Baltimore City Government Computers Taken Over by Ransomware Hackers

That's Social engineering (security) - ways to trick people into revealing passwords and other such info for accessing computer systems. Sometimes being rather threatening, like saying that one's target's account is about to expire or that one's target's account has been broken into and it's necessary to log into it about that.

Would you buy girl-scout cookies from a man in a ski mask at your door at 3:00AM? No? Then why the fuck are you following along with that Indian on the phone that wants you to do stuff to your computer so he can "fix it"... 'cause Microsoft calls you all the time to fix things they "detect" you might need fixing, right?

Social engineering only works on gullible people. There has not been a clever social engineering attack since the IRS scam (which was not that clever either... how people believe that their government "sues" them for taxes, threatens legal action over a phone call, and would be happy to "make it all go away" with a money wire (no check, no credit card... a fucking bank wire)).

Normally I would say that victims are fully deserving of losing their money in some of the most moronic ways possible... but the problem is that money is used by terrorists, human traffickers, and money launderers.
 
Social engineering only works on gullible people.

And no matter how angry you get about it, you'll never change the fact that gullible people use computers at work.

Normally I would say that victims are fully deserving of losing their money in some of the most moronic ways possible... but the problem is that money is used by terrorists, human traffickers, and money launderers.

All the more reason to make more secure IT systems.

Raging at human nature, especially with your stupid fucking ski-mask-at-3am hypotheticals, is just a waste of time. It doesn't lead to actual solutions.
 
I don't see why [being presented with mysterious links] has to be a security hole. I think that good security involves a lot of idiot-proofing.
... and that is the problem... that people think this. Do you get in your car, close your eyes, and then jam your foot down on the pedal to find out later where your car took you? If you kill a dozen people doing that, is it "bad car security"? People need to take responsibility for their own actions... like even a little fucking bit.

Do you know what the "spam email" success rate is (success = they clicked the link you sent them)? It's 1:12. For every 12 people you send ANY email to, one will blindly follow along. You know why there is a spam problem? Because of that 12th person... who, it seems, is this friggin' guy.

No, the real problem is that one cannot safely click on unknown links. Technology exists which allows just that, yet for some reason MS can't implement it.
 
I don't see why [being presented with mysterious links] has to be a security hole. I think that good security involves a lot of idiot-proofing.
... and that is the problem... that people think this. Do you get in your car, close your eyes, and then jam your foot down on the pedal to find out later where your car took you? If you kill a dozen people doing that, is it "bad car security"? People need to take responsibility for their own actions... like even a little fucking bit.

Do you know what the "spam email" success rate is (success = they clicked the link you sent them)? It's 1:12. For every 12 people you send ANY email to, one will blindly follow along. You know why there is a spam problem? Because of that 12th person... who, it seems, is this friggin' guy.

No, the real problem is that one cannot safely click on unknown links. Technology exists which allows just that, yet for some reason MS can't implement it.

One cannot safely open the door for strangers at 3:00AM
One cannot safely cross the street in traffic without looking both ways
One cannot safely grab a random bottle of chemicals from under the sink and drink it

Yes, there are lots of things people just can't safely do without taking some degree of personal responsibility.
The difference between some people here is the thought that it is someone else's responsibility to tell you who to open the door for or not, or to hold your hand for you when you cross the street, or smack the bottle of cleaner out of your hand... or tell you if you really won the prize to the drawing you didn't enter.
 
That's Social engineering (security) - ways to trick people into revealing passwords and other such info for accessing computer systems. Sometimes being rather threatening, like saying that one's target's account is about to expire or that one's target's account has been broken into and it's necessary to log into it about that.

Would you buy girl-scout cookies from a man in a ski mask at your door at 3:00AM? No? Then why the fuck are you following along with that Indian on the phone that wants you to do stuff to your computer so he can "fix it"... 'cause Microsoft calls you all the time to fix things they "detect" you might need fixing, right?
Or logging into a system with your username and password because your "IT head" told you to update your information. Typically, the email sent doesn't read:

Hello, this Boris... your IT scam provider.

We need you to log into fake human resource site in order we get your login and password to upload ransomware software.

Please do not call me on phone, I'm busy in other office.

Boris Badinov
Not Head of IT at Your Company


Heck, even email is letting a bunch of phishing scams in again, as the phishers have managed to make the scanners think that you really have let your prescription lapse at the pharmacy.
 
