Extremeskins

NBC: Colonial Pipeline blames ransomware for network shutdown


China


1 hour ago, PleaseBlitz said:

 

Well the alternative is we just let criminals attack critical US assets without consequence?  I'm aware it would not be easy, but if we don't make a big ****ing deal about it every time it happens, then it's going to happen a lot.  Again, not talking about making it more difficult for these criminals to successfully conduct these attacks (which we should also do), talking about putting resources into finding who did it and where they are, extraditing them if necessary, and jailing them.  And if countries are harboring people that have attacked the US, creating consequences for those countries.  In other words, a dramatic escalation in our national response that makes it clear that this type of thing is a bad career choice. 

 

Like more sanctions on Russia?

 

@tshile is right on many fronts, I love removing the insurance and would go further on compliance requirements for critical infrastructure that allows the government to come behind and lay more wood on them when stuff like this happens.

 

Having said that, it's also a supply chain issue, especially with SCADA and ICS.  I'd like to hear more about making this equipment open source so we can talk about upgrading kernels and not Windows XP.  Microsoft does have extended support, but there's so many Operating Systems they've made that they don't make patches anymore, it's a lot of sitting ducks.  I'm still not happy they cut Windows 7 off at the knees the way they did, that was a damn good OS.

 

We aren't doing enough in Cybersecurity yet to say that much of this isn't our own damn fault.  At the same time, look on Indeed right now and agency after agency is hiring Cyber Specialists.  Somebody gets it.

Edited by Renegade7

3 minutes ago, tshile said:

To my knowledge we don’t know what happened. 
 

the fact that the pipeline is not functioning suggests they gained access to the scada systems. 

 

Apparently the hack was to the billing system and not pipeline functions.

 

https://www.cnn.com/2021/05/12/politics/colonial-pipeline-ransomware-payment/index.html

 

Quote

Meanwhile, new details are emerging about Colonial's decision to proactively shut down its pipeline last week, a move that has led to panic buying and massive lines at the gas pump.

 

The company halted operations because its billing system was compromised, three people briefed on the matter told CNN, and they were concerned they wouldn't be able to figure out how much to bill customers for fuel they received.

 

One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time, this person said.

 

Asked about whether the shutdown was prompted by concerns about payment, the company spokesperson said, "In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems."

 

At this time, there is no evidence that the company's operational technology systems were compromised by the attackers, the spokesperson added.

 


3 minutes ago, tshile said:

and for all we know what they’re doing right now is deploying their redundant system. Maybe it just takes a week?

i just recently read an article (can't find it again for some reason) about a data company that got the ransomware treatment. they were complete experts on data systems and modern technology, and luckily had a redundancy plan with everything backed up offline. and it still took them WEEKS to get everything back up running properly again. i'd imagine an archaic/non-tech focused company like this would take longer, so i'm actually surprised they're back up already


By the way - the whole “go hard on hackers” mantra already exists. 
 

it’s why we have young people being kicked out of school because some dingbat in Harvard IT made each acceptance record just a number you can increment in the url and boom - you can read all of them before they were released.
 

or why we have some young people sitting in jail cause some prosecutor decided to use the new laws to get publicity instead of being a normal ****ing person and evaluating a situation like an adult. 
 

I’m not saying you can’t go after people or change laws or whatever - just remember how ****ty our criminal justice system is, how many people are concerned about pr image or vengeance, and think critically about what you’re supporting

 

most of this **** is only stuff you’re aware of if you follow the scene. 


Executive Order on Cybersecurity signed just now, looks like more of a response to supply chain attacks than on critical infrastructure.

 

https://www.washingtonpost.com/national-security/biden-executive-order-cybersecurity/2021/05/12/9269e932-acd5-11eb-acd3-24b44a57093a_story.html

 

Quote

The 30-plus page document — unusually long for an executive order — calls for the reporting of severe cyber incidents within three days, the creation of a board to review significant incidents, the removal of contractual barriers to reporting federal agency breaches, and strengthening a program that allows a federal agency to test a product’s security before it is sold to the government. It also makes clear that contractors are required to report incidents at federal agencies to the Office of Management and Budget and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

 


4 minutes ago, PleaseBlitz said:


Not sure what part of “dramatic escalation” is unclear in my posts. 
 

