Colonial Ransom
May 11, 2021 3:31 AM

 
It's nice of them to apologize.
The next 'Criminal Group' (/North Korea) might not be so kind. Which makes this, as proof of concept, such a worrying development.
posted by From Bklyn at 3:40 AM on May 11, 2021 [10 favorites]


From what I've seen in my career, most organizations, in general, have shockingly bad digital security. The suits just can't be persuaded to care about anything that doesn't directly impact the bottom line – so security gets treated as a nice-to-have luxury. The engineers, in turn, learn that there's no point in sticking their necks out to argue for better security, so they just shrug and accept the status quo.

Any given organization will have to suffer a couple of attacks like this before they'll take it seriously, and a few more before they'll figure out how to do it semi-competently.

(Forgive my cynicism.)
posted by escape from the potato planet at 4:04 AM on May 11, 2021 [38 favorites]


I found the comments interesting - discussing how the ransom groups often have very good customer service, because if word gets out that they don't unlock when paid, people will stop paying.

There was a subsequent suggestion that someone just needs to set up a few ransomware groups that don't unlock when they are paid, to make everyone doubt that paying is worth it and taint the reputations of all the groups.
posted by Stark at 4:31 AM on May 11, 2021 [18 favorites]


For apology, read "Ahhh, we just realized that we took down a major part of US critical national infrastructure by mistake, and that elevates us from being wanted by the FBI to being hunted by the CIA, not to mention all the other countries' agencies who would like to know how we did it, and we'd very very very much like to back out of that situation as fast as humanly possible and just go back to robbing people. Is that cool? Please say that's cool."

The moment they realized that they had chosen the wrong target must have been quite bracing.
posted by DangerIsMyMiddleName at 4:34 AM on May 11, 2021 [110 favorites]


a few more before they'll figure out how to do it semi-competently

More than a few, in my experience. Rather a lot more. After all, the C*eroles now have a plethora of security-theatre snake-oil salesmen to be ripped off by before they can be bothered to make even slight alterations to their own appallingly lax practices.

There are an awful lot of Highly Paid Executives whose entire motivation for being a Highly Paid Executive is to avoid having anybody boss them about, and who accordingly remain enormously resistant to the idea that reality is everybody's boss.
posted by flabdablet at 4:37 AM on May 11, 2021 [33 favorites]


There was a subsequent suggestion that someone just needs to set up a few ransomware groups that don't unlock when they are paid, to make everyone doubt that paying is worth it and taint the reputations of all the groups.

I'm not sure this would solve the underlying problem, though, as it seems like the answer would be for attackers to switch to crypto-based smart contract ransomware.
posted by howfar at 4:41 AM on May 11, 2021 [5 favorites]


anecdata: my employer got hit last year. 1800 person consulting firm. payoff in the millions. "yes, we're insured. once." And people still have the gall to complain if our IT processes get more arduous as a consequence.
posted by hearthpig at 4:43 AM on May 11, 2021 [16 favorites]


Well, and consider the actions of the gang who targeted the police in D.C. and then realized what they had done: https://therecord.media/babuk-gang-says-it-will-stop-ransomware-attacks-after-dc-police-incident/
posted by wenestvedt at 4:45 AM on May 11, 2021 [3 favorites]


On the Risky Business podcast a couple of weeks ago, they were talking about how genuinely professional and tight the hacker gangs are getting. They move so fast!
posted by wenestvedt at 4:47 AM on May 11, 2021 [3 favorites]


Does anyone else have this process in their industry?

1. Buy a very expensive PC that controls some critical piece of infrastructure.
2. Write an annual check for vendor support for the PC and crap it controls.
3. Have vendor claim the PC cannot be upgraded or patched due to . . . reasons (regulatory, trade secret, whatever).
4. Jump through hoops making sure this gaping hole has as much duct tape over it as possible.

An ounce of planning and just a half-assed exploit toolkit can grind the country to a halt.
posted by cmfletcher at 5:01 AM on May 11, 2021 [22 favorites]


Also: Tay speaks for all of us.
posted by wenestvedt at 5:15 AM on May 11, 2021 [8 favorites]


The suits just can't be persuaded to care about anything that doesn't directly impact the bottom line – so security gets treated as a nice-to-have luxury.

Sometimes not even a nice-to-have. I was straight up told by a security engineer several years ago that the higher ups in his firm would never be bothered to spend money on security, even after a very well-publicized breach. Why not? They had studied retail sales patterns afterward, you see, and in-store sales had not been adversely affected. So why bother?

(Forgive my cynicism.)

There's nothing cynical about it at all, unfortunately, and it's the reason I made a gradual, oblique pivot away from infosec as a career. Well, that and a whole lot of other dumb stuff in the field that doesn't bear directly on this story.
posted by jquinby at 5:22 AM on May 11, 2021 [6 favorites]


1. Buy a very expensive PC that controls some critical piece of infrastructure.
2. Write an annual check for vendor support for the PC and crap it controls.
3. Have vendor claim the PC cannot be upgraded or patched due to . . . reasons (regulatory, trade secret, whatever).
4. Jump through hoops making sure this gaping hole has as much duct tape over it as possible.
Car multimedia systems are often highly outdated Android distributions. Hyundai/Kia is 4.2, Honda and GM are both still on 6.0, and even the Polestar 2, the primo Android Auto flagship, is still on Android 10 circa September 2019. I shudder to think about the attack surfaces on these multimedia systems. Some of them are even connected to LTE.

Our cars are basically IoT ticking time bombs at this point.
posted by Your Childhood Pet Rock at 5:28 AM on May 11, 2021 [15 favorites]


I'm not sure where I heard it first but "The S in IoT stands for security!"
posted by cmfletcher at 5:31 AM on May 11, 2021 [64 favorites]


Why not? They had studied retail sales patterns afterward, you see, and in-store sales had not been adversely affected. So why bother?

That is a totally reasonable position though, and it reflects badly on the security team for not understanding their institutional priorities, not the leadership for focusing on them.
posted by mhoye at 5:31 AM on May 11, 2021 [2 favorites]


Not to be a spoilsport about this, but the number of computer security professionals in the world who think their job is to secure computers is too damn high. Security is a set of practices, process, norms and standards that exist to support a set of personal or institutional priorities, not a thing that you have, or do, for its own sake.
posted by mhoye at 5:46 AM on May 11, 2021 [18 favorites]


To be clear, the pipeline is undamaged and could function normally, however Colonial has chosen not to release any product:

https://twitter.com/KimZetter/status/1391584162545496066

"Colonial’s op network controls flow of fuel from pipeline to distributors then passes info to ticketing system on IT network to automatically invoice distributors. If ticket system is locked and pipeline is still flowing Colonial can't monitor flow and send invoices to get paid."
posted by The Pluto Gangsta at 5:51 AM on May 11, 2021 [14 favorites]


Capitalism: it's just ransom all the way down.
posted by rikschell at 5:54 AM on May 11, 2021 [52 favorites]


In the countries that haven't nationalized the oil industry, the industry has nationalized the country
posted by eustatic at 5:57 AM on May 11, 2021 [18 favorites]


If ticket system is locked and pipeline is still flowing Colonial can't monitor flow and send invoices to get paid."

Then oh gosh, gas prices go up because of the mean hackers, not our fault (but we'll take the profit)
posted by sammyo at 6:00 AM on May 11, 2021 [12 favorites]


Does anyone else have this process in their industry?

Every industry. Every single one.

More commonly: they don't know there is some out of date, POS PC quietly humming along running a critical piece of infrastructure, which is running Windows 95 and has not been rebooted in years. The guy who set it up retired; the person trained was laid off six rounds ago. So when it inevitably dies, no one will even know what to look for.
posted by MrGuilt at 6:02 AM on May 11, 2021 [40 favorites]


promise to ransom less controversial targets in future

Oh, like the children's hospitals you've been doing up till now, cool cool
posted by saturday_morning at 6:04 AM on May 11, 2021 [24 favorites]


Security is a set of practices, process, norms and standards that exist to support a set of personal or institutional priorities, not a thing that you have, or do, for its own sake.

In the Before Times I used to get to the office way too early, and there was one morning when the only other person in the office stopped by my cube to ask how to format an SD card in Windows. So I told him, and then, as he was walking away, he casually mentioned how lucky he was to find a then moderately expensive SD card on the floor in the publicly accessible lobby....

I ran after him, asked if he had put it in his work computer (not yet, thankfully), and then demanded that he hand it over and that we wait until someone more senior arrived before we did anything. After a security camera footage review, we were able to identify who dropped it and determine that it was an innocent accident*, which was a) the best outcome but also b) kind of minimized how dangerous it was to have employees who thought nothing about pocketing random SD cards and sticking them in work computers.

* At least from our perspective. For the other company in the building whose employee dropped it, the SD card could have been a data leak if someone else had found it.
posted by RonButNotStupid at 6:15 AM on May 11, 2021 [25 favorites]


Children's hospitals gen-er-al-ly aren't owned by oligarchs who have Blackwater on speed-dial.
posted by seanmpuckett at 6:15 AM on May 11, 2021 [4 favorites]


Within the context of everything in the world going to shit, and me being, basically, a terrible person: this is hilarious.
posted by pompomtom at 6:33 AM on May 11, 2021 [14 favorites]


they don’t know there is some out of date, POS PC quietly humming along

I read that initially as a Point Of Sale PC, but usually those are visible. Gotcha.
posted by heatherlogan at 6:39 AM on May 11, 2021 [5 favorites]


Colonial has chosen not to release any product

They are also apparently being difficult on cooperation with federal officials on investigating the break-in and securing their systems.

Colonial was also responsible last year for one of the largest gasoline spills in US history, and the largest in North Carolina history.

I wonder how much the previous administration helped to minimize this earlier story, and if Colonial is refusing help in order to limit news exposure for past malfeasance, as much as its responsibility for what is going on now.
posted by They sucked his brains out! at 6:39 AM on May 11, 2021 [14 favorites]


Why not? They had studied retail sales patterns afterward, you see, and in-store sales had not been adversely affected. So why bother?

That is a totally reasonable position though, and it reflects badly on the security team for not understanding their institutional priorities, not the leadership for focusing on them.


I disagree with this - there are serious systemic issues with security/software patching, and even if executives are 100% behind, it still cannot necessarily be solved without a level of integration that just doesn't exist in enterprise software.

I mean, security issues are discovered weekly for most software products, and some patches break other contracted software, or at best are untested, which creates serious business risk.
Also, there aren't patching processes that can handle large companies and large numbers of servers without serious investment.

That's one reason the company I work for is ditching its own data centers and going with a managed solution - because patching OSs at an enterprise level is a legitimately difficult business problem that is better to farm off on Amazon or Microsoft or whomever.
posted by The_Vegetables at 7:09 AM on May 11, 2021 [4 favorites]


I'm not sure this would solve the underlying problem, though, as it seems like the answer would be for attackers to switch to crypto-based smart contract ransomware

It figures that "more effective criminaling" is a use case for crypto smart contracts.
posted by Mr.Encyclopedia at 7:10 AM on May 11, 2021 [9 favorites]


The gang operates out of Russia. Surely FSB knows who they are. As long as they piss outside the tent they don't stop them. Are they state-sponsored? I'd argue yes. I suspect it's no accident that this happens as we are ramping up to confront Russia.
posted by hypnogogue at 7:11 AM on May 11, 2021 [8 favorites]


When I was doing small business IT from around '05 to '10, there were a few times I had to track down replacement PCs with a freaking ISA slot on their mobos to replace failing equipment controllers running Win '95.

At least then I wasn't being asked to put those machines on the network -- if they needed to sync with some vendor system, they literally phoned home over a modem, and were generally not configured to accept inbound calls. I suspect that might no longer be the case, can't imagine many vendors are still maintaining modem banks.
posted by snuffleupagus at 7:14 AM on May 11, 2021 [2 favorites]


I read that initially as a Point Of Sale PC, but usually those are visible. Gotcha.

It might very well be some POS POS PC that was sitting idle and repurposed. That would very much be on brand for this scenario.
posted by MrGuilt at 7:14 AM on May 11, 2021 [9 favorites]


My company is trying to take stuff like this seriously, since all it takes is one employee clicking an email link without paying attention and then the whole company can be halted or even nuked. Happened to Boeing. Happened to Hyundai. Happened to Kia.

So now the trend is to test employees by sending them mocked-up emails that try to get you to click on them and then report you to management (or, more commonly, schedule you for retraining) if your digital hygiene is less than stellar. But, how do you test them seriously, and not just with some rando email saying "hiya here are some pictures of my cute cat! loveya, rando198212"?

West Midlands Trains in the UK tried this by doing an email/phish test with a subject line promising a bonus for their hard work during COVID. And now the workers' union is pissed. Not because so many people failed the test, but that the promised bonus was a lie.

In summary, cyber security is too hard for any of us to comprehend and we're all doomed and thanks for listening to my TED talk.
posted by JoeZydeco at 7:16 AM on May 11, 2021 [23 favorites]


So now the trend is to test employees by sending them mocked-up emails that try to get you to click on them and then report you to management if your digital hygiene is less than stellar.

Yeah, my company's been doing this all year, with particularly ham-handed efforts. They'll misspell Microsoft and generally pack the thing with clues that really should tip you off that this isn't real. The problem is, they're still catching people out. Lots of them multiple times. Some people will apparently click on anything come hell or high water. So they keep layering on more and more idiot-proof security which makes it increasingly challenging for the rest of us to just do our jobs.

I imagine Hearthpig has a few pithy words for me right about now.
posted by Naberius at 7:21 AM on May 11, 2021 [14 favorites]


My company is trying to take stuff like this seriously, since all it takes is one employee clicking an email link without paying attention and then the whole company can be halted or even nuked.

I just installed a Meraki router at my parents' place this weekend -- which does content filtering and IDS, and which I can manage remotely -- because my Dad is hopeless when it comes to phishing and malicious notifications, etc, and even my reasonably tech-savvy mom has started managing to pick up malware -- on OS X, yet.

And of course they have all their essential logins and passwords stored in their phones and browser caches, and a roadmap to their assets in their browser history and auto-logged-in gmail.
posted by snuffleupagus at 7:22 AM on May 11, 2021 [3 favorites]


The group behind the ransomware that took down Colonial Pipeline late last week has apologized for the “social consequences,” claiming that its goal is to make money, not cause societal problems.

I have been staring at this comment box for twenty minutes, but the laws of thermodynamics do not permit a sufficiently hot take on this sentence to exist in the universe.
posted by automatronic at 7:27 AM on May 11, 2021 [32 favorites]


They'll misspell Microsoft and generally pack the thing with clues that really should tip you off that this isn't real.

Yeah, the thing I forgot to add is that now the emails are getting more convincing but my coworkers have figured out that the phishing tests have extra headers in them, like "X-PHISHING-TEST: 123456578". Insert eyeroll here.

So everyone is trading Outlook filters to catch these and automatically delete them, since nobody wants to be scheduled for Reeducation. Which puts us back to where we started.
posted by JoeZydeco at 7:35 AM on May 11, 2021 [20 favorites]


yeehaw GPO Outlook meltdown '21

scheduled for Reeducation

"We have detected an unauthorized filter in your email client. Is it safe?"
posted by snuffleupagus at 7:36 AM on May 11, 2021 [5 favorites]


Hyundai/Kia is 4.2,

It seems it's worse than just multimedia systems. So Many Hyundais And Kias Are Stolen In Milwaukee That Police Are Giving Out Steering Wheel Locks. The article doesn't go into ANY detail of the exploit, but there seems to be some flaw where thieves are starting and stealing Hyundais and Kias without their key fobs.
posted by hwyengr at 7:38 AM on May 11, 2021 [6 favorites]


And of course they have all their essential logins and passwords stored in their phones and browser caches, and a roadmap to their assets in their browser history and auto-logged-in gmail.


Oh...er...

*looks side to side*

Yeah, I guess I’d better take care of that...
posted by darkstar at 7:38 AM on May 11, 2021 [3 favorites]


Yeah, my company's been doing this all year, with particularly ham-handed efforts. They'll misspell Microsoft and generally pack the thing with clues that really should tip you off that this isn't real.

I "fell" for this, in that it was so stupid I told my friends about it on FB. "Hey friends check this out, I got a spam email that is so bad it's laughable ... the return email is literally 'spammer@fakecompany.com' and it says 'Dear Dave' instead of 'Dear Melismata,' can you believe how dumb the spammers are these days??" About two minutes later I realized it was a fake spam from my company.
posted by Melismata at 7:41 AM on May 11, 2021 [7 favorites]


can you believe how dumb the spammers are these days??

That is all quite deliberate, and the reasoning behind it has a sinister elegance to it that's hard not to respect. It's not the spammers that are dumb, not at all; it's that their time is valuable, and they are carefully selecting for only the most gullible respondents to maximize the return on their investment of time and effort.
posted by mhoye at 7:47 AM on May 11, 2021 [28 favorites]


Our organization allows their security test emails into our system by turning off our security mechanisms for that email, so now we can't trust that those mechanisms work.

I got a small Amazon gift card email from my boss the morning after my annual evaluation which I clicked. I subsequently got chastised for the amount of swearing I did about the test.
posted by idb at 7:51 AM on May 11, 2021 [3 favorites]


Gullible, but also vulnerable. Whether due to literal senility, or category mistakes in confusing notifications by the operating system with notifications from getphished.lol by forwarding from some domain they typoed (or forged emails that are styled to look like they're from a trusted entity, like Apple, Google or a bank).
posted by snuffleupagus at 7:54 AM on May 11, 2021 [4 favorites]


Obligatory xkcd
posted by Mogur at 7:56 AM on May 11, 2021 [19 favorites]


so everyone is trading Outlook filters to catch these and automatically delete them

Ahahaha, this is amazing.
posted by ryanrs at 7:57 AM on May 11, 2021 [7 favorites]


That a criminal gang hacked a crucial piece of US infrastructure, threatening regional and national economies, then posted an apology *on their website* is the most cyberpunk thing I've read today.
posted by doctornemo at 8:25 AM on May 11, 2021 [35 favorites]


Reportedly from Twitter some regions are just... entirely out of gas, after a run on gas stations.
posted by LSK at 8:32 AM on May 11, 2021 [3 favorites]


Seems like a missed opportunity to negotiate a deal with an extreme environmental activist group who would be excited to take credit in order to generate press.

One might argue that regulating critical industries and, say, requiring that they have regular offline backups and the ability to do a bare-metal re-install in a day might not be a terrible idea.
posted by eotvos at 8:35 AM on May 11, 2021 [2 favorites]


That a criminal gang hacked a crucial piece of US infrastructure, threatening regional and national economies, then posted an apology *on their website* is the most cyberpunk thing I've read today.

Dead ^Ass Sec

posted by snuffleupagus at 8:46 AM on May 11, 2021 [2 favorites]


Given the overlap of Mafia and Government in Russia, it would be interesting to be a fly on the wall during the meetings in the Pentagon about this.
posted by Bee'sWing at 9:10 AM on May 11, 2021 [4 favorites]


For the last two years I have been collaborating on a pretty interesting super secret project to have layers of firewalls to minimize the damage an attack like this could cause to a company.

My role is kind of like devil's advocate in the sense that I demand that every new change and feature has, apart from the super interesting 150 page technical design document, a couple of short paragraphs explaining the benefit to sales, upper management, marketing, etc... And if there is no tangible short term benefit, to at least make it very very easy for the Vice President of Being Very Busy and Very Important to follow the process.

The engineers complain a lot, it slows down the project and we have to make compromises, but we've seen like 10% of the resistance from management that I have seen in similar projects in the past.

If the hardcore no-nonsense super rational engineer I was 20 years ago could see what I have become they would be so disgusted.
posted by Dr. Curare at 9:22 AM on May 11, 2021 [26 favorites]


When I was doing small business IT from around '05 to '10, there were a few times I had to track down replacement PCs with a freaking ISA slot on their mobos to replace failing equipment controllers running Win '95.

Last time I struck this issue it was at a plastics shop with a huge and rather beautiful CNC router table cabled to a mysterious proprietary ISA card in a suddenly and thoroughly deceased Windows 95 box that had been running an ancient and completely unlicensed version of some proprietary toolpath generation package.

That software perfectly suited the purposes of the guy who owned the shop. He had spent positively geological amounts of time learning it, had become highly proficient and productive with it, and had zero interest in acquiring or learning anything else. But we couldn't find a replacement ISA-slot mobo for love nor money.

Close examination of the mysterious ISA board revealed a 16550A UART and a few optocouplers, which convinced me that it was a 20mA current loop comms board and would probably be presenting to Windows as a standard COM device. And fortunately, the shop owner still had the original installer disc for the toolpath software. Unfortunately, it flat refused to run on any version of Windows with an NT kernel.

So what I ended up doing for him was installing VirtualBox on his laptop, installing Windows 98SE as a guest OS, installing the toolpath software onto that, and connecting a USB to RS232 external comm card to the laptop and a RS232 to 20mA current loop converter to the comm card.

VirtualBox was able to present the USB comms hardware to the guest OS as an emulated 16550A on COM3, and after a bit of fiddling to get the right wires connected to the right terminals on the 20mA box it all worked. The ancient software ran way smoother on his nice new laptop than it ever had on the original Win95 box, and we gave the guest OS access to a shared drive on the laptop so he didn't need to ship stuff on floppies from his former CAD box to the now-dead former toolpath box any more.

That was maybe five years ago and as far as I know he's still using it.
posted by flabdablet at 9:41 AM on May 11, 2021 [69 favorites]


I used to work in corporate acquisitions and, inevitably, we never managed to convince our deal team to involve the IT group pre-closing ("for confidentiality reasons"). We discovered SO MANY post-closing gifts, typically in the form of the aforementioned POS PCs running in a closet ("that's our customer data server", "that's our ERP") and also the aforementioned POS POS PCs running unsecured in a retail location closet, admin password written on a post-it note, many times with customer information including credit card details in an unprotected excel sheet on the desktop.

I hope the Colonial pipeline controls systems are airgapped. I can understand why they aren't able to "sell" product without the invoicing system; the transfer of ownership of petroleum products is heavily hedged, regulated, taxed, and controlled; unwinding that hairball if they did it w/o systems would be literally unsurmountable.
posted by some chick at 9:52 AM on May 11, 2021 [6 favorites]


I hope the Colonial pipeline controls systems are airgapped

you made a funny
posted by flabdablet at 9:56 AM on May 11, 2021 [15 favorites]


though on further reflection I guess a fifty-years-obsolete hellscape of PLCs and rat's nest wiring upon which running a TCP/IP stack could never be more than an operator's fever dream and for which almost all the documentation has been eaten by cockroaches might plausibly count as airgapped.
posted by flabdablet at 10:07 AM on May 11, 2021 [6 favorites]


"Because, with all our faults,
We love our fossil fuel supply chain!"
posted by Zed at 10:07 AM on May 11, 2021 [5 favorites]


flabdablet, I would consider that going above and beyond, and I hope you got paid handsomely. Though I suspect you didn't.
posted by tigrrrlily at 10:22 AM on May 11, 2021 [5 favorites]


A friend told me his dad's bank does regular phishing tests and publishes the results of whoever failed. (Internally, he pointed out, as opposed to having a public list of the employees that are easiest to hack.)
posted by little onion at 10:41 AM on May 11, 2021 [2 favorites]


Oh, like the children's hospitals you've been doing up till now, cool cool

In this particular instance "The criminals responsible, Darkside, are a relative newcomer to ransomware, but have an intriguing “code of conduct.” They will not extort hospitals, funeral homes, non profits."

So while a lot of ransomware attackers have focused on critical systems such as hospitals in order to maximize their leverage, this particular group seems to be trying for a combination of "high reward, low risk of blowback".
posted by jedicus at 10:54 AM on May 11, 2021 [3 favorites]


Regarding email and phishing security: Many years ago I made the horrible mistake of choosing a very short and/or easily guessed email address.

And, sure, a lot of this has to do with the problems of how email works and how permissive it is.

On a weekly if not daily basis I receive not only any number of dozens or hundreds of phishing or scam emails that aren't just outright spam, but legitimate emails sent to the wrong person, ranging from the fairly innocuous if annoying Snapchat, Instagram or other social media account signups to the much less innocuous like brick and mortar or online shopping store receipts complete with names and shipping addresses, private emails including family photos and personal information, legal documents and more.

I have never, ever had a Facebook account but I could probably take control of dozens of Facebook accounts using my email to reset passwords.

In the case of some of these social media services I used to beg and plead to get them to blacklist my email from ever being used on their services to save everyone a lot of hassle and it's never, ever worked out like that. Snapchat is especially bad about this to the point that I've seriously considered filing for damages in a local small claims court and wringing some money out of them when they would likely entirely fail to appear or send a representative.

Lately I've taken to taking control of those accounts, resetting the password to a random string and then abandoning the accounts.

I have been unwittingly subscribed to at least a dozen youth team sports email lists where they're sending out player rosters complete with names, addresses and practice schedules. I have spent an enormous amount of time trying to reach out to the admins/coaches of these groups to tell them that they're sending out enormous amounts of personally identifying information about minors and their families, and more often than not after trying more polite contact I've had to resort to hitting the "reply all" button and publicly shaming the admin and entire group into action to remove me from their address books or email list. And even then, more than once after someone did remove my email address I ended up back on their list because someone hit reply all to a group email and I'm somehow added back to the group list, likely through email address auto-harvesting on the admin's email client or something.

And more than a few times I've been accused by dumbasses of being a hacker for being on their email list or group or something even though I'm trying to help them not leak information.

I have also straight up called people's phone numbers for repeat offenders that kept using my email address for things like pizza delivery restaurants and store receipts and the like. "Hi, is this Mr. Doe? You live at 123 Street? Stop using my email address. I know where you live and work."

I have also received an alarming amount of medical information.

I've also had many people try to take over my email account using password reset attempts like that's the solution to the fact that they entered the wrong email when signing up for something. Like, these were super obvious, easily identifiable attempts to steal my account where there would be a sign up email for something, then several attempts at a password reset or account access - immediately followed by someone trying to do a password reset or multiple resets on my email account. Often with corroborating geographic information.

Wait, there's more, and much worse.

I have had to deal with the fraud departments of major US banks at least a dozen times now when someone has signed up for a new account and even these major banks don't really seem to verify email account ownership. (Looking at you right now, US Bank! Get your shit together!)

I could have theoretically taken control of any number of these bank accounts and drained them. No, I've never bothered to even try logging in to these accounts because I'm allergic to prison, but also because I have very strong ethics and it's maybe the most valuable trait I have.

But these unsecured and errant emails are so pervasive that if I didn't have any ethics at all I could probably make a tidy sum of money and a criminal career by going rogue and just letting people hand me their personal information and control of any number of accounts.

Or if I was charging a very reasonable contract or consulting hourly rate for all of the time I've spent doing this in the last 10-15 years I could probably pay my rent for a year or more, maybe even have enough of a down payment for a small, affordable house.

It is FUCKING BONKERS to me how little anyone seems to care about it. I think I've been sincerely thanked about 3 times in hundreds/thousands of incidents I've reported. The number of times I've been thanked for doing the right thing is some small percentage of the number of times I've been chewed out by ignorant, defensive asshats or wrongly accused of hacking them and just trying to cause trouble.

Out of those several times I've been thanked for reporting the errant emails, one was someone's kind grandma sending an online gift card. Another was someone just trying to send an e-card to someone else in their family. Another was someone sending new baby pictures out to their family.

I think out of content or online providers on the server side of things I've been thanked exactly once for bringing it to their attention.

I can't help but wonder what someone with zero ethics would do in my situation, how many people have been scammed or had bank accounts compromised because no one seems to actually give a shit about computer security or doing the right thing.
posted by loquacious at 11:05 AM on May 11, 2021 [31 favorites]


Just in case anyone else runs into the ISA issue: legacy motherboards (nixsys.com)
posted by snuffleupagus at 11:14 AM on May 11, 2021 [11 favorites]


Big lines at the pumps here today
posted by thelonius at 11:17 AM on May 11, 2021 [6 favorites]


This convinces me that the government must shut crypto currency systems down unless they can be redesigned to be a lot less anonymous. Take away their payment network and these crimes become a lot less hard to get paid on.
posted by interogative mood at 11:18 AM on May 11, 2021 [4 favorites]


Aaaand just as I hit post on that last comment someone used my email for their IoT home security system. Joy.
posted by loquacious at 11:19 AM on May 11, 2021 [23 favorites]


@snuffleupagus

This is the link I didn't know I needed and wanted. Thank you.
posted by deadaluspark at 11:22 AM on May 11, 2021 [2 favorites]


Almost nothing makes me blink as much as looking over some network NMap output and seeing SGI Irix v5.x (or whatever version). "Oh yeah we have a special system and printer that does all the pharmacy labels for all the meds we ship - been here for longer than any of us.....". I mean not that getting labels on thousands of pill bottles could ever be critical. No one's packaging exploits for Irix since forever ago, but.....more blinking still follows...
posted by inflatablekiwi at 11:29 AM on May 11, 2021 [11 favorites]


snuffleupagus, those are crazy expensive prices for 20 year old boards. That said, if that’s what you need to run your shop, it’s a bargain at twice the price.

OTOH, it may just be kicking the can down the road. But, not my problem–I’ll be retired by then.
posted by MrGuilt at 11:32 AM on May 11, 2021 [4 favorites]


Exactly. For a while they weren't available at all, except as difficult to find surplus in uncertain condition.

But now it's long enough that they're a speciality product.
posted by snuffleupagus at 11:36 AM on May 11, 2021 [6 favorites]


After a year of successfully working from home, our company is making noises about having us work from home, at least part of the time, permanently. Fine. But there's been nothing about how that exactly is going to work. We're a medical device company. My wi-fi at home is whatever Xfinity gave me with my cable package five years ago. If you think Xfinity cares one iota about security, then I have a bridge to sell you.
posted by Melismata at 11:37 AM on May 11, 2021 [4 favorites]


If you think Xfinity cares one iota about security, then I have a bridge to sell you.

Thanks to lax security on the bridge ownership registry database, you may actually be able to do so.
posted by FishBike at 11:39 AM on May 11, 2021 [34 favorites]


This convinces me that the government must shut crypto currency systems down unless they can be redesigned to be a lot less anonymous. Take away their payment network and these crimes become a lot less hard to get paid on.

Have you wondered if the powers that be (in the form of money, oligarchs, banksters, etc) are actually publicly or secretly in favor of cryptocurrency precisely because it's a really handy way to launder, obfuscate and move large quantities of money?

Not to mention take part in wealth extraction by whales and major players taking part in the grand Ponzi scheme and using the unregulated industry to manipulate markets wholesale. (See: Tether and Bitfinex. Tether has been printing billions of fake BTC/USD to manipulate BTC specifically.)

Most of the cryptocurrency systems (especially Bitcoin/BTC itself) aren't anonymous at all. There's a whole industry that's developed around tracking and extracting information about transactions on the blockchain, including tracing "mixed" coins. Some of the major exchanges now block mixed coins of unknown provenance in what is likely a half-assed attempt to cover their own asses.

So it really comes down to an international crime and legal jurisdiction requirement and, as discussed in this thread, target selection by ransomware hackers. Finding lucrative targets too small to fight back or attract international law enforcement or direct state force.

I've said this in previous crypto-adjacent threads and topics but the concept and use of cryptocurrency isn't going anywhere any time soon.

For better and worse (mostly worse!) it's a very effective viral idea or - in the traditional Dawkins definition - social meme that is almost impossible to regulate or outright ban without breaking fundamental and structural parts of the internet, like the use of encryption as we know it.

Even more terrifying it's also very clearly compatible with capitalism and it's becoming increasingly clear the end result of cryptocurrency isn't really going to change the face of capitalism at all, but it's just more of the same horseshit but even worse.
posted by loquacious at 11:40 AM on May 11, 2021 [9 favorites]


The gang operates out of Russia. Surely FSB knows who they are. As long as they piss outside the tent they don't stop them. Are they state-sponsored? I'd argue yes. I suspect it's no accident that this happens as we are ramping up to confront Russia.

The apology is not meant to mollify any companies or Law Enforcement Agencies. It is a propaganda move to try and get the libertarian reddit idiots, tech bros and trumpists/American russian loyalists to downplay the seriousness of international incursions into critical, or even any, infrastructure.

I very strongly suspect the Biden admin is going to go extra hard after ransomware now. They were already escalating their pursuit from practically the moment they entered office. Particularly, Russian based ransomware.

The US is already cutting a lot of Russian dependencies like phasing out dependency on the Russian rocket program for ISS support. Biden also has experience of Russian intransigence from the Obama admin in Ukraine and Syria. Fair to say he isn't sexting with Putin late at night the way Trump might have been.
posted by srboisvert at 11:42 AM on May 11, 2021 [15 favorites]


My wi-fi at home is whatever Xfinity gave me with my cable package five years ago.

As of last year, cable companies are required to let you use your own router with their modem, and may not charge you rent for a company router you're not using. Should you want to swap it out for something (hopefully) less terrible.

Although having a company-managed router handling all of your home networking isn't great either.

It's possible to put a VPN endpoint behind an ISP router, and offer a second wifi network that will pass all of its traffic through the encrypted tunnel. (Separate the channels they're using.)
posted by snuffleupagus at 11:43 AM on May 11, 2021 [4 favorites]


In this particular instance "The criminals responsible, Darkside, are a relative newcomer to ransomware, but have an intriguing “code of conduct.” They will not extort hospitals, funeral homes, non profits."

If you're going to have a forest full of brigands anyway, they might as well be Robin Hood.
posted by mhoye at 12:05 PM on May 11, 2021 [2 favorites]


Main reason I went the virtual machine route instead of going in super hard on trying to resurrect the existing hardware was that doing so actually solves the hardware obsolescence and associated fragility issues while also tidily encysting the mouldy old software stack and any attendant vulnerabilities. Restart from Last Snapshot mitigates a multitude of security flaws.

And no, the payment wasn't particularly handsome, but there were a lot of otherwise obsolete skills involved in making it work that I hadn't had the opportunity to exercise for some while and that made it a very gratifying success.

In fact I've been in the lucky position of having made enough out of being a "proper" software developer to be free to spend about fifteen years solving a multitude of gnarly problems for people who really couldn't afford to pay more than a sub-McD's-trainee hourly for IT support. That was a really pleasant way to downshift into what's turning out to be an equally pleasant retirement. I have no complaints.
posted by flabdablet at 12:09 PM on May 11, 2021 [22 favorites]


I spent much of 2019 doing biz dev (govt contracts) for a relative’s cyber security consulting company while I looked into what it would take to get certified in CISSP. I went into it as an arrogant hand-wavy Mac user who suspected the entire cyber field was a racket. It took me maybe 6 months to realize just how screwed we all are when it comes to securing the United States infrastructure. Water, gas pipelines, electrical grid, 911 systems, literally everything mission critical we come into contact with on a daily basis is likely sort of secure to totally insecure. What most Americans don’t realize is that these ransomware attacks have been ongoing for years and don’t get any attention because most private companies just pay the attackers. The things I learned about state actors like Russia and North Korea scared me. To think that US Cyber Command is also pen testing other countries’ power grids, election systems and who knows what else tells me it’s just a matter of time before something big like a power grid gets taken offline here in the US in retaliation.

The most important thing I learned was it doesn’t matter how secure your network is when you ignore least privilege policies. CEO of the company gets pissed that he can’t access a folder on the network and reams IT. IT gives him access and it turns out his password was literally “password” and now you have ransomware on your network. I’ve heard so many stories and every one of them is terrifying when you start thinking about the worst-case scenarios.
posted by photoslob at 12:15 PM on May 11, 2021 [19 favorites]


though on further reflection I guess a fifty-years-obsolete hellscape of PLCs and rat's nest wiring upon which running a TCP/IP stack could never be more than an operator's fever dream and for which almost all the documentation has been eaten by cockroaches might plausibly count as airgapped.

A previous company was massively hacked and only stopped because a particularly vital machine was SO incredibly out of date the hackers couldn't get through it. We found the hackers' discussions online showing their enormous disbelief that we were running said system.. but we were grateful we (accidentally) were!
posted by some chick at 12:15 PM on May 11, 2021 [14 favorites]


so many stories and every one of them is terrifying when you start thinking about the worst-case scenarios

The one that really churned my guts was that whole business about JBIG2 compression being the "normal" setting in photocopy machines, making them randomly photocopy sixes as eights and vice versa. I'd never really thought of lossy image compression, in and of itself, as having any particular relevance to security or safety but fuck knows how much stuff has ended up built wrong because of that.
posted by flabdablet at 12:23 PM on May 11, 2021 [12 favorites]


I’m always fascinated by how LITTLE security everything seems to have once you scratch the surface. I have precious little knowledge of these types of things but man alive does it keep most iot things out of my house and inform a healthy triplicate backup system running...

Has there ever been a good faith argument or exploration that legalizing or decriminalizing phishing scams/and ransomware could just lead to better security naturally? Like, if your org falls for a scam and doesn’t have good security in place, tough shit?
posted by furnace.heart at 12:40 PM on May 11, 2021 [3 favorites]


Insurers refusing to cover repeated incidents without a sufficient hardening is probably the closest thing to that, and in my mind is enough.

It's useful as a thought experiment, but legalizing predation to get rid of the 'weaker' and unlucky members of the herd isn't actually security.
posted by snuffleupagus at 12:45 PM on May 11, 2021 [5 favorites]


Insurers refusing to cover repeated incidents without a sufficient hardening

That’s an interesting idea; I was honestly unaware that an insurance company would cover this kind of situation at all (and especially without known hardening against such an attack).
posted by furnace.heart at 12:47 PM on May 11, 2021 [1 favorite]


If you think Xfinity cares one iota about security, then I have a bridge to sell you.

Xfinity might not care, but I haven't forgotten that infamous June morning when their predecessor in these parts--MediaOne--suspended our service because fourteen-year-old-me had been running an open (and unlicensed, natch!) WinGate. The day began with a cablemodem that wasn't completing block/sync (which in those days took a couple minutes) and what started as an innocent call to tech support took a dramatic turn when they decided to escalate the ticket to a specialist immediately after reviewing our file...

The higher tier tech support person was very stern (my parents were warned about permanent suspensions if this ever happened again) but accommodating (they explained how to unbind the proxies from the external interfaces). And after 24 hours the connection was back up, but I felt wrecked for weeks. I think this was the moment when teenage cyberpunk script kiddie me died. I stopped fantasizing about hackers and hanging out on IRC for hours griefing channels I thought had it coming to them. I started looking into this 'Linux' thing and its support for something called 'IP Masquerade' as a legit replacement for the parade of (illicitly obtained) Windows-based proxy servers I had been using since starting on dialup. It's weird to think how different I ended up because at the time my ISP actually cared about enforcing security....
posted by RonButNotStupid at 12:51 PM on May 11, 2021 [13 favorites]


I was honestly unaware that an insurance company would cover this kind of situation at all

even my tiny professional liability policy (I'm a one person operation) has built in some "cyber-risk" or "data breach" coverage as of the last few years. Or, here's Berkshire's offering at the other end of the spectrum.

But, yeah, they're not going to pay out as easily a second time.

(Also, hearthpig's comment above).
posted by snuffleupagus at 12:51 PM on May 11, 2021 [2 favorites]


Or even pay out first time.
posted by inflatablekiwi at 12:54 PM on May 11, 2021 [4 favorites]


I don't think this event is getting the press it should. We are ill-prepared/ protected. Is there Net Security funding in the Biden Plans?
posted by theora55 at 1:06 PM on May 11, 2021 [4 favorites]


I’m always fascinated by how LITTLE security everything seems to have once you scratch the surface.

This mirrors physical security. Most physical security is "exploitable" by any miscreant who just doesn't give a fuck armed with a rock.
posted by Mitheral at 1:11 PM on May 11, 2021 [13 favorites]


It's possible to put a VPN endpoint behind an ISP router, and offer a second wifi network that will pass all of its traffic through the encrypted tunnel. (Separate the channels they're using.)

This. My work laptop is managed by unseen admins whom I've never met and its exposure surface includes an entire outside network which I don't control care of the company VPN. For all intents and purposes it's a hostile device and so it gets its own completely separate VLAN and wifi network.

I'm surprised there hasn't been more of an effort to educate people on using any available 'Guest Network' features on their internet routers when they connect with their work laptops.
posted by RonButNotStupid at 1:17 PM on May 11, 2021 [6 favorites]


they might as well be Robin Hood

It's a pretty thin definition of "Robin Hood". For those who know their Ian Dury, some words might come to mind:

"Hello Mrs Wood, this boy looks familiar,
they used to call him Robin Hood..."
posted by howfar at 1:47 PM on May 11, 2021 [1 favorite]


Every little thing gets the galleries shouting for "MOAR SECURITAH".
It's another scam on top of scams.
This situation: the ransomware took over some office PCs. These machines do NOT have access to the controls to the pipeline equipment (though, per the grauniad article, pull data from them). The company made the call and shut down the equipment themselves. As noted, this has the "unintended consequence" of raising prices, benefiting the company. Oopsie!

MOAR SECURITAH always leads to more funding for cops, guards, private militias, etc. under R or D administrations. Do you think Tough Guy Biden will do differently when pressured by the bosses? He'll don his aviators, puff out his chest, and strut around just like W did.

I see kids on Reddit and people here and elsewhere speculating about "state sponsorship". 'OMG SCADA attacks are so hard ONLY a state-sponsored actor would bother to try' they say.
If only it were true. I don't know much about SCADA (industrial controls) nor CANBUS (automotive and other machines) myself, but from watching vids from HOPE conf I understand they are pretty trivially exploitable, and hence usually airgapped.

This ransomware attack is most likely an attack of opportunity, like most of its ilk. It's relatively rare for ransomware attacks to be targeted to a particular org. I have not seen any evidence that this one was, nor any information about the initial infection vector.
posted by Rev. Irreverent Revenant at 2:01 PM on May 11, 2021 [3 favorites]


"We are apolitical, we do not participate in geopolitics"

Well then fuck you. Fucking participate you greedy little shits.
posted by howfar at 2:27 PM on May 11, 2021 [3 favorites]


Since no one else has said it, I will: people that fuck with stuff on the internet that isn’t theirs should be sequestered deep beneath the earth in sealed chambers. Regardless of why. Also, there should be zero tolerance for ISPs hosting Pirate Bay type stuff. Like, how can we not shut this shit down? Waah waah I want to be a rebel, waah waah I can’t get corporate media for free. You needed to ransomware my 88 year old dad because you can’t find a job? TOUGH SHIT.

How do we know so much about this particular group but have no way of stopping them?
posted by freecellwizard at 3:25 PM on May 11, 2021 [2 favorites]


Ah, yes, all people who have watched an unlicensed upload on Youtube are exactly equal to ransomware attackers.

That'll definitely get you what you want, and doesn't just make reasonable people double down against the actually-workable parts of your request.
posted by sagc at 3:32 PM on May 11, 2021 [12 favorites]


I’m just saying that there doesn’t seem to be much discussion about this group being bad and needing to have massive resources thrown at finding them and taking them down. Like basically, it’s a tough world *shrug*

Of course companies need better security - I work in IT. But it seems that’s victim blaming. Their systems got hacked, but look how they were dressed! And yes I absolutely think that applies to state actors. I’m in the US and I don’t think we have any business probing North Korea’s computer systems. Sorry for the DRM derail ... I grew up before YouTube so my default setting is still “of course I haven’t seen the new episode. It’s not out yet and/or I can’t afford Disney+.” I’m aware that society has collectively decided that’s not a big deal. I was thinking more about the overlap in dark web content (maybe it’s not much) between people just wanting stuff for free, or to trade illegal stuff, and providing a mechanism for worse stuff like this.
posted by freecellwizard at 3:42 PM on May 11, 2021


I’m just saying that there doesn’t seem to be much discussion about this group being bad and needing to have massive resources thrown at finding them and taking them down.

You do know that US justice system organizations have limited power or effectiveness outside of the US, and in particular, in foreign countries with which the US has a somewhat hostile political relationship such as Russia, right?
posted by eviemath at 4:12 PM on May 11, 2021 [5 favorites]


How do we know so much about this particular group but have no way of stopping them?

Not to derail, but it occurs to me that you could legitimately ask the same question about the Taliban, al-Q, ISIL etc. 20 years since the start of Afghan war this year, and something around maybe two trillion dollars spent. Yet 85+ people - mostly young school girls - were killed in just one bomb blast this past week, and no one seems very confident that the Taliban won’t just roll into power as soon as the US departs. It’s the same asymmetric problem in cybersecurity - the cyber threat gets to pick and choose their target from the universe of all targets and wait out the defender in between - and it would take an incredible amount of time, money, and effort to resolve - with no guarantee of success (or even an end).

Genuinely hard problems with few really good solutions that have enough support to work, and a bunch of asshole threat actors with the motivation to adapt and find the cracks.
posted by inflatablekiwi at 4:17 PM on May 11, 2021 [9 favorites]


Mmmmno, I'm pretty sure equating the call for better security to rape apologia is not the way I would have gone with this.
posted by tigrrrlily at 4:25 PM on May 11, 2021 [12 favorites]


Yeah, the thing I forgot to add is that now the emails are getting more convincing but my coworkers have figured out that the phishing tests have extra headers in them, like "X-PHISHING-TEST: 123456578".

How did my password end up as the value of that header?
posted by ryoshu at 5:12 PM on May 11, 2021 [9 favorites]


What password? I just see asterisks. Try typing it in again.
posted by pompomtom at 5:22 PM on May 11, 2021 [16 favorites]


The criminals responsible, Darkside, are a relative newcomer to ransomware, but have an intriguing “code of conduct.” They will not extort hospitals, funeral homes, non profits.
What is the consequence? Every one we capture says he's an orphan. The last three ships we took proved to be manned entirely by orphans, and so we had to let them go. One would think that Great Britain's mercantile navy was recruited solely from her orphan asylums — which we know is not the case.
posted by DanSachs at 7:49 PM on May 11, 2021 [7 favorites]


I can't fathom what motivation an actual criminal cyber extortion gang would have for making apologies or claiming a "code of conduct." It's waaaaaay beyond naive to suppose that such PR would alter the way powerful adversaries might react.

It makes more sense in the context of propaganda, firehose-of-falsehood style.
posted by Western Infidels at 7:03 AM on May 12, 2021


It makes perfect sense when you understand the business model, which is to extract ransom payments from insurers without upsetting the authorities enough to give the least bit of a shit.
posted by wierdo at 7:58 AM on May 12, 2021 [3 favorites]


I was idly wondering if any large, critical-infrastructure-type firms in Russia have been victims of this group, but was not terribly surprised to find that the answer was "no."
posted by jquinby at 8:06 AM on May 12, 2021 [3 favorites]


Mmmmno, I'm pretty sure equating the call for better security to rape apologia is not the way I would have gone with this

Fair point. Yeesh, once you go down the derail road it's hard to get back. The reality is we live in a bad world where bad things happen and wishing for one where there were no malevolent hackers or ransomware gangs is not gonna happen. It's especially depressing that the nation-states who should be working together to combat this are actively doing it too (maybe even this case).

More relevant question: How will it be possible to have a smart grid and post-fossil fuel distributed infrastructure with cyberattacks so prevalent, and no agreed standards or accountability around security? For example, I would absolutely not want solar panels and some in-house energy optimization system if it was controlled by an internet phone app or sent a bunch of data to some central place. Are there solutions to this being discussed?
posted by freecellwizard at 9:41 AM on May 12, 2021


I would absolutely not want solar panels and some in-house energy optimization system if it was controlled by an internet phone app or sent a bunch of data to some central place.

My house already has a smart meter that sends half-hourly grid consumption and panel export data to my electricity network operator, who then passes it along to my excellent electricity retailer (one I strongly recommend, if you're in Australia), who makes a phone app available so I can monitor it too. I have no problem with any of that. If my retailer couldn't see my energy consumption they wouldn't know what to bill me for and I don't mind at all if they're looking at that every half hour instead of whenever they can be bothered to send around the little man in the van.

Something inside my house that pulls a live feed of current and predicted spot prices and makes local decisions about what to turn on and off and when, according to policy that I've set via some interface exposed only on my LAN? I'd be completely fine with that.

What I would not want is any Internet of Shit device controllable from outside my house that could make decisions about what appliances get access to juice inside it. A black hat with access to that would be a pain in the arse, even assuming that the device didn't have the customary array of horrible IoT security flaws to facilitate exploits against the rest of my LAN.

If I wanted that kind of functionality - for example, to be able to crank the heating early so it was all nice and toasty by the time I got home - I'd be doing it with a Raspberry Pi whose only exposure to traffic from outside was via passwordless (i.e. key-only) ssh on a nonstandard high-numbered TCP port.

The high-numbered port trick is a layer of cheap and nasty security-by-obscurity that actually helps way more than it has any right to; for years it's been keeping my network logs far less cluttered with incoming probes than I've ever seen at sites that expose ssh on port 22.
posted by flabdablet at 11:03 AM on May 12, 2021 [1 favorite]
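As an added example (not code from the commenter), here is the kind of small triage script that quantifies the log "clutter" described above and checks that a key-only host really is key-only: it parses OpenSSH sshd auth log lines, counts failed attempts per source and per targeted username, and flags any accepted password login as a policy violation. The log lines are constructed samples in sshd's usual syslog format.

```python
"""Triage OpenSSH auth log lines for probe noise and key-only policy.

Added example, not code from the thread. SAMPLE_LOG is a constructed
sample in the message format sshd emits via syslog; the IPs are
documentation ranges and the key fingerprint is a placeholder.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_LOG = """\
May 12 10:01:02 pi sshd[1201]: Invalid user admin from 203.0.113.5 port 51234
May 12 10:01:02 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 12 10:01:05 pi sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
May 12 10:01:09 pi sshd[1205]: Failed password for root from 198.51.100.9 port 44010 ssh2
May 12 10:02:11 pi sshd[1210]: Accepted publickey for pi from 192.0.2.10 port 58822 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
May 12 10:03:30 pi sshd[1215]: Failed password for invalid user oracle from 203.0.113.5 port 51302 ssh2
May 12 10:04:00 pi sshd[1220]: Accepted password for pi from 198.51.100.9 port 44100 ssh2
"""

# sshd logs "Invalid user X" and then "Failed password for invalid user X"
# for the same attempt, so only the "Failed ..." line is counted here to
# avoid double counting. The "port" in these lines is the client's source
# port, not the listening port.
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass
class Triage:
    failed_by_src: Counter = field(default_factory=Counter)
    failed_by_user: Counter = field(default_factory=Counter)
    # (auth method, user, source address) for every successful login
    accepted: list = field(default_factory=list)


def triage(log_text: str) -> Triage:
    """Parse sshd log lines and aggregate failures and successes."""
    result = Triage()
    for line in log_text.splitlines():
        failed = FAILED_RE.search(line)
        if failed:
            result.failed_by_src[failed["src"]] += 1
            result.failed_by_user[failed["user"]] += 1
            continue
        accepted = ACCEPTED_RE.search(line)
        if accepted:
            result.accepted.append(
                (accepted["method"], accepted["user"], accepted["src"])
            )
    return result


def policy_violations(t: Triage) -> list:
    """Logins that used anything other than a public key.

    On a host meant to be key-only (PasswordAuthentication no), any entry
    here means the configuration is not what the operator believes it is.
    """
    return [entry for entry in t.accepted if entry[0] != "publickey"]


def brute_force_sources(t: Triage, threshold: int = 3) -> list:
    """Sources with at least `threshold` failed attempts, sorted."""
    return sorted(src for src, n in t.failed_by_src.items() if n >= threshold)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("failed attempts by source:", dict(report.failed_by_src))
    print("failed attempts by username:", dict(report.failed_by_user))
    print("noisy sources:", brute_force_sources(report))
    print("key-only policy violations:", policy_violations(report))
```

Run against `/var/log/auth.log` (or `journalctl -u ssh`) output on two hosts, one on port 22 and one on a high port, and the difference in failed-attempt volume the commenter describes becomes a number rather than an impression.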


How will it be possible to have a smart grid and post-fossil fuel distributed infrastructure with cyberattacks so prevalent, and no agreed standards or accountability around security?

My guess is it'll probably come down to best efforts and occasionally failing, and more globally through implementation of practices for cybersecurity and requirements under large customs/trade and associated regulatory programs (e.g. at some hypothetical point in time if you want to sell your smart home / IOT systems into the EU, then you may need to meet certain minimum cyber safeguards, guarantee to provide security updates for X period of time after sale, meet certain standards for cloud services supporting the products, follow guidelines for supply chain security in your products etc.) Not informed enough to know how much of that is planned/in-place already - and how much is voluntary / leading practices versus mandatory now or in the future, but someone else here may be.

There are standards orgs and testing bodies that are establishing programs for qualifying smart / IOT / products etc. An example would be the Underwriters Laboratory 2900 series of cybersecurity standards - with a random example of a certified IOT device, and various industries are more regulated (like FDA requirements for medical devices, NERC CIP for Critical power grid infrastructure etc.) and have standards (country by country, industry by industry so it's patchy). Not that a certification or a standard guarantees a system/device is secure - just that it has controls around its lifecycle that enable cybersecurity and have met a certain set of minimums.....a zero day exploit/misconfiguration/poor cyber-hygiene etc. can still happen and give you a bad day.
posted by inflatablekiwi at 11:26 AM on May 12, 2021 [1 favorite]


The high-numbered port trick is a layer of cheap and nasty security-by-obscurity that actually helps way more than it has any right to; for years it's been keeping my network logs far less cluttered with incoming probes than I've ever seen at sites that expose ssh on port 22.

Fire up a Cowrie instance and wait about...uh...10 minutes. It's a laugh-riot. I do the high-weird port/ssh key trick as well (along with an instance of PiVPN). Works a treat.
posted by jquinby at 11:36 AM on May 12, 2021 [3 favorites]


So are we literally at the point in this story where entire East Coast states are starting to run out of gasoline and the pipeline owner can turn on the spigot but won't because that would mean they couldn't bill properly for it? Talk about an invisible hand.
posted by gwint at 12:36 PM on May 12, 2021 [3 favorites]


Yeah, it feels a bit like the power plants in Texas that refused to go online because the spot price of nat gas was wild. The system is collapsing, but at a local level these decisions are working as intended.
posted by ryanrs at 12:51 PM on May 12, 2021 [3 favorites]


It's more stupid than that, even. Fax machines and paper records, requested from the consignor and/or the recipient if necessary, could solve the billing problem immediately. Surely they still have a few people working there who remember how they did business before the EDI systems were in place?
posted by wierdo at 1:37 PM on May 12, 2021 [2 favorites]


Most physical security is "exploitable" by any miscreant who just doesn't give a fuck armed with a rock.

But the metaphor doesn't stretch very far - a physical person still has to enter a physical space for us to consider the security exploited rather than just vandalized.

Conversely, almost anyone can smash a window with a rock, and the percentage of the population who can actually even perform basic no-hacking-needed phishing exploits is comparably much smaller; the number of groups who can pull off something like the Colonial hack, while still far too large, is small enough that IIRC people already suspected who it was before anyone took credit.
posted by aspersioncast at 2:27 PM on May 12, 2021


Colonial Pipeline Begins to Restart Flow of Fuel

The company that operates the pipeline said it will take several days before the supply of energy returns to normal.
posted by They sucked his brains out! at 2:49 PM on May 12, 2021 [2 favorites]


I hadn't appreciated that the fuels travel 3-5 mph in the pipelines - and just how long it will take once the fuel enters the pipeline to get where it needs to go. In my head it's all gasoline and just sloshed along like water with the aid of pumping stations every so often - but hadn't been thinking the oil moves at basically walking speed.
There are actually two pipelines, one 40 inches in diameter for gasoline, another 36 inches for jet fuel, diesel fuel, kerosene and home heating oil, which are similar products.

The fuels flow at 3-5 mph. A barrel of oil drawn into the pipeline in Houston reaches New Jersey 15-20 days later. 100 million gallons of petroleum products are delivered on a typical day. Currently, nothing is flowing.
posted by inflatablekiwi at 3:22 PM on May 12, 2021 [6 favorites]


Here's a simplified version of pipeline finances to show you why pipeline security is not going to get fixed.

Pipelines make money by moving volumes of product from point A to point B. Since they're like a monopoly, they're regulated, i.e., the prices they can charge are set by some government entity. Those rates come about by the pipeline saying to the entity "here's how much it costs us to operate, this is a reasonable profit, so we want to charge X", and that entity either agreeing to X or saying no, you can charge Y, where Y is less than X.

The only real way to grow your income is to put more pipe in the ground.

Pipelines go in the ground via the company getting loans and then paying off those loans. Pipeline stocks generally pay dividends, and that's what drives stock value. If you pay your dividends, your stock doesn't go down and thus you have better collateral for loans, and thus you get those loans at lower interest rates. Paying dividends is the absolute driver. Don't make dividends and everything collapses. This is why there were massive layoffs last year, it's better business to make a paper profit and still pay dividends than to pay for staff and not make dividends.

So 20-50 years ago when the pipes went into the ground there was no consideration for cybersecurity and so the pricing was based on a more primitive cost model. And now no pipeline wants to go to the regulators and say "we need a rate increase because our security is shit and we want to improve it". The only way this happens is if there's an edict from DHS or DOT in which case they can go "we got this requirement that we didn't plan for and it's gonna cost us to meet that so pay up". So far all the things coming out have been "recommendations" and "advisories", which don't have sufficient clout. Things have literally gone boom at one pipeline, everyone else gets a report on "here's what happened there and here's how to prevent it on your systems", but if the cost to do that is too high and there's no regulatory requirement nothing gets done and everyone just hopes they won't be the next to make the papers.
posted by Runes at 3:59 PM on May 12, 2021 [10 favorites]


The fuels flow at 3-5 mph. A barrel of oil drawn into the pipeline in Houston reaches New Jersey 15-20 days later. 100 million gallons of petroleum products are delivered on a typical day. Currently, nothing is flowing.

Yes, but it's not like a train where the physical product delivered in NJ is the exact same product put in in Houston. In a functioning system, if you put in an order for a barrel of oil today you don't have to wait 15-20 days to take delivery, you get it pretty much immediately. What's most likely happened is that all the storage tanks are empty and need to be filled up again to provide that elasticity.
posted by Runes at 4:24 PM on May 12, 2021 [3 favorites]


In my head it's all gasoline and just sloshed along like water with the aid of pumping stations every so often - but hadn't been thinking the oil moves at basically walking speed.

Yup. Crude oil is a comparable consistency to hot fudge, and flows accordingly. The refined products (gasoline, kerosene, etc) are much less dense and could flow in the way you’re imagining if the pipes were at a high pressure - but there are a variety of reasons you don’t want those pipelines operating at high pressures. For example, imagine high pressure jet fuel spewing out of a leak...
posted by nickmark at 4:30 PM on May 12, 2021 [3 favorites]


Sometimes I wish I hadn't lost that desk ornament from a pipeline company I used to have with a bit of their billionth barrel shipped locked inside. It always served as a good reminder of how running the things isn't quite as easy as it seems. There are some pretty obvious (and not so obvious) physical challenges, but the financial and legal arrangements are completely bizarre, even leaving aside the regulatory situation.
posted by wierdo at 6:26 PM on May 12, 2021 [2 favorites]


Looks like they paid up:

Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom
posted by jquinby at 8:56 AM on May 13, 2021 [1 favorite]


I guess they'll have to fire some more people to meet their dividends?
posted by seanmpuckett at 9:24 AM on May 13, 2021


More fun ransomware insanity - apparently Darkside used to have servers in Iran, but had to publicly renounce that because the firms that negotiate ransomware payments could no longer do business with them without violating US sanctions law. "It is probable that a portion of the proceeds from any prospective ransom payment to DarkSide would be used to pay services providers within Iran. Accordingly, we have placed DarkSide on our restricted list," Coveware CEO Bill Siegel told BleepingComputer.

Crimes, sure. Just not those crimes.
posted by true at 1:01 PM on May 13, 2021 [3 favorites]


DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

More action, more quickly than I expected - but good to see. Of course a lot of other threat actors out there, and the barriers to restarting are low (assuming not currently being dragged into the back of an unmarked van somewhere....)
posted by inflatablekiwi at 11:48 AM on May 14, 2021 [2 favorites]


Is there a lot of reason to believe that's true? I mean, I can believe they are closing up shop to reappear under a different name, to make themselves a less obvious target, but I suspect the bits about "definitely, we lost all the money" might well just be lies for PR.
posted by tavella at 6:58 PM on May 14, 2021 [1 favorite]


DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

A comment posted on that article is pretty insightful:
Sounds like DarkSide learned what dictators and cybercriminals alike have known for decades:
Want to shut down international logistics and shipping? Ok. Kill people by shutting down hospitals? The FBI will get around to investigating it. Commit some war crimes here and there? Maybe a condemnation and some sanctions.
Fuck with America’s oil? Get ready to learn about American liberty. And by liberty, I mean you’re going to be liberated from everything you hold dear.
posted by darkstar at 11:40 PM on May 14, 2021 [5 favorites]


Bitcoin stash seized...
From the quote in the article it sounds like someone's idea of 'vengeance' was meted out. Smart on the part of the vengeance-takers; demonstrating 'this is what happens when you mess with our oil/resource: we will end your on-line existence' should be a strong deterrent to copy-cats.

Or DarkSide (why not DarkCyde? oh, right already taken) are covering their butts and slinking off into the murky. Also smart.

The 'real' story will no doubt be much less cut and dried but likely interesting as hell - gov't response or private? Excessive, very excessive or well apportioned?
posted by From Bklyn at 2:29 AM on May 15, 2021


Nice to have a little piece of my worldview confirmed by learning that Ransomware-as-a-Service has failure modes almost identical to those of Security-as-a-Service.

I also think it's completely fucking hilarious that a criminal conspiracy apparently expects its customers to abide by a Terms of Service agreement.
posted by flabdablet at 10:03 AM on May 15, 2021


this is what happens when you mess with our oil/resource: we will end your on-line existence

What evidence do we have to support the hypothesis that whatever took down Darkside was not itself another criminal enterprise? I would have thought "this is what happens when your ego trumps your opsec and you blab about holding huge amounts of ill-gotten cryptocurrency" was a reasonable take-away as well.
posted by flabdablet at 10:13 AM on May 15, 2021 [2 favorites]


gov't response

another criminal enterprise

Why not both?
posted by snuffleupagus at 7:46 PM on May 17, 2021 [3 favorites]


Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom

Rounding error, given the number of over-class people who had to pay attention for a few hours.
posted by pompomtom at 8:09 AM on May 19, 2021


Five months before DarkSide attacked the Colonial pipeline, two researchers discovered a way to rescue its ransomware victims. Then an antivirus company’s announcement alerted the hackers. -- The Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms (Pro Publica, May 24, 2021) [...] Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.” DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks.

posted by Iris Gambol at 11:55 AM on May 25, 2021 [1 favorite]

