
Ransomware & HSE


Comments

  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Bot1 wrote: »
    How true would some of the claims be that WFH facilitated this attack?
    I'm skeptical, personally.

    While one can reasonably say that at home someone's internet usage is unfiltered so they are able to browse dodgy sites and potentially download dodgy stuff, this is only one tiny piece of the puzzle.

    Quite rightly, users accessing corporate applications outside of the physical buildings have to do so through locked-down means. Whether that be a VPN, Citrix session, or through a web portal. This means that the machines of users working remotely tend to be, by default, less of a security risk than those inside the physical building.

    Those inside the physical building often have far more open access to applications and their machines are trusted by default. In the background some authentication may still take place, but any malware running on that machine will get to piggyback on that authentication. A remote machine won't have the same access.

    In my experience, there is so much paranoia about computers that leave the building, that security overfocusses on locking them down and underfocusses on securing the machines inside the building.

    This has traditionally made sense; a machine that leaves the building is more likely to have its data stolen.
    But now most data is not stored locally on machines. The focus needs to change and treat all machines equally regardless of location.

    In this case, the nature of the attack says that if it was facilitated by WFH, it was only in regards to the initial access. The ability of the hacker to move around inside the network had nothing to do with lots of people WFH.

    It could be argued though that having everyone WFH led to some "missed" alerts or security audits that might otherwise have been more meticulous had IT staff been physically present.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Bot1 wrote: »
    How true would some of the claims be that WFH facilitated this attack?

    Where are these claims?

    On this very thread there have been claims that have been at best outlandish and at worst, plain false.

    With the results of that study that came out yesterday saying 95% would prefer to continue to work from home, I'd surmise that particular claim was made in an attempt to justify a full return to the office.


  • Registered Users Posts: 2,302 ✭✭✭madcabbage


    Can't see anything from the WFH angle. They'd surely be using proxies and VPNs, as well as security suites / endpoint protection.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    This group and others make their money by getting paid. You don't get paid by doing the things that would stop you getting paid in future attacks.

    Ah Jesus,
    This "group" can monetise this data in a large number of ways if they want to.
    What is stopping them:
    1. Take the HSE ransom.
    2. "Hand back" a copy of the data.
    3. Monetise their copy in another way.
    4. Change their name (they have a name don't they?)
    5. Rinse and repeat for another organisation


    You are not dealing with a corporate entity here that has a reputation to protect.



    I cannot believe how naive some people are when it comes to dealing with CRIMINALS and international/faceless criminals at that!


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    This group and others make their money by getting paid. You don't get paid by doing the things that would stop you getting paid in future attacks.

    :P
    Do they provide references?
    Nobody had heard of this group prior to the HSE. Or who works for them. What if they take the money and then release the data? They can start up another "company" tomorrow morning. It's not like you can check their CVs and mark them down for working on the HSE?

    Nobody should even consider paying the ransom as an option.


  • Posts: 5,917 ✭✭✭ [Deleted User]


    89k is a pitiful amount for that role. I know people working in security companies earning 120k plus working as Security Engineers (red teams and such) - never mind manager or director level roles.

    Cue the overpaid public service comments.


  • Registered Users Posts: 544 ✭✭✭agoodpunt


    so if our names, dob, address and pps no. are out there for all to see can be used that is very scary will give more access to cc/ bank accounts which bank we use omg all because someone clicked on an email link most likely


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    agoodpunt wrote: »
    so if our names, dob, address and pps no. are out there for all to see can be used that is very scary will give more access to cc/ bank accounts which bank we use omg all because someone clicked on an email link most likely

    You can probably oversimplify any major event to a very small thing if you wanted to but is it because someone clicked on an email link or because someone went out to cause harm?


  • Posts: 5,917 ✭✭✭ [Deleted User]


    Where are these claims?

    On this very thread there have been claims that have been at best outlandish and at worst, plain false.

    With the results of that study that came out yesterday saying 95% would prefer to continue to work from home, I'd surmise that particular claim was made in an attempt to justify a full return to the office.

    Work from home is a reality for a lot of private sector I.T. companies, and I can see it being extended as a norm for the public service.

    Personally I have been working from home since 2017, and three days a week before that. The security of anything that I work with is determined by what is enforced at the company level.


  • Registered Users Posts: 9,507 ✭✭✭runawaybishop


    Forbes is a blog site, Sophos exists to sell security products and the majority of ransomware floating around isn't this specific and linked to larger groups.

    There are plenty of other reports that will tell you paying up in no way guarantees you will get your data back.

    These people are criminals, they have already begun sounding out other buyers for this data, that is if it hasn't already been sold. Paying them just encourages more attacks.


  • Registered Users Posts: 21,886 ✭✭✭✭Roger_007


    They've identified the group who did it. They are based in St Petersburg.

    It's not an assumption, it's fact.

    Surely you mean that the hackers made it look like they are based in St Petersburg?
    Isn’t that what clever hackers do? They lay a false trail to make it near impossible to get to the original source.


  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    good talk on the types of actions they take to hide themselves



  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    May have been posted already but a really good (recent) series on how some of this stuff works is here:
    https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads


  • Registered Users Posts: 598 ✭✭✭Tij da feen


    DubInMeath wrote: »
    Cue the overpaid public service comments.

    Yeah, the issue is people will complain about something they don't understand. If you want competent employees then you need to compete with the market you're in.

