ransomware – Techdirt

Judge Grants City Restraining Order Blocking Researcher From Accessing Ransomed Gov’t Files

from the stop-doing-things-anyone-can-do! dept

Having completely shit the bed in its handling of a recent ransomware attack, the city of Columbus, Ohio has decided the person who must be silenced — and, hopefully, punished — should be the person who informed city workers and residents their PII was available on the dark web.

The messenger hasn’t been shot quite yet, but it’s almost an inevitability at this point, as Bill Bush reports for the Columbus Dispatch.

A Franklin County judge on Thursday granted the city of Columbus a temporary restraining order against a cybersecurity expert who has been telling the media about the public impact of the ransomware attack on city government.

Franklin County Common Pleas Judge Andria C. Noble approved the temporary restraining order, which bars cybersecurity expert David L. Ross Jr., who goes by “Connor Goodwolf,” “from accessing, and/or downloading, and/or disseminating” any of the files stolen from the city that were posted to the dark web.

This order makes no sense. If Ross/Goodwolf has access to these files, plenty of other people do as well. No, this is an attempt to silence someone who has repeatedly embarrassed the city by exposing its unwillingness to fully inform the multiple victims of this ransomware attack and release of the ransomed data.

And there’s a lot at stake. Not only was driver’s license and Social Security information about citizens and city employees released, but the ransomed data also included personal info about domestic violence victims and (allegedly) undercover police officers.

Goodwolf’s exposure of the extent of the breach has already resulted in two lawsuits against the city for failing to protect this information. City Attorney Zach Klein was more than happy to express his agreement with this clearly unconstitutional injunction since it gives him something else to talk about rather than the city’s botched attempt to downplay the severity of the incident.

In a series of disclosures, Ross has shown [Mayor Andrew] Ginther’s statements to be incorrect about the extent of damage done after Rhysida, a foreign cybercrime organization, hacked the city’s server farm and demanded $1.7 million or 30 bitcoins to keep the information off the dark web. The hack was discovered in July by the city, which refused to pay the ransom.

Ross’ investigation has provided many more details about the risks to city employees and the general public — and has proven more accurate — than what the city has divulged, even prompting Ginther to correct himself about the extent of the damage.

The city has decided the person informing the public about the ransomware attack is the real villain here, rather than city officials who tried and failed to keep this under wraps. This was the warning shot. There’s possibly more to come — something hinted at by the language used in the court order.

The order is in effect for 14 days, and also orders Ross not to destroy or alter any information he has downloaded, suggesting the city may try to indict him.

There’s the true extent of the city’s pettiness. It wants revenge for being exposed as a reckless caretaker of personal info, as well as for misleading the public about the extent of the data exposure. Even with all of this going on, city representatives continue to dodge direct questions about the attack — such as when it was actually first discovered. They won’t have this luxury for much longer, not when it’s the subject of at least two potential class-action lawsuits.

For the time being, the city seems satisfied with trying to silence the security researcher who was far more informative about the extent of the breach and far more responsible in terms of answering questions raised by city employees and residents.

In the end, all the city has really accomplished is the generation of more negative press and the securing of a truly absurd court order — one that the person requesting it (city attorney Zach Klein) won’t even attempt to explain.

Asked if Ross would potentially become the only person in the world prohibited from downloading the stolen city files for purposes of forensics, Klein said he didn’t want to discuss potential litigation and the ongoing criminal investigation.

Hopefully, Ross/”Goodwolf” will get this order rescinded in the near future. Once that happens, the city is going to have to actually deal honestly with the repercussions of this attack. Trying to scapegoat the person who speaks up about incidents like these is, unfortunately, the expected response when there’s an imbalance in power. But it rarely works out as well as those with power believe it will.

Filed Under: andria noble, censorship, columbus, connor goodwolf, david ross jr, franklin county, kim brown, ohio, ransomware, shooting the messenger, zach klein

The Group Claiming To Have Hacked Sony Is Using GDPR As A Weapon For Demanding Ransoms

from the unintended-consequences dept

We’ve spilled a great deal of ink discussing the GDPR and its failures and unintended consequences. The European data privacy law, which was ostensibly built to protect the data of private citizens but which was also expected to result in heavy fines for primarily American internet companies, has mostly failed to do either. While the larger American internet players have the money and resources to navigate GDPR just fine, smaller companies or innovative startups can’t. The end result has been to harm competition, harm innovation, and build a scenario rife with harmful unintended consequences. A bang-up job all around, in other words.

And now we have yet another unintended consequence: hacking groups are beginning to use the GDPR as a weapon to threaten private companies in order to get ransom money. You may have heard that a hacking group calling itself Ransomed.vc is claiming to have compromised all of Sony. We don’t yet have proof that the hack is that widespread, but hacking groups generally don’t lie about that sort of thing, since doing so ruins their “business” plan, and Ransomed.vc has also claimed that if a buyer isn’t found for Sony’s data, it will simply release that data on September 28th. So, as to what they have, I guess we’ll just have to wait and see.