Like the hunt for the Unabomber. 

 

That was on American soil, you can't Zero Dark Thirty into Russia.

 

Now if we want to start treating non-kinetic attacks by nation states as acts of war, we need to rethink our own offensive operations.

 

These are the new nukes, we need international treaties to calm this down with respect to countries that can overwhelm the private sector with nearly unlimited resources.


11 minutes ago, PleaseBlitz said:


Not sure what part of “dramatic escalation” is unclear in my posts. 
 

Like the hunt for the Unabomber. 

You’ve now got two people educated on and with practical experience in the topic telling you what’s going on. 
 

do I come into threads on legal topics and argue it’s you?

 

wait maybe that’s a bad analogy ... ;) 
 

 

Edited by tshile

2 minutes ago, Springfield said:

I think that one of the unfortunate things we learned from the Trump administration is that our government is toothless therefore people will continue to commit these kinds of crimes with general impunity.

 

Government can force the private sector's hand by making it harder to sell software to them unless it meets a higher standard of safety.  That will have a ripple effect down to the rest of us, like their goal of non-password authentication.

 

They need a bill, not just an executive order, to really have the necessary impact.  Make a speech about that.


Just now, Renegade7 said:

 

Government can force the private sector's hand by making it harder to sell software to them unless it meets a higher standard of safety.  That will have a ripple effect down to the rest of us, like their goal of non-password authentication.

 

They need a bill, not just an executive order, to really have the necessary impact.  Make a speech about that.

For the most part the entire software community has switched to agile and is in release first and fix later mode. I’m not saying your idea is bad, I’m just pointing out the entire software development community has basically shifted away from a model that would make that easier and into a model that’ll make it impossible.
 

it’s chuckle worthy but the whole “why do the cod servers crash the first two weeks it’s released” is basically how everything works now. 


12 minutes ago, tshile said:

You’ve now got two people educated on and with practical experience in the topic telling you what’s going on. 
 

do I come into threads on legal topics and argue it’s you?

 

wait maybe that’s a bad analogy ... ;) 
 

 


This is a legal topic, you just can’t view it from outside of your frame. 


1 minute ago, PleaseBlitz said:


This is a legal topic, you just can’t view it from outside of your frame. 

Ok well you legally explain how we’re gonna send the fbi and military into Russia to round these dudes up

 

 


2 minutes ago, tshile said:

For the most part the entire software community has switched to agile and is in release first and fix later mode. I’m not saying your idea is bad, I’m just pointing out the entire software development community has basically shifted away from a model that would make that easier and into a model that’ll make it impossible.
 

it’s chuckle worthy but the whole “why do the cod servers crash the first two weeks it’s released” is basically how everything works now. 

 

Bruh, now that some of the software is being called legacy and enhancement requests have gone down, agile teams are getting flowers on the stage about making security a priority where I'm at 😄

 

I'm not sure how a company like solarwinds can prove their software is safer outside of letting the government test it, guidelines will be out in a year:

 

Quote

The order calls for the Commerce Department’s National Institute of Standards and Technology (NIST) to publish preliminary guidelines within six months for software supply chain security, and final guidelines within a year. The guidance should include how to check for vulnerabilities, how to find evidence of flaws, ensuring up-to-date provenance of source code, and instructions for using automated tools to validate trusted source code, among other things.

 

Maybe I'm one of the few still holding out hope that the gap between attackers and defenders doesn't seem like an ocean forever.  We're in for a rude awakening if we just accept that and don't even try.


17 minutes ago, Renegade7 said:

 

That was on American soil, you can't Zero Dark Thirty into Russia.

 

Now if we want to start treating non-kinetic attacks by nation states as acts of war, we need to rethink our own offensive operations.

 

These are the new nukes, we need international treaties to calm this down with respect to countries that can overwhelm the private sector with nearly unlimited resources.


I didn’t see Zero Dark Thirty, so not getting that reference. I’m not sure that there are very many countries that would harbor cybercriminals from the US unless they are state-sponsored, which does not appear to be the case here, last I read.

