Extremeskins

NBC: Colonial Pipeline blames ransomware for network shutdown


China


1 hour ago, Springfield said:

I manage an auto shop, gas station.

 

We ran out of all gas last night at about 6:00. Got a small delivery of gas at 8:25 this morning, premium only. Ran out of that at 11:25. Every other station around us is out of gas too. We don’t know when our next load of gas is going to come.

 

Stop ****ing calling us asking if we have gas and when our next delivery is coming please.

Cool.  I won’t call.  Just post it here.  Lol.

From your posting history, I have a pretty good idea where your shop is.  Is it an intersection where there are three stations on the corners and a 7/11 up the street too?


37 minutes ago, Ball Security said:

Cool.  I won’t call.  Just post it here.  Lol.

From your posting history, I have a pretty good idea where your shop is.  Is it an intersection where there are three stations on the corners and a 7/11 up the street too?


That’s the one. This all is just insanity. I wouldn’t believe it if we didn’t just buy up all the toilet paper when we didn’t need it last year.

Edited by Springfield
  • Haha 1

This is turning into a giant cluster ****, what can be done to ensure private companies have adequate IT security systems in place?  Is it going to need to be regulated like accounting systems are?  Clearly leaving it up to each individual company to figure out, has failed.  
 

Might be time to take ransomware attacks more seriously, or at least draw a line in the sand on essential infrastructure.  

  • Like 3

4 minutes ago, PleaseBlitz said:

People engaged in ransomware attacks should be hunted down and imprisoned like people who kidnap for ransom.  

I think that’s what this group wants.  What they’re worried about is that they’ll be treated as terrorists.  That’s why their press release stated that they were apolitical with no political goals.  The subtext there is clearly “not terrorists, just criminals”.  They knew the US was about to become very angry and they want to worry about police, not the most powerful military on the planet deciding that capture or kill are both equally acceptable outcomes.  

  • Like 1

15 minutes ago, Destino said:

This is turning into a giant cluster ****, what can be done to ensure private companies have adequate IT security systems in place?  Is it going to need to be regulated like accounting systems are?  Clearly leaving it up to each individual company to figure out, has failed.  
 

Might be time to take ransomware attacks more seriously, or at least draw a line in the sand on essential infrastructure.  

Um. 
 

as someone that deals with this. 
 

do we even know what the entry point was? Cause without that, this is a pointless conversation. I’ve asked but no one answered. I’m not glued to it on the news but my guess is that isn’t public info. 
 

you might as well ask what can we do to make sure people aren’t poor, or that people are educated, or people are nice. 
 

security is a constantly evolving issue with tons of complexity and there is no one solution for all of it. 
 

And in my experience most people prefer convenience to security. 
 

just like they prefer getting somewhere quicker over driving safe. 
 

or not being told what to do over taking safety precautions (confirms, masks, vaccines)

 

most IT departments are understaffed, under budgeted, overworked, and lacking in expertise. 
 

And they’re controlled by execs that view IT as a cost center and security practices as inconvenient 

 

my company is very good about security. From top to bottom. We have been since about 2007. We’ve been mostly ahead of the curve. We’ve beaten the enterprise level, on average, in implementing things before them, and I’ve yet to come across a small business that does half the **** we do security wise. 
 

yet I go through every day wondering when one of my clients is next. 
 

we have not had a security breach that involved our side of things in, ****, 12 years? Back in 2009 when crypto viruses first came out and were brand new?

 

it’s a daily concern. 
 

anyone can sit around and preach practices. But it involves a lot. And most businesses don’t have the money. And most people, even ones with a job title that says cyber security, aren’t competent enough. 
 

 

and even if you do everything right you’re still subject to your vendors doing things right. Microsoft, SolarWinds, Adobe, Oracle, you name it they all have zero days. 
 

and even if all that goes right you have end users that don’t pay attention, don’t care, and make honest mistakes. 
 

I deal with infrastructure. Some of it utility related. SCADA systems are so far behind it’s absurd. 
 

the answer to your question is the entire system is ****ed and it’s going to take a long time to un-**** it

 

but if you can come up with the answer you can write a white paper on it and never work another day in your life. 

  • Like 5

2 hours ago, Springfield said:

I manage an auto shop, gas station.

 

We ran out of all gas last night at about 6:00. Got a small delivery of gas at 8:25 this morning, premium only. Ran out of that at 11:25. Every other station around us is out of gas too. We don’t know when our next load of gas is going to come.

 

Stop ****ing calling us asking if we have gas and when our next delivery is coming please.

