[anon(9721108)]

BBC estimated yesterday that they will make at least 1B dollars in bitcoin.
That's not peanuts.
They applied the software industry approach: charge many users a tiny amount that they think they can afford.

Microsoft clearly blames the NSA for this and this BBC article blames both Microsoft and the NSA, not the victims, as I wrote yesterday.

http://www.bbc.com/news/technology-39915440

And a new version of the virus is already out...


Posted via CB10

$300-600 per person IS peanuts. That's a global number.

It really does look like it was Russians.

They quickly targeted Ukraine and Taiwan as guinea pigs before hitting Western Europe.

Another possibility -- the NSA is behind it and this is a cyber-warfare test to prove they're as skilled as the Russians at this game. Of course, that doesn't explain why Ukraine would be the 2nd most attacked country. (Therefore it looks like you know who, get it?)

https://www.nytimes.com/interactive/...-map.html?_r=0



It is clear this is just a test or warm up for bigger things to come!



And again....Russia on top of the list

http://www.telegraph.co.uk/news/2017...d=tmg_share_em


And of COURSE Microsoft is going to blame the NSA because no one wants to look weak, but remember that the encryption was supposedly STOLEN FROM the NSA. So if that is true then blaming the NSA is like blaming the victim of a crime for being violated.

[anon(9721108)]

What you think about BlackBerry role in protecting these kind of threats in future ?

Posted via CB10

I think this can definitely help Blackberry because I doubt many are targeting their software.

[chain13]

Something we do need to know that security is not about the end software only. All your networks are most playing the role.

[kvndoom]

$300-600 per person IS peanuts. That's a global number.

That's not how it works though. The price has to be low enough that the average person can afford it, even if it hurts a little bit. They already know that a lot of their victims will be home computers. Sure a hospital or government office can foot $10,000 to save critical data, but the average home user can't.

So charging thousands which can only be paid by a few, will be less profitable than charging hundreds that can be paid by many. Most of these attacks only demand payment in the hundreds.

[anon(9721108)]

That's not how it works though. The price has to be low enough that the average person can afford it.

That's exactly what I said. The price WAS "low enough."

The price was low enough (peanuts) and people paid it.

You helped my point

[glwerry]

BlackBerry put out a blog article, but it's all fluff anyway. It's as groundbreaking as BB is relevant to this particular attack.

Microsoft patched this in March, to be vulnerable requires unpatched or unsupported software. Unfortunately, the lumbering beast that is enterprise software is too slow to get things updated on a wide scale. Awful vendor apps that require one to use ancient versions of Windows/use features that should have been removed long ago (this particular attack uses SMBv1 to spread), or bureaucratic indolence getting in the way of deploying updates ("it works, why fix it?"), those are endemic to the field and contributed greatly to why this worm spread like it did.

I have more than 35 years in the "lumbering beast" of enterprise software.

Sometimes circumstances just combine - a number of years ago we installed an ERP system - huge install, huge money, impact completely across the organization.
We had not even finished the install when the vendor we purchased the software from was bought out.
The new owners DEAD-ENDED the software. Suddenly, through no fault of our own, we were left with NO UPGRADE PATH.
We took over support ourselves. As time went on we found complexities with the code that kept us on a certain release of the operating system.
Eventually we did a COMPLETELY NEW ERP INSTALL on another package - I don't know the final price tag, but it was TENS of MILLIONS of dollars.

So, in the real world it's really quite difficult to keep everything up to date, especially in a large organization.
Seriously.