The hack was reported by Cyber Security Connect, which said that a group calling itself Ransomed.vc claimed to have breached Sony’s systems and accessed an unknown quantity of data. “We have successfully compromissed [sic] all of Sony systems,” Ransomed.vc wrote on its leak sites. “We won’t ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE … WE ARE SELLING IT.”

The site said the hackers posted some “proof-of-hack data” but described it as “not particularly compelling,” and also said that the file tree for the alleged hack looks small, given the group’s claim that it had compromised “all of Sony’s systems.” A price for the hacked data isn’t posted, but Ransomed.vc did list a “post date” of September 28, which is presumably when it will release the data publicly if no buyers are found.

But what really caught my attention was the description of how this particular group was going about issuing threats to its victims in order to collect ransoms. And part of the group’s reputation is that it compromises its victims and then hunts for GDPR violations, building ransom requests that are less consequential than what the GDPR violation fines would be.

While the hackers say they’re not going to ransom the data, Ransomed.vc apparently does have a history of doing so, with a unique twist: Cybersecurity site Flashpoint said in August that Ransomed takes “a novel approach to extortion” by using the threat of the European Union’s General Data Protection Regulation (GDPR) rules to convince companies to pony up. By threatening to release data that exposes companies to potentially massive GDPR fines, the group may hope to convince them that paying a little now is better than paying a whole lot later.

“The group has disclosed ransom demands for its victims, which span from €50,000 EUR to €200,000 EUR,” Flashpoint explained. “For comparison, GDPR fines can climb into the millions and beyond—the highest ever was over €1 billion EUR. It is likely that Ransomed’s strategy is to set ransom amounts lower than the price of a fine for a data security violation, which may allow them to exploit this discrepancy in order to increase the chance of payment.”

And so because of the mess that the GDPR is, combined with its remarkable level of fines, the end result is that in some respects the EU has empowered rogue hacking groups to act as its enforcement wing for GDPR. And that both sucks and certainly isn’t what the EU had in mind when it came up with this legislative plate of spaghetti.

Frankly, this has some parallels to other unintended boondoggles we’ve seen. What is making the hacking industry such a rich endeavor? Well, in part it’s the cyber-insurance industry and its habit of paying out the bad actors because it’s cheaper than helping their customers recover from ransomware and other attacks. All of which encourages more hacking groups to compromise more people and companies. GDPR appears to now operate in the same way for bad actors.

Well-meaning or otherwise, when legislation purporting to protect private data and interests instead proves to be a weapon in the hands of the very people most interested in compromising those private data and interests, it’s time to scrap the thing and send it back to the shop to be rebuilt, or discarded.

As to what this Sony hack actually is, for that we’ll have to wait and see.

Filed Under: eu, fines, gdpr, hack, ransomware, threats
Companies: sony

Illinois Hospital First To Shut Down Completely After Ransomware Attack

from the this-seems-bad dept

Fri, Jun 16th 2023 05:29am - Karl Bode

You may have noticed that for-profit healthcare in the U.S. is already a hot mess, especially in the most already marginalized parts of the country. Giant, mismanaged health care conglomerates have long pushed their underfunded staffers to the brink, while routinely under-investing in necessary technical upgrades and improvements. It’s getting consistently worse everywhere, but in particular in rural or poor regions of the U.S.

And that was before COVID. Not too surprisingly, it doesn’t take much for this kind of fragile ecosystem to topple completely. Like St. Margaret’s Health in Spring Valley, Illinois, which this week was forced to shut down completely because it simply couldn’t recover from a 2021 ransomware attack:

A ransomware attack hit SMP Health in 2021. The attack halted the hospital’s ability to submit claims to insurers, Medicare or Medicaid for months, sending it into a financial spiral, Burt said.

Such attacks can have a chain reaction on already broken hospitals and health care systems. Health care workers are sometimes forced to resort to pen and paper for patient charts and prescriptions, increasing the risk of potentially fatal error. Delays in care can also prove fatal. And ransomware is only one of the problems that plague dated medical IT systems whose repair is being made increasingly costly and difficult by medical health care system manufacturers keen on monopolizing repair.

When hospitals like St. Margaret’s shut down, they create massive health care vacuums among the already underserved. In this case, with St. Margaret’s closed, locals have to travel at least half an hour for emergency room and obstetrics services. Which, for many, will be fatal:

Kelly Klotz, 52, a Spring Valley resident with multiple medical issues, said she was concerned the drive could lead to medical complications for her and her parents.

“I need access to good medical care at any given time,” she said. “It’s not like I can say I’ll schedule my stroke six months from now. It’s devastating to this area.”

“If you’re having a heart attack or a stroke, may the odds ever be in your favor, because you’re not going to make it there in time,” Klotz said.

