News: 1617962525

...just the insurance coverage. It's simple economics. At least then orgs will assess the risks more appropriately; why spend £££ on prevention when you can spend £ on a policy? Instead of comparing the prevention costs to the premium, they'll need to compare to the potential losses/disruption costs.

Since when have GCHQ been good at anything other than electronic eavesdropping or lobbying for encryption backdoors? Its a disingenuous statement from a former member of an organisation who has contributed to the problem by hoarding and not reporting zero days and the like. The intelligence agencies are a large part of the problem.

Banning coverage or payouts is a dumb suggestion. Its no surprise to see technocrats trying to avoid the problem (partially of the industries own making) and ignore fundamental human and business realities that are much much harder to fix.

If this starts hurting insurances companies bottom lines then they will start taking action - such as setting minimum standards for coverage - but that wont address the core of the problem.

Its predicated on the false assumption that people buy the insurance rather than fix their legacy software and hardware estates, and its also predicated that IT is the fundamental reason a business exists rather than a useful tool like accounting or sales people.

There will always ransomware vulnerabilities just as there will always be fire risk in a physical premises. Suggesting that tackling a consequence rather than the multiple causes (human nature, Government behaviour, Vendor software development practises, designed in obsolesce etc etc) is just lazy and clickbait-ish.

It would help if everyone were trained to follow a simple rule: do not click on a link or open an attachment in an unexpected/unsolicited email, even if you think you know who sent it. Trained on penalty of immediate dismissal for failure. Then train customers not to do so either because if you persist in sending emails with embedded links (yes, I'm looking at you, marketing) then, apart from the risk to the customers you've trained, it's very likely that you will indeed do that very thing.

On which topic, can anyone recommend a UK bank or building society that has the faintest clue about email security because mine has finally convinced me that they haven't and don't intend to get one.

I'm with Barclays, and don't get any emails from them at all (by choice). Seems the most secure method...

My immediate situation is that I've got 2 AGM notices. One is on paper and the other is an email stuffed full of links because they think their customers who pretty well have to do business online because branches are an endangered species won't be able to find their website unaided. Unfortunately I'd transferred the account concerned away from the paper-based lot as a result of bad customer service.

It's high time we saw the race to the bottom replaced by a race to the top..

I get where you are coming from, but before I get fired for clicking on an attachment in an unsolicited email, I want you fired for letting me get to that point. If you want a 'no link to click/ no attachments' email policy then implement it at your firewall. You'll have to deal with the issue of how your users get to safely access links that they do need but that's why you get paid the big bucks!

The firewall merely keeps out bad IP packets. You are referring to a "content filter" and these are only as good as the block-lists they use - assuming the business has implemented one! Criminals have been waging a speed war against the real-time block-lists to see how quickly they can spread their spamwares before the RBLs catch and block them. It does not matter if you are filtering content, or blocking at DNS level, you will never keep ahead of the criminals. So you do need your end-users to pay attention to what they are doing, and not have the entire finance department blindly following the "click here to download the invoice" link!

The mail-user-agents can take some of this blame. Whilst Thunderbird has always offered the URI of the link when hovered over, Outlook, in its attempt to be totally clean, never did*, so end-users got used to blindly clicking on things, whilst TB users could spot the dodgy URI and trash the email.

* No idea if later versions have started offering this, although I am aware Outlook started to flag potentially dodgy sites.

It might pay insurers to risk-assess businesses as they do with vehicle owners. Points for DUI, etc., and you pay more. Fail to implement strong passwords, security training, content filtering, etc., and you pay much more for premiums. And as others have said: sort out your back-up solution!

A thumb up, but I think that's just too compelling a feature for legitimate use cases for organisations to give up. Tackle it via solving the lack of authentication for e-mail, and then links can be deleted from any unautheticated e-mails. Give people easy to use white-listing tools for trusted suppliers.

Charge a fee per e-mail.

Folks got used to tossing the junk mail that arrived through the post. While they still fall for bogus letters, the postage cost vs return rate from victims there is not good enough to support the kind of volumes we see via e-mail.

Some of the worst offenders seem to be those who use a 3rd party agency set up as a sub-domain of the alleged sender. Pinging those reveals the truth but not many recipients are able to do that. An automated check and bounce would help. OK, it destroys a business model but it's essentially a parasitic one and if the choice were made between adding the spamming capacity in-house and not spamming it might, in effect, raise the cost of email as you suggest.

Charge a fee per email and you will start getting invoices claiming that you have sent a 1000 emails last week and that you need to pay the invoice in bitcoin quickly otherwise you will be disconnected from the internet.

