Companies could also stop creating monoculture networks that are easy to manage and also easy to compromise. When every device is a domain-joined Windows 10 machine running some low-level, 3rd-party centralized remote management system, it's just a matter of time before you are completely owned.
This is the "Encryption Backdoor" problem in Computer Science (aka "Exceptional Access System"). It is impossible to build an exceptional access system and then ensure it is only used by good people to do good things.
Non-computer-experts were sold computers and the internet as tools that would help them run their business.
I find it hard to blame them too much for unexpected unadvertised technical problems.
I propose something simpler: disconnect most computers from the internet, and don't put them places strangers can access them. Then build out the tools that work in that environment.
I don't actually think it would work in practice, though, because it's a race to the bottom. The company continuing to do all their shit over the public internet with commodity PCs is going to be doing things more quickly and more cheaply initially, and may thoroughly beat the competition before getting hit by an attack.
Some of this monoculture and attack surface is necessary (line-of-business software, standard productivity tooling, the OS itself...) for the company to function.
At least with remote management, you can respond at scale if one of those gets compromised.
The problem is the entire thing will be compromised. Exchange, SharePoint, clients, servers, domain controllers, etc. That's what happens to monocultures. You must have diversity at every level (OS, DB, network, apps, etc.)
Yes, it is more difficult to manage a diverse environment, but when you survive the next big ransomware attack you'll see why it's so important (while your competition struggles to recover).
This holds true for crops, people, animals, financial investing and everything else. Diversity makes us strong and resilient. Monocultures make us weak.
Monocultures are easier to manage, audit and predict, but their weaknesses outweigh those benefits IMPO.
I know how to configure a firewall on Linux. I don't know how to on Plan 9 or Windows.
Should I run Windows, Plan9, Solaris, FreeBSD, NetBSD, and Linux on my 5 servers to ensure I have diversity?
To me, that makes it seem 5x as likely that I make a configuration error that leads to a critical vulnerability if I have to figure out 5 different ways to set up a firewall and sandbox.
What about using software that historically has been shown to have vulnerabilities? For example, wordpress has had a lot of vulns in the past, so should I host one of my blogs on ghost, one using jekyll, one using wordpress, or should I only use a static site made with jekyll because I know static sites are more secure?
If I'm allowed to eliminate wordpress there, why can't I eliminate diversity at other layers? I know linux is more secure than windows IME, so can't I just not run any windows hosts by the same argument that I won't use wordpress?
You mentioned "diversity at every level (network)". Do you mean I should run wireguard VPN for some of my networks, cisco for others, unencrypted for others, just so I have more diversity?
I'm genuinely curious because the model I've heard advocated so far is that a monoculture is more secure because you can eliminate less secure things (use wireguard instead of unencrypted traffic), and gain mastery of a small surface area to ensure it is harder to attack.
Adding diversity just for the sake of it, by its nature, adds more attack surface and requires more expertise to secure, so it seems to fly in the face of the common advice I normally hear.
> Should I run Windows, Plan9, Solaris, FreeBSD, NetBSD, and Linux on my 5 servers to ensure I have diversity?
No. At the scale of five servers, a monoculture is acceptable risk, and as long as other businesses at that scale are choosing different monocultures, the systemic risk is limited as well.
But in analogy to agricultural monocultures, larger fields make monocultures more dangerous, and many adjacent fields with the same monoculture increase the risk even more.
But geographic continuity isn't necessary in our networked world, so the analogy is of limited use, and any vendor with enough customers, no matter how spread out, makes an attractive target.
> Should I run Windows, Plan9, Solaris, FreeBSD, NetBSD, and Linux on my 5 servers to ensure I have diversity?
Running Windows and Linux would be a good start. Plenty of business-y software runs on POSIX systems: perhaps your business processes don't have to run the same operating system as your desktops?
Having a file share appliance (e.g., TrueNAS, NetApp) would be a good step after that (if things get encrypted just revert to the last snapshot).