Data from the University of Carolina indicates that 99 rural U.S. hospitals have shuttered since 2005. Many hospitals are hit with dozens of such attacks on dated IT infrastructure every day. St. Margaret’s is being deemed the first to be shut down over a ransomware attack (probably not true), but it’s certainly not going to be the last.

Filed Under: er, healthcare, medical, privacy, ransomware, right to repair, security

Former Uber Security Officer Won’t Go To Prison For Covering Up A 2016 Data Breach

from the not-sure-what-this-is-meant-to-deter dept

A rather strange prosecution of a former Uber executive finally comes to an end. And the first tech company executive to be convicted of criminal acts related to a data breach won’t be going to prison, as Joseph Menn reports for the Washington Post.

Former Uber chief security officer Joe Sullivan avoided prison Thursday as he was sentenced for covering up the 2016 theft of company data on 50 million Uber customers while the company was being investigated by the Federal Trade Commission over a previous breach.

Sullivan had been convicted in October of obstruction of justice and hiding a felony, making him the first corporate executive to be found guilty of crimes related to a data breach by outsiders.

To be sure, some poor decisions were made by Sullivan. But this wasn’t a case where a company carelessly exposed user data and then made moves to ensure its users never found out about it. This was extortion by cyber-criminals, an act aided by the accidental exposure of a digital key, which the extortionists used to obtain data on 600,000 drivers and 50 million passengers.

Sullivan’s team tried to satisfy the extortionists with a $10,000 payment under the company’s bounty program but the hackers insisted on a six-figure payout. Sullivan agreed to pay the amount, provided the hackers destroyed the data and never disclosed the breach. These were the acts federal prosecutors claimed amounted to obstruction of justice and hiding a felony.

According to Sullivan, this was done to ensure the data never leaked while also utilizing the back-and-forth with the extortionist to seek clues to their identity. The pair of extortionists was eventually arrested, with one of the two testifying on behalf of the prosecution(!).

With more and more companies paying ransoms to recover data/prevent data distribution, it seems extremely odd the government would go after someone who appeared to be doing what he could to protect drivers and passengers from having their personal data exposed or sold to other criminals.

And it’s not as though Sullivan had a track record of being careless with sensitive data collected by the companies he worked for. That’s the message that came through in the letters of support delivered to the court by more than 180 colleagues and security professionals.

The conviction shocked many security professionals, many of whom saw Sullivan, a onetime federal cybercrime prosecutor, as an industry leader who continued to work in the public interest as the top security executive at Facebook, Uber and Cloudflare.

They also criticized the government for criminalizing questionable judgment in paying off extortionists when the practice has become a regular occurrence at U.S. companies hit by ransomware.

What has now become an acceptable, if a bit unsavory, “solution” to ransom demands was treated as a criminal act in this case. This successful prosecution suggests the feds might go after more big tech targets if it finds out they’ve been secretly negotiating with criminals.

The only assurance we have from the government that it won’t start prosecuting security professionals for paying off crooks isn’t all that assuring:

The FBI has said it will not pursue charges against those who approve payouts that do not go to gangs sanctioned for working in concert with Russian authorities or targeting critical infrastructure.

All well and good, but it’s not like malicious hackers provide targets with business cards and employment history (such as it were…) when trying to extort cash from their victims. Attribution is difficult. With the proper operational security in place, it can be almost impossible. Unless hackers affirmatively declare their affiliation with the Russian government, victims of ransomware attacks won’t actually know where the money is going. And with time being of the essence, sometimes the payment has to be made far ahead of the due diligence.

And it’s not as though the federal government is willing to prosecute its own for careless handling of breaches and lax security practices that invite hackers to partake of massive, government-mandated data collections. This seems like a very selective prosecution meant to show the government won’t let the private sector get away with mishandling their users’ data.

It’s unclear what deterrent effect this is supposed to create. If anything, it encourages companies to take a hands-off approach when dealing with extortionists, increasing the risk exfiltrated data will be publicized or sold to other criminals. That can’t be what the federal government actually wants. But it seems like that’s what it’s going to get.

Filed Under: computer security, doj, extortion, joe sullivan, obstruction of justice, ransomware
Companies: uber

US Marshals’ Secretive Surveillance Wing Still Trying To Recover After Being Hit By Ransomware More Than Two Months Ago

from the inadvertently-open-secrets-operations-group dept

Money can’t buy you everything. Not even the kind of money that’s apparently infinite, if our current federal deficit is any indication.

The US Marshals Service was hit with ransomware in February. And, despite drastic measures being taken by the USMS, the breached system still has yet to return to service.

And it wasn’t just any part of the Marshals Service. It was its innermost sanctum, as Devlin Barrett reports for the Washington Post. Here’s what the hackers targeted:

The computer network was operated by the Marshals’ Technical Operations Group (TOG), a secretive arm within the agency that uses technically sophisticated law enforcement methods to track criminal suspects through their cellphones, emails and web usage. Its techniques are kept secret to prolong their usefulness, and exactly what members of the unit do and how they do it is a mystery even to some of their fellow Marshals personnel.

