Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Education Security

Hacker Publishes Info On Las Vegas-Area Students After Demanding Ransom (businessinsider.com) 114

An anonymous reader quotes a report from Business Insider: Last month, Las Vegas' largest public school district announced that a hacker compromised some of its files using ransomware and was holding the files hostage while demanding a ransom payment. Now, a hacker has published files containing students' grades and personal information after school district officials refused to pay the ransom.

Brett Callow, a threat analyst with cybersecurity firm Emsisoft, told Business Insider that he discovered leaked documents published to an online hacking forum that purported to include records from Nevada's Clark County School District, including students' names, social security numbers, addresses, and some financial information. Callow's findings were first reported by The Wall Street Journal on Monday. "Ransomware attacks happen for one reason, and one reason only: they're profitable," Callow told Business Insider. "The only way way to stop them is to make them unprofitable, and that means organizations must stop paying ransoms."

This discussion has been archived. No new comments can be posted.

Hacker Publishes Info On Las Vegas-Area Students After Demanding Ransom

Comments Filter:
  • by Kelxin ( 3417093 ) on Monday September 28, 2020 @10:43PM (#60552658)
    Yes, they need to be made non profitable, but because they need to be stopped before they're started, not that they shouldn't pay out. I think every organization should be held liable for every breech of trust, and not this stupid credit protection service crap. There should be a fee of several thousand dollars per individual affected that's paid out to that individual and then it will start to be taken seriously.
    • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Monday September 28, 2020 @10:53PM (#60552676) Journal

      And the way to stop them before they start is for the person who might otherwise create the ransomware to realize the futility of trying to profit from it.

      Hence why a policy of not paying out is wisest.

      As long as people keep paying the ransoms, ransomware authors will continue to proliferate.

      • by gweihir ( 88907 ) on Tuesday September 29, 2020 @12:35AM (#60552836)

        Well, I am all for making it actually illegal and criminal to pay ransomware attackers. That may have the desired effect. As it is, far too many organizations are far too vulnerable to this for it to stop anytime soon. Comparing to the industrial revolution, this "computer" thing is still in the phase where the steam engines blew up regularly, safety valves were considered optional and forget about getting a pressure vessel actually certified to any sane standards (or at all).

        I also think that if you are successfully compromised by ransomware these days and cannot recover on your own, gross negligence is a given. This is a _standard_ and _expected_ threat these days to anybody that even only loosely and remotely follows what is going on. Not to be prepared for it is to willfully ignore it.

        • by AmiMoJo ( 196126 ) on Tuesday September 29, 2020 @03:12AM (#60553044) Homepage Journal

          Mandatory reporting with jail if you don't would be nice. At the moment there is every incentive to cover it up if possible to avoid lawsuits.

          That doesn't solve the other issue though: scapegoating. If the hack is going to cost millions (from lawsuits) they are going to blame the person who opened the infected email. They will cover themselves by sending round a 94 page PDF file containing all the things you must not do with the IT equipment, which if followed would make employee's jobs impossible, and then blame whoever they can for violating it.

          • by burningcpu ( 1234256 ) on Tuesday September 29, 2020 @04:51AM (#60553174)
            At a previous job, there was an issue where the company was using semi trailers as temporary onsite storage, and our operators kept falling through the floor of the trailers, as the forklift and product load would exceed the tolerance of the aging wood floors. Now, the obvious solution would be to replace or reinforce the existing fleet of trailers, that had been allowed to dilapidate over the decades of use. However, that would have required an expense, and instead, the operators were blamed for not 'inspecting' the floors of the trailers sufficiently before entering, and would be 'retrained and recertified' following each incident. Keep in mind that these workers were moving 1000L totes of concentrated nitic acid, and death was a real possibility if one of those totes ruptured.
            • by gweihir ( 88907 )

              That would probably fall flat on its face if anybody actually had been injured or killed and the case went to court. Unless the staff was all construction engineers qualified additionally in building integrity evaluation _and_ they were given the time to really evaluate the floors each time?

