[HN Gopher] Hackers extorted $1.14M from UCSF
___________________________________________________________________
Author : Pick-A-Hill2019
Score  : 192 points
Date   : 2020-10-22 15:02 UTC (7 hours ago)
Link   : www.bbc.com

hankchinaski wrote:
| Now the question is: did they have insurance in place? Who will be held (legally and financially) accountable for the incident?

coderintherye wrote:
| Previous discussion here: https://news.ycombinator.com/item?id=23659590
|
| And discussion from years back when they outsourced all of their IT: https://news.ycombinator.com/item?id=12870150

scott-smith_us wrote:
| It really bugs me when I hear of institutions paying these ransoms.
|
| Regardless of the damage, I'd just take the bullet, fix my security, and not pay. Be consistent in this, and keep it up for a while. Long term: no more extortion for anyone.

exolymph wrote:
| That's real easy to say when the gun isn't up against your head. Call us when your principles in this matter have been tested in practice.

colejohnson66 wrote:
| Except if you're a company with millions of users, losing everything would be a lot worse. As @gowld mentioned: you can't retroactively fix security.

gowld wrote:
| You can't retroactively fix your security.
|
| It can take a lot of money (well spent, so that's fine) and time (which can be devastating) to recover the compromised system.

gk1 wrote:
| > Regardless of the damage, I'd just take the bullet, fix my security, and not pay.
|
| It's irrational to "bite the bullet" if the damage is significantly greater than the ransom.
|
| Sure, it's better in the long term, but not for the person/organization being ransomed.

reaperducer wrote:
| _It's irrational to "bite the bullet" if the damage is significantly greater than the ransom._
|
| It's not irrational. It's called doing the right thing.
| _Sure, it's better in the long term, but not for the person/organization being ransomed._
|
| That's called being selfish. One would expect an institution like UCSF to act for the benefit of all of society and not like a six-year-old grabbing all the Easter eggs at the hunt and saying, "I got mine!"

recursive wrote:
| What you call "selfish" is also known by some as "rational". Maybe that will help.

jbm wrote:
| We can't survive in a society where min/maxing benefit is the sole form by which we determine whether something is the correct action or not.
|
| I am sure you would agree that gender-based abortion, deforestation, and infinite copyright periods could be seen as "rational" to people in certain societies and certain economic situations. It doesn't mean that we should let such actions go without comment.

kelnos wrote:
| The two things are not mutually exclusive.

LinuxBender wrote:
| I think this assumes an organization has proper data backup strategies in place. If you have daily snapshots and full weekly backups, then ransomware should just be a nuisance and cause some people to work weekends / after hours.

[deleted]

arcticbull wrote:
| I for one love to see Bitcoin getting so much widespread adoption. That's the real story here.

Vladi00 wrote:
| Today's hackers are just like the pirates, robbers and thieves of the past. Many will find grayish zones (e.g. software piracy) hoping to go undetected. Others will take high risk, high rewards (e.g. computer extortion, etc).

diebeforei485 wrote:
| Well, didn't they fire tech staff and outsource the work? Sounds like it might not have been the best decision in hindsight.

atishay811 wrote:
| A more capitalist solution to the ransomware problem could be ransomware insurance, ideally mandated. You get hit and the company pays. But your premium rises the next time and till forever. You can get premium incentives to do audits and update software.
| Lower premiums show up in the balance sheet as profit and therefore there is immediate incentive to act on security issues. The insurance company has enough incentive to track the victim that some action might get taken.

VectorLock wrote:
| US Treasury announced recently "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments."
|
| I wonder if these will reduce these kinds of payments in the future, which seemed to really be ramping up.
|
| https://home.treasury.gov/system/files/126/ofac_ransomware_a...

gowld wrote:
| These are acts of war by foreign entities against US citizens, hospitals, and governments. The lack of military response is dumbfounding and unacceptable.
|
| The NSA is recording every byte of data crossing our borders, and also much internal traffic, and they are unable or unwilling to track down these perpetrators?

bovermyer wrote:
| They're not always state actors, though. Sometimes it's just sociopaths who happen to be really good at compromising systems.
|
| Also, assuming the NSA has a copy of every byte of network data ever sent through the USA, that's a LOT of data. Processing that takes time.

DevX101 wrote:
| Attacks like this make me think there's a real ($1+ billion opportunity) business in making a tech-first insurance company for security incidents.
|
| Write insurance policies to major companies. But as a pre-condition for getting underwritten you have to submit to periodic security review by legit security pros. Failure to adhere to security recommendations means your policy gets dropped.

colejohnson66 wrote:
| I think those already exist. I've heard claims of insurance companies refusing to pay out for ransomware because they should've had backups (they'll pay for recovery from backups, but not ransom).

lawnchair_larry wrote:
| That insurance already exists. Periodic review by security pros is pretty much worthless, however.
| Nearly every company that has been hit had review by security pros, and many had compliance certifications.

DevX101 wrote:
| How good are these reviews really? I'm thinking of top tier security pros on the calibre of Project Zero/Google. Doubt most hacks would have gotten past a thorough audit by those folks.

dboreham wrote:
| This is the point. Any review process that's sufficiently mechanical to be duplicated at scale becomes a box-[ticking|checking] exercise with little actual value. E.g. you can verify that backups are made and can be restored, but how do you find mission critical data that isn't subject to backup?

Veserv wrote:
| No material difference from a defense perspective. Offensive prowess does not result in defensive prowess. Just look at the Android bug bounty program [1], only $250K for a remote kernel arbitrary code execution, or Apple [2], $250K for a one-click kernel arbitrary code execution. To be fair though, that is on the high end of security; you could probably totally compromise any Fortune 500 company for less than that. And no, I am not joking or exaggerating; that is actually a serious statement.
|
| Really all these audits do is validate your security. If they find something at a price point then you are probably vulnerable at that price point. Think of it like a live-fire test of a bulletproof vest against a gun. If a bullet goes through then you probably can not protect against that. If it does not go through, you still can not be certain that it actually does provide comprehensive defense against that gun and bullet, but it is at least not totally ineffective. In the current state of the industry, any competent audit will find multiple critical vulnerabilities at these price points. It is like shooting an airsoft pellet at a "bulletproof vest" and seeing it pierce through.
| It is so fundamentally flawed that testing against a real gun (better offensive specialist) is kind of meaningless, since to actually solve the problems you already need to completely redesign everything. Unfortunately, most companies who get such audits done think the takeaway is that the places the airsoft pellet went through must be the only problems, so if they just patch them up then everything else must be good because nothing pierced those other pieces, instead of realizing that observable quality defects in one place probably mean there are many unobserved quality defects in other places.
|
| [1] https://www.google.com/about/appsecurity/android-rewards/
|
| [2] https://developer.apple.com/security-bounty/

paul_f wrote:
| What exactly are these security "pros" doing? I just don't understand how the ransomware guys could destroy the snapshot backup copies of the database in my desk drawer. Why don't companies with this much data to protect have air-bridged offsite backups?

curiousllama wrote:
| It's a great idea, iff you can accurately price security risks.
|
| Security is an org problem as much as a tech problem. Trying to estimate likely security risks caused by orgs is... complicated. You would blow your margin in assessment costs alone.
|
| Besides, can you imagine a board asking the CEO why they're buying insurance with the infosec budget instead of, y'know, ensuring infosec?

DevX101 wrote:
| Insurance puts skin in the game for the insurance/security company. If a security company audits my system and gives the green light, they should be willing to put money on the line to defend their work.

spzb wrote:
| Story is from June.

stygiansonic wrote:
| Seems like ransomware negotiation has become a professional service. See: https://www.prnewswire.com/news-releases/groupsense-launches...
|
| The negotiations here were similar to the ones CWT had, albeit a little less courteous: https://www.reuters.com/article/us-cyber-cwt-ransom/payment-...

[deleted]

tinyhouse wrote:
| What a shame they keep paying those hackers.

[deleted]

TacticalCoder wrote:
| So the bad guys used a public ledger (Bitcoin) to get paid? Why aren't the hackers asking for cryptocurrencies using zero-knowledge proofs like ZCash or Monero? Bitcoin? What's their plan next?
|
| I'm not saying you can't get away with this (there are coin "mixers" and decentralized exchanges) but still, this leaves lots of traces left and right.
|
| For example we saw a lot of people getting busted recently while they thought they were smart using cryptocurrencies, including a money laundering ring... And they were using mixers, decentralized exchanges, people located over several countries/continents and whatnot if I recall correctly. Yet: all busted.
|
| For all we know, in six months the headline could be: "Hackers who extorted 1.14M USD from UCSF arrested by Interpol"
|
| Besides that: what happened to offline backups? How exactly are hackers coming for cloned, unplugged HDDs/SSDs stored on shelves / bank safes? (I know several companies doing just that as offline backups)
|
| I hope this serves as a wake-up call to companies/institutions either not doing backup properly or outsourcing to incompetent companies not doing backups properly (the latter being not really excusable).

SirYandi wrote:
| I've wondered about this as well. What's stopping such criminals from purchasing Monero with the Bitcoin? Would that be enough to anonymize?

jrochkind1 wrote:
| > And an anonymous tip-off enabled BBC News to follow the ransom negotiations in a live chat on the dark web.
|
| So, that "anonymous tip-off" was obviously from the hackers, right?
| I guess the other option is a "whistleblower" at UCSF (would anyone else know about it?), but the hackers have a lot to benefit from everyone knowing about it, so the next victim thinks "Gee, respected institutions like UCSF are willing to pay the ransom and didn't have the capability to recover otherwise, we should probably just pay the ransom too".

riffic wrote:
| The whistleblower option is the most probable one, isn't it? Universities have to operate in a transparent manner and have no incentive to obscure facts here.

jrochkind1 wrote:
| It doesn't sound like the university publicly and transparently revealed this -- the BBC wouldn't have to be cagey about how they listened in on the chat if that were true; they could just say "according to UCSF". But it wasn't that, it was an "anonymous tip-off".
|
| So we already know the university was not being transparent and open about it. When I say "whistleblower", I mean someone who secretly gave the BBC the info and remains secret because they weren't supposed to and would be disciplined at work for it.
|
| The university has PLENTY of incentive to obscure facts here, because the official line is that it's immoral to pay hackers like this (it encourages future hacks, law enforcement says not to do it), and because it reveals them as having made IT mistakes that led to a ransomware takeover where they decided their best/cheapest recovery option was to pay up (instead of restoring from backups etc). It does not make them look good to have paid up; that's plenty of incentive to not want the BBC to report it.
|
| Also, having spent many years working for universities, I think it's kind of cute that you think they "have to operate in a transparent manner." Would that it were true.

sbassi wrote:
| Some ransomware like Netwalker has public forums with announcements, so the tip may come from anybody not involved with either of the 2 parties.
jrochkind1 wrote:
| Sounds like the BBC literally eavesdropped on the chat; they were able to log in to the chat. I'm doubting the public forum announcements give the public info to log into a chat where the hackers are negotiating with the target!

dannyw wrote:
| It's also possible the darknet site is poorly secured and you can iterate through all conversations with some URL incrementing.

luckylion wrote:
| That would still require someone to tell the BBC. I doubt that the BBC routinely enumerates hidden services and then looks to enumerate all potential chat rooms and randomly stumbled upon a negotiation.

brian_herman__ wrote:
| I misread this as US CHESS Federation.

JackFr wrote:
| If the US Chess Federation had a budget in the billions, that'd be a story by itself.

aborsy wrote:
| Can't the NSA (or FBI) track down these attackers, or help decrypt the data?
|
| At least then it makes a useful service for the public, and also clears doubts on its crypto capabilities.

cortexio wrote:
| Euuh, no. Skillful hackers can remove their tracks 100% and decrypting is impossible unless you have a few thousand years, depending on the encryption method. Just secure your computers/servers so unauthorized software can't be installed or executed. And maybe some IQ training for the people there, so they don't open stupid shit from their mailbox or the web.

naveen99 wrote:
| Enterprises generally go too far in the direction of restricting data access and copies of data, making themselves more fragile. They should outsource custodianship of data or do like what AWS etc do: proper backups and fault tolerance.

naveen99 wrote:
| Maybe a single source of truth has some downsides, like a single point of vulnerability.

SommaRaikkonen wrote:
| Hi, I'm not sure if my comment will be read since there are a lot of them already, but what would the best move be for a medium-sized company in this situation?
|
| Hypothetically, the fees won't be as astronomical as in UCSF's case, but the importance of the data being held for ransom will still be the same. Should they take the risk of getting their financial/healthcare/IT data uploaded to the public if they don't pay the fee?

abeppu wrote:
| This article makes the point that law enforcement agencies take the stance that paying a ransom further encourages this behavior from hackers.
|
| In the case of state or public institutions like this, would it be advisable for legislatures to make it illegal for state entities to pay ransoms, and then very publicly announce these laws? I.e. can/should we make credible, public commitments in advance to not pay ransom, or to remove that choice from the organization-level administrators? Would this make these organizations less appealing targets?
|
| "Sorry, we are not authorized to pay you any ransom due to SB-XYZ. If you can get several hundred thousand signatures from CA residents to petition for a referendum to overturn this law, we may be able to pay you a ransom after ... well not the upcoming election but maybe the one after that."

pfortuny wrote:
| And then the "committee" meets and they take a majority decision to pay with a secret vote, and another committee makes the actual payment (by majority).
|
| Who do you prosecute?
|
| Would you close the University, to huge harm to the students and researchers?

MrMorden wrote:
| What you're describing is conspiracy to commit embezzlement; everyone who participated in that conspiracy gets a tenured position at Folsom. And why would you close the university? Are you seriously claiming that everyone in management is determined to do everything possible to hand money to criminals?

pfortuny wrote:
| Really? In a secret vote? Who is to blame?
| Are you sure people are really at their best when their positions are in play and they can hide behind a committee and the solution is "grey"?
|
| Never understood the power of anonymity...

sslayer wrote:
| Typical turn-the-victim-into-the-guilty tactics. Why not hunt down the extortionist?

iforgotpassword wrote:
| How about the victim applies security fixes in a timely manner and creates backups? The excuses at the end of the article are rather weak.
|
| Edit: Also https://news.ycombinator.com/item?id=12870150

Nextgrid wrote:
| Banning ransom payments won't magically fix the underlying vulnerabilities that allow these gangs to deploy their ransomware.
|
| If ransoms weren't being paid, criminals would find other ways to monetize the data. "Honest" ransomware is actually good for the public in the sense that should the ransom be paid, the data is indeed destroyed by the gang. Make ransoms impossible and they will start selling the data or monetizing it in other ways (identity theft, card fraud, etc), at the expense of the public.
|
| Given that we can't eradicate this kind of crime entirely by improving security, I think ransomware is the least bad option in the sense that it punishes the offending company while minimizing the risk of the data being leaked, which would hurt the data subjects themselves (the public).

nickysielicki wrote:
| I mean they clearly _want_ to pay the ransom, because they care about their data and/or the privacy of their data.
|
| Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?

vlan0 wrote:
| > because they care about their data and/or the privacy of their data.
|
| > Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?
|
| You only have the criminal's word to stand on when they claim to delete data.
| It's far too easy to simply hang on to the troves of collected data and wait for a rainy day.

landryraccoon wrote:
| Because the criminals won't hack them if they know there's no ransom to be paid.

Beldin wrote:
| That's the assumption. Alternatively, the ransom is changed to "change the law".

cpncrunch wrote:
| They might take off-site backups a bit more seriously if it is made illegal to pay the ransom.
|
| I don't think it will have any effect on privacy. The hackers say they will delete the data, but how can you trust them?

ryandrake wrote:
| Right, today the logic is: if the risk-adjusted cost of a ransom is less than the cost of implementing proper backups, then it makes sense to just not do backups. If paying ransom was illegal, maybe they'd actually invest in those backups.

UncleEntity wrote:
| > If the risk-adjusted cost of a ransom is less than the cost of implementing proper backups, then it makes sense to just not do backups.
|
| Then again you have people who do it just for the lulz (err...meows?) -> https://news.ycombinator.com/item?id=23957510

whimsicalism wrote:
| Because it is an action with a huge negative externality? You're funding criminals.
|
| We've banned voluntary actions with externalities in the past.

powersnail wrote:
| By that line of reasoning, every blackmail and robbery victim funds criminals, thus subject to similar punishment.

MacsHeadroom wrote:
| It's a public institution. It's not "their" data. It's their shareholders' data -- the public.
|
| Whether or not trusting the judgement of administrators over the judgement of law enforcement is the best way to handle these situations is an open question.
|
| I'm not sure I trust public university administrators to do much beyond stimulate the local construction economy and wider investment banking industry.
[deleted]

amelius wrote:
| One thing that might work is if white hat hackers outnumber the black hat hackers and create ransomware that doesn't have a decrypt option. At a certain point, people will stop paying the ransom.
|
| Another option is: forbid bitcoin and other cryptocurrencies.

Enginerrrd wrote:
| I wouldn't call that white hat. ...like at all.
|
| Greyhat is even a bit of a stretch. It's like Dr. Doom. He has good motives but he's still the bad guy.

fastball wrote:
| Aren't ransomware attacks frequently undirected?

thrownaway954 wrote:
| And say they do make it illegal for state entities to pay ransoms... then what? What is going to happen when a ransom attack does happen? They contact the FBI... great... now what? How do they get their data back? What obligation does the FBI have to track down the gang and get the data back? What's the timeline?
|
| See... the issue I see with making it illegal for state entities to pay ransoms is that you tie the hands of the victim without any guarantees that law enforcement will help, and help in a timely manner. I see this as a lose-lose situation.

landryraccoon wrote:
| The point is that there's no incentive for hackers to target state entities.
|
| Hackers can target state entities for other reasons, but no rational hacker would do it for the ransom, since there won't be any ransom paid.
|
| The FBI can simply say "We'll never catch the hackers, but if you pay them you'll go to jail". It accomplishes the same goal of reducing the reward for hacking to zero.

vkou wrote:
| This works for targeted attacks, but doesn't work for untargeted, shotgun ransomware attacks.
|
| Shotgun attacks aren't discouraged if some X% of their targets can't/won't pay the ransom.

tolbish wrote:
| It seems this law is intended to benefit those with the most resources to implement the best security, leaving smaller businesses to pretty much pound sand.
ajsnigrutin wrote:
| You mean a pretty basic backup, that your grandma probably has enabled on her phone?

tolbish wrote:
| You presume the attacker does not know the location of these backups.
|
| Smart attackers do extensive research on their targets before performing the attack.

ls612 wrote:
| Isn't this literally one of the reasons WORM storage solutions exist?

[deleted]

tolbish wrote:
| We have arrived at why "a pretty basic backup" is no longer feasible for... any business. A hard sell for a four person business with no dedicated IT team.

sbassi wrote:
| A backup won't protect you from full data disclosure.

amelius wrote:
| It's losing the battle but winning the war ...

nickff wrote:
| Which sounds better to a general at HQ than to a private in a foxhole.

[deleted]

chrisshroba wrote:
| Sure, but to a general at HQ, 1 dead soldier is better than 10. The policy is devastating to that 1 soldier (and family), but that's not enough reason to adopt an opposing policy that would save the 1 but kill the 10.
|
| Similarly, I can appreciate the logic in making American companies less likely to be targeted by ransom hackers, even if it means some companies are hit harder in the short term.

nickff wrote:
| You've made the implicit assumption that it is acceptable and desirable for the government to sacrifice some companies to save some others. I'm not so sure that's the government's business, and it sounds a lot like a taking to me. Perhaps it is acceptable in the era of Kelo.

marcosdumay wrote:
| > You've made the implicit assumption that it is acceptable and desirable for the government to sacrifice some companies to save some others.
|
| That's how governments operate. Every time a government "sneezes" it harms some companies and benefits others.

nickff wrote:
| No, when governments provide public goods (their most widely-accepted role), they are not picking companies out for the gallows.
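The backup sub-thread above (tolbish on attackers knowing where the backups are, ls612 on WORM storage, and dboreham earlier on verifying that backups can be restored) comes down to one question: can you tell that a backup copy is still the copy you made? The following Python script is an added example, not code from this thread, from UCSF, or from any product mentioned here. It builds a hash manifest for a snapshot, chains each manifest to the previous one, and verifies a snapshot against its manifest so that an overwritten or deleted file, or a rewritten manifest, shows up before anyone relies on the copy. The snapshot name, file names and file contents are constructed for the demo.

```python
"""Added example: integrity and chain verification for backup snapshots.

Not from the HN thread. Snapshot name, file names and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large dumps need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_hash(manifest):
    """Hash of the manifest body (previous link plus file table) as canonical JSON."""
    body = json.dumps({"prev": manifest["prev"], "files": manifest["files"]},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def build_manifest(snapshot_dir, prev_manifest_hash=""):
    """Record every file under the snapshot plus the hash of the previous manifest.

    The "prev" link turns the series into a chain: rewriting or dropping an
    older manifest breaks every link after it.
    """
    files = {}
    for path in sorted(snapshot_dir.rglob("*")):
        if path.is_file():
            files[path.relative_to(snapshot_dir).as_posix()] = sha256_file(path)
    manifest = {"prev": prev_manifest_hash, "files": files}
    manifest["self"] = manifest_hash(manifest)
    return manifest


def verify_snapshot(snapshot_dir, manifest):
    """Return a list of problems; an empty list means the copy matches its manifest."""
    problems = []
    if manifest_hash(manifest) != manifest["self"]:
        problems.append("manifest tampered")
    expected = set(manifest["files"])
    for rel, digest in manifest["files"].items():
        path = snapshot_dir / rel
        if not path.is_file():
            problems.append("missing: " + rel)
        elif sha256_file(path) != digest:
            problems.append("modified: " + rel)
    for path in sorted(snapshot_dir.rglob("*")):
        rel = path.relative_to(snapshot_dir).as_posix()
        if path.is_file() and rel not in expected:
            problems.append("unexpected: " + rel)
    return problems


def verify_chain(manifests):
    """Every manifest must be self-consistent and point at its predecessor's hash."""
    prev = ""
    for manifest in manifests:
        if manifest["prev"] != prev or manifest_hash(manifest) != manifest["self"]:
            return False
        prev = manifest["self"]
    return True


def demo():
    """Walk through a clean check, a tampered snapshot, and a forged chain link."""
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / "snapshot-2020-10-22"  # constructed snapshot name
        (snap / "db").mkdir(parents=True)
        (snap / "db" / "records.sql").write_text("-- constructed sample dump\n")
        (snap / "notes.txt").write_text("constructed sample file\n")

        first = build_manifest(snap)
        clean = verify_snapshot(snap, first)

        # Simulate ransomware that reached the "backup": one file overwritten
        # with junk, one deleted. A WORM or offline copy makes this impossible;
        # the manifest at least makes it visible before you rely on the copy.
        (snap / "db" / "records.sql").write_bytes(b"\x00\x00encrypted-junk\x00")
        (snap / "notes.txt").unlink()
        tampered = verify_snapshot(snap, first)

        second = build_manifest(snap, first["self"])
        chain_ok = verify_chain([first, second])

        # Forge a manifest that pretends the tampered state is the first snapshot.
        forged = dict(second)
        forged["prev"] = ""
        chain_broken = verify_chain([first, forged])

    return {"clean": clean, "tampered": tampered,
            "chain_ok": chain_ok, "chain_broken": chain_broken}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The chain head (the latest manifest's "self" hash) is only useful if it is kept somewhere the backup host cannot write, such as on the offline media or in a ticket; an attacker who can rewrite a snapshot can also rewrite a manifest stored next to it, which is exactly the gap the WORM argument is about. Run the check as part of a scheduled restore test rather than for the first time after an incident.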
mandelbrotwurst wrote:
| In that case I'm sure you won't mind if we repave all of the roads to my store twice as often and let the ones you rely on fall apart.

TheJoeMan wrote:
| I agree, it should be illegal. The headline of this should be "California government supplies bitcoin to illegal terrorist hackers".

epc wrote:
| The problem with that scenario is that it's probably the same public legislatures that have failed to fund adequate information security for these public institutions. If such a law were paired with appropriate funding then sure, go ahead. If not, then what you'll get is more public institutions getting hacked and officially prevented from paying the ransom to get files back.

112012123 wrote:
| Interestingly, this is pretty much the split we've seen regarding terrorist hostage-taking in North Africa. While European governments have generally paid ransoms for the return of their citizens, the US Government steadfastly refuses to pay.
|
| In early years, this generally led to better outcomes for European citizens, but as time wore on, it's come to a point where the terrorists actively avoid kidnapping Americans and prefer Europeans. Assuming these types of hacks are explicitly targeted, I imagine we'd see a similar dynamic play out.
|
| Source: https://www.nytimes.com/2014/07/30/world/africa/ransoming-ci...

e40 wrote:
| Pretty sure I heard on a NYT podcast that proxies are used for US citizens who are kidnapped. Specifically, a high-profile US citizen kidnapped by ISIS was returned via payment via a proxy.

nickt wrote:
| I've traveled a lot in the Sahara and an old expression amongst the expats was "The French send troops, the Germans send money and the British send regrets".

nickt wrote:
| ^French^Americans probably.
ajpkco wrote:
| This doesn't work in practice; companies that aren't allowed to pay those ransoms usually use proxies (some other company that doesn't have to follow those restrictions) that will pay the hackers.

newcomputer wrote:
| The comment you're replying to is talking about public institutions, not companies, you fucking idiot.

archgoon wrote:
| Isn't this the same problem that money laundering laws have to solve? It's hard, but it's not insurmountable.

Beldin wrote:
| Not really: money laundering typically is an on-going activity, while ransomware/hostages is (hopefully) incidental.
|
| That means that money laundering laws are up against a dedicated adversary with resources, while laws preventing ransoms... not so much.
|
| Of course, with cyber insurance, incentives for the insurer may lean towards dedicated circumvention.

bilbo0s wrote:
| Money laundering has the benefit of Federal law working to help the State laws. I think in an environment where there are 50 different legal regimes it's inevitable people will develop workarounds. You see legal arbitrage in every instance where legal differences exist between states, from corporate law to family law. I don't know why this would be any different.
|
| If you want to stop the hackers, make it a Federal crime to pay anyone. In that environment, there would be no circumventing the restriction at all.

JackFr wrote:
| With strict and timely reporting requirements to the FBI.

leephillips wrote:
| But it would remove public institutions from the target list. Also, in the case of private institutions, if it were a criminal offense to use such a proxy, an investigator could discover this. The threat of prison for any officer of a corporation who arranged such a payment would be a powerful deterrent.

abeppu wrote:
| There's always a loophole, I suppose.
|
| By very loose analogy, either when playing chicken, or when you and a person walking towards you both repeatedly veer in the same direction to avoid collision, one tactic is to very conspicuously cover your eyes. The other person can then see that you will not re-correct based on their behavior. Though I know this option exists, I have never successfully used it. It's always difficult to truly intentionally commit to limiting your options to respond to future circumstance.

cwsx wrote:
| I heard of this as a kid, something along the lines of 'when walking down a street make an effort to look forward, through people (and not at them)'.
|
| Same concept applies, and in my experience it seems to work. Though this was before the era of phones (and people not looking where they're going regardless).

smabie wrote:
| Also known as the crazy bastard strategy: when playing chicken, throw away the steering wheel.

naveen99 wrote:
| What if the other person covers their eyes at the same time? Thank god for quantum mechanics.

JackFr wrote:
| Pass the law to 1) forbid public entities from paying ransom; 2) require stringent, timely (less than 24 hours) public reporting of incidents; 3) require stringent public reporting on root cause analysis/resolution/future remediation.
|
| If it is a legal requirement of my job to do the right thing, I'm gonna do the right thing.

StevenRayOrr wrote:
| Not that it undermines your overall point, but it might prove to disincentivize attacking smaller companies that aren't in as strong a position to use proxies -- which I would still count as a win.

jsharf wrote:
| But at least it's difficult and illegal. It makes them less of a target for hackers since they're less likely to pay, and it places liability on anyone who tries to work around the law.

numpad0 wrote:
| IIRC the kind of phrasing used is "external security consultants".
|
| "We didn't hand duffel bags of money to the perpetrator group's courier, we hired a professional external individual security consultant to handle the situation"

avip wrote:
| So this is what security consultants do. Always wondered.

shard wrote:
| News from a few months ago: You just had your servers hacked into and all your database are belong to them. The black hats demand X number of BitCoins as ransom, but you cannot pay because it violates certain laws. So you hire an intermediary who pays for you, thereby avoiding the legal problem.
|
| https://www.theverge.com/2020/8/4/21353842/garmin-ransomware...

dboreham wrote:
| Same thing in The Big Lebowski.

ttul wrote:
| There are ways to prevent the "bags of money" from happening. The Foreign Corrupt Practices Act (FCPA) comprehensively prohibits even using the most obscure arrangements to pay bribes. Large institutions hire expensive lawyers to ensure their ongoing compliance with FCPA, because the penalties for failing to prevent your organization from paying bribes are extensive. You can't completely eliminate a practice through law, but you can come close, and FCPA has done more for this problem globally than nearly any other measure enacted by a government.

reaperducer wrote:
| _The Foreign Corrupt Practices Act (FCPA) comprehensively prohibits even using the most obscure arrangements to pay bribes_
|
| You can have all the laws you want in words on paper, but if they're not enforced, for all practical purposes, they don't exist.
|
| The people who enforce the FCPA must be understaffed or undermotivated or underfunded, because I've worked for several companies that regularly paid bribes as part of doing business.
|
| One example: I worked for a large media company that would send TV crews to cover stories in Mexico on a fairly regular basis.
Almost every time the crews tried to return | to the United States, the Mexican border personnel would | seize their very expensive gear. The only way to get it | back was to pay a bribe. | | This was so common that everyone was told to just mark it | down on their expense reports as "Airport tax." I only | found out about it when I started asking why I kept seeing | "Airport tax" on expense reports for trips I knew were done | in cars. | BoorishBears wrote: | Your example would be a _very_ far stretch for FCPA. | | The law is about bribes for "obtaining or retaining | business". It's one thing if you were paying a bribe to | say, a local minister to get exclusive access to some | sort of scene... | | But low-level crooks pretty much sticking you up and you | try to buy your stuff back from them under the guise of | "government business" is not the kind of thing FCPA is | about. It's for concerted attempts to pay off foreign | officials to strengthen your business. | | Which surely still happen, but not in the manner you're | describing. FCPA violations wouldn't be the sort of thing | that "everyone" is told about. | gnopgnip wrote: | It is already illegal if the payment is to a group that is | sanctioned by the US gov | stevebmark wrote: | It's hard to empathize with a corrupt entity that makes billions | a year from swindling students and patients, all while | maintaining a non-profit status. Par for the course with | universities and large hospitals. Profit focused corruption leads | them to not paying a good IT team. | ttul wrote: | Email your congressman/woman: Paying extortion fees | cybercriminals should be illegal - and severely so. With the | stroke of a pen, a law making the practice illegal would | immediately allow every institution and corporation in America to | say, "We cannot pay your fee no matter how hard you press us, as | we would face jail time if we did so." | | Would gangs still try to extort people? Of course. 
But large | institutions would no longer be a target, because their internal | controls would prevent the payment of extortion fees. Small | organizations might still pay fees, but the potential take for | gangs would be reduced remarkably. | burtonator wrote: | The problem is the intermediate timeline ... maybe some time | window to limit the amount and then lower it slowly. This way | the momentum from existing malware doesn't hurt one specific | university or group. | jimbob45 wrote: | "We do not negotiate with terrorists" sounds like a great line | but isn't always practical in reality. If many people's lives | were on the line because of this hack, it would be difficult to | justify not paying the fairly small ransom. | gnopgnip wrote: | If they were terrorists, sanctioned by the US government it | is already illegal. | powersnail wrote: | Does the US government not exchange hostages with | terrorists? | abeppu wrote: | I think this is an interesting direction, but I wonder is there | a successful precedent for something like this? Perhaps some | government somewhere in the world has already tried this? And | if not for hacking, data theft/encryption, maybe there are | analogues like (and this is a stretch) large organizations that | have managed to continue operating in regions where kidnapping | for ransom is common? | greeneggs wrote: | There's quite a lot of literature on the US and UK's no- | concessions policies on kidnapping. Here's one example [1]. A | few quotes: | | > Despite the U.S. no-concessions policy, U.S. citizens | continue to top the list of nationalities kidnapped by | terrorists. This may be explained by the prominent role and | perceived influence of the United States and the ubiquity of | U.S. citizens around the world. Nationals of the United | Kingdom, which also has a no-concessions policy, are second | on the list. 
| | > While a no-concessions policy may not deter kidnappings, it | may affect the treatment of hostages in captivity and | determine their ultimate fate. According to a 2015 study | published by West Point, Americans held hostage by jihadist | groups are nearly four times as likely to be murdered as | other Western hostages (Loertscher and Milton, 2015). The no- | concessions policy may be only part of the reason. Another | factor would be the jihadists' intense hostility toward the | United States. | | > While the U.S. no-concessions policy has not deterred | kidnappings, there is some evidence that political | concessions and ransom payments appear to encourage further | kidnappings and escalating demands. | | > And although it did not produce any demonstrable decline in | kidnappings of U.S. citizens, a 2016 study published in the | European Journal of Political Economy argues that, without | the no-concessions policy, there would have been even more | kidnappings of U.S. nationals (Brandt, George, and Sandler, | 2016). | | [1] https://www.rand.org/content/dam/rand/pubs/perspectives/P | E20... | | My take: Arguably, part of the reason the policy has not been | successful in preventing kidnappings is that most of Europe | does pay ransoms, and Europeans versus Americans are not | always easily distinguishable. Even if the policy hasn't | directly stopped kidnappings, it probably has stopped them | indirectly, by avoiding funding kidnapping organizations. | Europe has spent hundreds of millions of dollars in ransoms | to terrorist organization, and Qatar allegedly paid close to | a billion dollars in ransom. This has to fund further | efforts. | pugworthy wrote: | This forces the victim to be even more desperate, and desperate | people (and institutions) will do desperate things. | | Irrespective of laws, what does the extortionist have to lose? | There's always a chance the victim will pay up under the table. 
| dodobirdlord wrote: | If the chance is sufficiently low then the practice becomes | unprofitable. | fortran77 wrote: | Well, they extorted it from Taxpayers. What does UCSF care? | jeffbee wrote: | Pretty remarkable that this data was worth at least a million | dollars to UCSF, but it apparently wasn't worth paying for | backups, or hiring IT staff who aren't idiots. | _wldu wrote: | I think the idea is to pay them to not publicly release it | rather than to get it back. | anthony_doan wrote: | Yeah this probably it since UCSF is the UC for only grad, no | undergrad, and for medical. Those data could be HIPAA | related. | gowld wrote: | Doesn't matter. HIPAA is already violated. | hn_throwaway_99 wrote: | > or hiring IT staff who aren't idiots. | | I hate comments like this. It seems quite prevalent in the | software dev field to constantly shit on other developers while | having 0 information about what the source of the issue was. | fastball wrote: | It was ransomware. The source of the issue was not having | append-only backups. It's not very complex. | colejohnson66 wrote: | Does append only work if you have access to the raw disk | bytes? Sure, the file system could enforce creation and | appending _only_ , but I can easily counter that with: | dd if=/dev/random of=/dev/sda | | (Using /dev/random to give the illusion of encryption) | LinuxBender wrote: | Yes. You would have backup agents that authenticate to a | backup server. The server would only allow a specific | method of sending data and the backup server would have | policies about backup anti-tampering and retention. All | workstations and live servers should be considered | ephemeral and disposable. | | Specifically for an institution like a medical facility | or financial institutions, there are hardened appliances; | sometimes referred to as vaulting appliances, that | enforce anti-tampering to the point that the system | administrators can't even delete data. 
You set a policy | that requires multiple specific people using MFA to | authenticate and authorize the deletion transaction. | These are not cheap, but it's a lot cheaper than paying | out a ransom and the down-time of rebuilding everything | and the loss of reputation and loss of trust by board | members and investors. These appliances have the bonus of | enforcing many of your audit requirements around data | retention and destruction. | | To your example though, yes, it's not fun to manage | fleet-wide, but you can boot up both Windows and Linux | into ram and have network filesystem overlays that | patient data could be written to. The SAN/NAS/Ceph | clusters can then do backups locally and have anti- | tampering in place. This is non trivial to set up | correctly. That would be more resilient than depending on | backups, but is much more work up front. For Windows, | look into Windows 10 LTSC [1]. It can operate in a Kiosk | mode and boot into memory or have hardened security | options to minimize attack surface. Most Linux | distributions can do this as well. Ceph can do both | transport and filesystem encryption now. I will leave out | the Linux examples as I doubt this is where these | institutions are getting into trouble. | | [1] - https://docs.microsoft.com/en-us/windows/whats- | new/ltsc/what... | NegativeLatency wrote: | Probably should've been directed at the mangers/department | head (not devs), but not having backups is most definitely | not professional. | | EDIT: The CIO or whatever the title is makes $460K per year | so they should for sure know to have and be responsible for | proper backup/restore functionality. | throwaway749294 wrote: | Well, they did gut their IT staff four years ago to replace | them with low paid foreign workers. | | And reading the poor spelling and grammar in the negotiations | makes me wonder if that's somehow related. | secabeen wrote: | They outsourced some IT staff. 
Reports are that this attack | hit the epidemiology department, which lists a 10-person IT | staff: https://epibiostat.ucsf.edu/our-team | | I don't think we can assume that the IT outsourcing | directly affected their vulnerability to this attack. | CorruptedArc wrote: | In my experience EDU IT tends to be an extremely small staff | with a very heavy amount of duties and overtime. It frankly | surprises me this doesn't happen more often. | secabeen wrote: | It's also often quite distributed, which many small IT groups | of 1-5 staff members that may or may not coordinate with each | other or with the central IT group(s). | silexia wrote: | Establish a global death penalty for this crime. | Woodi wrote: | And what about backups ? Is it cheaper to pay ransom then | reinstall and copy data ? And then cut off f* internet until some | security is in place ?? | | If that ransomware uses something like flash for persistence why | not ask some jury to enforce hardware manufacturers to stop | enabling worse and worse viruses ? Floppies, cd autoplay, usb, | firewire, thunderbolt, 5G networking - everything exploitable | right from the factory. | tlogan wrote: | Actually, setting up a proper backup is last thing business | want to spend money on. | | Why do you think there is so many "increase your sales" | products and so very few "backup" products? | tmpz22 wrote: | So they outsourced all their IT to save money then got | randomwared. | ghjdrt wrote: | Again, the Digital currency is a big thread to our society. ___________________________________________________________________ (page generated 2020-10-22 23:00 UTC)
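The backup-vault policy LinuxBender describes above (write-once storage, a retention lock, and deletion only after several named people authenticate with MFA), as an added example that is not from the thread or any vendor's appliance. The approver names, TOTP secrets and 90-day retention period are constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed write-once backup vault with a retention lock and multi-person,
# MFA-approved deletion. Not any vendor's product; names, secrets and the
# retention period are made up for illustration.
RETENTION_SECONDS = 90 * 24 * 3600  # retention lock: 90 days (constructed)
MIN_APPROVERS = 2                   # distinct people needed to approve a delete


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, used here as the MFA factor."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


@dataclass
class BackupVault:
    approvers: dict                               # name -> TOTP secret (constructed)
    objects: dict = field(default_factory=dict)   # name -> (sha256, data, stored_at)

    def put(self, name: str, data: bytes, now: float) -> str:
        """Append-only: a name can be written once and never overwritten."""
        if name in self.objects:
            raise PermissionError(f"{name} already exists; vault is write-once")
        digest = hashlib.sha256(data).hexdigest()
        self.objects[name] = (digest, data, now)
        return digest

    def verify(self, name: str) -> bool:
        """Tamper check: stored bytes must still match the hash recorded at put time."""
        digest, data, _ = self.objects[name]
        return hmac.compare_digest(digest, hashlib.sha256(data).hexdigest())

    def delete(self, name: str, approvals: dict, now: float) -> None:
        """Delete only after retention expires and MIN_APPROVERS distinct
        authorized people each present a currently valid TOTP code."""
        _, _, stored_at = self.objects[name]
        if now - stored_at < RETENTION_SECONDS:
            raise PermissionError("retention lock still active")
        valid = {who for who, code in approvals.items()
                 if who in self.approvers
                 and hmac.compare_digest(code, totp(self.approvers[who], now))}
        if len(valid) < MIN_APPROVERS:
            raise PermissionError("insufficient MFA-verified approvals")
        del self.objects[name]
```

A compromised administrator account alone can neither overwrite a snapshot nor delete it: an overwrite is refused outright, and a delete needs both the retention window to have passed and two other people's live MFA codes.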