Sounds bad! Sounds like the sort of thing you’d want to keep ultra-protected to ensure the sort of thing that happened doesn’t happen. That’s where it gets even worse. This super-secret group (one not previously acknowledged or reported) had a bunch of its stuff left out in the open, an apparent oversight by the Marshals Service and one that went unnoticed until someone from the outside noticed it and decided to ransom the TOG’s data stash.

Rather than negotiate with computerrorists, the Marshals Service deployed the nuclear option, much to the surprise of many of TOG’s members.

To limit the potential spread of infected devices and systems, officials decided to wipe the cellphones of those who worked in the hacked system — clearing out their contacts and emails. The action was taken with little advance notice on a Friday night, meaning some employees were caught by surprise, these people said.

The exposed-then-ransomed-then-nuked system was apparently an essential part of the Marshals Service’s fugitive apprehension program. But the Service remains (perhaps a bit too) optimistic that, 10 weeks without it (and with no resurrection date in sight), it can still go about the business of rounding up bad guys. The statements provided to the Washington Post imply the Service still has plenty of fugitive-hunting options, which is, of course, the sort of thing people in the fugitive-hunting business would say when an apparent crippling of their offensive weaponry is made public.

But for all its secrecy and high tech, a lot of the fugitive tracking work is still being done the old-fashioned way: by grabbing third-party records without warrants.

A great deal of the hunting is done through what is called pen register/trap and trace — a means of cellphone surveillance that has evolved along with phone technology.

This law enforcement tactic dates back to the days when almost all phone communication occurred via landlines. These orders can now be used to grab email metadata and cell phone communication data, including metadata on SMS texts. It’s also a handy way to hide Stingray deployments, something I’m sure the Marshals Service has never done. Some services are capable of providing this metadata in near-real time, which leverages the Third Party Doctrine to create ad hoc tracking devices — something that would seem to run afoul of the Supreme Court’s Carpenter decision. And that appears to be the Marshals Service’s PR/TT bread-and-butter:

The Technical Operations Group does so many real-time PR/TT data searches that in many years, it collects more of that data than the FBI and DEA combined…

That’s insane. The FBI and DEA have more personnel and cover far more law enforcement territory (in terms of investigations) than the USMS. And yet, this is the agency that outpaces those agencies’ exploitation of third party records.

That’s a little strange. It’s also a little strange that something called a “Technical Operations Group” relies so heavily on a decidedly old school method of information gathering. Quite certainly it has better and more powerful tools. But its continued reliance on something decades-old suggests there’s still plenty of value in allowing old dogs to continue performing old tricks.

Even old bad dogs. Some within the Marshals Service think the TOG is a rogue unit — one rarely placed under direct oversight and prone to abusing its power. Others think this sort of thing is an ideal to be striven for: a powerful and unsupervised group of go-getters rarely bogged down by red tape or constitutional rights.

But this lack of supervision is likely part of the problem facing the agency now. Its most secret stuff was left exposed, inviting computer criminals to not only attempt to extort money from the government, but also dig through sensitive data pertaining to USMS personnel, its investigations, and the third party contractors it employs. This is an inadvertent plea for direct supervision, albeit one that has cost the Marshals Service some of its capabilities and, undoubtedly, a decent amount of taxpayers’ money.

Filed Under: computers, marshals technical operations group, ransomware, surveillance, tog, us marshals

Insecuring Your Home And Data: Ring Vendor Apparently Hit With Ransomware Attack

from the better-put-a-camera-on-the-data dept

Ring offers security products. Shame they’re not all that secure. Sure, things have improved in recent years, but there was nowhere to go but up.

In December 2019, multiple reports surfaced of Ring cameras — most of them inside people’s houses — being hijacked by malicious idiots who used the commandeered cameras to yell nasty things at people’s children when not just lurking and watching the inner lives of unsuspecting Ring users. The worst of these people performed livestreams of camera hacking, taunting and frightening their targets for the amusement of truly terrible human beings.

The problem here was the default security options for the cameras. Ring did not require anything more than an email address and password to activate accounts, allowing these miscreants to sift through the massive piles of endlessly reused credentials to hijack the cameras. Shortly thereafter, Ring “encouraged” users to enable two-factor authentication. But it did not make this a requirement.

That same month, login credentials for nearly 4,000 Ring owners were exposed. Ring claimed it had suffered no breach, suggesting (rather unbelievably) that people were compiling credentials from other data breaches into lists of verified Ring owners. Whatever the case, the company still wasn’t forcing customers to use strong passwords or enable 2FA, so credentials continued to be easily obtained and exploited.

The hijacked cameras led to a lawsuit in early 2020. A few days after the lawsuit was filed, Ring finally decided it was time to make some changes. It added a privacy dashboard for users to allow them to manage connected devices, block any they didn’t recognize, and control their interactions with law enforcement. And it finally made 2FA opt-out, rather than opt-in.

