and I really hope that something tragic happens to the people that are doing this.

medmo
05-11-2021, 01:39 PM
This is a major terrorist-for-profit attack on the infrastructure of the United States, not an IT problem. It's not like the company's IT manager decided to not purchase the next McAfee upgrade. It's a lot more sophisticated. The more the best security software engineers work to develop more secure software, the more the hackers work on defeating it. They both have the same tools. Those that perpetrated this act should be treated as common terrorists. Every one of them should be hunted down, captured or killed by the US. The current weak response by the feds, treating it like an individual company's cyber security problem, will only encourage others to do the same. The penalty for attacking the US infrastructure needs to be swift and severe if we want others to refrain. One of the first major military actions taken by the United States involved ransom. It was fought to protect trade interests by capturing and killing pirates on the Barbary Coast who were commandeering US-flagged merchant ships, attempting to extort ransom for the lives of the captured sailors and for payment of tribute to avoid further attacks. After the Barbary Coast War, all US-flagged merchant ships were safe in the region.

Wise_A
05-11-2021, 02:16 PM
This is a major terrorist-for-profit attack on the infrastructure of the United States, not an IT problem. It's not like the company's IT manager decided to not purchase the next McAfee upgrade. It's a lot more sophisticated. The more the best security software engineers work to develop more secure software, the more the hackers work on defeating it. They both have the same tools. Those that perpetrated this act should be treated as common terrorists. Every one of them should be hunted down, captured or killed by the US.

The flip side to this argument is: "The government should spend tax dollars to conduct extrajudicial murders of people that disrupt business interests."

If corporations want people abroad killed without trial, they should follow established practice and pay themselves.

medmo
05-11-2021, 02:52 PM
The flip side to this argument is: "The government should spend tax dollars to conduct extrajudicial murders of people that disrupt business interests."

If corporations want people abroad killed without trial, they should follow established practice and pay themselves.

That isn’t the flip side. This is a national security crisis. They aren’t ransoming something like further production of Oreo cookies causing some Americans minor inconvenience. It’s a disruption of energy delivery which can be catastrophic. The flip side would be the US nationalizing energy and the power grid. That would be the flip side of having private companies operate while being protected by the US.

“The government should spend tax dollars to conduct extrajudicial murders of people that disrupt business interests."

Yes, agreed, true fact. America has been doing exactly that and protecting American interest since 1798. It’s one of the reasons we have a global military force currently deployed.

Snapshot
05-11-2021, 03:11 PM
DarkSide dudes & similar have chosen attacks on Colonial et al as their business model because (a) they have money and might pay (sometimes quietly) and (b) there are basically no consequences of doing this other than _maybe_ some travel sanctions or even indictments that will never be followed by arrests, trials, convictions, incarcerations or anything else.

Unless this changes in a way that causes a reconsideration of targets and consequences the best we can hope for is an ongoing battle between defenders and attackers. Defenders have to win every single time, especially if attackers can try, fail, try again, etc.

I have no inside knowledge of this incident but it seems Colonial (a) realized there is no way to keep this quiet, and/or (b) took an ideological position that doing a quiet payoff is wrong, and instead pressed the big red STOP button, firstly to ensure the safety of their system but also possibly to bring some .gov attention to bear on the situation.

It seems to me the .gov is at least somewhat obliged to protect the business activities under its jurisdiction, but I am not sure how that translates into what can be done especially when attribution and the normal legal process is hampered by distance, (some) anonymity, lack of treaties and protocols, etc.

blues
05-11-2021, 03:16 PM
The only good hacker is a ...

medmo
05-11-2021, 03:31 PM
It seems to me the .gov is at least somewhat obliged to protect the business activities under its jurisdiction, but I am not sure how that translates into what can be done especially when attribution and the normal legal process is hampered by distance, (some) anonymity, lack of treaties and protocols, etc.

Check out the link showing Instances of Use of United States Armed Forces Abroad, 1798 - 2020:

https://fas.org/sgp/crs/natsec/R42738.pdf

As you scroll through the list, note how many uses of armed forces were for "protecting American interest." This is a list of only the documented and publicly known uses of forces abroad. An energy provider and the power grid are of vital American interest.

Think these DarkSide dudes would try and pull this kind of thing off with an energy company in Israel? I don't believe they would. They are doing it to this energy company, inside of this country, at this very moment in time for a reason.

Chance
05-11-2021, 03:34 PM
I also do not believe that the Russian government is unaware of the target.

I think the Russian government not being aware of what was happening is completely plausible. There are so many cyber-ne'er-do-wells operating out of Russia that I doubt self-reporting or any real command-and-control is a thing. And it definitely wouldn't be the first time a ransomware gang exploited a target without giving broader consequences any consideration.

If it turns out that the pipeline's infrastructure was targeted directly, different story. But most of what's being said publicly sounds like it was ransomware gone awry. And as someone mentioned up thread, maybe concern for the pipeline itself is completely tertiary: if all of your systems are down, you don't know who you're supposed to be delivering fuel to, or have any way of accepting payment for fuel, et cetera.

randyho
05-11-2021, 03:39 PM
Stopped by the usual place on tonight's commute home to fill up. No gas. Next place had it, but I was surprised.

Caballoflaco
05-11-2021, 04:14 PM
Does anybody have petroleum riots on their 2021 bingo cards?

Considering that our guys are burning gas all day long this might be problematic for the company I work for if it drags out too long. And in the immediate future suck for a day or two if there is a short term shortage.

Borderland
05-11-2021, 04:51 PM
The US gov't isn't going to retaliate because they don't know who to retaliate against. Even if they did they wouldn't do anything because these jokers are either in China, N. Korea or Russia. A military response is totally out of the question as we will see.

Just get ready for more shortages and be prepared to pay a lot more for everything.

Snapshot
05-11-2021, 04:59 PM
Check out the link showing Instances of Use of United States Armed Forces Abroad, 1798 - 2020:

https://fas.org/sgp/crs/natsec/R42738.pdf

As you scroll through the list, note how many uses of armed forces were for "protecting American interest." This is a list of only the documented and publicly known uses of forces abroad. An energy provider and the power grid are of vital American interest.

Think these DarkSide dudes would try and pull this kind of thing off with an energy company in Israel? I don't believe they would. They are doing it to this energy company, inside of this country, at this very moment in time for a reason.

Exactly. And while Colonial may not have a John Clark type on the payroll I am sure they could find and hire one, but likely very concerned about the backlash when it leaks. So (perhaps) instead they go public with the shutdown, maybe hoping to push the .gov into doing what needs to be done. But again a huge potential backlash from the anti-energy, anti-business, anti-stomping on the enemy crowd. I wonder if the admin has what it takes to deal with this.

Snapshot
05-11-2021, 05:39 PM
The US gov't isn't going to retaliate because they don't know who to retaliate against. Even if they did they wouldn't do anything because these jokers are either in China, N. Korea or Russia. A military response is totally out of the question as we will see.

Just get ready for more shortages and be prepared to pay a lot more for everything.

I agree there will not be overt retaliation, or it will be inadequate.

But with the right thinking in the .gov – which is possible because there are plenty of very smart and very tough people still in there despite what may have happened at the political level – things could be done, and done in such a way as to strongly discourage the next / remaining dudes who think they can get away with this type of thing. And most of us will never know about it, which is fine - no need to make a fuss.

Caballoflaco
05-11-2021, 05:46 PM
farscott how are things looking up north? Down here in the ‘ham half the stations are sold out and there are lines into the streets at the stations that still have gas. The temporary panic has set in, I think the last time I saw lines like this was right before hurricane Ivan hit.

HeavyDuty
05-11-2021, 06:13 PM
farscott how are things looking up north? Down here in the ‘ham half the stations are sold out and there are lines into the streets at the stations that still have gas. The temporary panic has set in, I think the last time I saw lines like this was right before hurricane Ivan hit.

… and finally I know where away, away, away, down is located.

SD
05-11-2021, 07:08 PM
Can anyone tell me the whereabouts of Justin Trudeau during the cyber attack? Maybe he is sending the President a message on the importance of the Keystone?

farscott
05-11-2021, 07:40 PM
@farscott (https://pistol-forum.com/member.php?u=2197) how are things looking up north? Down here in the ‘ham half the stations are sold out and there are lines into the streets at the stations that still have gas. The temporary panic has set in, I think the last time I saw lines like this was right before hurricane Ivan hit.

So far, we still have gas. Prices have increased by a dime overnight, lines are getting long, but not much in the way of shortages. I expect we will see $3.50 per gallon of regular in the next few days if the pipeline is not operational.

Looks like I spoke too soon. Just heard from one of my team that two stations he stopped at were out of fuel.

Joe in PNG
05-11-2021, 07:51 PM
The worst part about having to relive the Carter Years is that the music we have now really sucks.
At least we had Steely Dan, the Who, Pink Floyd, Marvin Gaye, and similar to get us through the Malaise. Heck, I'd even take the BeeGees over the modern tripe.

DrkBlue
05-11-2021, 09:48 PM
Can anyone tell me the whereabouts of Justin Trudeau during the cyber attack? Maybe he is sending the President a message on the importance of the Keystone?

The Albertans are celebrating the East Coasters freaking out. It also puts Michigan Gov. Gretchen Whitmer in a terrible spot on her threat to shutdown the Enbridge Line 5 crude oil supply to the East Coast. https://www.detroitnews.com/story/news/local/michigan/2021/05/11/refinery-workers-protest-against-line-5-closure-deadline-looms/4996179001/

As for cyber speculation, I would suggest focusing on the government recommendations to prevent ransomware. No indications that Colonial was that special, just not serious. Many government agencies are failing too, City of Tulsa quite recently.

2020 incident - https://us-cert.cisa.gov/ncas/alerts/aa20-049a
Colonial - https://us-cert.cisa.gov/ncas/alerts/aa21-131a

OlongJohnson
05-11-2021, 10:08 PM
In TX, some people are filling up, even though we're at the supply end of the pipeline where the product that can't be shipped will pile up with nowhere to go.

Default.mp3
05-11-2021, 11:35 PM
A pretty old read, but one that I think of often: https://spectrum.ieee.org/telecom/security/its-time-to-write-the-rules-of-cyberwar

Some more recent ponderings: https://spectrum.ieee.org/podcast/telecom/security/is-cyberwar-war

That being said, I find it totally believable that this is not the act of a state, but merely folks out to make a buck. Ransomware attacks have been rising globally; it was only a matter of time before someone ended up hitting too big a target.

mtnbkr
05-12-2021, 04:28 AM
I'm nearly 5 years out of actual security operations (previously ran a global SOC) and am currently involved in pre-sales governance and new product launch. It just so happens one of the security service launches I'm involved in is a new Operational Technology Threat Monitoring service. Talk about relevant and timely...

Chris

Stephanie B
05-12-2021, 05:01 AM
So after my first thought of "Oh Hell!", my mind immediately went to thoughts of what kind of punishment would fit this crime, assuming they actually could catch someone?

Is this considered terrorism?

More like piracy or extortion. But I like the idea of deeming this “cyber-piracy”.

trailrunner
05-12-2021, 05:54 AM
https://wtop.com/dc/2021/05/ransomware-gang-threatens-release-of-dc-police-records/

The DC Police Department was hit by ransomware. According to this article, the criminals wanted $4M, and the PD offered $100k. The criminals turned down that offer, and released the personnel files of 20 officers. The school district my wife works in was hit last year. After the initial news came out, it got very quiet. I don't know if the county ever paid or not, but I'm starting to get the impression that a lot of the ransom demands are paid. I understand the bad position that the people are in, but if they keep getting paid, the criminals will continue to do this. Criminal prosecutions seem very rare.

At what point are the software developers responsible for this? I'm sure some attacks are enabled by weak security, but if the hackers are exploiting vulnerabilities in the OS, shouldn't the Microsofts of the world be liable for some damages? Yeah, the end user license probably absolves them of responsibility. Is it truly impossible to build a bulletproof system?

Hambo
05-12-2021, 06:08 AM
The only good hacker is a ...

I'll bring the shovels.

mtnbkr
05-12-2021, 06:20 AM
At what point are the software developers responsible for this? I'm sure some attacks are enabled by weak security, but if the hackers are exploiting vulnerabilities in the OS, shouldn't the Microsofts of the world be liable for some damages? Yeah, the end user license probably absolves them of responsibility. Is it truly impossible to build a bulletproof system?

There is possibly that, but there's also user and admin behaviors involved. Users click things they shouldn't, admins don't use good security practices, the wrong tools are used because it's convenient or because a sales person was nice to them, etc.

It's not possible to build a completely bulletproof system if the human element continues to poke holes in the security model.

ETA: Vulnerabilities are an unavoidable thing. New exploits, newly designed weaknesses, etc come out all the time. What was an unbreakable cypher a decade ago is now so weak you shouldn't use it (but the admin selects it anyway). It takes layered security and an informed user to mitigate this. You also can't stop just because it's secure enough today. You have to always be keeping up with trends, exploits, and the vulnerabilities being discovered in your tools. Everybody hates doing updates, but if you don't, you'll find yourself vulnerable to things that were patched weeks, months, even years ago and are now being exploited by any "hacker" with an internet connection.

Chris

trailrunner
05-12-2021, 06:59 AM
There is possibly that, but there's also user and admin behaviors involved. Users click things they shouldn't, admins don't use good security practices, the wrong tools are used because it's convenient or because a sales person was nice to them, etc.

It's not possible to build a completely bulletproof system if the human element continues to poke holes in the security model.

ETA: Vulnerabilities are an unavoidable thing. New exploits, newly designed weaknesses, etc come out all the time. What was an unbreakable cypher a decade ago is now so weak you shouldn't use it (but the admin selects it anyway). It takes layered security and an informed user to mitigate this. You also can't stop just because it's secure enough today. You have to always be keeping up with trends, exploits, and the vulnerabilities being discovered in your tools. Everybody hates doing updates, but if you don't, you'll find yourself vulnerable to things that were patched weeks, months, even years ago and are now being exploited by any "hacker" with an internet connection.

Chris

Thanks for your insight. It just seems like a lot of burden is placed on the end user, rather than the software developer. If the software was perfect when it was released, then updates wouldn't be required. I know that will never happen, so the process we have now is one that requires continued updates and patches and layers. I am way, way out of my field on this, but it just seems like a lot of responsibility is placed on the end user. But maybe it isn't that hard to keep up. I dunno. I guess I don't know if these hacks are occurring against systems that are completely updated and have all possible defenses in place, or if only the out of date systems are being hacked.

mtnbkr
05-12-2021, 07:14 AM
Thanks for your insight. It just seems like a lot of burden is placed on the end user, rather than the software developer.
Ultimately the user is the last line of defense. Don't click strange links or open documents/files you aren't expecting.


If the software was perfect when it was released, then updates wouldn't be required.
That's not possible with anything created by man. Additionally, vulnerabilities are introduced at all levels. The code written by the application developer may be perfect, but the libraries he used were flawed. Or the hardware introduces weaknesses. Or the admin implemented it poorly. I can buy the best firewall in the world, but if I install it with a crappy ruleset, who is ultimately at fault? If I give everyone admin rights and no training, is it Microsoft's fault or mine or the user's?

Also, what is impossible today with today's computing capabilities becomes easy when Moore's Law takes effect. DES used to be a strong(ish) cypher. Now it might as well be an open door.


I know that will never happen, so the process we have now is one that requires continued updates and patches and layers. I am way, way out of my field on this, but it just seems like a lot of responsibility is placed on the end user. But maybe it isn't that hard to keep up. I dunno. I guess I don't know if these hacks are occurring against systems that are completely updated and have all possible defenses in place, or if only the out of date systems are being hacked.
It's hard and not hard to keep up with. It's not hard to "do the right thing" in terms of user behavior. But, it is hard to develop strong systems and keep them updated. It takes effort and awareness and is seen as outside the core mission of most organizations.

It's a team responsibility and no one player can relax their standards or awareness. Organizations need to understand and accept that security is a key competency for every organization, even those that don't think they have anything worth protecting (degrees of separation and all, the mom & pop shop might have Kevin Bacon's agent's daughter's phone number). Personally, I'd love to see more standards with teeth like HIPAA or the various non-medical privacy standards become formalized into law so organizations start taking this stuff seriously. It's just "data" to the muggles, but it's your personal data, mine, and everyone else's at risk. As a FedGov employee, how many years of free credit monitoring do you now have as a result of poor security? I haven't been in the FedGov space in over a decade and I'm still impacted by some of the breaches that take place in that space. :mad:

Chris

Half Moon
05-12-2021, 07:15 AM
https://wtop.com/dc/2021/05/ransomware-gang-threatens-release-of-dc-police-records/

At what point are the software developers responsible for this? I'm sure some attacks are enabled by weak security, but if the hackers are exploiting vulnerabilities in the OS, shouldn't the Microsofts of the world be liable for some damages? Yeah, the end user license probably absolves them of responsibility. Is it truly impossible to build a bulletproof system?

There's blame enough to spread around. A lot of attacks would be prevented or mitigated by corporate admins using the tools and best practices that have been at hand for a lot of years. The problem is best practices are hard. They're inconvenient. They require investing time and money into activities that are not visibly contributing to day to day revenue to defend against what executive management frequently sees as black swan risks. They require monitoring and tuning and can sometimes cause issues for end users. There is always a balance to strike between usability and security, but the bias is almost always towards usability. It creates less friction and consumes less resources. In a lot of ways developers are less the issue, today, than CEOs, CFOs, and your own IT team.

trailrunner
05-12-2021, 07:26 AM
Ultimately the user is the last line of defense. Don't click strange links or open documents/files you aren't expecting.

That's sort of what I'm getting at - why is the system vulnerable to me clicking a strange link? Why is it my responsibility to detect a genuine email or a legitimate attachment? If a system can be compromised that easily, maybe it's the system's fault?

I'm sincerely asking these questions and not trying to poke at anything or anyone. These are just questions I've had for a while. My computer science education ended in the punch-card era. I'm sure it's not as simple as I'm making it, because I know there are a lot of very smart people on the good side.

As a FedGov employee, how many years of free credit monitoring do you now have as a result of poor security? I haven't been in the FedGov space in over a decade and I'm still impacted by some of the breaches that take place in that space. :mad:

Yep, my information has been stolen several times. Not only me, but for my family members that I had to document. I still get notices from the monitoring service. My wife gets it from when the county got hacked.

OK, you've convinced me that the next time I have to reset my password for my timesheet system, I will do it with a smile. ;)

mtnbkr
05-12-2021, 07:57 AM
That's sort of what I'm getting at - why is the system vulnerable to me clicking a strange link? Why is it my responsibility to detect a genuine email or a legitimate attachment? If a system can be compromised that easily, maybe it's the system's fault?
My company puts all employees through regular training to detect these sorts of attacks. They're generally quite easy to spot. But, a perfectly written piece of software can be vulnerable to poor implementation or lax user environment standards.

Think of it this way, your entire enterprise IT environment is set up to a reasonable standard, but VP Snowflake demands admin access on his workstation so he can install whatever he wants whenever he wants. A direct violation of policy, but he's VP Snowflake, so he compels the poor IT guy to make it happen. VP Snowflake then gets a Spearphishing/Whaling email containing a suspicious file. Because he's important and doesn't do his yearly user security training, he opens the email, opens the file that is a poorly disguised attack, and has his system compromised. Because he's a VP, the attackers now have access to all sorts of data, as well as access to other systems. Because the organization hasn't implemented inter-system controls, such as Zero Trust (because it makes it slightly tedious for VP Snowflake to get to a document on a server in another department), the attack starts spreading horizontally throughout the enterprise, infecting other systems. Then there is a weakness in a boundary security system between the IT environment and OT environment because the OT systems weren't designed with security in mind because they were purchased 30 years ago, not intended to be connected to the IT network, and haven't been replaced because "we can't afford the investment or downtime". Now the attacker has access to systems that can actually impact human safety or critical operations...

That's not science fiction, but how it happens day in, day out. An easy mitigation would be to not allow VP Snowflake to have admin rights and to enforce user security training even for the "important" people. Not connecting OT to IT or making sure there are strong controls and monitoring in place would reduce the risk.


I'm sincerely asking these questions and not trying to poke at anything or anyone. These are just questions I've had for a while. My computer science education ended in the punch-card era. I'm sure it's not as simple as I'm making it, because I know there are a lot of very smart people on the good side.
Things have changed very significantly in the last decade alone. The stakes have increased and technology is being weaponized like never before. I'm starting to see why there are prohibitions against computers in the Battlestar Galactica and Dune universes. You can't hack what isn't connected. :)

Chris
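The scenario above ends at the boundary between the IT network and the OT network, and the mitigation named is strong controls at that boundary. As an added example (my own code, not anything posted in this thread or belonging to Colonial or any vendor), here is a small audit that reads a firewall ruleset and flags any permit rule that opens a path from the IT zone into OT outside a single sanctioned jump host, plus any rule that gives OT hosts unrestricted egress. The zones, addresses, and rules are all constructed and hypothetical.

```python
"""Audit a firewall ruleset for IT-to-OT paths outside the sanctioned jump host.

Constructed, hypothetical example: the zones, addresses, rule names and the
jump-host allowlist below are invented for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: str    # "any" or a port number as a string
    action: str  # "permit" or "deny"


# Hypothetical address plan for the three zones.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("10.30.0.0/16"),
}

# The only sanctioned way into OT: one hardened admin workstation, to the
# OT jump host, on one port. Everything else from IT into OT is a finding.
ALLOWED_OT_ENTRY = {
    "sources": {ip_network("10.10.50.10/32")},
    "dst": ip_network("10.30.0.5/32"),
    "ports": {"22"},
}

ANY = ip_network("0.0.0.0/0")

# Constructed ruleset. Rules are evaluated individually here; a real audit
# would also account for first-match ordering and shadowed rules.
RULES = [
    Rule("admin-to-jump", "10.10.50.10/32", "10.30.0.5/32", "22", "permit"),
    Rule("historian-sync", "10.10.0.0/16", "10.30.0.0/16", "any", "permit"),
    Rule("vp-laptop-smb", "10.10.77.23/32", "10.30.0.0/16", "445", "permit"),
    Rule("ot-internet", "10.30.0.0/16", "0.0.0.0/0", "any", "permit"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]


def covers_zone(cidr: str, zone: str) -> bool:
    """True if the CIDR can contain hosts of the named zone (0.0.0.0/0 covers all)."""
    return ip_network(cidr).overlaps(ZONES[zone])


def is_sanctioned_entry(rule: Rule) -> bool:
    """True only for the exact admin-workstation -> jump-host -> port combination."""
    return (
        ip_network(rule.src) in ALLOWED_OT_ENTRY["sources"]
        and ip_network(rule.dst) == ALLOWED_OT_ENTRY["dst"]
        and rule.port in ALLOWED_OT_ENTRY["ports"]
    )


def audit(rules):
    """Return a list of (rule name, reason) for every rule that weakens the IT/OT boundary."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if covers_zone(r.src, "IT") and covers_zone(r.dst, "OT") and not is_sanctioned_entry(r):
            findings.append((r.name, "IT-to-OT path outside the jump-host allowlist"))
        if covers_zone(r.src, "OT") and ip_network(r.dst) == ANY:
            findings.append((r.name, "OT zone has unrestricted egress"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```

With the constructed ruleset, the sanctioned admin-to-jump rule passes and the three other permits are reported: the wide historian sync, the single laptop with SMB into OT, and the OT-to-anywhere egress rule. The point is that a boundary control is only as strong as the broadest rule that crosses it, which is exactly the gap the post describes.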

littlejerry
05-12-2021, 08:14 AM
In a private business there is often a struggle between IT and the rest of the Org. IT can easily lock everything down and make it 99% secure, but then no one can actually do their job. It's a careful balance between letting people do their job quickly and with autonomy vs. taking no risk and slowing down the entire business.

Unfortunately there's no good answer. As tempting as it is to say we'll just lock everything down and remove all privileges, it's not in any way practical. That type of strategy makes the Fed Govt look lean and fast.

whomever
05-12-2021, 08:16 AM
... Is it truly impossible to build a bulletproof system?

It's pretty hard:

1) Why do people escape from prison? Why not build escape proof prisons? And the answer, of course, is that prisoners get to sit there year after year thinking up that one complicated improbable way out. The designer has to think of all possible attacks up front.

2) Even with a perfect design, doing bug free software is hard, as in expensive. I have toured the Boeing avionics dev facility, and the rigorousness of their testing almost makes even a long time computer nerd willing to fly in their planes :-). But people don't want to pay the costs to put that kind of QA into the next release of their browser or Candy Crush app.

For one example, security cameras are usually a huge security hole. Today they typically run a linux kernel that is never patched (if you have one, when did you last apply security patches? ... right, never, the manufacturer doesn't even publish them).

So, for example, our security cameras are hard wired to the DVR/controller box, but that isn't connected to any other network. But that's not how people run them, they want to be able to see the video on their phones, etc, so they connect the security cams to their wifi, and now you have a bunch of unpatched systems running inside your firewall.

3) As mentioned above, people click on links, etc. The more sophisticated attackers will e.g. look at the corporate org chart, and the hacked link will come in an email that is ostensibly from your boss.

4) My 2 cents (with the disclaimer that I was a computer nerd, not a security specialist): you can't make any single piece of software hackproof. You can make the system as a whole harder to compromise in a bad way. For example, I'm typing this on my 'general purpose' computer that I use for 97% of things ... but not for financial stuff. If someone slips in a funny cat video with a zero day exploit, this machine will get hacked. I keep an older (hardware older, software up to date) linux box that is only powered on when I'm messing with money - online banking or the brokerages that have retirement money. That box never goes to p-f or LOLCats dot com or whatever, only to the financial places. So that's less convenient, but more secure. That's the usual tradeoff.

Nothing is perfect - Stuxnet spent a couple of years, IIRC, to get across the air gap - but if the process control stuff in your industrial facility can be controlled from a general purpose computer where a bored graveyard shift guy is surfing lolcats sites, or clicking on random email spam, that's a risk you can avoid.

5) The place I worked had a couple of people whose full time job was to monitor for important exploits and decide whether getting out the patch on next week's regular update cycle was good enough, or if we needed everyone to drop what they were doing and help patch everything today. They had spent the money to be able to patch a few thousand systems overnight if they had to. They spent the money to put minimal configurations on everything, i.e. each box only ran the software needed for its limited role, instead of every box running the whole suite of stuff the OS vendor enabled by default. They spent the money to have tightly controlled firewalls. They spent the money to do careful monitoring of logs and so on so hacking attempts would get noticed.

All that is hard to do if you just have one poor sysadmin at AcmeCorp trying to keep up with everything on his own.

It's sort of like 'why don't we all keep our guns in theft proof places'. And there is a big range of 'theft proof', from 'in the glove box parked on the street' to 'in a Stack-On box screwed to the studs' to 'in a TL-30 safe in a house with a monitored alarm' to 'in a bank vault' to 'in Fort Knox' (the place, not the brand of safe). AFAIK, Fort Knox is the only one of those that has never been successfully broken into. But most of us have to settle for something cheaper. Which doesn't mean the glovebox is smart :-).
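Point 5 above, and mtnbkr's earlier post on layered security and keeping up, both come down to someone actually watching the logs so an attack gets noticed while it is still small. As an added example (my own code, not anything from this thread or from any product), here is a detector for the most visible thing ransomware does on a file share: one account renaming many files to an unfamiliar extension in a short window. The log line format, host names, user names and file paths are all constructed for the example; a real deployment would read a file server's audit log in whatever format it emits.

```python
"""Flag bursts of renames to unfamiliar extensions in constructed file-server audit logs.

Everything here is a constructed illustration: the log format, hosts, users,
paths and thresholds are invented, not taken from any real product or incident.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp>Z host=<h> user=<u> op=<op> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"
)

# Extensions normally seen on the share; anything else counts as unfamiliar.
KNOWN_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg"}
WINDOW = timedelta(seconds=60)  # sliding window per (host, user)
THRESHOLD = 20                  # unfamiliar-extension renames inside WINDOW


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(lines):
    """Return one alert per (host, user) whose rename burst crosses THRESHOLD."""
    recent = defaultdict(deque)  # (host, user) -> timestamps inside the window
    alerts, alerted = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] != "rename" or extension(ev["path"]) in KNOWN_EXT:
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


def make_rename_lines(user, host, n, gap_seconds, ext=".locked"):
    """Constructed helper: n renames to an unfamiliar extension, gap_seconds apart."""
    base = datetime(2021, 5, 7, 3, 12, 0)
    return [
        f"{(base + timedelta(seconds=i * gap_seconds)).isoformat()}Z "
        f"host={host} user={user} op=rename path=/share/finance/report{i}.xlsx{ext}"
        for i in range(n)
    ]


def sample_log():
    """Constructed log: normal activity from jdoe interleaved with a 25-file burst."""
    benign = [
        "2021-05-07T03:11:58Z host=ws-hr04 user=jdoe op=rename path=/share/hr/plan.docx",
        "2021-05-07T03:12:03Z host=ws-hr04 user=jdoe op=write path=/share/hr/plan.docx",
        "2021-05-07T03:12:09Z host=ws-hr04 user=jdoe op=rename path=/share/hr/draft.tmp",
        "this line is malformed and should be skipped",
    ]
    burst = make_rename_lines("vsnowflake", "ws-vp01", 25, 1)
    return benign[:2] + burst[:10] + benign[2:] + burst[10:]


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(f"{a['host']} {a['user']}: {a['count']} unfamiliar renames "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed log the single benign rename to a `.tmp` file stays well under the threshold and jdoe never fires, while the burst from the one workstation trips the alert on its twentieth rename, about twenty seconds in. The same 25 renames spread ten seconds apart never have twenty inside one sixty-second window and produce nothing, which is the trade-off every threshold carries: slower encryption is harder to catch this way, so this sits beside, not instead of, the minimal configurations and tight firewalls in the post.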

mtnbkr
05-12-2021, 08:47 AM
Another point, related to the one previously made about Y2K...

If you do everything correct and the environment is never compromised, never suffers and outage, and always just "works", guess what?

Your IT department gets slashed because why do you need such an expensive team when nothing goes wrong?

Y2K was like that. Folks in my line of work put in a LOT of work to patch everything, update code, etc. The end result was...nothing. Virtually everything worked. As a result, "experts" today claim Y2K was a big overreaction. Oh really? :mad:

Damned if you do, damned if you don't.

Chris

DC_P
05-12-2021, 08:49 AM
The only good hacker is a ...

Send in James Reece and Raife Hastings for a HAHO from a Gulfstream.

Chance
05-12-2021, 09:55 AM
Related news today, from Wall Street Journal (https://www.wsj.com/articles/energy-tech-firm-hit-in-ransomware-attack-11620764034):

Volue ASA, a Norwegian company that provides technology to European energy and infrastructure firms, is working to restore critical software services to customers after a ransomware attack on May 4 and 5, days before Colonial Pipeline Co. disclosed a ransomware attack that shut down the largest fuel pipeline in the U.S.

Ransomware shut down Volue's applications providing infrastructure to water and wastewater facilities in 200 Norwegian municipalities, covering around 85% of the country’s population. Seeking to prevent the ransomware from spreading to other computer systems, the company shut down all other applications that it hosts and quarantined around 200 employee devices. Volue says it has 2,000 customers in 44 countries.

Unfortunately, the full article is behind WSJ's paywalled-paywall (they have lots of paywalls...), so I don't have many details.

whomever
05-12-2021, 10:28 AM
"In a private business there is often a struggle between IT and the rest of the Org. IT can easily lock everything down and make it 99% secure, but then no one can actually do their job."

Indeed. Kevin Mitnick relates a hack in one of his books: the attackers wanted to send a fax from inside the corporate system. So they dress someone up in a suit with a briefcase and he walks around the corp. headquarters for a while. Then he comes out in the lobby, rushing like he's late for a flight or something, stops at the door, and goes back to the lobby receptionist. His story is he's running late for a flight and forgot to fax/scan/whatever something for the multimillion dollar Acme deal. Well, receptionists are generally selected to be helpful to harried executives, so she volunteers to fax/scan/whatever it for him ... on the company network. And of course, whoever got the fax/scan/whatever assumed it was legit, because it came through the corporate system.

Now, you can say 'well, we need to train company receptionists to treat everyone like hostile attackers'. But that isn't cost free ... more often than not, it will be a perfectly legit request and if the receptionist refuses to send it, you will miss out on some of the Acme deals. This is a classic problem in places where security really matters, like intelligence agencies. You can compartmentalize things so tight that one hand doesn't know what the other is doing. It may be worth the cost, or not, but it is a cost. Or, one reason that the Manhattan Project got a working bomb before the war ended was that, at Los Alamos, they were really loose with compartmentalization, so open collaboration sped everything up. And that came at the cost that some fairly junior people could spill the beans to the Soviets. Tradeoffs everywhere.

Stephanie B
05-12-2021, 04:31 PM
The only good hacker is a ...


I'll bring the shovels.

I'll swing by the garden supply place and pick up a bag of quicklime.

Stephanie B
05-12-2021, 04:34 PM
I knew a law firm that had an isolated intranet. If you wanted to do research or email, you went to the computer room and used computers that were dedicated for those uses.

Caballoflaco
05-12-2021, 04:39 PM
Looks like they’re starting to bring everything back online.


Colonial Pipeline says it is restarting operations

By Will Englund
Colonial Pipeline announced that it has launched the restart of pipeline operations as of about 5 p.m. Eastern time. The company said “it will take several days for the product delivery supply chain to return to normal.” There will probably continue to be service interruptions. “Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal,” the company said.

https://www.washingtonpost.com/business/2021/05/12/gas-shortage-colonial-pipeline-live-updates/#link-YSZIV3VX35AEDFEUW4EPOAGSGM

Hambo
05-12-2021, 05:22 PM
I'll swing by the garden supply place and pick up a bag of quicklime.

I knew we could count on you! :D

blues
05-12-2021, 05:32 PM
https://imgflip.com/s/meme/Waiting-Skeleton.jpg

"I've got a bad feeling in my bones about this..."

Stephanie B
05-12-2021, 06:38 PM
I'll swing by the garden supply place and pick up a bag of quicklime.


I knew we could count on you! :D

Seems that using lime isn't a good idea (https://pubmed.ncbi.nlm.nih.gov/22030481/).

Hambo
05-12-2021, 06:41 PM
Seems that using lime isn't a good idea (https://pubmed.ncbi.nlm.nih.gov/22030481/).

I'm not reading that. How about we just pay off a friendly homicide investigator who just did 20 hours in uniform directing traffic at a gas station?

Wondering Beard
05-12-2021, 06:45 PM
Things are looking up!


https://twitter.com/Breaking911/status/1392578567712739337/photo/1

ccmdfd
05-12-2021, 07:32 PM
I'm not reading that. How about we just pay off a friendly homicide investigator who just did 20 hours in uniform directing traffic at a gas station?

I can get my hands on a backhoe, and maybe even an excavator.

Or

King Mackerel season is right around the corner and those fish love chum. We could go all Fargo on the perps and feed them to the Kings.

mtnbkr
05-12-2021, 07:43 PM
Things are looking up!


https://twitter.com/Breaking911/status/1392578567712739337/photo/1

tempted. :D

Chris

Stephanie B
05-12-2021, 07:51 PM
Things are looking up!


https://twitter.com/Breaking911/status/1392578567712739337/photo/1

Somewhere, I read that a 2018 cyber security audit of them found that they were basically abysmal.

ETA: AP story on that (https://t.co/uRj1iZgtJ9).

Wise_A
05-12-2021, 08:02 PM
That isn’t the flip side. This is a national security crisis. They aren’t ransoming something like further production of Oreo cookies causing some Americans minor inconvenience. It’s a disruption of energy delivery which can be catastrophic. The flip side would be the US nationalizing energy and the power grid. That would be the flip side of having private companies operate while being protected by the US.

“The government should spend tax dollars to conduct extrajudicial murders of people that disrupt business interests."

Yes, agreed, true fact. America has been doing exactly that and protecting American interest since 1798. It’s one of the reasons we have a global military force currently deployed.

Thanks for the deliberate mis-quote, and I guess subtlety is a lost art.

As an aside, no, killing foreign nationals and expecting it to accomplish anything is a non-starter. For it to work, you'd have to tell people about it. And if you're telling people you're going around popping foreign nationals that irritate you, you're in Putin/Kim territory. Remember the backlash over the Pakistan drone strikes? That times a hundred. Plus, what happens when you have to kill some dudes in London or Paris? It's a great idea if you read too many Tom Clancy novels, otherwise the problems are plainly obvious. Foreign intervention in defense of strategic interests works when you're parking slugs in the brainpans of the particular individuals that are causing the problem. It doesn't work as a deterrent. And expecting that you're going to just deter the entire world is foolish.

If you want to deal with the problem, you have to make it undesirable to support or abet these enterprises. And that is kind've a non-starter so long as people place cheap consumer goods above national security.

Shoresy
05-12-2021, 08:11 PM
I'll bring the shovels.


https://www.youtube.com/watch?v=D8avWJIwyxY


Things are looking up!


https://twitter.com/Breaking911/status/1392578567712739337/photo/1

Makes you wonder... sometimes you get the competent IT folks who fight the good fight against bad practices, and sometimes you get the Equifax Special (someone completely unqualified to work in the field much less set policy and make decisions).

CleverNickname
05-12-2021, 09:06 PM
Things are looking up!
https://twitter.com/Breaking911/status/1392578567712739337/photo/1
Gotta wonder if this is a new position or a newly vacant one.

Chance
05-12-2021, 10:01 PM
From the Associated Press (https://apnews.com/article/va-state-wire-technology-business-1f06c091c492c1630471d29a9cf6529d):


An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.

mark7
05-12-2021, 10:29 PM
Things are looking up!


https://twitter.com/Breaking911/status/1392578567712739337/photo/1


Dominion?

medmo
05-12-2021, 11:21 PM
Thanks for the deliberate mis-quote, and I guess subtlety is a lost art.

As an aside, no, killing foreign nationals and expecting it to accomplish anything is a non-starter. For it to work, you'd have to tell people about it. And if you're telling people you're going around popping foreign nationals that irritate you, you're in Putin/Kim territory. Remember the backlash over the Pakistan drone strikes? That times a hundred. Plus, what happens when you have to kill some dudes in London or Paris? It's a great idea if you read too many Tom Clancy novels, otherwise the problems are plainly obvious. Foreign intervention in defense of strategic interests works when you're parking slugs in the brainpans of the particular individuals that are causing the problem. It doesn't work as a deterrent. And expecting that you're going to just deter the entire world is foolish.

If you want to deal with the problem, you have to make it undesirable to support or abet these enterprises. And that is kind've a non-starter so long as people place cheap consumer goods above national security.

I apologize if I misquoted, nothing intentional. Attacking a sovereign nation’s infrastructure, regardless of motive, in any manner, be it digital or analog, be the perpetrator another sovereign nation or a private group, is an act of war. The response should be equal to an act of war. Would you think differently if a group shut down a major oil pipeline within the US with explosives? Again, I can’t imagine this group or any other group choosing to commit this type of act against an energy provider in Israel. Bringing to justice the perpetrators, foreign or national, is the best deterrent. Also, no Clancy or Clancy-ish novels in my library.

Chance
05-14-2021, 12:37 PM
From Wall Street Journal (https://www.wsj.com/articles/colonial-pipeline-expects-to-fully-restore-service-thursday-following-cyberattack-11620917499):


Colonial Pipeline Co. paid a ransom to the criminal hackers who caused the company to shut down the country’s largest conduit of fuel, according to people familiar with the matter, a payment that allowed the firm to obtain decryption tools to try to unlock its computer systems.

The ransom, paid in cryptocurrency, was approximately $5 million at the time of the transaction, one of the people familiar with the matter said.

....

Bloomberg reported earlier Thursday that Colonial had paid the hackers a sum of nearly $5 million, and that the decryption tool ultimately wasn’t effective in restoring operations. Instead, Colonial was able to recover by relying on system backups, Bloomberg reported.

The decryption tool not working is interesting. Companies will have no incentive to pay ransoms if they have no real expectation they'll be able to get their data back.

blues
05-14-2021, 02:03 PM
I think hunting down and annihilating the scum (clandestinely) is a much better policy.

But that's why I'm not in the business.

Tabasco
07-31-2021, 08:52 PM
Really good reading if you're interested:

https://smile.amazon.com/gp/product/1476763267/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1