              • and disappear into the ether. If they couldn't do that they'd pay out a token fine after decades of arguing and then stop hiring Americans for the work and lobby congress for H2-B employees.

                That's how it actually plays out. But we don't want to put anyone in charge of our gov't that would change it.
                • by gweihir ( 88907 )

                  Yes, probably. Reduce accountability and you always find lots of people willing to exploit that, no matter the consequences for others.

            • Assuming what you are saying was accurate and not an exaggeration, or a oversimplification on what has happened a call to OSHA is probably enough to get the company to reconsider what it is doing.
              However my gut feeling the following probably is happening. There was some dumb ass middle manager trying to impress the Big Boss man, so he pushed the employees to use the Forklift to increase efficiencies. Then pointed his finger down the line when the problem happen causing the employee who was pressured to do

              • No, this wasn't an experience or wisdom issue. The instances were regular, occurring several times a year. I was in a unrelated department but all safety related incidents were related to all personnel at monthly safety meetings. What I described was the stance and approach of the company, and stated openly. A while back, I published my account of the fraud, safety issues and hostile work environment at the company, here on slashdot, and my experience as a whistleblower. It didn't go well. https://slashdot.
            • You guys and gals are missing the whole goddam point!

              You're attacking the problem after the fact.

              Why not get some fucking brilliant ideas about putting some technology smarts between the vulnerable and the attackers to shut this shit down?

              How hard is it to watch what workers are doing and predicting outcomes and firewalling malicious activities?

              We all know what the entry points are.

              Mostly it's phishing, malicious links, and stuff like that.

              It shouldn't matter what the initial contact is, it should matter wh

          • We need a rework of corporate law in this nation. And the first place to start is to shift the blame for misdeeds. It should not be possible for corporations to pass off liability to individual scapegoats. Perhaps a mandatory requirement for liability to fall on the officers of the corporation? No that's too heavy handed. Then the company is screwed when an individual legitimately is to blame.

            I'm no lawyer so I'm not sure how I to proper word that system, but then again so many laws are fraught with loop ho

            • by AmiMoJo ( 196126 )

              In the UK there is a duty of care for the company. They requires that the company makes reasonable effort to avoid this sort of thing, so the 94 page PDF would not be adequate. They would need practical measures that stand a reasonable chance of working.

              Unfortunately it often results in them simply paying some consultant so they can tick the box and say they got expert advice.

              • And that's the problem isn't it? Ultimately its too easy to pass the buck and shift blame. I'm not a fan of large regulatory bodies in general because they usually end being imperfect monstrous things that fail to solve the intended problem and create others. But at the same time we have designed corporations to incentivize profit and productivity over all, which is fine up to the point where they start to make the world a worse place.

                The goal should be to prevent and punish deviant behavior on their part.

            • > And the first place to start is to shift the blame for misdeeds. It should not be possible for corporations to pass off liability to individual scapegoats.

              You pretty much just defined what a corporation is.
              If you buy a lemon made by Ford, you can sue Ford and Ford has to pay you. You don't have to figure out which Ford employee(s) screwed up.

              That's the "legal person" thing - a corporation is, in a court of law, a person who can sue and be sued. Which is a heck of a lot simpler than figuring out which

              • You pretty much just defined what a corporation is.

                Strictly speaking that is not what a corporation is. A corporation is a group of people pooling their resources and energy into an enterprise to provide a good or service to the end of making money.

                That's not a "change* that's needed, that's how it's been since the first corporations built roads in ancient Rome.

                That may be how they are intended to work. But they don't always do so and even then they shouldn't always do so depending on circumstance. The earlier example given was how management had dodged the responsibility of proper and safe storage of nitric acid and blamed accidents on individual workers. Now its up fo

                • > Strictly speaking that is not what a corporation is. A corporation is a group of people pooling their resources and energy into an enterprise to provide a good or service to the end of making money.

