EEVblog Electronics Community Forum
Products => Computers => Security => Topic started by: windsmurf on May 27, 2019, 05:38:07 am
-
https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html
-
Hacks like that will only grow in popularity.
And it seems they aren't being greedy and setting the level at something that they know they might pay just to make the hassle go away.
-
Yeah, the reasonable sum of money makes it easier for them to pay up, get this mess over with and get back to business. So the hack was probably done with profit as the goal.
Though I wonder if these bitcoins are any more difficult to spend, since places accepting payment could see they came from this transaction if the city makes the transaction ID public. That is ignoring the part about the police likely watching the flow of it to try to find the person behind this.
-
Though I wonder if these bitcoins are any more difficult to spend, since places accepting payment could see they came from this transaction if the city makes the transaction ID public. That is ignoring the part about the police likely watching the flow of it to try to find the person behind this.
They must have a way to launder the bitcoins.
-
Hacks like that will only grow in popularity.
And it seems they aren't being greedy and setting the level at something that they know they might pay just to make the hassle go away.
Doubly so when the security firms which provide ransomware solutions do so by just paying the hackers:
https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/
They must have a way to launder the bitcoins.
That is not difficult to do. The people who get caught did not bother.
-
In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc: https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html
Doesn't Baltimore install patches? Nearly two years ago Microsoft published the patch for EternalBlue, even for out-of-support XP.
-
Doesn't Baltimore install patches?
Patches were as current as their backups apparently.
Epic fail. Hopefully a few people lose their jobs.
-
Unfortunately the only people likely to lose their jobs over this are some low level people, not the people actually responsible for making the decision not to patch - or just being so ignorant as to not think about patching at all. Which, being a government job, is all too likely a scenario.
-
Unfortunately the only people likely to lose their jobs over this are some low level people, not the people actually responsible for making the decision not to patch - or just being so ignorant as to not think about patching at all. Which, being a government job, is all too likely a scenario.
Or not knowing why it should be patched at all, even though it works just fine right now. The people that make the decisions probably have no clue about technology.
These are the sort of people who push for a law to force companies running messaging apps with end-to-end encryption to hand over the users' chat logs. Then, when it is explained to them that that's impossible according to mathematics, they respond with "Well, they should hand over the logs anyway". If they could do that, what's the point of having encryption in the first place?
-
Doesn't Baltimore install patches? Nearly two years ago Microsoft published the patch for EternalBlue, even for out-of-support XP.
While it may not apply in this case, Microsoft has gained an appalling tendency to include feature updates with their patches which break things, leading to a justified distrust of patching any system unless absolutely required.
-
If it is important, it needs backups.
-
Think of their IT department and mix in electronic voting. Insert train wreck here...
-
Think of their IT department and mix in electronic voting. Insert train wreck here...
I hear Putin laughing. >:D
-
Doesn't Baltimore install patches? Nearly two years ago Microsoft published the patch for EternalBlue, even for out-of-support XP.
While it may not apply in this case, Microsoft has gained an appalling tendency to include feature updates with their patches which break things, leading to a justified distrust of patching any system unless absolutely required.
I thought Apple had a clear lead in breaking stuff with updates. >:D
-
I thought Apple had a clear lead in breaking stuff with updates. >:D
In that case you have probably not used Windows 10 yet.
-
I have had no issues with Win10 updates thus far.
There have been well-known attacks in the past that ALSO exploited holes that were long patched - the old IIS "Hacked by Chinese" and one of the SQL ones, both of which I logged hitting my systems at home many years ago, but not actually doing anything because I had long prior applied the patches.
But, you can't fix stupid - only guard against it. Fear of patches is no excuse for not having good backups. We had a client who used shared logins for a large subset of users - account names and passwords were commonly stuck on the monitor with a post-it, too - even though this was always the same user name and the password never expired. People STILL couldn't remember this - something they used literally every day at their job. In at least one case, the password was "Password". It didn't take hackers long to infiltrate when they already had a standard account to sit in and attempt other attacks. This all ended with a massive cryptolocker attack that wiped most of their systems. Despite these serious lapses in common-sense security, they DID have good backups, secured and off site. So they basically told the hackers to stuff it with their ransom demands, and they rebuilt the network from the ground up, using proper security techniques this time, and restored the data. A massive project, to be sure, but at least they learned their lesson, if only the hard way.
-
If users can't remember their login credentials they shouldn't use computers. >:D Maybe we need a "computer driving license", since it's easy to create disasters with any PC. All it takes is a highly skilled moron.
-
I have had no issues with Win10 updates thus far.
I have.
1. I start a computation which will take days and then Windows 10 helpfully reboots to apply updates wasting days of work and time. So I restart the computation and Windows 10 does it again, and again. This has been a repeating problem.
2. The Windows 10 update helpfully resets the configuration of installed programs or removes them entirely.
3. Or the update simply breaks stuff ... like being able to boot.
-
I have had no issues with Win10 updates thus far.
I have been using Win 10 for about 3 years at work because they ran out of Win 7 licenses, and a lot of the problems I had with it had to do with updates. Here are some of them:
To get some Win7 functionality back I installed a tweaker utility that changes a bit how the taskbar works. That got broken by one update and needed reinstalling.
To get more Win 7 functionality back I installed Gadgets from Win 7; a different update broke that at some point, and after some fiddling about it started working again.
At some point an update made my Win 10 machine wake up from sleep due to just moving the mouse by a fraction of a millimeter. I fixed that later on through the command prompt by disabling sleep wakeup for all devices except the keyboard. Now, about 2 years later, my keyboard doesn't wake it up anymore all of a sudden; only the power button can wake it from sleep now. I still have to go and fix that.
I had a case where I had unsaved data when I left for the day and came back the next day to an empty desktop. It decided to do an update at night while in sleep mode without asking. Any programs that show a "Do you want to save?" dialog seemed to have gotten terminated when they refused to close so that the update could begin. This is functionally the same as getting a random BSOD that forces you to reboot. To disable updates I had to dig through the registry and system services in order to kill it in a way that Windows doesn't secretly re-enable them behind my back.
Once I came to my PC and had a completely different color theme set. When I went to select my old one I found out that it's already set to it, and selecting it again did nothing. Turns out I had to select a different theme, close the settings window, open it again and then select my old theme to get it back.
At some point I came to my PC finding the default web browser changed to Edge.
At another point I noticed that Altium Designer started showing multiple windows as two separate applications in the taskbar; this behavior seems to have disappeared by now.
Etc...
-
This feature was forced in Server 2003 SP2:
https://blogs.technet.microsoft.com/onthewire/2014/01/21/tcp-offloadingchimney-rsswhat-is-it-and-should-i-disable-it/
And of course any non-production server where sp2 was tested didn't have the problem because they didn't have a high load for long enough for it to show the issue.
-
I was hit by ransomware a few years ago. It was a computer I didn't care about, but I did some research into the matter.
Never pay the hackers. Sometimes they just take the money and run (without decrypting your files). They keep their word just enough to keep people paying up. Sometimes they are unable to decrypt your files due to bugs so you get screwed anyway. There are benevolent groups who are sometimes able to reverse engineer the hacks, and make fixes. The hackers hang out in and listen to forums where people go for help.
Backup, backup, backup ...
-
I was hit by ransomware a few years ago. It was a computer I didn't care about, but I did some research into the matter.
Never pay the hackers. Sometimes they just take the money and run (without decrypting your files). They keep their word just enough to keep people paying up. Sometimes they are unable to decrypt your files due to bugs so you get screwed anyway. There are benevolent groups who are sometimes able to reverse engineer the hacks, and make fixes. The hackers hang out in and listen to forums where people go for help.
Backup, backup, backup ...
I have never had such an attack so far, but I am certainly fearful of them since it could potentially cause massive damage if it can spread through the LAN.
I back up things to a NAS server. It's a Linux machine, so much less likely to get infected itself, but it's sharing everything through Samba SMB since everything else is Windows machines. The data there is more valuable than that on the machines themselves. It would be useful to have some sort of protection mechanism that could detect malicious activity and kill the server. Something like deleting or modifying too many files in a given time window. The limit would have to be set reasonably high to avoid false positives, so it would still be able to eat some data, but losing a GB is better than losing a few TB.
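The threshold detector this post describes, written out as an added example that is not part of the original thread: it parses constructed Samba-style audit lines (the exact line layout is an assumption, loosely modelled on vfs_full_audit output) and raises an alert when one client exceeds a count of deletes, renames or overwrites inside a sliding time window; as the response it builds an smbcontrol close-share command rather than killing the whole server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Operations that destroy or rewrite data; a ransomware run is a burst of
# these from one client. Op names follow Samba's vfs_full_audit; the line
# layout below is an assumption, not the real module's exact format.
DESTRUCTIVE_OPS = {"unlinkat", "renameat", "pwrite"}

# Assumed layout: "<ISO timestamp> smbd_audit: <user>|<client ip>|<op>|<ok/fail>|<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<status>[^|]+)\|(?P<path>.*)$"
)

# Constructed sample: bob works normally; alice's client overwrites and
# renames files in quick succession (one failed attempt must not count).
SAMPLE_LOG = """\
2019-06-01T02:14:01 smbd_audit: bob|192.168.1.20|pread|ok|/docs/notes.txt
2019-06-01T02:14:03 smbd_audit: bob|192.168.1.20|pwrite|ok|/docs/notes.txt
2019-06-01T02:15:00 smbd_audit: alice|192.168.1.10|pwrite|ok|/photos/a.jpg
2019-06-01T02:15:01 smbd_audit: alice|192.168.1.10|renameat|ok|/photos/a.jpg.locked
2019-06-01T02:15:01 smbd_audit: alice|192.168.1.10|pwrite|ok|/photos/b.jpg
2019-06-01T02:15:02 smbd_audit: alice|192.168.1.10|renameat|ok|/photos/b.jpg.locked
2019-06-01T02:15:02 smbd_audit: alice|192.168.1.10|unlinkat|fail|/photos/readonly.jpg
2019-06-01T02:15:03 smbd_audit: alice|192.168.1.10|pwrite|ok|/photos/c.jpg
2019-06-01T02:15:04 smbd_audit: alice|192.168.1.10|renameat|ok|/photos/c.jpg.locked
2019-06-01T02:16:30 smbd_audit: bob|192.168.1.20|unlinkat|ok|/docs/old.txt
"""

def parse_line(line):
    """Return a dict for one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_bursts(lines, threshold=5, window_seconds=60):
    """Sliding-window count of successful destructive ops per client IP.
    Returns one (client_ip, timestamp, count) alert per client, raised the
    first time its count inside the window exceeds threshold. A high
    threshold sacrifices the first files hit to avoid false positives."""
    recent = defaultdict(deque)  # client ip -> timestamps of recent destructive ops
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["op"] not in DESTRUCTIVE_OPS or ev["status"] != "ok":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget events that fell out of the window
        if len(q) > threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append((ev["ip"], ev["ts"], len(q)))
    return alerts

def response_command(share):
    """argv that makes every smbd drop client connections to `share`
    (smbcontrol's close-share message): milder than killing the server."""
    return ["smbcontrol", "smbd", "close-share", share]
```

On the constructed sample the detector flags 192.168.1.10 at the sixth successful destructive operation and leaves the normal client alone; the threshold and window are the knobs the post talks about tuning.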
-
If your PC is infected with some crypto ransomware, the files on the NAS will be encrypted too. Better keep backups offline, e.g. on USB disks. Also keep multiple backups of different ages on different disks/tapes. If you don't detect the malware immediately it may be in the last backup, but the older backup on another disk could be OK.
-
For that reason the weekly backups from PCs are kept for the last few months; they are incremental backups, so they stay a small size. This also allows for grabbing any file from any week in case a single important file is lost due to just user error.
Keeping full copies with history of the entire NAS RAID array is not as easy.
-
Part of the problem is how lacking some organizations are in very simple protections.
One local business allowed employees to carry work home on usb drives for use on their personal pc :palm:
The best system I think is the kind that implements two networks that are not connected in any way.
The 1st network has the systems that are critical, with no access by anyone to ports of any kind.
2nd network connects to the internet and does email and such and runs on different hardware entirely.
Companies short circuit the process by thinking newer hardware, virtual machines, networking can keep it all safe and put it on the same systems.
I have an old laptop that runs Windows XP: no infections, no update issues, and it works reliably. It hasn't been connected to a network in years, though.
-
If users can't remember their login credentials they shouldn't use computers. >:D Maybe we need a "computer driving license", since it's easy to create disasters with any PC. All it takes is a highly skilled moron.
Some places force you to reset your password every x many days, and you cannot re-use the old ones. The USA DOD requires a new one every 60 days; drives me nuts every time I see their email about a password about to expire. People either resort to password managers or start writing them down on sticky notes attached to the desk.
-
Most ransomware starts with insiders in on the scam
What's needed to slow it down is viral Youtubes showing public tar and feather and gorilla bonk :scared: of caught ransomware creeps
They'll think twice about using abusive code again and hitting on struggling PC owners for money :popcorn:
-
Regular forced password changes never really improve security. They just result in people not being able to remember passwords, so they write them down in some way. A similar deal is putting silly requirements on password complexity like: must be between X and X characters long, must contain X number of upper case, X number of lower case, X number of digits, X number of symbols (but not telling which ones), all digits can't be adjacent... etc.
Another thing that will happen is that people will just put a number on the end of the password and increment it by one on every change.
-
Some places force you to reset your password every x many days, and you cannot re-use the old ones. The USA DOD requires a new one every 60 days; drives me nuts every time I see their email about a password about to expire. People either resort to password managers or start writing them down on sticky notes attached to the desk.
Hopefully this nonsense will go away. NIST recently changed their PW recommendations and no longer suggests this.
-
Some places force you to reset your password every x many days, and you cannot re-use the old ones. The USA DOD requires a new one every 60 days; drives me nuts every time I see their email about a password about to expire. People either resort to password managers or start writing them down on sticky notes attached to the desk.
NIST recommends removing periodic password change requirements: https://www.alvaka.net/new-password-guidelines-us-federal-government-via-nist/
-
Yeah it's pointless. Keep same password + add 2FA = sorted. https://duo.com/
-
But please don't use mobile/smart phones for 2FA. Too many reports of SIM swap attacks and scams.
-
Bit more complicated than that. Do use smartphones. Don't use SMS. Do use properly MDM-controlled phones. Do use iOS. Don't use Android.
-
Don't use passwords, toss the tech, upgrade your life to poor nomad living off the land = 99.9% Security :popcorn:
Let's see hackers hack that ;D
-
Yeah it's pointless. Keep same password + add 2FA = sorted. https://duo.com/
Does Duo have some advantage over other free H/TOTP apps, like Google Authenticator?
-
Yeah it does SSO as well.
-
Another city popped with bull & shit for backups.
https://www.pcmag.com/news/369122/florida-city-to-pay-600-000-to-hackers-after-ransomware-att
These public officials need to be drawn out to the city circle and stoned for spending $600K of taxpayer money on thieves over solid IT practices.
-
It should be a criminal offense to pay the ransom. Doing so encourages the practice.
-
Agree for the most part. There are cases where this is simply the lesser of two evils. One would hope that if you're in a critical environment (far more than local gov), this is of little threat. Sadly, that doesn't seem to always be the case.
I'm on CERT and other ICS mailing lists. The warning of ransomware attacks on specific markets has been going out for a long time now. Any governmental body has had warnings for a couple of years now. Even if they ignore those, the press has been full of examples. It's criminal negligence at this point in my mind.
On the bright side, I would hope that this changes the general decline in IT budgets I see. It's an often discarded budget, yet a more and more critically important area these days. At least IMO.
-
Cryptocurrency has been such a boon to the world ...
I don't see how increased IT budgets will help much as long as IT doesn't start embracing proper compartmentalization. IT security went down a wrong path early in its history and never recovered. Apart from a few security agencies and financial institutions, everyone is doing it wrong.
-
No, it's never the lesser of two evils. Paying the ransom, negotiating with terrorists, it's legitimizing their tactics and encouraging it and anyone who does so should face punishment. I don't care what the alternative is, by the time someone like that has you over a barrel it's too late.
-
Well, security is not an easy thing to do.
New exploits are constantly found in software, so something that is considered pretty secure today might be vulnerable tomorrow. The IT staff have to constantly be up to date on the latest security trends and upgrade the servers as needed. It's not so easy to isolate a machine on a network. The clients will often want extra functionality, and as this happens again and again there is more crap running on servers, and that crap wants to talk to other stuff, etc.
But it's not all about security; if someone is determined enough they can get in. It's more about having a backup of all critical systems. If a machine is important enough to be worth paying $10 000 or more to unlock it from ransomware, then that machine must have a full backup somewhere in a safe place. And most importantly, a backup needs to be tested to work. It happens all too often that backups are in place, but when shit hits the fan and the machine has to be restored from a backup, it then turns out the backup image doesn't work.
-
The damages including paying a ransom might be covered by an insurance policy. Increasing IT budgets is the right starting point, but the money has to be spent reasonably. Buying one expensive big box doesn't magically provide security. The IT infrastructure needs to be migrated from a single large LAN to cooperative islands to limit any impact of malware. Apply appropriate security practices. Backup, backup and backup! Train users on basic security and asking IT support if unsure about anything. Train IT staff on best current security practices. Set up network monitoring to spot problems early and check logs.
-
The damages including paying a ransom might be covered by an insurance policy.
Since you have no idea who you're paying, you cannot be sure you're not funding terrorists or others under sanctions. Don't expect insurance to hand out cash blindly; it won't happen.
-
If serial cheapskate corporates don't want to employ and/or pay good IT staff decent money to carry their problems 24/7, |O
then let them pay out more on the Rware instead, >:D
and pray the accountants can do something about the loss. :horse:
..Since you have no idea who you're paying,
you cannot be sure you're not funding terrorists or others under sanctions..
But you can be 99.9% sure of funding disgruntled employees/insiders, >:( :rant:
shafted ex-IT personnel and/or suss temp fill-in geeks,
or a partner with expensive bad habits that wants to financially cripple the business
so one of his mates or rels, or his irate loan shark, can buy it for a box of donuts. >:D
-
Well, security is not an easy thing to do.
New exploits are constantly found in software, so something that is considered pretty secure today might be vulnerable tomorrow.
Except for the completely incompetent ones, they know where their attack surfaces are ... yet all they really do about zero days is pray it doesn't hit them and that they can patch their software after it becomes non-zero-day.
Just let everyone browse the web ... including sysadmins with remote access to everything. What's the worst that can happen?
-
Backups...
Not complicated, not expensive, nothing remotely new. Even on the minimum budget, there is almost no reason not to have a solid backup plan that would reduce ransomware to nothing more than a short-term outage. If a gov body isn't willing to spend a minimal amount to cover a solid backup strategy, they should be subject to a public hanging.
This ignores the common HD failure or other natural-event failure of their main systems that they are apparently ignoring. There is simply no reason not to have mission-critical systems backed up. IT 101... hello.
-
QuickBooks cloud hosting provider popped with ransomware. Bet that's going to be a record payout if their backups are hosed.
https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/
How safe is your data with these cloud services exactly? Small gov bodies are peanuts if these jokers can roll up a cloud provider.