Ransomware crim: Yeah, what I do is bad. No, I don't care. Yes, infosec bods are all mouth and no trousers Someone claiming to be a former contractor for the REvil ransomware gang has given an interview to a security firm, saying he struggles to sleep at night but isn't ashamed of what he does. The unnamed person was interviewed by Russian news outlet Lenta as part of a series focusing on the mostly Russia-based scourge of modern …
... is why, after 15 years in Infosec, I've had enough and have transitioned out of infosec.
I had enough of being a figleaf, of the endless pointless tickmarks by "security consultants" with 6-letter passwords who think MFA is an ingredient in Chinese food, of the sheer security kabuki, the hopeless underfunding, the vendors just keen to upsell you another useless silver bullet and so f*cking on and on and on.
I have no idea what the solution should be. Maybe the Russians are better and smarter and simply can't be beat. Maybe it's the lack of real liability all the way up to the C-level, including vendor sales drones and above-mentioned consultants. Us few, us unhappy few, wouldn't have a problem, as we've been documenting and gathering evidence about how we've been warning and how we've been ignored like latter-day Kassandras for ages.
<friday rant off>
In construction it is easier to identify risks (e.g. falling from heights), address those risks (e.g. safety lines) and verify that best practise is being followed.
With aircraft after an incident there is an investigation to identify the root cause and if mechanical failure then inspections are ordered with dates based on how likely the failure is. Software flight controls make it much harder to test and identify the root cause.
IT risks are harder to identify (zero days), harder to address and even harder to train users.
perhaps it's just as simple as cost balance. Currently, security for biz is very much considered 'necessary evil' - and 'cost-optimised' as much as possible. Until your business is hit that is, and all those savings go up in smoke. But if this business loss becomes significant and widespread, the system will need to re-adjust itself by investing more time and more effort, more... dilligence. Not throwing money at 'security' (well, that will happen too), but spending money on solutions that work. Which generally goes with 'quality'. The system will have to try to solve this, at a point where the losses become too large for the management to ignore. Rather than delegating the shit down the ranks, i.e. 'something needs to be done, I don't care how and what!', something will really have to be done, because delegation and dilution of responsibily won't make this problem go away, quite the opposite.
Incidentally, the interview supported me opinion that all that talk in the West about evil! Russian! Chinese! regimes! controlling their evil! hacking! gangs! wreaking havoc! on innocents! is just bullshit used simply to drum up public support for the us v. them polarisation, and it's working in the West very nicely, likewise in the East. I'm pretty sure those evil regimes, like our peace loving democracies, have their own cyber-teams, and most likely control some hacking groups and use others, but not as widely as painted by Western governments. If anything, most probably it's the last option, a natural world symbiosis: as long as the hackers stay away from monther Russia's assets, they're given free ride, and from time to time asked for special 'favours'. And it wouldn't make sense to refuse such favours, of course, as Russian oligarchs have found out.
If defending and being responsible and accountable for the indefensible/unpalatable/inequitable/unfair/unattractive/extremely lucrative and rewarding is your business, AC, it is a veritable gold and diamond mine for that and those either able or enabled to relentlessly attack it to try and take advantage of all possible benefits too.
It is surely what humans can easily be programmed to do and regard as quite normal and is therefore fully to be expected from hordes of them.
"perhaps it's just as simple as cost balance. Currently, security for biz is very much considered 'necessary evil' - and 'cost-optimised' as much as possible. Until your business is hit that is, and all those savings go up in smoke. But if this business loss becomes significant and widespread, the system will need to re-adjust itself by investing more time and more effort, more... dilligence. "
Which likely means, like automobiles and aviation, proper legislation will be written in blood.
LOTS of people will have to die due to a ransomware attack with the lawsuits costing billions. Insurance companies pushed to totally exclude coverage. Kick even the most corrupt politician's snout out of the pig trough.
Just one attack getting out of the attackers hands. It seems to be the only way these things get done.
Let's just hope the knee-jerk reaction instead isn't starting WW3.
I admire your optimism. Remember Enron? End of the financial world. Much hand-wringing from politicians of red-tie and blue-tie variety.
What did it give us? Sarbanes–Oxley Act. A veritable gift to the same firms that allowed Enron to happen.
More useless compliance work that doesn't actually change anything. Forced paper trails.
Anyone stupid enough to be caught by info gleaned from a Sarbanes-Oxley audit would probably be hard pressed to steal candy from a baby.
The challenge of any security role is that a single mistake can make you vulnerable. In Infosec that mistake (e.g. buffer overflow) could have been made by someone else and worse could have been added deliberately via an attack on a software developer who wrote a library that is used by a piece of software.