                  That describes a partnership and a couple of other forms of business. The defining characteristic of a corporation is that the corporation itself can be sue and be sued, it can be held liable, because it can be a party in court. That's called a "legal person", one type of "legal fiction".

          • by gweihir ( 88907 )

            That would not fly. They can send around what they want, but no court will rule against an employee that opened a harmless looking email attachment, not even if the employee is a security expert. Defending against malware is the task of the company IT, not of an individual. Phishing is a different thing though.

            • by AmiMoJo ( 196126 )

              Maybe the goal is to just tie everyone up in litigation for years. The employee probably doesn't have the funds to mount a proper defence.

              • by gweihir ( 88907 )

                Maybe the goal is to just tie everyone up in litigation for years. The employee probably doesn't have the funds to mount a proper defence.

                It is unlikely that an employee would even have to defend themselves against such a claim.

          • I've found out about several data breaches I've been part of for just that reason. A few of them cited the statute.

            It works. Companies don't want the bad press so they tighten security. But they can find way around it when it's a state law.
        • by DarkOx ( 621550 )

          I think basic regard for freedom means you can do what you want with your own property. That to me includes paying with your own money to get someone to return your stolen property to you, if that is what you wish to do however inadvisable. So I am pretty solidly in the against camp when it comes to telling private individuals they can't pay a ransom.

          I am solidly in the government should have have 'we never pay' policies and those should extend to we wont help individuals pay either. That is if you want to

          • by mark-t ( 151149 )

            I think basic regard for freedom means you can do what you want with your own property

            Except to the extent that it might endanger other people, sure.

            That to me includes paying with your own money to get someone to return your stolen property to you, if that is what you wish to do however inadvisable.

            Except that paying such ransoms *DOES* endanger other people, by giving the extortionists or even those who might imitate them if the story make headlines, further financial incentive to exploit other people, as

            • by DarkOx ( 621550 )

              It does not directly endanger others, any more than say publishing metasploit and manufacturing lock picks. Yes things are interconnected but at some level you have to allow others to do things you wish they would not; or nobody would be able to do anything at all.

              I agree paying is generally a bad idea unless 1) it really is the cheapest route to recovery and you think it could work as in they really will give the cipher key, 2) you have plan you can implement quickly to not be a victim again.

              Personally I s

              • by mark-t ( 151149 )

                It does not directly endanger others

                Of course it does. By paying the ransom, you are directly *rewarding* bad behavior, all but guaranteeing that they are going to keep doing that.

                Otherwise, it's like submitting to a child having a temper tantrum. The only way to resolve it long term is to put up with the inconvenience it causes you at the time and absolutely *NOT* give in.

                • by DarkOx ( 621550 )

                  No firing a gun into the air, directly endangers others. Posting a youtube video of it giving the person the attention they desire might reward them, but it does not DIRECTLY endanger others.

                  The person sending malware is the one directly endangering others. Even if you do reward them you are not directly endangering anyone, even if you may be encouraging the endangering of others you are not doing it directly, get a dictionary and look up the word directly if this is still unclear to you.

                  As I stated before

                  • by mark-t ( 151149 )

                    If you reward bad behaviour, you are directly incentivizing the bad behaviour to continue. In this way, paying ransoms increases risk to others.

                    Otherwise it's like letting a driver who was intoxicated off because he happened to get pulled over nearly right in front of his own home without actually harming anyone else.

                    • by DarkOx ( 621550 )

                      No its not like that. In that example the driver is directly acting in a way that endangers others. What you are suggesting is more like we let the liquor store owner off the hook for selling him cheap booze. Oh wait we do!

                • DarkOx(Pays) --> Hacker (Paid) --> "Others"

                  DarkOx said their actions don't directly endanger others.
                  You said yes it does, because DarkOx directly rewards the Hacker. I see another degree of separation in there. Still sounds indirect to me.
                  • by mark-t ( 151149 )

                    If you want to argue that rewarding bad behavior does not directly encourage further bad behavior, then perhaps you have a point.

