[HN Gopher] After Boeing declines to pay up, ransomware group le...
___________________________________________________________________
After Boeing declines to pay up, ransomware group leaks 45 GB of
data
Author : turtlegrids
Score : 264 points
Date : 2023-11-20 18:47 UTC
Link : www.itbrew.com
| strangattractor wrote:
| Didn't a ransomware gang just renege on a deal and release the
| data anyway? Seems like they are killing their own business
| model. If company X cannot depend on the gang delivering, why pay
| in the first place? Boeing will have to pay for any fallout from
| the data breach - why have the added expense of paying the
| criminals for the privilege?
| barryrandall wrote:
| They do that all the time. The first ransom is to get the
| decryption keys to the target's data, the second ransom is to
| prevent them from publishing the decrypted data.
| CivBase wrote:
| If they're going to publish the data publicly, what do you
| need decryption keys for? Seems like it's basically an all-
| or-nothing deal to me.
| contravariant wrote:
| I think that's why you ransom the decryption key first. If
| I understood correctly.
| bretpiatt wrote:
| Perspective as CEO of a backup and disaster recovery
| company...
|
| A lot of folks now have ransomware protected backups for
| critical data so they aren't paying for decryption keys.
|
| This has escalated to hack and release, the attackers are
| now exfiltrating data and threatening to make it public in
| addition to encrypting it on the host system.
| sandworm101 wrote:
| >> If they're going to publish the data publicly, what do
| you need decryption keys for?
|
| Because they will publish the bad stuff, the stuff you
| really don't want public, but likely withhold the boring
| stuff, the stuff the business really needs to function. And
| whatever they release might not be in the format that it
| was taken.
| barryrandall wrote:
| They only tell you about the second extortion attempt after
| the success of the first. As I understand it, each gang
| operates differently, but most are consistent in their
| approach (e.g. x will always double ransom, but y will
| never).
| asdfman123 wrote:
| Tragedy of the commons. We need to establish a centralized
| judicial system to identify and shut down bad ransomware
| actors.
| op00to wrote:
| Let's hold off on advocating for a New World Order just yet.
| ceejayoz wrote:
| I wonder if this counts as an ITAR violation on Boeing's part.
| da_chicken wrote:
| How do you figure that?
| ceejayoz wrote:
| There's almost certainly ITAR-subject data in a Boeing data
| dump of this size; I'm curious as to whether not paying a
| ransom counts as releasing it.
| lesuorac wrote:
| I'm more curious why failing to secure it doesn't count as
| an ITAR violation.
| hiharryhere wrote:
| I doubt it. Here in Australia at least companies with large
| gov contracts are prevented by gov policy from paying
| ransoms.
| ceejayoz wrote:
| It wouldn't be the first catch-22 scenario caused by
| conflicting laws.
| tsujamin wrote:
| Out of curiosity, what's the source on that? AFAICS
| there's no clear legislation restricting it (although a
| lot of talk about such a bill in the future). Is it in
| standard contract terms?
| brookst wrote:
| I think ITAR covers exporting, which is necessarily
| intentional. At least I'm not aware of any espionage victim
| also being subject to ITAR prosecution.
| annoyingnoob wrote:
| In the case of ITAR, not exporting means limiting access
| to US persons only. I suspect this could be a violation,
| even if unintended.
| dymk wrote:
| Size of the dump means nothing, on one extreme it's a
| single 45GB video file of a security camera looking at
| nothing.
| 2OEH8eoCRo0 wrote:
| Being a Russian-linked cyber gang, anything sensitive in there
| should be treated as public information now anyway. Why bother
| paying then?
| kh49 wrote:
| The never ending cost of low quality outsourced digital
| transformation. Pathetic how many large corps have been hit. And
| tax payer has to foot the ever growing bill to investigate and
| defend these useless orgs.
| hnthrowaway0315 wrote:
| Basically every large, traditional business is relying on some
| offshore gig for certain key technical responsibilities. They
| probably don't consider it the real key as they are cost
| centers, but hey, ransomware is reminding them.
|
| It's not even just offshore. Some onshore consultancies are
| really of agasp quality.
| pid-1 wrote:
| Is there any case of a company suffering significant
| financial backlash due to ransomware attacks?
|
| My current impression is: consumers don't care, regulators
| don't care... so why should CEOs care?
| hnthrowaway0315 wrote:
| Yeah you have a good point.
| rileyphone wrote:
| Customers care if your business is in security, especially
| b2b. Though the biggest downstream effects are probably
| from security tightening making it more difficult to get
| anything done.
|
| Source: my company was hit a couple months ago
| dimitrios1 wrote:
| I don't think in the case of airlines we have the option to
| care. We are just kind of stuck with whatever the
| government-backed airline oligarchy chooses to do. The
| airlines would be the ones to have to care for it to
| matter. When the 737-MAX crashes occurred many frequent
| travelers, including myself, flat out refused to fly
| 737-MAX even after we were given assurances by the
| regulatory bodies. But after a while it just didn't matter.
| Life goes on, your company will book you on the plane
| that's the cheapest or part of their plan or whatnot, and
| you just get stuck being a cog in the wheel again.
| punkybr3wster wrote:
| The MGM ransomware supposedly cost them $100mil
| whatever1 wrote:
| Is it a tax write off ?
| newswasboring wrote:
| This attack originated from a company acquired by Boeing. No
| outsourced party seems to be involved. Am I missing something
| in the article?
| CatWChainsaw wrote:
| "digital transformation" was such a hot buzzword too, and yet
| the biggest market players don't want to spend enough to ensure
| it goes well, apparently.
| stillwithit wrote:
| > And tax payer has to foot the ever growing bill...
|
| You might be put at ease to read all that debt is a
| hallucination humanity has no obligation to pay.
|
| Also after decades in IT hearing about one lapse in security
| after another (including entire iron mountain trucks being
| robbed back in the day) yet society seems capable of shrugging
| them off, it's hard to take the anxiety seriously.
|
| It's possible the CEOs are not the only people in IT inflating
| the value of their contributions and ideas.
| barbazoo wrote:
| Are there any signs to suggest that this was being made
| possible by "low quality outsourced" work?
| legitster wrote:
| I struggle to see how this business model would work in the first
| place. They pay you and you pinky swear not to release it? All
| you are doing by negotiating is to buy the victim time to harden
| their systems.
|
| This sounds like a failed ransomware attack. They encrypted the
| systems - Boeing says "no thank you, we have backups". There were
| no valuable zero-days to sell to the GRU, so give a last-ditch offer
| to try to salvage something.
| hnthrowaway0315 wrote:
| I wouldn't be surprised if some ransomware gangs are frontends
| of national (in)security agencies. They don't care about
| profits. Sure, it's good to have some.
| kramerger wrote:
| Well, every time Boeing tried to bribe a country, someone
| leaked emails and audio recordings from their secret
| meetings.
|
| Usually we blame the Chinese, but in this case I think it's a
| toss-up between the CIA and the NSA.
|
| (I think I'm on some kind of list now)
|
| Edit: I am an idiot. I was thinking of Airbus, see
| @perihelions comment below
| perihelions wrote:
| Which incident are you referring to? The NSA took credit
| for hacking Airbus, but that's Boeing's _foreign
| competitor_ --not Boeing.
|
| https://www.economist.com/special-
| report/2003/06/12/airbuss-...
|
| - _" According to a European Parliament report, published
| in 2001, America's National Security Agency (NSA)
| intercepted faxes and phone calls between Airbus, Saudi
| Arabian Airlines and the Saudi government in early 1994.
| The NSA found that Airbus agents were offering bribes to a
| Saudi official to secure a lion's share for Airbus in
| modernising Saudi Arabian Airlines' fleet. The planes were
| in a $6 billion deal that Edouard Balladur, France's then
| prime minister, had hoped to clinch on a visit to see King
| Fahd in January 1994. He went home empty-handed."_
|
| - _" James Woolsey, then director of the Central
| Intelligence Agency, recounted in a newspaper article in
| 2000 how the American government typically reacted to
| intelligence of this sort. "When we have caught you
| [Europeans]...we go to the government you're bribing and
| tell its officials that we don't take kindly to such
| corruption," he wrote. Apparently this (and a direct sales
| pitch from Bill Clinton to King Fahd) swung the aircraft
| part of the deal Boeing's and McDonnell Douglas's way."_
| kramerger wrote:
| You are correct. I think my brain was on a break while I
| was writing that :)
| bee_rider wrote:
| I imagine at least some (probably many) of the engineers
| who work for Boeing have a basically lawful-good/lawful-
| neutral temperament and are just disgusted by things like
| bribery. Maybe one of the parties in the conversation
| leaked it, no intelligence agencies needed.
| emodendroket wrote:
| Why exactly would the CIA or NSA want to do that? Boeing
| works so closely with the security apparatus they're
| practically an unofficial member so I don't understand what
| the motivation would be.
| hnthrowaway0315 wrote:
| It doesn't hurt to hack into any corporation. You never
| know what kind of intelligence you might get out. There
| are also considerations of different factions I guess.
| jowea wrote:
| For North Korea sure quite believable. Some links existing
| also sound likely for the Russian gangs.
| jasonwatkinspdx wrote:
| It's an open secret that the FSB et al. work with ransomware
| gangs. As long as they don't target Russian companies, they
| don't care what they do otherwise. So it's not so much that
| they're a front as that they're in a sort of quasi-officially
| sanctioned middle ground.
| r00fus wrote:
| Digital privateers
| terminous wrote:
| https://en.wikipedia.org/wiki/Letter_of_marque
| hnthrowaway0315 wrote:
| Yeah. I'm also thinking about ways to "promote" malware
| without getting impacted.
|
| Let's say some three-letter agencies create a sort of malware
| distribution forum in the darknet. They make sure to only
| broadcast to people who want to play with malware so the
| net catches the "bad guys" mostly, except for a few curious
| researchers or journalists maybe. Then they start to share
| recent-generation malware they created. They don't need to
| distribute it by themselves because they already have the
| CCC servers. Some malware gangs would eventually be the
| frontend and start the distribution.
|
| In this way you not only distribute the malware without
| getting impacted, you also get to know the gangs, so
| whenever you want to catch a few fish you just pull the
| net.
|
| Once the darknet forum dies out or they need to wipe the
| records, they would just leave and create a new one.
|
| Just my wild thought.
| sofixa wrote:
| As an example, the DarkSide malware (the one used against
| the Colonial Pipeline) explicitly checks if it's running on
| a computer in the CIS (Russia+countries nostalgic of the
| Soviet Union / without a better choice) and exits.
| sfink wrote:
| privateers
| beambot wrote:
| > How North Korea's Hacker Army Stole $3 Billion in Crypto,
| Funding Nuclear Program
|
| https://www.wsj.com/articles/how-north-koreas-hacker-army-
| st...
| nimih wrote:
| > They don't care about profits.
|
| This isn't really true in general: intelligence agencies
| often want access to funds with less/no oversight from (or to
| skirt controls enacted by) other parts of the government. As
| an example, that was the dynamic at the basis of the Iran-
| Contra affair in the US.
| RandallBrown wrote:
| > They pay you and you pinky swear not to release it?
|
| Yes. If any of this information does end up getting leaked, it
| kills the credibility of the ransomware group and they'll never
| get paid again. Sort of mutually assured destruction.
|
| Now of course, most people don't really trust criminals anyway
| so the business has a pretty strong bargaining position and I
| believe many of the ransoms are negotiated way down.
| tanelpoder wrote:
| Wouldn't it be easy to just pick a new name for the
| ransomware group then?
|
| (or do we need eBay-like "seller ratings" and customer
| reviews for ransomware groups?)
| ceejayoz wrote:
| A no-name ransomware group is less likely to be trusted to
| hold up their end of the bargain than one with an
| established reputation.
|
| Didn't Silk Road have eBay-style ratings/reviews?
| jeron wrote:
| What good are the reviews? "5 stars, didn't leak data
| after ransom paid"
| barryrandall wrote:
| It's more like, "Security Company X says this gang has
| behaved predictably in their previous interactions."
| csydas wrote:
| SilkRoad was a dark web market, so the comparison from
| the parent is a bit strange for me, but regarding your
| comment on reviews, yes they're very important and for
| the sites I've used, the reviews have been very reliable
| and useful.
|
| My understanding is that since it's a much more limited
| market, access is very difficult even under normal
| circumstances (not because of security but just because
| dark web markets usually have awful performance for
| various reasons), so it's a far different review
| landscape than, say, shopping on Amazon, at least the ones
| I have used. The markets themselves were fantastic about
| refunds/conflict resolution, better than most normal
| online shops. Reputation is key for basically everything
| dark web, and the main actors in this space are
| notoriously petty and bold towards anyone that makes it
| harder to conduct business.
|
| I imagine it's very similar with Ransomware as there has
| to be some reason for the targets of the attack to
| believe paying the ransom is worth it, and anyone who
| upsets that balance for the ransomware gangs unexpectedly
| becomes rapidly unpopular, and usually a target for the
| other gangs. It very much so is heavily relying on the
| honor system, but it seems the groups are committed to
| such a system.
| yieldcrv wrote:
| All the darknet markets have eBay-style ratings, but for
| the vendor and products purchased, not for reviews on
| negotiating with a ransomware group that weaponized it.
|
| Silk Road was 10 years ago; that would have been like the
| smallest one ever since then. Just curious why it is
| referenced at all, and in such an odd way.
|
| "I heard eBay has bulletin board like reviews" _you know
| you can just go look, in a web browser_ "whoa, that's crazy
| talk, I prefer 10 year old hearsay"
|
| Anyway, they often have a separate forum where one could
| ask more about a group.
| adolph wrote:
| 5 star would hostage again
|
| Superhost for my datas
| echelon wrote:
| Amazing satire, but I shudder to think that's how
| companies actually treat ransomware.
|
| All companies and governments should take the stance that
| any ransomwared or compromised data is now public. And if
| they don't have the backups, then they should consider it
| permanently lost.
|
| Write it off as a business loss and hire better ops
| people.
| dkjaudyeqooe wrote:
| Govts should make funding ransomware groups a criminal
| offense. The money likely going to RU and NK anyway.
| red-iron-pine wrote:
| Depends on what their SOP is. Attribution is hard but there
| are a lot of really, really smart people trying really hard
| to identify orgs by their TTPs.
|
| You can rebrand as CaTBUTT, or Indrik Spider 2.0, or
| whatever, but if you're using some custom version of Mirai
| they'll eventually tag your M.O. and the threat
| intelligence briefings will reflect that.
|
| And then no ransom.
| tanelpoder wrote:
| Didn't think of that, thank you.
| Exuma wrote:
| What is Mirai? Can you re-explain what you said in plain
| english?
| not2b wrote:
| You could have Googled it, but you can start with
| https://en.wikipedia.org/wiki/Mirai_(malware)
| barryrandall wrote:
| They'd need to burn all their tools, techniques, and
| practices for this kind of rebrand to be successful.
| Jaepa wrote:
| From what I understand there's a market for ransomware
| negotiators, and reputation (and tooling) is very much a
| thing that affects settled price.
|
| Understand: For the ransomer's point of view this is
| another monday, albeit one where a big fish walked away.
| FirmwareBurner wrote:
| So there's honor among thieves.
| ben_w wrote:
| There's an iterated prisoner's dilemma, I wouldn't go as
| far as calling that honour.
| GuB-42 wrote:
| That's fundamentally what honor is.
| ben_w wrote:
| The result may be the same, but I think honour requires a
| state of mind where you do the "honourable" thing even if
| nobody will know.
| __MatrixMan__ wrote:
| Agreed. Honor may have its roots in a prisoner's dilemma,
| but you're not actually practicing it until you have
| Stockholm syndrome.
| barryrandall wrote:
| Only to the extent that they derive value from being
| perceived as consistent.
| paulcole wrote:
| My brother did this with lawn care and HVAC companies. The
| first business lesson he learned was never name your
| business after yourself. He was about 16 when he learned
| this and ever since it's been like AAA Lawn Care or Aces
| HVAC until he gets so many negative reviews he can't get
| more business.
| frandroid wrote:
| So lesson of the story, avoid the AAA named companies
| because they've been in the respawning business for a
| long time
| Tyr42 wrote:
| Or at least the ZZZ corps if they made it that far down
| the alphabet.
| sfink wrote:
| The lesson is that hiring "ZZZ Lawn Care" is a _really_
| bad idea.
| paulcole wrote:
| This was a plot point in The Accountant starring Ben
| Affleck.
|
| He's a criminal who launders money through small
| businesses he owns and the accounting firm he runs. He
| names it ZZZ Accounting so it doesn't get a lot of calls
| through people looking up accountants in phone book.
| jstarfish wrote:
| Nah, back in the old days A1 Locksmith or AAA Windshields
| were just competing for top placement in the
| (alphabetized) phone book.
|
| Look to Amazon for new ideas on DGA-derived names for
| your fly-by-night business.
| temporarara wrote:
| Your brother is the hero this world deserves. And this is
| why I generally trust only those small businesses who
| have their full real name on display.
| HeyLaughingBoy wrote:
| You're assuming it's _their_ real name...
| paulcole wrote:
| When he was a teenager and had a business under his own
| name he'd get in trouble sometimes because he'd close all
| the deals himself then hire other kids to go out and do
| the work.
|
| Some homeowners thought it was going to be him cutting
| their lawns and would get upset because the contract said
| he'd do it. So he'd just rip up the contract in front of
| them and refuse to cut their lawn ever again.
|
| In Florida there were so many houses with lawns in so
| many subdivisions he was always busy anyway. Plus he
| liked getting into fights with adults. Win win, I guess.
| mysterydip wrote:
| Couldn't the ransomware group just come back under another
| alias to clean their slate?
| rtkwe wrote:
| If any group does it, it kills the credibility of new entrants
| too, so there's still an incentive to not do it.
| cjaybo wrote:
| Are these rational actors who would even care about the
| collective long term effects? Eg the same could be said
| for drug dealers ripping off their customers, but that
| still happens daily because they often prioritize short
| term self interest over long term/collective concerns.
| NegativeK wrote:
| Many ransomware groups have learned that acting more like
| a business results in higher payouts. They're not all
| going to do it, but they have payment portals,
| negotiators using professional language, attempts to
| maintain reputation, etc.
|
| Obviously this behavior doesn't apply to all of them, but
| it's a clear effort by some of them to immediately appear
| more palatable to the random IT worker, the execs, and the
| lawyers who are watching the whole process play out.
|
| And it also lines up with the fact that ransomware groups
| have freaking HR departments to handle their employees.
| galangalalgol wrote:
| And Boeing could never know Airbus hadn't been given the
| opportunity to buy the data, as they would never disclose
| that.
| rtkwe wrote:
| It's not consistent across the broad category of criminal
| for sure, but they're probably not the most long-term
| oriented people as a rule now. Initial groups were more,
| for lack of a better word, professional about the
| process, with some groups even having a kind of tech
| support for helping victims, to make sure people would
| believe they'd get their files back if they paid. Better
| preparation on the corporate side and a democratization
| of the tools to perform it has led to some changes, it
| looks like, where ransomware groups didn't exfiltrate
| often before because it wasn't their main playbook.
| csydas wrote:
| Yes, mostly because the other actors are notoriously
| vengeful and petty; ransomware gangs, dark markets, etc,
| they don't just register complaints with each other, they
| typically look to ensure the bad actors are removed from
| the space entirely.
|
| Regarding drug dealers, I wouldn't consider it a good
| comparison. The actions of one dealer typically don't
| affect others; they're just not that connected beyond
| professional recognition/courtesy. If dealer A is
| shorting their customers, dealer B absolutely wouldn't
| care, as why would they? They have no relationship, and
| it'd probably mean the customers go to dealer B instead.
| Business will continue as usual even if one bad actor is
| doing shitty stuff to their customers.
|
| With ransomware that is not the case -- if public opinion
| overwhelmingly says there's no sense in paying because
| the ransomware gangs never follow their word, that
| affects all the gangs, not just the bad actor. The gangs
| already have a hard enough argument to make as to why the
| targets should pay, so anything that frustrates that
| further is frowned upon.
| callalex wrote:
| By that logic, illicit food and drugs wouldn't have a
| problem of being cut with fillers. A tragedy of the
| commons doesn't really reign in the behavior of criminal
| organizations.
| micromacrofoot wrote:
| a clean slate also means rebuilding reputation
| legitster wrote:
| Data ransoms have existed for a long time before "ransomware"
| was even really a thing - there's just never been a market
| for ransoms for the "stolen" data. Once it's out you can't
| put that genie back in the bottle.
|
| The reason ransomware worked was you didn't have to trust the
| group long-term - just enough to give you a copy of your data
| back.
|
| It's the difference between you making a copy of my car keys
| and stealing them. Yes, I will pay for "a" key back - I only
| have to trust you enough to hand it over.
| jowea wrote:
| I wonder why they don't make it into a recurring payment instead
| of a one-time deal. Turn it into an iterated game theory
| game.
| timeon wrote:
| RaaS
| augustulus wrote:
| more risk of exposure presumably
| kspacewalk2 wrote:
| >credibility of the ransomware group
|
| Hilarious.
| waynesonfire wrote:
| It's your naive comment that I find hilarious. It's a
| business like any other that puts food on people's plates.
| In fact, a mature business with a deep and sophisticated
| industry. It benefits all participants when everyone
| behaves reliably and predictably. These aren't amateurs.
| JohnFen wrote:
| > it kills the credibility of the ransomware group
|
| There are people who consider these groups credible?? The
| world really has gone insane.
| dkjaudyeqooe wrote:
| > it kills the credibility of the ransomware group
|
| There are review sites for ransomware groups?
|
| "honored promise not to disclose, didn't gloat or taunt,
| would pay again, 10/10"
| arnvald wrote:
| Not sure about review sites, but there are companies
| specializing in ransomware negotiations on behalf of the
| victims and they can advise not to pay a group that is
| known to release the data anyway
| barryrandall wrote:
| They also help their clients to determine whether or not
| anything valuable was taken. 40 GB of travel
| documentation and approvals, parking garage logs, or call
| center workstation images isn't worth much. Paying a
| ransom might require board approval, whereas a security
| incident that doesn't impact the stock price probably
| won't even require board notice.
| hot_gril wrote:
| Either way, seems like something that a government or
| other actor could mess with, thus making it harder for
| hackers to profit.
| miohtama wrote:
| I am sure there are discreet nation-state buyers, like Russia
| and China, who are happy to use the information without
| causing an incident. Russia does not even need to ask, as
| most ransomware gangs operate under the blessing of Putin.
| justsomehnguy wrote:
| [citation needed]
|
| At least for 'most'.
| bastawhiz wrote:
| > it kills the credibility of the ransomware group and
| they'll never get paid again
|
| I don't buy it. There's nothing to stop the group from
| rebranding themselves. The company has no proof nobody else
| got a copy of the data. And the group could simply hang onto
| the data, extort a bunch of money from other companies, then
| start back at the beginning and demand even more (knowing
| that the data is worth _at least_ what was already paid for
| it).
| sofixa wrote:
| > I don't buy it. There's nothing to stop the group from
| rebranding themselves
|
| Apart from the fact that nobody would pay them if they have
| no reputation.
| raincole wrote:
| Then how did they get "reputation" from the first place?
| Quite chicken and egg problem, right?
| hot_gril wrote:
| By starting with smaller ransoms. Same way any new
| business gets off the ground without rep, it's not easy
| or very profitable at first.
| tshaddox wrote:
| Surely that can't be completely true. The reputation has
| to be bootstrapped somehow.
| mvkel wrote:
| Meh. They don't knowingly release it. But they could
| certainly continue to try to sell the data on the black
| market to competitors, etc, which the competitor would never
| disclose.
| ibejoeb wrote:
| LockBit just did a sort of collective bargaining with
| affiliate groups that resulted in guidance for setting
| initial ransom amounts and rules restricting discounts about
| 50%.
| willseth wrote:
| You'd think that, but in practice these ransomware groups are
| pretty reliable, and actually many ransomees have remarked on
| how good the customer service is! Their ability to make money
| is dependent on them maintaining a reputation for being in the
| business for money, not lulz, and tmk the pinky swears are
| typically upheld.
| jameson wrote:
| > in practice these ransomware groups are pretty reliable
|
| Hard to say...
|
| You're effectively trusting the liar won't lie again.
|
| It's possible they leak it to high-profile customers without
| publicly announcing it.
|
| Business should make decisions assuming the data will be
| leaked eventually regardless of ransom paid or not.
|
| Perhaps the only thing business can assume is the data won't be
| publicly released in a short amount of time.
| emodendroket wrote:
| You could say the same about any "ransom"-based business,
| really. Kidnappers could decline to release the kidnapped
| person after they get their money.
| JohnFen wrote:
| And they often do.
| matthewdgreen wrote:
| That's why you secret share the data across six Intel SGX
| instances using software that only reveals the plaintext if it
| doesn't receive a blockchain-based payment after 30 days. (No,
| nobody does this. But they could!)
| adriancr wrote:
| why would anyone trust the data is only on those instances?
| matthewdgreen wrote:
| Because you write your ransomware to encrypt to a hardcoded
| set of public keys that include an SGX attestation from
| those instances. This can be verified forensically and the
| unencrypted plaintext never leaves the victim organization.
| crotchfire wrote:
| ...and then Intel will simply have their HSM sign the
| cheat-code firmware for the EPIDs of those six chips.
|
| Trust isn't all-or-nothing. When I ride a bus I'm
| trusting the driver with my life, but I wouldn't trust
| them to babysit my kids.
|
| Mutability is deniability. I don't trust hardware
| companies with that. And I don't have to, either.
|
| Stop hawking this SGX snakeoil. Except maybe to
| ransomware authors, who deserve what they'll get.
| matthewdgreen wrote:
| Intel could presumably help the ransomware authors bypass
| SGX protections but that'd be dumb. They might have some
| capability to trace attestations to a specific
| motherboard but I doubt any sophisticated ransomware
| group will be foiled by this.
| adriancr wrote:
| > hardcoded set of public keys that include an SGX
| attestation from those instances.
|
| You mean:
|
| 1. generate a public/private key in enclave
|
| 2. generate attestation from SGX enclave with public key
| hash.
|
| 3. seal the public/private key somewhere so it can be
| reused later, otherwise pc restart or app failures / no
| data.
|
| 4. publish source code that generates mrenclave somewhere
| that can be audited.
|
| 5. encrypt in place and assume remote trusts you when you
| say data was only exfiltrated encrypted or not at all.
|
| Now, 5 is the problem I mentioned. Why would anyone trust
| that data was not exfiltrated unencrypted and copied a
| few times?
|
| > and the unencrypted plaintext never leaves the victim
| organization.
|
| You also mentioned this to be fair. Why would this be
| trusted?
|
| 6. Release data if no payment on bitcoin.
|
| SGX enclaves do not have magic trusted access to the network
| to get bitcoin payment data.
|
| It can be man-in-the-middled or fooled by omission by whoever
| controls the machine.
|
| So the key can be released by feeding it bad data (payment
| was not done and time expired - release to the world).
|
| There's also the problem that attestation might lead to
| the originating group if the CPU is identifiable.
| jasonfarnon wrote:
| What benefit is it to the ransomware group to release the data?
| They may be sloppy or careless with their data (like their
| victims) but I don't see a for-profit/non-ideological ransom
| group reneging and intentionally leaking the data. And plenty
| of reasons eg repeat actors to do their best not to.
|
| Actually I'm often surprised that many ransomers/hostage-takers
| go through with their threats when they don't get their
| demands. The only reason I can see them doing it is if
| reputation matters to them for future negotiations more than
| the risks from the greater liabilities they incur by going
| through with the threats.
| michaelt wrote:
| The benefit would be getting paid a second time, by
| extracting a second ransom.
|
| It doesn't have to be the whole group; perhaps one guy
| decides to branch out on his own, and grabs the data on his
| way out the door.
| jasonfarnon wrote:
| You mean "yeah we were lying yesterday about this same
| thing, but we're telling the truth right now" type of
| negotiation? Has that ever worked for ransoms (of any kind)
| anywhere?
| ars wrote:
| The US should make it illegal to pay ransom, with a penalty of
| prison for anyone paying a ransom or authorizing payment.
|
| The purpose of the law is that now ransomware gangs will be less
| likely to target US companies because companies are unlikely to
| risk paying them.
| ironmagma wrote:
| It's maybe already illegal[1][2].
|
| That doesn't stop companies from paying for it. If you're a
| hospital, you're weighing breaking the letter of the law with
| killing a bunch of people.
|
| [1] https://www.gma-cpa.com/technology-blog/paying-ransom-on-
| a-r...
|
| [2] https://cbs12.com/news/cbs12-news-i-team/hospital-
| ransomware...
| gregwebs wrote:
| Paying ransomware is not in any way illegal in the United
| States. Making payments to sanctioned entities (ransomware or
| otherwise) is. If companies go to their insurer, etc, they
| will probably get help to do the compliance to check to see
| if the payment requested would go to an OFAC sanctioned
| entity or not.
| bee_rider wrote:
| Is the duty to make sure you know you aren't paying to a
| sanctioned entity, or is it to not know whether or not you
| are?
|
| Given the sources of many of these attacks, one should
| reasonably assume they are likely to be doing business with
| a sanctioned entity, right?
| gregwebs wrote:
| There isn't necessarily a way to know who you are
| actually dealing with. Maybe in some cases there might be
| some information to figure this out to some degree. But
| normally the only information that is certain is where
| the payment is going. Which is just a bitcoin wallet
| address.
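Since the payment address is usually the only hard fact available, the compliance step described above reduces to screening that address against the sanctions list. The following is an added example, not code from the thread: it screens a wallet address against a constructed, simplified stand-in for OFAC's SDN data (the real list is published at treasury.gov with a different field layout, and its crypto addresses appear as "Digital Currency Address - XBT/ETH/..." identifiers); every name and address in the sample is made up.

```python
"""Screen a ransom-payment address against an OFAC-style SDN list.

Added example. SAMPLE_SDN is a constructed, simplified stand-in for the
SDN data; the entity names and addresses below are fictitious.
"""
import csv
import io
import re

SAMPLE_SDN = """ent_num,name,program,remarks
90001,"EXAMPLE CYBER CREW","CYBER2","Digital Currency Address - XBT bc1qexampleexampleexampleexampleexample00; Digital Currency Address - ETH 0x00000000000000000000000000000000DEADBEEF"
90002,"EXAMPLE LISTED INDIVIDUAL","CYBER2","Digital Currency Address - XBT 1ExampleListedBase58Address000000"
"""

# The identifier format OFAC uses for crypto addresses in its listings.
ADDR_RE = re.compile(
    r"Digital Currency Address - (?P<asset>[A-Z0-9]+)\s+(?P<addr>[A-Za-z0-9]+)"
)


def normalize(addr: str) -> str:
    """Hex (0x...) and bech32 (bc1...) addresses are case-insensitive;
    base58 addresses are case-sensitive and must be compared as-is."""
    low = addr.lower()
    if low.startswith("0x") or low.startswith("bc1"):
        return low
    return addr


def load_sdn_addresses(csv_text: str) -> dict:
    """Return {normalized_address: (asset, entity_name, program)}."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for m in ADDR_RE.finditer(row["remarks"]):
            index[normalize(m["addr"])] = (m["asset"], row["name"], row["program"])
    return index


def screen_address(addr: str, index: dict) -> dict:
    """Return a screening verdict for one address.

    NO_MATCH is not a clearance: most addresses are unlisted, and a listed
    crew can rotate wallets, so the verdict only says what the list says."""
    hit = index.get(normalize(addr))
    if hit is None:
        return {"address": addr, "status": "NO_MATCH"}
    asset, name, program = hit
    return {"address": addr, "status": "MATCH", "asset": asset,
            "entity": name, "program": program}


if __name__ == "__main__":
    idx = load_sdn_addresses(SAMPLE_SDN)
    for candidate in ("BC1QEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE00", "bc1qsomeotherwallet"):
        print(screen_address(candidate, idx))
```

The normalization matters in practice: a bech32 or Ethereum address pasted in uppercase still matches, while a base58 address with one letter's case changed is a different address and must not match. A real screening run also checks the counterparty names the negotiator learns against the list, since the address is only one identifier on an entry.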
| bee_rider wrote:
| If you aren't a hospital, you are helping the ransomware
| gangs amortize the cost of their R&D. Thus directly helping
| those who hit hospitals, and, as a result, contributing to
| those deaths.
| ploum wrote:
| -- If you don't give me 10k$, I will tell the authorities that
| you have paid a ransom of 100k$.
| -- Ok, here's the money.
| -- Thanks. If you don't give me 10k$ more, I will tell the
| authorities about our previous deal.
| phpisthebest wrote:
| No I did not pay a ransom, I paid a 7 figure consulting fee to
| a cyber security company not based in the US, who somehow
| magically resolved the issue for us...
| smith7018 wrote:
| There are instances where that doesn't make sense. For example,
| there was that plastic surgery office that got hacked a couple
| weeks ago. I get why they think it's better to at least try to
| prevent such private information from getting out. Making it
| illegal to pay the ransom means that every patient's medical
| history and pre/post op photos would be leaked. That's a
| nightmare.
| carabiner wrote:
| When Boeing can't match the salaries of Seattle tech companies,
| this is what happens.
| klyrs wrote:
| Speaking as a native Seattleite with multiple friends and
| family at the company, Boeing stopped being a Seattle company
| in 1997.
| jmbwell wrote:
| TIL: Although Boeing still has manufacturing facilities in
| the Seattle area, they moved their HQ from Seattle to Chicago
| in 1997.
| klyrs wrote:
| To rephrase: As McDonnell Douglas was crumpling under the
| ineptitude of its management, Boeing merged with McDonnell
| Douglas, keeping Boeing's name and McDonnell Douglas's
| management.
| massysett wrote:
| The classic joke here is that McDonnell Douglas bought
| Boeing with Boeing's money.
| carabiner wrote:
| Moved HQ from Chicago to DC area last year.
| 1-6 wrote:
| Sounds like the future of Tesla / SpacefleetX
| kramerger wrote:
| Is there anything "useful" in this dump?
|
| The article mentions citrix and emails, but that could be
| anything
| dmix wrote:
| Useful to whom? Email dumps and other data could be useful for
| further breaches and attacks against personnel. I'm sure their
| infosec will be going through everything but they could miss
| stuff and personal information is exploitable for fraud even
| with awareness.
|
| Govs like China and aircraft/defense competitors to Boeing
| probably got a goldmine if they didn't already have their own
| access. Boeing does plenty of NATSEC and space stuff.
| steponlego wrote:
| Now that it's out there somebody will doubtless download it and
| check it out eventually. Stuff that goes onto the Internet
| rarely goes away.
| whatever1 wrote:
| Like how can one download so many files from a company network
| and no alarm is set off ? What do the useless IT departments set
| up? Just employee spyware ?
| GartzenDeHaes wrote:
| Let's say you have 6TB a day going through your perimeter
| firewall. It's kind of hard to pick out a 40GB stream(s) on
| HTTPS going to some US cloud provider.
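The reason a 40 GB stream hides inside 6 TB/day is that most alerting keys on instantaneous rate, and a transfer spread over a week never trips a rate ceiling. The following added example (not code from the thread) shows the difference with constructed flow records: hosts, destinations, byte counts and both thresholds are made up for illustration. A per-flow rate rule sees nothing, while summing bytes per (source, destination) pair over a multi-day window surfaces the one host that moved ~42 GB to a single external address.

```python
"""Per-flow rate alerts versus per-pair cumulative volume over a window.

Added example. Flow records are constructed; addresses, volumes and
thresholds are illustrative, not tuned for any real network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOUR = 3600  # each constructed record covers one hour


def make_sample_flows():
    """Records are (start_time, src, dst, bytes_out, duration_seconds)."""
    flows = []
    base = datetime(2023, 11, 1)
    for day in range(7):
        for hour in range(24):
            ts = base + timedelta(days=day, hours=hour)
            # Routine SaaS sync from two workstations, tens of MB per hour.
            flows.append((ts, "10.1.2.30", "203.0.113.10", 40_000_000, HOUR))
            flows.append((ts, "10.1.2.31", "203.0.113.10", 35_000_000, HOUR))
            # Quiet exfil: 250 MB/h (about 70 KB/s) from one host to one
            # cloud IP, around the clock for a week.
            flows.append((ts, "10.1.2.77", "198.51.100.8", 250_000_000, HOUR))
    return flows


def flag_by_rate(flows, max_bytes_per_sec=10_000_000):
    """The usual 'large transfer' rule: alert when a single flow's
    average rate exceeds a ceiling. Slow exfil never trips it."""
    return [(src, dst) for _, src, dst, nbytes, dur in flows
            if nbytes / dur > max_bytes_per_sec]


def flag_by_cumulative(flows, window_days=7, max_bytes=20_000_000_000):
    """Sum bytes per (src, dst) over the trailing window and alert when the
    total to one destination crosses a ceiling, whatever the rate was."""
    end = max(f[0] for f in flows) + timedelta(seconds=HOUR)
    start = end - timedelta(days=window_days)
    totals = defaultdict(int)
    for ts, src, dst, nbytes, _ in flows:
        if start <= ts < end:
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= max_bytes}


if __name__ == "__main__":
    sample = make_sample_flows()
    print("rate alerts:", flag_by_rate(sample))
    print("cumulative alerts:", flag_by_cumulative(sample))
```

The fixed 20 GB ceiling is the weak part of this sketch; in production the ceiling is usually derived per host from its own history (for example a multiple of its median weekly outbound volume), and destination rarity (a cloud IP that only one internal host ever talks to) is added as a second signal so that a heavy but legitimate backup job does not page anyone.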
| JoblessWonder wrote:
| I mean, depending on the data type... 45GB isn't really all
| that much. They probably have 45GB individual CAD files...
|
| Now, if it is 2,000,000 text files totaling 25gb, then that is
| harder to explain away.
|
| (I just read the article and saw that it deals with a vendor we
| use daily... so... great news.)
| bunabhucan wrote:
| I remember an engineer telling me the physical drawings for
| the 747 weighed ten times as much as the plane itself.
| Invictus0 wrote:
| 1000 sheets of paper weighs 10 lbs, the 747 weighs 910,000
| lbs, so there were 91 million sheets of paper describing
| the 747? Does not seem accurate
| avar wrote:
| The 747 has around 6 million individual parts, 15 sheets
| of paper per part doesn't seem unreasonable.
|
| Just detailed schematics of a given plastic knob in the
| cockpit should take at least a few pages, nevermind
| something more complex or critical like turbine blades.
| 38321003thrw wrote:
| Construction drawings are not done on A4. A typical drafted
| drawing uses a handful of feet by feet, say 3x4. So
| that should give ~2 orders of mag fewer sheets. Does
| 10,000 sheets of drafting paper sound more reasonable?
|
| Internet says 747 has 6,000,000 parts, half of which are
| fasteners. So 3m individual components. "171 miles" of
| wiring. Blah blah. I can easily see 10k drawings to cover
| that beast, soup to nuts.
| buildsjets wrote:
| 3x4 is about right, but the original 747 drawings were
| not drawn on paper, they were inked on thick thermal and
| humidity stable mylar. Some detail parts may have been
| defined multiple (up to a half dozen) E sized (36"x48")
| mylars. Then there were separate drawings for each
| assembly of detail parts. Then there was all the
| manufacturing planning and detailed work instructions to
| fabricate each level of assembly. Then there is all the
| documentation associated with lab qualification testing
| prior to flight. I have personally authorized qual test
| reports in excess of 3000 pages, where ~100 pages was my
| content and the rest was all backup data.
| ajcp wrote:
| If the FileShare server itself was compromised one could mount
| it in a way that wouldn't show leakage, or just image the thing
| and bork the original.
|
| Otherwise you could have a crawler that just traverses the
| FileShare and makes duplicates at a rate slower than what would
| look like BAU traffic. Given that most enterprise network
| shares host a TON of legitimate batch dump/upload file traffic
| it might be easy to skate by.
| lgeorget wrote:
| We don't know how and over how much time the data was
| exfiltrated.
| cyrnel wrote:
| So many of the security monitoring tools that purport to detect
| things like that only work if the attacker is brainless. Modern
| networks are complex enough where a clever attacker (like a
| professional ransomware gang) can make malicious traffic look
| like any other traffic.
|
| Unless this was just a public S3 bucket, there was probably
| some lateral movement involved, and I'd say time/money would be
| better spent reducing that particular risk in the future.
| demondemidi wrote:
| I just had to download a 69 GB database to my laptop of CAD
| design files (mostly libraries). I'm glad I have 1 Gbit
| download speeds, but peers aren't so lucky. Granted, if IT saw
| remote employees downloading TBs of data it should really raise
| red flags.
| jstarfish wrote:
| Sadly, this is pretty routine for us (not Boeing). Every
| goddamn day we have somebody plugging in a USB stick and
| copying 1-20 GB of data to it. We see similar volumes
| "accidentally" uploaded to iCloud whenever someone syncs their
| work laptop to their personal iCloud account.
|
| We watch it happen. We have the tools to stop it. But we're not
| empowered to use them, for the exact same reasons that led to
| Equifax's fuckup-- we're not allowed to do anything that might
| impact production/pursuit of new revenue.
|
| Lately, I'm not convinced this is even the "wrong" approach.
| Espionage was not invented alongside the Internet. If we build
| a Thing and it's the only Thing we sell, data concerning it
| will inevitably be stolen by someone in some way. But if we
| iterate on it fast enough, the value of older versions leaked
| diminishes. We're in the market of building and selling a
| moving target.
|
| It also creates an inflated volume of data. You can't just
| break in, grab "the_flag.zip" and run like hell-- you have to
| exfiltrate a fuckton of data, make sense of it, and carve
| something usable from it. Like, checking binaries into a git
| repo makes the size bloom, but it doesn't add a proportionate
| amount of "value" to stealing that repo. It's padded with
| drafts and garbage.
| cryptonector wrote:
| You need to disallow all USB devices not on an approved list,
| which must all be keyboards and mice and nothing more.
| lokar wrote:
| I worked somewhere that filled all the usb ports with
| epoxy. They maintained a large stock of ps/2 keyboards and
| mice.
| barryrandall wrote:
| > Like how can one download so many files from a company
| network and no alarm is set off ?
|
| Slowly, hidden among legitimate traffic, and indirectly. For
| example, most companies don't notice 100 kb/sec increases in
| DNS traffic, slight increases in web server image sizes, or
| changes to server MOTDs.
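A small, steady increase in DNS traffic is the classic signature of a tunnel, and it is catchable when queries are profiled per client and domain rather than counted globally. The following is an added example, not code from the thread: it runs three heuristics (query volume, fraction of never-repeated names, and character entropy of the subdomain labels) over constructed resolver log lines. The log field format (client=, qtype=, qname=) is assumed, the registered-domain split simply takes the last two labels where a real detector would consult the public suffix list, and all names and addresses are made up.

```python
"""Flag DNS tunnelling from query logs by per-(client, domain) volume,
name uniqueness and subdomain entropy.

Added example. Log lines are constructed; the field layout and the
last-two-labels domain split are simplifying assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict


def make_sample_log():
    lines = []
    for i in range(30):  # ordinary lookups: few distinct names, repeated
        lines.append(f"2023-11-20T10:{i:02d}:00Z client=10.1.2.30 qtype=A qname=www.example.com")
        lines.append(f"2023-11-20T10:{i:02d}:05Z client=10.1.2.30 qtype=A qname=mail.example.com")
    for i in range(60):  # tunnel: data chunks hex-encoded into two 32-char labels
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
        qname = f"{chunk[:32]}.{chunk[32:]}.cdn-sync.example.net"
        lines.append(f"2023-11-20T10:00:{i:02d}Z client=10.1.2.77 qtype=TXT qname={qname}")
    return lines


def parse_line(line):
    """Return (client, qname) from a 'ts client=.. qtype=.. qname=..' line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["client"], fields["qname"].rstrip(".").lower()


def split_domain(qname):
    """Assumption: registered domain = last two labels (no PSL lookup)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text):
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def profile(lines):
    """Aggregate subdomain statistics per (client, registered domain)."""
    subs_by_key = defaultdict(list)
    for line in lines:
        client, qname = parse_line(line)
        registered, sub = split_domain(qname)
        subs_by_key[(client, registered)].append(sub)
    out = {}
    for key, subs in subs_by_key.items():
        blob = "".join(s.replace(".", "") for s in subs)
        out[key] = {
            "queries": len(subs),
            "unique_fraction": len(set(subs)) / len(subs),
            "avg_sub_len": sum(len(s) for s in subs) / len(subs),
            "entropy": shannon_entropy(blob),
            "qname_bytes": sum(len(s) for s in subs),  # payload carried upstream
        }
    return out


def detect(lines, min_queries=20, min_unique=0.9, min_entropy=3.2, min_avg_len=30):
    """Return (client, domain) pairs whose query pattern looks like a tunnel.
    All four thresholds must be met, which keeps a busy but repetitive
    client (many lookups of the same few names) from being flagged."""
    flagged = []
    for key, m in profile(lines).items():
        if (m["queries"] >= min_queries and m["unique_fraction"] >= min_unique
                and m["entropy"] >= min_entropy and m["avg_sub_len"] >= min_avg_len):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for key, metrics in profile(make_sample_log()).items():
        print(key, metrics)
    print("flagged:", detect(make_sample_log()))
```

The known false positives for this heuristic are CDN and anti-spam hostnames that legitimately carry hashes in their labels; the usual fix is an allowlist of those registered domains, plus correlating the flagged client with the qname_bytes figure over time, since a tunnel moving data shows a sustained upstream byte count that a CDN lookup pattern does not.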
| ThinkBeat wrote:
| My memory is not the greatest and simple Google searches are not
| helping right now.
|
| Have there ever been massive problems from one of these leaks for
| the targeted company?
|
| I seem to remember quite a lot of similar leaks over the past two
| years where the market and public shrug it off.
|
| Clearly 45gig is a lot. I would think if there was a major
| horrible thing to find that Boeing would have paid the ransom
| (and told no one).
|
| Will it have any real negative consequences for Boeing?
|
| It is a black mark against them that they were vulnerable. I
| guess it is favorable point for many that they didn't pay.
| 1-6 wrote:
| The moment a company pays good money, that legitimizes the
| hacking group and emboldens them to keep going. You can't trust
| that they'll not leak even after they get paid.
| freedude wrote:
| 45GB of data could be like a dozen or fewer employees' Outlook PST
| files. For this to be astounding we would need to know the
| quality of the data. Otherwise it is a bunch of hype and hoopla.
| campbel wrote:
| You better pay up or we'll delete all of Marge and Victor's
| email backups!
| augustulus wrote:
| We should be careful making the assumption that this is all the
| data they exfiltrated. This could easily just be the first
| tranche to prove that they're serious.
| SahAssar wrote:
| Can we stop using disk size as a measure of leaked data?
|
| There are bluray movies larger than this leak and there are files
| smaller than 10kb a lot more critical in most businesses.
|
| It'd be nice if there was some sort of scale for data leaks like
| (just spitballing here):
|
| 1. Leak destroys all core company functions (crypto-exchange
| leaks all wallet keys, CA leaks all root keys and becomes banned
| from all trust stores, etc.)
|
| 2. Leak causes regulatory issues criminal enough to shut down
| company
|
| 3. Leak severely hinders core company functions (deploy keys for
| a cloud computing SaaS are deleted which stops all new
| deployments until all infra is reconfigured)
|
| 4. Leak severely loses company competitive advantages (new
| products leak that are replicable by competitors)
|
| 5. Leak causes severe PR disaster
|
| 6. Leak shows embarrassing internal company communication without
| any of the above
| tyingq wrote:
| Would be nice, but there would quite a lot of analysis needed
| to be able to determine any of that. Which you can't start
| until the file is public.
| SahAssar wrote:
| Sure, but instead of saying "Boeing leaked 45GB" it would say
| "Boeing leaked files of undetermined severity".
|
| The disk size does not matter, and when the severity was
| actually determined it would show up in the headlines as
| "Boeing leak determined to be a level 3 leak" instead of just
| being "That boeing leak 5 months ago was kinda bad".
|
| Either way, listing the size says very little.
| xcv123 wrote:
| These are journalists publishing breaking news. They are
| not autistic IT professionals.
|
| Relevant quote from the article: "I haven't gone over the
| whole data set but Boeing emails and a few others stand out
| as useful for those with malicious intent"
| SahAssar wrote:
| Journalists are almost never deep experts of the fields
| they report on (although I hope well versed), but given
| the tools to report the news in a way that is more
| understandable to the public I think they will use them.
|
| Both journalists and the public need a better way to
| understand how different breaches affect them.
| xcv123 wrote:
| As someone wrote earlier, they won't know the severity
| until it is analyzed. That could take a long time. Days
| or weeks. This is just the breaking news. Also what
| incentive does anyone have to waste their free time
| analyzing the data and issuing a report to you after this
| headline that the general public will not give a shit
| about a few days later?
| SahAssar wrote:
| I'm not saying to delay the report. I'm saying to not
| headline the size of the leak unless it has some sort of
| significance. If the severity is later known report that
| as news.
|
| If anything this would create two stories where there now
| is one, so journalists would not have less or later to
| report.
| vinaypai wrote:
| > They are not autistic IT professionals.
|
| What does autism have to do with having the professional
| integrity to understand what it is you're writing about
| before publishing sensational claims?
| rebolek wrote:
| I believe that Boeing already did that analysis and
| determined it's #6.
| tyingq wrote:
| At this point, I think there's quite a lot of "breach
| fatigue" now where the general public doesn't care about
| these stories. It's just "oh, I guess I get another year of
| free identity theft services".
| cvoss wrote:
| Well, first, I'd expect Boeing already had some idea of the
| scope of what was compromised simply by investigating their
| own systems. After all, they knew enough to declare there was
| no impact on flight safety.
|
| And second, even if a company has no idea of the scope, the
| hackers would somehow want to prove at least privately what
| the scope was, else their threat is not as manipulative as it
| could be. On the other hand, the hackers can't credibly bluff
| and inflate the scope too far beyond reality because the
| company can just say "prove it or I don't believe you and I
| won't pay." And the hackers want to get paid.
|
| It's a business deal after all. A really crappy one involving
| criminals. But at the end of the day, the company must have
| already assessed the value of the leak in order to reach a
| decision.
| tyingq wrote:
| >I'd expect Boeing already had some idea of the scope of
| what was compromised
|
| I've seen companies say this sort of thing with high
| confidence. But that seems hard to me, assuming some level
| of administrative access was breached.
| porompompero wrote:
| Nice, it sounds to me similar to the earthquake Richter scale.
| ssss11 wrote:
| You're describing a risk matrix. What level of risk does this
| data hold for the company.
|
| I think that is a good way of measuring it.
| msmith wrote:
| This sounds like how we use a CVSS score to gauge the severity
| of software vulnerabilities.
|
| Maybe the world needs a standardized place to catalog and rank
| all the data breaches that have been disclosed.
| FridgeSeal wrote:
| Because half the time companies can't be trusted to even admit
| there's a leak, let alone the severity of it.
|
| Groups that leak are likely to want to inflate the severity of
| the leak to ensure they get paid.
|
| The larger a leak, the higher the probability there's sensitive
| information in there, and the better opportunities/more time
| attackers had to exfiltrate it.
| SahAssar wrote:
| Agreed, but journalists need a better way to communicate.
| Saying 45GB sounds like a lot of emails to a technical person
| and nothing to someone who bought a bargain-bin 64GB USB
| memory stick the other day and filled it with a single HD
| movie.
|
| The info says nothing, it conveys nothing. Even skipping the
| size and saying it leaked "emails" says more in the headline
| than the size.
|
| A single video recording of an all-hands meeting could fill
| that size but it could also be emails containing the keys for
| accessing a large part of DOD.
| dylan604 wrote:
| Or at least say what the 45GB (for this example) of data
| compromises. As you say, if it were video files, that would add
| up pretty quick, but if it were 45GB of emails, then that's a
| hellalotuvdata. That would be the equivalent of a hostile law
| firm dumping a truck load of banker boxes on a smaller law firm
| to bury the lede.
|
| Kind of like saying I have 10. 10 what? As my math/science
| teachers always said, don't forget to include your units.
| phasnox wrote:
| "After Boeing declines to pay up, ransomware group releases
| DEFCON 3 leak"
|
| Could be the alternative headline.
| fishtacos wrote:
| I was working (very recently, during the wave in which 5000+
| companies were hacked via what I presume were zero-day hacks) for
| an MSP. 600 GB of data were exfiltrated from a law firm with
| several terabytes of storage of customer data kept due to data
| retention laws.
|
| They asked for almost a million USD. FBI got involved,
| everything was restored from backups (thankfully, a month loss
| of digitalized work), and absolutely nothing was given to the
| ransomware group.
|
| To your point, there are severe regulatory issues that have to
| be addressed due to the exfiltration. I no longer work for
| them, so I don't know the extent of their cost in 1. notifying
| affected clients and 2. providing credit protection coverage
| due to leaking of personal data.
| _visgean wrote:
| This happened now, you can't assess right now any of these
| statements.
| ForkMeOnTinder wrote:
| For me the disk size is interesting because it tells me how
| long I'd have to wait if I wanted to download the leak myself,
| which I do from time to time. (not downloading this one though)
| incahoots wrote:
| I'm at an en-passe here, on the one hand I think Boeing sucks as
| it's primary business is now hyper focused for defense purposes.
| On the other, ransomware generally hurts companies and
| municipalities that generally don't deserve it.
|
| Boeing, Lockheed Martin, Facebook, etc...deserve it
| verandaguy wrote:
| Nit: it's an impasse, not an en-passe.
| justrealist wrote:
| > Boeing sucks as it's primary business is now hyper focused
| for defense purposes
|
| This is a childish 2000s take. The world is rougher, Pax
| Americana is over, we need effective defense contractors
| because the world is full of assholes. Grow up.
| mach5 wrote:
| It's rougher because of America, not in spite of it. It's a
| self-reinforcing feedback loop. Implying you are the grown up
| in the room because you are 'realist' about this or whatever
| is a classic dimwit take.
| justrealist wrote:
| Let me guess, Russia invaded Ukraine to eradicate the US
| biolabs breeding nazi GMO mosquitos.
| cscurmudgeon wrote:
| Yep, so true. Before 1776 there were no wars and the world
| was deaf due to sound overload from globally synchronized
| Khumbaya singing.
| phpisthebest wrote:
| No this is a very 2023 take, everything has to be looked at
| from the lens of the Oppressor vs oppressed narrative, and
| since America, the great satan, is always the "oppressor",
| America is always bad and must be opposed
|
| Any company that helps support America is also bad and must
| be opposed
|
| Any person that does not view America as bad is a bigot
| alt-right extremist and must be opposed
|
| That is the state of politics for 2023, and anyone born after
| the year 1990 or so
| gist wrote:
| A writer contacted me about my thoughts (unrelated and separate
| from this event) about how the disclosure of vulnerabilities and
| methods of hacking (of all types and in almost all situations)
| aids bad actors vs. helps companies protect their systems (by
| knowing vulnerabilities that are often so obscure they would
| reasonably never be exploited).
|
| Point is what is the upside of disclosure (I think) vs. the
| downside. Nobody is suggesting no disclosure but the writer
| seemed to think that the security industrial complex has
| lawmakers believing that everything should be open and there
| should be constant white hat hacking which seems to feed and
| benefit the security industry.
|
| I am curious if anyone has a thought on this topic.
___________________________________________________________________
(page generated 2023-11-20 23:00 UTC)