This article makes so many unfounded assumptions in order to make a point.
> Presumably they are going to immediately make themselves admin, or wire all your bitcoin to their account.
Attackers running scams like a sophisticated BEC will lay dormant for long stretches of time to gather information before acting. Sure, they can export the emails and set up auto-forward rules to maintain visibility when the session expires, but they've now made a lot more noise to detect on. I've seen threat actors view mailboxes once a day for months before they launch this scam.
> Also, it would be better to protect against this by securing the logs or using hard drive encryption.
Of course it would, but often it's not. It's that simple. It's crazy to think the person responsible for writing a secure app is also the one making decisions on endpoint encryption.
> some applications are used strictly within an company from company devices
Some are, lots are not. This reads like someone who has worked in enterprise environments with well funded security teams, not a small business with one IT guy running the show.
> But even then, the attacker could install a browser extension that sends your credentials to them the next time you log in.
This contradicts the rest of the article. Why is a company securing logs, encrypting disks, locking down where users can access apps, but then allowing anyone to install browser extensions?
I agree that short sessions are not the quick fix that some devs make them out to be, but the author is ruling out a perfectly acceptable control based on an imaginary end user setup.
Again, completely untrue. Automatic unfair dismissal does not have a minimum tenure to be applicable. Here [1] is a handy list of protections that do not require two years. You've also conveniently ignored all the other benefits in that list that are not available in the US.
You've already been corrected by someone else on the unemployment benefits so I'll not waste time repeating that.
The UK has a lot of problems, but downplaying workers rights in comparison to the states is a strange hill to die on.
Can you elaborate more on how the UK's workers rights are "literally worse than the US"? I would say things like statutory sick pay, mandatory holiday allowance, protection from unfair dismissal and the right to uninterrupted breaks are all pretty progressive compared to the States.
This article is from 2019, but it was my recent experiences with autocorrect which led me to finding this. My phone will occasionally have a few days of complete autocorrect meltdown (words completely out of context, random capitalisation, Spanish?) before normal service resumes.
There are countless reports, studies, Gov intel briefings, even whole books, all pointing towards Russia and neighboring countries being a huge exporter of these style of attacks. I'm not saying ALL ransomware is from that region, but the industry agrees that a huge percentage is.
Do you have something to the contrary, or is this just a hunch?
An organization going out of business isn't just a case of bad management being eliminated.
I wrote that line thinking of the clients I've worked with who've been hit by ransomware and didn't realize IT were not doing their job until it was too late. In some cases it's a failure on their part - not investing enough time or resources and seeing IT as "the guy who installs windows". More often than not, they were assured it was taken care of. I don't expect a manager of a car dealership to know if their Exchange server is running recent patches. If companies like SolarWinds and Kaseya can get popped and compromise their downstream customers, think of the number of small MSPs causing that same issue every day. I don't think a business should go under with people losing their jobs because IT screwed up.
We would be better off without leadership who take no interest in security, and once a company is hit with a 100k ransomware bill you can bet they'll care going forward.
While I agree with the sentiment around not paying, I don't think it's as simple as that. Calling on law enforcement to "track down the adversary" is not easy, and when you track it back to a random Russian cybercrime group what can you do with that information?
A lot of these payments are not fortune 500 companies with unlimited IT budget, it's small or medium businesses with a 3 person IT team. Should they have proper off-site backups? Yes. Should we just let these companies go out of business until organizations learn their lesson? I would say no.
I really like the idea of making payment more difficult and mandating organizations to report these incidents. You're correct, companies do have the incentive to cover things up. Banning payment won't stop that.
I'm interested to see how people will circumvent this if the bill passes. If you pay a third-party company who "deal with the issue" on your behalf, all under legal privilege of course, would you still need to report?
> Presumably they are going to immediately make themselves admin, or wire all your bitcoin to their account.
Attackers running scams like a sophisticated BEC will lay dormant for long stretches of time to gather information before acting. Sure, they can export the emails and set up auto-forward rules to maintain visibility when the session expires, but they've now made a lot more noise to detect on. I've seen threat actors view mailboxes once a day for months before they launch this scam.
> Also, it would be better to protect against this by securing the logs or using hard drive encryption.
Of course it would, but often it's not. It's that simple. It's crazy to think the person responsible for writing a secure app is also the one making decisions on endpoint encryption.
> some applications are used strictly within an company from company devices
Some are, lots are not. This reads like someone who has worked in enterprise environments with well funded security teams, not a small business with one IT guy running the show.
> But even then, the attacker could install a browser extension that sends your credentials to them the next time you log in.
This contradicts the rest of the article. Why is a company securing logs, encrypting disks, locking down where users can access apps, but then allowing anyone to install browser extensions?
I agree that short sessions are not the quick fix that some devs make them out to be, but the author is ruling out a perfectly acceptable control based on an imaginary end user setup.