                    I disagree, however. If a person reward bad behavior that happens to in turn directly affect people other than yourself, then that person is *DIRECTLY* part of the actual problem that hurts other people.

                    It makes the most sense to break the chain of this dependency at the part of it that you can personally control, which is to not pay the ransom. If you are concerned about

                    • by mark-t ( 151149 )
                      blargh... I don't know what illegal substance I was inhaling when I typed that sentence above... subject verb misuse, changing the subject from third to second person and back again, hopefully my intent is still clear.
          • I'm against paying ransoms and in favor of criminalizing it because by paying a ransom and making it profitable you're aiding and abetting any future ransomware attacks by making it profitable for them to do it again. Ransomware attackers are nothing more than cyberterrorists that only get paid because they're taking hostages.
      • There are two revenue streams.

        1.) The most lucrative is the ransom demand.
        2.) People pay (not much) for personal data.

        Then there are those who get pissed at non-payment and destroy data.

        --

        We've been over this time and again and we keep circling back to security.

        The weakest entry point is the user. Phishing attacks are the most popular vector.

        When in simple hell are we going to step in front of those phishing attacks, run the scheme to its conclusion using coding (wow) and determining that, "Hey. This bitch

    • by Darinbob ( 1142669 ) on Monday September 28, 2020 @11:08PM (#60552700)

      Maybe paying the ransom is cheaper than the level of security that some people expect everyone to have. It is not a school's fault for not paying for the best in security when they can't even afford basic school supplies and teacher salaries. They've been scammed enough by Cisco that they're not falling for another trick when they promise one box to fix all their security problems.

      • NOT plugging the network cable into the internet at all, is the cheapest solution, with the best security.
        • by rtb61 ( 674572 ) on Tuesday September 29, 2020 @01:24AM (#60552894) Homepage

          Two networks, one for internal communications and wired and one for external communications and wireless. Easy to tell them apart, desktop monitors are for the internal network and little cheap linux notebooks for external communications. That will make things a whole lot more secure.

          • Many a company has tried that. Only to be thwarted by a high-level executive who wants to access his Facebook or watch cat videos on his work machine. When IT refuses, he brings a router from home and hooks it up himself in his office, bridging the two networks.

            You'll probably have more success giving everyone external internet access, but putting your important stuff behind a local VPN. And issuing everyone an individualized VPN client key, so if there is a breach IT has the capability to detect whose
      • by Khyber ( 864651 )

        The school can download a local copy of their native language Wikipedia (I can't believe I'm saying that) and make the school network internal-only and unplug the modem.

        School is for education. You want internet access, get it at home or from your cell phone, not off the taxpayer's dime where you can fuck it and other things up, like, oh student records and identities.

        • The internet access is for the school administration as well. This ransomware attacked the school records, not the homework assignments.

      • Comment removed based on user account deletion
      • by gweihir ( 88907 ) on Tuesday September 29, 2020 @12:38AM (#60552842)

        You do not need the "best" in IT security to be prepared. You need an offline backup and a strategy to reinstall your systems. That is a pretty basic requirement.

        • by Drethon ( 1445051 ) on Tuesday September 29, 2020 @07:31AM (#60553438)

          You do not need the "best" in IT security to be prepared. You need an offline backup and a strategy to reinstall your systems. That is a pretty basic requirement.

          Helps with data recovery, not so much with private data being broadcast to the internet.

          • While you are correct, it's a matter of scale.

            Unlocking an entire system is a lot more expensive than apologizing to Suzie's parents.

        • Unfortunately, that will do nothing to stop attacks like this, where data is misappropriated and a ransom is solicited with the consequences for non-payment being release of data. Only security can prevent that.

          • Only a well-designed system monitor with predictive capabilities will override the actions of the multitude of uninterested users.

      • How about some product liability?

        Does the box do what Cisco says it does?

