Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
United States Government Security

Atlanta Still Struggles To Recover From Ransomware Attack (reuters.com) 91

An anonymous reader quotes Reuters: Atlanta's top officials holed up in their offices on Saturday as they worked to restore critical systems knocked out by a nine-day-old cyber attack that plunged the Southeastern U.S. metropolis into technological chaos and forced some city workers to revert to paper... Police and other public servants have spent the past week trying to piece together their digital work lives, recreating audit spreadsheets and conducting business on mobile phones in response to one of the most devastating "ransomware" virus attacks to hit an American city. Three city council staffers have been sharing a single clunky personal laptop brought in after cyber extortionists attacked Atlanta's computer network with a virus that scrambled data and still prevents access to critical systems. "It's extraordinarily frustrating," said Councilman Howard Shook, whose office lost 16 years of digital records...

City officials have declined to discuss the extent of damage beyond disclosed outages that have shut down some services at municipal offices, including courts and the water department. Nearly 6 million people live in the Atlanta metropolitan area... Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters... Meanwhile, some city employees complained they have been left in the dark, unsure when it is safe to turn on their computers. "We don't know anything," said one frustrated employee as she left for a lunch break on Friday.

"Our data management teams are working diligently to restore normal operations and functionalities to these systems," said a spokesperson for the police department, adding that they "hope to be back online in the very near future."
This discussion has been archived. No new comments can be posted.

Atlanta Still Struggles To Recover From Ransomware Attack

Comments Filter:
  • by Anonymous Coward on Sunday April 01, 2018 @03:45AM (#56362011)

    They should all be sacked.
    Backups. Backups. Backups.
    Simple. Known process.
    Not done = sacked.

    • Re: (Score:1, Interesting)

      by Narcocide ( 102829 )

      This is the inevitable outcome anyone could have foreseen would arise from letting people who don't care about security sell millions of computers to people who don't understand security. If there had been a backup server I guarantee it would have just been hacked too.

      • This is the inevitable outcome anyone could have foreseen would arise from letting people who don't care about security sell millions of computers to people who don't understand security.

        Next to stupidity, greed is one of humans' finest traits.

        Has anyone considered that this might have been an "inside job" . . . ? Like, a disgruntled city employee purposely starting the infection for a small fee from the ransomers . . . ?

        It would be interesting to see if they can trace the spread back to a "patient zero".

        • by Z00L00K ( 682162 )

          Never underestimate the power of human stupidity.

          Anyway - this also highlights the need to really segment your data nets so that an intrusion don't propagate easily.

          And backups are also important of course. CD-ROMs are decent for short term archiving, but for long term archiving we need something better. SD cards also have a little "lock" switch, but it's in reality telling the computer that the device is read only so it's not proof against extreme hacks.

          • Never underestimate the power of human stupidity.

            To fail to do so would be stupid.

        • The part that bugs me is that the effect is completely indistinguishable from the equally likely probability of completely accidental cross-contamination from an employee's personal USB device.

        • Patient zero is the mouthbreather who specified the requirement for Microsoft products... lots of 'patient zeroes' in the corporate world... the 'B Ark' comes to mind; so does forced sterilization...
      • by hey! ( 33014 ) on Sunday April 01, 2018 @09:03AM (#56362605) Homepage Journal

        What I can't understand is why these high profile ransomware attacks haven't prompted a rush to adopt copy-on-write filesystems. It's not like ZFS is exactly new.

        I understand that because of cost places like Atlanta try to run their networks with the least expertise they can get away with, but projects like FreeNAS make it really easy. I have a cheap server running at home and have background tasks scheduled to rsync changes to it. It's like it's not even there, but if I need to I can mount the NAS box and right click on a file in Windows and access the all the previous versions.

        • You are suggesting a Unix approach to a Windows problem.
          Sure it works fine, and you will be better off in the long run and it would be cheaper too. But that isn’t was Windows was designed. You need to buy multiple thousands of dollars on a app to do this. That is often overkill for the need at hand. Because having that app on the resume looks better then a tiny little tool that does the trick.

        • A targeted ransom attack can certainly not be prevented by a copy-on-write filesystem - or mere backups, for what it's worth.
          • by hey! ( 33014 ) on Sunday April 01, 2018 @10:40AM (#56362865) Homepage Journal

            If you think of security exclusively in terms of prevention you are in deep trouble.