Adding little fees isn't going to stop anything, the internet is designed to always work, security was not an issue for years after the internet first appeared - it needs a complete redesign.

How would you do that? Most people trust certs from the larger cert providers so you buy a cert, sign the mail, it looks cushy at least until the cert is revoked, more than enough time to have caught a few people

It would help if everyone were trained to follow a simple rule: do not click on a link

It would. But anyone who has dealt much with real users will tell you that the only way to keep one substantial subset of that bunch from clicking on links would be amputation of their mouse clicking appendage.

One could try using a text-only mail reader like Alpine or Mutt or perhaps a 1990s version of Eudora. But I expect that some users would still find ways to get themselves (and your system) into trouble.

Or configure the mail server to remove all links from emails - remember the days when we all used to email friends .exe files? Back then it was not a problem, these days it's a disaster.

Doctor Syntax,

That is all very well, but wilfully keeping oneself deaf, dumb and blind to a great deal of what is going on all around you, leaves one ignorant of what is in store and effecting and infecting everyone and everything around you.

That presents you with an exclusive narrow rose tinted view of a huge deep and dark web with myriad worlds of intrigue and persistent endeavour.

Can you imagine what would happen if governments followed that advice ......... do not click on a link or open an attachment in an unexpected/unsolicited email, even if you think you know who sent it. Being deaf, dumb and blind to all that is going on around them renders them extraordinarily easy prey to that which they mightn't have even the faintest of clues about. Methinks that is tantamount to a right treasonous dereliction of both public and private duty in national administrative office. And it is always inevitably increasingly quickly self-defeating.

Never, never, never, never click on a link in an email. NEVER.

The mail should have the link in plain text (without all that guff to identify you) and you should cut-and-paste it. Train your staff to understand the structure of URLs, I mean, even my wife[1] will ask me first, saying it looks funny.

I know buttons look nice and with business presentation is so important. But NEVER EVER click a button in a mail, it is just too easy to fool people.

[1] Wow. WOW!

Dumb advice. There are quite legitimate cases where clicking a link in an email is valid. For example, validating a newly created account on a website. It's standard advice from penetration testers to construct such a link.

Take the problem out of cyberspace for a moment...

If someone breaks into your business premises and nicks a bunch of stuff, your insurer will do an inspection of the site post-event. They will check that you had a reasonable amount of security in place. If you did (e.g. you had lockable doors which were actually locked, you had cameras in place, plus whatever other measures were agreed in your policy...) then they will pay out. If not, they won't.

Now bring the problem back into cyberspace.

You and your insurer agree a set number of practices that you are required to follow to ensure that you are secure, and to mitigate any attack that might get through (e.g. segmenting the network, taking regular backups and testing recoverability etc). If somehow a particularly motivated or well-resourced attack does make it into your network, the insurance company sends out a qualified investigator and pays out. If you weren't secure... tough.

The nuanced approach works, at least on paper. Hopefully it should encourage companies to invest more in IT, in the same way that they should for other business costs.

Great idea, but I fear there's an immaturity in assessing the risk on the underwriting side and a fatal lack of qualified and experienced professionals to take on the claims assessor/adjuster roles. It's taken decades to establish and mature the premises insurance underwriting/claim model and deal with fraud issues, assess losses and costs, etc.

Brought to you by The Crimson Permanent Assurance. -->

Fair enough.

But for something to mature, it has to start somewhere. There are a number of cyber-security companies out there already offering services such as pen testing. That would be a place to start.

The question to ask here isn't whether the idea is perfect, but whether it is better than the current status quo, or other potential solutions

> You and your insurer agree a set number of practices that you are required to follow to ensure that you are secure, and to mitigate any attack that might get through

At the moment this is called the Security & Fraud Awareness mandatory eLearning courses that I've been doing every year for the last many years.

Not much has changed over the years - if you get something unsolicited, leave it alone. If you must be curious, hover the links to find out where they actually go. But still not all users have a clue. I remember a boss coming to me saying he thinks summat was wrong with his laptop. Turned out he had been "randomly selected to win an iPod" and had to open a Word doc to fill in a claim form. The filename was "EntryForm.doc .exe".

Needless to say I popped the LAN cable while switching it off and told him to call in IT, but he was a relatively clued up guy in tech, so would have thought he'd be a bit more careful.

I'm surprised the insurance companies pay out anyway - all they would have to do is show some security negligence. No different from getting burglarised if you leave your front door open, no security, no claim.

Those in security all know a dodgy link or attachment when we see one, and can train staff, but we cannot anticipate what future attacks will look like with any degree of certainty. IT managers could block all links in Outlook, and block all attachments, but this is likely to be impractical.

