
Thread: U.S. oil pipeline shut down by ransomware

  1. #51
    A pretty old read, but one that I think of often: https://spectrum.ieee.org/telecom/se...es-of-cyberwar

    Some more recent ponderings: https://spectrum.ieee.org/podcast/te...s-cyberwar-war

    That being said, I find it totally believable that this is not the act of a state, but merely folks out to make a buck. Ransomware attacks have been rising globally; it was only a matter of time before someone ends up potentially hitting too big a target.

  2. #52
    Site Supporter
    Join Date
    Aug 2014
    Location
    Northern Virginia
    I'm nearly 5 years out of actual security operations (previously ran a global SOC) and am currently involved in pre-sales governance and new product launch. It just so happens one of the security service launches I'm involved in is a new Operational Technology Threat Monitoring service. Talk about relevant and timely...

    Chris

  3. #53
    Revolvers Revolvers 1911s Stephanie B's Avatar
    Join Date
    Mar 2014
    Location
    East 860 by South 413
    Quote Originally Posted by ccmdfd View Post
    So after my first thought of "Oh Hell!", my mind immediately went to thoughts of what kind of punishment would fit this crime, assuming they actually could catch someone?

    Is this considered terrorism?
    More like piracy or extortion. But I like the idea of deeming this “cyber-piracy”.
    If we have to march off into the next world, let us walk there on the bodies of our enemies.

  4. #54
    Member
    Join Date
    Nov 2013
    Location
    northern Virginia
    https://wtop.com/dc/2021/05/ransomwa...olice-records/

    The DC Police Department was hit by ransomware. According to this article, the criminals wanted $4M, and the PD offered $100k. The criminals turned down that offer, and released the personnel files of 20 officers. The school district my wife works in was hit last year. After the initial news came out, it got very quiet. I don't know if the county ever paid or not, but I'm starting to get the impression that a lot of the ransom demands are paid. I understand the bad position that the people are in, but if they keep getting paid, the criminals will continue to do this. Criminal prosecutions seem very rare.

    At what point are the software developers responsible for this? I'm sure some attacks are enabled by weak security, but if the hackers are exploiting vulnerabilities in the OS, shouldn't the Microsofts of the world be liable for some damages? Yeah, the end user license probably absolves them of responsibility. Is it truly impossible to build a bulletproof system?

  5. #55
    Site Supporter Hambo's Avatar
    Join Date
    Aug 2014
    Location
    Behind the Photonic Curtain
    Quote Originally Posted by blues View Post
    The only good hacker is a ...
    I'll bring the shovels.
    "Gunfighting is a thinking man's game. So we might want to bring thinking back into it."-MDFA

  6. #56
    Site Supporter
    Join Date
    Aug 2014
    Location
    Northern Virginia
    Quote Originally Posted by trailrunner View Post
    At what point are the software developers responsible for this? I'm sure some attacks are enabled by weak security, but if the hackers are exploiting vulnerabilities in the OS, shouldn't the Microsofts of the world be liable for some damages? Yeah, the end user license probably absolves them of responsibility. Is it truly impossible to build a bulletproof system?
    There is possibly that, but there's also user and admin behaviors involved. Users click things they shouldn't, admins don't use good security practices, the wrong tools are used because it's convenient or because a sales person was nice to them, etc.

    It's not possible to build a completely bulletproof system if the human element continues to poke holes in the security model.

    ETA: Vulnerabilities are an unavoidable thing. New exploits, newly designed weaknesses, etc come out all the time. What was an unbreakable cypher a decade ago is now so weak you shouldn't use it (but the admin selects it anyway). It takes layered security and an informed user to mitigate this. You also can't stop just because it's secure enough today. You have to always be keeping up with trends, exploits, and the vulnerabilities being discovered in your tools. Everybody hates doing updates, but if you don't, you'll find yourself vulnerable to things that were patched weeks, months, even years ago and are now being exploited by any "hacker" with an internet connection.

    Chris

  7. #57
    Member
    Join Date
    Nov 2013
    Location
    northern Virginia
    Quote Originally Posted by mtnbkr View Post
    There is possibly that, but there's also user and admin behaviors involved. Users click things they shouldn't, admins don't use good security practices, the wrong tools are used because it's convenient or because a sales person was nice to them, etc.

    It's not possible to build a completely bulletproof system if the human element continues to poke holes in the security model.

    ETA: Vulnerabilities are an unavoidable thing. New exploits, newly designed weaknesses, etc come out all the time. What was an unbreakable cypher a decade ago is now so weak you shouldn't use it (but the admin selects it anyway). It takes layered security and an informed user to mitigate this. You also can't stop just because it's secure enough today. You have to always be keeping up with trends, exploits, and the vulnerabilities being discovered in your tools. Everybody hates doing updates, but if you don't, you'll find yourself vulnerable to things that were patched weeks, months, even years ago and are now being exploited by any "hacker" with an internet connection.

