Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security United States

Ransomware Hits Capitol Hill Contractor (therecord.media) 41

A company that provides a user engagement platform for US politicians has suffered a ransomware attack, leaving many lawmakers unable to email their constituents for days. From a report: The attack, which hit DC-based iConstituent, has affected the offices of nearly 60 House lawmakers across both parties, Punchbowl News reported earlier today, citing House officials, lawmakers, and office aides. Catherine Szpindor, the Chief Administrative Officer of the House, said she was informed of the attack, which appears to have been limited to iConstituent's e-newsletter service and did not impact the company's GovText text messaging system. Szpindor, which is in charge of House cybersecurity, was also quick to distance the US government's network from the attack. "At this time, the CAO is not aware of any impact to House data," Szpindor told Punchbowl News. "The CAO is coordinating with the impacted offices supported by iConstituent and has taken measures to ensure that the attack does not affect the House network and offices' data."
This discussion has been archived. No new comments can be posted.

Ransomware Hits Capitol Hill Contractor

Comments Filter:
  • by Ostracus ( 1354233 ) on Tuesday June 08, 2021 @11:46AM (#61466278) Journal

    A company that provides a user engagement platform for US politicians has suffered a ransomware attack, leaving many lawmakers unable to email their constituents for days.

    THANK YOU! THANK YOU! THANK YOU!

    • by Anonymous Coward
      No kidding. Next PLEASE hack those auto warranty guys!
    • Re: (Score:1, Informative)

      by Anonymous Coward

      They weren't gonna be emailing you. Their constituents are Amazon, Apple, Alphabet, Exxon Mobil, and so on.

      • The point (Score:5, Insightful)

        by Okian Warrior ( 537106 ) on Tuesday June 08, 2021 @12:05PM (#61466356) Homepage Journal

        They weren't gonna be emailing you. Their constituents are Amazon, Apple, Alphabet, Exxon Mobil, and so on.

        You're missing the point. If ransomware affects politicians, they might do something about it.

        • I really don't want politicians deciding what happens with ransomware. All that will happen is that they will ask their patrons to create a committee slanted for their use to come up with ways to decide on it, which benefit them.

          I wouldn't be surprised to see more DMCA or CFAA like laws, which wouldn't stop ransomware, but add a lot to the Federal private prison population. Or, we will see mandates that all Internet connected devices be locked down, similar to how the MPAA demands all Blu-Ray devices be r

          • Re: The point (Score:5, Interesting)

            by ArmoredDragon ( 3450605 ) on Tuesday June 08, 2021 @12:34PM (#61466464)

            Or we could see new NIST standards developed for incremental backups. The federal government and all federal government contractors are required to follow NIST.

            We could also possibly see an outright criminalization of individuals involved in paying data ransoms, drying up all possible revenue sources.

            • That would be great, but the average business wouldn't know a STIG from an inode, and generally, FISMA/FedRamp tends to bring with it provisions for backups.

              Criminalization is also a good idea, and technically paying ransoms is a criminal act to hostile entities. However, companies can easily dance around that by paying a consultant to "fix" their problem, and the consultant (likely offshore) takes the cash and pays the ransom. The company has plausible deniability and their data back, the consultant has

              • > However, companies can easily dance around that by paying a consultant to "fix" their problem, and the consultant (likely offshore) takes the cash and pays the ransom. The company has plausible deniability and their data back, the consultant has their cut, and there isn't anything LEOs can do. Sounds about right, isn't this what companies already do to work around the FCPA (Foreign Corrupt Practices Act) that normally bans company from committing bribery, regardless of what local laws say?
              • Re: The point (Score:4, Informative)

                by geekmux ( 1040042 ) on Tuesday June 08, 2021 @03:08PM (#61466876)

                That would be great, but the average business wouldn't know a STIG from an inode...

                We don't need "average" businesses right now in charge of Federal contracts. For this very reason.

                Either they can learn to be secure, or they can stick to making bowling balls or some shit.

            • Re: The point (Score:5, Interesting)

              by jonbryce ( 703250 ) on Tuesday June 08, 2021 @12:55PM (#61466530) Homepage

              I think we will see either a ban or much tougher AML controls on Bitcoin exchanges, and a ban on US banks having anything to do with exchanges that don't meet the required standards.

            • we could see new NIST standards developed for ransomeware.

              These are politicians.

            • Or we could see new NIST standards developed for incremental backups. The federal government and all federal government contractors are required to follow NIST.

              Yeah. And that actual adoption rate was going so well that they were forced to create the CMMC standard, and put the threat of 3rd party compliance validation behind it.

              Maybe 5% of the DIB has fully complied with NIST 800-171 after years of it being pushed as a "mandate".