          • Re:"Unknown User" (Score:5, Informative)

            by CAOgdin ( 984672 ) on Sunday April 01, 2018 @12:24PM (#56363149)

            Nonsense! 100% daily backups of systems, using a suite of tools kept offline except during backups activity is ALWAYS a solution....simply because an attack starts at a particular time; anything you've kept offline prior to that time is a resource to be used to recover. Yes, there is the problem of recapturing the lost data in that time interval, but it's a LOT better than having to start redesigning software from scratch AFTER the attack has occurred!

            100% daily backups, with recycling of media over a period of a few weeks is a MANDATORY requirement for every computer under my management. Since I started doing that in 2001, I have never had (nor has any client had) an unrecoverable loss of data.

            The other trick is keeping data separated from executables. My mantra is "C: is for Code, D: is for Data". The idea that everything should be on the same logical drive is simply WRONG.

            There are no perfectly secure systems, and perfection is a fools game. But, simple strategies, unerringly repeated over time, can make recovery from assaults (or hard-disk failure) a straight-forward solution.

            • My work windows machine keeps close to 100% immediate backups. As soon as I change a file, it's saved over the network and there are a few weeks of all file changes available for recovery.

              An infection is identified pretty quickly, the affected machine(s) isolated and rolled back. Pretty much the only thing you can lose (unless you are really trying) is what you've just typed into the editor.

              Real work is done on Linux machines we VNC into, where I understand things are more tightly backed up.

              This is not hard

        • by swb ( 14022 )

          There's so many ways storage and backups and could be leveraged to mitigate this, although I would imagine for most sites with Windows it would revolve around existing storage platform snapshots or VM backups to offline storage or in isolated security realms, not "zfs" by itself.

          I have clients that run hourly incrementals of all VMs and their backup runs in an isolated security realm (firewalled, some physical network isolation and no shared or trust-related Windows security relationship).

      • by Anonymous Coward

        This is the inevitable outcome anyone could have foreseen would arise from letting people who don't care about security sell millions of computers to people who don't understand security. If there had been a backup server I guarantee it would have just been hacked too.

        If your backups can be corrupted by someone hacking into your server, then they aren't really backups.

        Tape is still widely used for backups for a good reason. We rotate ours offsite, and our contingency plan if we do get hacked is to rebuild the backup server from scratch and restore from backup, we have 4 weekly, 4 monthly, and 8 quarterly sets of backup tapes off site, so we can go back 2 years if needed to get a good backup.

    • by Anonymous Coward

      There's a serious lack of accountability at all levels when it comes to IT security.

      One of the biggest benefits of the industry 's move to Cloud, imo, is to remove certain classes of vulnerabilities from the hands of many organizations since I don't expect real accountability to ever increase.

      • Yes and no. (Score:3, Insightful)

        by Anonymous Coward

        Yes, they should all be sacked.

        No, not the IT guys. The beancounters and managers who ignored their advice and failed to foresee the need for a proper backup management strategy for the city. IT knows this crap can happen, and IT tells Management about the need for proper backups, daily, weekly, monthly, on-site, off-site, and tape. We tell them RAID is not a backup strategy. WE tell them without backups their necks are in the noose when, not if, the shit hits the fan.

        Well, 9 days ago, the fan got crushed u

        • Bahahah! That's a good one. The managers will simply fire their IT and give themselves bonuses for doing so now that the troublemakers are gone. Problem solved.

          We all have seen Office Space right? The bobs seem to LOVE management everytime and they seem to think they are invaluable unlike I.T. Sadly they are right as HR won't touch them as they have too much power over HR's job.

          Some organizations even have a rule that only good ideas come from management and lowly employees need to shut up and take notes in

      • There's a serious lack of accountability at all levels when it comes to IT security.

        One of the biggest benefits of the industry 's move to Cloud, imo, is to remove certain classes of vulnerabilities from the hands of many organizations since I don't expect real accountability to ever increase.

        Yep. I hold my head high as a competent techy, but when it comes to my wife's business, it's cloud all the way. Pay someone else to do the storage security, serving, email and access control. It's cheaper than hiring and a lot easier.

    • by jellomizer ( 103300 ) on Sunday April 01, 2018 @09:45AM (#56362715)

      Unless you are working for a government agency with bosses who don’t want to fund your department.