That's Social engineering (security) - ways to trick people into revealing passwords and other such info for accessing computer systems. Sometimes being rather threatening, like saying that one's target's account is about to expire or that one's target's account has been broken into and it's necessary to log into it about that.

Would you buy girl-scout cookies from a man in a ski mask at your door at 3:00AM? No? Then why the fuck are you following along with that Indian on the phone that wants you to do stuff to your computer so he can "fix it"... 'cause Microsoft calls you all the time to fix things they "detect" you might need fixing, right?
Or logging into a system with your username and password because your "IT head" told you to update your information. Typically, the email sent doesn't read:

Hello, this Boris... your IT scam provider.

We need you to log into fake human resource site in order we get your login and password to upload ransomware software.

Please do not call me on phone, I'm busy in other office.

Boris Badinov
Not Head of IT at Your Company


Heck, even email is letting a bunch of phishing scams in again, as the phishers have managed to make the scanners think that you really have let your prescription lapse at the pharmacy.

So is that a "yes", you would open the door for the man in the ski mask because it SAYS "girl scouts" on it? Just like the email SAYS it's your IT guy (who never contacts you that way, and your company never needs you to "update your information", and the email address it came in from isn't even close to looking like a corporate address).

I could ask you, "how does your company help you manage your identity"... and sure as fuck you won't say "they send us emails from external addresses, loaded with vague at best information and broken English grammar". Paying more than 1 second of attention to these is you being a poor employee. And before you complain that you are not a computer expert... I will remind you that you are probably also not an HR expert, but can probably pull off avoiding sexually harassing every female employee you see somehow... you are also probably not a judge, but still pull off not breaking every law every day... so spending 2 more seconds to forward that email to your helpdesk to ask what you should do and/or why IT is trying to contact you that odd way is the least you can do.... the absolute minimum to be anything but a liability to an organization that would do better without you.
 
No, the real problem is that one cannot safely click on unknown links. Technology exists which allows just that, yet for some reason MS can't implement it.

One cannot safely open the door for strangers at 3:00AM
One cannot safely cross the street in traffic without looking both ways
One cannot safely grab a random bottle of chemicals from under the sink and drink it

Yes, there are lots of things people just can't safely do without taking some degree of personal responsibility.
The difference between some people here is the thought that it is someone else's responsibility to tell you who to open the door for or not, or to hold your hand for you when you cross the street, or smack the bottle of cleaner out of your hand... or tell you if you really won the prize to the drawing you didn't enter.

I am not following.
 
No, the real problem is that one cannot safely click on unknown links. Technology exists which allows just that, yet for some reason MS can't implement it.
Or else is unwilling to do so. M$ sometimes seems very slovenly about security.
 
Social engineering only works on gullible people.

And no matter how angry you get about it, you'll never change the fact that gullible people use computers at work.

Normally I would say that victims are fully deserving of losing their money in some of the most moronic ways possible... but the problem is that money is used by terrorists, human traffickers, and money launderers.

All the more reason to make more secure IT systems.

Raging at human nature, especially with your stupid fucking ski-mask-at-3am hypotheticals, is just a waste of time. It doesn't lead to actual solutions.

The only solution to "can I has your computer" is "no, you cannot". Putting the onus on the user to employ a fundamental level of scrutiny and care is exactly the solution.

The alternative is someone like me gets to pick and choose what sites you are allowed to visit. I'd have to block you from Facebook to protect you from posting something that you will regret. I will have to block all porn sites because I have no way of knowing if you are really interested in chicks with dicks... but you can register your sexual preferences with me on my website so I can let the good stuff get through for you.
Have to block all banking sites, because someone can get your money that might be impersonating you after you gave them your password...

The only reasonable solution is just saying, "no, that link is unknown to me and I have better things to do than just 'see what might be there'"
 
This conversation reminds me of the movie "The Invention of Lying". Great movie, by the way.
In it, society never learned the skill of lying. Everyone tells the flat-truth always. The protagonist suddenly has a breakthrough where he learns to lie... there was no word for lying... the best he was able to understand is that he was able to, "say things that were not".
One of the first things he does with his new "power" is tell a woman in the street that aliens are about to destroy the world unless they have sex together right away... the woman responds, "oh my god, we better get back to my place right away!!"

That's how you guys operate your computers... comically oblivious, to the detriment of all others.
 
I'd have to block you from Facebook to protect you from posting something that you will regret.

That's probably best for everyone.

