# Can Blackhat Hackers Be Stopped



## bobmc (May 21, 2021)

Stories about ransomware and malware corruption seem to be on the increase.  They attack those who can least afford to restore from backup such as the Colonial Pipeline and hospitals.  Colonial paid 4.4 million.

There is a story in Wired about a theft of RSA SecurID seeds from an air-gapped server. This event was blocked by non-disclosure for ten years... now we know.

People continue to be sloppy with passwords. For example, "SolarWinds123".  I am surprised that IT does not enforce some software discipline.

People issues aside, I am wondering what sort of server software these malware victims are using. Windows, Linux, BSD, other...


----------



## ralphbsz (May 22, 2021)

bobmc said:


> Stories about ransomware and malware corruption seem to be on the increase.


Are they really increasing? Or are you noticing them more? I would rather say that major attacks are declining, and are more and more focusing on companies that try to do their own IT.



> They attack those who can least afford to restore from backup such as the Colonial Pipeline and hospitals.  Colonial paid 4.4 million.


Which proves that Colonial was (a) incompetent since their system had enough holes to let the hackers in, and (b) incompetent because they didn't have a plan for what to do when their systems become inoperable. And that the government should supervise infrastructure that is of national importance (such as fuel pipelines), since the companies are not competent enough.



> There is a story in Wired about a theft of RSA SecurID seeds from an air-gapped server. This event was blocked by non-disclosure for ten years... now we know.


We have known for the last "many" years that SecurID tokens had been cracked. I remember when suddenly they were all replaced or swept away by other technology. Furthermore, we have known since the "clipper chip" wars and the Ed Snowden disclosure that RSA (the company) was bought off by at least the US government, when they caved in to the clipper chip. And perhaps by others too. I haven't seen a SecurID in many years, nor any other RSA product in use.

EDIT: There were many stories published about that in 2011; it is possible that the full details have just become available, but "The Register" was full of this in 2011.



> People continue to be sloppy with passwords. For example, "SolarWinds123".  I am surprised that IT does not enforce some software discipline.


Yes, like the famous scene in Spaceballs: "12345 ... that's the same password as my luggage". No, in major companies IT first enforces reasonable passwords (no more 12345 or Password or new laptops shipping with password = New4You). And I think in the last ~10 or 15 years, I have not been able to log into my employer's systems with just a password. It takes some form of 2FA, for example a trusted laptop (serial number recorded and checked, corporate supplied) first setting up a VPN with one password, then a login with a second password. Or hardware two-factor authentication, such as fingerprint readers. For example, at one employer people were given the advice to please configure their computer with fingerprints from both hands, so if they have a minor kitchen accident and have to have band-aids on the fingertip, they can still log in.



> People issues aside, I am wondering what sort of server software these malware victims are using. Windows, Linux, BSD, other...


Statistically speaking, it is 99% likely that the OS on the servers is Linux, although Windows is still used some in industrial SCADA systems. But the OS itself doesn't matter much; security is about much more than the one OS.


----------



## datasmurf (May 22, 2021)

ralphbsz said:


> And that the government should supervise infrastructure that is of national importance (such as fuel pipelines), since the companies are not competent enough.



The company halted operations because its billing system was compromised, three people briefed on the matter told CNN, and they were concerned they wouldn't be able to figure out how much to bill customers for fuel they received.


----------



## gpw928 (May 22, 2021)

Regardless of the method used by the blackhats, it's clear that Colonial Pipeline had manifestly insufficient defences in place.

I once sat in the office of the CIO of a multi-billion dollar organisation and asked how he intended to bootstrap the recovery if every Windows machine was hit with something similar to the Anna Kournikova worm.

The proposal to force the Unix admins to use Windows on their desktops was abandoned.  They got to keep Unix (the version of their choice), and connect to the Citrix servers when compliance with corporate standards demanded (calendar, email, ...).

Defence of the dark arts comes in many forms.  Technical and social.