None of that’s helping much in the latest bad news for Ring. As Joseph Cox reports for Motherboard, hackers claim to have made off with some Ring data and left behind a ransom note.

A ransomware gang claims to have breached the massively popular security camera company Ring, owned by Amazon. The ransomware gang is threatening to release Ring’s data.

The party behind this appears to be ALPHV, a ransomware gang that — unlike others in this criminal business — created a searchable database of data obtained from these attacks and made it available on the open web.

That’s where this data may soon end up:

“There’s always an option to let us leak your data,” a message posted on the ransomware group’s website reads next to Ring’s logo.

Nice. But what data is it? And where did it come from?

Ring claims this isn’t its data, at least not specifically. In a comment to Motherboard, Ring claimed the breached/ransomed party is one of its third-party vendors and not Ring itself. But ALPHV must have something Ring-related and worth ransoming, otherwise it likely would not have called out Ring by name (and logo) on its website. Ring says this vendor does not have access to customer records, but it could have access to information and records Ring may not want to be made public.

Whatever the case, Ring claims to be on top of it. Not exactly comforting, given its history of taking a rather hands-off approach to user security.

Filed Under: alphv, login credentials, ransomware
Companies: amazon, ring

FBI Sat On Ransomware Decryption Key For Weeks As Victims Lost Millions Of Dollars

from the is-this-one-of-those-'greater-good'-things-I-don't-understand-becaus dept

The vulnerability equities process meets the FBI’s natural tendency to find and hoard illegal things until it’s done using them. And no one walks away from it unscathed. Welcome to the cyberwar, collateral damage!

If an agency like the NSA comes across an exploit or unpatched security flaw, it’s supposed to notify affected tech companies so they can fix the problem to protect their customers and users. That’s the vulnerability equities process in theory. In practice, the NSA (and others) weigh the potential usefulness of the exploit versus the damage it might cause if it’s not fixed and make a disclosure decision. The NSA claims in public statements it’s very proactive about disclosing discovered exploits. The facts say something different.

Then there’s the FBI, which has engaged in criminal acts to further investigations. Perhaps most famously, the FBI took control of a dark web child porn server and ran it for a few weeks so it could deploy its malware (Network Investigative Technique, according to the FBI) to users of the site. Not only did it continue to distribute child porn during this time, but it reportedly optimized the system to maximize its malware distribution.

The trend continues. As Ellen Nakashima and Rachel Lerman report for the Washington Post, the FBI could have stopped a massive ransomware attack but decided it would be better if it just sat on what it knew and watched things develop.

The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.

The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

The worse news is it wasn’t just the FBI, which is already known for running criminal enterprises while engaging in investigations. The report says this refusal to release the key was a joint agreement with “other agencies,” all of which apparently felt the nation (and the rest of the world) would be better served by the FBI keeping the key to itself while it tried to hunt down the criminals behind the ransomware attack.

And it turned out to be totally worth it!

The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials.

FBI Director Chris Wray, testifying before Congress, said the tradeoff was necessary because it could help prevent future attacks (unproven) and time was needed to develop a tool that would help those hit by the ransomware.

“These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”

He also suggested that “testing and validating” the decryption key contributed to the delay.

I, too, would testify before Congress that things were complex and time-consuming, especially when the end result was the bad guys getting away while victims remained victims. I would, however, perhaps consider not belaboring the “it will be long and hard” point when the private sector has demonstrated that it actually won’t be that long, and possibly not even all that hard.

Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes, according to Fabian Wosar, Emsisoft chief technology officer. The process was speedy because the firm was familiar with REvil’s ransomware. “If we had to go from scratch,” Wosar said, “it would have taken about four hours.”

The FBI took three weeks to turn over the key to the first of many victims. During that time, it apparently failed to accomplish what Emsisoft managed in 10 minutes, as well as failing to catch any of the perpetrators. Faced with this not-so-subtle undercutting of its “we really were just trying to save the world” narrative, the FBI — via its parent organization — has decided to shut the fuck up.

The Justice Department and White House declined to comment.

Sure, the FBI could still be pursuing some leads, but the timing of REvil’s disappearance and the FBI’s release of the key to one of the ransomware victims suggests the FBI only decided to release it because it was no longer of any use to the investigation. It may still be of some limited use to those whose data is still locked up, but pretty much every victim has moved on and attempted to recover from the incident. The cost — as is detailed in the Washington Post report — is in the hundreds of millions. Some victims are still trying to recover. Others are back in business, but only after losing millions to downtime.

Who pays for this? Well, the victims do. And taxpayers will too, if the government decides to compensate some of the companies victimized by ransomware and victimized again by the FBI. The FBI, however, will hardly feel a thing, since the going rate for temporary chagrin is a rounding error in the agency’s reputational damage column.