              CMMC requires backups to be encrypted and offline. Because of the very threat of ransomware. We'll see how many It'll-never-happen-to-ME orgs take that seriously. Good backups are always too expensive, until the day they're worth their

          • I really don't want politicians deciding what happens with ransomware. All that will happen is that they will ask their patrons to create a committee slanted for their use to come up with ways to decide on it, which benefit them.

            Yes, they could in fact do that.

            And in response, they attack the committee with ransomware.

      • by g01d4 ( 888748 ) on Tuesday June 08, 2021 @12:09PM (#61466382)

        They weren't gonna be emailing you.

        They'll email you unsolicited photo-op fluff after you get added to their mailing list. You won't get an individual reply to any email you send unless you're a major donor or someone individually know to their staff.

      • No, they direct mail those constituents directory, or even have them on speed-dial. The engagement platform is for sending out spam to voters. Generally email of the sort saying "our opponents are destroying this country so please send me money and subscribe to my newsletter!"

    • by tomkost ( 944194 )
      Sounds great FOR THEM. Now they only have to worry about the big money donors that have direct access...
    • by sconeu ( 64226 )

      I was going to say, "And how is this a bad thing?"

    • THANK YOU! THANK YOU! THANK YOU!

      Here's $20. Leave the ransomware in place.

  • I guess the Ransomware people are hurrying up to get as much as they can from the US. Why ? We all know the new cyber push by the US Gov will fix everything forever.

  • These sorts of problems are getting worse, not better. Why? Enough with the excuses, how about some actual solutions, before everything comes crashing down around our ears? Seriously: how much longer do you think it'll be, before they manage to fuck up everyones' banks and credit unions, and we're all flat broke having had all our money either deleted or stolen? No, I'm not panicking, and I'm not spreading FUD either, I'm being realistic: they clearly have the capability, they just haven't used it -- yet. P
    • The patchwork of vendors and solutions fortunately gives us a level of systemic defense. We'll probably see more and more companies getting hacked over time, but projecting that trend infinitely into the future isn't realistic. At some point we'll hit a critical mass of problems and they'll be addressed.

      The tricky part is addressing it. A good start would be:

      - criminal liability for anyone who knows of a hack but doesn't report it
      - financial penalty of around $25k for each incident paid to t

      • The patchwork of vendors and solutions fortunately gives us a level of systemic defense.

        Except it is the patchwork of vendors and solutions that are part of the problem. Just look at Solarwinds.

        • Certainly. But it also means a wider attack on all the critical infrastructure at the same time is quite hard to pull off. It would be better if the security was better, but I'm not worried about some sort of social collapse due to the power going out across the country for days.

      • At some point we'll hit a critical mass of problems and they'll be addressed.

        NEWS FLASH: We're there already.
        We need to fix all this shit NOW, not years from now.

  • by Bearhouse ( 1034238 ) on Tuesday June 08, 2021 @12:48PM (#61466508)

    ...We built the iConstituent Engagement Platform with the belief that secure, efficient, impactful communications can bring people and government closer together....

    Yup, more bullshit from magic cloud land...

    • by dysmal ( 3361085 )

      It says "secure" so it must be secure!

      Reminds me of my first monitor (15" CRT - free) that had "low radiation" on it. No brand name but at least it was low radiation!

  • .... And Nothing Of Value Was Lost!

  • Congress now has a reason to do nothing. I used to watch CSPAN and seeing lawmakers giving speeches to an empty chamber. Or how often Congress goes into recess without any meaningful legislation passed.

    So now Congress can blame ransomware and do what it always does...nothing. Progress indeed.

    Billy Preston in 1974 was prescient on this...

    https://www.youtube.com/watch?... [youtube.com]

    JoshK.

  • by NoMoreACs ( 6161580 ) on Tuesday June 08, 2021 @05:24PM (#61467284)

    Simply outlaw Cryptocurrency worldwide and this problem virtually disappears overnight.

    Yes, it really is just that simple. Ransomware absolutely depends on Cryptocurrency. No Cryptocurrency, little to no Ransomware.

    Try it and prove me wrong. Iâ(TM)ll wait...

  • From the Cisco Talos blog. MSFT is nitpicking by calling some vulnerabilities "important" instead of "critical" Hmmm.

    "Another vulnerability, a privilege escalation flaw in the DWM Core Library, has already been exploited in the wild, according to Microsoft. An attacker could trigger CVE-2021-33739 by running an executable or script on the local machine. Although this vulnerability has a CVSS score of 8.4 out of 10, Microsoft still considers it to be “important.” Talos would also like to spec
  • Yes, it happens. And I will tell you why it exists and what it is connected with - the security personnel failed, it happens. Now it's up to the legal profession, not them. In general, it is often easier, especially in the non-state sector, not to keep your own lawyer, but to work for hire, and to find one you can visit here [garcialegalsearch.com]. And you do not need the fixed costs of maintaining a lawyer.

Algebraic symbols are used when you do not know what you are talking about. -- Philippe Schnoebelen

Working...