----------



## a6h (May 22, 2021)

bobmc


> Can Blackhat Hackers Be Stopped


I hope not.
Not exclusively, but to some extent, they're the force behind technological advancement. Similar to wars. Somebody should write _Worm.Win32.Blaster/2004_ to show `billy gates why do you make this possible ? Stop making money and fix your software!!` otherwise we would have been XP-users forever. Besides, _society without crime!_ ... Possible? No. Utopia is impossible. That's real life.


----------



## ralphbsz (May 22, 2021)

datasmurf said:


> The company halted operations because its billing system was compromised, three people briefed on the matter told CNN, and they were concerned they wouldn't be able to figure out how much to bill customers for fuel they received.


That's SAD. Getting hacked: bad, shows they're dumb. Then shutting down (and causing great inconvenience to many people, and significant damage to the economy) over a billing problem: Inexcusable.

Oh well.


----------



## Deleted member 30996 (May 22, 2021)

bobmc said:


> Stories about ransomware and malware corruption seem to be on the increase.  They attack those who can least afford to restore from backup such as the Colonial Pipeline and hospitals.


I don't remember reading about FreeBSD being vulnerable to ransomware and my main concern is rootkits. I trained my clicking finger not to a long time ago and only install programs from the ports tree.



bobmc said:


> People continue to be sloppy with passwords. For example, "SolarWinds123".  I am surprised that IT does not enforce some software discipline.


That's called "Learning the Hard Way".



bobmc said:


> I am wondering what sort of server software these malware victims are using. Windows, Linux, BSD, other...


See above.


----------



## Crivens (May 22, 2021)

Saturday Morning Breakfast Cereal - Real Life (www.smbc-comics.com)




So, no.

And whoever did this pipeline thing - word goes he/she/it has annoyed the wrong kind of people. The kind with a high level of options and a low level of accountability.


----------



## kpedersen (May 22, 2021)

Crivens said:


> So, no.


Hah, I had a call from the County Password Inspector this morning. Nice chap, he was very understanding as I read out my passwords to him. He even gave me his email address to send a copy of my more complex passwords, in case he wrote them down wrong. Which of course I sent immediately after the call.

I wish all public services were as courteous and patient as the CPI. I am also impressed they are such hard workers as to work on weekends.


----------



## PacketMan (May 22, 2021)

"_Can Blackhat Hackers Be Stopped_"

A long time ago a smart man wearing a white hat said "Look what I have made, it is a lock, and you need the key to open it, without the key you cannot open it". One of the listeners was another smart man, but was wearing a black hat. He said to himself "hmmmm, if I can copy that key, or make a tool to emulate that key I can unlock that lock." And so he did. The white hat man was determined not to be defeated so he made his lock even better. The black hat man was determined not to be defeated so he adapted too. A couple hundred years later... the same old story continues.


----------



## SirDice (May 22, 2021)

bobmc said:


> Stories about ransomware and malware corruption seem to be on the increase. They attack those who can least afford to restore from backup such as the Colonial Pipeline and hospitals. Colonial paid 4.4 million.


These are typically not done through remote "hacks" but by sending a large number of emails (targeted at individuals at those companies). These emails have attachments with fake invoices, fake resumes, or something similar. The PDF or Word document exploits a bug and the emails just try to entice anyone to open them. Bad filtering on incoming email, bad practices and old or unpatched software, and some really bad awareness of the people that open these emails does the rest.


----------



## Tieks (May 22, 2021)

ralphbsz said:


> And that the government should supervise...


Remember BaFin and Wirecard, I'm afraid that's not going to work either. As Ronald Reagan once put it: "One way to make sure crime doesn't pay would be to let the government run it."
Read a story about a FreeBSD-based NAS where most files were encrypted. It happened the way SirDice just pointed out.


----------



## Crivens (May 22, 2021)

kpedersen And given the state of deep fakes, you shouldn't even trust your CEO on a video call.


----------



## kpedersen (May 22, 2021)

Crivens said:


> kpedersen And given the state of deep fakes, you shouldn't even trust your CEO on a video call.


Yep. Or in person... 

Actually, we did have a phishing attack semi-recently. The amusing thing is that the emails all came within working hours. Whereas pretty much everyone knew that our CEO works mainly at 1am and sends all emails around then. The impersonator didn't factor that in!