Filed Under: decryption, doj, fbi, ransomware, revil, vep, vulnerabilities, vulnerabilities equities process

DOJ Says It's Time To Add Ransomware Attacks To The Ever Expanding 'War On Terror'

from the not-everything-needs-to-be-terrorism dept

High-profile ransomware attacks — some of which the FBI has tentatively attributed to Russian hackers — have provoked the kind of response none of us should be in any hurry to welcome. But it’s been coming to this point for years.

Malicious hacking efforts — some of them targeting government agencies — have been normal for as long as we’ve had computers and networks. And it’s something our own surveillance agencies engage in, whether to search for terrorists or to simply cripple foreign governments. Throughout it all, there’s been a steady call by some legislators and officials to turn cyber wars into actual wars. Or, at the very least, allow US government agencies to engage in more offensive hacking efforts, rather than simply play defense.

War — or anything a government can call a “war” — is the one simple trick governments use to obtain more power for themselves at the expense of the rights of those they serve. That’s why the War on Drugs and the War on Terror are more known for mass imprisonment and mass surveillance than any solid victories over the concepts and products the US has declared war against.

Ransomware is the next thing in line for the “war on” treatment. A DOJ internal memo first referenced by Reuters and shared (by the DOJ!) with Gizmodo is equating ransomware attacks with terrorism.

The U.S. Department of Justice plans to take a much harsher approach when pursuing cybercriminals involved in ransomware attacks—and will investigate them using strategies similar to those currently employed against foreign and domestic terrorists.

The new internal guidelines, previously reported by Reuters, were passed down to U.S. attorney’s offices throughout the country on Thursday, outlining a more coordinated approach to investigating attacks. The new guidance includes a stipulation that such investigations be “centrally coordinated” with the newly created task force on ransomware run by the Justice Department in Washington, DC.

This equation of ransomware with terrorism was made explicit by the acting deputy attorney general, who told Reuters this “model” has been used to handle terrorism investigations but not for malicious cyberattacks.

What this means is information will be shared with other agencies as well as oversight and legislators whenever investigators, analysts, and private sector requests for assistance involve ransomware or other online threats, like botnets and forums selling hacking tools and stolen credentials.

What this will mean in practice remains to be seen. The War on Terror hasn’t exactly boosted anyone’s confidence in the federal government’s ability to respond effectively or appropriately to this omnipresent threat. It has saddled us with the TSA and dozens of useless “Fusion Centers.” It has created an FBI cottage industry that allows informants to radicalize random citizens into 20-year prison sentences using tactics that often appear to cross the line into entrapment. It has expanded the buying power of the military and allowed local law enforcement to wield its hand-me-downs against American citizens. It has expanded the reach and grasp of multiple intelligence agencies — some of which have had their own hacking tools leaked/purloined and wielded by the same state-sponsored hackers and cybercriminals these agencies were supposed to be taking down.

Without a doubt, ransomware is a threat to Americans. It has crippled major industry players, resulting in panic buying and price spikes following production dips and logistics nightmares. And it’s only a matter of time before critical systems and agencies are held hostage at virtual gunpoint until ransoms are paid. But considering the underlying infrastructure that allows ransomware attacks to take place is also something millions of non-criminals around the world use regularly, allowing the government to treat the greatest communication tool ever invented as Terrorist HQ isn’t likely to make it better or safer for anyone using it.

Filed Under: criminals, doj, fbi, ransomware, war on terror

Babies & Bathwater: WSJ OpEd Suggests Banning Cryptocurrency Entirely To Stop Ransomware

from the good-luck-with-that dept

The hack of the Colonial Pipeline has already made lots of news, and with that, the government is rushing to come up with new regulations, which will almost certainly be overkill. While the transparency aspect of the expected rules (requiring reporting of “cyber incidents” to the federal government) was more or less expected to come at some point no matter what, the other rules are likely to be fighting the last battle. There are constant changes to these kinds of attacks, and seeking just to prevent them is a fool’s errand.

However, we’re now seeing some truly silly suggestions. Lee Reiners, who runs Duke Law School’s Global Financial Markets Center, has published an op-ed in the WSJ that truly is an astounding example of throwing out all the babies with the bathwater. Reiners says the way to stop these attacks is to just ban all cryptocurrency. This is silly on many levels — mostly because (1) that’s impossible, (2) it wouldn’t work, and (3) it would destroy a ton of important and valuable projects. Frankly this op-ed does not speak well to the Global Financial Markets Center and its understanding of anything. Here’s the core of the argument:

Ransomware can’t succeed without cryptocurrency. The pseudonymity that crypto provides has made it the exclusive method of payment for hackers. It makes their job relatively safe and easy. There is even a new business model in which developers sell or lease ransomware, empowering malicious actors who aren’t tech-savvy themselves to receive payment quickly and securely. Before cryptocurrency, attackers had to set up shell companies to receive credit-card payments or request ransom payment in prepaid cash cards, leaving a trail in either case. It is no coincidence that ransomware attacks exploded with the emergence of cryptocurrency.

