Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,643
    Location:
    NSW
    It's not quite expert hackers, but Coveware have been tallying the stats on method of crypto infection for a while, and RDP compromise has been well up there for a while - Q4 2019 their stats show that 57.4% of ransomware was via RDP compromise vs 26.3% via email phishing.

    I'm not in an IT business but occasionally have customers (or our sales guys, on behalf of the customers) reach out when they have a huge issue, and I've spoken with multiple who after a review found that the infection came in via RDP open to the web, crap passwords etc - of the 3 most recent only 1 had viable backups (unsure on the specifics, but untouched by the crypto so likely offline), one had their backups directly connected to their server so they were also crypto'd, the last one had no backups. I'd be very surprised if there's not a similar weakness in a large number of small/mid sized business all over the place.

Personally I don't trust anyone outside of my place of work to really care about my place of work - even vendors we pay to care about it. Relying on an external vendor/DC provider/whatever to do backups correctly (especially when you can't verify them) is unwise, and not having a contracted RTO with them is equally unwise because they can just say "we'll fit it in whenever". I've had a case personally where I requested a web host who kept backups (as an additional paid service) of our VPS/web server to restore some files and only then did they claim that not just the latest backup, but *all* backups they had were corrupted (I had my own, so while it took longer it was restored - and we moved our services elsewhere), and had a customer (as above, non-IT customer) contact me regarding similar when their cloud host performed an unannounced upgrade to an incompatible DB server on a Saturday, then on Monday claimed that backups are only kept for 24hrs so they had no backup of their DB prior to the upgrade, preventing them from restoring to a compatible DB server (from memory the customer had a backup from prior to their move to cloud, but it was a few months old so lost a lot of data).
     
  2. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,813
    Location:
    Brisbane
    Allow me to reiterate previous statements: part of being on the Internet in 2020 means not exposing Citrix, RDP or other legacy connection methods to the internet.

    By all means use them. But wrap them up safe in something that doesn't get pwned every 20 seconds.

    It's not 1999 any more, friends. Time to change.

    Speaking of change, CommBank are dumping 875 bits of shitware LOB apps from their collection of 3000 internally:

    https://www.itnews.com.au/news/cba-...c-cloud-as-it-culls-25-percent-of-apps-537882

That's a good start. I'm certain that'll have whole business units panicking about the change, but fuck 'em. Hoarding is a problem, and that goes for shitware too. Every now and then you have to call in a skip, and mercilessly clean house. Does the shitware spark joy?
     
  3. Hive

    Hive Member

    Joined:
    Jul 8, 2010
    Messages:
    6,286
    Location:
    AvE
I would hazard a guess some time after they get Karen to "pop down" to the bank and pull out a few hundred thousand in cash to take to a convenience store to top up their bitcoin account.
     
    elvis likes this.
  4. pH@tTm@N

    pH@tTm@N Member

    Joined:
    Jun 27, 2001
    Messages:
    2,135
    Location:
    BRISBANE
Citrix bought NetScaler because it was a secure edge device and load balancer, then integrated the Citrix Gateway in it. It was sold as a secure edge device running BSD. Funny how all the Citrix diagrams now have it behind a firewall...
     
  5. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,813
    Location:
    Brisbane
    Portknock + VPN. Trivial to implement, $0, yet somehow mind blowingly complex for 99% of orgs.

    I swear to god I don't know how people keep their jobs.
     
    cvidler likes this.
  6. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,650
    Location:
    Canberra
Until there is a zero day in your port knock, then your never-patched VPN server (because you port knock) gets owned :)
     
  7. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,813
    Location:
    Brisbane
    1) Patch early, patch often. All layers. No exceptions. Put in business processes to deal with outages, whether they be malicious attacks or bad patches. These are now non-optional things in 2020.

    2) This is a war of attrition. Nobody worth their paycheque believes in silver bullets or one-hit magic, and nobody worth paying relies on one single layer. And that goes for the bad guys too - their tools are multi-vector, so your defence should be too. Again, mandatory in 2020.

3) There is always risk. Even a computer powered off, filled with concrete and thrown into the sea can have some of its data retrieved with the right amount of effort and money. Minimise your attack surface, make the weak and lazy around you a juicier target than you for intentionally targeted malice. Make the slow and stupid around you an easier target for the scattergun malice.

    I can count on one hand the number of major attacks I've read about in the last 30 years that were genuinely 100% unavoidable. The other 99% could have been avoided with very little effort, money and impact to business, but weren't because people were a combination of ignorant or lazy.
     
    Last edited: Feb 14, 2020
    GumbyNoTalent likes this.
  8. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    9,277
    Location:
    Briz Vegas
If you cannot recover your data from an offsite/not part of your network backup and verify it is indeed recoverable, then you do not have a recovery plan. This one point is lost on so many people in this thread, and probably people in Toll. This will not 100% protect you but if you validate every backup daily then you can always get back to a state of unfucked, and to be totally unfucked your recovery/backup should not be image based, and OS/software/data should all be separate processes and independent of each other.

    But, hey WTF would I know. ;)

    As for SELinux being the hardened process to beat them all, don't put all your eggs in 1 basket.
    https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=selinux

     
    Last edited: Feb 14, 2020
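The "verify it is indeed recoverable" point above is the one that bites people, so here is an added example of what a daily backup validation can look like. This is not code from the thread or from any product mentioned in it; it assumes a tar.gz backup with a SHA-256 manifest recorded at backup time, and builds a constructed sample tree so it runs offline. It does a test restore into a scratch directory and compares every restored file against the manifest, so a backup that is silently corrupt, incomplete or truncated (the web host story a few posts back) shows up as a failed validation instead of a surprise at restore time.

```python
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir: Path) -> dict:
    """Relative path -> SHA-256 of every regular file, recorded at backup time."""
    return {str(p.relative_to(src_dir)): sha256_file(p)
            for p in sorted(src_dir.rglob("*")) if p.is_file()}


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Write src_dir to a .tar.gz plus a JSON manifest beside it; return the manifest."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Test-restore the archive into a scratch directory and compare every file
    against the manifest. ok is True only when nothing is missing or changed."""
    report = {"restored": 0, "missing": [], "mismatched": [], "error": None, "ok": False}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar.getmembers():
                    # refuse members that would escape the scratch directory
                    if m.name.startswith("/") or ".." in Path(m.name).parts:
                        raise tarfile.TarError(f"unsafe member path: {m.name}")
                # use the 'data' extraction filter where this Python provides it
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **extra)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"  # unreadable/truncated archive
            return report
        for rel, digest in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != digest:
                report["mismatched"].append(rel)
            else:
                report["restored"] += 1
    report["ok"] = not (report["missing"] or report["mismatched"])
    return report


def demo() -> tuple:
    """Constructed scenario: a good backup, a backup whose contents no longer match
    the manifest, and an archive cut short. Returns the three validation reports."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "srv"
        (src / "etc").mkdir(parents=True)
        (src / "data").mkdir()
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1:8080\n")
        (src / "data" / "db.sql").write_text("CREATE TABLE orders (id INT);\n")

        good = work / "good.tar.gz"
        manifest = make_backup(src, good)
        good_report = verify_restore(good, manifest)

        # Same manifest, but what the host actually kept is altered and incomplete.
        (src / "data" / "db.sql").write_text("-- truncated\n")
        (src / "etc" / "app.conf").unlink()
        bad = work / "bad.tar.gz"
        with tarfile.open(bad, "w:gz") as tar:
            tar.add(src, arcname=".")
        bad_report = verify_restore(bad, manifest)

        # And the archive itself cut off half way through the transfer.
        data = good.read_bytes()
        trunc = work / "trunc.tar.gz"
        trunc.write_bytes(data[: len(data) // 2])
        trunc_report = verify_restore(trunc, manifest)
    return good_report, bad_report, trunc_report


if __name__ == "__main__":
    for label, rep in zip(("good", "altered", "truncated"), demo()):
        print(label, "OK" if rep["ok"] else "FAILED", rep)
```

Run it daily against the copy that lives offsite, not the one on the server, and treat any report with ok False as an incident rather than a warning; a manifest stored with the backup it describes is only useful if the backup job cannot also rewrite the manifest.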
  9. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,306
    Head in Sand... gotcha.

The businesses that have not been hit (my place of employment included) haven't been hit because they have been lucky, not good.
     
    NSanity likes this.
  10. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,650
    Location:
    Canberra
I do believe that was the point of my post :)
     
    elvis likes this.
  11. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    9,277
    Location:
    Briz Vegas
    PS - Happy Pointless Hallmark day!
     
  12. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,813
    Location:
    Brisbane
    This constant talk of SELinux is symptomatic of the problem of people not looking for new ways of doing old things in a changing world.

AppArmor, cgroups and "ambient capabilities" (a great way to replace setuid, since kernel 4.3) are all excellent tools that very few sites use properly. SELinux is fine too, but it's not even close to being the only tool in the bag.

I assumed you were taking the piss somewhat, but I was also cranky (not at you) and on a rant roll, which brings me catharsis.
     
  13. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,306
Some unknown party was able to run whatever the fuck they wanted on our systems, but "we have seen no evidence to suggest any personal data has been lost as a result of the ransomware attack" because we aren't looking for it.


But it's better than my local council's notice (they got Ryuk'd)

    https://www.onkaparingacity.com/Emergency-announcements/System-outage-update
     
    GumbyNoTalent likes this.
  14. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    9,277
    Location:
    Briz Vegas
LOL because all the servers are cryptolock'd and we are unable to recover, but personal data hasn't been lost, please re-register to use the Toll system.

    https://www.dictionary.com/browse/lost
    lost
    adjective
    1. no longer possessed or retained: lost friends.
    2. no longer to be found: lost articles.
    3. having gone astray or missed the way; bewildered as to place, direction, etc.: lost children.
    4. not used to good purpose, as opportunities, time, or labor; wasted: a lost advantage.
    5. being something that someone has failed to win: a lost prize.
    6. (Toll) Unable to access saved data: lost data
     
    Last edited: Feb 14, 2020
  15. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,498
I couldn't work out what that council was called from the URL so I clicked the link to see their website and I'm still totally fucking confused as to what it's called.

    It's either poorly formatted for mobile or someone got paid when they shouldn't have.

    Also, 404 on their IT outage page.
    I guess everything's fine.
     
  16. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,306
    The LGA is City of Onkaparinga. They've had a bit of a revolving door in the IT Management department :). I see the job re-advertised all the time.
     
  17. tonner78

    tonner78 Member

    Joined:
    Sep 16, 2003
    Messages:
    2,195
    Location:
    Inside the Matrix
    If I recall correctly I saw it advertised again recently - I wonder why :)

Also, one week down outside of MSP land. It's very different, but I do not miss that cesspit at all.
     
    scips and bcann like this.
  18. OP
    OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,813
    Location:
    Brisbane
    As above, if someone *really* wants to get in, they'll get in. But our jobs are to make it as expensive, annoying, and rewardless as possible. Throwing your hands in the air and saying "eh, nuthin' we can do" isn't the answer.

    "Luck" may have a big part in that, but we also get to influence the number of faces on the dice. Making your site more annoying and less rewarding than the ones around you influences that greatly.
     
    Gargamel likes this.
  19. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,643
    Location:
    NSW
Absolutely, and that was my advice to all of them - one of them had brought in an MSP pretty much straight away and their first move was to disable RDP to the web (good, but a bit late...), the 2nd one advised that it was open at the near demand of their MSP who claimed the only way they could manage their systems was via RDP and took no precautions such as VPN or even the bare minimum of having it restricted to a certain IP/block only - my advice to them was to fire said MSP immediately and consider if they would have a case against them for negligence.

Ignorance at a management level. If you don't get compromised they never know what's going on, and if you do get compromised and can pin it on Kathy in accounts then she gets a slap on the wrist and you manage to keep your job. I'm not in MSP land (though was a long time back) but even still I end up dealing a bit with both internal IT staff elsewhere and MSPs (plus hiring for our internal IT team) and the number of people who are even half decent at their job (and some of them *are* only half decent, not good) are massively outnumbered by people who are barely good enough to fumble their way to a solution that kind of works....but hell, that's what post 1 of this thread was about....so we all already knew this.

    That's just brilliant.... It says more than their actual update statement ever could!
     
    elvis likes this.
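Posts 2, 5 and 19 all come back to the same check: is RDP, Citrix or anything like it reachable from the open internet instead of from the VPN or a named management block? As an added example (not code from the thread or from any vendor it mentions), here is a small audit over a ruleset in the shape of a cloud security group. The trusted-source list, the port list and the sample rules are all constructed; on a real site the trusted list is whatever your VPN client pool and office egress actually are, and the rule list comes from your firewall or cloud API export.

```python
import ipaddress

# Remote-access services the thread says should sit behind a VPN, never on the edge.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    1494: "Citrix ICA",
    2598: "Citrix CGP",
    5900: "VNC",
}

# Constructed trust list: RFC1918 (inside the perimeter, including the VPN client
# pool) plus the one office egress block allowed to reach management ports directly.
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.0/29",   # office egress block (TEST-NET-3, constructed)
)]


def source_is_trusted(cidr: str) -> bool:
    """True only if the whole source range lies inside one trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def exposed_services(rule: dict) -> list:
    """Names of the remote-access services this rule opens, in port order."""
    if rule["proto"] not in ("tcp", "all"):
        return []
    lo = rule.get("from_port", 0)          # an "all traffic" rule has no port range
    hi = rule.get("to_port", 65535)
    return [name for port, name in sorted(REMOTE_ACCESS_PORTS.items()) if lo <= port <= hi]


def audit_rules(rules: list) -> list:
    """Return (rule name, service, source) for every remote-access port reachable
    from an untrusted source. An empty list means nothing is hanging off the edge."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or source_is_trusted(rule["source"]):
            continue
        for svc in exposed_services(rule):
            findings.append((rule["name"], svc, rule["source"]))
    return findings


# Constructed sample ruleset: one VPN listener, RDP both done right and done wrong,
# an MSP "just our IP" rule that is not in the trust list, and a wide-open rule.
SAMPLE_RULES = [
    {"name": "vpn-in",       "action": "allow", "proto": "udp", "from_port": 1194, "to_port": 1194, "source": "0.0.0.0/0"},
    {"name": "rdp-world",    "action": "allow", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"name": "rdp-from-vpn", "action": "allow", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "10.50.0.0/24"},
    {"name": "office-rdp",   "action": "allow", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "203.0.113.2/32"},
    {"name": "msp-mgmt",     "action": "allow", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "198.51.100.7/32"},
    {"name": "ica-open",     "action": "allow", "proto": "all", "source": "0.0.0.0/0"},
    {"name": "web",          "action": "allow", "proto": "tcp", "from_port": 443,  "to_port": 443,  "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, svc, src in audit_rules(SAMPLE_RULES):
        print(f"EXPOSED {svc:<10} rule={name:<12} source={src}")
```

The point of an explicit trust list rather than "is it a private address" is that a single MSP address (msp-mgmt above) still gets flagged until someone consciously adds it, which is exactly the conversation the second customer in the post never had with their MSP.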
  20. BAK

    BAK Member

    Joined:
    Jan 7, 2005
    Messages:
    1,197
    Location:
    MornPen, VIC
    Toll failed to secure their systems well enough, and they also failed to put in place a Disaster Recovery plan so that in the event everything got hosed, they could restore core business functions and continue doing business.

TNT and other competitors are likely enjoying the surge in business, but are probably similarly vulnerable because it's obvious nobody learns from the very high profile, very public failings of their competitors. "We got all green traffic lights on this security audit report from $Cheapest_Security_Tender, this couldn't happen to us!"
     
    elvis likes this.