Security has to balance the risk of a breach with enabling people to do their jobs. The more security you add, the harder it is for people to do their work.
For example I'm writing some code to be deployed in the cloud. Previously I could connect to a jump host, copy the text onto the server and test. Now I need to save the file, transfer, wait for it to be scanned and copied to a cloud server, transfer the file to where I require it and test. If I make a change on the cloud server I need to reverse the process.
Do I understand why? Yes it is primarily to make it easier to trace transfer of confidential data.
This post has been deleted by its author
As I'm reading about Russia tolerating the activity so long as Russia isn't targeted, privateers is what comes to mind. That sounds like what Russia is, in effect, doing. I'm sure there are factions in many nations who would be OK with hoisting the jolly roger and going after Russia similarly provided they got state impunity and an expectation of riches.
I don't think that is actually a great solution as it would give Russia excuses to do other things, and it trains people to be jerks. My understanding is that piracy stops being an issue when pirates no longer have safe ports, but I'm not sure what you are supposed to do with pirates when you can't strong-arm the ports into cleaning up their act. What possible downside is there for Russia when they send their citizens a-viking today? Bad press in the UN?
The problem, one might say, with your proposition is that if you only targeted Russian companies with large sums of cash, few if any of those targeted companies would feel any remorse after sending a couple of guys around to weld your doors closed, and set your buildings on fire.
When organizations, such as financial institutions and law enforcement agencies, gain insight into the operational dynamics of malicious cybercriminal communities, they can better understand threat actor TTPs; access potentially vital observations in real-time; leverage that information to thwart a ransomware attack. ....... https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/
Imitation is the sincerest phorm of flattery, so they say, and such an avenue of/for exploration and exploitation is that which renders all information/Technology and Product Development well enough widely known to be extremely valuable and rewarding either in relatively anonymous secret private, pirate, public use or more general utilisation and facility, and such can even generate unbelievable wealth with zero future use reflecting a tacit and temporary agreement to refrain from further exercise and revelation of the foundational bones of developments which can clearly and easily cause almighty colossally destructive collapse in remotely targeted systems.
And whenever wealth? is easily simply delivered in the virtual transfer of fiat to a unlimited credit/debit card account, for the holder's oft extravagant and/or expensive spending feeds and needs/wants and desires, and an account in which the balance on checking is always that fixed virtual transfer of fiat constant, is the cost priceless and always unambiguously indicative of the arrangement being still acceptable as perfectly valid.
IT aint rocket science, Creative CyberSpace Command and Control with/of/for Computers and Communications.
It seems to me there are 2 groups of criminals; the ransomware goons and the managlement that does try to properly protect the company. The goons are obvious as they are actually perpetrating these attacks. But what seems to another common issue is the obliviousness of manglement to the risks of any attack (see Needless Markup). Issues like not having a proper, robust backup and business continuity plan and procedures, allowing code execution on work stations in Orifice in particular. Macros have no place in a secure office. Another is not looking alternative ways to make yourself less vulnerable; do you really need to use Bloatware as a Disservice and Orifice or could another OS and office suite be suitable. These issues worsen the effect of any attack. Manglement is never punished either civilly or criminally (aiding and abetting would be a start). Until someone starts imprisoning the manglement goons these attacks will continue because manglement has no real skin in the game.
</end rant>
Manglement is never punished either civilly or criminally (aiding and abetting would be a start). Until someone starts imprisoning the manglement goons these attacks will continue because manglement has no real skin in the game.....a_yank_lurker
And whenever said manglement entanglement has surreal skin the game? Would that be a practical problem for some and a fabulous fabless opportunity seized by others with skin in many skinned games ...... with Virile Ware for Almighty Fare well worth a'sampling ..... experiencing/enjoying and employing/AIdDeployment in Leading Applications for Extremely Exceptional Leadership Programs/Projects/Pogroms.
Other Users may Offer Quite Different Ware for Other than such as is a Superbly Convenient Almighty Fare ......... Global Asset in Global Operating Devices Work.
No Time to Lie .... I Kid U Not.
FYI ....... an earlier draft of the whom and the what then engaging the Unparalleled Direct Attention of Special ParaMilitary Force Operations ......... Jimmy's Secret Army
... we went into Afghanistan. The Taliban was providing safe haven for a group that was exporting its criminal activity. Now while I don't expect any sort of military operation against Russia, there are other things that one can do. Cutting their Internet connections at their borders would be a start.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
