Comments

Carl Engelbrecht March 29, 2024 7:53 AM

Why do technologists who know better continue to propagate the erroneous statement “ransomware attacks”? Ransomware is launched by a click of a mouse [FULL STOP].

Tom March 29, 2024 9:20 AM

@Carl Engelbrecht – I think the description is fair in this case. This was not a one-click operation; it involved days of reconnaissance, the capture of access to a large and diverse server estate, exfiltration of hundreds of GB of data (this was not an encryption attack), destruction of backups that might have been used for recovery, significant work to cover tracks and the destruction of a large chunk of the server estate.

There were two points raised in the report which I thought were particularly interesting. The first is about risk. The library say they were good at identifying large risks that they weren’t prepared to accept and acting to mitigate them. They were good at identifying small risks and deciding they were content to live with them. They were not good at looking at the overall risk picture and aggregating all those small risks and deciding whether they were happy with their overall level of risk. I suspect this is true of a very large number of organisations full of good, capable people; an individual identifies a large risk, thinks it’s not acceptable and gets something done about it. But an individual identifies a small risk and thinks it’s not worth doing anything about it; no-one has an overall picture of risk.

The second was that recovery has been so arduous because many of the library’s systems are so specialised and old that they simply can’t get an installer for them. The original supplier has disappeared or no longer supports the software. They had a copy of the installer … in the backups which the attack destroyed. On a similar line, I wonder how many organisations out there have software running on an Ubuntu 12.04 VM? It’s not that old, but you can’t install it any more; Ubuntu have removed it from their mirrors.

Prefer Not To March 29, 2024 11:38 AM

This will continue to be a problem as long as society thinks of this as nerds suffering nerd crime. It’ll stop when His Royal Majesty sends the SAS to deliver a kinetic response to the Rhysida Ransomware Team.

Does anyone believe that MI-6 and GCHQ can’t find some of the humans behind Rhysida? You don’t even have to find all of them – just enough to ensure that the leadership decides to attack the Library of Botswana or Tuvalu next time. Like, seriously, this is why western societies employ rough men who stand ready to do harsh things to bad actors. Why aren’t we using them?

Not really anonymous March 29, 2024 1:31 PM

I don’t think you really want to go down the assassination road. We already have India assassinating people (or trying to) in the US and Canada. The US regularly blows up people near the wrong (as in it’s bad to be there, but it can be incorrect as well) cell phone, often killing innocent people.
You probably don’t want other governments killing people who break laws in their countries remotely. A number of governments make criticising the government a very serious crime. There have already been assassinations in the UK of Russian dissidents and the UK hasn’t responded strongly enough to actually stop that practice.
Less powerful countries already do this as well.

Not really anonymous March 29, 2024 2:23 PM

There are two kinds of assassination. There is the kind where you don’t tell anybody you did it and your Press Secretary or Secretary of State has a press conference where they try to suppress laughter while insisting that Glorious Leader is completely innocent.

The other kind is where a country proudly takes credit and announces, “Action that is widely acknowledged as immoral and illegal will be met with reprisal.”

When the Israelis took Adolf Eichmann out of Argentina, they were happy to take credit for it on the world stage. And, quite frankly, the world was happy it was done.

Insisting that acts of war not be met with reprisal if they happen in the digital domain is kind of like how, if you steal less than the FBI limit from 1 million people, the federal government still insists that it’s not a crime worthy of the attention of the FBI. Digital changes the scale, scope, and reach of bad actors. And I do believe that for certain adversaries, the only effective solution is kinetic.

Prefer not to March 29, 2024 2:25 PM

My apologies, I typed the wrong name in the field on the comment above. There was no intention of misleading.

And, to be clear, I am not advocating assassination. Clear police action, and legal, not extra judicial, punishment is certainly appropriate.

Clive Robinson March 29, 2024 2:58 PM

@ Prefer Not To, ALL,

Re :

“Clear police action, and legal, not extra judicial, punishment is certainly appropriate”

It does not work that way when an idiot thinks “Might is Right” it always ends up in a game of “mine is bigger” in the ego dept.

For instance a certain Russian was sent out to “make a point” by assassination, and is now spending time in somewhat meager German accommodation.

As Putin knows the Germans are unlikely to negotiate… So Putin is rounding up those with US citizenship or relatives and having them charged with spying and the like and put in jails. Putin knows that the US will give in and put pressure on the Germans…

So those from the US that come in range of Putin’s cronies are suffering because Putin thinks “might is right”.

https://www.bbc.co.uk/news/world-europe-68679483

So what do you do in response?

