Extremeskins

NBC: Colonial Pipeline blames ransomware for network shutdown



So we had an internet and the savvy among the tech world created a dark web based on anonymity which has furthered a ton of illegal activity which knows no bounds, including child porn, child sex trafficking, and rape videos.

It’s time for some more savvy people to go the other route and create a secure web.

There is absolutely no reason a business needs “internet access”. No reason why a business can’t be locked down to an only business related web.

Majority of compromises start with phishing. Majority of the zero day vulnerabilities require access to wide open internet to even have a chance of being exploited.

Put your public facing website on the regular internet on a server. Let customers interact with that.

But Debbie in accounting doesn’t need access to the damn internet. They need access to banks and vendors.

These phishing links shouldn’t resolve. They shouldn’t load. You shouldn’t be able to accidentally get there.

And while you can say that sucks and sounds awful for the day to day work, hey - we’ve tried a lot of things and the one big constant that keeps ruining it is you. You ****ed it up.

Won’t solve state actors and won’t solve 100% of it but it’ll drastically reduce an incredibly large group of people constantly looking for, finding, selling and using vulnerabilities and access to people’s information. You’ll cut 90% of the r&d effort instantly (I’m sorta just guessing nation states only make up 10% of the activity - it’s a large community, not talking about dollars, talking about quality output).

I don’t know how you roll that out to the rest of us to protect us, but at least it would get the businesses out of the line of fire.

  • Like 2
Link to post

I gotta admit I really don’t understand any of the details of the technical sides of this whole thing. And I’ve for the most part not said much here because of that. But this type of stuff is what scares me. I know people that prepare to survive nuclear war, EMPs, foreign invasions, zombie apocalypse, etc. I think if there is something to be worried about, it is something like this on a worse scale. Imagine power being shut off in the northeast for the month of January. Or hell, even cutting off people’s cell phones for a few weeks. Look how people freaked out over a gas shortage when there wasn’t even a gas shortage. This and seeing the grocery store shelves when COVID started. I don’t have much faith in our government handling a larger attack well.

 

@tshile tell me I’m wrong.

  • Like 1
Link to post
55 minutes ago, China said:

Perhaps to curb the panic buying they could put limits on how much you can get at one fill up.

 

Should have been implemented by mandate Friday at every gas station in the affected area. Gas only in vehicle tanks and five gallon jerry cans until normal supply has been restored.

Link to post
3 minutes ago, tshile said:

So we had an internet and the savvy among the tech world created a dark web based on anonymity which has furthered a ton of illegal activity which knows no bounds, including child porn, child sex trafficking, and rape videos.

It’s time for some more savvy people to go the other route and create a secure web.

There is absolutely no reason a business needs “internet access”. No reason why a business can’t be locked down to an only business related web.

Majority of compromises start with phishing. Majority of the zero day vulnerabilities require access to wide open internet to even have a chance of being exploited.

Put your public facing website on the regular internet on a server. Let customers interact with that.

But Debbie in accounting doesn’t need access to the damn internet. They need access to banks and vendors.

These phishing links shouldn’t resolve. They shouldn’t load. You shouldn’t be able to accidentally get there.

And while you can say that sucks and sounds awful for the day to day work, hey - we’ve tried a lot of things and the one big constant that keeps ruining it is you. You ****ed it up.

Won’t solve state actors and won’t solve 100% of it but it’ll drastically reduce an incredibly large group of people constantly looking for, finding, selling and using vulnerabilities and access to people’s information. You’ll cut 90% of the r&d effort instantly (I’m sorta just guessing nation states only make up 10% of the activity - it’s a large community, not talking about dollars, talking about quality output).

I don’t know how you roll that out to the rest of us to protect us, but at least it would get the businesses out of the line of fire.

 

CURE CAN'T BE WORSE THAN THE DISEASE!!!!!  YOU ARE INFRINGING ON MY IMAGINARY CONSTITUTIONAL RIGHT TO WASTE TIME ON MY EMPLOYER'S DIME!!!!!

  • Haha 1
Link to post
Posted (edited)

As for the rest of us. Just think about this. I believe 500 supposedly verified credit card numbers run about $50 on the dark web.

Now think about what having your credit card compromised costs you. If you’re lucky it costs you a hassle of canceling a card, identifying a handful of fraudulent transactions, and switching out your autopays.

If you’re unlucky you find yourself sitting at your table with 6 months of statements spread out, circles and highlighting everywhere, when you finally realize somehow over the course of the last 6 months someone has stolen 15k from you.

And your info cost $0.10.

A ****ing dogecoin costs more than that.

Edited by tshile
Link to post
7 minutes ago, tshile said:

So we had an internet and the savvy among the tech world created a dark web based on anonymity which has furthered a ton of illegal activity which knows no bounds, including child porn, child sex trafficking, and rape videos.

It’s time for some more savvy people to go the other route and create a secure web.

There is absolutely no reason a business needs “internet access”. No reason why a business can’t be locked down to an only business related web.

Majority of compromises start with phishing. Majority of the zero day vulnerabilities require access to wide open internet to even have a chance of being exploited.

Put your public facing website on the regular internet on a server. Let customers interact with that.

But Debbie in accounting doesn’t need access to the damn internet. They need access to banks and vendors.

These phishing links shouldn’t resolve. They shouldn’t load. You shouldn’t be able to accidentally get there.

And while you can say that sucks and sounds awful for the day to day work, hey - we’ve tried a lot of things and the one big constant that keeps ruining it is you. You ****ed it up.

Won’t solve state actors and won’t solve 100% of it but it’ll drastically reduce an incredibly large group of people constantly looking for, finding, selling and using vulnerabilities and access to people’s information. You’ll cut 90% of the r&d effort instantly (I’m sorta just guessing nation states only make up 10% of the activity - it’s a large community, not talking about dollars, talking about quality output).

I don’t know how you roll that out to the rest of us to protect us, but at least it would get the businesses out of the line of fire.

But I need the link to those free ringtones!!! Also I need to find out what my birthdate says about my personality on Facebook.  

  • Haha 1
Link to post

Also because that last post caused this thought:

If you’re super unlucky you’re sitting at a table in your lawyer’s office having their IT consultant explain to you that the 350k you wired as a down payment on your retirement home didn’t go to the correct account, and is gone.

No **** - I’ve had that conversation.

It’s heartbreaking.

Link to post
Posted (edited)
5 minutes ago, tshile said:

As for the rest of us. Just think about this. I believe 500 supposedly verified credit card numbers run about $50 on the dark web.

Now think about what having your credit card compromised costs you. If you’re lucky it costs you a hassle of canceling a card, identifying a handful of fraudulent transactions, and switching out your autopays.

If you’re unlucky you find yourself sitting at your table with 6 months of statements spread out, circles and highlighting everywhere, when you finally realize somehow over the course of the last 6 months someone has stolen 15k from you.

And your info cost $0.10.

A ****ing dogecoin costs more than that.

I use one card online. Have that sucker text me a notification for any charge. Caught one the other day. InstaCart from California. Locked my card, called the company and all is good. Can’t imagine not getting notifications of purchases.

Edited by HOF44
  • Like 1
Link to post

I’m just happy I filled my wife’s truck up on Mother’s Day so, thanks to Covid, we should be good for a month. 
 

Also happy that gas hoarders were paying $10/gallon to fill up their truck pools and Piggly Wiggly bags. 

  • Like 1
Link to post
15 minutes ago, TheGreatBuzz said:

 

 

@tshile tell me I’m wrong

Well it was what, 2 weeks ago they caught someone that had broken into a municipal water facility and tried to poison the water supply by changing the chemical mixture. They were in the system, they were doing it, and they got stopped.

I’ve been exposed to utilities and manufacturing enough to understand the hurdles and the threat. I also dabble in healthcare (what if someone just shut life saving equipment off in a whole hospital) to know it’s an issue.

But it would be absurd for me to speculate on how bad the overall situation is. I think anyone commenting on that, without direct personal experience, is saying something they don’t actually know.

You know how we want to inspect the Iranian nuclear stuff?

That’s how we should be inspecting our critical infrastructure. Small groups of experts looking at everything and holding people accountable.

But about 2 weeks ago someone got caught trying to poison a water supply.

So no, you are not wrong.

Link to post

So am I correct in thinking that based on information available the gasoline situation down there is based more on people's irrational paranoia than anything else?  Sort of similar to the toilet paper hoarding during the first couple months of the pandemic?

Link to post

Oh also the people proposing political/legal maneuvering 

 

you’re gonna have to figure out how to come square on the fact that we’re ****ing with everyone else’s **** too

13 minutes ago, HOF44 said:

I use one card online. Have that sucker text me a notification for any charge. Caught one the other day. InstaCart from California. Locked my card, called the company and all is good. Can’t imagine not getting notifications of purchases.

And that may be why the going rate is so cheap for that information now

 

But SSNs are cheap too. 

  • Like 1
Link to post

I mean most compromises involve a c&c. Why is your device even allowed to connect to an IP address outside the country unless you directly interact with a vendor outside the country?

Why is your isp-provided business internet with a static ip allowed to even route to/from another country if you check a box that says we don’t do business outside the country?

Screw it, I’m proposing in the next meeting we survey clients on blocking those if they don’t do business outside the country. Just try it. Let’s see if it actually causes a problem. And if it doesn’t then you just blocked 99% of compromises from being possible.

Wonder who would consider that.

Link to post
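
Added example, not part of any post in this thread: a dry run of the two ideas tshile raises above (a business-only domain allowlist, and blocking destinations outside the country unless a vendor is there) over a constructed proxy log, to see what enforcement would block before turning it on. The domain names, country codes, address-to-country table and log format are all assumptions made up for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a GeoIP feed: documentation ranges, made-up country codes.
GEO = [(ipaddress.ip_network("192.0.2.0/24"), "US"),
       (ipaddress.ip_network("198.51.100.0/24"), "XA"),
       (ipaddress.ip_network("203.0.113.0/24"), "XB")]

ALLOWED_COUNTRIES = {"US"}                            # "we don't do business abroad"
ALLOWED_DOMAINS = {"bank.example", "vendor.example"}  # the business-only web
VENDOR_EXCEPTIONS = {"XB": {"vendor.example"}}        # a vendor dealt with directly

def domain_allowed(host, allowed=ALLOWED_DOMAINS):
    """Match on whole DNS labels so look-alike names do not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO if addr in net), None)  # None = unknown

def decide(host, ip):
    """Return (verdict, reason) for one outbound connection, default deny."""
    if not domain_allowed(host):
        return "block", "domain-not-allowlisted"
    cc = country_of(ip)
    if cc in ALLOWED_COUNTRIES:
        return "allow", "ok"
    if any(domain_allowed(host, {d}) for d in VENDOR_EXCEPTIONS.get(cc, ())):
        return "allow", "vendor-exception"
    return "block", "country-not-allowed"

def dry_run(log_lines):
    """Tally what enforcement would have blocked, without blocking anything."""
    blocked = Counter()
    for line in log_lines:
        _ts, _src, host, ip = line.split()
        verdict, reason = decide(host, ip)
        if verdict == "block":
            blocked[(host, reason)] += 1
    return blocked

# Constructed proxy log: timestamp, client, requested host, resolved address.
SAMPLE_LOG = """\
2021-05-11T09:00:01 10.0.0.21 online.bank.example 192.0.2.10
2021-05-11T09:00:07 10.0.0.21 bank.example.login-check.test 198.51.100.7
2021-05-11T09:01:12 10.0.0.34 portal.vendor.example 203.0.113.5
2021-05-11T09:02:40 10.0.0.34 notbank.example 192.0.2.99
2021-05-11T09:03:02 10.0.0.21 online.bank.example 198.51.100.80
""".splitlines()

if __name__ == "__main__":
    for (host, reason), n in dry_run(SAMPLE_LOG).items():
        print(f"would block {n}x {host}: {reason}")
```

The last log line is the case the survey would surface: an allowlisted name that resolves outside the allowed country, which the country rule blocks even though the domain rule passes it.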
Posted (edited)

So while we are on this, is using Apple Pay a more secure alternative? Or just as bad? Also I’ve been using an app with my credit card companies that generates one time use virtual cards for websites. Very easy and seems more secure.

Edited by HOF44
Link to post
2 minutes ago, HOF44 said:

So while we are on this, is using Apple Pay a more secure alternative? Or just as bad? Also I’ve been using an app with my credit card companies that generates one time use virtual cards for websites. Very easy and seems more secure.

No idea. 

 

I know it’s quicker 😂 

Link to post

Also if you shut down other countries, you’ll force the criminals that want to do it to acquire resources inside the US and those will be infinitely easier to deal with. Majority of the problem is overseas. Pretty much all of it has roots overseas. 

Link to post

My solution would be to find the individuals responsible, drone-strike them, then tell the countries harboring them to suck our nuclear warhead tipped dicks.  There is a reason I'm not president.

  • Haha 6
Link to post

This whole cyber security issue is such a source of frustration, partially because I know so little about the issue. I'm a guy who thinks our justice system is far too punitive and that punishments tend to be excessive. But when it comes to cyber criminals, my lizard brain kicks in and starts telling me we need to get medieval on them. I gotta admit, I judge myself for thoughts that go through my mind, such as "I wonder if these guys would still be hackers if they did not have any fingers?"

 

On a side note, there is a guy who has a YouTube channel where he records himself screwing over people trying to hack him.  He calls the fake tech support numbers that hackers use to get people to give them control of their computer to "fix" a malware issue.  But the access goes both ways, and while the scumbags are trying to hack a virtual simulation of what they think is his computer, he takes over their actual computer.  He will brick their computers, or mess with them by taking a picture of them using the hacker's computer camera and show them that he knows exactly who they are.  The look of panic when they realize what is happening is priceless.

Link to post
2 hours ago, tshile said:

Preface: without reading all 34 pages it’s probably a bit unfair to comment

but

 

this reads like more bs assessments I have to fill out

 

and don’t get me wrong there’s an advantage in the fact that it can force a company to implement something they otherwise wouldn’t, but in the big picture of stopping targeted attacks on critical infrastructure... *yawn*
 

yeah they stop bull****, drive by, random attacks. 
 

state-sponsored or major, targeted attacks by capable entities?


meh. 

 

Ya, they were saying in the article I posted that it's been in the draft form since the SolarWinds attack, but simultaneously outside the article I believe that they do promise to hurt Russia with more sanctions and try to squeeze them to the negotiating table like Iran. Can you do that with China? I'm open to it.

What else is in the Article is getting CISA more involved, including making information sharing easier. Private sector shouldn't be scared to talk to itself in regards to sharing intelligence on APTs, every month we get a new presentation on the one coming after our agency.

Information sharing is one of the things that came out of the 9/11 commission, yes, I believe a cyber 9/11 is possible. Russia did that to Ukraine ahead of attacking them, came after the power grid there. There's a reason only the President can authorize the usage of a cyberweapon like Stuxnet, when Obama came after North Korea, they could've interpreted that as an act of war if they wanted to.

 

https://www.washingtonpost.com/business/economy/north-korean-web-goes-dark-days-after-obama-pledges-response-to-sony-hack/2014/12/22/b76fa0a0-8a1d-11e4-9e8d-0c687bc18da4_story.html

 

  • Like 1
Link to post
7 minutes ago, Renegade7 said:

What else is in the Article is getting CISA more involved, including making information sharing easier.  Private sector shouldn't be scared to talk to itself in regards to sharing intelligence on APTs, every month we get a new presentation on the one coming after our agency. 

Yeah there’s an org that consists of a portion of the top security companies sharing the intelligence and making an incredibly large black list. The damn name escapes me even though I have a cert on it (whoops) 

 

But it’s nuts to watch in action when you’re working with malicious information and you report it to one and it hits immediately and like 5 minutes later the others got it. I’ve got like 3 products tied to it all and I get to check things regularly and see it in action.
 

yeah. That’s going to be a key factor. 
 

I mean you can already get on three letter agency mailing lists of things. 
 

I’d like to see more direction to businesses. I hate the idea that a tax incentive is the way to do it but idk what else is feasible 

Link to post