The real problem is that the system allows for scammers to extort money through several weak links in the chain:

- ease of OSes being susceptible to viruses

- governments hiding these perps, or even being the perps

- ease of sending malicious links or attachments

- ease of creating a website that hosts malicious code

- ease of opening links or attachments on computers

- ease of getting payments more or less anonymously

I don't profess to know the answers, but it's clear to me that the problems are manifold. Each one of these things is being addressed in part by systems, people, laws etc. but I do feel that more could be done in regards to the payment mechanisms like Bitcoin, and perhaps sanctions against those countries which continue to do not a damn thing about the criminal gangs behind these attacks and the hosting companies that help them.

to implement good backups that cannot be corrupted, done at least daily ?

Too hard it seems.

There is a difference between a small business that should know better and a large one where the IT director should be shot for not implementing this.

The IT directer may want to do it but be restricted by beancounters.

By and large, I agree.

I think there are some nasties out there that sit quietly and encrypt away for quite a while before announcing themselves, thus ensuring that a lot of your more recent backups are also toast.

Last time I had to deal with an issue like this, that was exactly what had happened. The recent backup drives were also live on the network, with the same admin security as everything else, so they were a nice ripe target anyway.

nasties out there that sit quietly and encrypt away

That is why you keep Monday's backup for a month or few and the backup on the 1st of the month for a year.

Restoring last night's backup should be quick. If you have not noticed these files being corrupted then it does not matter if it takes longer to restore them.

backup drives were also live on the network

Not a problem, it makes it easy for users to restore their own files, I do the same myself. But surely these backup drives are read-only to anything other than the backup server to which only savvy IT people have write access ?

It is not really that hard, neither is it expensive compared to the cost of not being able to work for many days. But people do love making plausible excuses.

Genuine question - what kind of files are people losing to ransomware?

Small files that don't change very often? Archived and on the most recent back up. Big files that don't change very often? On the last backup. Small files that change very often? They should be under change control. Perhaps the whole repository got encrypted? Big files that change often (e.g. databases)? Are they even that vulnerable? And, if they are, do you not just get the last big back up and then re-run the outstanding log?

I've (touch wood) never been near enough to one of these attacks to know what it is that really tempts the marks to pay the ransom, can anyone please enlighten me? The media articles tend to just refer to 'data' and 'files' ...

"Genuine question - what kind of files are people losing to ransomware?"

I've always assumed that most of the problem is the loss of one or several days worth of work product and/or transaction data. Not a big deal for some of us, but for a retail business or hospital, it's a disaster. The older data can presumably be retrieved from the backups (assuming they exist, worked properly, and haven't been trashed or booby trapped), but this morning's orders and deliveries and payments are toast unless hard copy transaction records have been rigorously maintained along with the digital stuff.

One example company I can think of had 3D CAD design files for their latest prototypes encrypted.

Redoing those would have taken many months of effort, and the products that these files would become would contribute hugely to the company's revenue over the next few years.

And an actual backup strategy is apparently expensive, so a NAS drive will do.

/s

Rotated offline backups costs money. Does the cost of insurance reduce that cost? If it does then they'll keep doing it. Economics 101. My own personal setup for documents I can't lose consists of a Nextcloud server and client, BD-R and an offline two disk raid NAS I turn on and update twice a month.

Can't help but feel more people should be using Content Disarm and Reconstruct e.g. Glasswall. Malware attachments gone!

Unless it's convenient.

What was once a perfectly safe conduit for plain text, is now a funnel for all manner of shite, because "we" yearned for increased functionality, or rather, developers thrust it upon us, in the war for market share.

It's the never ending cycle of "upgrades" and "enhancements" that has shot away all the security that the basic original concept had in place.

In some things, it is fine to let the market lead the way, but fundamental and strategic resources need strong governance to help maintain security, and stop developers from opening ever more exploitable avenues.

You're dead right and upvoted accordingly.

Internet security is a difficult problem and ultimately there may be no very satisfactory answers to many of its problems. But today at least, many/most of our problems are due to ignoring warnings that in the long run X is a terrible idea and you'll wish you hadn't implemented it.

I've upvoted you for the sentiment but email was never secure. It was designed in a different world where computers on the network were trusted. Now we don't trust other computers and the increased "functionality" of email has played a part in breaking that trust.

I have a sneaking suspicion that if the directors of the company were made personally responsible for paying the ransom from their own pockets, there would be a near-instant upgrading in the status of IT security. It would be transformed from being an annoying backwater, to being an annoying front-line operation.

Not near instant. There'd be three categories of director. Those who'd react promptly, those who didn't & got bankrupted and those who'd react once they'd seen a few bankruptcies amongst fellow directors.