 

1 minute ago, tshile said:

Ok well you legally explain how we’re gonna send the fbi and military into Russia to round these dudes up

 

 


If Russia won’t extradite private criminals engaged in quasiterrorism, then you make them pay a very high price for that, diplomatically, economically, hell, another $1 billion in weapons may need to find its way to the Ukraine.


7 minutes ago, PleaseBlitz said:


I didn’t see Zero Dark Thirty, so not getting that reference. I’m not sure that there are very many countries that would harbor cybercriminals from the US unless they are state-sponsored, which does not appear to be the case here, last I read.

 


If Russia won’t extradite private criminals engaged in quasiterrorism, then you make them pay a very high price for that, diplomatically, economically, hell, another $1 billion in weapons may need to find its way to the Ukraine.

 

ZDT was about the Bin Laden raid. Basically we can't just send guys into Russia to take someone out like we did with OBL in Pakistan.

 

I have some agreement about making them pay, but it's quite a balancing act because you want to hammer them but at the same time you don't really want to start a potential world war over ransomware. 


3 minutes ago, PleaseBlitz said:


I didn’t see Zero Dark Thirty, so not getting that reference. I’m not sure that there are very many countries that would harbor cybercriminals from the US unless they are state-sponsored, which does not appear to be the case here, last I read.

 

 

Zero Dark Thirty is the movie about going into Pakistan to get Bin Laden.

 

They don't have to "harbor" them, we can't just go into some of these countries and get them ourselves.  We ruined our relationship with Pakistan over getting Bin Laden and the way we did it.  Most APTs are in countries like Russia and China.  We have to bring them to the table on the bigger picture of the threats that aren't these that could do damage to them as well.  That doesn't mean they are going to extradite anyone, that's wishful thinking.


26 minutes ago, mistertim said:

 

ZDT was about the Bin Laden raid. Basically we can't just send guys into Russia to take someone out like we did with OBL in Pakistan.

 

I have some agreement about making them pay, but it's quite a balancing act because you want to hammer them but at the same time you don't really want to start a potential world war over ransomware. 


Sure it’s a balancing act, but we have plenty of tools in the toolkit. 


27 minutes ago, mistertim said:

 

ZDT was about the Bin Laden raid. Basically we can't just send guys into Russia to take someone out like we did with OBL in Pakistan.

 

 

Wait, you're telling me The Equalizer wasn't a documentary?  Next you'll be telling me Fast and Furious 9 is fiction.  

 

 


37 minutes ago, PleaseBlitz said:

I didn’t see Zero Dark Thirty, so not getting that reference. I’m not sure that there are very many countries that would harbor cybercriminals from the US unless they are state-sponsored, which does not appear to be the case here, last I read.

Most of them are in Eastern European, middle eastern, and Asian countries 

 

places we don’t exactly have awesome diplomacy with, if not outright run by anti-USA governments

 

And also places that even if they wanted to help they’re woefully lacking in capabilities 

 

do you follow the hacking scene at all?

 

it feels like you feel like you’re proposing some novel concept that’s never been thought about, debated, nor tried before

30 minutes ago, mistertim said:

ZDT was about the Bin Laden raid. Basically we can't just send guys into Russia to take someone out like we did with OBL in Pakistan.

Many people would argue we shouldn’t have done that. 
in fact if memory serves - Biden advised against it when Obama was in power.


2 minutes ago, tshile said:

Most of them are in Eastern European, middle eastern, and Asian countries 

 

places we don’t exactly have awesome diplomacy with, if not outright run by anti-USA governments

 

And also places that even if they wanted to help they’re woefully lacking in capabilities 

 

do you follow the hacking scene at all?

 

it feels like you feel like you’re proposing some novel concept that’s never been thought about, debated, nor tried before

 


It feels like you think this is an IT problem for the overhead IT people to solve. 


Just now, PleaseBlitz said:


It feels like you think this is an IT problem for the overhead IT people to solve. 


 

So the answer is no, and you don’t really have any real knowledge on the subject at hand. 