I will have to block all porn sites because I have no way of knowing if you are really interested in chicks with dicks... but you can register your sexual preferences with me on my website so I can let the good stuff get through for you.

Seems like you have some insecurities to work through.

Have to block all banking sites, because someone can get your money that might be impersonating you after you gave them your password...

Yes, that's exactly what you should do, perhaps with the exception of banks that require two-step verification for each transfer. The system is convenient for some (including the banks) but a massive vulnerability for others.

The only reasonable solution is just saying, "no, that link is unknown to me and I have better things to do than just 'see what might be there'"

You're out of your depth. Don't get a job in IT security.
 
Blaming the victim isn't seen as a viable approach in other contexts.

When innocent but naïve people are preyed upon by clever but malicious ones, it's usually the predators (or the systems they exploit) and not their victims, who we seek to change.

Nobody says 'Your father deserved to lose his entire estate; if dementia patients choose to sign over their property to fraudsters, it's their own fault'.

Naïveté is not a crime.

Ignorance is not a crime.

Stupidity is not a crime.

Fraud is a crime.

Blaming the victims of crime for being victims isn't helpful.

You may as well say 'Well that little old lady was asking to be mugged. If she doesn't walk around being a six foot three man with a ripped physique, then it's her own fault'.
 
Blaming the victim isn't seen as a viable approach in other contexts.

When innocent but naïve people are preyed upon by clever but malicious ones, it's usually the predators (or the systems they exploit) and not their victims, who we seek to change.

Nobody says 'Your father deserved to lose his entire estate; if dementia patients choose to sign over their property to fraudsters, it's their own fault'.

Naïveté is not a crime.

Ignorance is not a crime.

Stupidity is not a crime.

Fraud is a crime.

Blaming the victims of crime for being victims isn't helpful.

You may as well say 'Well that little old lady was asking to be mugged. If she doesn't walk around being a six foot three man with a ripped physique, then it's her own fault'.

I accept dementia as an excuse for making bad choices. Who wouldn't?

The little old lady that is overpowered by an attacker... ya, that happens... but your examples all seem to involve someone being overpowered by someone with a massive advantage... so I guess what you are saying is that the social engineering hackers sitting in the call center in India are just overpoweringly smart and clever.

The poor old lady getting beat up by the 7 foot tall linebacker for her purse is not a fair analogy for what is happening... a more fair analogy is the 7 foot tall linebacker with the deep surly voice approaching the old lady and saying, "I am grand daughter yous... give money me plez... tic tac."
and the little old lady replying "Sure honey, of course... here.... by the way, why do you sound like a man all of a sudden... and why don't you look like you used to anymore? and why are you talking that way all of a sudden... and I thought your email address was different, but whatever... and texting you to ask if you just sent me something might make me look dumb... and what's texting"?


I never accused any contributor to computer crime (those people you call victims) of being a criminal... they are not victims, though... they are willfully ignorant contributors to organized crime, sex trafficking, money laundering, and terrorist funding.
 
You're out of your depth. Don't get a job in IT security.

Over the past 30 years I have earned well over 3 million dollars in income based almost exclusively on my various areas of Security expertise. I find it funny how many lowly IT workers wish they had a vector into InfoSec, and think they know anything. There is a reason the CISSP cert (for example) requires a minimum of 5 years practical application of the domains of knowledge. This conversation is a perfect example of some Help desk tech's Dunning-Kruger experience.
 
You're out of your depth. Don't get a job in IT security.

Over the past 30 years I have earned well over 3 million dollars in income based almost exclusively on my various areas of Security expertise. I find it funny how many lowly IT workers wish they had a vector into InfoSec, and think they know anything. There is a reason the CISSP cert (for example) requires a minimum of 5 years practical application of the domains of knowledge. This conversation is a perfect example of some Help desk tech's Dunning-Kruger experience.

That's a carefully-worded bluff intended to give the impression that your security expertise is in IT without actually saying that it is.

That's what someone does when he wants to make himself seem like an expert without expressly lying.
 
$3mil? It's a nice gig to have - go around and tell people it's their own fault for getting hacked and then be paid.
 
$3mil? It's a nice gig to have - go around and tell people it's their own fault for getting hacked and then be paid.

