So here's an idea: improve security by stopping the hoarding of 0days.
Built a company that buys 0days and doesn't immediately turn around to get them fixed? Too bad, this is a business model that leeches off everyone's insecurity and now deemed unethical like so many other seemingly-genius business plans. If you're that good, go find a different thing to do with your time.
Note that this applies to states too: in my book they're welcome to buy/incentivize 0day info, but only to then get stuff fixed ASAP. Any state that keeps a 0day "just in case" is failing to protect (among others) its own citizens.
The ability to inflict massive damage to a nation's infrastructure is now part of modern weaponry. It's akin to asking militaries to stop buying weapons. We have basically split the atom here, we aren't going back.
If you don't want people hacking into your systems you need to go full Galactica, disabling networks and have stopgap measures on every critical device.
There's a great book that talks about this ecosystem (of buying bugs, vulnerabilities, and other 0days), among other cyber security related things:
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
They say it’s the result of inaction, new tactics, criminals having safe harbor and ubiquitous connectivity.
I'm surprised they don't call out the "mostly unregulated cryptocurrency" stuff a bit more as a cause as well.
The market will not spend one dime more on security than is needed to maintain lines of business, and that includes things like perception of risk and mitigation.
If there is enough pain, whatever level of baseline security is needed to protect most orgs against these attacks will become the new standard.
And then this threat will be replaced by a new one.
Plus, there are other benefits. Companies might at least think a bit more about storing data about people (their employees, customers, etc) if there's a risk of it being stolen in a ransomware attack. That's a win for privacy overall.
Of course, lamenting the fact that cryptocurrencies exist isn't getting us any closer to a solution to the problem, but ¯\_(ツ)_/¯ media gonna media.
I wonder what percentage of the ransom demands remain private and unknown.
We still collectively haven't learned the need for Capability Based Security. I give it 5 more years before people finally catch on.
 - http://mikewarot.blogspot.com/2005/08/secure-computing.html
 - http://evlan.org/concepts/capabilities/
For a general user, this may just turn into the equivalent of "Terms and Conditions" acceptance. Most just blindly accept them because we're focused on the end-action. The same seems to go for allowing apps access to much of our phone data. In that sense, it doesn't really mitigate user risk (but does give legal cover). Is there any evidence that general users will "see something fishy was going on" enough to actually change behavior?
People don't just hand over their wallet, they choose the amount to tender in a transaction, which is the most they could lose.
If someone asks me to hand over my wallet, I know I'm being robbed.
In a capabilities based system, you pick what files to give to an application, instead of the application showing you a dialog and then getting them itself. As far as the user is concerned, the UI doesn't even need to change.
It is my long held belief (2005!) that capability based systems are the only way out of this nightmare.
Some of that already exists on desktop OSs but seems to have been abandoned. Drag and drop file loading is commonly available but applications still seem to insist on file dialog workflows. Drag and drop saving even exists in RiscOS and ROX-Filer. But how do we abstract other resources like cameras, keys, contacts, network ports, or money? Is it as simple as having drag-and-drop-able representations of those things? Do I drag $5 out of my virtual wallet into Steam? My bank password from a virtual keyring? Connect a virtual cable to the application window from an icon representing my camera?
Sadly, the desktop metaphor itself is out of fashion as everyone went insane when the iPhone came out, so I expect it will be a lot longer than 5 years before any of this is explored in any depth.
Android has some of that figured out. For instance, instead of getting a permission to use the camera directly, an application can use a camera intent, which will pop up the camera application (which does have that permission); when the user takes the picture, the original application will receive something somewhat similar to a capability which can be used to access that picture (and only that picture). The same idea can easily be extended to contacts (use an intent which pops up the contacts application, which then returns something somewhat similar to a capability to access the contact chosen by the user), and so on.
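As an added illustration of the pattern the two comments above describe (the user picks the resource, the application receives a handle to only that resource), here is the same idea done with POSIX file descriptors. This is example code written for this thread, not from any of the commenters or from Android: a trusted "picker" opens the chosen file and passes the open descriptor to a child process, which never learns the path. The file names and contents are constructed for the demo.

```python
"""Object-capability style file access via descriptor passing (added example).

The trusted side (standing in for the user's file picker) opens the file the
user chose and hands the open descriptor to an untrusted child process. The
child only ever sees that descriptor; it is never given a path it could
substitute for another file. Sample files are constructed in a temp dir.
"""
import os
import subprocess
import sys
import tempfile

# Source of the "application" process. It receives a descriptor number on
# argv and reads through it; no path is available to it.
CHILD_SRC = r'''
import os, sys
fd = int(sys.argv[1])
sys.stdout.write(os.read(fd, 4096).decode())
'''


def user_picks_file(path: str) -> int:
    """Trusted side: the user chose `path`; turn it into a capability (an fd)."""
    return os.open(path, os.O_RDONLY)


def run_app_with_capability(fd: int) -> str:
    """Launch the application with the descriptor only, not the path.

    pass_fds keeps `fd` open at the same number inside the child.
    """
    result = subprocess.run(
        [sys.executable, "-c", CHILD_SRC, str(fd)],
        pass_fds=(fd,), capture_output=True, text=True, check=True)
    return result.stdout


def demo() -> str:
    """Constructed scenario: two files exist, the user grants only one."""
    with tempfile.TemporaryDirectory() as d:
        chosen = os.path.join(d, "chosen.txt")     # constructed sample
        not_granted = os.path.join(d, "secret.txt")  # constructed sample
        with open(chosen, "w") as f:
            f.write("user-selected content\n")
        with open(not_granted, "w") as f:
            f.write("never handed to the app\n")
        fd = user_picks_file(chosen)
        try:
            return run_app_with_capability(fd)
        finally:
            os.close(fd)
```

Passing the descriptor only removes the path from the application's reach; keeping it from opening other paths on its own still requires an OS sandbox (namespaces, seccomp, or an app-platform permission model), which this demo does not set up.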
This is a good analogy for the tech-minded, but I think it may not be as applicable to the non-tech-savvy. To many general users software is an abstract black box, unlike a tangible wallet whose contents they intuitively understand.
When most people take their car to an auto mechanic they aren't prepared to say, "When you plug in your computer, only access the wheel speed sensor data and anti-lock braking software. Don't touch the fuel-mapping, car speed, infotainment, or GPS data." All they want is their car to drive again. They may not know enough of what's going on under the hood and, I suspect, would be more likely to blindly sign over whatever data the mechanic says they "need".
We need wallets, not cars.
If filesystem access permissions were invented today rather than 50 years ago, they would probably look a lot like permissions on iOS: user would need to affirmatively grant the process access to specific files or directories. No blanket read/write access to everything the user has. Same with networking. The user should have control over what kinds of inbound and outbound connections the process is making.
In practice, however, no.
In seriousness though, banning cryptography would appear to have many more serious consequences than the elimination of Bitcoin. Free speech would take a big hit for starters.
If the concern is regarding the waste of electricity, then why not apply a tax on energy equivalent to the associated negative externality? That way everyone who wastes electricity will be charged equivalently, and the government won't have to determine which use cases are "useless." (Personally I think mining gold for jewellery is almost as useless as mining Bitcoin -- both certainly have an aesthetic beauty to them.)
I think, when they say "ban crypto", they mean "ban cryptocurrencies".
I, too, find it deeply unfortunate that some cryptocurrency nerds have suddenly decided that a term that has for a long time been used to refer to cryptography should now suddenly be understood to refer to cryptocurrencies exclusively, but it's not the first time I've witnessed this misunderstanding.
The issue here is the same as it has always been: Cost cutting, poor management, poor oversight, and laziness. We have infrastructure-sensitive industries being hit, and in the years preceding the hits, full of heavily reported ransomware incidents, zero audits were conducted that flagged these problems, backup strategies weren't reformed (i.e. they have no offline backups), network onioning wasn't utilized, and other basic 101 security strategies weren't employed.
All we hear over and over is "they're CRIMINALS," "they're in [foreign country]!" but ultimately that is a distraction; there will always be criminals, and they will always operate beyond the reach of the law. What matters is mitigating their ability to do damage which we absolutely can and should do.
If senior management started being fired and companies heavily fined this problem would magically disappear (or its impacts substantially reduced, like a two-day outage while they restored offline backups instead of multi-week). This isn't because criminals stopped being criminals, it is because this is all just a symptom of a different problem: Corporate responsibility, or lack thereof.
Congress should take action, fund mandatory audits on private infrastructure companies and impose large fines on companies & senior executives that cause widespread disruption. Even the threat would be highly effective and the pocket-books would magically open to pay for security professionals and fixes.
For increased interest, the Colonial Pipeline shutdown had huge far-reaching effects beyond the cost to the company. News of the situation reached beyond tech wonks. It also impacted tons of people not directly related to CPC.
As to the uptick in successful attacks, the increase in working from home probably has a lot to do with it. A virus that wouldn't make it past an enterprise firewall will more easily hit some user at home. They then connect to the corporate VPN for work and bridge past a lot of firewalls and IDSes. Companies that might have decent network security are poking a lot of holes to handle people WFH that they never had previously.
Joe from Accounting, who's a whiz in Excel but falls for every phishing e-mail that hits his inbox, is a bigger problem WFH than when at the office. He's a match in a powder mill when he connects to the corporate VPN from his malware-riddled home PC. Was he not supposed to install totallylegitzoominstaller.exe from totesthisiszoom.ru?
This is nothing new, or surprising if you look at human nature. The big issue with security these days is that bad behaviors are not just common practice, in many cases they are incentivized. Many companies have pushed the risk into cyber security insurance policies, or if they haven't, they can create massive paper "losses" when a cyber incident happens. Prior to ransomware, if companies were smart, they could actually make money off a cyber incident, versus spending money to prevent an incident.
I would say the tipping point for many executives was in realizing that the Equifax breach (one of the biggest in history up to that time) had literally zero impact on their businesses long term. The company was focused on monitoring credit and many would have assumed the company would have a responsibility to secure its data.
Unfortunately this was a light bulb moment for many execs and the light bulb wasn't a good one for their customers or society at large. They basically found out that data breaches don't really matter and if you weather the storm there is very little impact to your business. Yes your customers lose their data, but if you need to minimize overhead costs, why spend a ton of money on a security program that doesn't have a guarantee in stopping it anyway.
Fast forward to 2021, with crypto being so ubiquitous and realizing that companies have largely forgotten or shut down their Business Continuity Planning (BCP) programs they stood up after 9/11, bad actors are having a field day. Actors were very active stealing DBs and trying to extort people, but they largely found that people either didn't believe them or didn't care.
With ransomware, they basically prevent the business from doing anything, and that is just not something that can be ignored like data theft/extortion attempts. If someone steals your customer ACH information from your accounting database, no big deal, but if you can't accept payments from your customers... They are literally not making money.
I have worked in information security for ~20 years and I don't believe that there will be any improvements until there are major changes to the incentives that customers have to protect their customer information/data. If anything the ransomware threat is one of the few things actually causing many companies to invest in their security programs.
I think it's not only individual incentives, it's also the incentive structure of whole ecosystems.
The way we write software nowadays (or even do other business processes) includes so many complexities and therefore potential attack vectors that I doubt anyone anywhere doesn't have gaping security holes unless they're writing code on airgapped systems where every component is thoroughly vetted or something. Just take a look at the crazy amount of (transitive) dependencies that any average web app (frontend or backend) has nowadays, or all the different infrastructure components.
Luckily for everyone, the endpoint protection market is evolving rapidly, and these solutions do work. Big Game Hunters aren't super humans, they exploit the things that on-the-ball IT teams and endpoint security vendors can easily fix: unpatched vulnerabilities, misconfigured endpoints and mismanaged credentials. Unluckily for everyone, the threat actors, for the reasons laid out in this article, are evolving too. And on top of that there's no shortage of vulnerabilities either.
I expect things to get worse before they get better. But do I expect Big Game Hunting to be a major problem in 15 - 20 years? I don't think so, because eventually every IT device in most any organization will have some type of cloud connected security baked into its cost. Do I think there's a likelihood it will be worse in 2-3 years? Most likely yes.
- tech companies for selling software and hardware riddled with security flaws
- the legal system for absolving said companies from any liability whatsoever
- customers who are unwilling to pay more for reliability, security, or recoverable backups
- those who pay the ransoms, ensuring steady income for criminal extortionists.
These are criminals, often state sponsored criminals, that are carrying out literal acts of war against US infrastructure.
So what’s the “media’s narrative” here?
These are criminal actions, as they're not endorsed by the state.
But it doesn't have to reach the scale of war to be bad. The broader narrative is We Have To Do Something. And that Something is always grant the government more power. Why is it a good thing, for instance, that we're taking "unprecedented" steps?
The US has been dealing with ransoms, piracy, extortion since its founding. "From the halls of Montezuma, to the shores of Tripoli," the latter was one of our first expeditions to deal with piracy.
As there is plenty of precedent for dealing with this stuff, we should be very skeptical when the government insists it needs new powers.
The modern media that takes the form of news isn't news. It's public relations for corporate and government interests. Whenever a story like this "suddenly feels" anything it's being manipulated by those interests.
Bitcoin is causing massive damage in so many parts of life. Environmental damage, ransomware, fraud, semiconductor shortages.
End it now. Stop the madness.
Attacks have been ongoing for literal years, but we had a nice war on terror and then a recession to keep banging on about in the news to keep the advertising dollars flowing.
It’s crystal clear that this is a matter of when, not if.
I for one will not be keeping my head in the sand.
And Goodwill in 2014:
And JP Morgan:
Target cyber attack from 2013: https://www.nbcnews.com/business/business-news/target-settle...
2014 had at least 3 major cyberattacks covered by the mainstream media. I'm sure there are more, but I don't have LexisNexis or whatever to do that kind of research; just google.
Edit: And that Target cyber attack got TONS of coverage. I remember it quite well. Everyone was talking about it at work. So this stuff didn't fly under the radar.