
Cyber attack shuts down U.S. fuel pipeline

XWAUForceflow
24 minutes ago, wseaton said:

I worked corporate IT for 20 years and frankly I'm not surprised. Spent half that time doing infrastructure security and spent 90% of my time battling IT culture and *not* C-suite drones. The suites will write checks if it's justified.

 

What needs to happen is these data breaches need to be responded to with fines the likes of which will tick shareholders off to the point they demand heads to roll. I guarantee you nobody in IT from director level upwards will lose a job over this. Even McDonalds will fire people. This isn't a Target store... it's a strategic asset that can harm the infrastructure of the United States.

 

Has anybody heard of the term 'air gap'? Oh wait....the IT bill of rights declares that all computer systems need to be hooked up to the internet so network "engineers" have a job and 3rd party vendors can remote in after hours. I put that term in quotes because 99% of the network engineers I've worked with aren't engineers. They are just sys admins who know how to upgrade firmware on a switch and look important with Solar Wings graphs on their triple monitor displays. Oh yeah....Solar Winds...haha.

 

Virtually all these attacks use layer 7 vectors, but IT budgets are slanted towards layer 1-5 mitigation which doesn't do squat. Granular execution mgmt on critical work systems? Heck no....got a Cisco cert to complete. Client level security is entry level stuff. Meanwhile the entry level guys doing desktop support are managing most of the real security yet getting paid half the salary. The entire system is bass ackwards.

 

Work from home doesn't help either because home computer systems are impossible to manage, but it's a manageable scenario. Remote users need limited vertical access and the working scenario is *everybody* has their password compromised. 

 

A big thing that would help this is senior IT staff needs to be told that if data breaches occur, and they've been given the tools to mitigate it, then they lose their jobs and unemployment is denied - no exceptions. High level OS support people like myself know how to wall systems up so that it would take an AI from Neuromancer to penetrate, but we spend most of our time fighting a system that pushes lack of accountability. Don't get me started on 30yr old sysadmins who still live with their parents. They have a BA in computer science, and can name all the infinity stones but can't outline even a basic ransomware attack vector.

 

 

The problem with fining companies that get breached is there is already a problem with companies keeping such things secret. No way to know if they get breached then. A bigger punishment for hiding a breach would be needed and one that could follow someone after they quit a company because "hide it till you leave and let the company implode" is something someone might do. Record executives did that to the music industry with digital music long ago. Those asshats are the reason the Digital Millennium Copyright Act exists. It was a way to try to save the music industry from the predations of their own executives that the American people and the world are still paying for.


 

"it was too hard to revert to manual billing or use previous bills as an indication of usage numbers, so we threw part of the country into a panic"

 

yay money


24 minutes ago, Arika S said:

"it was too hard to revert to manual billing or use previous bills as an indication of usage numbers, so we threw part of the country into a panic"

 

yay money

 

I doubt they even had the means or procedure to manually bill. It would take too long to implement and probably be more expensive than just paying the ransom.

 

But yes, I'm sure falling back on a manual billing process will be a national requirement going forward.


3 hours ago, StDragon said:

I doubt they even had the means or procedure to manually bill. It would take too long to implement and probably be more expensive than just paying the ransom.

Shouldn't be, our backup procedure for payroll is repeat last pay round then as permits calculate missing run and then get difference. Nothing should have prevented them from doing this, save for the fact that the differences would be much more than a payroll run.

 

Maybe they had no way of tracking volume units while the system was down so had no way to reverse/retrospectively calculate the billing, that would be my guess anyway.


5 minutes ago, leadeater said:

Shouldn't be, our backup procedure for payroll is repeat last pay round then as permits calculate missing run and then get difference. Nothing should have prevented them from doing this, save for the fact that the differences would be much more than a payroll run.

 

Maybe they had no way of tracking volume units while the system was down so had no way to reverse/retrospectively calculate the billing, that would be my guess anyway.

That would be my guess to be honest. With the way everything is automated and integrated these days I'd say one of the systems that got hit was that one single poor server that gets the hard log-data from the fenced actual pipeline system and converts it to something usable (most likely an excel file 😉 ) for their billing system to work with.

You lose that server and you don't get the logs which will get dumped quickly because of lack of space on the decades old control hardware. Thus no chance to do any billing corrections later on. (*Disclaimer* I know nothing of their operations, but experience tells me that this is at least a possible scenario...)

 

 


On 5/15/2021 at 12:34 AM, wseaton said:

A big thing that would help this is senior IT staff needs to be told that if data breaches occur, and they've been given the tools to mitigate it, then they lose their jobs and unemployment is denied - no exceptions.

 

Sounds cute, until you remember that local laws would kill this stone dead in virtually every first world country outside of the US.

 

On 5/15/2021 at 12:34 AM, wseaton said:

High level OS support people like myself know how to wall systems up so that it would take an AI from Neuromancer to penetrate, but we spend most of our time fighting a system that pushes lack of accountability.

 

Right, pull the other one, it's got bells on it. Given how many pieces of software and hardware get exploits posted about them on here alone, (it's gotten to the point where it's a monthly occurrence pretty much), odds are something you're using has a flaw in it. And you may not find out about it till you become the target of an attack using it because you may find your network is the canary in the coal mine for the issue.

 

And that just flat out ignores that any security system is a tradeoff between being secure and ease of use. The more you harden something, (be it computer or people security elements), the more problems you create when using it legitimately. Sometimes the tradeoff of being less secure for greater ease of use, (or more features, or whatever else), is worth the potential downsides.

 

That's the thing here, for the companies in question a lot of the time the cost of a breach is less than the cost of hardening up, both in initial outlay and lost productivity from a more awkward system. In this case the cost to the strategic security of the USA was much larger than the pure monetary cost, but due to a lack of regulations the company is neither responsible nor liable for that so it doesn't need to worry about it.


1 hour ago, CarlBar said:

That's the thing here, for the companies in question a lot of the time the cost of a breach is less than the cost of hardening up, both in initial outlay and lost productivity from a more awkward system. In this case the cost to the strategic security of the USA was much larger than the pure monetary cost, but due to a lack of regulations the company is neither responsible nor liable for that so it doesn't need to worry about it.

True that. If we went through the full exercise of auditing all our software and services, how they interact with each other (data flows, sources of information etc) and users, internal and external penetration tested, legal compliance audit etc etc we could never finish such a project. We have a ton of legacy software and systems maintained over years to even decades with all sorts of upgrades, additional modules, integration with other systems done over the life of these software/systems and while we do our best effort today to do things properly and document we cannot go back in time and the other problem is things change over time.

 

Even just high level looking just at a service i.e. Learning Management System (Moodle for us) this is comprised of multiple different software and underlying systems many of them maintained on the software side by external 3rd parties. How are we supposed to fix a security flaw in something we have no control over? You cannot, all we can do is mitigate as best we can when/if we become aware.

 

Unlike other types of crime that require the physical presence of a person to commit it, which means far higher risk of getting caught and punished, cyber crime is not like that at all. It's because of this core difference more people are willing to do it and against entities they would otherwise not go anywhere near. How many low level criminals are willing to break in to ExxonMobil and steal documents? Practically zero right? Now how many are willing to try it from another country digitally? A damn sight more I think.

 

Cyber crime is such a problem because they are for the most part practically untouchable or there is little to no deterrent to doing it.


58 minutes ago, leadeater said:

True that. If we went through the full exercise of auditing all our software and services, how they interact with each other (data flows, sources of information etc) and users, internal and external penetration tested, legal compliance audit etc etc we could never finish such a project. We have a ton of legacy software and systems maintained over years to even decades with all sorts of upgrades, additional modules, integration with other systems done over the life of these software/systems and while we do our best effort today to do things properly and document we cannot go back in time and the other problem is things change over time.

 

Even just high level looking just at a service i.e. Learning Management System (Moodle for us) this is comprised of multiple different software and underlying systems many of them maintained on the software side by external 3rd parties. How are we supposed to fix a security flaw in something we have no control over? You cannot, all we can do is mitigate as best we can when/if we become aware.

 

Unlike other types of crime that require the physical presence of a person to commit it, which means far higher risk of getting caught and punished, cyber crime is not like that at all. It's because of this core difference more people are willing to do it and against entities they would otherwise not go anywhere near. How many low level criminals are willing to break in to ExxonMobil and steal documents? Practically zero right? Now how many are willing to try it from another country digitally? A damn sight more I think.

 

Cyber crime is such a problem because they are for the most part practically untouchable or there is little to no deterrent to doing it.

 

I suspect there's a good amount of truth in that last point, but don't forget that the internet makes it possible for a lot more people to have the locality of access as if they lived next door. That's going to up the amount you see just from more people having opportunity.

 

And that extends to the skill-sets, a lot of the knowledge and equipment that is used to pull this stuff off has legitimate uses in IT of one form or another. The skill-set and equipment used to physically raid a corporate HQ doesn't have much use outside of the military, and even then you're talking more spec ops than line soldiers. And well the military screens pretty hard so you're not going to find a lot of ex military with the required skill-set willing to do that kind of thing.

 

Then you've got the intel side of things, a good breach in IT is silent till it wants to make itself known, the hacker can go in with no clear objective and see what's there, they can also lock up everything in a way even a remote detonated bomb on every computer couldn't, (a bomb you can use a sensor or dog to see fairly reliably if you missed finding one, not so much in IT), and they can take their time, no in and out before the cops arrive because no one even knows you're there till it's too late.

 

Throw in nation states likely pulling false flags to throw suspicion off their actual cyber warfare groups, (which unlike a normal misdirect or false flag don't need to be restricted to the vicinity of the target, the whole world is a potential option to go after), and you've got a recipe for problems. Give a large number of people ready access to the location, tools, and skillset to pull off a crime and you'll see a lot of it. Hence why you see lots of home robberies, but relatively few people tackling armoured cars full of cash.


17 minutes ago, CarlBar said:

The skill-set and equipment used to physically raid a corporate HQ doesn't have much use outside of the military, and even then you're talking more spec ops than line soldiers.

Well that actually depends on if you want to get in undetected or not, crowbar v window, the crowbar wins lol. Smash and grab is a thing, however with the example in play it would take quite some time once in the building to traverse through it and find anything and by that time you won't be there alone anymore 😉

 

Such is one of the many reasons why I say a low level criminal simply would not touch such an entity, unlike a cyber criminal. The local Kwik-E-Mart is a much more attractive target for those people.

 

That's the other problem too, a lot easier to notice a broken window or door and it's nearly trivially easy to have a real time alarm for both of these. Accurate and clear alerting on the IT side isn't quite as cut and dry in that respect.

 

Edit:

What might be of interest to you is our backup software has multiple different forms of ransomware protection, one of those being abnormal change rate and will not run the backup past the scan phase. This is to prevent poisoning the backup chain with a cryptolocked data backup and that also means data aging will not happen on certain restore points so you are more likely to have a recovery point. Actually a nice feature.

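The abnormal-change-rate guard described in the post above, as an added illustration that is not the poster's backup product or its code: the scan phase compares the last good manifest with the current state, refuses to run the backup when too many files changed, and pins the last good restore point so retention aging cannot expire it. The manifests, paths and the 30% threshold are constructed for the example.

```python
"""Added example of a ransomware-aware backup pre-scan (not any vendor's code).
A manifest maps path -> (size_bytes, content_hash); the manifests below are
constructed sample data, not captured from a real system."""
from dataclasses import dataclass

# Assumption: more than 30% of previously backed-up files changed in one
# interval is treated as abnormal for this data set.
CHANGE_RATE_LIMIT = 0.30


@dataclass
class Snapshot:
    files: dict  # path -> (size_bytes, content_hash)


@dataclass
class RestorePoint:
    name: str
    protected: bool = False  # protected points are excluded from retention aging


def change_rate(prev: Snapshot, cur: Snapshot) -> float:
    """Fraction of files in the last good snapshot that are now modified,
    renamed or deleted (a rename shows up as a missing path)."""
    if not prev.files:
        return 0.0
    changed = sum(
        1 for path, (_size, digest) in prev.files.items()
        if cur.files.get(path) is None or cur.files[path][1] != digest
    )
    return changed / len(prev.files)


def scan_phase(prev: Snapshot, cur: Snapshot, last_good: RestorePoint) -> dict:
    """Decide whether the backup job may proceed past the scan phase.
    On an abnormal change rate the job stops so the chain is not poisoned with
    an encrypted copy, and the last good point is pinned against aging."""
    rate = change_rate(prev, cur)
    if rate > CHANGE_RATE_LIMIT:
        last_good.protected = True
        return {"run_backup": False, "rate": rate, "reason": "abnormal change rate"}
    return {"run_backup": True, "rate": rate, "reason": None}


# Constructed manifests: ten billing exports, a normal day with two edits,
# and a day where every file was re-encrypted and renamed with a .locked suffix.
PREV = Snapshot({f"/srv/billing/day{i}.csv": (1000 + i, f"h{i}") for i in range(10)})
NORMAL = Snapshot({**PREV.files, "/srv/billing/day0.csv": (1200, "h0b"),
                   "/srv/billing/day1.csv": (1300, "h1b")})
ENCRYPTED = Snapshot({p + ".locked": (s, "enc" + h) for p, (s, h) in PREV.files.items()})
```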

  • 4 weeks later...

DOJ has apparently recovered millions of dollars of the ransom.

https://www.cnn.com/2021/06/07/politics/colonial-pipeline-ransomware-recovered/index.html