Prefer not to March 29, 2024 4:23 PM

@Clive Robinson

What we have here is a crime committed against an agency of a western state, with significant costs to the state to remediate the crime scene, and a group with a well known brand name committing the act. What would you have us do except ask our security experts to “nerd harder” so the bad guys don’t succeed the next time?

Not really anonymous March 29, 2024 4:47 PM

The proper path is to follow the normal judicial procedure. If a government is supporting bad actors then diplomatic actions should be taken. In some cases this just isn’t going to work and you need to rely on improving security.
Also note that western governments do this crap too. Less hypocrisy might help get agreements among governments to punish governments that do this. Currently the reactions depend mostly on whether a government is an ally or not.

Jerome April 1, 2024 1:18 AM

@Prefer Not to

A ransomware attack on a private health insurer (Medibank) in Australia in 2022 resulted in the doxing of private medical info of millions of Australians.

The Australian government decided to up the ante. Earlier this year, they doxed the identity of the leader of the team responsible, through MSM.

And obtained financial and travel sanctions throughout the western world.

That was certainly a concerted effort to raise the bar and make a stand in the public sphere. The sort of thing our host and his colleagues have been saying for years now.

Deserves credit. The message is finally getting through to legislators.

Here’s one of the Aus. Gov press releases on their punitive measures.

https://www.foreignminister.gov.au/minister/penny-wong/media-release/cyber-sanctions-response-medibank-private-cyber-attack

Carl Engelbrecht April 1, 2024 5:22 AM

@Tom

You then agree/acknowledge there’s a tremendous difference between a cyber-attack and the launch of ransomware within a “protected domain”?

Clive Robinson April 1, 2024 11:58 AM

@ Prefer Not To, ALL,

Re : Escalation just increases the fall.

“What would you have us do except ask our security experts to “nerd harder” so the bad guys don’t succeed the next time?”

Well it rather depends on what you mean by “nerd harder”…

But your question to me suggests you are fairly new here as I’ve given quite lengthy discourse in the past indicating why what is done in the West is not the right way to do things.

So as a recap, for crimes to be committed there needs to be some things in place first,

1, Legislation to establish illegal behaviour.
2, Ability to show a crime has been committed.
3, Ability to bring an alleged perpetrator to account.
4, Ability to, where harms have been shown to be committed, have commensurate punishment.

In the West due to the “influence of industry” the first two steps have been brought into significant disrepute.

Likewise the third due to political posturing in the West, and in the US mainly misuse of the first two steps for political or business reasons is counter productive at best.

As for punishments that are “fines or sanctions” they are mostly pointless. They sound very grand but they can rarely be enforced, thus nebulous charges against third or fourth parties are announced, but not exactly enacted otherwise all the major Western Banks leaders would be in the dock.

As far as the ICT Industry is concerned the reason crime is so high is because,

“There is neither lock nor bolt on the stable door or paddock gate.”

Thus the data effectively just gets led out into the night…

So first step would be deal with the root of the problem such as Microsoft and Google, we know their products are,

“Not fit to be put on the market”

Yet we don’t do anything about it.

If we did the level of crime would drop significantly.

Back at the beginning of this Century, I said in front of an audience of people who now have significant names in academia that we were going about things wrongly.

We were in effect “educating the enemy” because it could easily be shown that we were at best just reactive, and then not enough to stop anyone.

Yes we fix vulnerabilities when they become embarrassing or are going to become so. But only to the point of stopping “a specific instance of attack” and next to never do we close “a class of attack”.

Thus the attackers just find another of thousands of vulnerabilities to just “carry on as normal”.

Mostly the ICTsec Industry efforts do not stop a problem / attacker, just give them a reason to mutate into a different attack.

The standard “evolution model” tells you where that is going to go.

Another problem is treating petty crimes as warfare, it’s just plain silly. Few nations teach military personnel to deal with common crimes. So things legally have to stop at borders.

I could go on, but by now you should be asking yourself,

“Why are we doing things the wrong way, that we know does not work?”

The answer is the wrong way is not only cheap for the Mega-Corps, but it also allows tax money to be put in certain “right” Mega-Corp pockets in return for political funding. Whilst giving politicians another pointless “tough on crime” drum and flag to goose step to…


Sidebar photo of Bruce Schneier by Joe MacInnis.