There is no doubt that cryptocurrency does aid the ability to pass around money without being traced — and that certainly can (and does) help some criminal enterprises. But, the idea that it makes their job “safe and easy” is simply not true. We’ve seen plenty of criminal operations that relied on cryptocurrency run into issues, including being taken down by law enforcement. This is for a variety of reasons — including that in the process of converting cryptocurrency into other forms of money, you often end up introducing friction that may require some identification. Similarly, there are a lot of steps involved in transferring around even large sums of cryptocurrency that can leave trails. Are there ways to hide yourself? Absolutely, but it’s not as “easy” as the article makes it out to be.

And the claim that the rise of ransomware is because of cryptocurrency seems like a “correlation does not mean causation” kind of situation. There are many reasons why ransomware may have increased over the past few years — including improvements in a variety of hacking tools, the increased online nature of many businesses (especially during the pandemic) and some other factors as well.

Banning anything runs counter to the American ethos, but as our experience with social media should teach us, the innovative isn’t always an unalloyed good. A sober assessment of cryptocurrency must conclude that the damage wrought by crypto-fueled ransomware vastly outweighs any benefits from cryptocurrency.

I mean… what? No one has ever argued that any innovation is “an unalloyed good.” Basically everyone recognizes that innovation has a variety of different impacts — some good, some bad, some indifferent. They’re tools. Some people use them for good things. Some people use them for bad things. That’s true of social media. And it’s true of cryptocurrency. But Reiners then takes the leap from saying it’s not an “unalloyed good” to insisting that, actually, cryptocurrency is all bad. Why? Because he says so.

It isn’t obvious that cryptocurrency provides any benefit at all beyond the chance to make a quick buck. I have been studying the crypto market since its inception, and I have yet to identify a single task or process that crypto makes easier, better, cheaper or faster. Don’t take my word for it. Ask any friend why he owns cryptocurrency, and the answer will invariably be “to make money.” In other words, speculation. (The blockchain technology that underpins crypto does have promising applications in supply-chain management and other areas.)

This paragraph is the kind that should be remembered in the future. I know that many people probably do agree with this assessment, but it shows a real lack of imagination about how cryptocurrency could be useful, as well as a real lack of understanding of the nature of innovations and how they progress over time. We certainly heard similar statements regarding home computers, the internet itself, mobile phones and many other things as well. It may be true that the killer apps for cryptocurrencies are not well recognized now, but that hardly means they don’t exist, and it really isn’t an excuse for trying to ban the entire concept.

As for that closing sentence about blockchain, the paragraph totally misses that what makes a blockchain effective is its integration with cryptocurrency. Yes, you can create cryptocurrency-less blockchains, but they tend to be significantly less interesting, and almost certainly need to create some other incentive system. That generally means that they only work when controlled by a few centralized players, dropping the benefits of a more truly decentralized system with cryptocurrency.

And, the line that most people investing in cryptocurrency are doing so to make money is… meaningless. Yes, that’s one of the important functions of money. It acts as an incentive system. But some of the clever aspects of how cryptocurrency and blockchain work together is that built-in incentive structure that makes the distributed/trustless system function. Yes, the fact that many people are in cryptocurrency to make money does open it up to speculation (and scams). But that incentive is a feature, not a bug.

Most importantly, this ignores that there are interesting ideas and innovations that are just starting to come out of the cryptocurrency world. Obviously, we’ve talked a lot on Techdirt about dealing with other issues — competition, privacy, free speech, content moderation, etc. — with a more distributed internet. And one way to help make that a reality is using cryptocurrency. We’re already seeing some interesting elements of that start to play out with things like FileCoin and the projects that are just starting to show up around that space. To claim that there’s nothing valuable at all is to show a near total ignorance of the more interesting elements of what’s happening. Yes, there are plenty of silly scams and headline grabbing nonsense, but to insist that means there’s no redeeming value is missing the point. Entirely.

Reiners then includes a paragraph that basically says people will mock him for these claims, and insists that because people will attack him for his short-sighted ideas, it proves that “the emperor has no clothes.” Huh?

A day after the Colonial Pipeline shutdown, cryptocurrency champion and self-proclaimed “Dogefather” Elon Musk went on “Saturday Night Live” and admitted the obvious: The dogecoin cryptocurrency is a “hustle.” He then performed an encore by tweeting that Tesla was suspending the use of bitcoin for vehicle purchases due to the coin’s carbon footprint.

Tarring all cryptocurrency because of Elon Musk’s random flights of fancy — and focusing on Dogecoin of all the cryptocurrencies out there — does not make the argument more compelling. It screams out that Reiners is cherry picking examples. Yes, there are silly cryptocurrencies. Yes, there are scams. Yes, there is ransomware, and yes, sometimes cryptocurrencies can make some aspects of criminal behavior easier. But this article fails to tackle any of that in a meaningful way, simply pulling some edge cases and tapdancing around the rest.