You may have missed the point of the question. All my machines (business and servers) are currently linux because I know how to update and secure linux.
The parent poster is arguing for diversity for the sake of it. To me, moving from my linux monoculture to a linux+windows diaspora seems less secure.
I'm talking specifically about the idea of security through diversity, not about this specific incident, so backup recommendations aren't really related to this thread.
Ransomware in particular requires the attacker to be able to make your data inaccessible; in order to do that they need a certain level of control over every system on which that data is replicated, and as you say avoiding a monoculture makes that (substantially?) more difficult.
On the other hand, a leak or breach of user privacy requires exploiting any single system containing the data. Putting the same data on a diversity of systems makes that easier, and you won't even know what's happened if you've made it too difficult to "manage, audit and predict."
Avoiding a monoculture isn't the security magic bullet you pretend it is.
Diversity just leads to more attack surfaces that have to be locked down. Doesn’t sound like a good idea. And even if you had it (33% of desktop OSes each on Linux, Windows and Mac), having 1/3 of your company neutralized is still a huge problem.
Unfortunately companies cannot afford to build messy environments.
Fixing small issues, on-boarding new people, explaining existing setups to those already employed, adding new servers. That is a nontrivial amount of money burned there "day in and day out" even when networks are a monoculture with centralized access. Making it a little bit of this flavor, a little bit of another, will make those costs grow 100x in no time. This way you have 100x operational costs to prevent something that may or may not happen.
Having a messy environment also brings other risks, like some operator messing up more easily because of being tired of fighting that mess.
> The US always claims to have the best cyber-warfare capability on the planet, so presumably they could do ransomware better and faster than gangs like REvil. The US should use this capability to mount ransomware attacks against US companies as fast as they can.
As ridiculous as this sounds, a private sector version could work. Imagine 'hacking' companies that audit municipal services and private companies. The hackers would have to be motivated to win, by payment, not just go through a security checklist. Insurance and law could demand this sort of active and ongoing security check. This would also create diversity in hacking systems instead of one governmental set of tools and strategies.
Right, but I think they're talking about a marketplace of friendly hackers that are motivated by big winnings if they successfully penetrate a system. As opposed to a security consultant who gets paid to test a company's security and write a report, regardless of the findings.
This does already exist, to a limited extent, as the security bug bounty programs that some companies have on public offer. For example, Amazon says they'll offer you $15,000 if you find a "critical" security bug in one of their services; Google offers up to $31,337 for discovering a remote code-execution bug. https://hackerone.com/bug-bounty-programs
This solution has been proposed before in security circles. The reason I have heard that it is not done is that just the act of hacking into a system can destroy things that are important. With a pen tester the company can review their plan and make sure it won't affect critical systems. With the government randomly hacking systems they will eventually touch something they should not have. Encrypting all the systems for non-compliance is even worse, some systems will be effectively destroyed or require months to recover from just being off and unavailable. Some things can be recovered fairly easily (database rollbacks, replays) but often a lot of transaction history is lost when the systems go offline. We are not actually sure we could restart the USA power grid if the whole thing went down at the same time (never happened before). You do NOT want an uncontrolled shutdown of an oil refinery or chemical plant. There is a business cost too while the systems are down which might be viewed as a "fine", but that is a fine imposed with no legal recourse. A company could take the government to court, but they may never be able to recover from this "fine". The amount of the "fine" will vary per company also, some companies with the right recovery architecture could just consider it a cost of doing business and find it is cheaper than doing good security, others may be wiped out. There is no way to make the "fine" proportional to the crime.
None of this solves the problem of zero-days either. The only thing that I know of that sometimes could work against zero-days are intrusion detection/anomaly detection. They do not guarantee that you'll be able to stop the intrusion in time though, especially if the entire attack is automated or really sneaky, masquerading as normal users or third party vendors. An automated IDS that can halt an attack is a very risky thing; change your business practice one day and that could shut down your network meaning you just attacked yourself. It could be purposely triggered by an attacker also as a denial of service.