    I was looking at a role within the HSE before (not security related, but data analytics) and their salary scales were out of whack in comparison with the market. I'm guessing a lot of their technical side roles aren't being compensated properly.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    madcabbage wrote: »
    Can't see anything from the WFH angle. They'd surely be using proxies and VPNs, as well as security suites / endpoint protection.




    If they just let people blindly connect their own machines then there would well be security issues. It would be normal for an organisation to not allow machines onto their networks without the company locking it down first.


    I doubt they do that though. VPN would be no good in the scenario that I use my personal machine to go off and do whatever dodgy stuff to infect it stupidly and then SSL/TLS back in inside the company firewall with the same machine. Now you have an infected machine on whatever subnet you allowed me access to.


    You might have a gateway over citrix etc. to access data, but you won't have your machine "on the network" so to speak.


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    If anyone would like a link to the Conti News site to keep abreast of the team's leaks, or download them if you want, PM me.

    So, a lad joins Boards, and in his 1st post ever, asks other lads on a ransomware thread to send him information by PM.. Have I got that straight in my head?

    Seems legit!

    :eek:


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    89k is a pitiful amount for that role. I know people working in security companies earning 120k plus working as Security Engineers (red teams and such) - never mind manager or director level roles.

    Agreed - the salary should be a minimum double this figure.


  • Posts: 0 [Deleted User]


    Anyone working from home experiencing drop offs in connectivity today?

    I'm Virgin media and it has fallen off 3 times since 2pm.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Anyone working from home experiencing drop offs in connectivity today?

    I'm Virgin media and it has fallen off 3 times since 2pm.

    What's that got to do with this thread?


  • Registered Users Posts: 1,781 ✭✭✭mohawk


    DubInMeath wrote: »
    Cue the overpaid public service comments.


    Problem for the public sector is that it is tied into grades and has unions to deal with. Certain roles therefore are underpaid compared to what they can get in private sector. IT in some areas already has a skills shortage. A private company can offer more money if they can’t get the best people for the job but public sector can’t.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Roger_007 wrote: »
    Surely you mean that the hackers made it look like they are based in St Petersburg?
    Isn’t that what clever hackers do? They lay a false trail to make it near impossible to get to the original source.

    Or they don't care if people know where they are?

    They don't attack Russian sites
    Russia would never extradite a citizen of theirs
    Russian government doesn't care about their actions

    So, what are the consequences of people knowing where they are based? None.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    Everybody is going on that this is Russian criminals - is there any evidence of this yet?


  • Posts: 0 [Deleted User]


    Keyzer wrote: »
    Everybody is going on that this is Russian criminals - is there any evidence of this yet?

    The group have identified themselves, they're based in Russia. So yep confirmed.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    This is a good thing overall, the 100million total cost is the only thing that will make the HSE tidy up security

    And already people getting offers of better healthcare abroad

    https://m.independent.ie/irish-news/patients-have-already-received-unsolicited-approaches-after-data-leaked-by-hse-hackers-dail-told-40444900.html


  • Registered Users Posts: 23,246 ✭✭✭✭Dyr


    gctest50 wrote: »
    This is a good thing overall, the 100million total cost is the only thing that will make the HSE tidy up security

    And already people getting offers of better healthcare abroad

    https://m.independent.ie/irish-news/patients-have-already-received-unsolicited-approaches-after-data-leaked-by-hse-hackers-dail-told-40444900.html

    The HSE is so ****e that being hacked improves their waiting lists :D


  • Posts: 5,917 ✭✭✭ [Deleted User]


    Yeah, the issue is people will complain about something they don't understand. If you want competent employees then you need to compete with the market you're in.

    I was looking at a role within the HSE before (not security related, but data analytics) and their salary scales were out of whack in comparison with the market. I'm guessing a lot of their technical side roles aren't being compensated properly.

    There's a whole thread on it here full of bitter people complaining that the public service are over paid.

    I agree with your assessment that the pay levels for I.T. roles are seriously out of kilter in relation to the private sector, even in the last recession. During it I moved company every two years, with an increase in salary or for the same salary but better perks.
    Hence they have to hire in contractors at high daily rates, and those that believe it is saving money are kidding themselves as some of those contractors have been working for the same department for over ten years.

    If the public service were to introduce a technical AP grade I might consider it.


  • Posts: 0 [Deleted User]


    The group have identified themselves, they're based in Russia. So yep confirmed.


    Yes! Bashirov and Petrov again! I will not be surprised if one of them uses your home address for the next attack.
    Or the president of Ireland's home address!


  • Posts: 5,917 ✭✭✭ [Deleted User]


    mohawk wrote: »
    Problem for the public sector is that it is tied into grades and has unions to deal with. Certain roles therefore are underpaid compared to what they can get in private sector. IT in some areas already has a skills shortage. A private company can offer more money if they can’t get the best people for the job but public sector can’t.


    Actually from talking to a friend who works in the civil service, it's the government via the department of finance/expenditure, that are fighting against the drive for the introduction of technical grades and associated salary scales.


  • Posts: 5,917 ✭✭✭ [Deleted User]


    Yes! Bashirov and Petrov again! I will not be surprised if one of them uses your home address for the next attack.
    Or the president of Ireland's home address!

    Da!


  • Posts: 0 [Deleted User]


    No point paying the ransom.
    All names and surnames, if somebody is looking for information, are on Facebook, Instagram etc.
    And they have been stolen from there already, together with all addresses, emails and phone numbers, before.