    • by gweihir ( 88907 )

      Yes, they need to be made non profitable, but because they need to be stopped before they're started, not that they shouldn't pay out. I think every organization should be held liable for every breech of trust, and not this stupid credit protection service crap. There should be a fee of several thousand dollars per individual affected that's paid out to that individual and then it will start to be taken seriously.

      Very much so. If your IT security sucks and data of _other_ people gets stolen, you should be liable automatically for a significant sum to each victim, no appeal. If a victim can prove larger damage, you should liable for that as well. If, say, having crappy security comes with $500 to every person affected, this would end fast. Non-crappy security would then needed to be proven with audit records, pen-test records, etc. and only that should remove the automatic liability.

      As it is, nothing happens to the o

    • The problem is, for all we love to bitch about gov't, we also underfund them like crazy. And IT is one area that suffers in particular.

      The problem is that taxpayers don't want to hear things like well if we spend $1 million now it will save us $10 million down the road. That's why Philadelphia still has a 60 year red light control system even though everyone knows that upgrading it would both save the city maintenance costs over the long run and vastly improve traffic in the city.

      But the net effect is tha

    • There should be a fee of several thousand dollars per individual affected that's paid out to that individual and then it will start to be taken seriously.

      That sounds like a great idea, but how many institutions could afford to cover it? We're talking about a school district here; they could well be driven nearly to bankruptcy over such a fine. I think I see where you want to go with it - encouraging companies and organizations to better harden their security - but this example is a school system after all. Certainly a school system should be mindful of protecting the data they hold, but that is not their primary mission. Likely the system that they have

      • by DarkOx ( 621550 )

        The other thing people don't get when they propose these legalistic solutions to corporate/institutional liability its driving the exact sort of behavior that leads to our big economic crisis.

        If I know my business is going to have pay every on my marketing contact list $500 because I got hacked there are few things I can do as a response:
        1) Keep no data, go all cash, unplug - and get left behind and probably fail as a result
        2) Spend my profitability into oblivion trying to secure my business as if its Fort

    • I understand you were in a rush to FP, but what are you trying to say? If you're pointing at root liability, then most of these breaches rise to the level of Microsoft, and if you've looked at the EULA, then you know you are phucked.

      However I do think that much of the liability should be shared with the email providers, since phishing email they support (on the "Live and let spam" principle) is the mechanism of distribution for so much of the malware, including the ransomeware.

      Oh, well. ADSAuPR, atAJG.

      Oh wa

    • Stock holders should demand that these payments come from the CEO's compensation. Make the big boys feel the burn and the fire will get put out. Maybe hire ex-CIA people to find and persecute the hackers.
  • ransom they should also sell grades to kids in for like 5K for an 4.0 Some schools may give you and full ride for that.

  • Fairly sure many agencies, (probably federal) are going to be interested in this crime. Above an beyond the hack, which they don't care about, but violating child privacy laws... The hackers just got themselves into a world of hurt.
    • Re: (Score:2, Troll)

      by hyades1 ( 1149581 )

      "Above and beyond the hack, which they don't care about, but violating child privacy laws... The hackers just got themselves into a world of hurt."

      Seriously? The US has been locking kids up in cages like animals for years. On top of that, everybody from American toy companies to fast food chains and internet gaming sites have a long history of marketing to children, serving them unhealthy food and harvesting their personal data virtually at will.

      Unless the school district is oversupplied with rich paren

    • This does violate a ton of US Federal and state codes, be it FERPA, CFAA, and may more. However, the chance of the intruders getting caught is low to zero. Even if they were not based in a country that would happily give the finger to interpol, getting caught would be impossible. Even if they were in the US, if they get their stuff in Bitcoin, change to another currency, then from there, have a "legit" Bitcoin wallet ID at some YouTube or other site that accepts donations. An anonymous party then donate

    • Yeah I'm sure Russia/Lithuania/Ukraine or whatever Baltic country they reside in will extradite them immediately.