The only ransomware solution I can envision is gradual hardening, like in the old days of Sun workstations and how airplanes became so safe. Make only small incremental changes and respond to feedback so over time the system gets more and more secure, until everything is just secure by default except when rare new vulnerabilities are discovered (new zero days, but if the system doesn't change much they should get rarer and more difficult to discover with time discouraging people from trying to find new ones). This is expensive and takes time and kills innovation, but I don't think there is a quick fix. So reserve/require it for critical systems and let innovative systems be more subject to failure and attacks. The first step would be deciding what is critical (the power grid? facebook? your grocery store IT system?) and hence should be required to follow this practice. Eventually even the more innovative services will benefit from using some of the well hardened systems. Ransomware will run rampant meanwhile, diminishing with time. I view this as similar to global warming, there is not just one problem, there are thousands of problems in networks, computers, OS's, apps, services, and users, and it is not going to be fixed with a patch (especially when patches are also an attack channel).
Big companies probably already do something like this (hence they continue to use Windows NT or DOS or invent their own flavor of Linux), but this is also something that should probably be a government requirement for the grid, chemical plants, ISPs and anything we can not risk having fail.
I assume this proposal is at least somewhat tongue in cheek based on the title, but if the US really wanted to nip this in the bud could they not instead make it a crime punishable by jail to pay the ransom?
This is by far the most effective solution to the problem. The foreign corrupt practices act [1] was highly effective at stopping US businesses from paying bribes in foreign countries, with many other developed nations following suit with similar laws. Such a law for ransomware would no doubt also be effective. Companies pay lawyers specifically to audit their processes around FCPA compliance because the penalties are so severe. No executive wants to go to prison because a salesperson hires some “consultant” in Thailand to win a deal…
How do you know it was highly effective? Do the audits enhance compliance or just ensure non-compliance is well concealed? The SEC's enforcement actions page shows a continuous stream of actions against large corporations ("Goldman Sachs Group, Inc. - The firm agreed to pay more than $1 billion to settle SEC charges that it violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA in connection with the 1Malaysia Development Berhad (1MDB) bribe scheme. See related action against Tim Leissner (10/22/20).") since they ramped up enforcement in 2007. How do you know that's not just the tip of the iceberg?
The main perverse incentive I see here is that it encourages companies to hide the fact that they've had a breach so they could pay the ransom w/o consequence.
I do think regulation making ransoms hard/impossible to collect is the way to stopping the immediate problems posed by ransomware.
More disturbingly, however, is that such hacks just underpin how vital infrastructure is exposed to nation states. When the motivation isn't collecting a ransom but rather to disable a country's vital infrastructure, such regulation would do little.
The theory behind banning ransom payments is an attacker won't go to the risk and expense of kidnapping someone if they know there's only a 1% chance they'll get paid.
But if the attack is an automated bulk exploitation of thousands of computers all around the world - why should an attacker stop targeting US computers just because US companies are banned from paying?
There already are "security consultants" who will do the dirty work of paying the ransom and handing the victim the decryption key. Pretty hard to stop that sort of thing, no?
Make it strict liability? I.e., if you paid for a "consultant" and it just so happens that he paid off the ransomware operators without your knowledge, you'll still be liable.
That's going to be nearly impossible to enforce, because the first thing that will probably happen is that companies will stop reporting ransomware attacks. And these "consultants" could be based anywhere, as well as further outsource their work to independent contractors, shell companies, etc. So getting hard evidence that there's been a ransom payment will likely be a wild goose chase.
More likely the "consultants" will handle the decryption process, and the company's own engineers, who are probably already shell-shocked and under huge pressure, will be told to just be thankful that the experts have secret, proprietary technology to deal with the ransomware. Even if the engineers want to be whistleblowers (at the risk of sacrificing their own jobs/careers), it'll be pretty hard to get enough conclusive evidence that a ransom was paid.
