
Thread: Baltimore City Government Computers Taken Over by Ransomware Hackers

  1. #51 barbos
    Quote Originally Posted by Gun Nut View Post
    Great.. good idea... let's walk through it.
    What do you mean "utilizes the actual name"? Like the 3:00AM girl scout cookies at your door with the ski mask? They use the ACTUAL NAME... Girl Scouts. That's authentic. Girl Scouts are REAL. This would be called a Spear Phishing attempt. It's phishing, but highly targeted to the recipient (using an employee's name they pulled off of a Google search.. and then read their blog about the conference they attended... and then mention the conference in the email.)
    That email simply directs the recipient to click on a link
    Is that how your company manages HR communications.... "here - click this link", with no context whatsoever? No introduction as to what to expect. No proprietary information or context that is even vaguely familiar.. no branding... no reference to a memo or a project... nothing... just a link, ey? Well that company is training employees to just blindly click shit, then... and they are creating / reinforcing idiot activity.
    , clicking on that link launches an attack.
    That would be the company failing to patch a vulnerability, or it's a zero day (previously unknown vulnerability). This is rare (like once a decade rare) and in neither case would be the employee's fault beyond having clicked the link in the first place. More commonly, the link presents a form that is asking for a password, and that is all they want. If your company has horrible Identity and Access management where the employee has to remember 10 passwords that they have to enter all over different places all day, then, again, the company is creating idiot users. If decent, simple SSO is set up, like Active Directory affords, then users should see the form and just laugh at it (actually, they should never see the form because the phishing attack should (almost) never be successful).
    Is that a phishing attack, or one of those problems that you claim was solved long ago? If it is not a phishing attack, what is the solution to it, given that it was solved long ago? If it is phishing, how is it any less problematic than the problem that was solved long ago?
    The "attack" is in two parts... the delivery mechanism, and the payload. The payload should never have a chance to deploy. And no... nothing was "fixed" a long time ago.
    Maybe he is thinking of the Java sandbox that never fixed anything, but instead gave some people a false sense of security. Java is so insecure that after years and years of patching, it has simply been abandoned. The concept of a sandbox is good... but when you can only play in the sandbox, you only get sand. Not good for an enterprise with complex integrations and collaboration tools that are needed to conduct business.

    If you do one single thing to protect yourself and your company... just one simple thing... then that thing should be to check the incoming email address of every single unsolicited email you receive. Just look at it. NOT the name. The address. Especially the part just to the left of the last dot...

    APerson@google.hackersparadise.com <- this email came from "hackersparadise.com". They had their own private subdomain on their own network that they named google. It DID NOT come from google.com

    I sound like "do this one thing every day to..."

    but do that.
    OK, the verdict is official: you are the worthless security "expert" I was talking about. You understand absolutely nothing.
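    As an added illustration of the "look at the address, not the name" check in the quoted post (example code written for this page, not code from anyone in the thread): it pulls the registrable domain out of a From header and flags the case where a trusted brand appears only as a subdomain label or in the display name. The sample headers, the trusted-domain list and the tiny public-suffix stand-in are all constructed.

```python
from email.utils import parseaddr

# Constructed sample From headers (not taken from the thread). The first one is
# the lookalike pattern the post describes: "google" is only a subdomain label.
SAMPLE_FROM_HEADERS = [
    'Google Security <APerson@google.hackersparadise.com>',
    'Google Security <APerson@google.com>',
    'HR Department <hr@mail.example-corp.com>',
    'HR Department <hr@example.co.uk>',
]

# Domains a hypothetical organization expects mail from (constructed).
TRUSTED_DOMAINS = {'google.com', 'example-corp.com'}

# Minimal stand-in for the Public Suffix List (only a few two-label suffixes).
# A production check should use the full list, e.g. via the publicsuffix2 package.
TWO_LABEL_SUFFIXES = {'co.uk', 'com.au', 'co.jp'}

def registrable_domain(header):
    """Return the part 'just to the left of the last dot' plus its suffix, or None."""
    _, addr = parseaddr(header)
    if '@' not in addr:
        return None
    host = addr.rsplit('@', 1)[1].lower().rstrip('.')
    labels = host.split('.')
    if len(labels) < 2:
        return host
    if '.'.join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return '.'.join(labels[-3:])
    return '.'.join(labels[-2:])

def check_sender(header, trusted=TRUSTED_DOMAINS):
    """Classify a From header as 'trusted', 'lookalike', 'untrusted' or 'malformed'."""
    name, addr = parseaddr(header)
    domain = registrable_domain(header)
    if domain is None:
        return 'malformed'
    if domain in trusted:
        return 'trusted'
    host = addr.rsplit('@', 1)[1].lower()
    # The trusted brand shows up as a subdomain label or in the display name,
    # but the registrable domain belongs to someone else: the case in the post.
    for t in trusted:
        brand = t.split('.')[0]
        if brand in host.split('.')[:-2] or brand in name.lower():
            return 'lookalike'
    return 'untrusted'

if __name__ == '__main__':
    for h in SAMPLE_FROM_HEADERS:
        print(f'{check_sender(h):10s} {registrable_domain(h):22s} {h}')
```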

  2. #52 KeepTalking
    Quote Originally Posted by barbos View Post
    Quote Originally Posted by KeepTalking View Post
    Quote Originally Posted by barbos View Post
    I know that, it's just I think that your average 100k security people are a useless waste of money.

    must be demented ones according to Nut

    No, not the only thing. There are a number of things on the service side which can be done but are not being done.
    and hope that we all collectively learn from it. In the 4 years I have been here, we have had at least one legitimate intrusion that I am aware of that came about from a phishing attack. We do a lot of web development, and simply firewalling every unknown URL is not a practical solution for everyone. We do have different levels of access to the internet, and developer access is much more open than the access granted to other users, though there are still some restrictions. I have worked in shops where developer access is entirely unrestricted. No, getting caught up in a phishing scam is not a crime, but you do bear responsibility, and I have seen people fired over it. That intrusion I mentioned above got one of my teammates fired, but I believe there was more to his firing than just that. We never got the full scoop from management, but his laptop was quarantined and we were unable to retrieve his uncommitted code, not that it was any big loss.
    Anyway, I was really talking about executing unknown code from the internet (ransomware and viruses, a problem which was solved a long time ago), not phishing.
    Okay... so, how about this scenario:
    An IT professional receives an email purporting to be from their HR department, and it is a pretty damn good one with no misspellings and it utilizes the actual name and title of a known person in HR. That email simply directs the recipient to click on a link, clicking on that link launches an attack. Is that a phishing attack, or one of those problems that you claim was solved long ago?
    It's a problem which was solved a long time ago by sandboxing unknown code. In fact all code can and should be sandboxed, and I understand Android and iOS use it to some extent.
    If it is not a phishing attack, what is the solution to it, given that it was solved long ago? If it is phishing, how is it any less problematic than the problem that was solved long ago?
    You can read the wiki on phishing, they have a few solutions, one with forcing the user to select an image from a set seems pretty bulletproof.
    And I just spent 5 minutes and devised another solution where you simply forbid sending passwords over the Web and use hashes instead, and hash them with something which would be hard for an attacker to spoof, for example the IP, and of course hash it with a random message from the server, so that even if the attacker manages to spoof the IP (I don't see how it can be done, especially if the user uses a direct connection) he would have to do everything in real time, in other words no ability to store credentials for later use.

    Then the browser can hash the credentials it is about to send and compare it to a database of sites it was sent to before and insist on the user using the bookmarked address instead. And of course refuse to send hashes/passwords to sites which are not "secure".

    Oh wait, it all depends on the user being able to distinguish between an ordinary input field and an input field for a password, and we know already we can't be sure of that at all.
    OK, how about hashing all input fields and checking against the database. That way the browser can detect that a plain password is about to be sent somewhere and refuse to do so.
    My scenario was meant to illustrate the disconnect in your statement:
    Anyway, I was really talking about executing unknown code from the internet (ransomware and viruses, a problem which was solved a long time ago), not phishing.
    The attack in question used both phishing and delivery of malicious code. I am not sure why you brought up passwords with regard to the phishing portion of the scenario, as neither the phishing portion, nor the malware portion of the attack utilized a password. As far as your "sandboxing of unknown code" goes, that is pure horseshit. How are you going to "sandbox unknown code" when your users are web developers who are actively writing "unknown code" all day long? Sure, we use sandbox environments when necessary, but with modern web development you are pushing code to production multiple times a day, how is IT security going to determine which piece of previously unknown code is malicious, and which piece is something that is being actively and legitimately developed within the organization?

    Note that I don't actually have the answers, I am not in IT security, I am a developer, and I don't pretend to be an expert on how someone like Gun Nut does their job. I do know how to detect and avoid most phishing attempts, but I also see developers around me failing to do just that. I also know that there is no way in hell I would let you inform me or my organization in any way on how IT security should be handled.

  3. #53 KeepTalking
    Quote Originally Posted by Gun Nut View Post
    Great.. good idea... let's walk through it.
    What do you mean "utilizes the actual name"? Like the 3:00AM girl scout cookies at your door with the ski mask? They use the ACTUAL NAME... Girl Scouts. That's authentic. Girl Scouts are REAL. This would be called a Spear Phishing attempt. It's phishing, but highly targeted to the recipient (using an employee's name they pulled off of a Google search.. and then read their blog about the conference they attended... and then mention the conference in the email.)
    That email simply directs the recipient to click on a link
    Is that how your company manages HR communications.... "here - click this link", with no context whatsoever? No introduction as to what to expect. No proprietary information or context that is even vaguely familiar.. no branding... no reference to a memo or a project... nothing... just a link, ey? Well that company is training employees to just blindly click shit, then... and they are creating / reinforcing idiot activity.
    , clicking on that link launches an attack.
    Sorry, this was meant to be a simple illustration of the blurred lines between a phishing attack and a malware attack. No, my company does not send out communications like that, but in one of the security tests they performed last year, they did something very similar to the above. They used an email that impersonated our HR manager, which directed the recipient to click a link; it was a bit more than just a link in the email. If I recall correctly the email actually stated that there was a change to insurance benefits, and to click the link to see the new information. The clue to me that it was a phishing email came from examining the link, which threw up red flags for me, but I don't remember exactly why. Several developers did click the link, however, so if it had been an actual attack they would have been responsible for damage caused.

  4. #54 barbos
    If it does not involve the victim entering credentials into a fake website or something, or it relies on something other than phishing, then it is not phishing. In other words phishing is pure phishing.

    Here is a definition:
    Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
    In your case it's superficially phishing, in reality it's just how malware propagates most of the time.
    And as I said it was solved a long time ago. You can safely click on everything in theory, the fact that Microsoft does not want to implement it is a different matter.

  5. #55 KeepTalking
    Quote Originally Posted by barbos View Post
    If it does not involve the victim entering credentials into a fake website or something, or it relies on something other than phishing, then it is not phishing. In other words phishing is pure phishing.

    Here is a definition:
    Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
    In your case it's superficially phishing, in reality it's just how malware propagates most of the time.
    Malware can do a variety of things, including things that will allow hackers to obtain sensitive information in the compromised system, or in the case of Baltimore, attempt to extort money. The initial email in the provided scenario is an example of "disguising oneself as a trustworthy entity in an electronic communication". It is not just superficially phishing, it meets the exact definition of phishing.

    Quote Originally Posted by barbos View Post
    And as I said it was solved a long time ago. You can safely click on everything in theory, the fact that Microsoft does not want to implement it is a different matter.
    You were wrong when you said it before, you are still wrong. Microsoft has very little to do with our IT shop, I don't think there is a developer here who is not using a Mac.

  6. #56 barbos
    Quote Originally Posted by KeepTalking View Post
    Malware can do a variety of things, including things that will allow hackers to obtain sensitive information in the compromised system, or in the case of Baltimore, attempt to extort money. The initial email in the provided scenario is an example of "disguising oneself as a trustworthy entity in an electronic communication". It is not just superficially phishing, it meets the exact definition of phishing.
    OK, let's say I agree (I don't), how is that relevant to anything?

    Quote Originally Posted by barbos View Post
    And as I said it was solved a long time ago. You can safely click on everything in theory, the fact that Microsoft does not want to implement it is a different matter.
    You were wrong when you said it before, you are still wrong. Microsoft has very little to do with our IT shop, I don't think there is a developer here who is not using a Mac.
    I am not wrong. You can't get malware from clicking some link on a Linux system. Not that Linux has specifically dealt with that specific problem.
    It's just that the idea that one can simply execute .exe files from some link never came about in Linux for some reason.
    Now Linux has digital signatures and AppArmor.
