Major and fast spreading cyber attack
June 27, 2017 12:32 PM

A quickly spreading ransomware attack is hitting countries across the world including Ukraine, Russia, Spain, France and the United States, just weeks after a ransomware attack known as “WannaCry.”

A number of companies — including the Danish shipping giant Maersk; Rosneft, the Russian energy giant; Saint-Gobain, the French construction materials company; and WPP, the British advertising agency — also said they had been targeted.

And in the first confirmed cases in the United States, Merck, the drug giant, confirmed that its global computer networks had been hit, as did DLA Piper, the multinational law firm.

The automatic radiation monitoring system at the Chernobyl nuclear power plant was also hit.

Some technology experts said the attack appeared consistent with an “updated variant” of a virus known as Petya or Petrwrap, a ransomware that locks computer files and forces users to pay a designated sum to regain access.

But analysts at cyber security firm Kaspersky Labs said they had traced the infections to “a new ransomware that has not been seen before”. The “NotPetya” attack had hit 2,000 users in Russia, Ukraine, Poland, France, Italy, the UK, Germany and the US, Kaspersky said.
posted by roolya_boolya (97 comments total) 23 users marked this as a favorite
 




I will be beseeching the Omnissiah for aid and protection against the minions of the Ruinous Powers.
posted by Samizdata at 12:46 PM on June 27, 2017 [4 favorites]


Don't panic Michael Fallon gonna bomb 'em!
posted by fearfulsymmetry at 2:37 PM on June 27


Given my current level of frustration with these folks and a high level of surgical precision, I am not opposed entirely to such a solution.
posted by Samizdata at 12:50 PM on June 27, 2017 [1 favorite]


Tom's Hardware has some helpful info on what to do, and is also worth it for this line:
...most others shelled out between 0.12 and 0.13 bitcoins, just about $300. But one clearly angry victim paid 0.0000666 bitcoins, about 16 U.S. cents, from the nonstandard address "1F[*]ckYouRJBmXYF29J7dp4mJdKyLyaWXW6"

posted by furtive at 12:54 PM on June 27, 2017 [3 favorites]


Collateral damage done by a cyberweapon.

The initial vector was a company called MeDoc (although they deny this on their facebook page) that got hacked and pushed a large update via their automatic updates feature.

This MeDoc accounting software is mandated in energy businesses in Russia and Ukraine, and is also in use at Maersk.

Coincidentally, this happened on the same day that a Car bomb kills senior Ukrainian intelligence officer in Kiev

If you create a file "C:\Windows\perfc.dat" that's read-only, the malware will not execute; thinking that it's already executed on this system. Otherwise, if it gets in, it will LSAdump your domain controller and use psexec and wmic to move laterally to otherwise patched systems.

Also, in "WE WERE HELPING, I SWEAR!" news, Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files , which will be extra frustrating for anyone that sent in a payment expecting to get their files back; something that seems increasingly unlikely.
However, if you're lucky to catch it in the act of "fake chkdsk", you can power the machine off and recover the files by putting the disk in an uninfected system (but don't boot it!)

At this time, 30 people have attempted to pay the ransom. I doubt they're having much luck with that.

It's been one of those days.
posted by Xyanthilous P. Harrierstick at 1:00 PM on June 27, 2017 [39 favorites]
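
The perfc.dat vaccine mentioned in the comment above, as an added example that is not code from the thread: a small Python routine that drops the file read-only and audits whether it is present and still read-only, so it can be pushed across a fleet with whatever remote-execution tooling is already in place. Assumptions of mine: the file name and location (perfc.dat under the Windows directory) are taken from the comment; the extension-less "perfc" is my addition from contemporaneous vaccine guidance, not from this page; and the read-only bit only stops non-administrators from overwriting the file, which is enough because the comment's point is that the malware checks for the file's existence. This is a kill switch for this variant only, not a substitute for patching SMB or restricting where domain admin credentials are used.

```python
"""Added example, not code from the thread: create the perfc.dat vaccine file
read-only and audit its state. The Windows directory is passed in so the same
functions can be exercised against a temporary directory on any OS."""
import os
import stat
import tempfile
from pathlib import Path

# "perfc.dat" is the name given in the thread; the bare "perfc" is an assumption
# of mine taken from contemporaneous vaccine write-ups, included because the
# malware's check is a plain file-existence test and a second name costs nothing.
VACCINE_NAMES = ("perfc.dat", "perfc")


def audit_one(path: Path) -> str:
    """'missing' if absent, 'writable' if the owner write bit is set, else 'ok'."""
    if not path.exists():
        return "missing"
    if path.stat().st_mode & stat.S_IWUSR:
        return "writable"
    return "ok"


def audit(windows_dir) -> dict:
    """Per-file vaccine status for one host, e.g. {'perfc.dat': 'ok', 'perfc': 'missing'}."""
    base = Path(windows_dir)
    return {name: audit_one(base / name) for name in VACCINE_NAMES}


def vaccinate(windows_dir) -> dict:
    """Create each vaccine file (empty) and clear the write bits.
    On Windows, os.chmod with only read bits sets the file's read-only attribute."""
    base = Path(windows_dir)
    for name in VACCINE_NAMES:
        target = base / name
        if not target.exists():
            target.write_bytes(b"")
        os.chmod(target, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return audit(windows_dir)


def demo_in_tempdir() -> tuple:
    """Run the audit before and after vaccination in a throwaway directory
    standing in for C:\\Windows; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        before = audit(tmp)
        after = vaccinate(tmp)
        # restore the write bit so TemporaryDirectory can clean up on Windows
        for name in VACCINE_NAMES:
            os.chmod(Path(tmp) / name, stat.S_IRUSR | stat.S_IWUSR)
        return before, after


if __name__ == "__main__":
    print(demo_in_tempdir())
```

In production you would call audit() with the real Windows directory from an endpoint agent or a scheduled job and alert on anything other than "ok", since a host where the file is missing or writable is one where the kill switch cannot be relied on.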


Those who pay are asked to send confirmation of payment to an email address. However, that email address has been shut down by the email provider...

...“This is not an experienced ransomware operator,” said Ryan Kalember, senior vice-president of cybersecurity strategy at Proofpoint.


Oh fuck this is just keystone cops at work at this point. For the love of god Email Provider, turn the mailbox back on.
posted by Annika Cicada at 1:01 PM on June 27, 2017 [1 favorite]


It is 2017, and journalists still love the word "cyber" so so much
posted by thelonius at 1:05 PM on June 27, 2017 [21 favorites]


I like thinking about the cyber. so much cyber. cyber on the beach, cyber on a plane, cyber on a train...
posted by Annika Cicada at 1:10 PM on June 27, 2017 [11 favorites]


When WannaCry hit, I defended IT departments that hadn't yet patched their systems. IT is often neglected, perpetually underfunded and understaffed. When you need to test each new patch with your company's quirky in-house business-critical software on top of running from emergency to emergency keeping your PCs up and running, it's understandable that you might get a few weeks behind. But we're a month and a half after WannaCry was world-wide news, and major international corporations are somehow still vulnerable to EternalBlue. How did every IT head in the world not show their boss a newspaper and say "if we don't push this patch, this could happen to us?"
posted by skymt at 1:12 PM on June 27, 2017 [5 favorites]


thinning the herd, skymt, thinning the herd. If your business hasn't recognized that technology investment and innovation is a core business initiative then well, you gonna get owned. hard. until you are no longer a business.
posted by Annika Cicada at 1:14 PM on June 27, 2017 [12 favorites]


How did every IT head in the world not show their boss a newspaper and say "if we don't push this patch, this could happen to us?"

What makes you think they didn't and that it wasn't the boss who shrugged it off? It's hard enough getting bosses to agree to adhere to governmental regulations. I have literally witnessed bosses spend more time negotiating a way out of or around regulations than trying to work out a functional budget to implement them.
posted by fraula at 1:15 PM on June 27, 2017 [21 favorites]


My company's on the verge of expelling Windows over to Ubuntu on account of this.
posted by ocschwar at 1:20 PM on June 27, 2017 [8 favorites]


It is 2017, and journalists still love the word "cyber" so so much

After seeing the return of Doctor Who's Cybermen last weekend, I understand the appeal. But didn't they originate in the 1960s?
posted by oneswellfoop at 1:21 PM on June 27, 2017


My company, based in Munich (I'm in the U.S), has shut down all outside email. Only intracompany email for now.
posted by Grumpy old geek at 1:23 PM on June 27, 2017


How does anti-virus software not catch ransomware?
posted by theora55 at 1:25 PM on June 27, 2017


For the love of god Email Provider, turn the mailbox back on.

It is seriously better for everyone if paying money for ransomware does not unlock the files, because it makes ransomware less profitable next time.

It sucks for those 30 people who paid, but it doesn't really suck any worse than if their computer were lost or destroyed, which happens to many more people than that, every day.
posted by aubilenon at 1:26 PM on June 27, 2017 [6 favorites]


you know if a hospital that I was in was stupid enough to get hit by this while I was under their care I DGAF, pay the fucking 500 dollars per system.
posted by Annika Cicada at 1:42 PM on June 27, 2017


How does anti-virus software not catch ransomware?

Anti-virus software is reactive. With the traditional signature-based detection method, an AV company needs to obtain a sample of the malware, analyze it, generate a signature, and deliver it to the signature database on your machine so your AV can identify and block the malware. By that time, the first wave of victims have already had their files encrypted, and the attacker may even have a new version of the malware ready to unleash, at which point the whole process repeats. That's not even getting into techniques like self-modifying code, viruses that modify their signature each time they infect a new host. Signature-based detection is a model designed for a world where viruses spread over months on floppy disks.

All that is why AV companies are betting hard on heuristic techniques that attempt to identify software that "acts like" malware. However, heuristics are prone to false positives that prevent legitimate software from running, so they tend to err on the side of permissiveness. There's also nothing stopping malware developers from testing their pre-release code against the major AV engines, reverse-engineering the heuristics and tweaking their malware until it's allowed to run.
posted by skymt at 1:53 PM on June 27, 2017 [13 favorites]
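
The two detection models described in the answer above, as an added example that is not code from the thread: a hash signature that matches the sample the vendor obtained but misses a trivially re-packed variant, beside a behavioural rule that watches the file-write stream for a burst of near-random overwrites across several file types, which is what encryption looks like regardless of the binary's bytes. Everything is simulated in memory; the "malware" is a constructed byte string, the victim files are constructed text, and the stream cipher is a SHA-256 counter keystream I use only to produce ciphertext-like bytes. The thresholds are illustrative, and the rule has exactly the false-positive exposure the answer mentions: archivers and disk encryptors also write high-entropy data.

```python
"""Added example, not code from the thread: a hash signature misses a re-packed
sample, while a behavioural rule on the file-write stream still fires. The
malware, the files and the writes are all simulated in memory."""
import hashlib
import math
import os
from collections import Counter

# ---- signature-based detection: exact match on a hash of the sample ----------
SIGNATURE_DB: set = set()


def add_signature(sample: bytes) -> str:
    """What the AV vendor does after obtaining a sample from the first victims."""
    digest = hashlib.sha256(sample).hexdigest()
    SIGNATURE_DB.add(digest)
    return digest


def signature_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def repack(sample: bytes, stub: bytes) -> bytes:
    """Stand-in for a packer or polymorphic stub: same behaviour, new bytes."""
    return stub + sample


# ---- behaviour-based detection: look at what the process does, not its bytes --
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; English text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_mass_encryption(events, window=64, min_writes=20, min_entropy=7.5):
    """events: (path, bytes_written) in time order, as an EDR file-write sensor
    would report them. Fires on a burst of near-random overwrites spanning
    several file types. Thresholds are illustrative, not tuned."""
    recent = events[-window:]
    hot = [path for path, data in recent if shannon_entropy(data) >= min_entropy]
    kinds = {os.path.splitext(path)[1].lower() for path in hot}
    return len(hot) >= min_writes and len(kinds) >= 3


# ---- simulation -------------------------------------------------------------
def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """SHA-256 counter keystream XORed in: enough to make ciphertext-like
    bytes for the demo, not a real cipher."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + 32], block))
    return bytes(out)


def simulate_ransomware(files: dict, key: bytes) -> list:
    """Overwrite every file in place and return the write events observed."""
    events = []
    for path in list(files):
        files[path] = toy_encrypt(key, files[path])
        events.append((path, files[path]))
    return events


def constructed_victim_files() -> dict:
    """32 constructed documents of four types, all low-entropy text."""
    return {f"C:/Users/a/Documents/report{i}.{ext}": b"quarterly figures " * 100
            for i, ext in enumerate(["docx", "xlsx", "pdf", "jpg"] * 8)}


def demo() -> dict:
    original = b"\x4d\x5a" + b"fake chkdsk payload " * 30   # constructed "binary"
    add_signature(original)                                 # vendor ships a signature
    variant = repack(original, b"\x90\x90\x01")              # attacker re-packs it
    files = constructed_victim_files()
    normal_writes = list(files.items())                     # a user saving documents
    hostile_writes = simulate_ransomware(files, key=b"constructed-key")
    return {
        "signature_hits_original": signature_match(original),
        "signature_hits_variant": signature_match(variant),
        "heuristic_on_normal_writes": looks_like_mass_encryption(normal_writes),
        "heuristic_on_ransomware": looks_like_mass_encryption(hostile_writes),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The asymmetry is the whole argument: the signature check is cheap and exact but is defeated by prepending three bytes, while the behavioural check cannot be dodged by repacking and can only be dodged by changing what the malware does (encrypting slowly, or one file type at a time), which is exactly the kind of tuning the answer says attackers do against heuristics.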


The attack affected a regional healthcare system in the greater Pittsburgh metro area that forced them to cancel elective procedures and turf out all urgent care today. (My news station has been covering this all day so I won't self-link but "Heritage Valley" will get you info.) No word if actual patient records and personal data have been compromised or if it was just ("just") a hacker locking the metaphorical door without stealing the files inside.

Living in a Stephenson novel minus the fun parts is getting weirder every day.
posted by none of these will bring disaster at 1:56 PM on June 27, 2017 [26 favorites]


I don't work in IT and have no clue what's going on - is there a layman's explanation of this and how it spreads?
posted by windbox at 1:58 PM on June 27, 2017


the best lines of defense are weekly patching and a really good defense in depth strategy that's operationalized by a well-run security operations center, IE, a security program.
posted by Annika Cicada at 1:59 PM on June 27, 2017 [1 favorite]


you know if a hospital that I was in was stupid enough to get hit by this while I was under their care ...

Funny you should mention that....

The Latest: Pennsylvania hospital system hit in cyberattack
posted by Xyanthilous P. Harrierstick at 2:00 PM on June 27, 2017


yup. hospitals are caught in a really bad place right now because how do you patch healthcare systems that are networked across campuses and managed by medical device manufacturers who measure releases and patch cycles in years, not months or weeks?
posted by Annika Cicada at 2:03 PM on June 27, 2017 [12 favorites]


is there a layman's explanation of this and how it spreads?

Okay. So.

1) a company got hacked (speculation?) and their auto-updates pushed a system encryptor ("ransomware" [1]) to what are presumably the real targets, or very near to the real targets of the attack... because...

2) the malware then runs, and begins scanning the network for systems vulnerable to the previously leaked NSA Weapon "ETERNALBLUE". It also extracts credentials from the local system and attempts to use those via two different system administration and management tools to spread the malware to systems that are patched so as to not be vulnerable to ETERNALBLUE.

3) ... Said scanning and lateral movement makes the malware get out of control and become worldwide.

4) The malware then writes code to the master boot record of the system and reboots it. this is the piece that actually does the encrypting of the system.


[1] I'm not convinced you can call it ransomware without actual victims being recovered by paying said ransom. It might just be destructive malware that pretends to be ransomware.
posted by Xyanthilous P. Harrierstick at 2:07 PM on June 27, 2017 [8 favorites]
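
The lateral-movement step in the explanation above (stolen credentials replayed through wmic and psexec to hosts that are patched against ETERNALBLUE), as an added example that is not code from the thread: detection logic run over process-creation events, flagging remote process creation via wmic, PsExec-style service execution, and rundll32 loading a .dat file, then correlating fan-out from one source host to many targets. The events are constructed by me as JSON lines using Windows event 4688 field names; the command lines approximate what the thread describes and are not captured data. PSEXESVC.exe as the service binary Sysinternals PsExec installs on the target is a fact I am relying on, not something the thread states.

```python
"""Added example, not code from the thread: flag wmic/psexec lateral movement
and rundll32-loads-.dat in process-creation events, and correlate fan-out."""
import json
import re
from collections import defaultdict

# Constructed sample: JSON lines in the shape of Windows 4688 process-creation
# events. Events 0-3 are the infected host WS01 running the payload and pushing
# it to three neighbours with dumped credentials; 4 and 6 are benign lookalikes;
# 5 is a PsExec service starting on a target.
SAMPLE_LOG = r"""
{"EventID": 4688, "Computer": "WS01", "SubjectUserName": "j.doe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe", "NewProcessName": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\perfc.dat,#1 30"}
{"EventID": 4688, "Computer": "WS01", "SubjectUserName": "j.doe", "ParentProcessName": "C:\\Windows\\System32\\rundll32.exe", "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic.exe /node:10.0.0.12 /user:CORP\\svc_backup /password:***** process call create rundll32.exe C:\\Windows\\perfc.dat,#1 30"}
{"EventID": 4688, "Computer": "WS01", "SubjectUserName": "j.doe", "ParentProcessName": "C:\\Windows\\System32\\rundll32.exe", "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic.exe /node:10.0.0.13 /user:CORP\\svc_backup /password:***** process call create rundll32.exe C:\\Windows\\perfc.dat,#1 30"}
{"EventID": 4688, "Computer": "WS01", "SubjectUserName": "j.doe", "ParentProcessName": "C:\\Windows\\System32\\rundll32.exe", "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic.exe /node:10.0.0.14 /user:CORP\\svc_backup /password:***** process call create rundll32.exe C:\\Windows\\perfc.dat,#1 30"}
{"EventID": 4688, "Computer": "WS02", "SubjectUserName": "helpdesk", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe", "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic.exe os get caption"}
{"EventID": 4688, "Computer": "WS03", "SubjectUserName": "SYSTEM", "ParentProcessName": "C:\\Windows\\System32\\services.exe", "NewProcessName": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}
{"EventID": 4688, "Computer": "WS02", "SubjectUserName": "helpdesk", "ParentProcessName": "C:\\Windows\\explorer.exe", "NewProcessName": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"}
"""

SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

# wmic /node:<target>; the target may be quoted in real command lines
WMIC_NODE = re.compile(r"/node:\"?([\w.\-]+)", re.IGNORECASE)


def classify(event: dict) -> list:
    """Rule names that fire for one event; an empty list means nothing matched."""
    proc = event.get("NewProcessName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if proc.endswith("wmic.exe") and "/node:" in cmd and "process call create" in cmd:
        hits.append("wmic_remote_process_create")
        if "/password:" in cmd:
            hits.append("credentials_on_command_line")  # the dumped creds in use
    if proc.endswith("rundll32.exe") and re.search(r"\.dat\b", cmd):
        hits.append("rundll32_loads_dat_as_dll")
    # PSEXESVC.exe is the service binary Sysinternals PsExec drops on the target
    if proc.endswith("psexesvc.exe") or "psexec" in cmd:
        hits.append("psexec_service_execution")
    return hits


def detect(events, fanout_threshold=3):
    """Returns (flagged, fanout). flagged: (host, process, rules) per hit.
    fanout: source host -> sorted targets it pushed processes to, for hosts
    reaching fanout_threshold distinct targets, i.e. a worm, not an admin."""
    flagged = []
    targets = defaultdict(set)
    for event in events:
        hits = classify(event)
        if not hits:
            continue
        flagged.append((event["Computer"], event["NewProcessName"], hits))
        if "wmic_remote_process_create" in hits:
            m = WMIC_NODE.search(event["CommandLine"])
            if m:
                targets[event["Computer"]].add(m.group(1))
    fanout = {host: sorted(t) for host, t in targets.items()
              if len(t) >= fanout_threshold}
    return flagged, fanout


if __name__ == "__main__":
    flagged, fanout = detect(SAMPLE_EVENTS)
    for row in flagged:
        print(row)
    print("fan-out:", fanout)
```

The per-event rules are noisy on their own (admins do use wmic /node: and PsExec), which is why the fan-out correlation matters: one workstation creating processes on three or more other hosts within a short window is the signal worth paging on, and the "/password:" on the command line tells you which credential to consider burned.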


Hospitals need to learn from this and have isolated networks, like yesterday. Your billing desk and admit desk systems do NOT need to be on the same network segment as your MRI machines and your IV drip pumps.


Hospitals need to take the "Commander Adama" approach. No networks. Sorry. Paper is awesome.
posted by Xyanthilous P. Harrierstick at 2:08 PM on June 27, 2017 [28 favorites]


There have always been vulnerabilities in software, and always will be if you look hard enough. The thing that is really driving these attacks is the availability of Bitcoin as a completely anonymous payment method. At this point it looks like cryptocurrencies are only useful for wild currency speculation and crime/money laundering.

Cut off that anonymity and this crime will disappear overnight, however changing cryptocurrencies so that they keep a trail of all transactions ever made by every person has a lot of orwellian implications too, so there is no easy answer that I can see.
posted by Lanark at 2:15 PM on June 27, 2017 [1 favorite]


Your billing desk and admit desk systems do NOT need to be on the same network segment as your MRI machines..

In most hospitals I think this is already the case, but just closing down the admin systems is enough to cause chaos, you don't know which patients are arriving, you don't know which appointment slots are free, you don't know which staff are rostered to work on which days. It can also be impossible and/or illegal to dispense drugs without the relevant computer systems running.
posted by Lanark at 2:19 PM on June 27, 2017 [6 favorites]


makes the malware get out of control ...

Also, the whole out of control worldwide infection thing done by an amateur ransomware author is a good cover story for hiding something that was actually intended to destroy a bunch of ukrainian government computers. (speculation on my part, and.. other people's parts as well, but.. we're all uninvolved parties and literally do not know shit from shinola.)
posted by Xyanthilous P. Harrierstick at 2:19 PM on June 27, 2017 [13 favorites]


however changing cryptocurrencies so that they keep a trail of all transactions ever made by every person has a lot of orwellian implications too

that's basically what the blockchain is
posted by indubitable at 2:21 PM on June 27, 2017 [10 favorites]


but just closing down the admin systems ... [ long sob story redacted ]

Hospitals got along for many many years before computers were invented. I remain unmoved by this argument.
posted by Xyanthilous P. Harrierstick at 2:21 PM on June 27, 2017 [3 favorites]


that's an unreasonable expectation unless you expect every hospital record to have a paper backup - you literally don't have your appointment and patient info without your files
posted by idiopath at 2:22 PM on June 27, 2017 [7 favorites]


> Hospitals need to take the "Commander Adama" approach. No networks. Sorry. Paper is awesome.

This advice is about as useful as "the only secure computer is one that's not turned on." You can't change the extent to which people have come to depend on networked information systems overnight just because some systems got popped. Going back to paper is simply not practical and would have massive impacts on every industry that decided to do so that make the damage done by these attacks pale in comparison.
posted by tonycpsu at 2:23 PM on June 27, 2017 [16 favorites]


that's basically what the blockchain is

Current block chains are anonymous, I'm talking about adding an identifier ID or something that will tie it to actual people - it seems an obvious step that governments will push for, rightly or wrongly.
posted by Lanark at 2:27 PM on June 27, 2017


So, Xyanthilous, I think you're proposing a medium-to-long-term solution. How long would it take to return to a paper system? Months, if everybody hurries? Years?

I'm very sympathetic to an absolutist "I will not have networked computers on my ship" line---and in fact, I think that until we collectively develop the skill and discipline to write secure software, that's the right attitude. (I may or may not have started watching Galactica at an impressionable age.) But getting there (pen and paper) from here (heavy dependence on networked computer systems) is pretty non-trivial.
posted by golwengaud at 2:27 PM on June 27, 2017 [5 favorites]


Just stop using Windows.
posted by Segundus at 2:31 PM on June 27, 2017 [12 favorites]


Xyanthilous P. Harrierstick: "Hospitals got along for many many years before computers were invented. I remain unmoved by this argument."

Come work at a hospital for a few days and then try again. WannaCry caused havoc at my facility because access to OFFSITE EMAIL was blocked. Over the last summer we had some email outages that were caused by flooding in a comms substation, and we had people who could do LITERALLY NOTHING for DAYS.

Remember that this was EMAIL ONLY... And I work in RESEARCH, for god's sake. The poor people in primary care would be straight fucked if our systems were down. Patient records, histories, billing, scheduling, timekeeping, control of most if not all of the machines in use, it's all in the computer. No computer, no facility. Electronic health records are mandated: not a "nice-to-have", but a "must-have". And our electronic record has been in use for literally decades, so it's not like we have paper to fall back on any more recently than say 1970 or so.
posted by caution live frogs at 2:31 PM on June 27, 2017 [17 favorites]


> -and in fact, I think that until we collectively develop the skill and discipline to write secure software, that's the right attitude

We have not developed the road and transit systems required to get people to and from their places of work or vacation destinations without automobile or air accidents, but we've all decided that getting in the car / plane is worth the risk. The problem is that the cost/benefit calculations aren't as simple with computer security, but generally speaking, people get more out of using these systems than they lose when they go down or their information is lost/stolen, so they're going to keep using them. Asking people to return to pen and paper is preposterous at this point.
posted by tonycpsu at 2:33 PM on June 27, 2017 [4 favorites]


Just stop using Windows.

seriously just rewrite all your one-off legacy software for ChromeOS or whatever. boom problem solved

also do it in rust
posted by indubitable at 2:35 PM on June 27, 2017 [43 favorites]


Pen and paper: bad idea.

Air-gapping critical IT infrastructure: a better idea.

Having redundant, physically distinct datastores for critical information: critical.
posted by grumpybear69 at 2:36 PM on June 27, 2017 [12 favorites]


Why even have hospitals at all? Just something invented by capitalism to put the shamans out of work.
posted by gwint at 2:40 PM on June 27, 2017 [13 favorites]


seriously just rewrite all your one-off legacy software for ChromeOS or whatever. boom problem solved

At least if you're a hospital, you have a chance to resurrect the guy who wrote that software back before he retired in 1998.
posted by Huffy Puffy at 2:42 PM on June 27, 2017 [6 favorites]


My company's on the verge of expelling Windows over to Ubuntu on account of this.

If they aren't patching Windows why will they suddenly start patching Ubuntu?
posted by markr at 3:05 PM on June 27, 2017 [11 favorites]


Paper health records are not idiot proof either: Hundreds of patients potentially harmed by undelivered NHS mail: "More than 1,700 people may have been harmed by an NHS contractor’s loss of almost 709,000 pieces of medical correspondence, including patient records and cancer test results, an investigation has found."
posted by carter at 3:05 PM on June 27, 2017 [4 favorites]


Great job, NSA! It's not bad enough you hacked American companies. You developed dangerous penetration tools, didn't notify American companies like Microsoft of the vulnerabilities, then failed to protect those weapons. And now we have a second global ransomware shakedown. Really just terrific, NSA.

One interesting side-note; the malware includes a broken digital signature. Just one copied from some Microsoft software, it doesn't validate. But I wonder if the mere presence of a signature makes it more likely that a user will allow it to run? Or maybe there's some way to make it look like it validated.. Early days.
posted by Nelson at 3:11 PM on June 27, 2017 [17 favorites]


It is 2017, and journalists still love the word "cyber" so so much

I think it's pretty much the US military's fault for adopting it as their official term for hacking.
posted by straight at 3:46 PM on June 27, 2017 [6 favorites]


Xyanthilous P. Harrierstick: "Hospitals got along for many many years before computers were invented. I remain unmoved by this argument."

The level of care and productivity has greatly increased since the time hospitals ran on paper. I mean one could have said in response to ESSs being hacked that the phone system got along for many years with operators plugging switch boards but that isn't a reasonable action at this time. It would take billions in capital and ongoing HR costs to revert to 100% paper work flow and non networked treatment devices.
posted by Mitheral at 4:09 PM on June 27, 2017 [6 favorites]


Going backwards is not usually effective. An independent, secure patching agency that distributes required patches in a very timely manner may be where the systems should be going. Perhaps governmental, or a highly trusted agency along the lines of UL.

Really complex issue. What if a patient facing device needs an OS update but the validation tests run for literally weeks? What happens when an OS update breaks a protocol? Updates are software too, is the update safe?

Likely a good number of these sites have poor firewall design but the best firewall is breached by a generic looking thumb drive.
posted by sammyo at 5:41 PM on June 27, 2017 [2 favorites]


-and in fact, I think that until we collectively develop the skill and discipline to write secure software, that's the right attitude

The problem is our Operating Systems, not our software, nor our skills at writing "secure" software, nor users, nor IT departments. NONE of the Operating Systems we depend on implement the concept of the Principle of Least Privilege.

A real secure OS wouldn't let anything like this get off the ground, and yet would be as usable as the stuff we're all used to. Instead of trusting applications with all of our files, the dialog box calls applications use would get replaced with a "powerbox", which would securely let the users choose files to be used, and the app would only get to work with those files, and NOTHING ELSE.

Blaming users, software vendors, or IT administrators might feel good, but it's all focused in the wrong direction. Check out the Genode project, or GNU Hurd if you want to see a hint of what is possible.

We prematurely optimized on the wrong operating system model, and we're eventually going to have to shift... it'll take another Y2K scale amount of effort to finally fix things properly, and for good. Then we can use our computers safely and get stuff done.
posted by MikeWarot at 5:49 PM on June 27, 2017 [7 favorites]


For we users at the bottom, what are the most important things we need to do to prevent attacks like this on our devices and to press on friends and family? Keep updated, don't open stupid emails or programs... what else is there for a home security elevator pitch? What classes of protection utilities are there now?

For instance, I remember antivirus and antimalware were different programs and usually even different developers entirely, but now they seem to be more rolled up. I know Windows has included a firewall for a while, and while it looks like Mac OS has one too it is not turned on by default. Are there any other classes or types or protection we should look for beyond those?

To start off, there are AVG and Avast, both solid antivirus/malware utilities, for Windows, Mac, iOS, and Android, both with free and paid versions. Both have a firewall, but only in the paid versions, and I don't know of a good free one offhand. I've used both, and the paid version of Avast because I liked the name better, but even with a paid account the various ads for upgraded services seemed heavy handed.

There is also KeePass and KeePassX. A description:
KeePass and KeePassX are open source (published under the GNU General Purpose Licence 2) secure (using AES or Twofish) data storage programs, using a single database file to store (mainly) passwords, or pretty much any data you'd like e.g. user names, passwords, urls, attachments and comments.
Why two? From the same answer above:
Currently, the biggest difference between KeePass & KeePassX seems to be the appearance and "feel" of each program, especially on Linux or Mac OS X where KeePassX doesn't rely on [Microsoft porting tool] Mono, so matches the look of other native programs closer. And, KeePassX's version 0.4.x & 2.x display issues.

Also, KeePassX doesn't support plugins (there are several plugins for KeePass), as the user Grief points out in their answer so do upvote it too.
And when searching for those I found this site which seems pretty comprehensive, but I'm no expert. A general guide.

Anything else for the shortlist?
posted by Evilspork at 6:05 PM on June 27, 2017 [2 favorites]


Dude, just tell me if it's safe to turn on my Xbox yet.
posted by Slarty Bartfast at 7:02 PM on June 27, 2017 [1 favorite]


A friend of mine who does computer consulting has started making clones of his drives using Clonezilla every few months, leaving the fresh clone as the running system, and putting the old disk in a drawer for just this possibility. This way he knows he has a bootable, somewhat updated copy of the system ready to go. Today he was hit with something that killed his machine, he pulled out his old drive, plugged it in, updated windows and virus scanner, and was good to go.

No reinstalling OS and applications.

In the really old days, circa 1982 or so, your OS and data were on a set of easily copied floppy diskettes... today you can do similar things, but you have to use Hard Drive cloning program instead of diskcopy A: B:

I think this is just at the edge of something anyone can do at home, if sufficiently motivated.
posted by MikeWarot at 8:15 PM on June 27, 2017 [6 favorites]


Pretty much every modern OS has built-in backup functionality. The laziest thing to do would be to buy a simple NAS (like Apple's Time Capsule or one of Buffalo's things) or USB drive, point your OS' backup thingy at it, and just leave it connected forever.

Some of the ransomware out there today will seek out shared storage and encrypt it, though, so that's no guarantee.

The slightly less lazy version would be to leave your NAS off or USB unplugged most of the time and just turn it on/plug it in once a night or something to let the backup run. If the NAS isn't running, your data on it is safe from ransomware that might infect your primary computer. This is perfectly fine for like 99% of individual users, unless they're super unlucky and get hit literally in the middle of backing up.

The opposite end of the spectrum would be API-based immutable archive servers. Which is to say that, rather than attaching a drive directly to your computer via USB or a network share, your backup software sends the files over the network to a storage server that creates a new copy (or, more commonly, just stores the difference between the two copies). The advantage of this is that, barring catastrophically bad security on archive server, there's no way for an infected machine to destroy data. The worst it can do is waste storage space on the server. Obviously, this uses a lot of disk and is harder to configure than a local solution like a USB/NAS shared drive, so you mostly see it at medium-large companies or offered as a cloud-based service. (Although it might actually be the case that Apple's Time Capsule works this way as well? And I think you can try to configure Buffalo NAS devices this way as well. But with Buffalo, at least, it's definitely more overhead.)

Anyway, point being, there is Stuff That Can Be Done to preserve your data, whatever scale you're at. The hospitals affected by these recent attacks are almost certainly using an archive service and are probably making tape backups as well. But that doesn't do anything to mitigate the denial of service, it just means there's something to restore from afterward.
posted by tobascodagama at 8:55 PM on June 27, 2017 [1 favorite]


There is a middle road too where you rotate two or more drives during your nightly backups. This protects somewhat from malware sophisticated enough to delay and mask the effects of the encryption. IE: a really vicious ransomware would encrypt then silently decrypt your files for a relatively long period of time, say a few weeks. This would allow it to encrypt backups as well.
posted by Mitheral at 9:16 PM on June 27, 2017 [2 favorites]
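
The API-based immutable archive server described two comments up, and the rotation caveat in the comment just above, as one added example that is not code from the thread: a toy append-only, content-addressed store whose client API can add blobs and commit snapshot manifests but has no call that modifies or deletes an existing blob, so an infected client can only add garbage on top of history, never destroy it. A retention window on the same store stands in for reusing drives, and shows the failure mode Mitheral describes: once every snapshot inside the window post-dates the encryption, the clean copy is gone. The files and the "ransomware" overwrite are constructed for the example.

```python
"""Added example, not code from the thread: an append-only, content-addressed
archive server with an optional retention window standing in for drive
rotation. Nothing in the client-facing API can overwrite or delete a blob."""
import hashlib


class ArchiveServer:
    def __init__(self, keep_snapshots=None):
        self._blobs = {}          # sha256 hex -> bytes, write-once
        self._snapshots = []      # (label, {path: sha256 hex}) in commit order
        self.keep = keep_snapshots

    def put_blob(self, data: bytes) -> str:
        """Store by content hash. Re-sending known content is a no-op (dedup),
        and there is deliberately no way to replace what a hash points to."""
        h = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(h, data)
        return h

    def commit(self, label: str, manifest: dict) -> int:
        """Record a snapshot manifest and return its index. With a retention
        limit, the oldest snapshot is expired, like a backup drive being reused."""
        self._snapshots.append((label, dict(manifest)))
        if self.keep is not None and len(self._snapshots) > self.keep:
            self._expire_oldest()
        return len(self._snapshots) - 1

    def _expire_oldest(self):
        """Server-side housekeeping only; not reachable through the client API."""
        self._snapshots.pop(0)
        live = {h for _, manifest in self._snapshots for h in manifest.values()}
        for h in [h for h in self._blobs if h not in live]:
            del self._blobs[h]

    def restore(self, index: int) -> dict:
        """Rebuild the file set as it was at snapshot `index`."""
        _, manifest = self._snapshots[index]
        return {path: self._blobs[h] for path, h in manifest.items()}

    def labels(self) -> list:
        return [label for label, _ in self._snapshots]


def backup(client_files: dict, server: ArchiveServer, label: str) -> int:
    """The whole client side: push content, then commit the path->hash map.
    A compromised client can run this, but it cannot reach anything else."""
    manifest = {path: server.put_blob(data) for path, data in client_files.items()}
    return server.commit(label, manifest)


def ransomware_overwrite(files: dict) -> dict:
    """Stand-in for encryption: replace each file's content with unrelated bytes."""
    return {path: b"ENC:" + hashlib.sha256(data).digest() for path, data in files.items()}


def demo() -> dict:
    files = {"C:/data/ledger.xlsx": b"ledger v1", "C:/data/notes.txt": b"notes v1"}

    # Unlimited retention: Wednesday's backup pushes ciphertext, Tuesday survives.
    srv = ArchiveServer()
    backup(files, srv, "mon")
    files["C:/data/notes.txt"] = b"notes v2"
    backup(files, srv, "tue")
    encrypted = ransomware_overwrite(files)
    backup(encrypted, srv, "wed")
    recovered = srv.restore(1)["C:/data/notes.txt"]

    # Two-slot rotation: malware that sat quiet long enough outlives the window.
    rot = ArchiveServer(keep_snapshots=2)
    backup(files, rot, "mon")
    backup(encrypted, rot, "tue")
    backup(encrypted, rot, "wed")
    oldest = rot.restore(0)["C:/data/notes.txt"]

    return {
        "recovered": recovered,
        "rotation_labels": rot.labels(),
        "oldest_in_rotation_is_clean": oldest == b"notes v2",
    }


if __name__ == "__main__":
    print(demo())
```

The two properties to check in any real product are the same as in the toy: the credential the client holds must not carry delete or overwrite rights on the archive (versioned or WORM object storage, or a backup host that pulls from clients rather than accepting pushes), and the retention window must be longer than the longest dwell time you are prepared to assume, which is the point the rotation comment makes.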


I am not opposed entirely to such a solution.

As I remember things:

Sony's 'attack from North Korea' data exfiltration was done at a bit transfer rate of a USB 2 memory stick.
The Russian attack on a water plant in Vermont(?) was someone using their Yahoo! email that happened to trigger a virus signature.

Various weddings are being bombed as terrorist gatherings over the years.
A camera man is shot because someone thought the camera was a weapon.
A baby food plant is bombed because it was claimed to be making chemical weapons.

So somehow "we" should trust the right party is gonna get fingered? Then lethal force will be properly applied?

Attribution is hard. Why does anyone think THIS time the people who wanted to use "remote viewer testimony" in a criminal trial have things right if you are going for lethal force?

There is a middle road too where you rotate two or more drives during your nightly backups.

Or you start using a real filesystem like ZFS. Or place your documents in a document management system. Hell, even using something like OSSEC and a logging system like logstash and then ACTUALLY READ THE REPORTS on what is being transferred and touched.
posted by rough ashlar at 11:26 PM on June 27, 2017 [1 favorite]


which would securely let the users chose files to be used, and the app would only get to work with those files, and NOTHING ELSE.

Like FreeBSD jails?

Part of the issue is the decision to run a Microsoft product. Now they've gotten WAY better than they were but if you have a problem you are trying to solve and you solve it with Windows now you have 2 problems to solve.
posted by rough ashlar at 11:32 PM on June 27, 2017 [5 favorites]


Cut off that anonymity and this crime will disappear overnight

Please explain how the blockchain of bitcoin is "anonymous"?

Now there are attempts at getting an anonymous state and one of 'em is "cloakcoin" and if that is 'anonymous' it will become the medium of choice and validate the claim that anonymity is tied to crime.
posted by rough ashlar at 11:42 PM on June 27, 2017


I do IT security for a living. Amazon S3 will be the next layer of hell on earth.
posted by Annika Cicada at 11:54 PM on June 27, 2017 [6 favorites]


Having redundant, physically distinct datastores for critical information: critical.

The old-sysadmin saying from the mainframe days, "It's not data until it's backed up", yet once again....
posted by mikelieman at 12:19 AM on June 28, 2017 [2 favorites]


We have 2100 years of experience at using and communicating with paper. We have something like 48 years of experience with networked computers.

I'm not sure why we expect the latter to be as reliable as the former, and I used to implement "paperless office"-type workflow systems for a living. The majority are, frankly, somewhere between 'fragile' and 'dangerous.' But hey, they're also cheap: that's why people implement them, not because they like watching the Windows Update screen. It's almost always a cost-savings argument (and those arguments almost always win, because cost savings are the easiest way to increase profitability in nearly any business), not because microcomputers and digital-only data storage are really better. I spent a good bunch of years ripping out systems based around paper and fax machines and microfilm and aperture cards, and in the end looking back on it, I can't really say with any great degree of confidence that the systems that replaced them (sometimes storing data in literal 'black boxes' that some vendor pinky swears are immutable) are really better. But they're a lot cheaper to operate and that's the fastest way to a nice year-end bonus. (C'est le capitalisme: We knew not what we did. And we had mortgages, after all.)

As for a solution: if you increased businesses' liability for data loss, you wouldn't see so many lazy, underfunded, corner-cut IT implementations. Make businesses financially responsible for data breaches and losses -- make the buck stop where the data resides -- and you'd suddenly see the ROI calculus change.

I am enough of an optimist to think that we actually do, as a civilization, have the ability to produce digital systems that are pretty good. But market forces don't necessarily lead to businesses actually buying such things if you can externalize the costs of them failing. Similarly, I think we have the ability to build textile factories that don't dump toxic sludge in the nearest river, but nobody built those either until they were told to cut it out with the fucking sludge in the river already -- or else.

Nothing's going to change until we develop the will to shut down or punitively fine companies who practice poor IT security in the same way we became willing to shut down or punitively fine companies with lax pollution controls, or worker safety, or anything else that costs money that they'd rather not do.
posted by Kadin2048 at 1:26 AM on June 28, 2017 [7 favorites]


Cut off [Bitcoin's] anonymity and this crime will disappear overnight...

Yes, because fuck privacy, right?

Seriously, if you take away anonymous cryptocurrency, a dozen other things-one-can-ransom-with will take its place. More dangerous things, too.

(Maybe because I'm an old person from the wild west of online perhaps-dogs, this sounds way too much like Facebook's inherent argument against online anonymity, an argument I've never been a fan of. Look how it completely failed to stop, and even enabled, the fake-news bubbles of the last US election.)
posted by rokusan at 1:29 AM on June 28, 2017


The Internet as existential threat by Raph Koster:
When we are in the larger network, though… it’s likely to our individual benefit not to permit it to reach too high a level of interconnection, specialization and sophistication. It simply means we’re each more vulnerable to the failure of some strongly interconnected node way up the line — just like the tendon in our toe is screwed if our nervous system gets shut down.
posted by metaquarry at 5:31 AM on June 28, 2017


Hospitals need to take the "Commander Adama" approach. No networks. Sorry. Paper is awesome.

Who amongst us in America doesn't keep a printed medical file in a folder somewhere?
posted by srboisvert at 5:53 AM on June 28, 2017


Is there any reason why the impact of this couldn't be limited to a few hours' downtime with a good nightly disk-image backup along with a good plan for a rapid restore from backup? Maybe you lose a day if you get shot down at 10am and have to spend the day restoring to the state of the network as of this morning, but like - why isn't something like this standard?
posted by Dysk at 6:05 AM on June 28, 2017



Is there any reason why the impact of this couldn't be limited to a few hours' downtime with a good nightly disk-image backup along with a good plan for a rapid restore from backup?


Not sure about this incident, but ransomware extortionists are trying hard to corrupt backups before corrupting primary images, to make such plans moot. It's only a matter of time before a ransomware victim finds this out the hard way.
posted by ocschwar at 6:20 AM on June 28, 2017 [1 favorite]


That would require the main systems to have access to backups, which they absolutely shouldn't have in any circumstances other than during the backup process itself. Also maybe run your backup systems on different operating systems to the rest of your network, to reduce the likelihood of both being hit by the same thing.
posted by Dysk at 6:39 AM on June 28, 2017 [1 favorite]



That would require the main systems to have access to backups, which they absolutely shouldn't have in any circumstances other than during the backup process itself.


If the system is trojaned, the intruder can identify the backup process, corrupt it, and spoof success. Run that long enough for your tail of backups to be 100% corrupt.

Then encrypt the live copy.

Done.
posted by ocschwar at 7:37 AM on June 28, 2017 [1 favorite]


If the system is trojaned, the intruder can identify the backup process, corrupt it, and spoof success. Run that long enough for your tail of backups to be 100% corrupt.

Isn't the possibility that backups are silently failing (for whatever reason) why administrators are supposed to have a schedule for testing restores? I think DBAs are supposed to be doing that, for example.
posted by thelonius at 7:45 AM on June 28, 2017 [1 favorite]


If the system is trojaned, the intruder can identify the backup process, corrupt it, and spoof success. Run that long enough for your tail of backups to be 100% corrupt.

Then encrypt the live copy.

Done.


So let's say you keep two weeks worth of backups. You've now got two weeks for someone else, anyone else, to get hit by this and alert the world and you to the possible infection, and get it patched. That's a hell of a lot better than getting the three minutes or whatever it takes to run on the MFT to try and catch it. Maybe even keep a month's backups on hand if you're running something as critical as a hospital.
posted by Dysk at 7:57 AM on June 28, 2017


Automated testing framework for backups would be my next startup. If only I weren't tied to my current employer for health insurance reasons.
posted by Fezboy! at 8:09 AM on June 28, 2017 [3 favorites]


Isn't the possibility that backups are silently failing (for whatever reason) why administrators are supposed to have a schedule for testing restores?

Supposed to, yes. Actually do it? Not as much.

There's no need to even spoof the success message, though. Just sit in wait long enough that the backups still have copies of the ransomware. You might be wrong about any individual guess as to what "long enough" is, but you'll probably be right often enough to get some payouts anyway.
posted by tobascodagama at 8:10 AM on June 28, 2017 [1 favorite]


Malware can pick from a vast array of potential triggers and safety flags. As soon as time-delayed triggering is considered a possibility, so should DNS lookup, file existence or non-existence, desktop picture, receiving emails (hopefully this idea stays far-fetched: a virus that blackmails you into marking specific messages in your spam folder as not-for-profit to mess with system filters).

The end game to prevent this entirely is the iPad-ization of all computing. Every app is isolated into a separate jail, only trusted code signed by the manufacturer is allowed to run. That level of lock-in is reprehensible, but we're looking at the alternative and I don't like either of those choices.
posted by fragmede at 9:34 AM on June 28, 2017 [1 favorite]


There's no need to even spoof the success message, though. Just sit in wait long enough that the backups still have copies of the ransomware.

That doesn't seem like much of an issue though, the ransomware would need to be part of the backup and would somehow need to be able to detect a backup is booted and activate. And even then, unencrypted files could just be copied from the backup.

Sure, IT security is super complex and there's fascinatingly advanced malware and all kinds of things that could happen, and that's all very exciting, but most of the time that's a theoretical concern, because ITSec at sufficiently many companies is so shitty that there's really no need to be super-sophisticated. A depressingly high number of attacks I've seen in five years of working as an incident responder could have been prevented with the most basic of ITSec measures, updates and backups.
posted by snownoid at 9:45 AM on June 28, 2017 [3 favorites]
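The last several comments circle one question: how do you know a restore will actually work, whether the media was corrupted after the fact or the malware was already inside the files when the backup ran? Here is an added example (mine, not code from anyone in this thread) of the two checks a restore drill can make: replaying a hash manifest written at backup time, and an entropy heuristic for files that hash correctly but look like ciphertext. The file names, contents and the 7.5-bit threshold are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins for the files in one backup set: name -> contents.
# The manifest (hash and size per file) is written at backup time and kept on
# the backup host, which the protected systems cannot write to; a restore test
# replays it against the restored copy.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(snapshot: dict) -> dict:
    """Record what the backup job captured, so a later restore can be checked against it."""
    return {name: {"sha256": sha256_hex(blob), "size": len(blob)}
            for name, blob in snapshot.items()}


# Formats that are legitimately high-entropy; anything else is expected to be
# plain data and is flagged when it looks like ciphertext.
OPAQUE_SUFFIXES = (".zip", ".gz", ".gpg", ".jpg", ".png")


def verify_restore(restored: dict, manifest: dict, entropy_threshold: float = 7.5) -> list:
    """Compare a restored copy against its manifest and return (file, problem) pairs.

    Hash mismatches catch media altered after the manifest was written. The
    entropy check covers the case raised above where the job ran after the files
    were already encrypted: the hashes then match, and only the content tells.
    """
    findings = []
    for name, meta in manifest.items():
        blob = restored.get(name)
        if blob is None:
            findings.append((name, "missing"))
            continue
        if sha256_hex(blob) != meta["sha256"]:
            findings.append((name, "hash mismatch"))
        if not name.endswith(OPAQUE_SUFFIXES) and shannon_entropy(blob) > entropy_threshold:
            findings.append((name, "unexpected high entropy"))
    for name in restored:
        if name not in manifest:
            findings.append((name, "file not in manifest"))
    return sorted(findings)


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (not encryption)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample set and its manifest.
CLEAN = {
    "invoices.csv": b"id,customer,amount\n"
                    + b"".join(b"%d,ACME,%d.00\n" % (i, i * 10) for i in range(200)),
    "notes.txt": b"Restore drill: pick a random month-end tape, restore to a spare box.\n" * 40,
    "photo.jpg": pseudo_random_bytes(4096, b"jpeg"),
}
MANIFEST = build_manifest(CLEAN)

# Case A: media altered after the manifest existed, plus a dropped note.
TAMPERED_AFTER = dict(CLEAN, **{
    "invoices.csv": pseudo_random_bytes(4096, b"case-a"),
    "README_DECRYPT.txt": b"your files are encrypted\n",
})

# Case B: the job ran after notes.txt was already encrypted, so the manifest
# itself records ciphertext and only the entropy check can notice.
ENCRYPTED_BEFORE = dict(CLEAN, **{"notes.txt": pseudo_random_bytes(4096, b"case-b")})

if __name__ == "__main__":
    print("clean:", verify_restore(CLEAN, MANIFEST))
    print("case A:", verify_restore(TAMPERED_AFTER, MANIFEST))
    print("case B:", verify_restore(ENCRYPTED_BEFORE, build_manifest(ENCRYPTED_BEFORE)))
```

The manifest is only worth something if it lives where the backed-up hosts cannot reach it, which is Dysk's point above; and the entropy heuristic needs an allow-list for formats that are legitimately dense, or every photo archive becomes an alert.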


ocschwar: "If the system is trojaned, the intruder can identify the backup process, corrupt it, and spoof success. Run that long enough for your tail of backups to be 100% corrupt."

The longer the tail the greater the chance of detection.

Besides proper backups also protect against fire, theft, civil unrest, disgruntled employees and idiocy so implementing them in a malware aware fashion is essentially free.
posted by Mitheral at 11:13 AM on June 28, 2017 [2 favorites]


Significant update on Petya 2017, the version running wild right now. Despite what it says it appears to be a wiper not ransomware. It overwrites the first 24 bytes in the MBR & unlike Petya 2016 it does not save the original bytes. So if you've been infected your data is irretrievably gone, sorry.
posted by scalefree at 11:24 AM on June 28, 2017 [2 favorites]


So this just destroys the MBR and encrypts the MFT, or is the rest of the disk also encrypted? I found conflicting information on that, but if it's only the former that sounds mostly like a big payday for IT forensics and data recovery people.
posted by snownoid at 12:31 PM on June 28, 2017 [4 favorites]
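For readers wondering how an overwrite like the one scalefree describes would be spotted short of a failed boot: an added example (not from the thread or the analyses it links) that baselines a boot sector from a known-good capture and diffs a later capture against it. The sectors here are constructed; a real check reads the first 512 bytes of the disk device from a trusted environment and keeps the baseline off the host.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # classic layout: bootstrap code occupies bytes 0-439
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte boot sector into the pieces a baseline comparison cares about."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:                       # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline: dict) -> list:
    """List how a fresh capture differs from a baseline recorded while the host was known good."""
    current = parse_mbr(mbr)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code hash differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed boot sector: placeholder boot code, a disk signature, one NTFS-type entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three slots empty
    sector = (boot_code.ljust(BOOT_CODE_LEN, b"\x90") + b"\xde\xad\xbe\xef" + b"\x00\x00"
              + table + BOOT_SIGNATURE)
    assert len(sector) == MBR_SIZE
    return sector


GOOD_MBR = make_sample_mbr(b"\xeb\x3c\x90SAMPLEBOOT")
BASELINE = parse_mbr(GOOD_MBR)           # in practice: captured from a trusted boot, stored off-host

# Constructed tampered copy: the first 24 bytes overwritten, everything else untouched,
# mirroring the overwrite described in the comment above.
TAMPERED_MBR = b"\xff" * 24 + GOOD_MBR[24:]

if __name__ == "__main__":
    print("good:", check_against_baseline(GOOD_MBR, BASELINE))
    print("tampered:", check_against_baseline(TAMPERED_MBR, BASELINE))
```

The partition table is compared separately from the boot code because the two fail differently: a destroyed bootstrap with an intact table is the recoverable-by-forensics case snownoid asks about, while a rewritten table means the volume geometry itself has to be reconstructed.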


So let's say you keep two weeks worth of backups. You've now got two weeks for someone else, anyone else, to get hit by this and alert the world and you to the possible infection, and get it patched. That's a hell of a lot better than getting the three minutes or whatever it takes to run on the MFT to try and catch it. Maybe even keep a month's backups on hand if you're running something as critical as a hospital.

My backup routine is:

Full Nightly Mon - Thu 2 sets ( 1 and 2)

Full Nightly Friday 4 sets ( Friday A - Friday D )

Month end gets pulled for posterity.

I have Month Ends forever,
A Month of Fridays
Two weeks daily.

I'd be able to restore, the only question would be "how far back..."

Automated testing framework for backups would be my next startup. If only I weren't tied to my current employer for health insurance reasons.

"Always trust your tar to the man who wears a star." Lone-tar was a thing of beauty ( Automated Bit level verifies )

Airbag for bare metal restores was even cooler...
posted by mikelieman at 12:42 PM on June 28, 2017 [1 favorite]
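mikelieman's rotation, modelled as code so the "how far back" question has a concrete answer. This is an added example, not his script; the details the comment leaves open are assumptions marked in the comments: daily sets 1 and 2 alternate week by week, Friday sets A through D cycle every four weeks, "month end" is the last weekday of the month, and nothing runs on weekends.

```python
from datetime import date, timedelta

DAY_ABBREV = ("Mon", "Tue", "Wed", "Thu")
EPOCH_MONDAY = date(1970, 1, 5)   # any Monday works as the origin for counting weeks


def backup_slot_for(day: date):
    """Which piece of media a given night's full backup lands on, or None on weekends.

    Assumptions not spelled out in the comment: daily set 1 on even weeks and set 2 on
    odd weeks (each set is four tapes, Mon-Thu); Friday tapes A-D rotate on a 4-week cycle.
    """
    week = (day - EPOCH_MONDAY).days // 7
    wd = day.weekday()                    # Mon=0 .. Sun=6
    if wd <= 3:
        return f"Daily-{1 if week % 2 == 0 else 2}-{DAY_ABBREV[wd]}"
    if wd == 4:
        return "Friday-" + "ABCD"[week % 4]
    return None


def last_backup_day_of_month(day: date) -> date:
    """Last weekday of day's month, assumed to be the 'month end' tape that gets pulled."""
    last = (day.replace(day=28) + timedelta(days=4)).replace(day=1) - timedelta(days=1)
    while last.weekday() > 4:
        last -= timedelta(days=1)
    return last


def simulate_retention(start: date, today: date) -> dict:
    """Replay the rotation from `start` up to the night before `today`.

    Returns label -> date of the backup currently on that media, i.e. the restore
    points available this morning. Writing a slot overwrites whatever was on it,
    which is what bounds the daily and Friday sets; month-end media is pulled from
    rotation, so those points accumulate for as long as the scheme has run.
    """
    slots, pulled = {}, {}
    d = start
    while d < today:
        label = backup_slot_for(d)
        if label is not None:
            slots[label] = d
            if d == last_backup_day_of_month(d):
                pulled[f"MonthEnd-{d:%Y-%m}"] = d
        d += timedelta(days=1)
    points = {**slots, **pulled}
    return dict(sorted(points.items(), key=lambda kv: kv[1]))


def oldest_restore_point(start: date, today: date) -> date:
    return min(simulate_retention(start, today).values())


if __name__ == "__main__":
    # Constructed scenario: rotation started 2017-01-01, hit on the morning of 2017-06-28.
    for label, when in simulate_retention(date(2017, 1, 1), date(2017, 6, 28)).items():
        print(f"{label:18} {when:%a %Y-%m-%d}")
```

Run for the morning this thread was active, the scheme yields eight daily points spanning the two most recent weeks, four Fridays, and every month end since January. The thing the simulation makes visible is that the two-week window Dysk asked about only exists for the daily tapes: past that, the granularity drops to a week and then to a month.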


The article about it being a wiper makes a much stronger claim about intent
The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack.
Specifically the article says it's a nation state attack on Ukraine. That got my attention because there was an NPR piece today saying the same thing. Golan Ben-Oni was on and making a big point about how these attacks are stealing login credentials, not just ransoming hard drives.

One thing that's particularly troubling to me; there's a doctrine in warfare that one is supposed to avoid collateral damage. American cyberwar efforts like Stuxnet did their best to be precisely targeted and, indeed, did relatively little collateral damage. It's very upsetting to think that as a side effect of Russia sabotaging Ukrainian networks, random European hospitals and logistics networks just get shut down.
posted by Nelson at 1:33 PM on June 28, 2017 [4 favorites]


The claim that this is a nation state attack seems pretty sensationalist, or at least doesn't follow at all from the fact that this might be a "wiper". If you want to destroy data, you don't actually need to rewrite parts of some ransomware, you can just, you know, not send out any decryption keys after receiving payment.

(Also, I'm not convinced that all data cannot be decrypted if the MBR is lost, at least from a technical perspective. So much of the information on this available right now seems to be speculation/conjecture, so I guess we'll have to wait to get the real story.)
posted by snownoid at 2:10 PM on June 28, 2017


I agree saying it's a nation state attack aimed at Ukraine is a strong claim. I'd like to see more evidence. I haven't read this story closely enough to know what evidence exists. Attribution of cyberattacks is difficult.

But Russia and Russian irregulars have attacked Ukraine's network infrastructure many times before. It's part of the war and subsequent smoldering conflict of Russia seizing Ukrainian land and influence in Ukraine. It's not a bad guess that Russia might be involved in this new malware that seems to be spreading particularly virulently in Ukraine.

The folks who really know won't be talking.
posted by Nelson at 2:39 PM on June 28, 2017 [2 favorites]


Talk about prophetic.

Russia's Cyberwar on Ukraine is a Blueprint for What's to Come

Wired Magazine, June 20th 2017
posted by MrVisible at 5:37 PM on June 28, 2017 [2 favorites]


I don't think I should mention who I work for but reading this thread has actually made me VERY confident in my company's information security practices.

Like, every time I see a comment saying, "So, if you really want to prevent this kind of thing, you do X, Y, and Z." Makes me realize, "Oh, so that must be why the company requires X, does Y, and I had to come in on a weekend to help do Z."
posted by VTX at 5:42 PM on June 28, 2017 [4 favorites]




I agree saying it's a nation state attack aimed at Ukraine is a strong claim. I'd like to see more evidence. I haven't read this story closely enough to know what evidence exists. Attribution of cyberattacks is difficult.


Difficult, and best not done by anyone of consequence.

As I'm a man of no consequence, I'll say it: Russia did this.
posted by ocschwar at 7:45 PM on June 28, 2017


Amazon S3 will be the next layer of hell on earth.

Can you expound on that a bit? S3 holds some data of mine.
posted by quonsar II: smock fishpants and the temple of foon at 9:01 PM on June 28, 2017


Kaspersky agrees: Petya 2017 is a wiper pretending to be ransomware.
If we compare this randomly generated data and the final installation ID shown in the first screen, they are the same. In a normal setup, this string should contain encrypted information that will be used to restore the decryption key. For ExPetr, the ID shown in the ransom screen is just plain random data.

That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID.
posted by scalefree at 5:28 AM on June 29, 2017 [1 favorite]


On the nation-state issue I have no inside information but my gut says it is. It feels like the distraction in every heist movie I've ever seen. While everybody's up in arms over the distraction the team is free to execute their attack on the planned target. Plus it carries a state-sponsored message as a bonus: Don't do business with Ukraine.
posted by scalefree at 5:33 AM on June 29, 2017 [1 favorite]


Here's a good follow-up on some of the elements that made this attack interesting: Why NotPetya Kept Me Awake (& You Should Worry Too).
posted by skymt at 6:16 AM on June 29, 2017


Amazon S3 will be the next layer of hell on earth.

Can you expound on that a bit? S3 holds some data of mine.


I believe the implication is that, some day, someone will find a vulnerability in S3 that allows them to orchestrate a ransomware/denial-of-service attack on a truly apocalyptic scale.
posted by tobascodagama at 7:19 AM on June 29, 2017 [3 favorites]


As I'm a man of no consequence, I'll say it: Russia did this.

true courage. i salute our brave computer troops o7
posted by indubitable at 7:50 AM on June 29, 2017


Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons
It was as if the Air Force lost some of its most sophisticated missiles and discovered an adversary was launching them against American allies — yet refused to respond, or even to acknowledge that the missiles were built for American use.
posted by Nelson at 9:26 AM on June 29, 2017


it's really weird of them to characterize security flaws as physical weapons that are manufactured and stockpiled. it's more like the CPSC found out a certain kind of crib was very prone to strangling babies and quietly redirected all exports to the Russian or Chinese or whatever market instead of, you know, telling the manufacturer to recall that shit and fix it.
posted by indubitable at 9:31 AM on June 29, 2017


Re S3: here's to hoping that some jackass at Facebook doesn't misconfigure an S3 bucket with 2 billion people's personal information in it.
posted by Annika Cicada at 9:41 AM on June 29, 2017 [3 favorites]
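On the misconfigured-bucket point: an added example (mine, not from AWS or anyone in the thread) of the two places an S3 bucket becomes world-readable, a bucket policy that grants the anonymous principal and an ACL grant to the AllUsers or AuthenticatedUsers group. The policy and ACL documents follow the real IAM policy and S3 ACL JSON shapes, but the bucket name, account id, VPC endpoint id and grantee id are constructed placeholders.

```python
import json

# The canned group URIs S3 ACLs use for "everyone" and "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM documents allow a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True for the anonymous principal: "*" or {"AWS": "*"} (also in list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_findings(policy: dict) -> list:
    """(Sid, severity, actions) for every Allow statement open to the anonymous principal.

    Deny statements with Principal "*" are the normal way to force TLS or block
    actions, so they are not findings. An Allow with a Condition is reported as
    'conditional': whether it is safe depends entirely on the condition keys.
    """
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not principal_is_anyone(st.get("Principal")):
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        actions = tuple(_as_list(st.get("Action")))
        severity = "conditional" if st.get("Condition") else "public"
        findings.append((sid, severity, actions))
    return findings


def public_acl_findings(grants: list) -> list:
    """(group, permission) for ACL grants to the public or all-authenticated groups."""
    out = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return out


# Constructed sample bucket policy: one open statement, one VPC-endpoint-scoped
# statement, one role-scoped statement and a TLS-enforcing Deny.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

# Constructed sample ACL grants, in the shape the GetBucketAcl call returns them.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "CONSTRUCTED-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print("policy:", public_policy_findings(SAMPLE_POLICY))
    print("acl:", public_acl_findings(SAMPLE_ACL_GRANTS))
```

Fed the output of the GetBucketPolicy and GetBucketAcl calls for each bucket in an account, this produces the short list worth a human look. It deliberately reports nothing for the role-scoped statement or the Deny, and reports the VPC-endpoint statement separately rather than as public, because a scoped anonymous grant is a design choice, not a mistake, until someone checks what the condition actually restricts.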


You mean like the recent Republican party leak of 200M people's personal information, tied to voter records?

Misconfigured S3 is only the tip of the iceberg though. The real risk is some flaw in Amazon's S3 infrastructure, or any of AWS really, that allows someone unauthorized to access the system. Who am I kidding; these flaws exist already and most likely are in the hands of the NSA. And instead of quietly helping Amazon fix the problem the NSA is probably sitting on the exploits. Let's hope they don't lose them too.
posted by Nelson at 9:54 AM on June 29, 2017 [2 favorites]


F-Secure has a nice writeup as well.
But are you still skeptical about this malware being “nation state”?

Less and less so. We don’t think any current attribution is rock solid (attribution never really is). We feel this is definitely worth deeper investigation. And more pizza.
posted by Xyanthilous P. Harrierstick at 9:56 AM on June 29, 2017 [1 favorite]


Twitter thread from Jessica Payne.

Short version: Petya bet that security best practices would not be followed and won that bet handily.
posted by tobascodagama at 11:30 AM on June 29, 2017 [1 favorite]


F-Secure says they have evidence that suggests the Petya dev team were working on the code to exploit ETERNALBLUE as early as Feb., weeks before Shadow Brokers released the key to the world. If true it would definitively link SB to Petya, pretty much locking in attribution to Russia. But they haven't said anything about the nature or provenance of their evidence so we have no way of evaluating it for now.
posted by scalefree at 5:53 PM on June 29, 2017 [3 favorites]


So I have an answer from someone at F-Secure: "Compilation timestamp on that component." That's a thing that could be faked so it's not conclusive. But I'd argue it goes against their interest to fake that & it's the kind of detail that's easy to overlook so it's at least persuasive.
posted by scalefree at 6:17 AM on June 30, 2017 [1 favorite]

