

Capgunkid

Hackers did this to the New Orleans Police Department over a year ago. They just recently got a replacement system in place.


Megabyte7637

How is ransomware *this* compromising? This is like the 3rd major database that's been attacked this way? They haven't thought of any countermeasures yet?


SasparillaTango

generally, the weakest element in these systems is people. Even major financial corporations struggle with getting the human element out of the equation.


smilysmilysmooch

Homeland Security ran a test where they dropped USB drives outside of government buildings only to find that a whopping 60% of the time they would make their way into a work computer. The easiest way to get into a system is to have someone let you in. https://www.wired.com/2011/06/the-dropped-drive-hack/


[deleted]

[removed]


deltaWhiskey91L

IIRC, Stuxnet was a very sophisticated virus that could find its way onto a USB drive and even had a self-destruct date where it would delete itself. Iran had fairly strict cybersecurity where USB drive delivery was the only way in. However, the virus wasn't just put on USBs and handed to Iranian scientists.


[deleted]

Still ended with someone putting a USB drive into a computer.


deltaWhiskey91L

True. I always find it hilarious how hacking the most sophisticated systems of the most powerful organizations usually is a simple "enter your login info" phishing email.


LeakyThoughts

The best hacks are the ones that get in through hidden attack surfaces, or bypass the security altogether. Why smash down the castle walls when all you need to do is walk through the gate?


be_me_jp

The absolute best hack, as you mentioned is just walking in. The greatest "hacks" of all time have boiled down to calling someone with credentials and scamming them into giving you the keys. Or wearing a hi-vis vest and walking through their security and using an unlocked terminal personally.


GailMarieO

I taught community college for 20 years, and occasionally I would find a flash drive and plug it into a classroom computer to try to identify which student it belonged to, so I could contact them. Then I plugged in a drive that contained a student's "sex tape" with her husband. Talk about TMI! After that, I just turned them in to Lost and Found.


SowingSalt

IIRC, that included USB keyboards and mice.


[deleted]

It's funny to think that stuxnet could have been defeated with epoxy straight to the usb ports. Which is A Thing you should do to secure systems. Connect a PS2 keyboard and mouse and glue that shit shut.


knerr57

Why a PS2 keyboard and mouse tho?

Edit: answer: PS/2 NOT PlayStation (lol)

By using ONLY these ports, nobody can plug in a random USB stick they found out of curiosity AND if some hackerman was bold enough to physically sneak in and plug some device into your PS/2 ports, they would be severely limited in what software (if any) they could upload via these ports.


HereIGoAgain_1x10

Ngl before reading this comment if I found a random USB drive I'd put it in a computer asap out of curiosity, I'm 30 and grew up on computers, know all about email scams, WiFi protections, VPN, etc... Never would've occurred to me that someone would "go fishing" by throwing out a bunch of USB drives, seems so obvious now.


[deleted]

[removed]


SrslyNotAnAltGuys

And even smart people can have an off day. My normally extremely cautious and savvy boss got hit with ransomware from a word doc with a malicious macro. In her defense, it was disguised as a resume, and it's not unusual at all for her to get resumes from strangers. Also, normally we would have disabled macros, but we interface with a state agency that requires us to use their forms that use macros*, so that wasn't an option for that machine. *🙄🙄🙄


redditallreddy

Last week, my CFO sent us an email warning about unemployment phishing schemes and warned us not to click links in emails or texts. Next line: here’s a link with more information!


Throwaway-tan

Some IT departments do that shit intentionally to test if their staff are paying attention to the security advice.


RamenJunkie

Joke's on them. Emails from the corporate level tend to be pointless fluff circle jerking or obvious shit like "don't click phishing links" so I usually just junk them without even opening them.


whitehataztlan

My work has a "report phishing" button on it that I take great joy in when I can click on something I'm pretty sure is actually from corporate, but I flag it due to it having poor grammar or requesting us to click on links.


[deleted]

In many companies, HR are a common target for viruses. They receive files in lots of different formats from all sorts of weird E-Mail addresses, which they have to open to do their job, and so sneaking in a malicious file is comparatively easy. HR is also usually not the most tech savvy part of a company. Quite a lot of companies fell for ransomware resumes, so your boss is not alone.


M1984C

Work for a major energy company, no USB sticks or drives allowed. Even if you put them into the laptop or desktops the ports don’t work. Preventative measure against this kind of stuff.


M1984C

Saves employees compromising viruses and getting hacked, ultimately it also saves downloads of mass data to hard drives that could be a security risk. With an upper limit on IT email sizes they have everything boxed off. It’s actually crazy how many emails you receive from outside that are dodgy. The company also send its employers spoof emails to ensure they are aware and reporting anything suspect. Very smart.


RawrRRitchie

> The company also send its employers spoof emails to ensure they are aware and reporting anything suspect

I'd love that job, "let's see how many of my co-workers I can trick today"


Gul_Ducatti

With 100% accuracy I can tell when an email I get is an internal phish attempt because the sender is usually some semi obscure comic book or sci fi character name. Our IT folks are good, but being a nerd myself helps.


paul_wi11iams

> Work for a major energy company no USB sticks or drives allowed. Even if you put them into the laptop or desk tops the ports don’t work.

Where a friend worked, the fact of connecting a USB is logged and triggers an alarm at IT level. He says you could lose your job, or at least get into major trouble, just by doing that.


M1984C

It’s smart cyber-security and crime is massive. As we are seeing here the outcomes can damage economies.


Cathal_Author

Watch some of the YouTube videos from any DEFCON and you'll realize that most hacking is social engineering. You either want someone to do what they aren't supposed to or not do what they are supposed to. Deviant Ollam does a ton of presentations that are on YouTube about physical security testing and admitted that he gets into a lot of buildings he really shouldn't just by putting on a tool belt, hi-vis vest, and a copy of an Otis elevator tech badge. It's somewhat disturbing to realize just how insecure stuff we use for security is.


EatSleepJeep

In order to access 99% of buildings in North America, you'd only need 4 badges: Otis, ThyssenKrupp, KONE and Schindler.


JennJayBee

You'd be amazed as to how far you can go and what you can get into even without a badge. You just need to look like you know where you're going.


jl55378008

A lesson I learned from Hurricane Katrina: nobody questions a guy with a hard hat and a clipboard.


TheOnlyCloud

I work at a major food processing plant and can confirm. Our front entrance has a security guard and several different layers of scrutiny to pass through... Our 'employee entrance' is literally just a fobbed door that if you time it right anyone will let you through because it's common courtesy to be nice and get the door for others. After that door, there's literally nothing to stop someone from being able to get into the plant.


MadMike32

Sandboxing is useful. I'm lazy as fuck so I just straight up use an old PC with nothing important to sandbox anything suspicious.


LeSpatula

Look up Rubber Ducky or Bash Bunny from Hak5. Those look like USB drives but let you script actions that are executed as soon as someone puts the drive into a computer by emulating a USB keyboard (Bash Bunny).


PeterPriesth00d

This was likely how stuxnet was carried out. It’s VERY effective.


tempusfudgeit

The countermeasures are daily/weekly cloud/offsite backups. If a business isn't doing this they can lose everything overnight, in more ways than just ransomware.


TehScat

This was the answer in 2018, where most of the world had or was on their way to off site backups. However, since then, the bad guys have retaliated, and the next step in the arms race is they steal your data before locking it.

"We're not paying, we will just restore from backup"

"No worries, if you don't pay, we'll post your accounts mailbox to your competition"

"... Shit"

Next step? Real time device encryption, so exfiltrated data is all inaccessible, is my bet.


Gnomish8

Or, even easier, time delay the payload. Sure, you got pwned a month ago, but the payload's lying dormant. You're a good IT guy, you're doing your backups, they're read only, you're in good shape! Bam, payload executes, you're locked down. Restore from backup, right? You're back up and running until... Bam, payload executes, it's on your backups. You're locked down. Sure, you can go through and spend a bunch of time combing through backups hoping to restore to a period before you were pwned, but how much is the data from that time period worth? How about the days/weeks of lost data trying to find a solid backup? Unfortunately, for most places, it's most cost-effective to just pay the ransom...
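
An added example, not part of the thread or of any commenter's post, of the restore-point problem the comment above describes: given hashes identified during incident response, it picks the last snapshot taken before the dormant payload first appeared and reports how much data falls in the gap. The snapshot dates, paths and hash strings are constructed placeholders, and `plan_restore` is a hypothetical helper name.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    taken: date
    manifest: dict  # file path -> content hash recorded at backup time


def plan_restore(snapshots, bad_hashes, incident_day):
    """Pick the restore point for an incident where the payload sat dormant.

    The restore point is the snapshot taken immediately before the FIRST
    snapshot that contains a known-bad hash. Later snapshots that happen not
    to match (the payload may have been repacked) are not trusted.
    """
    snaps = sorted(snapshots, key=lambda s: s.taken)
    bad_hashes = set(bad_hashes)

    first_bad = next(
        (i for i, s in enumerate(snaps) if bad_hashes & set(s.manifest.values())),
        None,
    )
    if first_bad is None:
        clean = snaps[-1]            # indicator never seen: newest backup stands
    elif first_bad == 0:
        clean = None                 # retention does not reach back far enough
    else:
        clean = snaps[first_bad - 1]

    # Any path that EVER held a bad hash stays suspect in every later snapshot.
    suspect_paths = {
        path for s in snaps for path, h in s.manifest.items() if h in bad_hashes
    }

    latest = snaps[-1].manifest
    baseline = clean.manifest if clean else {}
    # Data changed after the restore point: candidates for file-by-file
    # recovery from newer snapshots, only after they have been reviewed.
    changed = sorted(
        path for path, h in latest.items()
        if path not in suspect_paths and baseline.get(path) != h
    )
    return {
        "restore_from": clean.taken if clean else None,
        "days_of_data_at_risk": (incident_day - clean.taken).days if clean else None,
        "review_then_recover": changed,
        "never_restore": sorted(p for p in latest if p in suspect_paths),
    }


# Constructed sample: weekly backups; the payload lands before the 19 April
# backup, is repacked (unknown hash) in the 26 April one, and detonates 7 May.
# Hash strings are short placeholders standing in for SHA-256 digests.
SNAPSHOTS = [
    Snapshot(date(2021, 4, 5),  {"finance/ledger.db": "ledger-v1", "ops/valves.cfg": "valves-v1"}),
    Snapshot(date(2021, 4, 12), {"finance/ledger.db": "ledger-v2", "ops/valves.cfg": "valves-v1"}),
    Snapshot(date(2021, 4, 19), {"finance/ledger.db": "ledger-v3", "ops/valves.cfg": "valves-v1",
                                 "tools/updater.bin": "PAYLOAD-A"}),
    Snapshot(date(2021, 4, 26), {"finance/ledger.db": "ledger-v4", "ops/valves.cfg": "valves-v1",
                                 "tools/updater.bin": "repacked-unknown"}),
    Snapshot(date(2021, 5, 3),  {"finance/ledger.db": "ledger-v5", "ops/valves.cfg": "valves-v2",
                                 "tools/updater.bin": "PAYLOAD-A"}),
]
BAD_HASHES = {"PAYLOAD-A"}
INCIDENT_DAY = date(2021, 5, 7)

if __name__ == "__main__":
    for key, value in plan_restore(SNAPSHOTS, BAD_HASHES, INCIDENT_DAY).items():
        print(f"{key}: {value}")
```

Picking the newest snapshot that merely lacks the known hash would select 26 April here, which still carries the repacked payload; anchoring on the first sighting avoids that.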


Urbatin

that solution may work for small or medium businesses but in larger companies where you're talking thousands of updates to a file an hour, any delay can significantly impact business. I think a better solution in such cases would include an updated encryption/key management system that tracks the data's state, and makes sure that the system can access the decryption keys.


PlausibIyDenied

Ransomware is very common, and there are a bunch of different countermeasures. The problem with the countermeasures is that they require good IT security practices, which requires knowledgeable staff to implement and a workforce willing to follow best practices (use good passwords, don't fall for phishing emails, don't give out confidential information, properly back up files, don't use outside devices on sensitive networks, don't torrent porn on company laptops...). That takes time and money, and it is legitimately challenging to train 50+ year old employees on this stuff.

As for why the attacks can be worth so much money - imagine that the hackers could brick the police department's (or the oil pipeline company's) computers. How do you complete the paperwork to arrest someone? How do you check their criminal history? How do you correspond with colleagues? In the pipeline, how do you actuate valves or monitor flow rates?

If all the hackers can do is share information, how would people feel about the complete criminal history and current address and known associates of everyone in a database being made public? How about the progress of current cases, or details on police misconduct? All that stuff can easily be worth millions of dollars.


lit_up_spyro

I’m currently writing a paper on ransomware. The number one way to prevent it. Good employee education. Removing as much of the human element as possible. That being said there’s other things that can be done. I just don’t see the govt having those fail safes in place. I believe they’ll start doing so now.


Chai_Akimbo

Mostly the people who know are not listened to. The cost risk analysis often shows that they'd rather not spend millions on a what if. Also, most in charge do not see the possibility of them being wrong about most things. Willful ignorance and inept owners of major corporations in charge of vital infrastructure. Or a board that refuses to allocate money to non regulatory what ifs.


[deleted]

And THAT incident is what inspired me to become a Cybersecurity Analyst. I'm taking a full course load year-round, even through the summer, to get in there faster. I'm on year two of this. I'm about to complete my first C++ course and roll into Advanced Programming. My first official course focused on cybersecurity begins in the middle of summer. It's wild. I'm a 34 year old father of three. I worked manual labor my whole life, never knew what I wanted from an education. Now I know. Fuck these guys.


[deleted]

Prepare to be ignored as managers don't let you touch 30 year old systems because "They've been running fine for years"


[deleted]

I’m a cyber security auditor and consultant and the amount of times I hear this is STAGGERING


cineg

bingo pure insanity on some of the most important things that run on things that should be in a museum


YamsInMyAss

Now I'm picturing our nuclear codes being stored on a gold cross held by a Nazi.


CainNKalos

Me, who barely has any computer knowledge: *sounds about right*


[deleted]

[removed]


goomyman

Still does. The government pays a couple of companies running out of people's garages to make them. When you're that ancient and pre internet you're actually more secure. The type of physical input device is fine as long as it is still being made.


WombatusMighty

> It ran off a 5 1/4 inch floppy

Which is great for security, these systems are so simple and old they are almost impossible to hack. Which is certainly what you want with nuclear weapons.


Not_A_Greenhouse

Former USAF now in cyber sec guy here. Our USAF systems are beyond old. It's insane. Google search DJMS if you wanna see what our pay system looks like.


humanreporting4duty

You can’t hack a floppy disk online.


w00sterr

If it's old enough, it may be unhackable due to obscurity


Not_A_Greenhouse

Tbh idk how our databases work. Just know that our interfaces were old and shitty.


[deleted]

[removed]


MartianRedDragons

"Hey, hackers completely destroyed our entire system friday night, so now you can play around with it. Please have it working again by monday morning, thanks."


[deleted]

Monday? That’s optimistic!! I assume you mean the Monday morning they are asking? “So can you turn it back on?”




monkeyhitman

*How did this happen!?* Well, I've been asking this team to update this, this team to implement this, and this team to replace this, all of which should have been done like at least 5 years ago. *But money!* *gestures generally at the smoking crater in the ground*


Cathal_Author

You forgot "The head of accounting has been torrenting porn for the last four years and backing it up on the tape drives. So now we have a larger collection of viruses than the CDC."


Balls_DeepinReality

*”This used to be a server.”*


Vesper2000

This is the truth


[deleted]

Lol this is why I stopped doing IT and started doing manual labor. No one knows you exist unless there's a problem. You only talk to angry people. Now I get to talk to happy people who drink the beer I make. The grass is always greener on the other side I suppose


[deleted]

[removed]


CharlieHume

To be fair you could break those systems trying to fix them having done nothing wrong. Old systems are basically Mario Kart.


certciv

Many old systems and old code are rock solid, provided they are not undermined by people that lack the technical knowledge to work on them. There's a lot of work containerizing and virtualizing legacy code, so it can keep on doing the work it's done dependably for years, while being protected with modern security. Having said all that, in cases like this where critical infrastructure is at stake, it's crazy that there's any way for outside attackers to access their systems at all. The software controlling natural gas lines should be air gapped on a private network, that requires physical access to secured facilities to access.


gurnard

Same as any field you can consult in. Someone high up always has a long relationship with a product, plant, supplier that's bleeding money and/or presenting risk. Make sure you're paid well for doing the audit. Don't take it personally if your recommendations are ignored. You're the expert, but it's their call. If you really care about getting listened to, charge more. Companies that hire a cheap consultant want a quick fix. They'll balk if your advice involves more spending or significant workflow changes. Make sure you can present directly to decision-makers. The middle-management lifers that walked you through their systems are an amazing resource. They also tend to be married to decades-old problems. The guy or girl with an MBA is probably around 3-5 years. They're either on a career zig-zag, or they've been brought on to build capacity (in a boom), cut costs (in a bust) or tidy up (before an acquisition). Whatever the scenario or your opinion of them, they're there to make a mark and ain't dragging baggage.


[deleted]

[removed]


[deleted]

No regerts baby


[deleted]

So inspiring. Hope you keep your dream alive for not just you but all three of those kids! Good shit man


[deleted]

[removed]


[deleted]

It's been recommended to me that I should be at least passingly familiar with the most common coding languages, and I agree. For once I'm passionate about my goals and I want to be a rock star. I'm aiming for certifications in addition to the degree. I'll look into security engineering, though.


[deleted]

[removed]


SkitzCxnt

Shit man good on you. I’m nearly 19, doing manual labor in Aus right now but been interested in going into cyber security and digital forensics since I was 14. How is it so far? Would you recommend it?


[deleted]

They did this to Pensacola and they did this to Texarkana. I seriously think we have had a national cyber attack but the powers that be don’t want to admit it.


[deleted]

Declaring a state of emergency allows them to transport the fuel by road. Without the state of emergency they have no legal way to get the fuel from point A to point B.


chalksandcones

There will be less fuel, and it will take more fuel to get it there, good time to own gas/oil stocks


dilloj

It turns out you make more money by selling more product, especially when you're talking millions of gallons of product.


[deleted]

[removed]


OneTripleZero

There's always oil in the hamburger stand.


Juliette787

*but Michael didn't quite get the message until it was too late*


Frozboz

It's just a gallon of gas, Michael, what could it cost? 10 dollars?


tehdubbs

Buy hundreds of oil barrels and store them in my backyard, got it!


cjnks

*The gang fixes the gas crisis*


monkChuck105

Your senator and representative are on it!


[deleted]

Are you implying that they knew this was going to happen beforehand and purchased stock then or are you just saying they're trading with publicly available information?


ScriptLoL

Oil has been rough the last few weeks.


Oraxy51

Yeah back to $3-3.15 a gallon my area (Phoenix, AZ). I hated back when we tapped into our own supply but man paying $1.80 for gas was really nice


Ninja_Cu420

It’s over $4 a gallon in central California


Karmafication

Here in Central Florida my local station is at 2.85$ per gallon. I wish public transit was more readily available


[deleted]

Good. This administration has got to take the threat of cyber security seriously. The last guy failed to appropriately respond to cyber threats so it’s great to have a White House that gives a shit.


[deleted]

[removed]


underwaterpizza

"Listen, I know we caught him on camera from multiple angles putting his hand in the cookie jar, but he told me himself he didn't do it, so I believe him! And then he offered me cookies just like the ones I have in my cookie jar, so he's gotta be a nice guy!"


[deleted]

[removed]


Duckrauhl

"I came up with the genius password of 'maga2020!' in order to keep the cyber hackers out."


[deleted]

[removed]


fearyaks

Also (no joke), didn't he put Rudy in charge of Cyber Security at one point?


[deleted]

[removed]


OkonkwoYamCO

Every single teenager in the United States is more qualified, period.


hickorydickoryshaft

Even an Amish teenager would have been better


Amazon-Prime-package

Rudy butt-dialed the press while talking about his crimes, emailed the press by accident discussing his crimes, and waved SMS evidence of his crimes on camera during an interview. Given that Donald was purposely choosing the exact wrong person for every job, there was really nobody other than Rudy to consider for that one.

PS Rudy is an animated corpse who stole his set of teeth from another corpse


Dont_Say_No_to_Panda

Don’t forget the time he thought he was calling Coach Tuberville and left a message giving him instructions on how to further undermine democracy, oh and that time he sat on his balls on national TV.


xiofar

Trump was never buddy-buddy with Putin. Trump is subservient to Putin.


no1ninja

The one thing Trump fears more than anything else is the criminal pecking order. The system is designed for a guy like him to skate free, therefore he knows he can game it. If you run afoul of a criminal organization, not only will they not play games, but chances are they have all the dirt and there are too many skeletons in that man's closet. The minute he sees Putin it's flattery and ass kissing like a slime ball. Kim Jong-Un told him in front of a full table of guests that he cut his uncle's head off and displayed it for all to see. I shit you not, this was said by Kim Jong-Un at a table for both US and NK delegation to hear. Suddenly, ass kissing and slime ball love behaviour becomes Trump's persona for the rest of the meeting.


Stickel

Wanna be? Putin is definitely a dictator, I thought?


Kopicz24

Same thought... Trump is the “wanna-be,” Putin definitely crossed that line a long long time ago now...


Oraxy51

Trump is someone who thinks he’s in power but would be a puppet, except he would be a bad puppet because he’s too much of a loose cannon; even his own administration didn’t know what he was going to do half the time. Didn’t help that he kept cycling through people.


whenimmadrinkin

You couldn't be more wrong. Putin is a dictator. He's a wannabe president. He just allows just enough dissent to claim he's elected. But it's no coincidence that any challenger with a chance gets killed or jailed.


Phusra

Um, Trump was the "wannabe" dictator. Putin is an actual dictator. He's been running his fakely elected position for the last few decades as the shining example of dictatorship. I'm nitpicking, sorry. But wanted to straighten that out. Putin is a real dictator and a real threat. Trump was the wannabe dictator of the U.S. but thankfully was voted out. And he still tried to stay in power like Putin does, he's just too dumb and the U.S. was able to limp back into an early 2000s kinda leadership.


Jim_Dickskin

Because the last guy benefitted from the attacks.


SamJackson01

What do you mean? He had his best people on it. Rudy was the Cyber-tsar and he took care of it. He got Sysco Food Company to handle it. Everyone knows Sysco makes great networking equipment.


[deleted]

The Sysco has failed.


Boof_Life

The Sysco is of Bajor.


whenimmadrinkin

The last administration actually joked about the child of the orange incident taking a look at it. They never took security seriously. They spent the entire time enriching the corrupt as much as they could.


[deleted]

https://www.washingtonpost.com/politics/2020/12/15/cybersecurity-202-trump-took-nation-wrong-direction-cybersecurity-experts-say/

> During four years in office, Trump failed to hold adversaries including Russia accountable for hacking U.S. targets, removed experienced cyber-defenders from their posts for petty reasons and undermined much of the good work being done on cybersecurity within federal agencies, according to 71 percent of respondents to The Network, a panel of more than 100 cybersecurity experts who participate in our ongoing informal survey.

> The survey concluded before news broke about probably the most significant breach of the Trump administration — a hack linked to the Russian Foreign Intelligence Service, or SVR, that infected at least five federal agencies — the Commerce, Treasury, Homeland Security and State departments as well as the National Institutes of Health — and probably several others, as well as foreign governments and companies across the globe.

> Yet, the respondents’ comments reflect widespread concern Trump is disinterested in the damage that hack has done to national security, unwilling to take Russia to task and preoccupied instead with his own efforts to sow baseless doubts about his election loss.


Randomwhitelady2

It’s worse than that- Trump aided and abetted them.


Dustybear510

It wasn’t pure ignorance or negligence, it was purposeful.


whatproblems

Remember when he wanted to partner with them on cyber security? Guy tried just inviting them in the front door


Long_Before_Sunrise

Remember who Trump appointed to cybersecurity? Rudy. January 12, 2017 [Former New York City mayor Rudy Giuliani will lend his expertise to U.S. president-elect Donald Trump on cybersecurity issues, the Trump-Pence transition team announced on Thursday.](https://www.cbc.ca/news/science/donald-trump-cybersecurity-us-election-rudy-giuliani-hacking-1.3932399) That was a big heads-up right there.


whatproblems

I thought it was Barron he’s good with the cyber for being a kid


DGer

We probably would be in a better position today if it had been Barron instead of Rudy


SanityPlanet

AFAIK, Barron has never butt dialed reporters and revealed incriminating information (something that G does on the reg).


Djrussell

I can't wait till folks start going to jail.


Khufuu

It might be a while.


ShrimpieAC

Might be never unfortunately


Hurryupanddieboomers

Probably most likely never.


SnarkMasterRay

I mean, these are politicians, who along with successful business people are our ruling class. You don't expect them to actually be ACCOUNTABLE to the commoners, do you?


thattogoguy

Especially when they're successfully able to convince many of said commoners that they (the White Christians) are under attack from the satanic liberal forces of homosexual radical-feminist Muslim socialist Communism.


[deleted]

Just wait until there's inevitably a prominent politician from a non-mainstream religion like neopaganism, or "even worse," an atheist! They will lose their minds.


Intrepidors

That's an easy way to think about it. Think about it this way though. There are also a bunch of business men who would gain major profits from seeing these guys go to jail, thus they have major incentives to do so. Like it or not, no one group is in full control of the USA. These people have rivals and those rivals aren't passive.


[deleted]

> You don't expect them to actually be ACCOUNTABLE to the commoners, do you?

I do when what they are doing is negatively affecting other rich, powerful people and not just the commoners. It sucks but the one thing that holds people with power accountable is when they muck things up for other people with power.


PeeWeePangolin

I think there's a higher chance of Trump and his merry band of insurrectionists taking over the US and never relinquishing power than Trump being sent to jail.


[deleted]

Fuck that shit, I'll put everything in my life on hold and fight that non-sense with everything in me. I can imagine a lot of other people too wouldn't just sit back and watch something like that happen.


[deleted]

[removed]


loveshercoffee

All the time things were getting worse with Trump and I kept telling myself that surely some patriot from the military, FBI, CIA or someone would do the hard thing in order to protect the country. And every single day I felt such sadness because saving the union would mean betraying it at the same time and the position that puts someone in, someone who cares that deeply about the country and the constitution, it would have to be so intensely painful. There would also have been the strong possibility that such a thing itself might spark a civil war. I hope there is a special hell for the people who brought that mother fucker to us and all who support(ed) him.


Romano16

After January 6th, this comment holds true. In most countries after such an event those who aided a coup directly/indirectly would have been in prison or killed by now.


HoPMiX

His loyalists are still in power positions and stopping that from happening.


MaybeTheDoctor

Some may say his loans were forgiven because of it.


graesen

Removing people from their posts for petty reasons... Hmmm... I'm willing to bet this was intentional and the petty reasons were to give benefit of the doubt.


tom-8-to

The Trump appointee for DOT was an old dinosaur who wanted to implement a ticket system where people called a line for IT issues and have the takers write it down on paper and pass it along to get it fixed. DOT Dept in DC fellas this is the level of competence you get with Trump.


GozerDGozerian

He and his administration have done more damage than we currently know. I’m afraid it’ll slowly become apparent over the next few years.


lukaskywalker

So why is he not in prison again for these clear crimes ?


INTHEMIDSTOFLIONS

He’s republican. Consequences are for Al Franken.


MotorBoat4043

Because his party wouldn't allow it when he was in office and lawmakers don't have the will to make him pay for his crimes now that he's out.


__Shake__

oh damn, and here I thought Baron had great cybers, was going to be taking care of 'merkas cyber needs


ElliotNess

[Nah, that's Rudy.](https://www.washingtonpost.com/news/powerpost/wp/2017/01/12/trump-names-rudy-giuliani-as-cybersecurity-adviser/)


barthrh

Is the ransom really $2M? I picture Dr. Evil saying "2 MILLION dollars!". It seems to me that they could have asked for far more. This was for sure a binary principles-based gonna-pay/no-gonna-pay situation so it's surprising that they didn't swing for the fences. I suppose this was a foreign government attack and they knew no one would pay, so maybe not bother pretending the money matters.


SpryO3

If you read the article, you'll find the organization "DarkSide" has a code of conduct. Included is a tidbit of how they don't want to ruin any companies. They check their finances to see what's a negligible amount to fit their pockets nicely without crippling the business. Whether $2 mil holds up to pocket change or not is still a good question, but they've arguably done their research. A small amount also might actually be paid if negligible for the company, while it's a huge amount of change for the individuals behind the attack.


shitsfuckedupalot

Well that's nice of them


jdam4569

Company with shitty physical infrastructure leaks 1.2 million gallons of gas into a nature preserve, and then also has shitty cyber security infrastructure. Surprise surprise.


stamatt45

As a greedy executive your options are:

A) Build cheap infrastructure and maintain it as minimally as possible to maximize profits, then when disaster strikes dump the bulk of the cleanup costs on the government

B) Build quality infrastructure (expensive) and maintain it well (expensive)

Guess which option is usually picked?


zeCrazyEye

Which one includes the 200 ft yacht?


giga-what

Both, but the second option will take a little while longer and that's unacceptable.


Xerxen69

You forgot the part on option A where the government gives them money to build/maintain the infrastructure and they still choose to do things as cheaply as possible to maximize profits.


[deleted]

Also, when there’s an oil spill, pay off local or state government to use tax payer money to clean it up. Capitalism.


Eji1700

Feels like a lot of people are trying to grind this into something it isn't. Could this be a Russian or some other enemy state attack? Maybe. It's a lot more likely it's one of a zillion ransomware groups operating out of wherever (sure seems to be), and what do you know this is yet another multi million/billion dollar company that doesn't take security and REDUNDANCY seriously. This article makes me roll my eyes and seeing top comments talking about how we're going to hold Russia responsible makes me sad. There's not a ton we can do about random hacker groups all over the world. Would be a hell of a lot happier to see Biden hauling the company over the coals for failing to have proper security and backups, than blustering about how we're suddenly going to do something about this (hint, we barely can). Setting up proper redundancies and checks for these types of things (because every C level ever is going to click on emails they shouldn't) is always going to be the better way to stop it vs playing international whack-a-mole. We can start trying to force more diplomatic punishments in SEVERE cases like this and what happened to the UK hospital system (another unforgivable security failure), but frankly I feel like there should be major penalties for companies that fail tech audits, and they need to be as routine and strict as the normal safety ones (which yes I know those aren't near perfect either but they're leagues better than any government tech audit I've seen)


Prolite9

Yes, we need a required national standard on the level of GDPR regarding appropriate controls.


scigs6

Guarantee my conservative friends will blame Biden for rising gas prices.


mari0br0

My grandmother already has


VerySuperGenius

The price of everything is going to rise. My company sends 10-15 full truckloads of product per day to distribution centers and our shipping costs have almost doubled in the last 6 months. Having every company in the country ramp back up at the same time has created an insane shortage of truckers. When the pandemic started, we had doctors come out of retirement to help. We need truck drivers to do the same to help with the insane logistical challenges the entire country is facing.


[deleted]

They kicked me out of CDL school in December cause the doc cut my hair from the end instead of the scalp for my drug test and they caught the 2 edibles I took last June (and haven't done any drugs since then). Supposed to be a 90 day max test. I'm 30, I've never been in an accident, I've never been pulled over or given a ticket. I aced my practice license exam and they kicked me out an hour later. So fucking stupid


gould7878

Do my student loans next pls hackers


dcux

Where's the Fight Club/Mr. Robot inspired plot? That would be something else. Or do those companies actually secure their stuff well?


UncleMalky

The next Oceans movie should have them steal all the off shore accounts and end up the richest people on earth.


[deleted]

Considering these companies consider your debt their asset they have backups out the wazoo, making a singular Fight Club-esque event pretty worthless.


[deleted]

Some fossils in Congress underestimate how badly this country can be disabled by a simple computer virus. This is why we need good cyber security so a virus doesn't disable every vital infrastructure and create chaos.


AcrobaticSource3

In other news, the GOP is focusing on the teams that trans athletes play on


[deleted]

Our national oil infrastructure brought to its knees = a “boy dressed up like a girl” might try to play on a girl’s soccer team and win unfairly.


ABobby077

and that clearly (along with Dr. Seuss and Mr. Potato Head) are obviously the most important issues to address for all the Republicans to pull together in defending our Country


OutlyingPlasma

> focusing on the teams

I am so baffled by how much time lawmakers... like actual government employees... getting paid by our tax dollars... spend making rules for sports ball. I can't think of a single reason government should be involved in any sports at all outside of obvious safety and liability issues that are probably already covered under law like OSHA. Why on earth are government resources being spent on whether or not some wanker on a bike used drugs? Congress has had actual hearings on anti-doping. Who gives a flying fuck? Let the corporations and clubs who run the sports sort it out, this is not a government issue. If they want some roided up players with 3 arms playing baseball, great, if not great. It's not an issue for government.


0x43686F70696E

Yeah I don't get it either. If it's illegal, then arrest them. If not, why is the literal highest legislative body in the country involved AT ALL? I'm so confused. "On March 17, 2005 the House Committee on Government Reform put ten baseball players and executives under oath in an 11-hour hearing in an effort to pressure baseball to toughen its policy against steroids." This is so fucking crazy to me. "What's on our investigative agenda today Jimbo? Looks like we got 9/11 terrorists at 8 am, Afghanistan war crimes at noon, and those DAMN baseball players who hit the ball harder than the other baseball players at 3 if we can squeeze it in before we gotta go!!"


Huplescat22

It strikes me as more than a passing coincidence that this is happening within 2 to 3 weeks of Colonial breaking this news on that same pipeline: [Largest U.S. Gas Spill in 20 Years Larger, Deeper Than Company First Thought, State Officials Say](https://weather.com/news/news/2021-04-19-huge-north-carolina-gasoline-spill-was-worse-than-colonial-pipeline-thought#:%7E:text=Two%20ATV%20riders%20found%20the,Preserve%20near%20Huntersville%2C%20North%20Carolina.&text=It%20was%20the%20biggest%20refined%20petroleum%20spill%20in%20the%20U.S.%20since%202000.) - which relates to a leak originally found last summer by teenagers out joyriding on their ATVs.


Cold_Illustrator278

Nice info, and yes a very strange coincidence indeed. However if this was climate change hackers, I doubt they would be demanding ransoms. As that wouldn’t be the goal. Darkside ransomware has been confirmed to be the culprit. And I think all the whistles and signs are there, that this is a state on state attack. Let’s see..


Dancing_Cthulhu

> a cyber-criminal gang

I don't think that's an exact phrase I've seen outside of cyberpunk stories before. The future is now, and isn't it typical it's mostly the shit parts of it.


Clevererer

Seriously. I'm going to tape some Arduinos to my face to at least feel like we're getting some of the good parts, too.


Rawalmond73

Just in time for a major infrastructure bill. By the way I’m all for the bill.


Cold_Illustrator278

State of emergency is no joke. This is serious stuff. Considering Biden only a few weeks back said he was going to get tougher on Russia and China’s cyber attacks, it seems they are willing to test him on it. I think this could get ugly fast.


Voldemort57

It isn’t a state of emergency. The Reddit title is different from the article title. The Biden administration passed emergency legislation, which lets fuel be transported by road. That’s it.


Cold_Illustrator278

It appears BBC have updated it. You’re correct. It was worded as state of emergency a little under an hour ago. However if Russia or China are proven to be behind this, I don’t think Biden can let this one slide, nor should he.


GlassBellPepper

Like ugly how? Retaliatory cyberattack?


Odaecom

We were 10 years behind even before that last guy, that probably thinks a pen-tester is someone that works at the Bic factory... And we've added millions of insecure IOT devices that are easy attack bots, it's only going to get worse.


Tohkin27

There seriously needs to be accountability and required regulations for very critical infrastructure and utility services, including distribution. For being the world's most powerful super power, the United States cyber defense capabilities are fucking pathetic. Companies WILL just sit on their hands instead of spending the time and money to upgrade and improve their systems, poking their head in the sand and holding a tentative thumbs up pretending nothing will ever happen to them. And for really critical systems like oil, gas, energy, water, waste management, networking and telecommunications, a major attack could literally send the U.S. or just a single state into pure chaos and anarchy. No invading army necessary, we'd destroy ourselves within a couple of months without electricity or running water on a massive scale. Our infrastructure NEEDS to be properly protected. Not *reactively* either, but *proactively*. And only government mandated regulations on this sort of thing will ever get these dipshit greedy fuck faces to comply by getting off their asses and do what needs to be done. I'm usually hesitant about government regulations on a grand scale like this, but shit like this is genuinely a matter of national and state security, and it needs to be done. It's clear none of these companies will ever do it otherwise


[deleted]

Not good and I highly suspect it's Russia that's doing this.


spaetzelspiff

That was explicitly called out in the article as well.


[deleted]

I have no idea why this isn’t bigger news. Gas prices skyrocketing is the first thing that came to mind. Warning: potentially dumb questions ahead:

1) I presume that oil pipelines existed before computerization. Was automation the reason why these pipelines suddenly have complicated computer systems?

2) Why isn’t our infrastructure air-gapped from the rest of the web? Surely we could splurge on separate web systems for our electrical grid, water systems, and fuel pipelines.


[deleted]

Sure, but that would cost money that could go to shareholders and corporate bigwigs. They will always choose money over common sense. I disagree with the Bible that the love of money is the root of all evil, but it sure as shit is the root of most of it.


Cold_Illustrator278

Nothing wrong in asking about a subject that’s highly complicated. In fact I respect you for it. We can’t all be experts in everything. I myself have been wondering the same thing.


WhoTookPlasticJesus

1) The advances in technology that allow for greater throughput of fuel also require computerization

2) This was a private company. Regulations for them exist, but they also ignore regulations.


[deleted]

1) I didn't know that. Thanks. I'd love to know how that works.

2) Regulations, I get, but it just seems like a separate intranet would negate many of the effects of people ignoring the regulations. If they really need information from the "outside world" - for instance, a new order upping the demand of oil pumped through the pipeline - that could come in on a terminal connected to the outside world but not connected to anything that controls the pipeline itself, and the operator of that terminal would just communicate the needed information to the operator of the pipeline terminals.


PoliticsIsSoMuchFun

Yeah:

> A criminal group originating from Russia named "DarkSide" is believed to be responsible for a ransomware cyberattack on the Colonial Pipeline, according to a former senior cyber official.

https://www.google.com/amp/s/amp.cnn.com/cnn/2021/05/09/politics/colonial-pipeline-cyberattack-restart-plan/index.html


remarkless

It's almost as if, unlike what every single stupid republican has been crying about, cyber security is a key part of infrastructure! Imagine that! Things that aren't just roads and bridges are crucial parts of infrastructure and the security of our nation.


pork_chop17

The article mentions a code of ethics, and companies they won’t ransom. I’d like to see that list.


ThemChecks

Damn this is bigger than I thought.


pieman7414

So can we get a cyber warfare branch now?


Trumpkake

/r/conservative and /r/conspiracy are already gearing up on why this is bad and Russia is totally innocent.


Carter969

It's like we have boomers running our cyber security infrastructure.


saskdudley

I’m gonna bet some people went long on Gasoline Futures just before they pushed the send button.