[HN Gopher] Hackers extorted $1.14M from UCSF
       ___________________________________________________________________
        
       Hackers extorted $1.14M from UCSF
        
       Author : Pick-A-Hill2019
       Score  : 192 points
       Date   : 2020-10-22 15:02 UTC (7 hours ago)
        
 (HTM) web link (www.bbc.com)
 (TXT) w3m dump (www.bbc.com)
        
       | hankchinaski wrote:
       | Now the question is, did they have insurance in place? Who
       | will be held (legally and financially) accountable for the
       | incident?
        
       | coderintherye wrote:
       | Previous discussion here:
       | https://news.ycombinator.com/item?id=23659590
       | 
       | And discussion from years back when they outsourced all of their
       | IT: https://news.ycombinator.com/item?id=12870150
        
       | scott-smith_us wrote:
       | It really bugs me when I hear of institutions paying these
       | ransoms.
       | 
       | Regardless of the damage, I'd just take the bullet, fix my
       | security, and not pay. Be consistent in this, and keep it up for
       | a while. Long term: no more extortion for anyone.
        
         | exolymph wrote:
         | That's real easy to say when the gun isn't up against your
         | head. Call us when your principles in this matter have been
         | tested in practice.
        
         | colejohnson66 wrote:
         | Except if you're a company with millions of users, losing
         | everything would be a lot worse. As @gowld mentioned: you can't
         | retroactively fix security.
        
         | gowld wrote:
         | You can't retroactively fix your security.
         | 
         | It can take a lot of money (well spent, so that's fine) and time
         | (which can be devastating) to recover the compromised system.
        
         | gk1 wrote:
         | > Regardless of the damage, I'd just take the bullet, fix my
         | security, and not pay.
         | 
         | It's irrational to "bite the bullet" if the damage is
         | significantly greater than the ransom.
         | 
         | Sure, it's better in the long term, but not for the
         | person/organization being ransomed.
        
           | reaperducer wrote:
           | _It's irrational to "bite the bullet" if the damage is
           | significantly greater than the ransom._
           | 
           | It's not irrational. It's called doing the right thing.
           | 
           | _Sure, it's better in the long term, but not for the
           | person/organization being ransomed._
           | 
           | That's called being selfish. One would expect an institution
           | like UCSF to act for the benefit of all of society and not
           | like a six-year-old grabbing all the Easter eggs at the hunt
           | and saying, "I got mine!"
        
             | recursive wrote:
             | What you call "selfish" is also known by some as
             | "rational". Maybe that will help.
        
               | jbm wrote:
               | We can't survive in a society where min/maxing benefit is
               | the sole form by which we determine whether something is
               | the correct action or not.
               | 
               | I am sure you would agree that gender-based abortion,
               | deforestation, and infinite copyright periods could be
               | seen as "rational" to people in certain societies and
               | certain economic situations. It doesn't mean that we
               | should let such actions go without comment.
        
               | kelnos wrote:
               | The two things are not mutually exclusive.
        
         | LinuxBender wrote:
         | I think this assumes an organization has proper data backup
         | strategies in place. If you have daily snapshots and full
         | weekly backups, then ransomware should just be a nuisance and
         | cause some people to work weekends / after hours.
        
       | [deleted]
        
       | arcticbull wrote:
       | I for one love to see Bitcoin getting so much widespread
       | adoption. That's the real story here.
        
       | Vladi00 wrote:
       | Today's hackers are just like the pirates, robbers and thieves of
       | the past. Many will find grayish zones (e.g. software piracy)
       | hoping to go undetected. Others will take high risk, high reward
       | (e.g. computer extortion, etc.).
        
       | diebeforei485 wrote:
       | Well, didn't they fire tech staff and outsource the work? Sounds
       | like it might not have been the best decision in hindsight.
        
       | atishay811 wrote:
       | A more capitalist solution to the ransomware problem could be
       | ransomware insurance, ideally mandated. You get hit and the
       | company pays. But your premium rises the next time and till
       | forever. You can get premium incentives to do audits and update
       | software. Lower premiums show up in the balance sheet as profit
       | and therefore there is immediate incentive to act on security
       | issues. The insurance company has enough incentive to track the
       | victim that some action might get taken.
        
       | VectorLock wrote:
       | US Treasury announced recently "Advisory on Potential Sanctions
       | Risks for Facilitating Ransomware Payments."
       | 
       | I wonder if these will reduce these kind of payments in the
       | future, which seemed to really be ramping up.
       | 
       | https://home.treasury.gov/system/files/126/ofac_ransomware_a...
        
       | gowld wrote:
       | These are acts of war by foreign entities against US citizens,
       | hospitals, and governments. The lack of military response is
       | dumbfounding and unacceptable.
       | 
       | The NSA is recording every byte of data crossing our borders, and
       | also much internal traffic, and they are unable or unwilling to
       | track down these perpetrators?
        
         | bovermyer wrote:
         | They're not always state actors, though. Sometimes it's just
         | sociopaths who happen to be really good at compromising
         | systems.
         | 
         | Also, assuming the NSA has a copy of every byte of network data
         | ever sent through the USA, that's a LOT of data. Processing
         | that takes time.
        
       | DevX101 wrote:
       | Attacks like this make me think there's a real business ($1+
       | billion opportunity) in making a tech-first insurance company
       | for security incidents.
       | 
       | Write insurance policies to major companies. But as a
       | precondition for getting underwritten you have to submit to
       | periodic security review by legit security pros. Failure to
       | adhere to security recommendations means your policy gets
       | dropped.
        
         | colejohnson66 wrote:
         | I think those already exist. I've heard claims of insurance
         | companies refusing to pay out for ransomware because they
         | should've had backups (they'll pay for recovery from backups,
         | but not ransom).
        
         | lawnchair_larry wrote:
         | That insurance already exists. Periodic review by security pros
         | is pretty much worthless, however. Nearly every company that
         | has been hit had review by security pros, and many had
         | compliance certifications.
        
           | DevX101 wrote:
           | How good are these reviews really? I'm thinking of top tier
           | security pros on the calibre of Project Zero/Google. Doubt
           | most hacks would have gotten past a thorough audit by those
           | folks.
        
             | dboreham wrote:
             | This is the point. Any review process that's sufficiently
             | mechanical to be duplicated at scale becomes a
             | box-[ticking|checking] exercise with little actual value.
             | E.g. you can verify that backups are made and can be
             | restored but how do you find mission critical data that
             | isn't subject to backup?
        
             | Veserv wrote:
             | No material difference from a defense perspective.
             | Offensive prowess does not result in defensive prowess.
             | Just look at the Android bug bounty program [1], only $250K
             | for a remote kernel arbitrary code execution, or Apple
             | [2], $250K for a one-click kernel arbitrary code execution.
             | To be fair though, that is on the high end of security; you
             | could probably totally compromise any Fortune 500 company
             | for less than that. And no, I am not joking or exaggerating;
             | that is actually a serious statement.
             | 
             | Really all these audits do is validate your security. If
             | they find something at a price point then you are probably
             | vulnerable at that price point. Think of it like a live-fire
             | test of a bulletproof vest against a gun. If a bullet
             | goes through then you probably cannot protect against
             | that. If it does not go through, you still cannot be
             | certain that it actually does provide comprehensive defense
             | against that gun and bullet, but it is at least not totally
             | ineffective. In the current state of the industry, any
             | competent audit will find multiple critical vulnerabilities
             | at these price points. It is like shooting an airsoft
             | pellet at a "bulletproof vest" and seeing it pierce
             | through. It is so fundamentally flawed that testing against
             | a real gun (better offensive specialist) is kind of
             | meaningless since to actually solve the problems you
             | already need to completely redesign everything.
             | Unfortunately, most companies who get such audits done
             | think the takeaway is that the places the airsoft pellet
             | went through must be the only problems, so if they just
             | patch them up then everything else must be good because
             | nothing pierced those other pieces instead of realizing
             | that observable quality defects in one place probably means
             | there are many unobserved quality defects in other places.
             | 
             | [1] https://www.google.com/about/appsecurity/android-rewards/
             | 
             | [2] https://developer.apple.com/security-bounty/
        
           | paul_f wrote:
           | What exactly are these security "pros" doing? I just don't
           | understand how the ransomware guys could destroy the snapshot
           | backup copies of the database in my desk drawer. Why don't
           | companies with this much data to protect have air-bridged
           | offsite backups?
        
         | curiousllama wrote:
         | It's a great idea, iff you can accurately price security risks.
         | 
         | Security is an org problem as much as a tech problem. Trying to
         | estimate likely security risks caused by orgs is...
         | complicated. You would blow your margin in assessment costs
         | alone.
         | 
         | Besides, can you imagine a board asking the CEO why they're
         | buying insurance with the infosec budget instead of, y'know,
         | ensuring infosec?
        
           | DevX101 wrote:
           | Insurance puts skin in the game for the insurance/security
           | company. If a security company audits my system and gives the
           | greenlight, they should be willing to put money on the line
           | to defend their work.
        
       | spzb wrote:
       | Story is from June
        
       | stygiansonic wrote:
       | Seems like ransomware negotiation has become a professional
       | service. See: https://www.prnewswire.com/news-
       | releases/groupsense-launches...
       | 
       | The negotiations here were similar to the ones CWT had, albeit a
       | little less courteous:
       | https://www.reuters.com/article/us-cyber-cwt-ransom/payment-...
        
       | [deleted]
        
       | tinyhouse wrote:
       | What a shame they keep paying those hackers.
        
         | [deleted]
        
       | TacticalCoder wrote:
       | So the bad guys used a public ledger (Bitcoin) to get paid? Why
       | aren't the hackers asking for cryptocurrencies using
       | zero-knowledge proofs like ZCash or Monero? Bitcoin? What's their
       | plan next?
       | 
       | I'm not saying you can't get away with this (there are coin
       | "mixers" and decentralized exchanges) but still, this leaves lots
       | of traces left and right.
       | 
       | For example, we saw a lot of people getting busted recently while
       | they thought they were smart using cryptocurrencies, including a
       | money laundering ring... And they were using mixers, decentralized
       | exchanges, people located over several countries/continents and
       | whatnot, if I recall correctly. Yet: all busted.
       | 
       | For all we know, in six months the headline could be: "Hackers
       | who extorted 1.14M USD from UCSF arrested by Interpol"
       | 
       | Besides that: what happened to offline backups? How exactly are
       | hackers coming for cloned, unplugged HDDs/SSDs stored on shelves
       | or in bank safes? (I know several companies doing just that as
       | offline backups.)
       | 
       | I hope this serves as a wake up call to companies/institutions
       | either not doing backup properly or outsourcing to incompetent
       | companies not doing backups properly (the latter being not really
       | excusable).
        
         | SirYandi wrote:
         | I've wondered about this as well. What's stopping such
         | criminals from purchasing Monero with the Bitcoin? Would that
         | be enough to anonymize?
        
       | jrochkind1 wrote:
       | > And an anonymous tip-off enabled BBC News to follow the ransom
       | negotiations in a live chat on the dark web.
       | 
       | So, that "anonymous tip-off" was obviously from the hackers,
       | right? I guess the other option is a "whistleblower" at UCSF
       | (would anyone else know about it?), but the hackers have a lot to
       | benefit from everyone knowing about it, so next victim thinks
       | "Gee, respected institutions like UCSF are willing to pay the
       | ransom and didn't have the capability to recover otherwise, we
       | should probably just pay the ransom too".
        
         | riffic wrote:
         | The whistleblower option is the most probable one, isn't it?
         | Universities have to operate in a transparent manner and have
         | no incentive to obscure facts here.
        
           | jrochkind1 wrote:
           | It doesn't sound like the university publicly and
           | transparently revealed this -- the BBC wouldn't have to be
           | cagey about how they listened in on the chat if that were
           | true, they could just say "according to UCSF". But it wasn't
           | that, it was an "anonymous tip-off".
           | 
           | So we already know the university was not being transparent
           | and open about it. When I say "whistleblower", I mean someone
           | who secretly gave the BBC the info and remains secret because
           | they weren't supposed to and would be disciplined at work for
           | it.
           | 
           | The university has PLENTY of incentive to obscure facts here,
           | because the official line is that it's immoral to pay hackers
           | like this (it encourages future hacks, law enforcement says
           | not to do it), and because it reveals them as having made IT
           | mistakes that led to a ransomware takeover where they decided
           | their best/cheapest recovery option was to pay up (instead of
           | restoring from backups etc). It does not make them look good
           | to have paid up, that's plenty of incentive to not want the
           | BBC to report it.
           | 
           | Also, having spent many years working for universities, I
           | think it's kind of cute that you think they "have to operate
           | in a transparent manner." Would that it were true.
        
         | sbassi wrote:
         | Some ransomware, like Netwalker, has public forums with
         | announcements, so the tip may come from anybody not involved with
         | either of the two parties.
        
           | jrochkind1 wrote:
           | Sounds like the BBC literally eavesdropped on the chat; they
           | were able to log in to the chat. I'm doubting the public forum
           | announcements give the public info to log into a chat where
           | the hackers are negotiating with the target!
        
         | dannyw wrote:
         | It's also possible the darknet site is poorly secured and you
         | can iterate through all conversations with some URL
         | incrementing.
        
           | luckylion wrote:
           | That would still require someone to tell the BBC. I doubt
           | that the BBC routinely enumerates hidden services and then
           | looks to enumerate all potential chat rooms and randomly
           | stumbled upon a negotiation.
        
       | brian_herman__ wrote:
       | I misread this as US CHESS Federation.
        
         | JackFr wrote:
         | If US Chess Federation had a budget in the billions, that'd be
         | a story by itself.
        
       | aborsy wrote:
       | Can't NSA (or FBI) track down these attackers, or help decrypt
       | the data?
       | 
       | At least then it makes a useful service for the public, also
       | clears doubts on its crypto capabilities.
        
         | cortexio wrote:
         | euuh no. Skillful hackers can remove their tracks 100% and
         | decrypting is impossible unless you have a few thousand years,
         | depending on the encryption method. Just secure your
         | computers/servers so unauthorized software can't be installed or
         | executed. And maybe some IQ training for the people there, so
         | they don't open stupid shit from their mailbox or the web.
        
       | naveen99 wrote:
       | Enterprises generally go too far in the direction of restricting
       | data access and copies of data, making themselves more fragile.
       | They should outsource custodianship of data or do what AWS
       | etc. do: proper backups and fault tolerance.
        
       | naveen99 wrote:
       | Maybe single source of truth has some downsides, like single
       | point of vulnerability.
        
       | SommaRaikkonen wrote:
       | Hi, I'm not sure if my comment will be read since there are a lot
       | of them already, but what would the best move be for a medium-
       | sized company in this situation?
       | 
       | Hypothetically, the fees won't be as astronomical as in UCSF's
       | case, but the importance of the data being held for ransom will
       | still be the same. Should they take the risk of getting their
       | financial/healthcare/IT data uploaded to the public if they don't
       | pay the fee?
        
       | abeppu wrote:
       | This article makes the point that law enforcement agencies take
       | the stance that paying a ransom further encourages this behavior
       | from hackers.
       | 
       | In the case of state or public institutions like this, would it
       | be advisable for legislatures to make it illegal for state
       | entities to pay ransoms, and then very publicly announce these
       | laws? I.e. can/should we make credible, public commitments in
       | advance to not pay ransom, or to remove that choice from the
       | organization-level administrators? Would this make these
       | organizations less appealing targets?
       | 
       | "Sorry, we are not authorized to pay you any ransom due to
       | SB-XYZ. If you can get several hundred thousand signatures from CA
       | residents to petition for a referendum to overturn this law, we
       | may be able to pay you a ransom after ... well not the upcoming
       | election but maybe the one after that."
        
         | pfortuny wrote:
         | And then the "committee" meets and they take a majority
         | decision to pay with a secret vote, and another committee makes
         | the actual payment (by majority).
         | 
         | Who do you prosecute?
         | 
         | Would you close the University to huge harm to the students and
         | researchers?
        
           | MrMorden wrote:
           | What you're describing is conspiracy to commit embezzlement;
           | everyone who participated in that conspiracy gets a tenured
           | position at Folsom. And why would you close the university?
           | Are you seriously claiming that everyone in management is
           | determined to do everything possible to hand money to
           | criminals?
        
             | pfortuny wrote:
             | Really? In a secret vote? Who is to blame? Are you sure
             | people are really at their best when their positions are in
             | play and they can hide behind a committee and the solution
             | is "grey"?
             | 
             | Never understood the power of anonymity...
        
         | sslayer wrote:
         | Typical turn the victim into the guilty tactics. Why not hunt
         | down the extortionist?
        
           | iforgotpassword wrote:
           | How about the victim applies security fixes in a timely
           | manner and creates backups? The excuses at the end of the
           | article are rather weak.
           | 
           | Edit: Also https://news.ycombinator.com/item?id=12870150
        
         | Nextgrid wrote:
         | Banning ransom payments won't magically fix the underlying
         | vulnerabilities that allow these gangs to deploy their
         | ransomware.
         | 
         | If ransoms weren't being paid, criminals would find other ways
         | to monetize the data. "Honest" ransomware is actually good for
         | the public in the sense that should the ransom be paid, the
         | data is indeed destroyed by the gang. Make ransoms impossible
         | and they will start selling the data or monetizing it in other
         | ways (identity theft, card fraud, etc), at the expense of the
         | public.
         | 
         | Given that we can't eradicate this kind of crime entirely by
         | improving security, I think ransomware is the least bad option
         | in the sense that it punishes the offending company while
         | minimizing the risk of the data being leaked which would hurt
         | the data subjects themselves (the public).
        
         | nickysielicki wrote:
         | I mean they clearly _want_ to pay the ransom, because they care
         | about their data and/or the privacy of their data.
         | 
         | Making it illegal for them to pay just means that they can't
         | look after that interest. Why would that be a good thing to do?
        
           | vlan0 wrote:
           | >because they care about their data and/or the privacy of
           | their data.
           | 
           | >Making it illegal for them to pay just means that they can't
           | look after that interest. Why would that be a good thing to
           | do?
           | 
           | You only have the criminal's word to stand on when they claim
           | to delete data. It's far too easy to simply hang on to the
           | troves of collected data and wait for a rainy day.
        
           | landryraccoon wrote:
           | Because the criminals won't hack them if they know there's no
           | ransom to be paid.
        
             | Beldin wrote:
             | That's the assumption. Alternatively, the ransom is changed
             | to "change the law".
        
           | cpncrunch wrote:
           | They might take off-site backups a bit more seriously if it
           | is made illegal to pay the ransom.
           | 
           | I don't think it will have any effect on privacy. The hackers
           | say they will delete the data, but how can you trust them?
        
             | ryandrake wrote:
             | Right, today the logic is: If the risk-adjusted cost of a
             | ransom is less than the cost of implementing proper
             | backups, then it makes sense to just not do backups. If
             | paying ransom was illegal, maybe they'd actually invest in
             | those backups.
        
               | UncleEntity wrote:
               | > If the risk-adjusted cost of a ransom is less than the
               | cost of implementing proper backups, then it makes sense
               | to just not do backups.
               | 
               | Then again you have people who do it just for the lulz
               | (err...meows?) ->
               | https://news.ycombinator.com/item?id=23957510
        
           | whimsicalism wrote:
           | Because it is an action with a huge negative externality?
           | You're funding criminals.
           | 
           | We've banned voluntary actions with externalities in the
           | past.
        
             | powersnail wrote:
             | By that line of reasoning, every blackmail and robbery
             | victim funds criminals and is thus subject to similar
             | punishment.
        
           | MacsHeadroom wrote:
           | It's a public institution. It's not "their" data. It's their
           | shareholders' data -- the public.
           | 
           | Whether or not trusting the judgement of administrators over
           | the judgement of law enforcement is the best way to handle
           | these situations is an open question.
           | 
           | I'm not sure I trust public university administrators to do
           | much beyond stimulate the local construction economy and
           | wider investment banking industry.
        
         | [deleted]
        
         | amelius wrote:
         | One thing that might work is if white hat hackers outnumber the
         | black hat hackers and create ransomware that doesn't have a
         | decrypt option. At a certain point, people will stop paying the
         | ransom.
         | 
         | Another option is: forbid bitcoin and other cryptocurrencies.
        
           | Enginerrrd wrote:
           | I wouldn't call that white hat. ...like at all.
           | 
           | Greyhat is even a bit of a stretch. It's like Dr. Doom. He
           | has good motives but he's still the bad guy.
        
         | fastball wrote:
         | Aren't ransomware attacks frequently undirected?
        
         | thrownaway954 wrote:
         | And say they do make it illegal for state entities to pay
         | ransoms... then what? What is going to happen when a ransom
         | attack does happen? They contact the FBI... great... now what?
         | How do they get their data back? What obligation does the FBI
         | have to track down the gang and get the data back?
         | What's the timeline?
         | 
         | See... the issue I see with making it illegal for state
         | entities to pay ransoms is that you tie the hands of the victim
         | without any guarantee that law enforcement will help, and help
         | in a timely manner. I see this as a lose-lose situation.
        
           | landryraccoon wrote:
           | The point is that there's no incentive for hackers to target
           | state entities.
           | 
           | Hackers can target state entities for other reasons, but no
           | rational hacker would do it for the ransom, since there won't
           | be any ransom paid.
           | 
           | The FBI can simply say "We'll never catch the hackers, but if
           | you pay them you'll go to jail". It accomplishes the same
           | goal of reducing the reward for hacking to zero.
        
             | vkou wrote:
             | This works for targeted attacks, but doesn't work for
             | untargeted, shotgun-ransomware attacks.
             | 
             | Shotgun attacks aren't discouraged if some X% of their
             | targets can't/won't pay the ransom.
        
           | tolbish wrote:
           | It seems this law is intended to benefit those with the most
           | resources to implement the best security, leaving smaller
           | businesses to pretty much pound sand.
        
             | ajsnigrutin wrote:
             | You mean a pretty basic backup, that your grandma probably
             | has enabled on her phone?
        
               | tolbish wrote:
               | You presume the attacker does not know the location of
               | these backups.
               | 
               | Smart attackers do extensive research on their targets
               | before performing the attack.
        
               | ls612 wrote:
               | Isn't this literally one of the reasons WORM storage
               | solutions exist?
        
               | [deleted]
        
               | tolbish wrote:
               | We have arrived at why "a pretty basic backup" is no
               | longer feasible for...any business. A hard sell for a
               | four person business with no dedicated IT team.
        
               | sbassi wrote:
               | A backup won't protect you from full data disclosure.
        
           | amelius wrote:
           | It's losing the battle but winning the war ...
        
             | nickff wrote:
             | Which sounds better to a general at HQ than to a private in
             | a foxhole.
        
               | [deleted]
        
               | chrisshroba wrote:
               | Sure, but to a general at HQ, 1 dead soldier is better
               | than 10. The policy is devastating to that 1 soldier (and
               | family), but that's not enough reason to adopt an
               | opposing policy that would save the 1 but kill the 10.
               | 
               | Similarly, I can appreciate the logic in making American
               | companies less likely to be targeted by ransom hackers,
               | even if it means some companies are hit harder in the
               | short term.
        
               | nickff wrote:
               | You've made the implicit assumption that it is acceptable
               | and desirable for the government to sacrifice some
               | companies to save some others. I'm not so sure that's the
               | government's business, and it sounds a lot like a taking
               | to me. Perhaps it is acceptable in the era of Kelo.
        
               | marcosdumay wrote:
               | > You've made the implicit assumption that it is
               | acceptable and desirable for the government to sacrifice
               | some companies to save some others.
               | 
               | That's how governments operate. Every time a government
               | "sneezes" it harms some companies and benefits others.
        
               | nickff wrote:
               | No, when governments provide public goods (their most
               | widely-accepted role), they are not picking companies out
               | for the gallows.
        
               | mandelbrotwurst wrote:
               | In that case I'm sure you won't mind if we repave all of
               | the roads to my store twice as often and let the ones you
               | rely on fall apart.
        
         | TheJoeMan wrote:
         | I agree, it should be illegal. The headline of this should be
         | "California government supplies bitcoin to illegal terrorist
         | hackers"
        
         | epc wrote:
         | The problem with that scenario is that it's probably the same
         | public legislatures that have failed to fund adequate
         | information security for these public institutions. If such a
         | law was paired with appropriate funding then sure, go ahead. If
         | not then what you'll get is more public institutions getting
         | hacked and officially prevented from paying the ransom to get
         | files back.
        
         | 112012123 wrote:
         | Interestingly, this is pretty much the split we've seen
         | regarding terrorist hostage-taking in North Africa. While
         | European governments have generally paid ransoms for the return
         | of their citizens, the US Government steadfastly refuses to
         | pay.
         | 
         | In early years, this generally led to better outcomes for
         | European citizens, but as time wore on, it's come to a point
         | where the terrorists actively avoid kidnapping Americans and
         | prefer Europeans. Assuming these types of hacks are
         | explicitly targeted, I imagine we'd see a similar dynamic play
         | out.
         | 
         | Source:
         | https://www.nytimes.com/2014/07/30/world/africa/ransoming-ci...
        
           | e40 wrote:
           | Pretty sure I heard on a NYT podcast that proxies are used
           | for US citizens who are kidnapped. Specifically, a high-
           | profile US citizen kidnapped by ISIS and they were returned
           | via payment via a proxy.
        
           | nickt wrote:
           | I've traveled a lot in the Sahara and an old expression
           | amongst the expats was "The French send troops, the Germans
           | send money and the British send regrets".
        
             | nickt wrote:
             | ^French^Americans probably.
        
         | ajpkco wrote:
         | This doesn't work in practice, companies that aren't allowed to
         | pay those ransoms usually use proxies (some other company that
         | doesn't have to follow those restrictions) that will pay the
         | hackers
        
           | newcomputer wrote:
           | The comment you're replying to is talking about public
           | institutions not companies, you fucking idiot.
        
           | archgoon wrote:
           | Isn't this the same problem that money laundering laws have
           | to solve? It's hard, but it's not insurmountable.
        
             | Beldin wrote:
             | Not really: money laundering typically is an on-going
             | activity, while ransomware/hostages is (hopefully)
             | incidental.
             | 
             | That means that money laundering laws are up against a
             | dedicated adversary with resources, while laws preventing
             | ransoms... not so much.
             | 
             | Of course, with cyber insurance, incentives for the insurer
             | may lean towards dedicated circumvention.
        
             | bilbo0s wrote:
             | Money laundering has the benefit of Federal law working to
             | help the State laws. I think in an environment where there
             | are 50 different legal regimes it's inevitable people will
             | develop workarounds. You see legal arbitrage in every
             | instance where legal differences exist between states. From
             | corporate law to family law. I don't know why this would be
             | any different.
             | 
             | If you want to stop the hackers, make it a Federal crime to
             | pay anyone. In that environment, there would be no
             | circumventing the restriction at all.
        
               | JackFr wrote:
               | With strict and timely reporting requirements to the FBI.
        
           | leephillips wrote:
           | But it would remove public institutions from the target list.
           | Also, in the case of private institutions, if it were a
           | criminal offense to use such a proxy, an investigator could
           | discover this. The threat of prison for any officer of a
           | corporation who arranged such a payment would be a powerful
           | deterrent.
        
           | abeppu wrote:
           | There's always a loophole, I suppose.
           | 
           | By very loose analogy, either when playing chicken, or when
           | you and a person walking towards you both repeatedly veer in
           | the same direction to avoid collision, one tactic is to very
           | conspicuously cover your eyes. The other person can then see
           | that you will not re-correct based on their behavior. Though
           | I know this option exists, I have never successfully used it.
           | It's always difficult to truly intentionally commit to limit
           | your options to respond to future circumstance.
        
             | cwsx wrote:
             | I heard of this as a kid, something along the lines of
             | 'when walking down a street make an effort to look forward,
             | through people (and not at them)'.
             | 
             | Same concept applies, and in my experience it seems to
             | work. Though this was before the era of phones (and people
             | not looking where they're going regardless)
        
             | smabie wrote:
             | Also known as the crazy bastard strategy: when playing
             | chicken, throw away the steering wheel.
        
             | naveen99 wrote:
             | What if the other person covers their eyes at the same
             | time. Thank god for quantum mechanics
        
           | JackFr wrote:
           | Pass the law to 1) forbid public entities from paying ransom;
           | 2) stringent public timely (less than 24 hours) reporting
           | incidents; 3) stringent public reporting on root cause
           | analysis/resolution/future remediation.
           | 
           | If it is a legal requirement of my job to do the right thing,
           | I'm gonna do the right thing.
        
           | StevenRayOrr wrote:
           | Not that it undermines your overall point, but it might prove
           | to disincentivize attacking smaller companies that aren't in
           | as strong a position to use proxies -- which I would still
           | count as a win.
        
           | jsharf wrote:
           | But at least it's difficult and illegal. It makes them less
           | of a target for hackers since they're less likely to pay and
           | it places liability on anyone who tries to work around the
           | law.
        
           | numpad0 wrote:
           | IIRC the kind of phrasing used is "external security
           | consultants".
           | 
           | "We didn't hand duffel bags of money to the perpetrator
           | group's courier, we hired a professional external individual
           | security consultant to handle the situation"
        
             | avip wrote:
             | So this is what security consultants do. Always wondered.
        
             | shard wrote:
             | News from a few months ago: You just had your servers
             | hacked into and all your database are belong to them. The
             | black hats demand X number of BitCoins as ransom, but you
             | cannot pay because it violates certain laws. So you hire an
             | intermediary who pays for you, thereby avoiding the legal
             | problem.
             | 
             | https://www.theverge.com/2020/8/4/21353842/garmin-
             | ransomware...
        
             | dboreham wrote:
             | Same thing in The Big Lebowski.
        
           | ttul wrote:
           | There are ways to prevent the "bags of money" from happening.
           | The Foreign Corrupt Practices Act (FCPA) comprehensively
           | prohibits even using the most obscure arrangements to pay
           | bribes. Large institutions hire expensive lawyers to ensure
           | their ongoing compliance with FCPA, because the penalties for
           | failing to prevent your organization from paying bribes are
           | extensive. You can't completely eliminate a practice through
           | law, but you can come close, and FCPA has done more for this
           | problem globally than nearly any other measure enacted by a
           | government.
        
             | reaperducer wrote:
             | _The Foreign Corrupt Practices Act (FCPA) comprehensively
             | prohibits even using the most obscure arrangements to pay
             | bribes_
             | 
             | You can have all the laws you want in words on paper, but
             | if they're not enforced, for all practical purposes, they
             | don't exist.
             | 
             | The people who enforce the FCPA must be understaffed or
             | undermotivated or underfunded because I've worked for
             | several companies that regularly paid bribes as part of
             | doing business.
             | 
             | One example: I worked for a large media company that would
             | send TV crews to cover stories in Mexico on a fairly
             | regular basis. Almost every time the crews tried to return
             | to the United States, the Mexican border personnel would
             | seize their very expensive gear. The only way to get it
             | back was to pay a bribe.
             | 
             | This was so common that everyone was told to just mark it
             | down on their expense reports as "Airport tax." I only
             | found out about it when I started asking why I kept seeing
             | "Airport tax" on expense reports for trips I knew were done
             | in cars.
        
               | BoorishBears wrote:
               | Your example would be a _very_ far stretch for FCPA.
               | 
               | The law is about bribes for "obtaining or retaining
               | business". It's one thing if you were paying a bribe to
               | say, a local minister to get exclusive access to some
               | sort of scene...
               | 
               | But low-level crooks pretty much sticking you up and you
               | try to buy your stuff back from them under the guise of
               | "government business" is not the kind of thing FCPA is
               | about. It's for concerted attempts to pay off foreign
               | officials to strengthen your business.
               | 
               | Which surely still happen, but not in the manner you're
               | describing. FCPA violations wouldn't be the sort of thing
               | that "everyone" is told about.
        
         | gnopgnip wrote:
         | It is already illegal if the payment is to a group that is
         | sanctioned by the US gov
        
       | stevebmark wrote:
       | It's hard to empathize with a corrupt entity that makes billions
       | a year from swindling students and patients, all while
       | maintaining a non-profit status. Par for the course with
       | universities and large hospitals. Profit focused corruption leads
       | them to not paying a good IT team.
        
       | ttul wrote:
       | Email your congressman/woman: Paying extortion fees to
       | cybercriminals should be illegal - and severely so. With the
       | stroke of a pen, a law making the practice illegal would
       | immediately allow every institution and corporation in America to
       | say, "We cannot pay your fee no matter how hard you press us, as
       | we would face jail time if we did so."
       | 
       | Would gangs still try to extort people? Of course. But large
       | institutions would no longer be a target, because their internal
       | controls would prevent the payment of extortion fees. Small
       | organizations might still pay fees, but the potential take for
       | gangs would be reduced remarkably.
        
         | burtonator wrote:
         | The problem is the intermediate timeline ... maybe some time
         | window to limit the amount and then lower it slowly. This way
         | the momentum from existing malware doesn't hurt one specific
         | university or group.
        
         | jimbob45 wrote:
         | "We do not negotiate with terrorists" sounds like a great line
         | but isn't always practical in reality. If many people's lives
         | were on the line because of this hack, it would be difficult to
         | justify not paying the fairly small ransom.
        
           | gnopgnip wrote:
           | If they were terrorists, sanctioned by the US government it
           | is already illegal.
        
             | powersnail wrote:
             | Does the US government not exchange hostages with
             | terrorists?
        
         | abeppu wrote:
         | I think this is an interesting direction, but I wonder is there
         | a successful precedent for something like this? Perhaps some
         | government somewhere in the world has already tried this? And
         | if not for hacking, data theft/encryption, maybe there are
         | analogues like (and this is a stretch) large organizations that
         | have managed to continue operating in regions where kidnapping
         | for ransom is common?
        
           | greeneggs wrote:
           | There's quite a lot of literature on the US and UK's no-
           | concessions policies on kidnapping. Here's one example [1]. A
           | few quotes:
           | 
           | > Despite the U.S. no-concessions policy, U.S. citizens
           | continue to top the list of nationalities kidnapped by
           | terrorists. This may be explained by the prominent role and
           | perceived influence of the United States and the ubiquity of
           | U.S. citizens around the world. Nationals of the United
           | Kingdom, which also has a no-concessions policy, are second
           | on the list.
           | 
           | > While a no-concessions policy may not deter kidnappings, it
           | may affect the treatment of hostages in captivity and
           | determine their ultimate fate. According to a 2015 study
           | published by West Point, Americans held hostage by jihadist
           | groups are nearly four times as likely to be murdered as
           | other Western hostages (Loertscher and Milton, 2015). The no-
           | concessions policy may be only part of the reason. Another
           | factor would be the jihadists' intense hostility toward the
           | United States.
           | 
           | > While the U.S. no-concessions policy has not deterred
           | kidnappings, there is some evidence that political
           | concessions and ransom payments appear to encourage further
           | kidnappings and escalating demands.
           | 
           | > And although it did not produce any demonstrable decline in
           | kidnappings of U.S. citizens, a 2016 study published in the
           | European Journal of Political Economy argues that, without
           | the no-concessions policy, there would have been even more
           | kidnappings of U.S. nationals (Brandt, George, and Sandler,
           | 2016).
           | 
           | [1] https://www.rand.org/content/dam/rand/pubs/perspectives/P
           | E20...
           | 
           | My take: Arguably, part of the reason the policy has not been
           | successful in preventing kidnappings is that most of Europe
           | does pay ransoms, and Europeans versus Americans are not
           | always easily distinguishable. Even if the policy hasn't
           | directly stopped kidnappings, it probably has stopped them
           | indirectly, by avoiding funding kidnapping organizations.
           | Europe has spent hundreds of millions of dollars in ransoms
           | to terrorist organizations, and Qatar allegedly paid close to
           | a billion dollars in ransom. This has to fund further
           | efforts.
        
         | pugworthy wrote:
         | This forces the victim to be even more desperate, and desperate
         | people (and institutions) will do desperate things.
         | 
         | Irrespective of laws, what does the extortionist have to lose?
         | There's always a chance the victim will pay up under the table.
        
           | dodobirdlord wrote:
           | If the chance is sufficiently low then the practice becomes
           | unprofitable.
        
       | fortran77 wrote:
       | Well, they extorted it from Taxpayers. What does UCSF care?
        
       | jeffbee wrote:
       | Pretty remarkable that this data was worth at least a million
       | dollars to UCSF, but it apparently wasn't worth paying for
       | backups, or hiring IT staff who aren't idiots.
        
         | _wldu wrote:
         | I think the idea is to pay them to not publicly release it
         | rather than to get it back.
        
           | anthony_doan wrote:
           | Yeah, this is probably it since UCSF is the UC for only grad, no
           | undergrad, and for medical. Those data could be HIPAA
           | related.
        
             | gowld wrote:
             | Doesn't matter. HIPAA is already violated.
        
         | hn_throwaway_99 wrote:
         | > or hiring IT staff who aren't idiots.
         | 
         | I hate comments like this. It seems quite prevalent in the
         | software dev field to constantly shit on other developers while
         | having 0 information about what the source of the issue was.
        
           | fastball wrote:
           | It was ransomware. The source of the issue was not having
           | append-only backups. It's not very complex.
        
             | colejohnson66 wrote:
             | Does append-only work if you have access to the raw disk
             | bytes? Sure, the file system could enforce creation and
             | appending _only_, but I can easily counter that with:
             | dd if=/dev/random of=/dev/sda
             | 
             | (Using /dev/random to give the illusion of encryption)
        
               | LinuxBender wrote:
               | Yes. You would have backup agents that authenticate to a
               | backup server. The server would only allow a specific
               | method of sending data and the backup server would have
               | policies about backup anti-tampering and retention. All
               | workstations and live servers should be considered
               | ephemeral and disposable.
               | 
               | Specifically for an institution like a medical facility
               | or financial institutions, there are hardened appliances;
               | sometimes referred to as vaulting appliances, that
               | enforce anti-tampering to the point that the system
               | administrators can't even delete data. You set a policy
               | that requires multiple specific people using MFA to
               | authenticate and authorize the deletion transaction.
               | These are not cheap, but it's a lot cheaper than paying
               | out a ransom and the down-time of rebuilding everything
               | and the loss of reputation and loss of trust by board
               | members and investors. These appliances have the bonus of
               | enforcing many of your audit requirements around data
               | retention and destruction.
               | 
               | To your example though, yes, it's not fun to manage
               | fleet-wide, but you can boot up both Windows and Linux
               | into ram and have network filesystem overlays that
               | patient data could be written to. The SAN/NAS/Ceph
               | clusters can then do backups locally and have anti-
               | tampering in place. This is non-trivial to set up
               | correctly. That would be more resilient than depending on
               | backups, but is much more work up front. For Windows,
               | look into Windows 10 LTSC [1]. It can operate in a Kiosk
               | mode and boot into memory or have hardened security
               | options to minimize attack surface. Most Linux
               | distributions can do this as well. Ceph can do both
               | transport and filesystem encryption now. I will leave out
               | the Linux examples as I doubt this is where these
               | institutions are getting into trouble.
               | 
               | [1] - https://docs.microsoft.com/en-us/windows/whats-
               | new/ltsc/what...
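As an added illustration of the vault policy described in the comment above (not UCSF's setup, not any vendor's appliance code), here is a small Python model of a write-once backup store: agents can only append new snapshots, overwriting is refused, and deletion needs an expired retention lock plus a quorum of distinct approvers who each sign the exact delete request. Approver names, their secrets, and HMAC signatures standing in for an MFA-backed identity are assumptions made for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


class VaultError(Exception):
    """Raised when a request violates the vault's anti-tampering policy."""


@dataclass(frozen=True)
class Snapshot:
    name: str
    digest: str          # SHA-256 of the stored bytes, used to detect tampering
    retain_until: float  # unix time before which deletion is refused outright


class ImmutableVault:
    """Write-once snapshot store with a retention lock and quorum-approved deletion.

    Backup agents hold no delete or overwrite capability at all. Deletion needs
    `quorum` distinct approvers, each proving possession of their own secret
    (standing in for an MFA-backed identity; an assumption of this example) by
    signing the delete request for that specific snapshot name.
    """

    def __init__(self, retention_seconds, approver_secrets, quorum):
        self._objects = {}                       # name -> (Snapshot, bytes)
        self._retention = retention_seconds
        self._secrets = dict(approver_secrets)   # approver id -> secret key
        self._quorum = quorum

    def put(self, name, data, now=None):
        """Append a new snapshot. An existing name can never be overwritten."""
        if name in self._objects:
            raise VaultError(f"refusing to overwrite existing snapshot {name!r}")
        now = time.time() if now is None else now
        snap = Snapshot(name, hashlib.sha256(data).hexdigest(), now + self._retention)
        self._objects[name] = (snap, bytes(data))
        return snap

    def verify(self, name):
        """Re-hash the stored bytes; False if the object was altered out-of-band."""
        snap, data = self._objects[name]
        return hmac.compare_digest(snap.digest, hashlib.sha256(data).hexdigest())

    @staticmethod
    def approval(approver_id, secret, name):
        """Produce one approver's signature over the delete request for `name`."""
        msg = f"delete:{name}".encode()
        return approver_id, hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def delete(self, name, approvals, now=None):
        """Delete only after retention expired and a quorum of valid approvals."""
        snap, _ = self._objects[name]
        now = time.time() if now is None else now
        if now < snap.retain_until:
            raise VaultError("retention lock still active")
        msg = f"delete:{name}".encode()
        valid = set()
        for approver_id, sig in approvals:
            secret = self._secrets.get(approver_id)
            if secret is None:
                continue  # unknown approver: ignored, never counted
            expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, sig):
                valid.add(approver_id)  # a set, so one person cannot approve twice
        if len(valid) < self._quorum:
            raise VaultError(f"need {self._quorum} approvers, got {len(valid)}")
        del self._objects[name]
        return True
```

A compromised agent that tries to `put` garbage over an existing snapshot, or to delete it with a single stolen approval, is refused; the retention lock and quorum are enforced server-side, independent of the client host.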
        
           | NegativeLatency wrote:
           | Probably should've been directed at the managers/department
           | head (not devs), but not having backups is most definitely
           | not professional.
           | 
           | EDIT: The CIO or whatever the title is makes $460K per year
           | so they should for sure know to have and be responsible for
           | proper backup/restore functionality.
        
           | throwaway749294 wrote:
           | Well, they did gut their IT staff four years ago to replace
           | them with low paid foreign workers.
           | 
           | And reading the poor spelling and grammar in the negotiations
           | makes me wonder if that's somehow related.
        
             | secabeen wrote:
             | They outsourced some IT staff. Reports are that this attack
             | hit the epidemiology department, which lists a 10-person IT
             | staff: https://epibiostat.ucsf.edu/our-team
             | 
             | I don't think we can assume that the IT outsourcing
             | directly affected their vulnerability to this attack.
        
         | CorruptedArc wrote:
         | In my experience EDU IT tends to be an extremely small staff
         | with a very heavy amount of duties and overtime. It frankly
         | surprises me this doesn't happen more often.
        
           | secabeen wrote:
           | It's also often quite distributed, with many small IT groups
           | of 1-5 staff members that may or may not coordinate with each
           | other or with the central IT group(s).
        
       | silexia wrote:
       | Establish a global death penalty for this crime.
        
       | Woodi wrote:
       | And what about backups? Is it cheaper to pay ransom than
       | reinstall and copy data? And then cut off f* internet until some
       | security is in place??
       | 
       | If that ransomware uses something like flash for persistence why
       | not ask some jury to enforce hardware manufacturers to stop
       | enabling worse and worse viruses ? Floppies, cd autoplay, usb,
       | firewire, thunderbolt, 5G networking - everything exploitable
       | right from the factory.
        
         | tlogan wrote:
         | Actually, setting up a proper backup is the last thing businesses
         | want to spend money on.
         | 
         | Why do you think there are so many "increase your sales"
         | products and so very few "backup" products?
        
       | tmpz22 wrote:
       | So they outsourced all their IT to save money then got
       | ransomwared.
        
       | ghjdrt wrote:
       | Again, digital currency is a big threat to our society.
        
       ___________________________________________________________________
       (page generated 2020-10-22 23:00 UTC)