What? No Directors who would hire Bryan Mills?

Taking all of the well made points made above, I would like to add the problem of convenience. Todays software is all about convenience. That's all well and good for marketing the stuff and using links within emails etc., but it isn't any bloody good in terms of security. Computers are great servants but terrible masters - inherent in their very design is their ability to execute commands or instructions at fast speeds, without any thought as to the consequences of that instruction - because computers don't think, they do. The thinking still needs to be done by we humans. But then we find a work-around to all this onerous thinking because software developers build in convenience, cos we bloody demand it from them, cos we are dumb that way. So, one approach might be to make things (like opening attachments or clicking on links) a lot harder to do, at least, harder to do without some serious thought about what the consequences might be (see personal liability above etc.). But businesses like to be that one step ahead of the field and would protest that such a slow down in process time would reduce profits and reduce their competitive efficiency. Bring back command line input! (I feel sure many hereabouts will remember having to think through entering commands in that manner!) Or, perhaps better than that, implement a modern version of command line input, with built in flags and checks designed to alert the human user that it is time to apply some serious thought as to the actions they are currently undertaking!

We just can't continue to have all this thought-free, convenient, computing going on if we actually wan't to do something about ransomware / malware etc.

How often have I been involved in cleaning up a mess all because the organisation is OK

However the MD - to whom the rules don't apply - clicked on it or went to that site.

Then the house of cards falls down.

Time to have some storage devices that disconnect the network interface unless it time to do a backup perhaps?

Still scratching my head how in the world it is possible someone manages to design, produce and make truckloads of money of an Operating System that allows its kernel, device drivers and boot code to be changed by a webpage, email or a pdf.

Maybe it is provocative to many, but after all, it is 2021 not 1995.

Technology today should allow for better operating systems, maybe with slight discomfort to the user, comparable to put on seat belts in a car.

MS is a very capable and rich company, they really should do better and not get away so easily with products that are unsafe dead traps like pre 70's cars were.

I don't care if my kernel, device drivers or boot code are overwritten, I can restore them from the installation media.

The important files are my personal files, which I have full R/W access to.

I think a more functional sandboxing of external untrusted content would help. Currently it seems that you can do little with untrusted files, until you click on the unblock, which everyone is trained to do if its enabled.

I think you missed the point.

If a user can click on a link or get a webpage that can download a nasty that will get root level access to your PC, then the design of the OS is important, after all without root access , it will only screw up the files in your account, with root access it will screw everyone else's accounts, then spam itself onto the network looking for more machines to screw up.

What the insurance companies should be doing is exactly the same as they do assessing physical crimes.

Eg no immobilizer or lock(s) on your bike... less of a payout

Running windows XP* on a production machine tethered to the internet.... no payout

*Scrub that.. running windows at all ;)

Maybe Microsoft should be liable for their Operating System - In other words if malware got through the OS it should be Microsoft's fault...

or am I taking it a bit too far... I do think that software companies should not be able to hide their liability in their TOS/Licences...

Whenever one is a former GCHQ director/former government hacker/former chief of the UK's National Cyber Security Centre/former whatever, what does it tell one and all, both of the individual and the office formerly held?

Was the office too challenging and unsuitable for the individual or was it vice versa, with failure guaranteed because the private sector beckoned with its more attractive rewards? Public service in lucrative fields of deployment is not an employment all can hack successfully and profit from magnificently and graciously whilst others would be so into imagining any excessive just reward, should ever it be revealed and admitted, disgraceful and disgusting. And given the sensitive nature of those sorts of remunerated roles, any leaks unveiling that privileged information can hardly be spun as anything other than a damaging failure of the office and a colossal betrayal of the officer ... which, in its turn, due to the systems and personnel directly involved, will not be without a response invariably packed to overflowing with dire consequences.

Maybe both, the office and prime systems administrator are not fit for great global purpose?

Well bitcoin is only a form of cash. Can't be impossible to work out who has benefitted,. Find them and chop off all their bits.

Can we stamp on all Nokia Android phones. This one is a sti king pile of crap that requires switch onff and on several times during each post because the Fing pile of crap keeps locking the screen up and not updating it also can't answer a phone call. It also stops taking any input at different times. It is a stunning crock of shit which shows Nokia are now so downgrades they can't even test their crap before shipping it. Google's test framework would have highlighted these problems had anyone bothered their arse to use it. A heap of crap that no one should sell and certainly no one should buy. Those if us conned out of our money for this insulting piece of shit should be compensated by being allowed to kick the 7 bells of shit out of the developers, testers and management involved

Most of the problems seem to be with microshite software so ban that and make the hackers life at least more difficult.