I've never been a Karen...but you're giving me some motivation here...:ols:

 

 

  • Haha 2

24 minutes ago, PleaseBlitz said:

People engaged in ransomware attacks should be hunted down and imprisoned like people who kidnap for ransom.  

They are. 
 

Microsoft is actually probably doing the best job. They take a lot of flak but they were and are far ahead of all the other major vendors. 
 

hell, Apple ran a campaign saying we don’t get viruses and people still believe that bull****. 
 

Microsoft was rated #1 in caring and doing things about security back in like 2010. They’ve been a central figure in hunting people down for years. They control a lot of things that people use or go through, and they’ve used that control to work closely with the FBI and are likely our biggest current asset in this fight. 
 

(I have lots of bad things to say about Microsoft like WHY DID YOU BREAK EVERYONE’S OUTLOOK YESTERDAY?!?!? But they have an inaccurate rep on security that comes from the early 2000’s and is perpetuated to this day by people that just don’t like Microsoft)

 

the problem is this **** starts overseas and our ability to track them down is hard, but then turning that into an arrest is even harder. 
 

Krebs and others have made a career out of documenting this specific field of IT. There’s tons to read about and a lot is and has been done. 
 

hell, we know who did this. But is Russia gonna arrest them and turn them over? Of course not. 
 

we are hunting them down. There’s just a ton of them and there’s realistic roadblocks. And those will likely always exist. 

  • Like 1

7 minutes ago, PleaseBlitz said:

Not talking about Microsoft and Apple.  Talking about the FBI and, if international, the military. 

Yeah who do you think is providing the most help to the fbi at the moment? I think I mentioned that. 
 

i mean sure wave your magic wand and make it so the fbi and military can just go wherever they want and get whoever they want. 
 

cause otherwise you’re not really working within the restraints of reality. 


Here’s one idea:

get away from cyber security insurance. 
 

Quit with a bull**** low rate add on to your business insurance to protect you from the fallout, which comes complete with a nonsense questionnaire about your environment, all designed to make you feel safe about it by doing nothing practical. 
 

make companies eat the **** storm they caused financially. Where customers are actually harmed, pursue criminal charges as appropriate. 
 

bet that’d wake some people up. little more skin in the game instead of just paying a little premium increase. 
 

(travelers recently started requiring 2FA across the board to qualify for their cyber security insurance, I know cause I’m rolling it out everywhere, and that’s the only meaningful thing I’ve seen come from these things. So props to them for not sucking)

 

 

and if you really want to get angry about it you should make all these cyber security contractors get audited

 

because I know for a fact a sizable portion of them are a ****ING JOKE and they’re bathing in tax payers money being a ****ING JOKE. 

 

 

  • Thanks 1

6 minutes ago, tshile said:

Yeah who do you think is providing the most help to the fbi at the moment? I think I mentioned that. 
 

i mean sure wave your magic wand and make it so the fbi and military can just go wherever they want and get whoever they want. 
 

cause otherwise you’re not really working within the restraints of reality. 

 

Well the alternative is we just let criminals attack critical US assets without consequence?  I'm aware it would not be easy, but if we don't make a big ****ing deal about it every time it happens, then it's going to happen a lot.  Again, not talking about making it more difficult for these criminals to successfully conduct these attacks (which we should also do), talking about putting resources into finding who did it and where they are, extraditing them if necessary, and jailing them.  And if countries are harboring people that have attacked the US, creating consequences for those countries.  In other words, a dramatic escalation in our national response that makes it clear that this type of thing is a bad career choice. 

  • Like 2

I can’t get into details but I bet I could make some of you smash your desk in half if I could about just how much tax payer money is so poorly spent in the government cyber security contracting sector.

 

 

Just now, PleaseBlitz said:

 

Well the alternative is we just let criminals attack critical US assets without consequence?  I'm aware it would not be easy, but if we don't make a big ****ing deal about it every time it happens, then it's going to happen a lot.  Again, not talking about making it more difficult for these criminals to successfully conduct these attacks (which we should also do), talking about putting resources into finding who did it and where they are, extraditing them if necessary, and jailing them.  And if countries are harboring people that have attacked the US, creating consequences for those countries.  In other words, a dramatic escalation in our national response that makes it clear that this type of thing is a bad career choice. 


um. We are doing that. 
 

we are not doing nothing. 
 

I think this is a topic where there’s just a lot of information you’re not aware of - because it’s boring as **** and not related to your job or what you do. 
 

And did I mention it’s super boring ?

 

we can’t get half the country to wear masks and a sizable portion to get a vaccine during a pandemic that’s killed 500+K people and they estimate over 400k deaths aren’t being counted. 
 

look at how we handled toilet paper a year ago

 

are you following the gas crisis at the moment?

