One of the problems of having up to date backups wis the prevalence of online backup solutions out there.
The problem, Russell, is that if an organization has online backups, and a cyber criminal gets a ransomeware injected, the modern ransomeware can reach out over the Internet and destroy the backups. I've seen this happen. It is also SOP for ransomeware to destroy local backups so if an org has a "junkebox tape changer" or NAS or disk array, that's the very first thing targeted. Only air-gapped, local backups are secure from a ransomeware attack IMHO and too many orgs think local backups are passe, or they use NASes that have a jumbo just a bunch of dumb disks online, or USB attached disks, etc. Remember, if the backup media is not physically disconnected from the network it can be targeted and destroyed. It it can be turned off by software it can be turned back on by software. The author of the original Star Wars movie was right - where Ben Kenobi had to go to the actual tractor beam transfer switches and physically put them out of commission, so that the controllers in the Death Star sitting at a console couldn't just switch back on the tractor beam. It's funny to me how such obvious knowledge in computers dating from 47 years ago that it went into a popular movie, is lost on the modern IT manager. But no doubt they are assured they are secure by some AI-bot, a-la Microsoft Bob. LOL Ted -----Original Message----- From: PLUG <plug-boun...@lists.pdxlinux.org> On Behalf Of Russell Senior Sent: Saturday, January 13, 2024 12:40 PM To: Portland Linux/Unix Group <plug@lists.pdxlinux.org> Subject: Re: [PLUG] 'Linux devices are under attack by a never-before-seen worm' - ArsTechnica It is a pet peeve of mine the kind of vulnerability journalism that seems to predominate today, which is all about the DANGER and not about modality or mitigation. You have to read far into the article (if it is there at all) to get any idea of what the vulnerability actually is and whether you are actually vulnerable, how to tell, and what you should do about it. Another good example is journalism around ransomware. To me, no story about ransomware should omit the kind-of-obvious mitigation of having up-to-date backups, and yet I NEVER see that mentioned. Just yesterday, I heard a story about cybersecurity that cited the huge number of "attacks" happening daily on the Internet. Probably (WAG) 95% by volume are brute force password guessing against ssh services. I see them a lot in my own logs of public facing machines, but at the rate passwords are being tried, my math suggests it will take many centuries to guess a decent password. Answer: have a decent password. -- Russell Senior russ...@personaltelco.net On Thu, Jan 11, 2024 at 12:29 PM Russell Senior <russ...@personaltelco.net> wrote: > TL;DR, this is using password guessing. Solution: use better passwords > or turn off passwords altogether and use ssh authorized_keys. > > On Thu, Jan 11, 2024 at 12:13 PM MC_Sequoia <mcsequ...@protonmail.com> > wrote: > >> "For the past year, previously unknown self-replicating malware has >> been compromising Linux devices around the world and installing >> cryptomining malware that takes unusual steps to conceal its inner >> workings, researchers said. >> >> The worm is a customized version of Mirai, the botnet malware that >> infects Linux-based servers, routers, web cameras, and other >> so-called Internet of Things devices. Mirai came to light in 2016 >> when it was used to deliver [record-setting distributed >> denial-of-service attacks]( >> https://arstechnica.com/information-technology/2016/09/why-the-silenc >> ing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/) >> that [paralyzed]( >> https://arstechnica.com/information-technology/2016/10/inside-the-mac >> hine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/) >> key parts of the Internet that year. The creators soon released the >> underlying source code, a move that allowed a wide array of crime >> groups from around the world to incorporate Mirai into their own attack >> campaigns. >> Once taking hold of a Linux device, Mirai uses it as a platform to >> infect other vulnerable devices, a design that makes it a worm, >> meaning it self-replicates." >> >> Article link - >> https://arstechnica.com/security/2024/01/a-previously-unknown-worm-ha >> s-been-stealthily-targeting-linux-devices-for-a-year/ >> >> Sent with [Proton Mail](https://proton.me/) secure email. > >