      Backups cost money. Redundant off site hot failover systems cost more.
      Please explain to the general public on why the city should have computers running in hope you don’t need to use them. When they can use that money to feed the poor.

      I have done years of consulting and working across many agencies. And for nearly every agency the tech workers are not incompetent, I may disagree with their methods, but they know what they are talking about. The bosses on the other hand especially ones without technical background, see the IT departments as a cost center. So will invest the minimum necessary to keep it running. They don’t realize that their equipment is being attacked constantly and it is only matter of time until something gets across.

      Current I work in healthcare and luckily management invest a lot into IT. So when spyware hit we only suffered minor damage and had it restored running with 15 minuets of missing data. After that incident we in the IT area was livid, and doubled our efforts to stop it again.

  • by deviated_prevert ( 1146403 ) on Sunday April 01, 2018 @04:38AM (#56362105) Journal
    WTF? From the brief description what happened sounds like the "virus" spread instantly with a DB injection attack. A simple thing to do if vulnerable old VB6 scripted front end from 20 years ago is still shoe horned into an internet exposed db. Hell there are banks running VB6 coded garbage from 20 years ago and one wonders why we are still getting hosed. There are even a few banks here like the Bank of Nova Scotia that run backend XP desktops up until just a year ago because all of their key db software would only work with a really old activeX front end.

    We complain bitterly about problems with industrial espionage and yet we still cheap out and use crapware swiss cheese .Net garbage that hackers in China and Russian can drive a truck through.

    • Great post until you mentioned them. Lots of other possibilities - and unless it was government sanctioned, it's especially pointless to mention those particular nations.

      • Someone else suggested it first but I'd also place my bets on "disgruntled employee" as the primary threat vector. Furthermore, I'd even go so far as to postulate "a few free days to goof off without any work to do" as the motive.

    • by Anonymous Coward

      I was with you until you confused VB6 and .Net so apparently you have a knowledge problem here.

      • I was with you until you confused VB6 and .Net so apparently you have a knowledge problem here.

        No confusion involved. A butt tonne of old VB code is also still out there working so that the look and feel of the interfaces remain static as well as antiquated data base interface requirements that do not get updated because of rewrite and retraining costs. Then the problem becomes leaving network visible vulnerabilities there ignored for a very long time just waiting for a criminal hacker to spot them. The point is how and where in the front end did the attack happen?

        Dollars to donuts the attack was do

  • by Max_W ( 812974 ) on Sunday April 01, 2018 @05:08AM (#56362155)
    It could be very convenient. No further audits are possible, since all documents are gone. All is to start from zero.
  • by Anonymous Coward

    throw the windows servers in the trash.

    and do backups.

  • by Tom McGhan ( 3474487 ) on Sunday April 01, 2018 @08:33AM (#56362533)
    Who can expect anyone to believe they "lost 16 years" of data? 192 consecutive months without backups? Zero offline storage? Pull the other one: it's got bells on it!
    • Who can expect anyone to believe they "lost 16 years" of data? 192 consecutive months without backups? Zero offline storage? Pull the other one: it's got bells on it!

      You are looking at this backwards. As explained by the program "Yes Minister", losing files can be very convenient:


      James Hacker: [reads memo] This file contains the complete set of papers, except for a number of secret documents, a few others which are part of still active files, some correspondence lost in the floods of 1967...

      James Hacker: W

  • by Anonymous Coward

    It isn't like the other 4.5M people are impacted by what the 500K people in Atlanta do or their incompetent city govt.

    City of Atlanta is just 500K people. Hardly the entire metro area of 5+M people. Many of those non-Atlanta govts are efficient, capable, and smart. A few county govts merge their services to save money overall. These aren't tiny rural counties. Metro Atlanta has about 20 nearby counties. Fulton is where Atlanta is.

  • Stupid is as stupid does.

    "Three city council staffers have been sharing a single clunky personal laptop brought in after cyber extortionists"

    And no one sees this as an issue? Only in government could people exceed to this level of incompetence and still know they have jobs.

  • So has Georgia actually passed a law that will effectively make the investigation of this ransomware attack illegal? That would be both stupid and highly amusing.

The Force is what holds everything together. It has its dark side, and it has its light side. It's sort of like cosmic duct tape.

Working...