 

are you aware we are basically a large collection of mostly stupid people? 

  • Like 1
  • Haha 1

Although I must point out the non mask wearers are apparently going to start wearing masks to protect themselves from... whatever it is they think falls off us vaccinated people while we walk around in public. 
 

so I mean, baby steps. 
 

just gonna have to be patient. maybe?

Edited by tshile

What we need is a post technical revolution where everything isn’t connected to the cloud. The reason that everything is online is because of the perceived efficiency of the online system. The internet is young and I think as it matures we will find critical infrastructure is no longer connected.

 

 

Edited by CousinsCowgirl84

It’s supposed to be segmented already in appropriate ways. 
 

I would like to think colonial was doing (most) things right and someone made a mistake it was a zero day they couldn’t prevent.  This isn’t a small business providing accounting by services to other local businesses. This is a national pipeline operator and a member of critical infrastructure. 
 

But you don’t know what you don’t know and I haven’t seen info on it yet. 
 

segmentation isn’t an answer in and of itself. The Iranian nuclear enrichment facility was segmented. There is, and has been for years, research on bridging air gaps. Everything from communicating based on the noise produced by vibrating drives (or electrical components) to using the LED lights on components to communicate across a room where there is no networked connection. 
 

user education. Sound security practices. Robust white hacker and bounty program (or some better replacement) communities. Companies focusing on cyber security the same way they do on worker safety.  Vendors doing a better job. 
 

a better IT talent pool. Less paper credentials more actual expertise, experience, and practical ideas. 
 

and I still think banning insurance and making a few companies crumble because they didn’t take it seriously enough is needed. 
 

hunting them down is no better of an idea than the drug war. We know that doesn’t deter people, this is what we hear about our criminal justice system and specifically the death penalty. It just creates an expensive program that’s results are debatable at best. 
 

We need a new internet founded on security first. Need a new way of doing things. Right now it’s a cat and mouse game. 

Edited by tshile

The DarkSide hackers (the ones who sold the malware) are apparently trying to distance themselves from it as they know how much attention it's brought on them. 

 

So maybe a little bit of both (all the things that tshile mentioned AND a full fledged hunting party) would work? It does seem DarkSide doesn't want the attention this one brought.  

 

As for the actual attack, I'd suspect it was a spear phishing attack that tricked the user into downloading malware. And it had probably been there for a while. 

Edited by The Evil Genius

Also - our government is a joke. Across the board. 
 

I was participating in the Virginia fusion center program for a bit. 
 

everyone said all the right things. The people in charge were trying to be productive. But ultimately it was kind of a joke because it was a bunch of high minded ideas with no real practical applications. I think funding ran out and the element I was involved in (which centered around cyber security for utilities and local government) and it all fell apart. They had no real teeth. Neat idea, some smart people running it, but it was like an academic circle where everyone appeared to live in a bubble and no one lived in reality. 

and the guests? I gave a rundown on security practices to stop what most of them were complaining about. Aside from “yeah we have no funding for that” (these weren’t expensive solutions I implement these practices for run of the mill barely treading water small businesses all the time, it was a manpower and prioritization issue), I wasn’t impressed with the response. Most of these people seemed... well, they were just there to **** and say nothing is ever their fault. These are people running some wealthy counties, counties that consider themselves pretty important. Much more important than they actually are 😂 
 

i feel bad for the people running it because they were bright and had the best intentions and did many things well. They were victims of how our society functions. 
 

We’re a long way off of solving this. I’m honestly surprised we haven’t had more issues. And we’ve had plenty but... I honestly expected more. 
 

and I don’t mean to disparage everyone. It seems that way. But I don’t. There are good, quality people out there. Just not enough of them. 
 

and from what I often see - the real decision makers love to say the right things in interviews and speeches and press releases - but behind the scenes they’re dopes on this stuff. They’re the first to say they care, they’re the first to say the people responsible will be fired or whatever and they’ll spend a ton of our money making sure it doesn’t happen again when it happens, but when it matters (behind the scenes before it happens) it’s just lip service. 


Obviously we're all ignorant to how these pipelines work. I don't remember seeing any mechanical engineers posting in any threads in the tailgate. However, I'm mechanical enough to be dangerous. My question to this whole situation is why was there not a much quicker backup system in place to release and process the oil/gas that if something like this happened, the pipeline could still operate? I would imagine the pipeline does have something in place, just baffles me it takes this long to get it operational while also still working on fixing the issue brought forth by the hack. 

 

Also to tshile's point about funding these things properly, hell we can't fund fixing mental health issues either. Government alone can't fix many problems, but it can provide resources to experts. Unfortunately we have a government that can't identify real experts anymore. There's a great book by Tom Nichols called "The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters." Should be required reading in schools lol. 

