Bloomberg: $5 Million Ransom Paid to Criminals, to Restore East Coast Fuel Supplies

Guest essay by Eric Worrall

Bloomberg claims Colonial paid the ransom to cybercriminals who halted 45% of East Coast fuel supplies. But this episode has exposed just how vulnerable vital US systems are to hacking or system failure.

Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom

By William Turton, Michael Riley, and Jennifer Jacobs. 14 May 2021, 00:15 GMT+10

  •  Payment came shortly after attack got underway last week
  •  FBI discourages organizations from paying ransom to hackers

Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.

The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.

When Bloomberg News asked President Joe Biden if he was briefed on the company’s ransom payment, the president paused, then said: “I have no comment on that.”

Read more: https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom

Anybody can get hacked; the hackers have an inherent advantage. System security professionals have to get it right every time, while cybercriminals only have to get it right once.

But what happens after you are hacked is at least as important as protecting systems from being hacked.

Colonial allegedly paying the ransom tells me they felt they had no other choice. Why would they pay the ransom if they could simply restore the hacked systems from a backup copy? Either they had no backup, they didn’t trust their backup, or they didn’t think they could restore from it in a reasonable timeframe.

Giving code written by criminals a second chance to mess with your system is surely an act of desperation. If a criminal wants to shake down their victims a second time, it’s a lot easier to plant additional malware or weaknesses by coercing the victims into running a $5 million “cleanup” tool than to break through what will surely be tougher security a second time from scratch.

There are other risks besides cyberhacking which might create the need for a restoration from backup. In 1859 the Carrington Event, a colossal solar flare, struck the Earth, causing enormous electrical disturbances throughout the primitive telegraph system of the time. A similar event today wouldn’t necessarily destroy everything electronic, but there would be extensive damage. A lot of computer hardware would suffer total or partial failure. Some might be repairable, but a lot of it would have to be junked and replaced.

Everyone has heard of a nuclear EMP device, but there are non-nuclear EMP devices which are easy to build but capable of causing extraordinary damage at range to electronic equipment. Originally developed in the Soviet Union for nuclear fusion research, these non-nuclear EMP devices convert a sizeable percentage of the energy released by a chemical explosion into an electromagnetic shockwave, like a localised man-made Carrington event. It is only a matter of time until eco-crazies start pointing home-made EMP devices at oil and gas infrastructure.

There are plenty of other risks which need to be managed. I once saw an entire utility company fail because they refused to give a 10% pay rise to the only person in the company who understood how their badly written 30-year-old systems worked (not me, someone else). After his departure, management discovered they were no longer able to issue utility bills. They had no idea how important that one person was to their operations and profitability.

Let’s hope Colonial has those secure backups ready, and adequate risk management systems in place, for when the next Carrington event or another widespread disaster or attack takes out some of their computer systems.

107 Comments
amirlach
May 15, 2021 2:25 pm

But your election was totally safe from hackers…

AWG
Reply to  amirlach
May 15, 2021 2:50 pm

Exactly. The alleged “hackers” (if you believe the narrative) saw it as a $5M haul in fiat. The hacking of the Election’s payoff is in the form of an international slush fund of many trillions of fiat plus POWER to loot more until the host is dead.

Bryan A
Reply to  Duker
May 15, 2021 5:30 pm

Not only how vulnerable to hacking but how lucrative for hackers
$5M this time
$500M next time
$5B the third time
They had better get their $#!T together

Reply to  Bryan A
May 15, 2021 7:32 pm

That isn’t their business model; see ‘Ransomware as a service’.
Likely they didn’t know how important this company was, among dozens every week they target for this. Smaller amounts are more likely to be paid up quickly.
Even $50 mill is absurd; the end result is like robbing the Federal Reserve Bank in your city, a whole lot of serious grief compared to robbing a suburban bank, where it’s just part of the local PD armed robbery squad’s list.

Just another guy
Reply to  Duker
May 16, 2021 5:03 pm

From the statement issued by the hackers, this wasn’t a target they picked. It was a contract job. Now, I wonder, who would benefit from shutting down a big source of US fossil fuels? Certainly not another country, too risky and an act of war if traced back. Who benefits? Can anyone think of a group that hates fossil fuels and would delight in seeing them become ‘unreliable’?

Because doing this for $5 mil is chickenfeed. The object was to shut down the pipeline… but in a ‘clean’ way.

Reply to  Duker
May 16, 2021 6:00 am

Mr. Lincoln was not a popular guy while he was living. I make it a point not to read WP propaganda, so would kindly ask you if the article mentioned how many opposition newspapers were shut down, about troops being deployed to polling places and the jailing of dissidents and the suspension of habeas corpus – all in Lincoln’s north.

Reply to  amirlach
May 15, 2021 4:32 pm

“But your election was totally safe from hackers…”
That’s why Dominion voting machines were mostly ‘ballot printers’ to create a paper copy of the voter’s intent, which they could check, and then that page is scanned to provide the initial count. That initial count has both rescans and ballot page manual recount.
It’s obvious to anyone even now from the circus in Arizona that they are looking at an arena full of paper ballots.
The claim of a screen-to-server digital system to record votes isn’t happening anytime soon, as the security doesn’t seem to be robust at all, yet the false claims are made.

Tom Abbott
Reply to  Duker
May 15, 2021 6:49 pm

I hear all the voting machine data in Arizona has been illegally deleted by someone. It’s a federal crime to delete this data.

Reply to  Tom Abbott
May 15, 2021 7:34 pm

Repeat after me … paper ballots. But I think you have a thing about false claims triggering your neurons.

Tom Abbott
Reply to  Duker
May 16, 2021 4:13 am

Whatever that means.

Reply to  Duker
May 16, 2021 7:28 am

The Dominion voting system is a system, not a machine. It includes the ballot input device which prints the voter’s ballots, as you said, but it also includes an optical scanner that scans the printed result, as well as the servers and databases that collect the scanned ballot counts.

It is those databases that store the tallied results and send them on to the state as the county’s official vote count.

Part of the purpose of the printed ballots is to ensure auditability…the ability to recount the paper copies of the ballots and compare them to the tallies contained in the database. You know…what’s going on right now that the Democrats are fighting so hard to stop…I wonder why.

Oh…but the tally database was deleted so no comparison can be made and no analysis of if and how the vote count was manipulated can be performed…what a purely random and totally innocent coincidence that is right?

So, even if the hand recount of the paper ballots doesn’t match the final tally sent from the county to the state, there’s no way to figure out who did it, when and how. Convenient that.

In the only other county audit from one of the states whose election results were…um…interesting…it was also discovered that important computer files were deleted…in this case, the log files that record accesses to the database and records of changes made.

So, so far, in 100% of the counties from the states whose election results are in question and forensic audits of the system have been conducted, we’ve discovered illegal deletion of critical data from the voting system.

But there’s no evidence of vote fraud right? That’s just a conspiracy theory.

Pro Tip: Ignoring the evidence really, really hard does not make the evidence go away.

Anon
Reply to  amirlach
May 15, 2021 6:00 pm

When I saw dollars instead of rubles, I had to look twice. CNN is missing a step. (lol)

May 15, 2021 2:25 pm

Look up the paper on EMP by Mario Rabinowitz at EPRI regarding EMP effects _not_ being the debilitating ‘bogey man’ most people (including technical authors) make it out to be …

Rud Istvan
Reply to  Eric Worrall
May 15, 2021 3:28 pm

Eric, as a former one of the top 15 execs at MOT ( a while ago), what you say is unbelievably true. It was true 25 years ago at 400 micron line widths, it is unbelievably true now at 10 nanometers.

The ‘wires’ connecting chip transistors are also ‘fuse links’—which used to be an actual thing called a FPGA semiconductor. We used them in my 1993 Indala RFID acquisition to ‘blow’ links to permanently encode a unique ID into each FPGA chip in our devices—all fabbed the same—millions per year way back then, literally handing out unique digital keys to our RFID systems. My current permanent address still uses the MOT Indala access system.

Rud Istvan
Reply to  Rud Istvan
May 15, 2021 4:46 pm

Just to carry on. I now have two (my choice) credit and one debit card, all three now NFC enabled. NFC is the great grandson of RFID. Works the same way, only unimaginably less (then) chip size+antennae, and thus the resulting minimal energetic voltage requirements.
Life lesson: right but with wrong timing=wrong.

Jay Hendon
Reply to  Rud Istvan
May 15, 2021 5:56 pm

Why does the EMP emitted by thunderstorms in my neighborhood not destroy my laptop?

coaldust
Reply to  Jay Hendon
May 17, 2021 1:31 pm

Because the power of a lightning bolt is much smaller than the power of a nuclear bomb blast. Have you considered why the thunderstorms in your neighborhood don’t flatten all structures and start everything on fire?

David A
Reply to  Rud Istvan
May 15, 2021 11:49 pm

Are rooftop solar systems vulnerable to such natural events?

Archie
Reply to  John
May 15, 2021 5:05 pm

Yes, and this is coming next.

dk_
Reply to  Archie
May 16, 2021 12:52 am

Klaus is absolutely correct. But the real scary thing is that an attack launched right now might not be detected for years, or not at all, and could be triggered either by detection of specific events or remotely.

High Treason
May 15, 2021 2:30 pm

Cryptocurrency is actually extremely easy to track: every bitcoin or fraction of a bitcoin has a full cyber history. Thus, this fraud that has caused mass damage to the economy and mass inconvenience can have the perpetrators caught and jailed for 100 years for grand theft.
Perhaps come up with some other way of convicting them after the Bitcoin tip-off so the trap criminals have fallen into is still open for law enforcement.
Mind you, this extortion pales into insignificance when compared with the extortion by the UN via the Paris Accord. The UN has effectively extorted hundreds of billions from the nations (and taxpayers) of the world.

Reply to  High Treason
May 15, 2021 2:58 pm

HT, I get your points but need to point out that the crypto-locking of computer operating systems and/or associated databases, for the purpose of monetary ransom to remove such, is actually not a crime of “fraud” but is instead a crime of “extortion”.

The perpetrators of such deserve the retribution dispensed by a John Wick, not by courts-of-law and jails.

Alexy Scherbakoff
Reply to  Gordon A. Dressler
May 15, 2021 7:12 pm

If John Wick is unavailable you can always try ‘Nobody’ (recent movie).

Walter Sobchak
Reply to  High Treason
May 15, 2021 7:13 pm

The full cyber history is not like a meatspace bank account with name, street address, and taxpayer identification number, all verified with photo id.

Bitcoins are registered to bitcoin addresses. Creating a bitcoin address requires nothing more than picking a random valid private key and computing the corresponding bitcoin address. There is no link between the bitcoin address and the real world person who created it. It is totally anonymous and not related to anything in the real world. Once a bitcoin is transferred to a bitcoin address, only a person who knows the private key can control it.

There is simply no way of finding out who has the proceeds of a crime if they are in bitcoin format.

David A
Reply to  Walter Sobchak
May 15, 2021 11:52 pm

Walter says, “There is simply no way of finding out who has the proceeds of a crime if they are in bitcoin format.”

So if the “private key” is lost then the investment is gone?

John Dilks
Reply to  David A
May 16, 2021 5:14 pm

Yes.

Walter Sobchak
May 15, 2021 2:30 pm

The most important thing we need to do is to limit the use of bitcoin. It is the perfect medium for international criminal enterprises. The thing we need to do is to prevent all regulated US financial institutions from dealing in or transmitting funds to and from bitcoin platforms. Without the ability to be paid, there is no incentive for hackers.

John Dilks
Reply to  Walter Sobchak
May 16, 2021 5:17 pm

Nope. Bitcoin is useful in other ways. Hackers will find other ways to get paid. Stop doing stupid things with your computers and networks.

Lurker Pete
Reply to  Walter Sobchak
May 17, 2021 12:57 am

Because cartels (private & public sector) never worked out how to move ~$800 billion p.a. before bitcoin?

You think BCCI was just a lonesome rogue trader?

lol

May 15, 2021 2:50 pm

Ransom hacking such as this is actually relatively easy to prevent/overcome:

1) make daily backups of your complete operating system(s) and store them on backup memory (e.g., SSDs) separated from any computers or in computer(s) electronically separated from the basic computer(s) being used for daily operations and separate from any computer having an Internet/Web connection.

2) Never, ever have your primary operating computer electronically connected to the Internet/Web for any reason.

Assuming you have no sleeping viruses in your current operating software and associated database(s) and are never connected to the Internet/Web, you cannot be “hacked” other than by an “inside job” . . . and there are ways to monitor and protect against even that.

And with a good regular software backup philosophy, you can give the hackers the middle finger in any case and continue on with your business with just a temporary computer shutdown and software/database reload.

Stevek
Reply to  Gordon A. Dressler
May 15, 2021 3:07 pm

Your points are all valid. The issue I see is that management in a company says that backups and security are important but they rarely put the resources into making it work.

At work sometimes I actually will purposely delete one of my files and then ask the system guys to restore it. This is a sanity check for me to make sure my files are really being backed up.

Reply to  Gordon A. Dressler
May 15, 2021 4:41 pm

“Never, ever have your primary operating computer electronically connected to the Internet/Web for any reason”
I think the Colonial Pipeline company had that for its pipeline servers; however, without the rest of the company’s servers for business and personnel – which were compromised – available, they couldn’t work as a business, and to be absolutely sure they closed their entire systems.

Reply to  Duker
May 16, 2021 12:28 pm

Good point! I would then comment that Colonial Pipeline’s “company servers for business and personnel” should have been categorized as “primary operating computers” and protected as such.

Reply to  Gordon A. Dressler
May 15, 2021 5:04 pm

I suspect it is extremely difficult to not be connected to the internet due to the prevalence of remote monitoring/control by persons working remotely from a physical connection to the systems.

This has been exacerbated by the current Covid issue having work from home as a practical method for isolation plus still being able to get work done. Connection to systems requires a local connection via the internet with, hopefully, sufficient security overlays (VPN, etc) to protect from nefarious actors.

More convenience equals less security.

Reply to  John in Oz
May 15, 2021 7:40 pm

Maybe. Even before 2000 I worked for a US company involved in top secret work – I was in more mundane commercial applications – they ran every single outside connection in their offices in cities and other countries through a security centre in Virginia first.
It was called leased lines then and was a higher form of VPN, and that was before internet security was a thing.

Reply to  John in Oz
May 16, 2021 12:13 pm

JinO posted “I suspect it is extremely difficult to not be connected to the internet due to the prevalence of remote monitoring/control by persons working remotely from a physical connection to the systems.”

Well, yes and no. Consider the computers aboard modern commercial jets that monitor and control very complex “systems of systems”. To the best of my knowledge, they do not use tied-in Internet connectivity. But they usually RF transmit-only data to ground facilities for things like real-time position, altitude, airspeed, and engine performance.

Similarly, modern cars today have multiple interconnected microprocessors to monitor and manage things like engine performance, exhaust emissions, and navigation yet do not require Internet-connectivity to either transmit or receive such related data.

One wonders why today’s sophisticated monitoring/control computers really should require/admit control to “persons working remotely” (thus requiring Internet connectivity), except for laziness or cost-cutting measures.

But maybe just potentially paying out multiple millions of dollars to hackers installing ransomware on their computer systems is a risk many companies willingly accept . . . time will tell.

One thing is for sure: the announcement that the ransomware hackers were able to get ~5 Million USD for their efforts will greatly encourage more such activity.

Reply to  Gordon A. Dressler
May 15, 2021 7:30 pm

I agree with most of what you said, except keeping your core systems off the internet. In the modern world, that would render them useless.

That said, I agree that protecting from a ransomware attack is not that hard. Air gapped copies of frequent backups onto media that can be write locked (LTO tape for example) is a technique that has been around for decades. The problem is while this best practice has been around for a long time, management is rarely willing to shell out the bucks to get proper expertise and regular audits. Worse, it sounds simple to implement, but it isn’t. IT shops get lulled into thinking they’ve done it right because they lack the expertise to know if they’ve missed a crucial step, and being overwhelmed with day to day problems they fail to find time to test their backups.

Over 50% of the backup audits I do turn up a problem that would prevent recovery from backup. That was true 20 years ago when I got involved in this industry, and it is true today.
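The essay asks whether Colonial could trust its backup, and the comments above (Gordon’s separated backups, Stevek’s deliberate-delete-and-restore check, davidmhoffer’s failed backup audits) describe the discipline that answers that question. The Python below is an added example, not code from the post or any commenter: it hashes a backup set into a manifest authenticated with a key assumed to be held off the backup host, then flags modified, missing or foreign files and a failed single-file restore drill; the scenario, file names and key are constructed for the demo.

```python
"""Backup integrity audit: prove a backup set is still the one you took
before you stake recovery on it.  Added illustration, not the page's code."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# ASSUMPTION: the manifest key lives with the write-locked media or on a
# separate system, never on the host being backed up, so malware that owns
# that host cannot forge a "clean" manifest.  Constructed value for the demo.
OFFLINE_KEY = b"demo-only-key-kept-off-the-backup-host"


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Map 'relative/posix/path' -> absolute path for every file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return out


def _canon(files):
    """Canonical JSON of the file map; the HMAC is computed over this form."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, key):
    """Hash every file under root and sign the listing with the offline key."""
    files = {rel: sha256_file(full) for rel, full in _walk(root).items()}
    tag = hmac.new(key, _canon(files), hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "hmac": tag}).encode()


def load_manifest(blob, key):
    """Return the file map only if the HMAC still matches, else None.
    A manifest rewritten to match encrypted files fails here."""
    doc = json.loads(blob)
    expected = hmac.new(key, _canon(doc["files"]), hashlib.sha256).hexdigest()
    return doc["files"] if hmac.compare_digest(expected, doc["hmac"]) else None


def audit_backup(root, files):
    """Compare the backup tree against its manifest.  A 'modified' entry means
    the copy on disk is not what was written: bit rot, or a backup the
    ransomware reached and encrypted before it announced itself."""
    present = _walk(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in files.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(present) - set(files))
    report["modified"].sort()
    report["missing"].sort()
    return report


def restore_drill(backup_root, files, rel, dest_dir):
    """Stevek's check in code: restore one file and verify it against the
    manifest before anyone trusts the backup.  True only if the restored
    bytes hash to the value recorded at backup time."""
    src = os.path.join(backup_root, *rel.split("/"))
    dest = os.path.join(dest_dir, *rel.split("/"))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(src, dest)
    return sha256_file(dest) == files.get(rel)


def demo():
    """Constructed scenario: take a backup, then alter it the way an intruder
    who reached the online backups would, and audit the result."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "data"))
        os.makedirs(os.path.join(backup, "config"))
        with open(os.path.join(backup, "data", "ledger.db"), "wb") as f:
            f.write(b"shipment,customer,barrels\n1,acme,5000\n")  # constructed
        with open(os.path.join(backup, "config", "app.ini"), "w") as f:
            f.write("[db]\nhost=history-server\n")  # constructed
        manifest = build_manifest(backup, OFFLINE_KEY)
        files = load_manifest(manifest, OFFLINE_KEY)
        clean = audit_backup(backup, files)
        drill_before = restore_drill(backup, files, "data/ledger.db",
                                     os.path.join(tmp, "restore"))
        # Later: one file overwritten with noise (stand-in for encryption),
        # one deleted, one foreign file dropped into the tree.
        with open(os.path.join(backup, "data", "ledger.db"), "wb") as f:
            f.write(os.urandom(40))
        os.remove(os.path.join(backup, "config", "app.ini"))
        with open(os.path.join(backup, "README_RESTORE.txt"), "w") as f:
            f.write("foreign file")
        dirty = audit_backup(backup, files)
        drill_after = restore_drill(backup, files, "data/ledger.db",
                                    os.path.join(tmp, "restore"))
        # Forged manifest: hashes rewritten to match, but the HMAC cannot be.
        forged = json.loads(manifest)
        forged["files"]["data/ledger.db"] = sha256_file(
            os.path.join(backup, "data", "ledger.db"))
        forged_ok = load_manifest(json.dumps(forged).encode(), OFFLINE_KEY)
        return {"clean": clean, "dirty": dirty, "drill_before": drill_before,
                "drill_after": drill_after,
                "forged_manifest_accepted": forged_ok is not None}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```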

dk_
Reply to  davidmhoffer
May 16, 2021 1:02 am

I think what Gordon may refer to is not doing “core” work on a connected computer. Then having another connected system or systems to do other work. It is a good clean room approach that is absolutely perfect for some situations, but requires pre-planning and some sort of discipline to prevent ad hoc modification that could make the system vulnerable. It also restricts the usefulness of the core system — which is why planning and design, maintenance, and process discipline is required, and an unholy beotch to try to explain to a naive manager or bean wrangler looking to cut costs (their job, btw).
No matter how well you design and implement a system, by nature it will break down. A single personnel retirement, a lost physical copy, a bad day at the office, or a single drive-by retasking by micromanagers can potentially break a lot of systems. An unforeseen event — maybe a forced layoff, strike, or lockout — could permanently put the systems out or place them at risk.

Reply to  dk_
May 16, 2021 11:47 am

I’ve built out multiple air gapped systems for customers. Popular in media and entertainment where the chance of having a stolen copy of a new movie get out before the movie is released has to be eliminated. Military examples also. But the use cases where this can work are few and far between.

dk_
Reply to  davidmhoffer
May 17, 2021 3:10 pm

Yes. Business case (can’t believe I used the term) driven. Making such a thing where it doesn’t fit is guaranteed to fail, or fall into waste and disuse.

Reply to  davidmhoffer
May 16, 2021 12:17 pm

davidmhoffer posted “I agree with most of what you said, except keeping your core systems off the internet. In the modern world, that would render them useless.”

I do not agree with that statement. Please see my reply to “John in Oz” above.

Reply to  Gordon A. Dressler
May 16, 2021 12:46 pm

Your reply to John lists examples that have nothing to do with the day to day running of business systems, which are THE primary target. An accounting system that gathers today’s transactions from thousands of retail outlets all around the globe gets connected… how? You want to run dedicated fibre runs to each one of them so they don’t touch the internet? Not practical. Same goes for the telemetry feeds from the controllers on the pipeline. That’s the information that feeds all the business apps, and you have to get it there somehow. Not to mention that SCADA devices are themselves hackable, and can be used by someone in physical proximity to them to compromise business systems from the device itself EVEN IF neither touches the internet.

Alan Robertson
Reply to  Gordon A. Dressler
May 16, 2021 4:59 am

The most interesting aspect of this whole misadventure was that the Federal agency tasked with the prevention and mitigation of this sort of thing publicly abdicated responsibility.

Reply to  Alan Robertson
May 16, 2021 12:24 pm

The “Federal agency” (I think there are more than one) is/are far “behind the curve” on prevention and mitigation of ransomware hacking.

They should not be . . . this is the equivalent of global war on a digital scale.

dk_
Reply to  Gordon A. Dressler
May 17, 2021 3:21 pm

Please, Lord, don’t let me live to see the day when a U.S. federal agency simultaneously has the authority, power, law, funding, and expertise to manage and regulate a private company to that degree. I will be good, promise.

Governments don’t protect anyone from anything. People use government cover to protect themselves. Governments also don’t have responsibility, only people. Governments are used by people to escape responsibility.

dk_
May 15, 2021 2:53 pm

Nearly twenty years ago internet and technology companies began selling cloud computing and internet distributed storage. The end result was that stored information capacity expanded rapidly beyond the capabilities of local IT management to back up or restore, and out of their span of control for close up detailed work. Back up media or duplicate storage capabilities are difficult for anyone trained in older technology to design, and terabytes of rapidly growing data simply do not have easy, cheap, reliable technology to support backup.
Even before the cloud and distributed computing evolution, backup and restore procedures were seldom exercised by IT, and most new employees didn’t know how to start a restore without training, often stored in the absent memories of high salaried, now retired or moved on, senior former employees.
One of the features of ransomware is that it runs in slow motion. Accesses are stealthed and processes run at low level in the background and run automatically. Before they “phone home” to the attacker, they’ve penetrated a large portion of the systems as well as the “online backups.” They exfiltrate data before they begin encryption, which in turn, for a network of any substantial size, takes much longer than the standard old backup media cycle. Likely, the last several backups are corrupted, not only software, but with bits and chunks of the ransomware software embedded. Restoration signals the attacker that the victim has tried to escape, and results in a higher demand with the likely as not punitive release of proprietary, privacy, or classified data. Even a few corrupted tags on a backup media are enough to poison the information.
But we have known about repeated attacks using ransomware for somewhere between four and five years. We’ve also had a rapidly growing number of IT security certifications and organizations, as well as government-required security compliance regulation. Yet this kind of attack is expanding. The best targets seem to be large bureaucracies, many of them medical, and embedded commercial infrastructure support. While we rushed to “protect” what we thought was the most threatened, namely military, diplomatic, and national law enforcement, we haven’t been able to push that protection out to the greatest vulnerabilities. Remind you of another recent crisis?
Following the current pattern for training, certifying and hiring IT security, an army of ex-coal miner or new-minted minor security specialists will only be able to run an audit checklist against an outdated compliance checklist which today’s overworked IT department is unequipped to even understand. Result will be “pencil whipped” compliance and certification of vulnerable or currently breached networks. No added benefit, but plenty of jobs for guardians of digital figuratively smoking ruins.

Robert A. Taylor
Reply to  dk_
May 15, 2021 3:16 pm

Thanks. You wrote what I was going to, and wrote better than I would have.
In addition Biden can simply declare the group responsible terrorists. Can’t remember the law, but I remember it being adopted. This allows shoot or capture on sight, anywhere in the world.

dk_
Reply to  Robert A. Taylor
May 15, 2021 4:05 pm

Thanks, in turn. I have a better edit, but ran out of time and space. Debating whether to ask the editor to trash the comment and re-submit as a separate contributing article. Thoughts?

Reply to  dk_
May 15, 2021 7:53 pm

Lots of comments on this site have later been rewritten and published, no need to trash it. Mind you it is an unforgiving audience (I wrote what I am pretty sure was the first IT centric article on WUWT shortly after ClimateGate)

In any event, feel free to augment, plagiarize, or quibble with my most recent effort on the topic.

https://www.x10networks.com/ransomware-checklist/

dk_
Reply to  davidmhoffer
May 15, 2021 9:53 pm

Thanks, I appreciate the encouragement. I’m debating posting more, but I will consider your recommendation.

Reply to  dk_
May 15, 2021 3:47 pm

Here’s a thought. Ensure that all digital equipment and software used to operate equipment, be it a pipeline or an electrical grid, be completely isolated from the web, and especially from The Cloud. Management can happily continue to do all their business processing in an unsafe environment, but the process management can be rendered safe from outside interference. Then also implement very strong controls on physical access to the off-net equipment.

dk_
Reply to  Retired_Engineer_Jim
May 15, 2021 4:09 pm

You are correct. That would be a good design. I know of, and have worked on several that do exactly that. It is just not how current systems and support evolved, since it is considered expensive and really hard to justify to the un-burned innocents who are in charge of the beans.
This whole mess is just one of the reasons that I am a retired engineer, too.
“Right, I hear you say, so you predicted this? You, who claim all predictions are fakes?” Nope, like Johnny Cash, I heard (and saw) the train a’ comin.’

Reply to  Retired_Engineer_Jim
May 15, 2021 7:41 pm

Well yeah, it would be a great design. Two problems.

First, the process equipment wasn’t hacked, the business systems were. If you don’t know how much oil you shipped to which customer, how do you bill any of them.

Second, the reason the systems both need to be interconnected is that it is telemetry from the process systems that informs the billing systems. Break that automation and administrative costs will overwhelm the cost of the product.

dk_
Reply to  davidmhoffer
May 17, 2021 3:24 pm

But half-witted, semi-trained, uneducated teenagers do make great keystroke information data transcribers. With their thumbs. For the first 15 minutes. For $15 an hour. Just think of the jobs!

Rud Istvan
May 15, 2021 2:53 pm

Three observations.

  1. It is evident that Colonial got caught with their pants down.
  2. It is evident that DHS is not doing an important job they were partly set up for.
  3. It is evident that Bitcoin and the like are a very bad idea, facilitating the financial side of the darkweb. International regular bank finance is pretty tightly regulated against things like money laundering. Why not Bitcoin?

There may be some longer term solutions that could come out of this fiasco.
—For interstate public utilities (pipelines, grids), federally mandated periodic audits no different than for nuclear plant operations, where there is already precedent. Maybe also for interstate hospital systems (first NHS UK, and now Ireland have been crippled).
—Better transnational cybercrime extradition treaties. They already exist for war crimes. Cyber crime is conceptually similar.

Stevek
Reply to  Rud Istvan
May 15, 2021 3:15 pm

I agree there need to be audits. I work for an investment firm and we have accounting audits every year and random SEC audits. Additionally every day our firm positions are independently verified by a 3rd party. Something similar is needed for IT.

TonyL
Reply to  Rud Istvan
May 15, 2021 4:03 pm

Consider an international commons. Perhaps one which is actually global in scope and is used by the various countries and nations of the world for trade and commerce. Have I just described the Internet and the World Wide Web, or have I described the world’s oceans? You grab a ship on the seas, and we all recognize it as piracy, we know how to respond, and what to do with the perpetrators. In this light, the Colonial attack is no different. It is straight up piracy.

It is evident that DHS is not doing an important job they were partly set up for.
Well, this is the understatement of the day. I saw the press conference with the Biden administration official nominally in charge. She said “This is a private company so the Administration is taking a hands-off approach”.
*Gasp*
So there would be no misunderstanding, she repeated the “private company, hands-off” line twice more. No chance of somebody having “misspoke”.

Now consider:
A bunch of no-good types seize a cruise ship with 5000 Americans aboard down in the Caribbean, and hold it for ransom. The US government issues a statement that the affair is between two private companies, and so the US will take a “Hands-Off” stance.

This is what we have come to.

dk_
Reply to  TonyL
May 15, 2021 4:14 pm

TonyL Great analogy. If I look at this like 17th century shipping and trade, vs. foreign interference, brigandage, and piracy, I think we need something like an early version of Lloyd’s of London. Probably backed by ships of the line, but I’m shakier on how to implement that part of the metaphor.
Thanks.

Rick C
Reply to  dk_
May 15, 2021 6:22 pm

How about some process that requires the ransom be reimbursed by the holders of the crypto-currency on a pro-rata basis. As there is a database that already knows who holds how much of each crypto it should be easy to implement. It would also provide an incentive for the computer wizards who control them to track and identify the thieves to the authorities.

dk_
Reply to  Rick C
May 15, 2021 10:04 pm

I’m with you in spirit, but not an expert in cryptocurrency. One of the features is supposed to be complete anonymity, from the outside as well as between any two parties to an exchange. Again, not an expert, but I think of the “database” as being like a bank list of serial numbered bills, with no reliable ID of ownership.
I get really nervous when someone talks about “requiring” behavior from international criminal and/or multinational intelligence organizations. While those are bad enough, I have a sense that the cure might be worse than the disease. I also understand why my suggestion might be abhorrent to some. Can’t remember who said “The works of man are fraught with magnifications of their authors’ shortcomings” or something like that. 🙂

Reply to  Rud Istvan
May 16, 2021 12:30 am

Having participated in quite a number of SOX and PCI audits, I’m not impressed with the process. Auditors know how to follow a checklist, without understanding what the checklist is supposed to check. Trying to explain to an auditor why the details they are requesting don’t apply in this particular environment is pretty much a lost cause. Regular audits are a good deal better than nothing, but a very long way from true security.

The other thing I’ve experienced is that every year the auditors ask for something different than they did the year before. This makes me wonder just how much of what they do is driven by a solid methodology and how much is just the personal opinions of that particular auditor. It’s like programmers who seldom have anything good to say about someone else’s code, because they would have done it differently.

The real problem is US businesses have become lazy and simply can’t imagine performing standard business processes without the internet. How many times have you had the customer service experience that nobody can manage to do anything that isn’t provided on the company web site? If the internet is down they generally have no idea what to do; you might as well be talking to a chat bot.

A good many large US companies would grind to a halt without the internet because they depend on email to transmit purchase orders and invoices and quite literally have no plan B. Try finding a supply of envelopes at a typical office; a postage machine — forget it. And a lot of critical business communication is tied to individual email accounts, which go into a bit bucket when that person leaves the company.

And the current US standard practice is to issue every employee a laptop, which is the least secure and most expensive possible computing environment. Critical work products are kept on local laptop storage unless the employee takes the time and effort to replicate them to central storage.

The individual laptop strategy has essentially expanded the company security perimeter to include everyone’s home, Starbucks, airport lounge, hotel room and pretty much anywhere else.

The common IT security response is to load multiple security agents on every desktop, consuming local processor and memory resources and network bandwidth. Without careful QOS provisions, WAN links can be saturated by automated patching systems pushing gigabytes of critical updates to thousands of desktops in a self-inflicted DDoS attack.

Before we have real cybersecurity, the work computing environment needs to be rethought from the ground up, and not just jury-rigged on top of whatever Microsoft provides.

IMHO, the individual company laptop is a horrible idea from any number of perspectives and can never be made secure.

But we’ve gotten here because US corporate groupthink has decided that Microsoft is the “safe” choice, just as IBM was 50 years ago. The vulnerability cross section of the typical US IT environment is huge; it’s not going to be fixed by regular audits. The whole structure is fundamentally unsound.

max
May 15, 2021 3:13 pm

As I understood it, the company had computers hacked, and shut off the pipeline out of “an abundance of caution”. The pipeline was never controlled by anybody else, the control system was disabled by the company. As such, the damage was done by the response to the “hack”, not the hack itself. Sound familiar?

dk_
Reply to  Eric Worrall
May 15, 2021 4:21 pm

Eric. Cost/benefit with ransom or tribute calls for determining whether or not to pay the Dane, grant him land, or run him out of your territory. Really, the true oldest profession is capture or intimidation followed by ransom or tribute. This is the new high seas, or maybe the Viking warm. We can’t know how Colonial figured their equation, and more than one victim of ransomware for hire has (freely mixed metaphor) bitten the bullet and told the attacker to go frack themselves. Both ways, the victim pays, but how exactly to whom and how much is an individual decision.
I don’t really want the responsibility of checking their books, and I already don’t trust any one who says that they do.

Clyde Spencer
Reply to  Eric Worrall
May 15, 2021 6:09 pm

It seems that half the time that Microsoft pushes the monthly update to my Windows 10 OS they break something. I have a number of non-critical features that aren’t working properly, but I’m not about to spend money to have them fix what they broke. I’m refusing to pay the ransom.

Reply to  Eric Worrall
May 15, 2021 8:00 pm

Because the billing data was compromised. Without billing data, you have no idea who to bill for what, plus your supplier data is compromised so you don’t know what you bought from whom. Continuing to run the system would have exacerbated the problem. In addition, it would have been prudent to shut down the systems until the control systems could be verified. It is not uncommon for control systems to be back up in a few days while business systems are impaired for weeks.

The control systems run on a very wide variety of operating systems and protocols, all of which are hackable.

dk_
Reply to  davidmhoffer
May 15, 2021 10:13 pm

Agreed, but if/when a company is willing to spend the time and effort, robust, reliable systems can be designed, put in place, tested, and maintained, reducing risk/probability of failure. Beyond a certain case-variable point, it will become prohibitively expensive. The question is always answered by the perceived bottom line, and with oversight by the stockholders.
And, unlike the half-wit hysterics of the “Exxon knew” variety, risk assessment is not an oracle nor produced on stone tablets from an omniscient power. It is always faulty, in hindsight, after the horses is stole and the barn burnt down.

dk_
Reply to  davidmhoffer
May 15, 2021 10:56 pm

Post script: “You never know how good your security really is until after it has failed.” Paraphrasing someone, just can’t remember the original author. Thinking maybe it was from Heinlein’s Puppet Masters, but not sure.

Reply to  dk_
May 16, 2021 12:08 pm

Yeah, when someone asks how much a vulnerability assessment is going to cost, I ask how much time do you want me to spend combing through your system looking for holes? The attackers are willing to look for months if not years… It isn’t practical to put that many hours into an assessment. That said, for the average customer who gets a pen test, my guys have compromised them in a few days.

I don’t see the problem as much a refusal to fund robust, reliable, systems. I sell projects to accomplish that every day. What they lack is the will to fund IT to the point where they can support that level of excellence in their day to day jobs. Some problem comes up, production is down, a temporary fix is put in place because it is urgent, and then IT is off to the next urgent problem and the temporary fix becomes permanent with no one circling back to see if a new attack surface has been created.

The other big problem is companies who HAVE gotten outside expertise, and they don’t know that what they got is junk. I sometimes provide a free pen test to a customer if I suspect that is the case. The last one involved a well known company who had given the customer passing marks on their PCI security 5 years in a row. In three days we compromised them four different ways and sent the evidence to them via a screen shot from the security manager’s laptop. Very large company gets fired, we get new contract. The frequency with which we displace large well known security auditors is great for my commission check, but frightening in terms of how many customers think they are safe when it can easily be shown that they are not.

dk_
Reply to  davidmhoffer
May 17, 2021 3:29 pm

I used to do similar things. Stopped. Beginning to feel better. Just like the time I quit hitting my forehead with a hammer.

TonyL
May 15, 2021 3:29 pm

The education of an IT guy, who happened to be very good.
2001: What is this Linux thing I keep hearing about? Is it any good, or maybe a passing fad?
2008: Changeover complete, we are 100% Linux on all servers.
2012: Now running VM (Virtual Machines) on all servers. The commercial product, VMWare is excellent, you should look into it. We are running our favorite Linux inside the VM. If we get attacked, just delete the whole machine, and reboot from Read-Only media. If the attack is ongoing, you can pull the plug, literally pull the plug out of the wall and crash the computer, then reboot. It’s harmless. You can do this to your whole network if needed. You will lose your network to the attack anyway, so there is no extra cost here.

I ask, what about attacks which scramble the file system?
The VMs give us a couple more levels of protection over and above what we already have. We are a much more hardened target. Worst case, successful file system attack, we restore from backups and lose no more than 12 hours information. Those 12 hours worth will be buffered off the servers, so still available.

The previous IT Guy:
Windows NT, because Microsoft.

Now you know.

Reply to  TonyL
May 15, 2021 4:52 pm

The hackers are following the same trends in the way software is used.
Ransomware-as-a-Service

“The security industry calls DarkSide’s business model “ransomware-as-a-service,” as it mimics the software-as-a-service model. First, provide financially motivated cybercriminals with the best software for stealing data and encrypting victims’ files over the internet via an easily accessible dark website. Second, provide the services around that software, such as tools that allow digital extortionists to communicate directly with their victims or get IT support. Third, share the rewards if a target pays the ransom. DarkSide takes most of the cut… It also supports attacks on both Microsoft Windows and Linux operating systems.”

“There were, for instance, a large number of surveillance cameras attached to the company’s IT infrastructure, according to Derek Abdine from security company Censys. And Bob Maley, a former PayPal security lead and now chief security officer at cyber defense startup Black Kite, says he saw open remote management and file sharing servers, which, if the hackers had somehow acquired logins, could have provided a path onto Colonial’s network.”
https://www.forbes.com/sites/thomasbrewster/2021/05/12/the-colonial-pipeline-hackers-are-one-of-the-savviest-criminal-startups-in-a-370-million-ransomware-game

Reply to  TonyL
May 16, 2021 12:09 pm

“The commercial product, VMWare is excellent”

I’ve worked a lot with VMware. It’s not. But otherwise good points 🙂

Dmacleo
May 15, 2021 3:29 pm

5m to get online sooner may have well been an insurance directive to stave off possible lawsuits from it dragging on and causing more contract violations.

Alan Robertson
Reply to  Dmacleo
May 16, 2021 5:10 am

Colonial had no choice but to pay and surprisingly, did not get the ball rolling sooner.
Without the fuel necessary to power life supporting infrastructure, many lives were at risk.

Derg
May 15, 2021 3:35 pm

I want to see the cancelled check. Something doesn’t smell right.

dk_
Reply to  Derg
May 15, 2021 4:25 pm

Agree, but bitcoin is like limburger, some people seem to like it, but mostly they notice the smell, which is all that’s left after the cheese is gone.

May 15, 2021 3:35 pm

But will they pay ransom to get Biden back … https://www.youtube.com/watch?v=-sIHxg4X5JI&t=2s

John Robertson
May 15, 2021 4:59 pm

Barring that the hackers be an alphabet agency of the federal government, the state agencies will move heaven and earth to track the culprits down and smite them.
For Government hates competition.
The extortion of private business is their exclusive domain and they will tolerate no competitors.
Of course with the traditional skill of the bureaus, they will be unable to track these bandits, so will do their normal.
Which is to fine the company for being hacked.

Nicholas Harding
May 15, 2021 5:23 pm

Surprised this has not been tracked back to President Trump or the January 6 Insurrectionists.

Tom Abbott
Reply to  Nicholas Harding
May 15, 2021 7:04 pm

Yeah, just imagine the reaction of the Media if Trump was still president and downplayed Putin’s role in the hack, by saying it was just a bunch of hackers who happened to live in Russia, but no connection to Putin, like Biden did. I wonder if that bribe the wife of the Mayor of Moscow paid to Hunter Biden had anything to do with Joe “the Big Guy” Biden going easy on Putin? Or is he just afraid to confront Putin? Or both?

We know how the Media would have treated Trump saying such a thing. But for Biden, it’s a whole different story, isn’t it. They allow Biden to allow Putin to escape culpability. The Media are completely biased towards the radical Left. They are propagandists, not reporters.

I hear the Russian hacking group that shut down the pipeline says they are now going to “close up shop”.

The hackers definitely need to be paid a visit by someone who will make them regret what they did.

Reply to  Nicholas Harding
May 15, 2021 7:23 pm

“Surprised this has not been tracked back to President Trump or the January 6 Insurrectionists.”
So you haven’t been aware that these types of ransomware attacks happen every week, including before Jan 6, and a lot of companies keep stumm.
It isn’t surprising that you could make such an absurd claim - of something that didn’t happen - as that’s a hallmark of the ‘ever Trumpers’

dk_
Reply to  Duker
May 15, 2021 10:21 pm

I took that remark from Nicholas Harding as being sarcasm, but you’ve got several great observations. You’re absolutely right that most victims remain silent about such an attack. I think a Federal agency forced release of this one before the deal was done. That kind of stupidity in the future may make the victim pay out more. There should be government transparency, but this kind of idiotic, unnecessary open discussion of a crime in progress, will eventually cause an attacker to just pull the trigger and walk away.

PaulH
May 15, 2021 5:33 pm

It seems, however, the DarkSide gang messed with the wrong (i.e. powerful) people.

DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

“The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.”

dk_
Reply to  PaulH
May 15, 2021 10:30 pm

In the days of big shipping piracy it was often the case that a successful pirate would be taken out by a bigger pirate or their own erstwhile nationalist sponsor. But a pirate never tells the truth. I’ve reason to believe Krebs and his sources are good. Don’t know if this story is verified, but these specific people are great at misinformation too. Remember that everything you see from the attacker is crafted by experts too.

PaulH
Reply to  dk_
May 16, 2021 7:04 am

You may be right! DarkSide’s website actually had a page describing their code of ethics. Yeah, right! They are criminals — they have no ethics. Any of their announcements should be considered false until proven otherwise.

dk_
Reply to  PaulH
May 17, 2021 3:36 pm

Every native Russian speaker I’ve met, later trained in English, has watched every episode of Rocky and Bullwinkle. Every one of them can put on a Boris and Natasha accent. They very properly think it is funny, and they are not the only ethnic group to do this sort of thing for precisely the same reason. But just like the cartoon voice over artists, the accent doesn’t mean that the speaker is Russian.

The accent is even easier to simulate in text, which is how DarkSide has always allegedly communicated.

Brian Krebs is a rare thing — a technical journalist with experience and some earned credibility — but I don’t believe that he can verify or actually interviewed the source of his report, or he would have said so.

John Dueker
May 15, 2021 5:56 pm

I disagree with those that say this is infrastructure. This is a company that got sloppy with their SCADA system and got caught.

If taxpayers have to fund technology for every company we’ll go broke. I used to work on pipeline controls and there is a right way to do it and there is a cheap and dirty way.

Guess which way Colonial chose.

yirgach
Reply to  John Dueker
May 16, 2021 6:41 am

That’s not the MO of these extortionist groups. They are not about breaking things like SCADA, instead they gain from releasing embarrassing data. In this case they caused a continuing accounting problem which led the company to shut down product distribution because they did not know who to bill and for how much.

Exactly how they got into the system is anyone’s guess at this time and probably will never be known. Surveillance cameras and remote management systems were exposed. A set of default or weak credentials can open up a whole new world…

May 15, 2021 6:31 pm

And the Geek shall inherit the Earth 😉

Reply to  Leo Smith
May 15, 2021 8:03 pm

ROFLMAO!

dk_
Reply to  Leo Smith
May 15, 2021 10:31 pm

…in little bits and bytes

n.n
May 15, 2021 11:31 pm

BitCon: don’t
http://www.market-ticker.org/akcs-www?singlepost=3171400

A review of currencies. The merits of cryptographic currencies, including perfect tracking and auditing of transactions.

dk_
Reply to  n.n
May 16, 2021 1:17 am

No disrespect to n.n. nor Denninger, or to Market-Ticker, but the linked article is dated end of March 2013. I will stipulate that it is equivalent to a Gospel, but there’s probably been others since. I don’t think perfect tracking and auditing of transactions are features that encompass the anonymity of Bitcoin, today, but I am not an expert, and don’t know any. If someone can correct me, please post here. Really.

Craig from Oz
May 16, 2021 1:13 am

“That if once you have paid him the Dane-geld, you never get rid of the Dane.”

May 16, 2021 3:02 am

Why is ‘mission critical’ hardware connected to the internet?

If they didn’t even get this right they wouldn’t have got any of the security right.

Tom Abbott
Reply to  Matthew Sykes
May 16, 2021 4:18 am

“Why is ‘mission critical’ hardware connected to the internet?”

Good question.

When will our politicians ask this question?

Ed Zuiderwijk
May 16, 2021 6:08 am

Name an attack on your infrastructure what it is: an act of war. Do what the Israelis do. Find them, go in and take them down with overwhelming force.

May 16, 2021 7:43 am

The question is, what’s the solution? We are a free country, where the supply of goods and services is controlled by private industry, not by the government.

Should the government take over industries considered “vital infrastructure”? If so, who gets to define what “vital infrastructure” entails? Energy production for sure. Probably communication infrastructure. What should be included in that? Phones? Cell Phones? Email? Internet? Cable TV Providers? What about water? Food supply? Internet? Heck, the 2nd amendment is cooked into the Bill of Rights, shouldn’t guns and ammo be considered critical infrastructure? Why shouldn’t the government take over all gun and ammunition companies?

Slippery slope that. There are names for economic systems where government either owns (Socialism) or controls (Fascism) the means of production. Neither of them has worked out so well in the past.

I suppose we could just pass laws and regulations to force the companies to harden their systems against intrusion, but would that really be effective? Or would it just add more expense to the consumer and make it even harder for competitors to get into the market? That’s what usually ends up with strict regulations. The big boys can afford the fines (or bribes) associated with bending the rules and the upstart would-be competition can’t get off the ground because of the crushing expense of government regulation.

And no matter how strictly an industry is regulated or controlled, there is simply no way to completely immunize it against attack. As stated above, when protecting something, you have to be successful 100% of the time, the attacker only needs to succeed once.

I’d say the better plan is to EXPECT vital infrastructure to be cut off at some point and be prepared for it. If you live in a city, you should have a bug out plan, with several alternatives. You should have supplies stored in the event food and water gets cut off. You should have alternative cooking and lighting methods. Etc Etc Etc. The government is not your babysitter. If the world comes crashing down and you are caught unprepared for it, that’s not the government’s fault, that’s yours.

May 16, 2021 12:01 pm

“Either they don’t have a backup, they didn’t trust their backup, or they didn’t think they could restore the backup in a reasonable timeframe.”

All of which are unacceptable.

Kramer
May 16, 2021 3:54 pm

Wouldn’t be surprised if we find out someday that the $5M ransom actually was paid to a US intelligence agency.

spock
May 18, 2021 2:16 am

What?! They only asked for $5 million? Cheap charlie crooks.

terry bixler
May 18, 2021 2:37 pm

I continue to ship systems where the “software” is in ROM. To do otherwise on important systems is foolish at best. Funny how our technologists have moved from this secure approach. Why even voting machines are in R/W.