----------



## Deleted member 30996 (May 22, 2021)

I saw a tutorial on how to set up a fake phishing site 2 days ago.


----------



## PMc (May 22, 2021)

SirDice said:


> These are typically not done through remote "hacks" but by sending a large number of emails (targeted at individuals at those companies). These emails have attachments with fake invoices, fake resumes, or something similar. The PDF or Word document exploits a bug and the emails just try to entice anyone to open them.


So that's the purpose of these. I get lots of them, they usually contain a pdf or zip which actually contains an exe. I was never able to get any of these to run on the Berkeley. Professional businesses seem to run on a very different skill level.


----------



## Crivens (May 22, 2021)

PMc said:


> So that's the purpose of these. I get lots of them, they usually contain a pdf or zip which actually contains an exe. I was never able to get any of these to run on the Berkeley. Professional businesses seem to run on a very different skill level.


See? Shame on you. Even the most stupid CEO can get them running in a matter of seconds. Shame! *bing* Shame!


----------



## Deleted member 67440 (May 22, 2021)

Speaking of BSD, I would say that all ransomware attacks can be resolved in a period of between an hour and a day, in the latter case by purchasing new hardware (disaster recovery == really start from scratch).
No particular investment is required, or even expertise.

You can easily spend a million euros on advertising, but not 10,000 on safety.

However, I must say that the average level of systems engineers (including multinationals) is minimal, really disheartening.

How many do an actual simulation of restoring an entire infrastructure from scratch?
I do it in all WEs.
And I certainly don't have the resources of a large company.


----------



## Jose (May 22, 2021)

Crivens said:


> And whoever did this pipeline thing - word goes he/she/it has annoyed the wrong kind of people. The kind with a high level of options and a low level of accountability.


Well, the cybercriminals behind this crack have shut down, allegedly:
DarkSide, Blamed for Gas Pipeline Attack, Says It Is Shutting Down (Published 2021) - www.nytimes.com

The hacking group, which the F.B.I. has said was responsible for the ransomware attack, said it had received “pressure” from the U.S.




The US Government claims they didn't shut them down:

https://www.washingtonpost.com/business/2021/05/19/darkside-hack-colonial-cyber-command/


It's possible that they just disbanded to lay low for a while, and will re-emerge once things have cooled down. It's possible the US Gov't did shut them down, but they don't want to disclose if or how to keep their methods secret. It's a cloak-and-dagger world.


----------



## Jose (May 22, 2021)

Tieks said:


> Remember BaFin and Wirecard, I'm afraid that's not going to work either. As Ronald Reagan once put it: "One way to make sure crime doesn't pay would be to let the government run it."
> Read a story about a FreeBSD-based NAS where most files were encrypted. It happened the way SirDice just pointed out.


Who would trust the government after Snowden and Crypto AG? Not me.

Edit: The Maersk hack was based on leaked NSA tools, too. Yeah, no thanks.
Ransomware: The key lesson Maersk learned from battling the NotPetya attack - www.zdnet.com

Protection is important - but it's equally as important to ensure your recovery process is strong, says head of cybersecurity compliance at the shipping giant.


----------



## bobmc (May 23, 2021)

The previous place I worked had about 150 Windows workstations and laptops. Everybody had a USB key in order to sign in on any machine. Nothing interesting happened to the network.

I use a Yubico key for my email accounts at home. I rarely use Windows. Linux and BSD are my preference.


----------



## bobmc (May 23, 2021)

ralphbsz said:


> But the OS itself doesn't matter much; security is about much more than the one OS


I agree. There is an effort to produce a microkernel-based OS with a Rust language user layer. I hope they succeed because Rust is designed to resist hacking and programmer mistakes. It is a compiled language. The book is 500 pages which is much better than the 1500 page Python book. There are 2 main Pythons and Guido wants to double performance. I think that would tend to reduce security.


----------



## bobmc (May 23, 2021)

Redox - Your Next(Gen) OS - The Redox official website (www.redox-os.org)


----------