For one thing the bud has already bloomed into a vast field. For another, criminalizing the behaviour of the victims is rarely all that effective, especially when difficult to track and enforce.
That may or may not help. If a company has a choice between going out of business or some probability of the CIO going to jail you know what they're going to choose.
But the choice is really between a personal risk of going to jail or a personal risk of finding a new job. As long as the individual risk outweighs the collective reward the incentive to lie should be small.
Besides, unless 2 or 3 execs can also implement the recovery procedure without any of their engineers catching wind I don't think it's likely that the secret would remain well kept.
The CIO can resign instead of going to jail. It all depends on how strictly the law gets enforced. If only a few get caught, then it becomes a dishonor to not have "the balls" of just risking it, and you'd not get a new job as CIO if you didn't want to play it out. But if it's guaranteed to get caught, nobody would do it.
> The CIO can resign instead of going to jail. It all depends on how strictly the law gets enforced. If only a few get caught, then it becomes a dishonor to not have "the balls" of just risking it, and you'd not get a new job as CIO if you didn't want to play it out. But if it's guaranteed to get caught, nobody would do it.
Right. Humans don't strictly adjust their behavior according to the game theoretic adjusted risk (penalty × probability). Raising the odds of getting caught tends to work much better than increasing the penalty.
That said, one of the outgrowths from this observation has been Broken Window Theory (that credits a drop in larger crimes to increasing enforcement and speedy mitigation of other - highly visible - minor infractions), which turns out to be more of a just-so story. You mostly have to increase the odds of getting caught for the crimes you are most interested in deterring rather than something else.
Sure, we could fix the flaws in every accessible software on the planet. Or we could outlaw non-traceable payment methods like Bitcoins so that there is no profit in ransomware. What are they going to do? Ask for payment of a million dollars in iTunes gift cards?
That solves ransomware, which is bottom of the barrel in the hacker world. The reason the talk about this is so much about _defense_ lately is because if people as untalented as ransomware operators can make it into US corporate and government infrastructure, imagine how deep in state-employed hackers must be. In the past decade US government infrastructure has been deeply penetrated multiple times, with catastrophic consequences.
Bitcoin is quite traceable; but I take your point. To flesh out your position, are there any circumstances in which you believe two parties should be able to transact securely and privately?
It's trivial to make Bitcoin untraceable. See tumblers.
I think people also have this strange idea that the bitcoin ledger must represent all bitcoin transactions. But think for a minute that I can just email you a wallet and the coins just changed hands without putting anything on the ledger.
> But think for a minute that I can just email you a wallet and the coins just changed hands without putting anything on the ledger.
I won't trust that you destroyed your own copies of the keys, so I'll want to transfer the coins to another wallet first thing with a real transaction recorded on the ledger. Otherwise I'm risking that at any time you could take the coins back from me.
Doesn't matter much if it is traceable, as long as it can be converted into actual money. And it can, thanks to dodgy exchanges turning a blind eye or being actively complicit.
Couldn't they still demand ransom in BTC? I assume if BTC is largely banned in the US, it will still exist. Exchanges will still exist (in some countries) and it'll still be traded.
Couldn't attackers still say, "Go get some BTC and deposit it. Where do you get some? Not our problem."
Good question! So this is like US companies paying bribes. The employee handbook for my first job said that bribes could be paid in other countries if they are usual and customary. Bribes over a certain sum required executive authorization.
The US has now made paying bribes in other countries into US felonies. So now US companies do not pay bribes if they are sane.
So sure, an attacker could say "Go get some BTC and deposit it. Where do you get some? Not our problem." But then the executive in charge would have to choose between (1) committing a felony with jail time attached for him or (2) possibly going out of business and finding a new job. For sensible people, that's not really a choice.
If paying bribes is already a felony, can you help me understand how "outlaw non-traceable payment methods like Bitcoins" would help?
Seems like you sweep up a lot of innocent consumers who just want to use bitcoin, and if paying bribes is already illegal I'm not sure what additional incentive this adds.