And, of course, as we noted above, the idea that you could even ban cryptocurrency is ludicrous. The entire idea behind them was that there is no central node that you can shut off. Reiners tries to get around this by noting the government could put in place a whole bunch of annoying hurdles, but that’s not going to stop cryptocurrencies at all.

Any solution must at least reduce the use of cryptocurrency. Governments and retailers should be encouraged not to accept payment in it. An outright ban could get the job done, but if it would be too difficult to enforce or get through Congress, regulators could crack down on the off-ramps and on-ramps, the points at which crypto is converted into fiat currency and vice versa.

Cryptocurrency firms serving U.S. customers are supposed to be subject to the same anti-money-laundering requirements as traditional financial institutions, but more can be done. Late last year, the Treasury Department’s Financial Crimes Enforcement Network proposed a rule to establish new reporting, verification and record-keeping requirements for certain cryptocurrency transactions. Last week Treasury proposed granting more resources to the Internal Revenue Service to address crypto and called on businesses to report receipts of more than $10,000 in cryptocurrency. Both proposals should be adopted, but they will be effective only if other countries follow suit.

I mean, it’s kinda funny, because up top I noted that the idea that criminals can easily get away with ransomware because of cryptocurrency wasn’t always true because of regulations at the “on-ramps” and “off-ramps” and then later in the article he more or less admits that’s true.

Of course, there are other risks associated with heavily regulating cryptocurrency — again in potentially throwing out babies with the bathwater. Putting too many restrictions on the usage of cryptocurrency could hinder adoption of the actual useful elements of it.

We can live in a world with cryptocurrency or a world without ransomware, but we can’t have both. It is time for the adults to tell the children: Party’s over.

That’s nonsense. There’s no way to get rid of cryptocurrency, and if we just overly burden it with excess regulations as he proposes, that will just lead to more creative workarounds, that will get even more adoption among criminal elements, rather than for more socially useful activities. Second, there is no such thing as “a world without ransomware.” This is just wishful thinking based on the false premise that ransomware only exists because of cryptocurrencies.

And, yes, clearly there’s a real risk with ransomware and attacks like the Colonial Pipeline that the end result could be quite problematic. However, the fact is the real cybersecurity risks from ransomware are monetary risks. The risks associated with taking down or breaking critical infrastructure tend to come from nation-state attacks, not ransomware attacks for money. The whole op-ed is a silly, nonsensical attack on cryptocurrency that doesn’t seem based in reality. If that’s the level of the work that comes out of the Global Financial Markets Center, it does not speak highly of Duke’s ability to produce good scholarship on this subject.

Of course, I will note that Reiners’ hatred of cryptocurrency has not stopped his own center from asking the public to donate cryptocurrency to support the center. How curious.

Filed Under: cryptocurrency, lee reiners, ransomware

Internet-Connected Chastity Cages Hit By Bitcoin Ransom Hack

from the the-future-is-not-what-we-were-promised dept

Tue, Jan 12th 2021 06:24am - Karl Bode

If you hadn’t noticed yet, the internet of things is a security and privacy shit show. Millions of poorly secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids’ Barbie doll can now be used as a surveillance tool, and your “smart” tea kettle can now open your wireless network to attack.

So of course this kind of security and privacy apathy has extended to more creative uses of internet-connected devices. Case in point: last October, security researchers found that the makers of an IOT chastity cage — a device used to prevent men from being able to have sex — (this Amazon link has the details) had left an API exposed, giving hackers the ability to take remote control of the devices. And guess what: that’s exactly what wound up happening. One victim and device user says he was contacted by a hacker who stated he wouldn’t be able to free his genitals from the device unless he ponied up a bitcoin ransom.

Luckily his genitals weren’t in the device at the time, though it’s not clear other users were as lucky:

“A victim who asked to be identified only as Robert said that he received a message from a hacker demanding a payment of 0.02 Bitcoin (around $750 today) to unlock the device. He realized his cage was definitely “locked,” and he “could not gain access to it.” “Fortunately I didn’t have this locked on myself while this happened,” Robert said in an online chat.”

Given the often nonexistent security on internet of things devices, such problems aren’t particularly uncommon in devices like not-so-smart thermostats. It’s also a major problem in many hospitals where big medical conglomerates haven’t been willing to pony up the money necessary to keep lifesaving technology private and secure. That said, “I had to pay some kid in the Ukraine $750 so I could access my own genitals” is a new wrinkle many hadn’t seen coming.

It’s just yet another reminder that you shouldn’t connect everything to the internet just because you can. And you shouldn’t endeavor to engage in such innovation unless you’re willing to spend the money and take the time to ensure you’re adhering to basic security and privacy standards. Whether a heart monitor or a sex toy, most companies still aren’t after ten years of headlines like this. And despite some promising headway being made in policy, our response to the security dumpster fire that is the IOT remains a pretty hot, discordant mess.

Filed Under: bitcoin, chastity cage, hack, iot, ransomware, security