Irish health service hit by cyber attack (bbc.co.uk)
* Keep all systems up to date with the latest patches.
* Have a DR plan and test it regularly.
* Make frequent backups, verify them, and keep them offline.
Historically organizations have been so bad at backups that the advice has been to automate them as much as possible, to try to ensure that a recent backup at least exists. But I am increasingly of the opinion that the next level of backup maturity is to dial back on the automation and invest manual effort in airgapping the backups.
Fully automated backups are necessarily part of the software attack surface.
If you have to hire more ops people to rotate tapes by hand every day, that will have to be a cost of doing business safely.
Companies often have IAM/ssh/keys all over the place. If you centralize things to IAM you can lower permissions based on their last use. E.g. a frontend dev needs access to GCP to configure things in Firebase. This frontend developer hasn't used these IAM permissions in 3 months. This person's IAM permissions should automatically have these permissions removed.
Probably one of the easiest yet most powerful things to implement in cloud sec ops AND probably never done.
https://cloud.google.com/iam/docs/recommender-managing
Example script to automate it: https://github.com/james-ransom/auto-apply-gcp-iam-recommend...
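One way to implement the "remove what hasn't been used in 3 months" rule from this comment, as an added Python example that is neither the linked script nor Google's recommender API: it runs over a constructed policy in the shape of a GCP IAM binding list plus a constructed last-use table, and emits the pruned policy together with a removal report. The role names, principals, 90-day window and the owner-role safeguard are all assumptions.

```python
"""Prune IAM role bindings a principal has not exercised within a window.

Added example, not the project's script. Works on a constructed policy
(GCP-style list of {role, members}) and a constructed map of when each
member last used each role, as a last-use recommender would report it.
"""
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)

# Assumed safeguard: never auto-strip roles that could lock out all admins.
PROTECTED_ROLES = ("roles/owner",)

# Constructed sample policy in the shape of a GCP project IAM policy.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/firebase.admin",
         "members": ["user:frontend-dev@example.com", "user:lead@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:frontend-dev@example.com"]},
        {"role": "roles/owner",
         "members": ["user:lead@example.com"]},
    ]
}

# Constructed last-use observations keyed by (member, role), ISO 8601.
# A pair with no entry has never been observed exercising that role.
SAMPLE_LAST_USED = {
    ("user:frontend-dev@example.com", "roles/firebase.admin"): "2021-01-20T10:00:00+00:00",
    ("user:frontend-dev@example.com", "roles/viewer"): "2021-05-10T08:30:00+00:00",
    ("user:lead@example.com", "roles/firebase.admin"): "2021-05-12T09:00:00+00:00",
}

# Constructed evaluation time so the sample is reproducible.
SAMPLE_NOW = datetime.fromisoformat("2021-05-14T00:00:00+00:00")


def is_stale(member, role, last_used, now):
    """True when the member has not used the role within STALE_AFTER.

    A pair that was never observed is treated as stale; a production
    version would also consult the grant date so that a binding created
    yesterday is not revoked before it could ever be used.
    """
    ts = last_used.get((member, role))
    if ts is None:
        return True
    return now - datetime.fromisoformat(ts) > STALE_AFTER


def prune_stale_bindings(policy, last_used, now, protected_roles=PROTECTED_ROLES):
    """Return (pruned_policy, removals).

    removals lists (member, role) pairs dropped because of inactivity.
    Bindings that end up with no members are dropped entirely; protected
    roles are copied through untouched for a human to review instead.
    """
    removals = []
    new_bindings = []
    for binding in policy["bindings"]:
        role = binding["role"]
        if role in protected_roles:
            new_bindings.append({"role": role, "members": list(binding["members"])})
            continue
        keep = []
        for member in binding["members"]:
            if is_stale(member, role, last_used, now):
                removals.append((member, role))
            else:
                keep.append(member)
        if keep:
            new_bindings.append({"role": role, "members": keep})
    return {"bindings": new_bindings}, removals


def run_sample():
    """Apply the rule to the constructed policy at the constructed time."""
    return prune_stale_bindings(SAMPLE_POLICY, SAMPLE_LAST_USED, SAMPLE_NOW)


if __name__ == "__main__":
    pruned, removed = run_sample()
    for member, role in removed:
        print(f"remove {role} from {member}: unused for > {STALE_AFTER.days} days")
    print(pruned)
```

In the sample the frontend developer's firebase.admin binding (last used in January) is dropped, the recently used viewer binding survives, and the never-observed owner binding is left for manual review because of the safeguard.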
The problem is that they are getting $1M payouts on a $10k budget. That is a staggering ROI of 100! If you could magically improve the security of every system on the market by 1000% you would wipe out the current forms of attack, but it would still be insanely profitable to run $100k attacks to get $1M payouts. To actually stop attacks from continuing to escalate exponentially at their recent pace of >100% per year that any VC darling would be proud to achieve, you need to make it cost more on average to attack than they can get.
We are literally orders of magnitude away from that in the average case at current returns. And even worse, returns per attack keep escalating. Just 4 years ago during WannaCry the ask was $300 per computer, which can be a painful chunk of change for an individual, which is who most ransomware attacks were targeting before, but nothing for any company. They were attacking companies for ~$10k payout and still making enough money to expand their operations doing it.
As the focus has moved to industry the payouts have increased exponentially since there are many companies whose operations are so valuable that they are willing to pay millions or tens of millions or even hundreds of millions per day. At those payouts there are 0 commercial IT systems that can make attacks unprofitable. So, when those attacks become the ones with the best risk-adjusted ROI you better believe they will occur. And when the attackers have a $10M budget simple defenses and techniques that worked on $10k attacks will not work because the attackers will have literally 100,000% more resources at their disposal, in much the same way that defenses that work against a rock thrown at 10 m/s do not work against an ICBM traveling 1000x faster at mach 30.
So yes, simple mitigations would stop the simple successful attacks now, but do not solve the actual problem that it would still be profitable to attack even if they were all implemented everywhere since payouts are so much higher than cost.
It’s easier to get it right when you can put your arms around the whole thing.
* Also ensure your Production and DR do not use the same automation, or that there is full segmentation in your automation so that if automation goes sideways, or is compromised, your Production and DR are not simultaneously blown away or encrypted.
* If you can't keep backups offline, at least write them to a write-only destination and/or have an enforced vaulting policy that keeps {n} copies in multiple locations and can't even be deleted by super-users. Deletion must require multiple VPs using MFA to log into a thing and "turn a key", so to speak.
Is there a service that could regularly fetch data from s3 or even connect to postgres, and regularly send a physical copy of the data by mail?
Does it make sense to offer airgapped backups as a service to smaller companies? Over mail?
That gives you quick retrieval of off-site backups.
The only reason I haven't done something like that for all my personal data is that tape machines are terribly expensive. Tape drives are pretty cheap.
Can we please call it The Department of Redundancy Department?
Jokes aside it seems that the DR, backups, and system images (i.e. installation including patches) that you mention are all related and it could make sense to dedicate a role or team to it. We split out things like networking and security into their own teams when we want them to be taken seriously.
For recovery, you need more accessible backups. And to test your backup plan.
Was it a malicious email attachment that propagated through unsecured networks or outdated OS versions? And what data was encrypted? Are we talking regular excel files or actual databases?
It would be interesting to have some more detail or case studies so others could know how to fortify infection points and limit the blast radius of their own systems.
They're hiring consultants to confirm that they've met the requirements of some checklist, which requirements may include "have a plan to fix this obvious problem.... someday. You do? OK, then you're fine". That's much cheaper and is 100% management-class controlled.
You would likely end up with better security. Would it be good enough to prevent breaches? Doubt it.
You can practice things that make recovery fast and reduce the impact of breaches though. Isolate data, encrypt it, only grant necessary access, have robust backups and test recovery regularly. These things take time and money though, and most companies are unwilling to do them sufficiently.
Happens with military/infrastructure spending all the time - get a cheap initial quote and then get screwed long-term.
And with covid. Govs didn't have the courage to lock down early and fast / close borders and cost themselves a lot of money in the short term.
https://m.independent.ie/irish-news/serious-and-sophisticate...
The information surrounding the current pandemic within Ireland is heavily skewed in one direction; there is no room for any questions without being labelled as something. What if someone decided to check the information for themselves. Just a thought, [removes crazy hat made from tinfoil]
And with ransomware you don't have to hear the crying of your victims.
Plus if you show mercy on someone people can identify with, like a single mom barely getting by, you can go on draining pensioners' bank accounts like you're fucking Robin Hood.
The less data is actually leaked and sold the better, of course, but societies and especially politicians don't seem to learn that easily.
That, and all the high security cloud hosting in the world will not help the most commonly exploited security issues: unpatched wordpress plugins, world readable storage buckets, poorly secured privileged accounts, ransomware, phishing... A shoddily managed on-prem enterprise IT infra moved into the cloud will be just this: a poorly managed AWS infra, just as exploitable as before, but now also 10x as expensive to run.
However, the latter requires a huge mindset and experience shift from the very top of the organisation. And groups and individuals of that organisation having strong interest in their survivability are, of course, not going to change that.
Cloud documents like Word and Google docs seem less susceptible, as writing a content parser for each file format to encrypt it would be a higher bar. Or am I missing something there?
It also suggests there could be a market for cryptocurrency futures as a form of insurance. This is one extreme situation where you are forced to buy a currency at market prices, but I suspect it's the first of more.
The entire technology industry is built on a foundation of limited liability and has a tradition of being ok with defects (eh, it's a small bug). When do we get hardware that is guaranteed to perform and be safe, operating systems, languages and compilers that are safe? It's going to be very difficult to deal with liability in a strict sense. Who's at fault? The OS that had a bug, the library that made the syscall, the code that called the library, the script that ran the program, the network router that allowed the egress, or the user that pushed the button? (edit: fixed typo)
$ curl -sI https://imgs.xkcd.com/comics/voting_software.png | grep Modified
Last-Modified: Wed, 08 Aug 2018 16:59:09 GMT

2. Terrorism has similarly precise definitions, usually along the lines of "the act has to be in pursuit of political aims". Just because it's a big and important target does not make it political; ransomware is an economic crime.
For anyone with time on their hands, the "Tallinn Manual" has a lot of detail on this:
https://www.kobo.com/ie/en/ebook/tallinn-manual-2-0-on-the-i...
This is not true. For example major countries like the United States and the United Kingdom are not nation states but can still commit acts of war under international law.
Regular patching is necessary hygiene for corporate IT, but often the department is understaffed, or frankly told by management to prioritize shiny things instead.
I would guess the easiest way is to phish a login to the corp VPN or to send an email with a malicious attachment to give the attacker something inside the corp firewall as a place to start their port scan of the internal network and begin their attacks.
These guys do a lot of honeypot writeups that are pretty consistent with my experience: https://thedfirreport.com/
A lot of places that get crippled by ransomware have outdated or underfunded IT departments (health care is particularly bad at this), so that kind of insight is barely on the table at the best of times.
Even when a postmortem is eventually done, companies don't want to have to admit the attack could have been prevented, or at least minimized, with better investment in security.
I’m not sure what point you are trying to make.
Ransom: Another great "feature" of difficult-to-trace personal gold coinage
What you're actually saying is:
Bad thing: Another great "feature" of any kind of positive development in personal sovereignty
Or
Bad thing: Another great "feature" of any kind of progress
---
Progress comes with pitfalls. Sharp knives prepare food and also kill people.
Your argument effectively reduces to: never innovate.
I think we're perfectly allowed to discuss whether we think a particular kind of change is a good or bad thing.
You chose to reduce it to that. There is no need to reduce every argument to its black and white extreme, although that is the easiest interpretation.
Bitcoin in particular requires truly ridiculous amounts of compute and has made hacking a far more profitable enterprise than before.
There are already digital currencies tackling the first problem, the 2nd could potentially also be solved.
So a more charitable interpretation might be, more innovation is needed to get digital currencies right.
See how silly you sound?
The ransom part, at the scale possible with cryptocurrency, is new.
Those who sound "silly" are the ones elaborately pretending that this formerly obscure class of electronic extortion didn't suddenly explode into an epidemic with the concomitant rise of cryptocurrency.
Sure, someone might get more expensive insurance quotes or made fun of for having ADHD, HIV or acne treatment...
But I think that would be outweighed by health benefits by combing the data for correlations and causations that have been unidentified in the past. Being able to shut down things that are poisoning millions of people, but to such a minor extent it isn't immediately obvious, would have a big benefit for society.
Let's say I'm a Saudi National, who worked in the United States. While there I disclosed to a doctor that I'm gay. I return to Saudi Arabia. This document gets leaked. How exactly does this make the world a better place?
Summary of possible outcomes:
https://en.wikipedia.org/wiki/LGBT_rights_in_Saudi_Arabia#Su...
Notice the first line:
Same-sex sexual activity: Fines, prison time up to life, and capital punishment.
If someone has to pay a bit more for insurance or whatever, that may not sound like a big deal and also morally justifiable if you assume someone is always willing and able to evaluate risk accurately.
However, some diagnoses are treated as "unknown unknowns" rather than quantifiable risks. In that case, it's likely that there will simply be nobody to accept them at all.
The discrepancy between this treatment of a risk as effectively infinite, because nobody will take it on, versus the fact that it is really finite, constitutes economic destruction that would be caused by the disclosure of the diagnosis.
Right now there are restricted circumstances where things have to be disclosed. But it's relatively tolerable because it's limited. For instance, you might not be able to get life insurance, but at least you can hold a job, have health insurance, live where you like, etc.
Taking all that away from millions of people seems not a lot kinder than just liquidating them.
I am pessimistic on this one.
Size of an organization is not a good proxy for quality of security. Evidence: Colonial Penn, the DC Metro Police Department, Experian, Target, etc...
There is another facet to all of this. Money. Just plain old money. It takes time and money to buy and maintain this sort of software.
The 'hobbyist' also has plenty of time and access to the tools. Whereas an org may only have so much budget for it. Which in effect restricts time to do it, and or how many people you can pay to do it. Also depending on the org you may not even have access to the correct tools and documentation.
From a pure user 'end point' usage the security stuff is either in the way or 'just works'. Fixing security is background and does not get you anything new. So it often gets forgotten or downgraded in a budget game for something more shiny as the user lets out their inner Veruca Salt.
The last thing you want is for your backup to restore whatever back door they installed a few weeks before they launched the actual attack, or to leave the unpatched system (or whatever it was) open and immediately have the attackers encrypt all your files again.
https://twitter.com/hashtag/REvil?src=hashtag_click&f=live
caveat that this world is full of rampant speculation and lies so take it with a grain of salt. ;-)
But with IT stuff, yeah it’s tough to justify - but maybe after things like this happen it will be easier. Sometimes you need a Pearl harbour to get stuff done!
I was hoping for something SaaS-like that would be automated (so that an external company would be responsible to not forget to do the backups) and no entry cost. As you say, tape drives are expensive.
I was starting to imagine how automatable it would be to have machines that downloaded and encrypted data, and small robots popping 128/256 GB (up to 1 TB) SD cards in and out, and even dropping them in envelopes with labels automatically printed out. Then the envelopes would be dropped into a chute as the outgoing mail :)
One obvious issue is that a 128 GB card is about $30, so sending one every day would be too expensive. And if you sent one once a week that would mean up to 6 days of lost data.
Then there’s the issue of having access to so much customer data — this imaginary backup company would itself become a potential liability if it was hacked.
Would small companies even be interested?
The non-fungibility of bitcoins can be seen as an advantage or one of its largest flaws, depending on how you look at it. Either way it's the reason quite a few people have switched to Monero and other completely fungible coins.
>Shouldn't be hard to write software to accomplish that
There are startups offering exactly this as a service already.
My point is only that the original comment didn't attempt to make any argument, other than the reduced one I outlined.
You "reduced" difficult to trace digital currencies to "any kind of positive development in personal sovereignty."
No need to keep defending a mistake. Just reread your own comment and the OP's. Respond to the comment itself, not other discussions you've had on the topic. If you think the argument implies something you disagree with, make the connection. Don't just assert that the argument reduces to this. Besides being mistake prone, it's unfriendly and unproductive.
I've made plenty of comments myself that I don't/shouldn't stand behind, in short retrospect. I suspect this is one of yours. Minor foul. Happens. Shake hands and make good.
When re-reading the OP's comment just now, I just can't interpret it any other way other than "see! crypto bad". Maybe I'm missing something.
I'd accept that my responding, effectively in-kind ("see! your position bad"), isn't particularly useful other than potentially alerting them to the fact (my intention), and I'd no doubt do better to provide some examples of benefits at least (as I see the current top-voted reply did, that is otherwise identical to mine).
My admission of that however, does not indemnify the original commenter - at least, in terms of my interpretation of their comment, which is really all I can be responsible for.
Putting a clear number on the cost of poor cybersecurity should push more organisations to actually do something about it.
What an inhumane and cynical take.
Now the organisation has more to lose at first pass, rather than just data subjects.
I thought it was self-evident. Killing someone innocent for the good of others is never acceptable; people are ends in themselves. This is a general precept in most ethical systems with the notable exception of Millian Utilitarianism. To be clear, I am not making an argument against justifiable self-defense, as that is almost always accepted as a different kind of situation.
Example: we allow people to be killed for the good of others as long as their death allows the survival of more people. This is the poster's argument distilled. As such, it would be morally justifiable to kill random people for their organs, as one person contains enough organs to keep dozens of people from dying. If you need a liver, and your neighbor needs a spleen, then there would be nothing wrong about abducting the first person you see, butchering them, and taking what you need.
This argument is essentially that we should allow people to be killed, harmed, maimed because the number of people it helps would outnumber the number of people harmed. They are the same argument. They both treat people as means rather than ends.
There are many nations in the world where you can be brutally killed for being gay, or any number of other things which shows up in medical records. If we include imprisonment, the number rises. The cost isn't just "some people might get embarrassed". It's a lot more like "hundreds of thousands of people will be brutally murdered by others or their state".
>Killing someone innocent for the good of others is never acceptable
You make this trade off all the time by e.g. not giving all your money to charity.
https://www.macworld.co.uk/cmsdata/features/3659100/how_to_r...
Scary, scary place to be. Especially for a health service.
As weird as it sounds, reputation matters for these guys. If you have a track record of taking the money and publishing data anyway, no one is ever gonna bother paying you in the first place. Why would they? Your data is gonna get published no matter what, may as well save the ransom money.
1. If you *don't* pay, then you know bad things will happen.
2. So you might as well pay, regardless of their reputation, because your chances are strictly better even if they are nearly nothing.
3. Knowing that, there is no incentive for them to maintain a reputation by honoring the ransoms.
This seems like a stable equilibrium.

You could, but you probably would lose that bet. This has been done for decades now, especially between friendly countries (see https://www.independent.co.uk/news/uk/politics/eu-mi6-brexit...) without any sort of repercussion.
Diplomatic posturing aside ("We will treat any intrusion attempt on our networks as an aggression"), literally no government actually wants to go to war over a hack.
> Given the recent pipeline issue and its national security implications I am not going to be surprised at all if some hackers in Russia end up dead from 'accidents' that are so obviously not accidents that no one is fooled.
This is even more nonsensical. Certainly governments would benefit way more from hiring those hackers and/or buying vulns from them than killing them. Especially in less-friendly countries like Russia.
The war started more than a decade ago. Like the Cold War that preceded it, there is little value in pretending the conflict does not exist nor that escalation is impossible.
Well, this is not just a "hack": this blocks the entire national healthcare IT, it could cost lives.
Of course I knew what you were talking about; the war media has been beating this drum for at least a week even though it was obvious from the start that Colonial do shit work and grasp at any straw to excuse that. Anyone who wants to see more of that CYA bullshit can find plenty to see, so your jingoistic and warmongering comment has no place in this thread. Foment war among nuclear powers elsewhere.
The original comment linked ransomware to crypto, which isn't too controversial. There are good things about crypto, which may outweigh that... certainly discussable.
Personally, I don't see either point as representing the most substantial positive or negative of crypto... so I don't really have a dog in this one.
No need to indemnify or vilify anyone. It's perfectly ok to hold any of these views. It's also fine to make an unconvincing argument... it just may not be convincing.
What a complete waste of time it is discussing anything on HN that you touch.
You might want to ask the "actual" [?] "professionals" who "specialize in attribution" whether attribution has anything to do with this episode. (Not the episode in TFA, remember, but rather the one you decided [for political reasons?] to talk about instead.) You concede that Darkside are the authors of the hack, and credit at least some of their communication about it. What attribution remains to be done? The actual expertise in attribution among computer security professionals is in identifying and profiling tools and techniques. The amateur psychology and geopolitical analysis we sometimes see quoted in the war media as "attribution" is just bullshit.
If you're in this thread discussing TFA which does not contain the string "Russia" for the obvious reasons, then you are indeed wasting your time. If you're just trying to clear up some intellectually debilitating confusion, then please continue the discussion.
Which I've said is unacceptable. If anyone dies as a consequence of this, it's not acceptable. That's my response to that argument. Their position is "the good outweighs the bad" and mine is that "the bad is not the sort of bad that can be counter-balanced", or more clearly "no, it does not".
> You make this trade off all the time by e.g. not giving all your money to charity.
This is a completely nonsensical, borderline facetious argument. This is equivalent to saying that by sleeping at night rather than going out to help the homeless, I'm killing people. Or that standing still and not acting is killing people. To kill is a violation of an individual's inherent right to life. It is the result of an action of an agent. It is not, however, a violation to someone's inherent right to life not to prevent their death insofar as I have not caused their death. For instance, if I have a life preserver, I have not killed you by keeping it for myself, but should I have taken it away from you, then I have.
Clearly there's a difference here. The active action of releasing a medical document is the proximate cause of the harm, therefore not allowable. The first event is strictly necessary for the second.
Me not donating money to prevent someone's rights being stripped is not the proximate cause of the wrong doing, therefore not subject to ethical calculus. There is no strict necessity given this lack of causality. The action which is subject to ethical calculus is the proximal cause of the deprivation of the individual's rights. That which is strictly necessary for the consequence is all that can be reasoned about.
Right, then you are just down some bizarre philosophical rabbit hole if you truly believe that.
Under this logic policing is unacceptable, vaccine research is unacceptable, driving a car is unacceptable, etc.. They all make trade-offs between number of deaths caused vs. some benefit (sometimes lives saved).
What I've said isn't anything radical, and like I've mentioned above, it is a common tenet of pretty much every ethical system that life is an end in itself. This perspective is outlined in Nozick, Kant, Scanlon, Nagel, Rawls and countless others. Some of these authors have influenced the legal systems of entire nations. Rawls and Kant, for example, are considered "mainstream" ethical theorists.
> Under this logic policing is unacceptable
No, because as I've already stated, justified self-defense is a different situation entirely. The situation of extrajudicial killings by police is, however, unacceptable.
> vaccine research is unacceptable, driving a car is unacceptable
This is a false equivalency. The key difference here is the informed consent that's associated with the actions. Nobody is consenting to having their confidential data released. In the above situations you listed, one of the stipulations of engaging in, say, a vaccine trial, is a clearly stated risk. A vaccine trial on someone unwilling is wrong. Someone who willingly agrees to 'open-source' their data and gets killed as a result is also in a different situation than the one we are discussing.
To pretend that someone who's willingly engaged in a dangerous activity and died has experienced the same sort of wrong as someone whose data was leaked against their will, and as a consequence was murdered, is just nonsensical. Notice how I said "if anyone dies as a result of this" not "anyone dying makes any situation automatically wrong".
If I walk on a sidewalk and get hit by a car, I am the one who decided the sidewalk's risks were worth it. There was no gun to my head. As my life is mine, I can dispose of it and use it as I see fit. That's not something anyone else can do or decide for me.