Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Karl Auer
On Fri, 2021-06-25 at 15:18 -0700, Michael Thomas wrote:
> On 6/25/21 8:39 AM, Karl Auer wrote:
> > We need to start building systems that are not seamless, that are
> > not highly interchangeable, that are not fully interconnected, and
> > we have to include our human systems in that approach.
> How does one go about that in real life?

I don't know. I'm trying to figure it out too.

I just know that the less diverse an ecosystem, the more vulnerable it
is to destruction. Heterogeneity (and change, by the way, i.e. being a
moving target) mitigates against the risks of a monoculture.

Homogeneous, centrally managed, massively networked systems bring many
benefits, but we are now seeing the sorts of weaknesses they bring, too.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer


Beta Starlink with a slight tree obstruction vs degraded DOCSIS3 last mile

2021-06-25 Thread Eric Kuhnke
I thought I would post an interesting comparison between a degraded DOCSIS3
link, of a carrier that shall remain nameless to avoid embarrassing
anybody, and a starlink CPE with a slight 1/12th tree obstruction in a
portion of its view.

First two screenshots are the docsis3, to its gateway and to a very
reliable hosted asterisk system in Seattle.

Second two screenshots are starlink, also to its gateway and to the same
destination.

https://imgur.com/a/OQ5wyDr


Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Michael Thomas

On 6/25/21 8:39 AM, Karl Auer wrote:
> On Fri, 2021-06-25 at 10:05 -0400, Tom Beecher wrote:
> > Everything can be broken, and nothing will ever be 100% secure. If
> > you strive to make sure the cost to break in is massively larger than
> > the value of what could be extracted, you'll generally be ahead of
> > the game.
>
> Easy to say.
>
> IMHO the only workable long-term defence is heterogeneity - supported
> by distribution, redundancy and just taking the simple things
> seriously.
>
> Business has spent the last few decades discarding heterogeneity and
> the bigger they are, the more comprehensively they have discarded it.
> Companies that are floor to ceiling and wall to wall Windows.
> Centralised updates, centralised networking, centralised storage,
> centralised ops teams, and (typically) a culture of sharing. A
> relentless prioritising of convenience over security. For goodness
> sake, even the NSA had the attitude that "if you are this side of the
> drawbridge you must be OK"!
>
> We need to start building systems that are not seamless, that are not
> highly interchangeable, that are not fully interconnected, and we have
> to include our human systems in that approach.

How does one go about that in real life? You certainly want your servers 
patched with the latest security updates. For all intents and purposes 
there is just Windows and Linux. I suppose you could throw in some 
hardware diversity with ARM or MIPS.


Routers are definitely in better shape on that front as there are lots 
of choices and at least Cisco has tons of different BU's that compete 
with each other with different software and hardware.


Mike



Re: Microsoft O365 DNS issue

2021-06-25 Thread harbor235
I found the routing, peering, and dns support number. Hopefully that will
help


Mike

On Fri, Jun 25, 2021 at 4:51 PM harbor235  wrote:

> Noggers,
>
> Having some O365 DNS issues, looks like we are getting directed to EMEA
> instead of US. Anybody understand O365 A record location syntax? Any one
> else have issues being directed to EMEA?
>
> Is there a direct MS O365 DNS support number? I have the O365 biz support?
>
>
> Mike
>


Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Baldur Norddahl
On Fri, 25 Jun 2021 at 21:33, Aaron C. de Bruyn via NANOG wrote:

> On Fri, Jun 25, 2021 at 10:43 AM Tom Beecher  wrote:
>
>> Incompetent insurance companies combined with incompetent IT staff and
>>> under-funded IT departments are the nexus of the problem.
>>>
>>
>> Nah, it's even simpler. It's just dollars all around. Always is.
>>
>
> Agreed.
>
>
>> From this company's point of view, the cost to RECOVER from the problems
>> is so much smaller than it would be to prevent the problems from happening
>> to begin with, so they are happy to let you guys handle it. From the
>> insurance company's point of view, they are collecting premiums, but no
>> claims are being filed, so they have no incentive to do anything
>> differently.
>>
>
> I'm sure that'll change drastically if either of these conditions are true:
> * A claim is filed
> * An audit is required
> * Ransomware surges throughout 2021 and payouts go through the roof
>
> I think it's reasonable to expect at least one of those things will happen
> in the next year.
>
> -A
>

Or they do business in the EU where huge fines are becoming the norm. The
ransomware does not matter but the implied data breach does.


Microsoft O365 DNS issue

2021-06-25 Thread harbor235
Noggers,

Having some O365 DNS issues, looks like we are getting directed to EMEA
instead of US. Anybody understand O365 A record location syntax? Any one
else have issues being directed to EMEA?

Is there a direct MS O365 DNS support number? I have the O365 biz support?


Mike


Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Aaron C. de Bruyn via NANOG
On Fri, Jun 25, 2021 at 10:43 AM Tom Beecher  wrote:

> Incompetent insurance companies combined with incompetent IT staff and
>> under-funded IT departments are the nexus of the problem.
>>
>
> Nah, it's even simpler. It's just dollars all around. Always is.
>

Agreed.


> From this company's point of view, the cost to RECOVER from the problems
> is so much smaller than it would be to prevent the problems from happening
> to begin with, so they are happy to let you guys handle it. From the
> insurance company's point of view, they are collecting premiums, but no
> claims are being filed, so they have no incentive to do anything
> differently.
>

I'm sure that'll change drastically if either of these conditions are true:
* A claim is filed
* An audit is required
* Ransomware surges throughout 2021 and payouts go through the roof

I think it's reasonable to expect at least one of those things will happen
in the next year.

-A

>


Weekly Routing Table Report

2021-06-25 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 26 Jun, 2021

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:  856006
Prefixes after maximum aggregation (per Origin AS):  323083
Deaggregation factor:  2.65
Unique aggregates announced (without unneeded subnets):  410634
Total ASes present in the Internet Routing Table: 71491
Prefixes per ASN: 11.97
Origin-only ASes present in the Internet Routing Table:   61485
Origin ASes announcing only one prefix:   25393
Transit ASes present in the Internet Routing Table:   10006
Transit-only ASes present in the Internet Routing Table:319
Average AS path length visible in the Internet Routing Table:   4.3
Max AS path length visible:  54
Max AS path prepend of ASN ( 48366)  51
Prefixes from unregistered ASNs in the Routing Table:  1118
Number of instances of unregistered ASNs:  1124
Number of 32-bit ASNs allocated by the RIRs:  36432
Number of 32-bit ASNs visible in the Routing Table:   30284
Prefixes from 32-bit ASNs in the Routing Table:  141003
Number of bogon 32-bit ASNs visible in the Routing Table:25
Special use prefixes present in the Routing Table:1
Prefixes being announced from unallocated address space:538
Number of addresses announced to Internet:   3040868480
Equivalent to 181 /8s, 63 /16s and 248 /24s
Percentage of available address space announced:   82.1
Percentage of allocated address space announced:   82.1
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:   99.5
Total number of prefixes smaller than registry allocations:  285200

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:   229936
Total APNIC prefixes after maximum aggregation:   65725
APNIC Deaggregation factor:3.50
Prefixes being announced from the APNIC address blocks:  225687
Unique aggregates announced from the APNIC address blocks:90258
APNIC Region origin ASes present in the Internet Routing Table:   11672
APNIC Prefixes per ASN:   19.34
APNIC Region origin ASes announcing only one prefix:   3329
APNIC Region transit ASes present in the Internet Routing Table:   1655
Average APNIC Region AS path length visible:4.5
Max APNIC Region AS path length visible: 32
Number of APNIC region 32-bit ASNs visible in the Routing Table:   6843
Number of APNIC addresses announced to Internet:  774691840
Equivalent to 46 /8s, 44 /16s and 220 /24s
APNIC AS Blocks4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
   58368-59391, 63488-64098, 64297-64395, 131072-147769
APNIC Address Blocks 1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
   106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
   116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
   123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
   163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
   203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
   222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:249491
Total ARIN prefixes after maximum aggregation:   113801
ARIN Deaggregation factor: 2.19
Prefixes being announced from the ARIN address blocks:   249455
Unique aggregates announced from the ARIN address blocks:118754
ARIN Region origin ASes present in the Internet Routing Table:18840
ARIN Prefixes per ASN:13.24
ARIN 

Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Tom Beecher
>
> Incompetent insurance companies combined with incompetent IT staff and
> under-funded IT departments are the nexus of the problem.
>

Nah, it's even simpler. It's just dollars all around. Always is.

From this company's point of view, the cost to RECOVER from the problems is
so much smaller than it would be to prevent the problems from happening to
begin with, so they are happy to let you guys handle it. From the insurance
company's point of view, they are collecting premiums, but no claims are
being filed, so they have no incentive to do anything differently.

Sometimes those of us who know stuff and can fix things are just too darn
good at it for anyone's good. :)


On Fri, Jun 25, 2021 at 11:03 AM Aaron C. de Bruyn via NANOG <
nanog@nanog.org> wrote:

> On Fri, Jun 25, 2021 at 5:28 AM Jim  wrote:
>
>> Big problem that with organizations' existing Disaster Recovery DR
>> methods --
>> the time and cost to recovery from any event including downtime will
>> be some amount.. likely a high one,
>> and criminals' ransom demands will presumably be set as high a price
>> as they think they can get --
>> but still orders of magnitudes less than cost to recover / repair /
>> restore, and the downtime may be less.
>>
>
> I think you're right.  DR methods are a *huge* part of the problem.
> I manage DR systems for a number of companies including a large unnamed
> healthcare provider.
> A year ago they were still running Exchange 2007.  No, that's not a typo.
> Cryptolocker strolled right into the network via file attachment and
> somehow made it past the non-existent 3rd-party AV software that totally
> wasn't integrated into Exchange because it cost too much.
> It spread across the network and started encrypting around 1 AM on a
> Friday morning.
> Due to the way this particular strain worked, it missed several of the
> monitoring tools that would have alerted my company to the massive file
> encryption that was happening and it managed to completely encrypt 21
> offices and all their patient data.
> At 6 AM my monitoring system alerted me to a problem.  By about 6:30 I
> realized the scope of the problem, disabled all the site-to-site VPNs,
> dropped the 1 or 2 infected workstations off the network and the encryption
> stopped.
> We do local snapshots every 15 minutes, local backups twice daily, local
> disconnected backups several times per week, and off-site write-only
> backups multiple times per day.
> After I figured out when cryptolocker launched, I ran a few commands from
> our config management server and had every office restored and running in
> about 28 minutes and the internal techs for the company were dispatched to
> swap out the infected workstations.
>
> The first rule I follow is: Windows *never* touches bare metal.
> I amended that last year to: Windows *never* touches bare metal, including
> workstations.
>
> People *really* need to work on their backups and DR plans.  You don't
> need some expensive 3rd-party cloud solution coupled with expensive VMWare
> licenses to do it.
>
> The other part of the problem is the insurance companies.
> It might surprise you to learn that particular company has been
> cryptolocker'd 8 times in the last 15 years.  They've never lost more than
> a few minutes of data and recovery times are measured in minutes.
> This line has literally been thrown around a few times: "We don't need to
> spend $xxx,xxx to upgrade to current software versions.  We have a
> $5,000,000 cyber insurance policy."
>
> The insurance company issued the policy after *port scanning* their public
> IPs and finding no ports open.  Our only 'ding' we got was that the routers
> responded to pings and the insurance company thought they shouldn't.
> Insurance failed to do any sort of competent audit (i.e. NIST 800-171).  If
> they did, they would have found the techs "solve" problems by making people
> local admins or domain admins and that their primary line-of-business app
> actually requires 'local admin' to run 'properly'.
>
> While they finally replaced Exchange 2007 in 2020 by switching to GMail
> (not for security, but because it made work-from-home easier), they still
> run about 1/3 of their systems on Windows 7 with a few Windows 8 and 8.1
> machines here and there.  They even still have 2 Windows XP machines.
> Their upgrade policy is currently "If the machine dies, you can replace it
> with something newer".  Their oldest machine is around 15 years old.
>
> Incompetent insurance companies combined with incompetent IT staff and
> under-funded IT departments are the nexus of the problem.
>
> -A
>


Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Michael Thomas

On 6/25/21 5:25 AM, Jim wrote:
> On Thu, Jun 24, 2021 at 5:41 PM Brandon Svec via NANOG  wrote:
> > I think a big problem may be that the ransom is actually very cost effective
> > and probably the lowest line item cost in many of these situations where large
> > revenue streams are interrupted and time=money (and maybe also health or life).
>
> Big problem that with organizations' existing Disaster Recovery DR methods --
> the time and cost to recovery from any event including downtime will
> be some amount.. likely a high one,
> and criminals' ransom demands will presumably be set as high a price
> as they think they can get --
> but still orders of magnitudes less than cost to recover / repair /
> restore, and the downtime may be less.
>
> The ransom price becomes the perceived cost of paying from the
> perspective of the
> organizations faced with the decision, But the actual cost to the
> whole world of them paying
> a ransom is much higher and will be borne by others (And/or themselves
> if they are unlucky)
> in the future, when their having paid the criminals encourages and
> causes more and more of that nefarious activity.


Well, the cost of the DR fire drill is proportionate to how automated, 
etc, it is. If you think that the odds of a DR event are really low you 
want to make it possible but not necessarily cheap. If it happens all of 
the time, you want to optimize for speed and efficiency.


The object here is to break their business model, at least for you. Even 
if you go through one DR they aren't likely to go back again rather than 
finding another sucker.


Mike


Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Karl Auer
On Fri, 2021-06-25 at 10:05 -0400, Tom Beecher wrote:
> Everything can be broken, and nothing will ever be 100% secure. If
> you strive to make sure the cost to break in is massively larger than
> the value of what could be extracted, you'll generally be ahead of
> the game.

Easy to say.

IMHO the only workable long-term defence is heterogeneity - supported
by distribution, redundancy and just taking the simple things
seriously.

Business has spent the last few decades discarding heterogeneity and
the bigger they are, the more comprehensively they have discarded it.
Companies that are floor to ceiling and wall to wall Windows.
Centralised updates, centralised networking, centralised storage,
centralised ops teams, and (typically) a culture of sharing. A
relentless prioritising of convenience over security. For goodness
sake, even the NSA had the attitude that "if you are this side of the
drawbridge you must be OK"!

We need to start building systems that are not seamless, that are not
highly interchangeable, that are not fully interconnected, and we have
to include our human systems in that approach.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer


Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Anne P. Mitchell, Esq.

>  The goal is to make your business very difficult to hack that it is no 
> longer economically viable for terrorists to attack it in the first place.
>  
> That’s the best insurance you can give to your business.

And yet, so often their system is vulnerable owing to ineptness, cluelessness, 
or laziness.  For example, when the City of Baltimore's system got locked up, 
the attacker exploited a vulnerability for which MS had issued a patch *2 years 
earlier* (if memory serves).

Anne

--
Anne P. Mitchell,  Attorney at Law
CEO Get to the Inbox by SuretyMail, GetToTheInbox.com 
Dean of Cyberlaw and Cyber Security, Lincoln Law School
Email Marketing Deliverability and Best Practices Expert
Board of Directors, Denver Internet Exchange
Former Counsel: MAPS Anti-Spam Blacklist
Chair Emeritus, Asilomar Microcomputer Workshop


Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Aaron C. de Bruyn via NANOG
On Fri, Jun 25, 2021 at 5:28 AM Jim  wrote:

> Big problem that with organizations' existing Disaster Recovery DR methods
> --
> the time and cost to recovery from any event including downtime will
> be some amount.. likely a high one,
> and criminals' ransom demands will presumably be set as high a price
> as they think they can get --
> but still orders of magnitudes less than cost to recover / repair /
> restore, and the downtime may be less.
>

I think you're right.  DR methods are a *huge* part of the problem.
I manage DR systems for a number of companies including a large unnamed
healthcare provider.
A year ago they were still running Exchange 2007.  No, that's not a typo.
Cryptolocker strolled right into the network via file attachment and
somehow made it past the non-existent 3rd-party AV software that totally
wasn't integrated into Exchange because it cost too much.
It spread across the network and started encrypting around 1 AM on a Friday
morning.
Due to the way this particular strain worked, it missed several of the
monitoring tools that would have alerted my company to the massive file
encryption that was happening and it managed to completely encrypt 21
offices and all their patient data.
At 6 AM my monitoring system alerted me to a problem.  By about 6:30 I
realized the scope of the problem, disabled all the site-to-site VPNs,
dropped the 1 or 2 infected workstations off the network and the encryption
stopped.
We do local snapshots every 15 minutes, local backups twice daily, local
disconnected backups several times per week, and off-site write-only
backups multiple times per day.
After I figured out when cryptolocker launched, I ran a few commands from
our config management server and had every office restored and running in
about 28 minutes and the internal techs for the company were dispatched to
swap out the infected workstations.

The first rule I follow is: Windows *never* touches bare metal.
I amended that last year to: Windows *never* touches bare metal, including
workstations.

People *really* need to work on their backups and DR plans.  You don't need
some expensive 3rd-party cloud solution coupled with expensive VMWare
licenses to do it.

The other part of the problem is the insurance companies.
It might surprise you to learn that particular company has been
cryptolocker'd 8 times in the last 15 years.  They've never lost more than
a few minutes of data and recovery times are measured in minutes.
This line has literally been thrown around a few times: "We don't need to
spend $xxx,xxx to upgrade to current software versions.  We have a
$5,000,000 cyber insurance policy."

The insurance company issued the policy after *port scanning* their public
IPs and finding no ports open.  Our only 'ding' we got was that the routers
responded to pings and the insurance company thought they shouldn't.
Insurance failed to do any sort of competent audit (i.e. NIST 800-171).  If
they did, they would have found the techs "solve" problems by making people
local admins or domain admins and that their primary line-of-business app
actually requires 'local admin' to run 'properly'.

While they finally replaced Exchange 2007 in 2020 by switching to GMail
(not for security, but because it made work-from-home easier), they still
run about 1/3 of their systems on Windows 7 with a few Windows 8 and 8.1
machines here and there.  They even still have 2 Windows XP machines.
Their upgrade policy is currently "If the machine dies, you can replace it
with something newer".  Their oldest machine is around 15 years old.

Incompetent insurance companies combined with incompetent IT staff and
under-funded IT departments are the nexus of the problem.

-A
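Aaron's recovery above hinges on one decision made under pressure: once the encryption start time is known, pick for every office the newest restore point that predates it, because anything taken afterwards may already hold encrypted files. The block below is an added example (not code from the post or from any product it mentions) of that selection over a constructed restore-point catalog; the tiers follow the cadence in the post, while office names, timestamps, the catalog format and the 15-minute safety margin are assumptions.

```python
"""Pick the newest clean restore point per office after a ransomware event.

Added example; not code from the post or from any product it mentions.
Tiers follow the post (15-minute snapshots, local backups, disconnected
backups, write-only off-site copies); offices, timestamps and the catalog
format are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Tiers ordered by how fast they can be restored (local first). Used only as a
# tie-break when two tiers hold a point with the same timestamp.
TIERS = ("snapshot", "local_backup", "disconnected", "offsite")


@dataclass(frozen=True)
class RestorePoint:
    office: str
    tier: str
    taken_at: datetime


def parse_catalog(text: str) -> List[RestorePoint]:
    """Parse 'office,tier,ISO-timestamp' lines; blank lines and '#' comments are skipped."""
    points = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        office, tier, stamp = (f.strip() for f in line.split(","))
        if tier not in TIERS:
            raise ValueError(f"unknown tier {tier!r} for {office}")
        points.append(RestorePoint(office, tier, datetime.fromisoformat(stamp)))
    return points


def pick_clean_point(points, office, encryption_started, margin=timedelta(minutes=15)):
    """Newest point for `office` taken at or before encryption start minus margin.

    Anything newer may already contain encrypted files and is never eligible,
    whatever its tier. On a timestamp tie the faster-to-restore tier wins.
    Returns None when the office has no clean point at all: that office needs a
    person, not a script.
    """
    cutoff = encryption_started - margin
    clean = [p for p in points if p.office == office and p.taken_at <= cutoff]
    if not clean:
        return None
    return max(clean, key=lambda p: (p.taken_at, -TIERS.index(p.tier)))


def restore_plan(points, encryption_started, margin=timedelta(minutes=15)):
    """Map office -> (chosen point or None, data-loss window or None)."""
    plan = {}
    for office in sorted({p.office for p in points}):
        chosen = pick_clean_point(points, office, encryption_started, margin)
        plan[office] = (chosen, encryption_started - chosen.taken_at if chosen else None)
    return plan


# Constructed catalog. Encryption started around 01:00 on Fri 2021-06-25, as in
# the post; snapshots taken after that moment are poisoned and must not be chosen.
CATALOG = """
# office, tier, taken_at
office_01, snapshot,     2021-06-25T00:30
office_01, snapshot,     2021-06-25T00:45
office_01, snapshot,     2021-06-25T01:00
office_01, snapshot,     2021-06-25T05:45
office_01, local_backup, 2021-06-25T00:00
office_02, snapshot,     2021-06-25T00:50
office_02, snapshot,     2021-06-25T01:05
office_02, local_backup, 2021-06-24T18:00
office_02, offsite,      2021-06-24T22:00
office_03, disconnected, 2021-06-23T23:00
office_03, offsite,      2021-06-25T00:30
office_04, snapshot,     2021-06-25T01:15
office_04, snapshot,     2021-06-25T01:30
"""
ENCRYPTION_STARTED = datetime(2021, 6, 25, 1, 0)

if __name__ == "__main__":
    for office, (point, loss) in restore_plan(parse_catalog(CATALOG), ENCRYPTION_STARTED).items():
        if point is None:
            print(f"{office}: NO CLEAN RESTORE POINT - escalate")
        else:
            print(f"{office}: restore {point.tier} from {point.taken_at:%Y-%m-%d %H:%M} "
                  f"(data loss window {loss})")
```

office_04 shows the failure mode the post's layered schedule is meant to avoid: every point it has was taken after the encryption began, so it is reported for escalation rather than silently restored from a poisoned copy.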


RE: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Jean St-Laurent via NANOG
I agree with you that 100% secure is not achievable.

The goal is to make your business very difficult to hack that it is no longer
economically viable for terrorists to attack it in the first place.

That’s the best insurance you can give to your business.

Jean



Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Tom Beecher
>
> The payment to ransomware gangs is now tax-deductible.
>

It's not new. In the US, losses due to theft have been at least partly
deductible for a very long time. By IRS definitions (
https://www.irs.gov/publications/p547), blackmail and extortion both
qualify as theft, and it's fairly safe to say those apply to all ransomware
attacks.

Everything can be broken, and nothing will ever be 100% secure. If you
strive to make sure the cost to break in is massively larger than the value
of what could be extracted, you'll generally be ahead of the game.

On Fri, Jun 25, 2021 at 8:39 AM Jean St-Laurent via NANOG 
wrote:

> Hi Jim,
>
> Very nice text from you and you seem to offer good hints on how to stop it
> long term.
>
> The reality is that USA is going in the direct opposing direction that you
> express.
>
> The payment to ransomware gangs is now tax-deductible.
>
> "Extorted by ransomware gangs? The payments may be tax-deductible".
> Published June 21st.
> https://www.cbsnews.com/news/ransomware-payments-may-be-tax-deductible/
>
> Again from cbsnews. Not sure if we can rely on them to report accurate
> news?
>
> Jean
>
> -Original Message-
> From: NANOG  On Behalf Of Jim
> Sent: June 25, 2021 8:26 AM
> To: Brandon Svec 
> Cc: nanog@nanog.org
> Subject: Re: Can somebody explain these ransomwear attacks?
>
> On Thu, Jun 24, 2021 at 5:41 PM Brandon Svec via NANOG 
> wrote:
> >
> > I think a big problem may be that the ransom is actually very cost
> effective and probably the lowest line item cost in many of these
> situations where large revenue streams are interrupted and time=money (and
> maybe also health or life).
>
> Big problem that with organizations' existing Disaster Recovery DR methods
> -- the time and cost to recovery from any event including downtime will be
> some amount.. likely a high one, and criminals' ransom demands will
> presumably be set as high a price as they think they can get -- but still
> orders of magnitudes less than cost to recover / repair / restore, and the
> downtime may be less.
>
> The  ransom price becomes the perceived cost of paying from the
> perspective of the organizations faced with the decision,  But the actual
> cost to the whole world of them paying a ransom is much higher and will be
> borne by others (And/or themselves if they are unlucky) in the future, when
> their having paid the criminals encourages and causes more and more of that
> nefarious activity.
>
> I would call that a regulatory issue regarding commerce and payments not
> able to be addressed by technology.
>
> No matter how much companies can improve your DR process to cost less for
> a recovery and take less time -- a recovery is bound to still involve some
> downtime and cost a large enough amount  where it will then be possible for
> motivated criminals to come up with a dollars cost improvement for a ransom
> that will be less than it.
>
> I do wonder for a moment.. about companies paying ransoms: Do they somehow
> manage to get the crooks' W-9 and verify their identity, as required when
> an organization makes a payment to any 3rd party -- or do those paying
> ransoms somehow circumvent the mandatory tax reporting and withholdings,
> B/c it seems like making a payment to an Unnamed / unidentified /
> unverifiable party ought to be a crime  or make the payor be considered an
> accomplice in the crooks' evasion of the taxing authority?
>
> I always think.. have the governments impose penalties, eg.
> "If you make a payment for a ransom, then a penalty of  $10k plus 1%
> the ransom will be due."
> / Have it be a more-severely penalized crime to send any digital payment
> for a transaction above X say $1000 without the Proof of Identity and
> Physical location of all Payees -- make sure it gets enforced strictly
> against anyone paying a ransom.
> Make the ransoms not payable without larger repercussions, and perhaps the
> crooks will have to find a new profession.
>
> >
> > The original thought that it should be handled like standard DR and
> tighten up security may apply to very small businesses though where they
> could afford to try to ignore the ransom request and rebuild more securely
> hoping the criminals will move on and not come back for revenge.
> >
> --
> -Jim
>
>


LACNOG 2021 Call for Presentations

2021-06-25 Thread Hernan Moguilevsky
Hi NANOG,

CFP for LACNOG 2021 is now open.
Feel free to contact me off list if you have any questions.

Thanks.

HM

LACNOG 2021 - Call for Presentations

LACNOG, the Latin American and Caribbean Network Operators Group, will
hold its LACNOG 2021 conference from 11 to 15 October 2021 together with
the LACNIC 36 event. This meeting is scheduled to be held in person in
the city of Cali, Colombia (if the evolution of the epidemiological
situation in the region allows). Otherwise, this conference will be held
online.

The LACNOG 2021 Program Committee invites the Internet community to
submit their presentation proposals for the event.

In line with the spirit of LACNOG, proposed topics must be geared
towards Internet development in the region. The following is a
non-exhaustive list of some of the topics of interest for the LACNOG
2021 meeting:

●    Network operation and professional experiences, success stories

●    Internet of Things

●    MANRS

●    Community Networks

●    IPv6 integration and deployment

●    Experiences involving botnets, malware, spam, viruses, denial
of service attacks and exploit techniques

●    IP network architecture, sizing, configuration and administration

●    Routing and switching protocols, including unicast, multicast,
anycast, SDN, etc.

●    End-user applications (e.g., e-mail, HTTP, DNS, NFVs)

●    Value-added services such as VPNs, distributed systems, cloud
computing, etc.

●    Peering, Internet traffic exchange, IXPs

●    Network data security and management, attack mitigation

●    Network monitoring, performance, measurements and telemetry

●    Network automation, evolution and convergence

●    Infrastructure and physical transport, including optical and
wireless networks

●    Legislation, regulations and Internet governance issues

●    Research and education

 

Possible presentation formats include:

●    Lightning talk: brief, 10-minute presentation (including a
space for Q&A)

●    Presentation: 20-minute presentation (including a space for Q&A)

●    Posters: includes a single-page PDF (A2 or smaller) with the
basic information of the presentation plus a 2- to 5-minute video with
the presentation

Deadlines for the 2021 call for proposals will be as follows:

●    Reception of proposals: 24 June to 23 July 2021

●    Proposals will be accepted until: 23 July 2021 at 23:59 UTC-3
(Uruguay time)

●    Evaluation by the Program Committee: 26 July to 8 August 2021

●    Announcement of results: 10 August 2021

●    Deadline for submitting the final presentation: 10 August - 17
September 2021

●    Final presentations will be accepted until: 17 September 2021
at 23:59 UTC-3 (Uruguay time)

●    Event date: 11 to 15 October 2021

Applicants must submit a summary and a draft of the slides of their
proposed presentation along with a brief biography, for which they must
use the form available at https://eventos.nog.lat/e/lacnog2021

If your work is selected, you authorize LACNOG and LACNIC to publish
your name, photograph, biography and final work in the event program.

Speakers presenting their work at the LACNOG 2021 conference will
receive a certificate acknowledging their participation.

Guidelines for Submitting a Presentation for LACNOG have been prepared
that contain a description of the criteria that will be considered when
evaluating each proposal, presentation format details and other
information. These Guidelines are available
at https://www.lacnog.org/guiapresentaciones/.

Communications with the Program Committee will be handled
through p...@lacnog.org.

We thank you in advance for your attention and look forward to receiving
your proposals for LACNOG 2021.

The Program Committee

___
LACNOG mailing list
lac...@lacnic.net
https://mail.lacnic.net/mailman/listinfo/lacnog
Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog



RE: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Jean St-Laurent via NANOG
Hi Jim,

Very nice text from you and you seem to offer good hints on how to stop it long 
term.

The reality is that USA is going in the direct opposing direction that you 
express.

The payment to ransomware gangs is now tax-deductible.

"Extorted by ransomware gangs? The payments may be tax-deductible". 
Published June 21st.
https://www.cbsnews.com/news/ransomware-payments-may-be-tax-deductible/

Again from cbsnews. Not sure if we can rely on them to report accurate news?

Jean

-Original Message-
From: NANOG  On Behalf Of Jim
Sent: June 25, 2021 8:26 AM
To: Brandon Svec 
Cc: nanog@nanog.org
Subject: Re: Can somebody explain these ransomwear attacks?

On Thu, Jun 24, 2021 at 5:41 PM Brandon Svec via NANOG  wrote:
>
> I think a big problem may be that the ransom is actually very cost effective 
> and probably the lowest line item cost in many of these situations where 
> large revenue streams are interrupted and time=money (and maybe also health 
> or life).

Big problem is that with organizations' existing Disaster Recovery DR methods --
the time and cost to recovery from any event including downtime will be some
amount.. likely a high one, and criminals' ransom demands will presumably be
set as high a price as they think they can get -- but still orders of
magnitude less than cost to recover / repair / restore, and the downtime may
be less.

The ransom price becomes the perceived cost of paying from the perspective of
the organizations faced with the decision. But the actual cost to the whole
world of them paying a ransom is much higher and will be borne by others
(and/or themselves if they are unlucky) in the future, when their having paid
the criminals encourages and causes more and more of that nefarious activity.

I would call that a regulatory issue regarding commerce and payments not able
to be addressed by technology.

No matter how much companies can improve their DR process to cost less for a
recovery and take less time -- a recovery is bound to still involve some
downtime and cost a large enough amount where it will then be possible for
motivated criminals to come up with a dollars cost improvement for a ransom
that will be less than it.

I do wonder for a moment.. about companies paying ransoms: Do they somehow
manage to get the crooks' W-9 and verify their identity, as required when an
organization makes a payment to any 3rd party -- or do those paying ransoms
somehow circumvent the mandatory tax reporting and withholdings? B/c it seems
like making a payment to an unnamed / unidentified / unverifiable party ought
to be a crime, or make the payor be considered an accomplice in the crooks'
evasion of the taxing authority?

I always think.. have the governments impose penalties, eg.
"If you make a payment for a ransom, then a penalty of $10k plus 1% of the
ransom will be due."
/ Have it be a more-severely penalized crime to send any digital payment for a
transaction above X, say $1000, without the Proof of Identity and Physical
location of all Payees -- make sure it gets enforced strictly against anyone
paying a ransom.
Make the ransoms not payable without larger repercussions, and perhaps the
crooks will have to find a new profession.

>
> The original thought that it should be handled like standard DR and tighten 
> up security may apply to very small businesses though where they could afford 
> to try to ignore the ransom request and rebuild more securely hoping the 
> criminals will move on and not come back for revenge.
>
--
-Jim



Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Jim
On Thu, Jun 24, 2021 at 5:41 PM Brandon Svec via NANOG  wrote:
>
> I think a big problem may be that the ransom is actually very cost effective 
> and probably the lowest line item cost in many of these situations where 
> large revenue streams are interrupted and time=money (and maybe also health 
> or life).

Big problem is that with organizations' existing Disaster Recovery DR methods --
the time and cost to recovery from any event including downtime will be some
amount.. likely a high one, and criminals' ransom demands will presumably be
set as high a price as they think they can get -- but still orders of
magnitude less than cost to recover / repair / restore, and the downtime may
be less.

The ransom price becomes the perceived cost of paying from the perspective of
the organizations faced with the decision. But the actual cost to the whole
world of them paying a ransom is much higher and will be borne by others
(and/or themselves if they are unlucky) in the future, when their having paid
the criminals encourages and causes more and more of that nefarious activity.

I would call that a regulatory issue regarding commerce and payments not able
to be addressed by technology.

No matter how much companies can improve their DR process to cost less for a
recovery and take less time -- a recovery is bound to still involve some
downtime and cost a large enough amount where it will then be possible for
motivated criminals to come up with a dollars cost improvement for a ransom
that will be less than it.

I do wonder for a moment.. about companies paying ransoms: Do they somehow
manage to get the crooks' W-9 and verify their identity, as required when an
organization makes a payment to any 3rd party -- or do those paying ransoms
somehow circumvent the mandatory tax reporting and withholdings? B/c it seems
like making a payment to an unnamed / unidentified / unverifiable party ought
to be a crime, or make the payor be considered an accomplice in the crooks'
evasion of the taxing authority?

I always think.. have the governments impose penalties, eg.
"If you make a payment for a ransom, then a penalty of $10k plus 1% of the
ransom will be due."
/ Have it be a more-severely penalized crime to send any digital payment for a
transaction above X, say $1000, without the Proof of Identity and Physical
location of all Payees -- make sure it gets enforced strictly against anyone
paying a ransom.
Make the ransoms not payable without larger repercussions, and perhaps the
crooks will have to find a new profession.

>
> The original thought that it should be handled like standard DR and tighten 
> up security may apply to very small businesses though where they could afford 
> to try to ignore the ransom request and rebuild more securely hoping the 
> criminals will move on and not come back for revenge.
>
--
-Jim


Re: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Don Gould

NEW ZEALAND HEALTH EXPERIENCE AND DISCUSSION

Some of you may be aware that one of our major hospitals was taken off 
line with 680 compromised servers.


Discussion on one local list is that the systems have been open for some
time and the ransom hackers didn't open the systems, they have just
caused them to be cleaned up and locked.


I was in one of our other hospitals this week.  I was presented with 
Windows 2000 systems.  These people don't seem to understand the 
concepts of a dated DLL stack, combined with inter system networking.  
They don't leave me with the impression that we've been presenting 
object level compromise data for decades now.  They don't seem to 
understand that we've made that public facing for, what I would have 
thought, fairly obvious reasons.  By 'we', I don't mean any special, 
crazy, conspiracy theory, tin foil hat wearing groups, I mean just plain 
old every day computer geeks who write software.


In the NZ hospital case, it looks to me, and I don't know, this is just 
pure speculation, like someone is going around global hospitals and 
making them clean up stuff that they should have been upgrading.


I personally accept that there are groups around the world with vested
interests in having access to our hospital systems, if for no other reason
than just to see who's coming and going... you never know when that
might make a cool media story, eh?


I keep reading how this is a training issue of staff in hospitals who 
shouldn't be clicking on email attachments.  It's a comment that just 
strikes me as bonkers.  It's not a training issue at all, other than 
training management that systems have to be patched, updated, and 
upgraded.


Call me crazy, but you can't go around telling kids that IT has great 
jobs, ask them (make them) pay for education, and then not actually give 
them jobs to do the work that clearly has to be done.


Yes, you can call this a conspiracy theory, but I venture that when old
people cry out for young people to learn IT so they can make better
health systems, and then 'investors' don't actually upgrade to those
'new systems' and just leave the doors wide open to personal
information, at some point some folk are going to get their noses out of
joint. A fairly obvious theory, which many in management are just
discounting as conspiracy until things get broken, and then they blame
the user for using email.


Going back a number of years our whole social services system was found 
to be wide open because a vendor couldn't make their software work 
without giving it a 'few more permissions'.  Couple that kind of 
thinking with decades old, compromised, DLL stacks...  interests who 
like to just quietly watch... and a lack of good, reasonably paid IT 
work... and I have one question:

"Can somebody explain these ransomwear attacks?"  ...I don't know...
can I?


HTH

D

On 2021-06-25 22:39, Jean St-Laurent via NANOG wrote:

Here are some facts that it’s important to not pay them.

80% of ransomware victims suffer repeat attacks, according to new report

https://www.cbsnews.com/news/ransomware-victims-suffer-repeat-attacks-new-report/

published June 17th 2021

Don’t pay them. Just clean your mess. 

Jean

From: NANOG  On Behalf Of Michael Thomas
Sent: June 24, 2021 5:59 PM
To: JoeSox 
Cc: nanog@nanog.org
Subject: Re: Can somebody explain these ransomwear attacks?

On 6/24/21 2:55 PM, JoeSox wrote:


It gets tricky when 'your' company will lose money $$$ while you
wait a month to restore from your cloud backups.

So Executives roll the dice to see if service can be restored
quickly as possible keeping shareholders and customers happy as
possible.


But if you pay without finding how they got in, they could turn around
and do it again, or sell it on the dark web, right?

Mike


On Thu, Jun 24, 2021 at 2:44 PM Michael Thomas wrote:

Not exactly network but maybe, but certainly operational. Shouldn't this
just be handled like disaster recovery? I haven't looked into this much,
but it sounds like the only way to stop it is to stop paying the crooks.
There is also the obvious problem that if they got in, something (or
someone) is compromised that needs to be cleaned which sounds sort of
like DR again to me.

Mike


--
Don Gould
5 Cargill Place
Richmond 8013
Christchurch, New Zealand
Mobile/Telegram: + 64 21 114 0699
www.bowenvale.co.nz


RE: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Jean St-Laurent via NANOG
Here are some facts that it's important to not pay them.

80% of ransomware victims suffer repeat attacks, according to new report

https://www.cbsnews.com/news/ransomware-victims-suffer-repeat-attacks-new-report/

published June 17th 2021

Don't pay them. Just clean your mess.

Jean

From: NANOG  On Behalf Of Michael Thomas
Sent: June 24, 2021 5:59 PM
To: JoeSox 
Cc: nanog@nanog.org
Subject: Re: Can somebody explain these ransomwear attacks?

On 6/24/21 2:55 PM, JoeSox wrote:




It gets tricky when 'your' company will lose money $$$ while you wait a month 
to restore from your cloud backups.

So Executives roll the dice to see if service can be restored quickly as 
possible keeping shareholders and customers happy as possible.

But if you pay without finding how they got in, they could turn around and do
it again, or sell it on the dark web, right?

Mike

On Thu, Jun 24, 2021 at 2:44 PM Michael Thomas wrote:


Not exactly network but maybe, but certainly operational. Shouldn't this 
just be handled like disaster recovery? I haven't looked into this much, 
but it sounds like the only way to stop it is to stop paying the crooks. 
There is also the obvious problem that if they got in, something (or 
someone) is compromised that needs to be cleaned which sounds sort of 
like DR again to me.

Mike