Nothing to do with a weak password: the admin password was leaked in stealer logs, so it's irrelevant how "weak" it is, it's in plaintext already.
Throwythrow360 on
I’m not surprised. You’d be shocked how many people will always try to use CompanyName1! for every single password possible.
Small, old family businesses like this are the most vulnerable and it’s really hard to persuade them to invest time or money in boring things like password policies.
zeusoid on
That’s because password policies have been stupidly implemented before recent times.
Late-Development-666 on
Two factor authentication would surely prevent this from happening, no?
Glittering_Copy8907 on
Utter nonsense – firstly, weak password *requirements* were the root cause. Secondly if your infra can be sunk using a password alone then you done did fuck up.
There are so many layers of security and protection you can add here – ranging from simply just fucking requiring a secure password (which is still a weak as fuck improvement), up to two factor, ensuring separation between user and admin accounts, and temporary account escalation. Yes, they add overhead, yes they're faffy as fuck day to day if you're a sysadmin, but I could literally give you my admin user account password and username and you'd achieve *nothing* with it.
Not that these guys are alone, but the fact that this is the conclusion and it’s then repeated by the BBC as fact, is *the* problem in cyber security right now.
And all the way at the end, where the fuck is your DR? Your backups? God, as an infra consultant, it hurts me inside.
ObjectiveHornet676 on
The kind of greed that destroys entire companies and puts 700 people out of work is plain evil.
DSQ on
>KNP director Paul Abbott says he hasn’t told the employee that their compromised password most likely led to the destruction of the company.
>”Would you want to know if it was you?” he asks.
He’s a nicer person than I could be, I’d be so tempted to tell the employee.
Harrison88 on
Reminder to IT Security admins that require you to change your password every 30 days – screw you! People pick simple passwords because you force us to change them so frequently. Let me use lovely long passwords that don’t need changing every other day.
NicholasVinen on
Why didn’t they restore their backups?
They had air gapped off-site backups, right?
---RF--- on
A weak password allowed the hackers to encrypt the data.
Not having backups put the company out of business.
Competitive_Pen7192 on
I love the stock images of hackers.
Someone sat at the computer with their hood up and 0011010101111 in the background or something lol
Scarred_fish on
As others have said, it's weak password requirements that were the issue, which is the reason the boss isn't telling the employee, rightly, as they did nothing wrong if their password complied with policy.
The issue rarely being mentioned in this ransomware story is why are your business machines connected to the Internet anyway?
I work in the public sector and we have a distinct break between critical infrastructure for day-to-day operations and connected devices for communication. It is security priority no. 1: nothing that can affect day-to-day operations should ever be on a connected device.
Poonchild on
Ask me to change my password often and I WILL write it down somewhere.
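The password argument running through this thread (the stealer-log point in the first comment, the CompanyName1! example, Glittering_Copy8907's point that it is the *requirements* that matter, and the rotation complaints from Harrison88 and Poonchild) can be made concrete. The following is an added example, not code from the article, from KNP or from anyone in the thread. It puts a classic complexity rule next to a NIST SP 800-63B style check (minimum length, screening against a breach corpus and context words, no forced rotation). The breach corpus, the company wordlist and every password in it are constructed for the demo; a real deployment would query a breach dataset such as the HIBP range API using the same SHA-1 prefix/suffix split shown here.

```python
"""Complexity rule vs. breach-aware password screening (added example, constructed data)."""
import hashlib
import re

# Constructed stand-in for a breach / stealer-log corpus, keyed by SHA-1 like HIBP.
# Note the last entry: it would pass any complexity rule, but it has already leaked,
# so its "strength" is moot. That is the stealer-log point from the first comment.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["CompanyName1!", "Password1!", "1234567", "Summer2024!", "V7$kq!Lm9#zR2&wP"]
}

# Constructed: words an attacker targeting this particular company would try first.
_COMPANY_WORDS = {"companyname", "knp", "haulage", "northants"}


def complexity_policy(pw: str) -> bool:
    """The classic 'upper + lower + digit + symbol, 8 or more' rule. CompanyName1! sails through."""
    checks = [
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(checks)


def k_anon_prefix(pw: str) -> tuple[str, str]:
    """Split SHA-1(pw) into the 5-hex-char prefix a range API receives and the suffix kept local."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(pw: str, corpus: set[str] = _BREACHED_SHA1) -> bool:
    """k-anonymity lookup: ask for every hash sharing the prefix, compare the suffix locally.
    Against the real HIBP API the `candidates` line would be the HTTP response body."""
    prefix, suffix = k_anon_prefix(pw)
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def modern_policy(pw: str, username: str = "") -> list[str]:
    """SP 800-63B style screening. Returns the reasons for rejection; empty list means accepted.
    No rotation clock anywhere: a long, unbreached passphrase stays valid until it leaks."""
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    lowered = pw.lower()
    if any(word in lowered for word in _COMPANY_WORDS):
        reasons.append("contains company/context word")
    if username and username.lower() in lowered:
        reasons.append("contains username")
    if is_breached(pw):
        reasons.append("appears in breach corpus")
    return reasons


def compare(passwords: list[str]) -> dict[str, dict]:
    """Side-by-side verdict of both policies for each candidate."""
    return {
        pw: {"complexity_rule": complexity_policy(pw), "modern_reject_reasons": modern_policy(pw)}
        for pw in passwords
    }


if __name__ == "__main__":
    for pw, verdict in compare(["CompanyName1!", "V7$kq!Lm9#zR2&wP", "1234567",
                                "correct horse battery staple 2019"]).items():
        print(f"{pw!r:40} complexity={verdict['complexity_rule']!s:5} "
              f"modern={'OK' if not verdict['modern_reject_reasons'] else verdict['modern_reject_reasons']}")
```

The two verdicts disagree in exactly the cases the thread argues about: CompanyName1! and the random-looking leaked string both satisfy the complexity rule, and both are rejected by the breach-aware check; the long passphrase fails the complexity rule's symbol requirement yet is accepted by the modern one. Forced 30-day rotation adds nothing to either path, which is why 800-63B drops it in favour of rotating only on evidence of compromise.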
UnratedRamblings on
> The company said its IT complied with industry standards and it had taken out insurance against cyber-attack.
Neither of which will secure a company against malicious actors.
> But a gang of hackers, known as Akira, got into the system leaving staff unable to access any of the data needed to run the business. The only way to get the data back, said the hackers, was to pay.
Hmm. No contingency plan against this? No separation or segmentation of networks for different aspects of the data this company dealt with?
> In the end all the data was lost, and the company went under.
Holy shit, if I'm understanding this right – there didn't even seem to be a backup procedure. When I worked in a design agency, we had daily backups – you'd lose at best a day's work or whatever whenever someone had IT issues, and our billing stuff was kept separate and backed up separately. Pain in the ass for restoring systems, but we had it pretty well set up – back in the 2010s as well.
> Back in Northamptonshire, Paul Abbott of KNP now gives talks warning other businesses about the cyber threat.
He thinks companies should have to prove they have up-to-date IT protection – a sort of “cyber-MOT”.
Yes – hire a cybersecurity firm and get a proper pen test done. Might seem expensive or you may even think you don’t need it (as it’s “never happened yet”), but they are the kind of things that would show the weaknesses this company had and suggest things to implement to improve it. The biggest problem is complacency when it comes to these things.
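Both ---RF--- and UnratedRamblings land on the same conclusion: the password got the attackers in, the absence of a usable backup is what closed the company. What "usable" means is checkable. The block below is an added example, not KNP's procedure and not from the article: it takes a backup with a content manifest, runs a restore drill against that manifest, and flags a copy that sits in the same failure domain as the data it protects. The file share, the sample files and the ransomware simulation (files rewritten with ciphertext, then a naive sync job mirroring the damage into the backup) are all constructed for the demo.

```python
"""Restore drill and failure-domain check for a backup set (added example, constructed data)."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def _hash_tree(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def take_backup(source: Path, dest_dir: Path) -> tuple[Path, dict[str, str]]:
    """Archive `source` into `dest_dir`. The returned manifest is the ground truth a later
    restore drill is measured against, so it must be stored apart from the archive."""
    manifest = _hash_tree(source)
    archive = dest_dir / f"backup-{int(time.time())}.tar.gz"
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(source, arcname=".")
    return archive, manifest


def restore_drill(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into scratch space and diff against the manifest.
    Returns a list of problems; an empty list means the backup actually restores."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tf:
                try:
                    tf.extractall(scratch, filter="data")  # refuses path-traversal members
                except TypeError:  # Python without the tar filter API
                    tf.extractall(scratch)
        except Exception as exc:  # corrupt or encrypted archive: the drill fails loudly
            return [f"archive unreadable: {type(exc).__name__}"]
        restored = _hash_tree(Path(scratch))
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    return problems


def same_failure_domain(source: Path, archive: Path) -> bool:
    """True when the archive lives inside the source tree or on the same device: a copy that
    ransomware, a rogue admin session or a dead disk takes down together with the original."""
    try:
        archive.resolve().relative_to(source.resolve())
        inside = True
    except ValueError:
        inside = False
    same_device = os.stat(source).st_dev == os.stat(archive).st_dev
    return inside or same_device


def demo() -> dict:
    """Build a tiny file share, back it up, then simulate the incident pattern from the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "fileserver"
        (share / "jobs").mkdir(parents=True)
        (share / "jobs" / "loads.csv").write_text("job,driver\n1001,AB\n")  # constructed data
        (share / "invoices.db").write_bytes(os.urandom(256))                # constructed data
        backups = Path(tmp) / "backups"
        backups.mkdir()

        archive, manifest = take_backup(share, backups)
        clean = restore_drill(archive, manifest)

        # Intruder encrypts everything on the share (XOR stands in for real ransomware)...
        for p in share.rglob("*"):
            if p.is_file():
                p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        # ...and the nightly "sync to backup" job faithfully mirrors the damage over the copy.
        with tarfile.open(archive, "w:gz") as tf:
            tf.add(share, arcname=".")
        after = restore_drill(archive, manifest)

        return {
            "clean_drill": clean,
            "after_ransomware": after,
            "same_failure_domain": same_failure_domain(share, archive),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The drill passes on the clean copy and reports a content mismatch for every file once the sync job has mirrored the ciphertext, which is what a mirror-style "backup" on the same network does in a ransomware event. The failure-domain check fires in the demo because the archive and the share sit on the same device; in production the same function is the place to assert that the copy is offline, immutable or at least on a target the domain admin credentials cannot reach.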
Difficult-Physics850 on
>James Babbage, Director General (Threats) at the NCA, says it is the characteristic of a younger generation of hackers, who now are “getting into cybercrime probably through gaming”.
The man in charge of dealing with organized crime at a national level, everyone.
Trust absolutely nothing you’re told in terms of technical details, they barely know how to turn on a computer.
Christ almighty.
noodle_dreamer on
Having executives who know f all about IT security making decisions based on how to cut costs usually ends up with such costly mistakes.
The M&S hack pretty much boils down to poor outsourcing. Instead of being hit directly, attackers got in through a third-party IT provider – likely via phishing or SIM-swapping. Once in, they had full access to internal systems.
Outsourcing isn’t the issue by itself, but clearly M&S didn’t have tight enough controls over vendor access. No zero-trust, no proper segmentation – and it cost them big: months of outages, millions lost, and serious damage to trust.
ziplock9000 on
“but a specialist ransomware negotiation firm estimated the sum could be as much as £5m.”
So they pulled that out of their arses.
EntireFishing on
27 years providing IT support to small businesses like this one. I know exactly the reason why. They thought it was a cost. They didn't value it. They probably didn't have any IT support, and if they did it would have been dirt cheap bottom-of-the-barrel rubbish. They didn't train their staff on how to use a computer at all. Even though that was primarily what they did for 95% of their job, there was zero training. There will be no cyber security training. There will have been no cyber security training; in fact, anything to do with it will have been purely an annoyance to this business. I can guarantee that is what has happened.
Honestly so few businesses care about it. They literally see it as a horrible cost. Probably below the cleaners because at least the cleaners empty their bins
shugthedug3 on
No, complete incompetence sunk a 158-year-old company.
There seems to be a big media push to try and redirect criticism from these firms. Yes hackers are bad but incompetence is also bad and I’m pretty sure this level of carelessness with customers data is supposed to be punished.
DareNotSayItsName on
The article said the company had insurance. It doesn’t explain how it went under despite the insurance. Any ideas?
PeachCai on
Lack of an effective backup strategy tanked that business, but the director didn’t want to know it was him. Disgusting he puts that blame on another citing a compromised password.
francisdavey on
One of the main reasons I am now a happy lawyer, rather than a miserable sysadmin, is that I had a particularly awful boss who should not have been my boss. He was an idiot and started trying to micromanage me. At one point he demanded we have a secure-password-expires-every-month-automatically system. I told him we couldn’t. He ranted at me. The board were made to understand that they were in breach of my contract and we settled generously and I could afford to go to law school. Yay.
“We couldn’t” – I actually told him it would be hard. We had a bunch of systems, including a windows based system, a linux one and some sort of Solaris based system. There was at that time no reasonable way to synchronise the passwords across them all that actually worked. Because.
The ending was happy, but I am so glad not to be working for someone who says “that’s an order” at me.
JustmeandJas on
And my boss had a complete freak out when our logins were our public-facing email addresses AND we all had to use the same password (so she could check on us). How I laughed when she got her arse handed to her by the Head of IT. (Company is only 200 years old though.)
AwesomeDakka00 on
when will people learn that 1234567 as a password is neither clever nor strong
MrVantage on
Shitty management and shitty IT are to blame here. This is super basic IT security which they have failed at.
This is what happens when management don't invest in IT, and/or you have an incompetent team. "This is how we have always done stuff" kills. Unfortunately I see way too many orgs following this path.
The CEO said they were following industry best cyber security practices. Absolute utter horseshit.
ukbeast89 on
the UK government are gonna force websites to verify our ages with ID this week, so we can look at tits.
That’s going to go swimmingly