A Modest Proposal About Ransomware
July 15, 2021 10:36 AM

Digital preservationist David Rosenthal suggests that the U.S. government has been slacking in its response to ransomware and should take more active measures.
The fundamental problem is that neither the software vendors nor the insurers nor their customers are taking security seriously enough because it isn't a big enough crisis yet. The solution? Take control of the crisis and make it big enough that security gets taken seriously.
posted by metaquarry (48 comments total) 18 users marked this as a favorite
 
So he wants the U.S. government to ransom U.S. companies, if they don't patch? That's a positively Swiftian level of satire...I hope.

One notion I have heard is for insurance companies to drop cybersecurity policies (which I have heard will be happening), and for there to be penalties from sources like SEC or something -- because companies only ever, ever act when there is an existential financial threat.
posted by wenestvedt at 10:49 AM on July 15, 2021 [8 favorites]


IOT suicide pact. We took fully operable medical and infrastructure systems and some salesman razzle-dazzled us into cutting employees and connecting critical equipment online.

The internet is a superhighway, would you connect your open wound to a superhighway?

Part of security is better software, support, chains of custody/trust and training, but part of security is not putting so many important eggs into a basket marked " please don't stomp these eggs they are worth a lot of money to us" then putting that basket on the side of a highway.
posted by anecdotal_grand_theory at 10:52 AM on July 15, 2021 [32 favorites]


Bold of Mr. Rosenthal to assume that the U.S. doesn't have a vested interest in letting sleeping dogs lie cough NSA cough
posted by The Ardship of Cambry at 10:59 AM on July 15, 2021 [4 favorites]


the gangs write their software to avoid encrypting systems that have default languages from the former USSR.

my modest proposal is to just force all hospitals to operate in Russian
posted by BungaDunga at 10:59 AM on July 15, 2021 [7 favorites]


As much as I am against government interference in free markets and as much as I do not trust the government with technology solutions (backdoors!), this is an interesting suggestion. I am not sure we can trust the government hackers to be benevolent/white hat (pretty sure we cannot) but what is an alternative solution besides trusting companies to act in their own best financial interest? It is proven that greed will exceed spending. This even comes down to a C-level compensation issue. Are bonuses tied to profits in the short run?

While reading the previous comments and writing the above it occurred to me that one alternative solution is to have CEOs sign off on some level of assurance that their systems have been tested and are up to date on all patches, like how a CEO has to sign off on compliance issues for the SEC. The CEO has personal liability if they sign off and the work was not done. When I worked briefly in compliance at a large broker-dealer, the CEO was motivated by fear of being sued and fear of losing bonuses. It was the only operating detail I ever saw him get involved in. wenestvedt is on the right track.
posted by AugustWest at 11:18 AM on July 15, 2021 [6 favorites]


It is interesting that the networks/servers/workstations' operating systems that ransomware hits aren't somehow involved for this liability. I mean, is it the OS or the browser or the whatever that allowed the intrusion? That would make assigning culpability in a legal sense difficult. But I am surprised some affected party, or their insurance company, hasn't raised claims/issues/lawsuits about this.
posted by Windopaene at 11:29 AM on July 15, 2021


There's a long history of "ethical hackers should attack systems using the same exploits the bad guys use" proposals. The general answer is "no, that would cause more problems than it would solve" but I'm not so convinced. Rosenthal's proposal is perhaps a bit aggressive but you could imagine a gentler form of detection and notification.

Personally I'm a fan of just breaking the fingers of anyone caught running a malware operation. Make sure they can never program again. Might have to remove their tongue too, speech recognition is getting pretty good these days.

I also propose, as a more practical solution, that someone try to turn whatever the DNC did to protect themselves after 2016 into a method. Would require documentation first, a book. But as we know part of why the Democrats lost the 2016 presidential election is that foreign intelligence services hacked DNC computers to help Trump. Afterwards the DNC got serious about security, hired a real expert, and cleaned up house. It seems to have worked or at least the DNC looks a lot more secure now than it has been. The remarkable thing is they had to do this across a lot of different organizations and IT systems, it's not like one sysadmin controls all the assets used by the Democratic party.

cough NSA cough

Your occasional reminder that for the past few years, a lot of malware has been based on software from the NSA. Your tax dollars at work! Well, working for Russian extortionists.
posted by Nelson at 11:34 AM on July 15, 2021 [7 favorites]


I like the idea of greater personal accountability for senior management in a Sarbanes-Oxley-like scenario.

I also think there's room for an escalating series of health department like inspections of system security -- warnings followed by escalating fines followed by disallowing a business from continuing to operate under the current management if they will not or cannot comply. I'm not sure any step along that path looks like *actually* executing a ransomware style encryption of their data, but there are regulatory models for ensuring ongoing compliance that could and should be exercised in this sphere.
posted by jacquilynne at 11:46 AM on July 15, 2021 [1 favorite]


That's a positively Swiftian level of satire...I hope

Given that he references "A Modest Proposal" in the article, I think we can assume it's satire.
posted by It's Never Lurgi at 12:07 PM on July 15, 2021 [2 favorites]


On this week's Risky Business infosec podcast, this came up yet again. It's episode # 630, titled "We tried the carrot, it's time for the stick."

One thing that Adam Boileau suggested was a two-fold approach: first, software publishers should create a manifest of all the third-party software that their products incorporate, which can be scanned for known-vulnerable libraries. (*cough* Java deserialization *cough*)

The second thing was for the U.S. government to require that software have been set up in a testbed and actively scanned, before it can be bought. The lack of realistic environments for white hats to use as scanning targets is a big impediment to doing credible tests.

It won't solve everything, of course, but this combination of "prove you're clean" at purchase time, coupled with SEC penalties for companies who don't keep themselves patched & tightly-configured, could go a looooong way.
posted by wenestvedt at 12:08 PM on July 15, 2021 [2 favorites]


Disallow ransom payments as a deductible business expense and the problem would get fixed very quickly.
posted by BrotherCaine at 12:19 PM on July 15, 2021 [33 favorites]


I wonder if forcing public utilities, hospitals to maintain a mirror of their actual systems, but not hooked up to anything dangerous or containing personal information that people are encouraged to attack and find weaknesses in?

That or, for a certain class of utilities simply mandate that they must a) be air-gapped and b) software vendors ARE liable for errors in security.

I mean, when I was at Chalk River the nuclear reactor was still running 1970s era computers and code, since they were VERY sure that by now they'd found all the bugs and it did what it needed to, and it had been gone over line by line and checked multiple times. Why the heck are we not treating the rest of our critical infrastructure like that? No internet access, minimal program that does only exactly what it needs to do, and you hire a CS department to go over the code line by line and verify it does exactly what the documentation says (McMaster's CS department was hired to do this for a nuclear reactor once according to one of my profs when I was there).

Yes, this would make things a lot more difficult for critical infrastructure, but it is freaking critical. It is right in the *name*.
posted by Canageek at 12:19 PM on July 15, 2021 [8 favorites]


Hospital IT is terrrrrible on its own, but it still has to be tied into so many third parties: insurance companies, medical transcriptionists, billing companies, the doctors' practices, etc., etc. (To say nothing of the jillion wifi devices brought in by patients, or the Windows XP-era diagnostic devices!)

An air-gapped hospital system would be great, but it simply couldn't work for very long. :7(
posted by wenestvedt at 12:24 PM on July 15, 2021 [5 favorites]


Every time I go to a doctor, they tell me to sign up for MyChart, and every time, I take the time to explain why such a thing is an absolutely horrible idea and they couldn't pay me to sign up for it.

Literally none of them give one shit.
posted by deadaluspark at 12:35 PM on July 15, 2021 [7 favorites]


Information security is a solved problem in computer science. We figured it all out back in the punch card days. Take the ATM network for example. The problem isn't that the machines are vulnerable, the problem is that Bob can write his PIN on the damn card.
posted by adept256 at 12:58 PM on July 15, 2021 [2 favorites]


Inter-hospital communications still run on fax machine protocols. So at least they're fax-gapped.
posted by RobotVoodooPower at 1:01 PM on July 15, 2021 [6 favorites]


So at least they're fax-gapped.

I know this was a joke, but... fax machines use literally zero encryption, anyone intercepting the communication can see everything sent.
posted by deadaluspark at 1:02 PM on July 15, 2021 [3 favorites]


Oh boy. Imagine another Trumpian demagogue using the ability to take down a company by encrypting their data and shutting down operations for a "compliance" issue. I'm down with security audits, financial penalties for being negligent with users data etc.. but letting the government encrypt/alter your resting data without your permission.. get out of here.
posted by pleem at 1:13 PM on July 15, 2021 [6 favorites]


but letting the government encrypt/alter your resting data without your permission.. get out of here.

It doesn't even have to be malicious, there can be all kinds of honest mistakes made that lead to this. What if they send the attack to the wrong set of IP's? Off by a single bit?
posted by deadaluspark at 1:16 PM on July 15, 2021 [2 favorites]


Disallow ransom payments as a deductible business expense and the problem would get fixed very quickly.

Outlawing use of cryptoscrip may help limit its application for underwriting crime, along with limiting the ecological damage. It won't eliminate the problem, but if criminals can't be paid as easily as they can now, it will make that form of crime less attractive.
posted by They sucked his brains out! at 1:33 PM on July 15, 2021 [7 favorites]


Bold of Mr. Rosenthal to assume that the U.S. doesn't have a vested interest in letting sleeping dogs lie cough NSA cough


I thought he laid into the NSA pretty hard.
posted by mr_roboto at 1:34 PM on July 15, 2021


I wonder if forcing public utilities, hospitals to maintain a mirror of their actual systems, but not hooked up to anything dangerous or containing personal information that people are encouraged to attack and find weaknesses in?

But in hospitals, personal information is all of the important information.

Hospitals do have backups, but what are you going to do when someone has come along and wiped the physical hard drive of every PC in the building? There is, I suppose, a world in which every PC in the building is a thin client, and you have a series of generational hot backups of the EHR server that you can just swap out if the current one gets disabled. But then the ransomware will go after other network infrastructure like routers and use them to cripple the thin clients instead. There's no foolproof option other than going Battlestar Galactica.

Literally none of them give one shit.

The HITECH act incentivizes providers to demonstrate "meaningful use" of electronic health record systems, and one way to do that is to show how many people are using a patient portal, and so providers want to sign up every single one of their patients for MyChart or equivalent that they can.
posted by BungaDunga at 2:01 PM on July 15, 2021 [3 favorites]


@deadaluspark: Regarding MyChart and other ‘patient portals’ - if refusing to sign up makes you feel good, more power to you. But the information is already on the hospital’s database backend and available through various portals including the external web portal whether you sign up or not. Signing up only lets you access it - everyone else already can.
posted by sudogeek at 2:08 PM on July 15, 2021 [14 favorites]


An air-gapped hospital system would be great, but it simply couldn't work for very long. :7(

50% of the problem with EHRs is that they're vulnerable to incursions from the internet, but the other 50% is that EHR systems can't talk to each other either. Building higher walls around EHRs is a very good idea, but an air gap is just not something modern healthcare can live with. When there aren't ways to exchange data in between sites people manually fax the information. That's much worse!
posted by BungaDunga at 2:11 PM on July 15, 2021 [4 favorites]


Re: manifests of third party software libraries, there are multiple vendors that scan code or built artifacts for open source vulnerabilities and license compliance: snyk, Whitesource, Jfrog X-ray, etc. Couple of problems:

* the enterprise versions of all these are expensive as shit
* teams often hook builds up to them, but don’t fix stuff

In my company, what does help is a well-funded cloud infosec group that is smart and kind of a PITA. They tend to put up name-and-shame dashboards of which teams have the worst security, and then if no action is taken they’ll just invalidate all your AWS keys or whatever. They also have people running simulated hacks and stuff, probably because we dabble in regulated industries. It’s a ton of expense and work though, so I can’t imagine a small rural hospital or meat maker having all that. Basically it seems that teams that write software tend to have more of this review going on, and non-tech companies are at the mercy of consultants.

Also yes to finger breaking and a scarlet H on the heads of bad actors.
posted by freecellwizard at 3:09 PM on July 15, 2021 [2 favorites]
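Added example, not code from any commenter, the podcast, or the vendors named above: a minimal scanner of the kind both comments describe, taking a manifest of third-party components (a CycloneDX-style SBOM) and checking each component's version against an advisory list. The SBOM, the component names, the advisory identifiers and the affected-version ranges are all constructed for illustration; a real pipeline would take the SBOM from the build tool and the advisories from a vulnerability feed.

```python
"""Scan a software bill of materials (SBOM) for components with known-vulnerable versions.

Constructed example: the SBOM and the advisory list below are made up for
illustration; the component names and advisory ids are not real products or CVEs.
"""
import json
import re
from typing import Callable

# Constructed CycloneDX-style SBOM (a real one is emitted by the build tool).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-deserializer", "version": "2.3.1",
         "purl": "pkg:maven/org.example/example-deserializer@2.3.1"},
        {"type": "library", "name": "example-http", "version": "4.0.0",
         "purl": "pkg:maven/org.example/example-http@4.0.0"},
        {"type": "library", "name": "example-yaml", "version": "1.9.0",
         "purl": "pkg:maven/org.example/example-yaml@1.9.0"},
    ],
})

# Constructed advisories: (component name, affected-range expression, advisory id).
# Range syntax: comma-separated comparators, all of which must hold, e.g. ">=2.0.0,<2.3.5".
ADVISORIES = [
    ("example-deserializer", ">=2.0.0,<2.3.5", "EXAMPLE-ADV-0001 (unsafe deserialization)"),
    ("example-yaml", "<1.8.0", "EXAMPLE-ADV-0002"),
    ("example-http", "==4.0.0", "EXAMPLE-ADV-0003"),
]


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings.

    A component that is not numeric (e.g. 'rc1') sorts lowest; tuples of different
    length compare element-wise, so (2, 3) < (2, 3, 0), which is good enough here.
    """
    parts = []
    for p in v.split("."):
        m = re.match(r"(\d+)", p)
        parts.append(int(m.group(1)) if m else -1)
    return tuple(parts)


_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def in_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies every comparator clause in `range_expr`."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        clause = clause.strip()
        m = re.match(r"(>=|<=|==|>|<)\s*([\w.]+)$", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def scan_sbom(sbom_json: str, advisories=ADVISORIES) -> list[dict]:
    """Return one finding per (component, advisory) pair whose version is affected."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for name, range_expr, advisory in advisories:
            if comp["name"] == name and in_range(comp["version"], range_expr):
                findings.append({"component": name, "version": comp["version"],
                                 "advisory": advisory})
    return findings


if __name__ == "__main__":
    for f in scan_sbom(SBOM_JSON):
        print(f"{f['component']}@{f['version']}: {f['advisory']}")
```

Matching on the component name alone is the weak point of a scanner like this: two ecosystems can share a name, so production tools key on the package URL (the `purl` field) and its ecosystem prefix rather than on the bare name. The version-range parser is also deliberately small; real advisories use ecosystem-specific version schemes (Maven, npm, Debian) that do not all sort like dotted integers.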


Fossil fuel companies extract oil, coal, and natural gas from the earth, then people burn it and release all sorts of stuff into the atmosphere that will almost certainly cause incalculable human and economic damage to the world this century. They made their money, and now everyone will pay for it because once it's been sold it's not their problem any more.

Textbook externalities.

Companies that make software and hardware and don't have a plan to support security updates indefinitely do a similar thing. "That's old, we don't support it anymore." IoT, "cloud" devices: all should be sold with a minimum 10+ year support requirement on the part of the manufacturer (or much, much longer, depending on the market segment they're selling to, like healthcare). It won't prevent all issues, but you'll certainly be able to buy a lightbulb and not have your entire house bricked because the company decided it wasn't worth keeping the server running.

Just like the fossil fuel companies, these software/hardware companies have made their money, and now everyone will pay for their security flaws, because it's not their problem anymore.

It's time to make it their problem.
posted by tclark at 3:47 PM on July 15, 2021 [10 favorites]


It probably wouldn't make things better, but I wonder how good the security is for the Russian government.
posted by Nancy Lebovitz at 4:00 PM on July 15, 2021 [2 favorites]


Ransom payments are untraceable because of the crypto currency infrastructure, which is largely designed for anonymity and money laundering. There is no legitimate use-case for crypto currency.

Here's another, rather more modest proposal: anyone caught using a crypto coin for any purpose be exiled to Siberia for life.
posted by monotreme at 4:16 PM on July 15, 2021 [10 favorites]


>you hire a CS department to go over the code line by line and verify it does exactly what the documentation says
Well, they'd be pragmatic software engineers not hypothetical computer scientists and they'd have an arsenal of formally-verified code they plug together to make the plumbing for your data, plus training and documentation so that they leave your organisation able to play their game at their level.

Plus: Documentation?!? What documentation!?! The software industry is about a race to get to market and be the rent-seekers for the businesses you enable, there's precious little documentation and plenty of explosive levels of complexity within systems and between systems. Thankfully there are ways to recover from this, and we're going a long way with the living documentation of intent found in the automated test suite in version control next to your working code.
posted by k3ninho at 4:17 PM on July 15, 2021 [1 favorite]


My mom's company got hit with one of these attacks. There was nothing they could do but pay up, but they reported it to the FBI... not that that'll do much good if they're not in America.
posted by showbiz_liz at 5:50 PM on July 15, 2021


Our expectation on how the world should work (real time! convenient! mobile! global! interconnected! social! intelligent! user-friendly! digital! agile! innovative! disruptive! automated! personalized! cheap! free!) has resulted in an attack surface so large and changing that we struggle to even enumerate it let alone secure it - we just try and keep risks to a tolerable level and sometimes it fails. And we build this all on layer upon layer upon layer of software and hardware from multiple project teams, individuals, companies, and open source projects, and maintain and support it by layers upon layers of internal projects, individual effort, third parties and partners, and service providers who themselves have layers upon layers of the same complexity. And it all gets used by people - who are grumpy that they need to login 25 times a day so just click yes to each MFA login request on their phone, or open that attachment on the phishing email that arrives at 9:01am Monday morning marked “urgent 2nd request” from “Corporate Compliance”.

And this attack surface exists in the reality where some humans are just bad actors, or are smart kids who live in comparative poverty where one or two digital ransoms could equal a lifetime in comfort, and with nation states that either have larger issues (hello Covid and climate change) to deal with than policing cyber activity, or even worse actively use cyber attacks as a weapon or for actual national revenue generation. These threats get to pick and choose which crack to exploit in the attack surface - be it human, logical, or physical.

There are companies that spend hundreds of millions of dollars on cybersecurity each year who still get popped. They have large security testing programs (SAST! DAST! RASP! binary analysis! SCA! pentesting! IAST! threat modeling! container scanners! CSPM! shift-left secdevops!). They have EDR and UEBA and SIEMs and SOCs and blue teams and red teams. They can show you SOC2 reports and SSPs and PCI attestations, and have zero-trust initiatives. But they still get popped.

I sat in a corporate leadership meeting once where someone proposed we offer a multi-million X-Prize type award for “solving Cyber”. Someone much more quick-witted than I said “errr…so go back to pen and paper, right?”
posted by inflatablekiwi at 7:22 PM on July 15, 2021 [9 favorites]


There is no legitimate use-case for crypto currency

As long as you're not doing something heinous like anything sex work related, you have nothing to worry about. Your friendly credit card processing companies are there for you 100%!
posted by tigrrrlily at 7:25 PM on July 15, 2021 [7 favorites]


Get the lawyers on it. Allow companies to sue their IT suppliers for security issues. A few Kaseya-type bankruptcies might help tighten things up.
posted by storybored at 7:50 PM on July 15, 2021 [1 favorite]


The current attack surface for ransomware is huge and getting bigger every minute. It is not possible to write 100% bug free large scale software systems and connect those systems to each other in a bug free way.

The only practical solution is to terminate money laundering services (crypto currencies), with extreme prejudice, before civilization collapses.
posted by monotreme at 8:20 PM on July 15, 2021 [5 favorites]


I think that the boat has already sailed on cryptocurrency unfortunately, when companies are legitimately buying mothballed power stations to run server farms, you can invest in crypto funds, and ridiculous dollars are going into it and associated things like NFT.

But it would be interesting if a whole bunch of threat actors discovered the meaning of “real-world kinetic impact” in a very publicly visible way regularly. I don’t support the death penalty or extrajudicial and extraterritorial killing….but fuckers who take down entire health systems and cause resultant death and suffering for a few Bitcoin…well…
posted by inflatablekiwi at 8:58 PM on July 15, 2021 [3 favorites]


Oh hey this is all painfully relevant to my last few weeks.

Hospital IT is terrrrrible on its own

You have no idea.

Hospitals do have backups, but what are you going to do when someone has come along and wiped the physical hard drive of every PC in the building?

Also keep in mind that backups are completely useless when half the machines on your network are compromised and the other half are at high risk of being compromised. You can't risk restoring anything until every computer in your system is fully clean and patched, which is a very time- and labor-intensive process. Until it's finished you're SOL. Hope you brought pen and paper because that's your computer now.

Disallow ransom payments as a deductible business expense and the problem would get fixed very quickly.

Some institutions have explicit policies against paying ransoms. It doesn't make them any better at security. There's lots of reasons. IT systems may be partially ad hoc and/or have legacy parts. There's institutional inertia that constrains change. It can be difficult to convince management that a high-risk, low-probability event can even happen. Until one day it suddenly does. People suck at this kind of calculus.

I wonder if forcing public utilities, hospitals to maintain a mirror of their actual systems, but not hooked up to anything dangerous or containing personal information that people are encouraged to attack and find weaknesses in?

We do have a mirror system used for testing updates prior to roll-out. Only for the EMR, though, not the wider PC network it runs on, and I strongly doubt anyone bothers pen-testing it. Maybe the vendor does, I don't know, but no one in our IT department has that kind of competence or forethought.

Inter-hospital communications still run on fax machine protocols. So at least they're fax-gapped.

Our platform for "faxes" is computer/internet based rather than literal fax machines talking over phone lines. Which meant it went down with everything else. We do however have standard office copy machines with fax capabilities, and these proved absolutely vital for in-house communication during the crisis. Thank god they never digitized the phone system.
posted by dephlogisticated at 9:24 PM on July 15, 2021 [5 favorites]


I know this was a joke, but... fax machines use literally zero encryption, anyone intercepting the communication can see everything sent.

My fax line used to be 1 digit off of a pharmacy .... I got more faxes with people's prescriptions on them than ones I actually needed
posted by mbo at 11:30 PM on July 15, 2021 [2 favorites]


My first reaction:

Shutting down the exchanges would work.

Ransomware attacks are profitable because of how cryptocurrencies facilitate payment of the extortion. The profits get reinvested into the technology chain that manages the attacks and the collection of payments. Like drug cartels subsidised by the "war on drugs", the malware-cryptocurrency gangs will get stronger the longer they operate.

In the end, however, cryptocoin needs to be turned into government-backed currency aka cash. And the exchanges are both public gateway and constrained bottleneck for turning crypto into cash. Malware teams may be distributed and anonymous and unreachable, but cryptocurrency exchanges need to have postal addresses and bank accounts.

Also, a modest proposal:

I'm not a fan of American military power bombing places abroad but, if they're going to have to do it because they have too many bombs or something, there are few more deserving targets than cryptocurrency mining operations. Just saying. Win/win.
posted by kandinski at 3:06 AM on July 16, 2021 [2 favorites]


(I'm not even commenting on the article because it's so stupid that I felt my brain shrivel while the tab was open. )
posted by kandinski at 3:07 AM on July 16, 2021 [1 favorite]


my modest proposal is to just force all hospitals to operate in Russian

Installing the Russian language pack on your computers is easy to do and recommended by Krebs.
posted by hypnogogue at 6:52 AM on July 16, 2021 [3 favorites]


Ransom payments are untraceable because of the crypto currency infrastructure, which is largely designed for anonymity and money laundering.

Their traceability matters a lot less when they're going to groups in Russia, who are not going to be extradited even if we know who they are. If we could physically get our hands on these guys, the problem would be a lot more straightforward to solve.
posted by BungaDunga at 8:16 AM on July 16, 2021


IoT, "cloud" devices: all should be sold with a minimum 10+ year support requirement on the part of the manufacturer

the problem has gotten so much bigger than that. people are getting pwned by supply-chain attacks on their software vendors. You break into the vendor, you insert your backdoor into the vendor's software, clients update their software, and now you've pwned all of the client businesses. It's ransomware on a literally industrial scale. Yes, out-of-date IoT devices are a great way to get into a network, but pwning whoever is providing ongoing support for cloud devices can be even better.
posted by BungaDunga at 8:31 AM on July 16, 2021 [2 favorites]


There is no legitimate use-case for crypto currency.

It’s a rough spot being pro-tax and also pro-drugs.
posted by atoxyl at 9:16 AM on July 16, 2021 [1 favorite]


You only need to make illegal the usage of crypto in paying a ransom. Part of the problem is that crypto is anonymous and also untraceable. Cash is anonymous but you can watch cash being exchanged and take down whoever is holding the bag. You can't watch an electronic transaction but the transaction isn't anonymous. Crypto is both anonymous and unwatchable. You can't watch who picks up a crypto transaction.

The whole ransomware trend is being driven by the fact that you can take a bunch of coins, deposit them anonymously in an exchange, and pull the same number of completely different coins out on a different, completely anonymous set of wallets. Trying to piece together the chain of custody might not even be possible even if the exchange were compelled in some way to assist. It's basically money laundering outside the jurisdiction on extremely easy mode. It's the investigational equivalent of trying to follow a scent of someone jumping into a river with a million other people and then trying to sort through the million footprints leading away but everyone exchanged shoes.

If companies can't pay crypto and the cash needs to go somewhere, the buck will stop with whoever is left holding the cash. That means people can possibly be caught.
posted by Your Childhood Pet Rock at 11:15 AM on July 16, 2021 [1 favorite]


Crypto is both anonymous and unwatchable.

This doesn’t seem like quite the way to put it given that something like bitcoin is, by design, extremely watchable. Every single transaction is recorded publicly and permanently. The tricky part is the ability to anonymize at the ends, i.e. the concealment of ownership of sending and receiving wallets is the bottleneck. In between one can trace with software and my impression is that authorities are actually starting to get pretty decent at tracking this sort of thing.

Of course, there are now crypto systems designed to obfuscate transaction flow more inherently.
posted by atoxyl at 12:32 PM on July 16, 2021


The endpoints are definitely a problem, specifically the exchanges. For example, every time I do a transaction on coinbase, it makes a new wallet for me - all of those wallets work going forward but if I want, every transaction I make can be the only transaction that wallet ever sees. From there I can cash out and that's between me and coinbase. If coinbase doesn't cooperate with investigations (no idea if they do or not) then the money is untraceable from there.

In the beginning days of ransomware it was common to have a single bitcoin address for all payments to go to. I believe wannacry did this and that meant we could actually track how much they were making in payments (not much compared to the damage done, a pittance really. They burned down a building to steal a light bulb)

These days every mark of a scam (malware, phishing, blackmail, etc) gets an email with a unique wallet in it. We gather as many of those as we can and try to figure out the upstream wallet(s) from those and see if we can probe and find more wallets that represent payments from the targets. You can map everything out, and a lot of techniques from detecting money laundering via bank transactions apply here also, although it can be much more complicated.
posted by RustyBrooks at 1:15 PM on July 16, 2021
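Added example, not code from atoxyl, RustyBrooks, or any tool they use, and built on a made-up ledger rather than real chain data: the kind of tracing the two comments above describe. It starts from the unique payment addresses collected from ransom notes, applies the common-input-ownership heuristic (addresses spent together as inputs of one transaction are treated as one likely owner, which also surfaces payment addresses that were never collected), then follows the funds forward to the consolidation address and on to the unspent endpoints where a cash-out would happen. All address and transaction names are constructed.

```python
"""Trace ransom payments forward through a constructed transaction graph.

Two investigative techniques are shown:
  1. the common-input-ownership heuristic (union-find over co-spent inputs),
  2. forward flow tracing (BFS from the payment addresses along spending txs).
The ledger below is made up; addresses are labels, not real ones.
"""
from collections import defaultdict, deque

# Constructed ledger: each tx spends from `inputs` and pays `outputs`.
# Amounts are omitted; only the graph structure matters for this example.
TXS = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": ["payA"]},          # ransom paid
    {"txid": "t2", "inputs": ["victimB"], "outputs": ["payB"]},
    {"txid": "t3", "inputs": ["victimC"], "outputs": ["payC"]},
    {"txid": "t4", "inputs": ["payA", "payB"], "outputs": ["sweep1"]},   # co-spend
    {"txid": "t5", "inputs": ["payC", "payD"], "outputs": ["sweep1"]},   # payD never seen in a note
    {"txid": "t6", "inputs": ["sweep1"], "outputs": ["exch_deposit", "change1"]},
    {"txid": "t7", "inputs": ["unrelated1"], "outputs": ["unrelated2"]},
]


class UnionFind:
    """Minimal disjoint-set structure with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def coinspend_clusters(txs):
    """Group addresses that ever appear together as inputs of one tx."""
    uf = UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins[1:]:
            uf.union(ins[0], addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return dict(groups)


def linked_addresses(txs, seeds):
    """Seeds plus every address the co-spend heuristic ties to them."""
    linked = set(seeds)
    for members in coinspend_clusters(txs).values():
        if members & linked:
            linked |= members
    return linked


def trace_forward(txs, seeds, max_hops=10):
    """Follow funds forward from `seeds`; returns {address: hop distance}."""
    spends = defaultdict(list)           # address -> txs that spend from it
    for tx in txs:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for tx in spends[addr]:
            for out in tx["outputs"]:
                if out not in hops:
                    hops[out] = hops[addr] + 1
                    queue.append(out)
    return hops


def investigate(txs, note_wallets):
    """Cluster the ransom-note wallets, trace forward, and list unspent endpoints."""
    linked = linked_addresses(txs, note_wallets)
    flow = trace_forward(txs, sorted(linked))
    spent = {a for tx in txs for a in tx["inputs"]}
    endpoints = {a for a in flow if a not in linked and a not in spent}
    return {"linked": linked, "flow": flow, "unspent_endpoints": endpoints}


if __name__ == "__main__":
    result = investigate(TXS, ["payA", "payB", "payC"])
    print("linked payment addresses:", sorted(result["linked"]))
    print("flow (address -> hops):", result["flow"])
    print("unspent endpoints (cash-out candidates):", sorted(result["unspent_endpoints"]))
```

In the constructed ledger the heuristic picks up `payD`, a payment address the investigator never collected, and the forward trace stops at `exch_deposit` and `change1`, which is where a subpoena to the exchange would take over. The heuristic is only a heuristic: CoinJoin-style transactions deliberately co-spend inputs from unrelated owners to defeat it, and the obfuscating systems atoxyl mentions hide the graph altogether, so a real analysis treats these clusters as leads to corroborate, not as proof of ownership.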


Disallow ransom payments as a deductible business expense and the problem would get fixed very quickly.

Some institutions have explicit policies against paying ransoms. It doesn't make them any better at security. There's lots of reasons. IT systems may be partially ad hoc and/or have legacy parts. There's institutional inertia that constrains change. It can be difficult to convince management that a high-risk, low-probability event can even happen. Until one day it suddenly does. People suck at this kind of calculus.

The leverage I'm looking for is to make insurers pay more attention to how they price claims. If no one can afford to buy a claim against a cyber attack without jumping through a ton of security compliance hoops I think it'd improve the situation. An insurance company that makes a business out of insuring against ransomware and cyberattacks can afford the resources to learn the problem domain. I know most companies who are less invested in security and haven't been burned once already have a poor track record of actually prioritizing the threat, but if they can't even buy insurance against the liability I suspect the CFOs and investors would start getting nervous enough to press for change.

I worked in tech and I know how hard it is to get security taken seriously and there's always a tradeoff with productivity.
posted by BrotherCaine at 3:06 PM on July 16, 2021 [2 favorites]


Get the lawyers on it. Allow companies to sue their IT suppliers for security issues. A few Kaseya-type bankruptcies might help tighten things up.

Developers react in shock and horror to the idea of software product liability, or even being prevented from disclaiming warranties of merchantability and limiting damages to the cost of the software.

They still like to call themselves engineers though.
posted by snuffleupagus at 5:18 AM on July 17, 2021 [4 favorites]