I guess my point in this post and prior was: paying the bribe is the problem, not the medium they wish to use to transact.
I’m sure speculators and drug buyers would go on using Bitcoin, but businesses can only be persuaded to do these ransom payments because they can buy Bitcoin legally with a normal wire transfer.
"The US always claims to have the best cyber-warfare capability on the planet, so presumably they could do ransomware better and faster than gangs like REvil. The US should use this capability to mount ransomware attacks against US companies as fast as they can."
This is totally ridiculous. If anything, the US government needs to hack people less, stop dropping broken DLLs[1] and focus on defense. Security needs to be built up and incentivized, not punitively broken down. Practically all of the organizations hit by these huge attacks were not doing basic measures. Many of them were not hit by CVEs from this year, as this post implies.
It also isn't even "ransomware" in this case since there's no ransom. It's just the government hacking your computer because the military-industrial complex (MITRE) doesn't like you. No hate towards them or CVE, but that's not a good look or policy.
The article is attempting to follow in the satirical tradition of Jonathan Swift's "A Modest Proposal", which suggested feeding children to the poor in 18th century Ireland.
I've read it, but I find the line hard to see with this article. There are several, maybe most, of the other claims that are actually true. Governments in general really do breach systems and drop malware like this, and most ransomware attacks aren't being performed with big zero day exploits. Jonathan Swift didn't cite his previous articles or actual newspapers, as I remember at least. After a couple more reads I should have picked up on them "shortening the grace period", that seems obvious. I got burned by this one.
Or the US could fund hacker groups that only target Russian companies, in a quid-pro-quo mode. For every ransomware attack on US companies there would be a retaliation asking the same ransom value from a Russian company (or oligarch). That would get the Russian government working.
BLUF: government should attack vulnerabilities first, disabling systems until they are patched.
Very creative. It might also be done better with an open market where companies set the price they're willing to pay for red hats.
This also requires some understanding of how zero-days come to exist. Briefly, insiders, many of them foreign assets developed from their earliest education and helped along the way to get to their target. There are some ‘in the wild’ discoveries, but the sophisticated attack chains do not rely on luck.
Given that, here’s another viewpoint: $70m in ransom might be a far better deal than exploitation by a nation state. It’s quite possible that these guys are actually defectors doing us a favor.
So, we should consider that security is something we’ll have to pay for one way or another, and we should seek to establish markets that make that cost predictable and minimize disruption. And yes, I do understand the moral hazard this would create, and I don’t have any good ideas to fix that right now.
> The NSA routinely hoards 0-days, preferring to use them to attack foreigners rather than disclose them to protect US citizens (and others). This short-sighted policy has led to several disasters, [...] Unless they are immediately required for a specific operation, the NSA should disclose 0-days it discovers or purchases
The author too charitably positions NSA here. When one considers the hoarding of 0-days, weakening of encryption standards, wrecking trust in US businesses by forcing compliance, failing to intervene in years of breaches, and many other malicious activities, it soundly refutes any claim of concern for protecting the country. How many billions has this cost in business terms, on top of the billions they're paid for the privilege?
So if defense isn't their actual mission, maybe it's actually population control.
>"The US always claims to have the best cyber-warfare capability on the planet, so presumably they could do ransomware better and faster than gangs like REvil. The US should use this capability to mount ransomware attacks against US companies as fast as they can."
I wonder why it is presumed that the US has the best cyber-warfare capability? Why do we think this is true?
It isn't presumed, it's claimed by the U.S., and the presumption the author is making comes from granting that claim for the sake of his (facetious) argument.
Whether it's true or not doesn't matter. I don't think you'll find many countries making claims of weakness on defense-related topics. In the same way that no country would just announce that they have the 11th or 12th greatest military in the world, they'd never say they have the 2nd best cyber-warfare capability either.
I wonder how hard it would be to spoof that your computers are using Russian as the default language so that the code won't execute in your environment?