Edited by Busch1724
additional comments
  • Like 1

23 minutes ago, tshile said:

 

hunting them down is no better of an idea than the drug war. We know that doesn’t deter people, this is what we hear about our criminal justice system and specifically the death penalty. It just creates an expensive program that’s results are debatable at best. 

You think an entirely different response for infrastructure wouldn’t influence criminals’ choice of targets?  I suspect that crippling US infrastructure resulting in a seal team killing every member of your hacking group would change the math somewhat.  This wouldn’t be about stopping all crime, that isn’t possible, but about communicating where the lines between crime and national security are.  


 

Quote

Colonial Pipeline restarts after hack, but supply chain won’t return to normal for a few days

 

Colonial Pipeline restarted operations Wednesday at approximately 5 p.m. ET after a ransomware attack last week forced the entire system offline on Friday evening. The company did warn, however, that its pipeline would not be fully functional immediately.

 

“Following this restart it will take several days for the product delivery supply chain to return to normal,” Colonial said in a statement. “Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal,” the company added.

 

Shortly before Colonial’s restart announcement, President Joe Biden said to expect “good news” from the company in the next 24 hours. He added that the White House had been in “very close” contact with the company.

https://www.cnbc.com/2021/05/12/colonial-pipeline-restarts-after-hack-but-supply-chain-wont-return-to-normal-for-a-few-days.html

  • Like 1
  • Thanks 1

12 minutes ago, Busch1724 said:

Obviously we're all ignorant to how these pipelines work. I don't remember seeing any mechanical engineers posting in any threads in the tailgate. However, I'm mechanical enough to be dangerous. My question to this whole situation is why was there not a much quicker backup system in place to release and process the oil/gas that if something like this happened, the pipeline could still operate? I would imagine the pipeline does have something in place, just baffles me it takes this long to get it operational while also still working on fixing the issue brought forth by the hack. 

To my knowledge we don’t know what happened. 
 

the fact that the pipeline is not functioning suggests they gained access to the SCADA systems. 

SCADA systems were never designed with security in mind. For the most part they’re operating in a 60’s-80’s technology era - which is the easiest way I can describe it quickly in layman’s terms. 
 

these systems are expensive. They’re expensive to buy and set up. They’re expensive to replace. And when it comes to replacing there’s an issue of whether you can do all or nothing. 
 

the truth is the simplicity of the **** designed pre-2000 produced a ton of really reliable stuff. The downside is none of it had security in mind. All of it trusted that whatever was passing data in, was behaving correctly. And whatever was receiving the data pushed out, was behaving correctly. An entire system where every component basically operated on a blind trust that everything else was behaving correctly. 

newer stuff? Security in mind, but bug hell. Ever had to run a company and go through switching accounting systems? Try running the New York 911 system and making upgrades

(Google New York 911 system disaster and read as you please)

 

our nuclear arsenals are powered by **** developed in the 60’s. It works great. It’s not secure at all

 

the industrial/utility systems I have access to are locked down as best they can be, considering budget. Am I happy about them? **** no. But I’m just a consultant. And it doesn’t matter how well I present replacing your 2 million dollar production infrastructure with a 60 million dollar more modern one that will come with endless consulting fees to make it all run right - finances are still finances. 
 

I’m sure they had some redundancy built in. 

I’m also sure running a national pipeline that serves 40% of the east coast has challenges the rest of us can only imagine. 
 

and for all we know what they’re doing right now is deploying their redundant system. Maybe it just takes a week?

 

too much unknown. 

6 minutes ago, Destino said:

You think an entirely different response for infrastructure wouldn’t influence criminals’ choice of targets?  I suspect that crippling US infrastructure resulting in a seal team killing every member of your hacking group would change the math somewhat.  This wouldn’t be about stopping all crime, that isn’t possible, but about communicating where the lines between crime and national security are.

I mean... we are. 
 

you’re active in the political threads. 
 

your suggestion is akin to saying the way we fix our issue with a sizable portion of republicans is to sit down with them and show them the facts. 
 

it’s naive of the constraints of reality. 
 

but please yes go hunt them down. 

Edited by tshile
  • Thanks 1

1 hour ago, tshile said:

 

 

(travelers recently started requiring 2FA across the board to qualify for their cyber security insurance, I know cause I’m rolling it out everywhere, and that’s the only meaningful thing I’ve seen come from these things. So props to them for not sucking)

 

 

 

Ha, I talked to two customers back to back this afternoon who were looking for MFA for this exact reason. 

  • Like 1
