Massive Ransomware Attack Hits 23 Local Texas Government Offices (texas.gov)
Long-time Slashdot reader StonyCreekBare shared this press release from the Texas Department of Information Resources (DIR), current as of August 17, 2019, at approximately 5:00 p.m. Central time:
On the morning of August 16, 2019, more than 20 entities in Texas reported a ransomware attack. The majority of these entities were smaller local governments...
At this time, the evidence gathered indicates the attacks came from one single threat actor. Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time.
It appears all entities that were actually or potentially impacted have been identified and notified. Twenty-three entities have been confirmed as impacted. Responders are actively working with these entities to bring their systems back online. The State of Texas systems and networks have not been impacted.
OK boys and girls. it's time to (Score:5, Insightful)
do a security analysis of your networks, and check your backup and especially recovery/restore processes to make sure they actually work.
Then have some coffee, and start the real work.
Re:OK boys and girls. it's time to (Score:5, Insightful)
And don't forget to segment your networks into smaller segments to be able to isolate problems that occur.
Back in the 80's and early 90's every department had their own network and server, but in the name of "cost saving" everything has been centralized and is therefore a lot more sensitive to attack.
Re:OK boys and girls. it's time to (Score:5, Informative)
And don't forget to segment your networks into smaller segments to be able to isolate problems that occur.
Back in the 80's and early 90's every department had their own network and server, but in the name of "cost saving" everything has been centralized and is therefore a lot more sensitive to attack.
I remember thicknet and the ARP storms, and bridging and repeaters.
Segmenting/firewalling your network resources like SAN and Production from users only makes sense.
Test and QA environments can be rebuilt pretty quickly with no downtime for "the Important Stuff".
The first rule of firewalling is DENY ALL.
Exceptions can then be made, documented, tested, and then implemented.
DMZs are also important to minimize exposure of "approved" external and internal services.
If your network is one gooey center, with no crunchy outside, you will be sad.
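The "DENY ALL first, documented exceptions after" approach from this post, written out as a small first-match policy check between network segments. This is an added example, not code from the thread or from any firewall product; the segment ranges, change-ticket strings and sample flows are constructed for illustration, and `undocumented_exceptions()` is a hypothetical audit helper that lists holes which were opened without a ticket.

```python
"""Default-deny segment policy with documented exceptions (added example).

Every flow between segments is DENIED unless an explicit exception matches.
Segments, exceptions, tickets and sample flows below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segments: name -> CIDR
SEGMENTS = {
    "users":  ipaddress.ip_network("10.10.0.0/16"),
    "dmz":    ipaddress.ip_network("192.0.2.0/24"),
    "prod":   ipaddress.ip_network("10.20.0.0/16"),
    "san":    ipaddress.ip_network("10.30.0.0/24"),
    "backup": ipaddress.ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Exception_:
    src: str      # source segment
    dst: str      # destination segment
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    ticket: str   # change ticket that documents the hole; "" means undocumented


# Constructed exceptions; anything not listed here falls through to DENY
EXCEPTIONS = [
    Exception_("users", "dmz", "tcp", 443, "CHG-0101 web front end"),
    Exception_("dmz", "prod", "tcp", 5432, "CHG-0102 app tier to database"),
    Exception_("prod", "san", "tcp", 3260, "CHG-0103 iSCSI storage"),
    Exception_("prod", "backup", "tcp", 22, "CHG-0104 backup agent pull"),
    Exception_("users", "prod", "tcp", 3389, ""),   # RDP hole nobody documented
]


def segment_of(ip: str):
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int):
    """First matching exception wins; otherwise the default policy (DENY) applies."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return ("DENY", "unknown segment")
    for rule in EXCEPTIONS:
        if (rule.src, rule.dst, rule.proto, rule.port) == (src, dst, proto, port):
            return ("ALLOW", rule.ticket or "UNDOCUMENTED")
    return ("DENY", "default policy")


def undocumented_exceptions():
    """Exceptions that exist in the ruleset but have no ticket behind them."""
    return [r for r in EXCEPTIONS if not r.ticket]


def audit(flows):
    """Evaluate a list of (src_ip, dst_ip, proto, port) tuples."""
    return [(f, evaluate(*f)) for f in flows]


# Constructed sample flows
SAMPLE_FLOWS = [
    ("10.10.5.20", "192.0.2.10", "tcp", 443),   # user browsing the DMZ web app
    ("10.10.5.20", "10.30.0.5", "tcp", 3260),   # user workstation reaching for the SAN
    ("10.20.1.8", "10.30.0.5", "tcp", 3260),    # prod host to SAN
    ("10.10.5.20", "10.20.1.8", "tcp", 3389),   # RDP from user segment to prod
    ("203.0.113.7", "10.20.1.8", "tcp", 22),    # address in no known segment
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(flow, "->", verdict)
    print("undocumented exceptions:", undocumented_exceptions())
```

The audit helper is the part worth keeping around: a default-deny policy only stays meaningful while every exception still has a documented, tested reason to exist.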
Re:OK boys and girls. it's time to (Score:5, Funny)
I'd recommend making DENY ALL the last rule, not the first, because ... well ...
Re: (Score:1)
DENY ALL is a default policy, not a firewall rule. Still, having a DENY default policy might be a first rule of managing firewalls, if you see what I mean.
Re: (Score:2)
You think they did not already have segmented networks?
You think they did not already have DMZ's?
You think they did not already have blocked FW ports?
You think their SAN appliances and Production network were not already separated?
"Exceptions can then be made, documented, tested, and then implemented."
And those exceptions are how they got in. Congratulations you let the enemy right in through the front door!
"If your network is one gooey center, with no crunchy outside, you will be sad."
If you stick to old
Re: (Score:2)
Fell asleep?
The firewall was getting an upgrade at that time?
It was dark and nobody saw the green lights of the firewall change to red?
The city laptop at home did not go beep loud enough and warn the engineer in time?
Re: (Score:2)
Kinda' agree - to a bit.
NO ACCESS - NO EXEMPTIONS
someone wants 'digital' access, they can link to the offline, read-only, 'ghost-image' network, but NEVER to the MAIN NETWORK !
Re: (Score:3)
And the private, for-profit contractor linked to the failures? Well, when it is all about profit, security is nothing but a cost and somebody else's problem.
Has no one noticed that contracting out stuff to the lowest tender has made network security far worse than it should be? When profit is the goal, make no mistake: the only thing being paid for is security by obscurity, or in reality no security at all.
Re: (Score:3)
What I notice is that there is a lot of pain in the ass fake security stuff (strange and annoying password policies such that people just write the passwords down) while leaving the network open to some really basic attacks. It really looks like a lot of the security stuff is designed to be as user visible as possible and not to actually address basic issues. So tired of network systems that assume everything is just a web browser and security is pretty much confined to 80 and 443 while everything else is o
Re: (Score:2)
would get a +1 - funny
funny, but sad, since it is such an overlooked issue - - -
back to basics - secure the SYSTEM, then the data can be secured !
Re:OK boys and girls. it's time to (Score:4, Funny)
"And don't forget to segment your networks into smaller segments to be able to isolate problems that occur."
Network Segmentation is "Security Theater".
Tell that to any military organization that network segmentation is "Security Theater" and you'd be put in the freezer quicker than you can blink.
Re: (Score:2)
Especially if there are any senators in earshot.
Re:OK boys and girls. it's time to (Score:5, Informative)
Network Segmentation is "Security Theater".
Not if done properly.
Hopefully nobody is stupid enough to think that network segmentation just means "use different network addresses for different networks". It should mean "complete separation" except for controlled gateways.
Re: (Score:1)
What really baffles me, is people accessing the internet from work.
What does the DMZ need access to Google for? They're processing tickets, license plates, and so forth. All network access should be 100% based upon VPNs between offices, static IPs, and maybe even blackhole routing for anything not on the list.
If you're a DMZ employee that wants to read the news, check their mail, go to Google -- use your damned phone!
So many places have access to "the web", without any real logical reason. And those that
Re: (Score:1)
"The guys in the white coats will see that your report is ready in four hours. They will deliver the printout.
Please step away from the half-door window. Your request has been queued."
Re: OK boys and girls. it's time to (Score:5, Insightful)
Not just governments in Texas have been targeted. Our company was hit two weekends ago Saturday. Unfortunately I was in early Saturday morning to work on a project and discovered it. I hated being the one and making the call.
Your firewall rules I am reading below will not help you.
These are social engineering attacks, with email, usually to sales and appearing to come from a known customer or vendor.
In the end, the insurance paid with our company and we had a 25k deductible. Took a week to clean up.
The infected computer directly attacks domains. Once the domain controller is toast, so are the rest of your domain stations.
I had several PCs not part of the domain and they were fine.
They are after cash and it's working. Encrypted the servers, backup systems and all Windows domain-controlled databases.
Yes in a way not terrible to clean up and I am sure they will have a much better system in the end. We all know mid size companies like to hold back expenses on IT.
Maybe a wake up call for some CEO who does not want to commit funds to secure the infrastructure.
BTW none of the antivirus picked it up,
We now have a sensor system that runs on each PC, and can disconnect the PC from the network if it's detected.
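A minimal version of the kind of per-PC sensor this poster describes, as an added example that is not from the thread or from any product: it scores file events per host and process in a sliding window, flags a burst of rewrites to suspect extensions or any touch of a planted decoy file, and returns an "isolate host" decision. The event format, the extension and canary lists, the thresholds and the sample events are all constructed; real agents also have to handle the network-isolation action, which is outside this snippet.

```python
"""Host sensor heuristic: file-event burst or canary touch -> isolate host.

Added example, not from the thread. Event shape, thresholds, decoy paths
and the sample events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since sensor start
    host: str
    process: str
    op: str         # "write" or "rename"
    path: str       # resulting path of the file


SUSPECT_EXTENSIONS = {".locked", ".crypt", ".encrypted"}        # constructed
CANARY_PATHS = {"C:/Users/Public/Documents/~canary.docx"}       # decoy the sensor plants


def _suspect(path: str) -> bool:
    return any(path.lower().endswith(ext) for ext in SUSPECT_EXTENSIONS)


def detect(events, window: float = 60.0, threshold: int = 40):
    """Return one alert per (host, process) that either touches a canary file or
    touches `threshold` distinct files within `window` seconds with at least half
    of them ending in a suspect extension. Events may arrive out of order."""
    alerts = []
    recent = defaultdict(deque)   # (host, process) -> deque of (ts, path)
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.process)
        if key in flagged:
            continue
        if ev.path in CANARY_PATHS:
            alerts.append({"host": ev.host, "process": ev.process, "ts": ev.ts,
                           "reason": "canary file touched", "action": "isolate host"})
            flagged.add(key)
            continue
        q = recent[key]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:      # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        suspect = sum(1 for p in distinct if _suspect(p))
        if len(distinct) >= threshold and suspect * 2 >= len(distinct):
            alerts.append({"host": ev.host, "process": ev.process, "ts": ev.ts,
                           "reason": f"{len(distinct)} files in {window:.0f}s, {suspect} with suspect extension",
                           "action": "isolate host"})
            flagged.add(key)
    return alerts


def hosts_to_isolate(alerts):
    return sorted({a["host"] for a in alerts if a["action"] == "isolate host"})


# Constructed sample events: one mass-rename burst, one benign document save,
# one legitimate backup job writing many normal files, one canary touch.
SAMPLE_EVENTS = (
    [FileEvent(0.3 * i, "WS-042", "unknown.exe", "rename", f"C:/Shares/Finance/doc{i}.xlsx.locked")
     for i in range(100)]
    + [FileEvent(5.0 + i, "WS-007", "WINWORD.EXE", "write", f"C:/Users/jane/report{i}.docx")
       for i in range(3)]
    + [FileEvent(0.1 * i, "WS-013", "backup.exe", "write", f"D:/Backups/file{i}.bak")
       for i in range(200)]
    + [FileEvent(42.0, "WS-099", "unknown2.exe", "write", "C:/Users/Public/Documents/~canary.docx")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS and detect(SAMPLE_EVENTS)))
```

The backup job in the sample is there on purpose: it touches far more files than the threshold but none with a suspect extension, so the ratio check keeps it from being cut off the network.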
Re: OK boys and girls. it's time to (Score:1)
Forgot: BTW thank your local NSA agent for the quality tools they provided to the attackers. These sent script kiddie tools used.
So... you rely on WINDOWS for your data? (Score:1)
1. Don't use Windows. Domain controllers aren't a "thing that got attacked." It's "yet another Windows weakness that WILL be attacked."
2. Do backups. Keep them offline. That means "physically disconnected." Yes, go connect before the backup runs and disconnect after the backup runs. Do this on a human being calendar, not scheduled (in your domain controller or your Acronis account or whatever people can sniff out) regularly.
3. RESTORE those backups on a test system that is off-net regularly ("regularl
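Steps 2 and 3 of this post, taken together as an added example that is not from the thread: take a backup, record a SHA-256 manifest to store alongside the offline copy, restore into a scratch directory and verify every file against the manifest, so the drill proves the restore actually works rather than assuming it. The file names and contents are constructed, and `corrupt=True` simulates a restored copy whose data was damaged or encrypted so the drill fails the way it should.

```python
"""Backup + restore drill with manifest verification (added example).

Constructed sample data; the archive stands in for the offline copy and
the manifest is what you keep with it.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_backup(root: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(root).as_posix())


def restore_backup(archive: Path, dest: Path) -> None:
    # Use the safer extraction filter where the running Python provides it
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **kwargs)


def verify_restore(manifest: dict, restored: Path) -> list:
    """List every missing, altered or unexpected file in the restored tree."""
    problems = []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"mismatch: {rel}")
    extra = set(build_manifest(restored)) - set(manifest)
    problems += [f"unexpected: {e}" for e in sorted(extra)]
    return problems


def run_drill(corrupt: bool = False) -> dict:
    """Full cycle in a temp dir: backup -> manifest -> restore -> verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        archive = tmp / "offline" / "backup.tgz"
        restored = tmp / "restore-test"
        (src / "records").mkdir(parents=True)
        archive.parent.mkdir()
        restored.mkdir()
        # Constructed sample data
        (src / "records" / "permits.csv").write_text("id,holder\n1,constructed\n")
        (src / "records" / "tickets.db").write_bytes(bytes(range(256)))
        (src / "README.txt").write_text("constructed sample data\n")

        manifest = build_manifest(src)      # keep this with the offline copy
        write_backup(src, archive)
        restore_backup(archive, restored)
        if corrupt:                         # simulate a damaged/encrypted restore
            (restored / "records" / "tickets.db").write_bytes(os.urandom(256))
        problems = verify_restore(manifest, restored)
        return {"files": len(manifest), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(corrupt=True))
```

The manifest has to travel with the offline copy rather than live on the domain, or the attacker who encrypts the servers can rewrite it along with everything else.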
Re: (Score:2)
Massive ransomware (Score:5, Funny)
because everything is bigger in Texas.
Re: (Score:1)
Re: Massive ransomware (Score:2)
Re: (Score:2)
Keep paying the billable hours to expert contractors until the malware stops?
Re: Massive ransomware (Score:4, Insightful)
Re: (Score:3)
The outside vendor won the contract on the golf course, where the voted-in guy got a nice kickback to make the deal happen.
Re: (Score:1)
Wouldn't a hugely beautiful wall help here?
Just— (Score:5, Insightful)
Now you've got fucking blood in the water—is there any wonder the sharks are circling?
Paranoid thought (Score:5, Interesting)
How many of these attacks will be used to cover the loss of documents that might become incriminating at some point in the future? "Well, every so often we used to have a courthouse fire..."
Re: (Score:2)
Don't worry (Score:2)
If there is revenue tied up in this ransomware they won't let that go. Ever seen an alcoholic pass up a drink? Just change that to government and cash.
Don't mess with Texas (Score:5, Funny)
Perhaps they should con the ransomware scammers into a face-to-face meeting, and shoot them. Seems like a Texas-style solution to me.
Re: (Score:2)
Oh, with the way the American justice system is, whoever is behind this had better pray the Americans don't extradite them. Some of those prisons make Guantanamo look like a holiday resort.
23 hour a day solitary...... fucking forever
In my only ransomware experience (Score:5, Informative)
Just sharing a personal experience. We didn't pay, I recovered mostly from backups.
Backdoors ... (Score:1, Interesting)
William Barr's backdoor is obviously working as designed ...
Re:Backdoors ... (Score:4, Insightful)
William Barr has only been in office for a few months.
But this guy [washingtonpost.com] was in office for six years and had the same opinion.
Perhaps part of a larger, nationwide attack? (Score:2)
This pisses me off ... (Score:3)
... because the message to users is actually something that, in many cases, could be automated.
From TFA:
Cybersecurity Best Practices
It is everyone’s responsibility to remain cyber aware and practice information safety. Throwaway
Do not open suspicious or unexpected links or attachments in emails. Advice from the goddam late 80s
Hover over hyperlinks in emails to verify they are going to the anticipated site. Advice that has never worked well
Be aware of malicious actors attempting to impersonate legitimate staff, and check the email sender name against the sender’s email address. Too much work
Use unique strong passwords or pass-phrases for all accounts. No. They are not going to do that
Do not provide personal or organizational information unless you are certain of the requestor’s authority, identity, and legitimacy. Again, 80s
Alert your IT staff or supervisor if you have any concerns about the legitimacy of any email, attachment, or link. They don't have staff or time for everyone
Take advantage of available cybersecurity awareness training. Instead of looking at phones in class
This puts the onus on us. Why not let IT do the heavy lifting? Where in simple hell is AI when you actually need it? If humans can't think straight, take them outa the goddam loop. They are the weakest link.
Buy them books, send them to school and they bite the teacher.
Re: (Score:2)
Where in simple hell is AI when you actually need it? If humans can't think straight, take them outa the goddam loop. They are the weakest link.
There is no such thing as AI. It doesn't exist, nor will it for a very very long time.
Re: (Score:1)
If a few smart people in the state/city could prevent this as part of their day jobs?
That's how many billable contractor hours lost to the unfair competition from a gov worker.
That's computer work the private sector can be doing for a city.
That's quality over time for the contractors doing clean up for the state.
That's why the advice is set to the 1980's. If the advice works, security is too good.
The heavy lifting is in the hours to find problems.
The only way to stop them (Score:3, Funny)
The only way to stop a bad guy with ransomware is a good guy with ransomware... right Texas?
Re: (Score:3)
Re: (Score:2)
You kid, but I do wonder to what extent some cyber offense would work as a deterrent. There certainly isn't much disincentive right now...
You kid, but I bet the hacker's IT security is a lot better than the departments he's attacking.
Why does this happen? (Score:2)
And all the hand wringing and finger pointing begins.
But we have to look at the root cause, the real reason this happens.
Think about it.
Someone is clicking a link in an email or opening an attachment in an email.
That is usually how this happens.
Why would either of those things allow a piece of software to take over an operating system so completely?
I don't blame anyone but those who create and sell the OS this happens on.
Security reliant on users is broken by design. (Score:2)
Users cannot be made reliable, even in DoD where they get frequent training and are under orders to comply.
Something better is required.
Sending thoughts and prayers ... (Score:1)
As soon as the United States District Court for the Eastern District of Texas gets their computers working again, I will be doing some major lawsuits against Texas.