  • by t4ng* ( 1092951 ) on Tuesday September 29, 2020 @12:18AM (#60552798)
    If the attackers stole student identity data, then there is still profit possible if the school won't pay the ransom. Just sell the identity data. The real solution is for admins to keep their networks secure.
    • by AmiMoJo ( 196126 )

      I wonder if the amount the thieves were asking for is more than the cost of the lawsuits that will result from this.

      • Please show a list of successful lawsuits ... heck show us a list of lawsuits pending, resolved, lost, or won.

        Anything.

        • by AmiMoJo ( 196126 )

          Didn't Equifax have to pay out a lot? I read about an EasyJet one a while back.

          • And you noted the ratio of penalty/revenue?

            But, seriously, where are the lawsuits for product liability against Cisco?

            Cisco makes claims with an asterisk*.

            * Not really.

    • And encrypted... its totally irresponsible to store sensitive information in cleartext
  • "... must stop paying ransoms."

    Paying the ransom is just the cost of doing business. This is why the American philosophy of 'voter control' doesn't work at the municipal level: The city council can't afford to obey the voters and provide nation-wide services like penetration-preventing security.

    • I disagree 100%. Paying ransom or protection money or hush money is never the normal cost of doing business. Having a good security plan, separation of critical and public networks, and offline backups are the cost of doing business.

      If one teaching assistant can open a malware-carrying attachment and take down your entire network, then the district board and IT officer should be removed with a vote of "no confidence" and a new board selected. I'm guessing the ransom was approximately equal to the yearl
      • If one teaching assistant can open a malware-carrying attachment and take down your entire network, ...

        ... then a computer program that preempts that teaching assistant (running in the background) should have already examined the attachment in a sandbox in order to determine the threat level and perform predictive analysis and make the artificial intelligent decision to protect the system.

        Why don't we have that?

        Look: Is a teaching assistant even allowed to encrypt files or send files offsite, or destroy data?

        Computers should be smart enough to protect themselves.

        Where is a good coder when you need one?

    • by Dunbal ( 464142 ) *
      Class action suits would fix this in a hurry. Suddenly security would become affordable even if the cost stayed exactly the same. All prices are relative. Since there are no consequences to leaking customer/user information other than a small slap on the wrist, no one cares about security.
    • Paying the ransom is just the cost of doing business.

      Paying ransom increases everyone's cost of doing business. That's why it should be illegal. If you can't afford IT security, you can't afford to do business, and should let someone who can afford IT security take your place and serve your customers... better than you ever could.

      • by DarkOx ( 621550 )

        Right because entire markets should be controlled by one mega corp. That is basically what you are aksing for. How about this law enforcement should remove criminals from the population. Government should prevent forefingers form committing crimes in our country even over the internet; so everyone can participate in our economy on equal terms.

        The inexcusable part of all this is for all the money we shovel at LEAs and Intel agencies, they can't mange to follow the money and run these guys to ground if th

        • Right because entire markets should be controlled by one mega corp. That is basically what you are aksing for.

          You're going to have to draw me a map to that conclusion because I don't see how you got there, and you offered no explanation.

          How about this law enforcement should remove criminals from the population.

          Good luck! First they'd have to start by removing themselves in many cases.

          Government should prevent forefingers form committing crimes in our country even over the internet; so everyone can participate in our economy on equal terms.

          And also I want a unicorn.

          The inexcusable part of all this is for all the money we shovel at LEAs and Intel agencies, they can't mange to follow the money and run these guys to ground if they are domestic or in place where we have extradition agreements or for those nations we are less friendly with effectively firewall the internet form traffic originating in those places (that means traffic analysis around VPNs in friendly places) and block them.

          That stuff is hard, and it only becomes easy if we create an internet which is a fascist's dream. You would cut off your face to save your face.

          • by DarkOx ( 621550 )

            Right because entire markets should be controlled by one mega corp. That is basically what you are aksing for.