$3+ million over 30 years is roughly 100k a year, about a mid-range salary for a Developer around here, definitely not out of the ordinary for IT security. I actually agree with Gun Nut on much of what he says, though he tinges it with a good dose of sarcasm when making statements like:
The only reasonable solution is just saying, "no, that link is unknown to me and I have better things to do than just 'see what might be there'"

It is extremely difficult to protect users from themselves, and it is generally their fault when they get caught up in a phishing scam. The security team in my IT organization occasionally runs security tests by sending out carefully crafted fake phishing emails, and some of the IT professionals here who should know better inevitably fall for it. The only thing they can really do about it is to educate everyone after the fact, and hope that we all collectively learn from it. In the 4 years I have been here, we have had at least one legitimate intrusion that I am aware of that came about from a phishing attack. We do a lot of web development, and simply firewalling every unknown URL is not a practical solution for everyone. We do have different levels of access to the internet, and developer access is much more open than the access granted to other users, though there are still some restrictions. I have worked in shops where developer access is entirely unrestricted. No, getting caught up in a phishing scam is not a crime, but you do bear responsibility, and I have seen people fired over it. That intrusion I mentioned above got one of my teammates fired, but I believe there was more to his firing than just that. We never got the full scoop from management, but his laptop was quarantined and we were unable to retrieve his uncommitted code, not that it was any big loss.
 
You're out of your depth. Don't get a job in IT security.

Over the past 30 years I have earned well over 3 million dollars in income based almost exclusively on my various areas of Security expertise. I find it funny how many lowly IT workers wish they had a vector into InfoSec, and think they know anything. There is a reason the CISSP cert (for example) requires a minimum of 5 years practical application of the domains of knowledge. This conversation is a perfect example of some Help desk tech's Dunning-Kruger experience.

That's a carefully-worded bluff intended to give the impression that your security expertise is in IT without actually saying that it is.

That's what someone does when he wants to make himself seem like an expert without expressly lying.

... or wishes to maintain a sensible degree of anonymity while also adhering to my company's policies, as I use their assets for this.
I am a Security expert, and that is all I will say about myself in this context... I teach other experts how to be more expert, in a manner of speaking... You may have seen me speak publicly in obscure security conferences... you may have attended one of my sessions or be a member of one of the networks I participate in... I must remain vague about details of my life, for all kinds of sensible reasons.
You people are about 30% completely nuts.... I have to protect myself from you as well.
 
$3mil? It's a nice gig to have - go around and tell people it's their own fault for getting hacked and then be paid.

$3+ million over 30 years is roughly 100k a year, about a mid-range salary for a Developer around here, definitely not out of the ordinary for IT security. I actually agree with Gun Nut on much of what he says, though he tinges it with a good dose of sarcasm when making statements like:
The only reasonable solution is just saying, "no, that link is unknown to me and I have better things to do than just 'see what might be there'"

It is extremely difficult to protect users from themselves, and it is generally their fault when they get caught up in a phishing scam. The security team in my IT organization occasionally runs security tests by sending out carefully crafted fake phishing emails, and some of the IT professionals here who should know better inevitably fall for it. The only thing they can really do about it is to educate everyone after the fact, and hope that we all collectively learn from it. In the 4 years I have been here, we have had at least one legitimate intrusion that I am aware of that came about from a phishing attack. We do a lot of web development, and simply firewalling every unknown URL is not a practical solution for everyone. We do have different levels of access to the internet, and developer access is much more open than the access granted to other users, though there are still some restrictions. I have worked in shops where developer access is entirely unrestricted. No, getting caught up in a phishing scam is not a crime, but you do bear responsibility, and I have seen people fired over it. That intrusion I mentioned above got one of my teammates fired, but I believe there was more to his firing than just that. We never got the full scoop from management, but his laptop was quarantined and we were unable to retrieve his uncommitted code, not that it was any big loss.

Ya, I'm not rich, nor particularly expensive... not a developer. (Although I had been - you're welcome for being saved from Y2K, by the way.) I am an organizational leader at this point in my career.

Anyway, ya.. what these guys are saying is reality.

The people saying that computers should be idiot proof... are, sorry, the fucking idiots that are the problem, and in my opinion should be held liable for damages in some cases... on one hand, I thank these guys for without them my industry would be less lucrative and prevalent... But that's like a General in the army thanking North Korea for threatening the US with Nukes so they can have a larger budget.

I'd love to know what one of these computer-idiots that feel entitled to being an idiot do for a living so I can present an apt analogy for their own industry.... feel free to offer up a role that I can put an "unreasonable user" into so some understanding can be had.
 