I've grudgingly come around to the notion that there is only one way out of the ransomware problem: Make paying a ransom illegal. This is not very different from laws that make it illegal for US companies to pay bribes to foreign officials.

I really don't see any other way out of this mess. Yes, some victims will unfortunately ignore any laws that say they can't pay, but enforcement probably will not be hard.

What will be difficult are the situations where people's lives are at stake in ransomware incidents. This sounds callous, but we can't afford to take the short view here anymore, and our other alternatives aren't great either.

I'm quite certain this is an unpopular view, but we have already seen the cost of doing nothing. At least in the interests of congruity for our financial sanctions vs Russia, we should probably make this change sooner rather than later.

In the past month, ransomware assholes have shut down emergency rooms at multiple hospitals, dinged the US bond market, and closed major shipping ports in Australia, for example. We used to talk about a hypothetical scenario in which cybercriminals are having real-world, kinetic impacts. But that stuff is old news. Kinetic impacts from ransom incidents now happen on a daily basis.

@briankrebs this is a clear sign that security is not nearly where it should be.

I don't just mean credentials and login methods, but also include the edge devices (routers, switches, etc), the OS on these devices, and the devices in the field.

As long as the "rush deploy, patch later (if at all)" mindset continues, this will never end.

@moving_target01 @briankrebs
Security does not seem to scale well. As long as security is seen as a task for a few people in an organization it will not stop, even if you add layers of security. You might end up having twenty 2FA tokens which are vulnerable themselves. And a UX where every red-flag info (URL bar shortened, e-mail header hidden) is removed from our eyes.

@0815 @briankrebs I fully agree that security is seen as a task that a few people are supposed to handle, but also make it easy for non-technical people to use. That alone has the potential to limit the effectiveness of any security measure put in place.

But, I'm speaking largely of hardware that is released with minimal/no penetration testing performed. And that same hardware gets a few (at best) firmware updates... like the overwhelming majority of IoT devices, or consumer grade wireless access points.

That mindset is very much "a device will be released, and obsolete in 2-3 years" so the manufacturer is training the consumer to accept the near constant replace/upgrade mentality... Apple and Google are both notorious for this, as are many mobile device makers like Samsung.

Because profit over all...

@0815 @moving_target01 @briankrebs Clicking on a malicious link should be safe. That it is not is a problem.