[stlabrat]

isn't bit coin famous for traceability?
I believe the de-centralized system, including cloud are difficult to secure. NSA just made it worse... BB was under the gun to provide the backdoor. Thanks god someone stood up to them (BBOS does not have backdoor, if I am remember correctly).
Lesson learned for me: 1. people need stability, tech should provide it - 15 to 20 years support for key system is required... IoT for health, finance, etc. better run in a close system, rather than open. (main frame would be my choice).
2. Cyber war without proper vet of access (or protection... what ever you want to say bottle is half full or half empty), will result more harm than good. the collateral damage of citizen is scary - the defenseless silly bee on the snap chat doesn't even know how to protect themselves. You need NSA army force to protect your citizen in cyber space, not just the few org in the white house (something simple, out of reach for the silly bee, but effective to protect them in the brownstone house).
3. i am happy with my g4 Mac on dail up... no patch, no worry, same as the few BB 10 and BBOS handsets in my collection... not heading to the droid (too bad, still using window for work...). Would love to have AI to protect me... human is not really trustworthy, NSA and microsoft included. ;-)

[thurask]

It really does look like it was Russians.

They quickly targeted Ukraine and Taiwan as guinea pigs before hitting Western Europe

If it's the Russians, then it was suicidal Russians.

[thurask]

So, in the real world it's really quite difficult to keep everything up to date, especially in a large organization.
Seriously.

And that's how stuff like this happens. To produce an organization that is hardy enough not to collapse when one ***** opens a scam email requires too many things not to suck (budgeting, planning, vendors) to happen on a large scale.

[Ment]

isn't bit coin famous for traceability?

You can trace transactions to a bitcoin address but not who owns it unless they were stupid enough to publicly link the address to a physical entity. If I were the hacker I wouldn't touch that address for a long time just to be safe. Then when less eyes are on you can mix the bitcoins safely.

[anon(9721108)]

If it's the Russians, then it was suicidal Russians.

Well there was a very interesting commentator on CBC News two days ago on TV and he talked about how Russia was heavily infected yes, but this can also be because that's where it started and it would branch outword. Now think about it if you were a cyber criminal do you really care if you hack your own countries banks to get money? I wouldn't ;-)

[anon(9721108)]

That's not how it works though. The price has to be low enough that the average person can afford it, even if it hurts a little bit. They already know that a lot of their victims will be home computers. Sure a hospital or government office can foot $10,000 to save critical data, but the average home user can't.

So charging thousands which can only be paid by a few, will be less profitable than charging hundreds that can be paid by many. Most of these attacks only demand payment in the hundreds.

But I understand what you're saying and I do agree with you up to a point, I still think it's peanuts though…

The National Health Service in the UK can probably afford quite a bit ... just like Canada's regional health authorities could probably dig up $50,000 easy for a ransom

But the hackers will still make millions, I guess, if only 1 in 10 pay up..

[Prem WatsApp]

I have more than 35 years in the "lumbering beast" of enterprise software.

Sometimes circumstances just combine - a number of years ago we installed an ERP system - huge install, huge money, impact completely across the organization.
We had not even finished the install when the vendor we purchased the software from was bought out.
The new owners DEAD-ENDED the software. Suddenly, through no fault of our own, we were left with NO UPGRADE PATH.
We took over support ourselves. As time went on we found complexities with the code that kept us on a certain release of the operating system.
Eventually we did a COMPLETELY NEW ERP INSTALL on another package - I don't know the final price tag, but it was TENS of MILLIONS of dollars.

So, in the real world it's really quite difficult to keep everything up to date, especially in a large organization.
Seriously.

Good summary. Yes, un-supportable software due to disappearance of the manufacturer, discontinuation, etc. often force such measures, and running dates OSes...

Things move fast, ... and man-agement wants to save money.

Which is an awkward situation. How can this be solved on a global level? Any suggestions? :-)



•   Long live the SPARK! * ... the evil N shall not priv-ail...!!!   •

[Prem WatsApp]

Good summary. Yes, un-supportable software due to disappearance of the manufacturer, discontinuation, etc. often force such measures, and running dates OSes...

Things move fast, ... and man-agement wants to save money.

Which is an awkward situation. How can this be solved on a global level? Any suggestions? :-)



•   Long live the SPARK! * ... the evil N shall not priv-ail...!!!   •

I think software upgrade paths and planning to upgrade MUST be factored in when running a company (of any kind), and be included on the balance sheet or report as a liability.

Sure it doesn't leave a nice aftertaste in the mouth of management... :-D

•   Long live the SPARK! * ... the evil N shall not priv-ail...!!!   •