    Chris
    Thanks for your insight. It just seems like a lot of burden is placed on the end user, rather than the software developer. If the software was perfect when it was released, then updates wouldn't be required. I know that will never happen, so the process we have now is one that requires continued updates and patches and layers. I am way, way out of my field on this, but it just seems like a lot of responsibility is placed on the end user. But maybe it isn't that hard to keep up. I dunno. I guess I don't know if these hacks are occurring against systems that are completely updated and have all possible defenses in place, or if only the out of date systems are being hacked.

  8. #58
    Site Supporter
    Join Date
    Aug 2014
    Location
    Northern Virginia
    Quote Originally Posted by trailrunner View Post
    Thanks for your insight. It just seems like a lot of burden is placed on the end user, rather than the software developer.
    Ultimately the user is the last line of defense. Don't click strange links or open documents/files you aren't expecting.

    Quote Originally Posted by trailrunner View Post
    If the software was perfect when it was released, then updates wouldn't be required.
    That's not possible with anything created by man. Additionally, vulnerabilities are introduced at all levels. The code written by the application developer may be perfect, but the libraries he used were flawed. Or the hardware introduces weaknesses. Or the admin implemented it poorly. I can buy the best firewall in the world, but if I install it with a crappy ruleset, who is ultimately at fault? If I give everyone admin rights and no training, is it Microsoft's fault or mine or the user's?

    Also, what is impossible today with today's computing capabilities becomes easy when Moore's Law takes effect. DES used to be a strong(ish) cypher. Now it might as well be an open door.

    Quote Originally Posted by trailrunner View Post
    I know that will never happen, so the process we have now is one that requires continued updates and patches and layers. I am way, way out of my field on this, but it just seems like a lot of responsibility is placed on the end user. But maybe it isn't that hard to keep up. I dunno. I guess I don't know if these hacks are occurring against systems that are completely updated and have all possible defenses in place, or if only the out of date systems are being hacked.
    It's hard and not hard to keep up with. It's not hard to "do the right thing" in terms of user behavior. But, it is hard to develop strong systems and keep them updated. It takes effort and awareness and is seen as outside the core mission of most organizations.

    It's a team responsibility and no one player can relax their standards or awareness. Organizations need to understand and accept that security is a key competency for every organization, even those that don't think they have anything worth protecting (degrees of separation and all, the mom & pop shop might have Kevin Bacon's agent's daughter's phone number). Personally, I'd love to see more standards with teeth like HIPAA or the various non-medical privacy standards become formalized into law so organizations start taking this stuff seriously. It's just "data" to the muggles, but it's your personal data, mine, and everyone else's at risk. As a FedGov employee, how many years of free credit monitoring do you now have as a result of poor security? I haven't been in the FedGov space in over a decade and I'm still impacted by some of the breaches that take place in that space.

    Chris

  9. #59
    Quote Originally Posted by trailrunner View Post
    https://wtop.com/dc/2021/05/ransomwa...olice-records/ At what point are the software developers responsible for this? I'm sure some attacks are enabled by weak security, but if the hackers are exploiting vulnerabilities in the OS, shouldn't the Microsofts of the world be liable for some damages? Yeah, the end user license probably absolves them of responsibility. Is it truly impossible to build a bulletproof system?
    There's blame enough to spread around. A lot of attacks would be prevented or mitigated by corporate admins using the tools and best practices that have been at hand for a lot of years. The problem is best practices are hard. They're inconvenient. They require investing time and money into activities that are not visibly contributing to day to day revenue to defend against what executive management frequently sees as black swan risks. They require monitoring and tuning and can sometimes cause issues for end users. There is always a balance to strike between usability and security but the bias is almost always towards usability. It creates less friction and consumes less resources. In a lot of ways developers are less the issue, today, than CEOs, CFOs, and your own IT team.
    no one sees what's written on the spine of his own autobiography.

  10. #60
    Member
    Join Date
    Nov 2013
    Location
    northern Virginia
    Quote Originally Posted by mtnbkr View Post
    Ultimately the user is the last line of defense. Don't click strange links or open documents/files you aren't expecting.
    That's sort of what I'm getting at - why is the system vulnerable to me clicking a strange link? Why is it my responsibility to detect a genuine email or a legitimate attachment? If a system can be compromised that easily, maybe it's the system's fault?

    I'm sincerely asking these questions and not trying to poke at anything or anyone. These are just questions I've had for a while. My computer science education ended in the punch-card era. I'm sure it's not as simple as I'm making it, because I know there are a lot of very smart people on the good side.



    Quote Originally Posted by mtnbkr View Post
    As a FedGov employee, how many years of free credit monitoring do you now have as a result of poor security? I haven't been in the FedGov space in over a decade and I'm still impacted by some of the breaches that take place in that space.
    Yep, my information has been stolen several times. Not only me, but for my family members that I had to document. I still get notices from the monitoring service. My wife gets it from when the county got hacked.

    OK, you've convinced me that the next time I have to reset my password for my timesheet system, I will do it with a smile.