            Pretty simple the more you raise barriers to entry the fewer competitors in the market place there can be. Doing anything more than putting a few static pages online and having everyone in your org just use gmail and zoom individual accounts requires a non-trivial knowledge of IT/Internet security issues. Its also not really something you do once and forget about it. Its an ongoing process or an ongoing expense if you outsource it. Given how critical online presence and information technology is to most bus

  • Good! (Score:4, Funny)

    by Tablizer ( 95088 ) on Tuesday September 29, 2020 @01:03AM (#60552864) Journal

    They used to charge me $30 to send transcripts. Now I just tell employers to go to HackedSchools.fu

  • I'm certain these would still happen without the possibility of financial gain. Are vandalism and graffiti profitable? Thought not.

  • Sorry kid, but *that* line and "your dog" line has been used FAR too much before. If I can't read it when I get around to it, then you flunk no matter who's at fault.

    Well, but now-a-days I need to take points away from you for things that I see you did wrong -- so 100 points minus "unavailable" is ... 100 points. Congratulations -- you get an A++!
  • I am always amazed at how often the US organizations have Social Security Numbers to be beaches. In Canada the Social Insurance Number is really only given out for banking, employment, taxes and application for income from the government. What kills me is how many of you are thinking I'm terms of penalties rather than thinking in terms of getting elected officials to do harm mitigation.
  • Rudyard Kipling, 1911, public domain:

    Dane-Geld
    A.D. 980-1016

    It is always a temptation to an armed and agile nation
    To call upon a neighbour and to say: --
    "We invaded you last night--we are quite prepared to fight,
    Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
    And the people who ask it explain
    That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,

  • I used to be a CTO for a largish school district in the Midwest, and I also sold student information system software for one of the major players in that market. Our system never stored students' social security numbers, and I've having a hard time thinking of a reason why a school district would need or want that particular information.
  • by davidwr ( 791652 ) on Tuesday September 29, 2020 @07:56AM (#60553492) Homepage Journal

    Doing business in a world of ransomware is doing business in an environment where criminals holds sway. If you can't afford adequate defenses, you can't afford to stay in business.

    You can either pay off the local thugs, pay for your own defenses, not do business, or be a victim.

    Paying off the local thugs may be cheap in the short run but it's expensive in the long run and it makes life tougher for the next guy, since the crooks are now better resourced. Don't do it.

    Being a victim over and over again will eventually put you out of business.

    This leaves paying for your own defenses. If you can't afford to do that, you can't afford to stay in business.

  • This isn't much different from what I have said time and time again about spam. These problems exist because they are profitable, not for any other reason. The only way to stop them is to take away the profitability, anything else is just a feelgood solution.

    Now, standing up to the ransomware attackers might not be the most practical thing to do - and in some cases the ransomware attackers have the targets in a situation where this isn't even really an option - but it is an option that should always b
  • "The only way way to stop them is to make them unprofitable, and that means organizations must stop paying ransoms."

    How about: organizations implement real security protocols instead of "feel good" weak security theater? There are plenty of consultants out there who will be happy for the work.

  • Reward the person who provides the critical information leading to the arrest, conviction, and imprisonment of the ransomer.

    Countries harboring ransomers should be dealt with using appropriate government pressure.

  • Not sure why, but a lot of places want to use SSNs as account IDs, when the applications should be making their own. Maybe being a school board it was necessary, but was it?
  • If the sensitive data (FERPA related and SSN) had been encrypted, this wouldn't have been an issue. The hackers wouldn't have had any sensitive data to release.

    When I left industry to teach, I was issued a laptop. I asked about full-disk encryption (which was required by my employer in industry). That wasn't an option for my university issued laptop.

  • They should publicly offer the amount of the ransom as a reward to whoever brings them the head of the hacker. Bonus points if they make this announcement on live TV sitting behind the ransom $$$ in piles of cash.

  • fortunately you can change your SSN, just like a password.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...