The impact is that 20% of Sweden's food supply is locked out. This is larger than what it seems, not just for Swedish meatballs - the underlying Kaseya hack is global.
It's truly scary that you can get into these kinds of situations (completely relying on a 3rd party IT), but it's also very costly to have a doubled setup :/
Once, while working at a large grocery store, we lost power. The emergency lights came on, but all the cash registers stopped working. One of the managers ran to the back of the store and returned with hand cranks that fit into the side of the cash registers. It was darker, but sales did not stop. The time required to re-train the cashiers was negligible.
This cyber attack will probably result in a doubling down of the same technology that put them into this position. Perhaps, in addition, they should look for a lower tech fall back approach.
A key point is remembering the reason for computerization & automation is efficiency.
The difference between less (manual) & more (computerized) efficiency is probably less important than the difference between stopping & continuing operations, in exceptional times.
Waffle House and Home Depot (among others) are pretty good at internalizing this, and have processes for running on shoestrings, but still running, until normal support can be restored.
Also these days I think you're legally required to use some sort of government fiscalisation service where each receipt is uploaded as issued or something like that.
In Norway the CEO (? I don't know his exact title) of the country's national bank has demanded that everyone keep supporting cash for the foreseeable future or face fines.
Not everyone is paying attention. I went past a shop in Tønsberg last week that had a sign saying that they do not accept cash. Quite a few buses here in Norway do not accept cash at the moment in order to reduce the driver's risk of catching COVID.
> May I ask why you want to know, and what you will do with this information?
Sure. The reason I asked was that I just want to get a feeling for who all you folks are. Also since I live in Horten it would have been the closest one I knew except people at work.
As for what I want to do with the information I guess it depended on the answer, but probably nothing.
If there was a place to meet HNers near home or work I'd probably visit it once a year or something (depending on how it turned out the first time).
It’s already effectively been done away with, and it would be a multi-year societal change to bring it back. I’ve been living in Sweden for four years, and I think that’s about the same number of times I’ve even seen a coin or note.
It's far more common in the US and I certainly see it on a regular basis. But, personally, I'll go months without using it and if I'm driving somewhere I'll have some cash in the car but don't usually carry it on my person.
That train has left the station a long time ago. In Sweden, debit cards are the most common payment method at stores. Most legit companies don't want cash. It just exposes a lot of people to the risk of being robbed.
Forgot to add... They want to be able to make anyone unable to buy anything at the click of a button. Sweden is pretty much there already so now we are hoping the government doesn't turn into fascism because then we are completely unable to do anything. Keep your guns, America.
Handling cash is expensive for stores. They need to store the cash safely in-store, deploy all kinds of security measures to prevent robberies and theft, use armored cars to transport to and from the bank, pay more in insurance, etc.
GDPR and other laws are supposed to stop that, and have worked out nicely according to audits. Stores are not allowed to keep your credit card number, just a reference number. (But a lot of clubs are now registered on the credit card so they can still connect a sale to a person without storing the credit card number.)
It was very common to rob money transfers back in the days. It kind of peaked around the big helicopter robbery +10 years ago. The use of cash has been on a decline for decades. The transports are never armed like in other countries. https://en.wikipedia.org/wiki/V%C3%A4stberga_helicopter_robb...
Agreed, pretty much every physical operation (stores, logistics, etc) should have plans to continue operating when their IT is down. Losing access to dynamic pricing and loyalty discounts is better than closing up entirely.
Any POS terminal should be able to work with power only. There’s probably a dusty manual somewhere telling you how to configure it for the store to enable it and allow the cashier to type in an amount owing and then hand to the customer and queue payments for upload when network connectivity comes back.
Might lose some payments to overdrafts or cancelled cards. But they lived with that with credit cards up until 2000ish.
Buy-on-board on Aircraft and trains take advantage of this.
Offline payments are baked into EMV payments. It can at least verify the PIN and that the card was valid at its last phone-home.
Why on earth should a member-owned structure be limited to some little store where everyone knows everyone? In the US some fairly large organizations, including juice makers Ocean Spray and outdoor chain REI, are co-ops.
Just because the organization is a co-op (of co-ops in the case of the overall parent org) doesn't mean it knows all members of the public that go shopping there.
It doesn't mean they socially know everyone that shows up, but every member would have paid some amount to buy (a) share(s), at least that's how coops work where I am. Plus accumulated dividends. That's a relative barrier to fraud if they decided to issue credit to members.
You could still hit them with fraud in this circumstance, but they have some kind of info printed on your card with your name on it and how long you've been a member, and somewhere in the background, a phone# and address.
If one wanted to commit retail crime, easier to just take stuff and walk out without paying.
> [..] more about downtime procedures that don’t have to be perfect [..]
Once, while waiting to check in for a British Airways flight from Manchester (UK), I noticed several large plastic boxes behind the check-in counters labelled "manual check-in".
Presumably someone at BA not only thought about but actually implemented a plan for how to check in passengers when (not if) all the check-in computers go down.
Coop were handing out bread here today like some disaster movie. But ICA and several other stores are still open so I really don't take this too seriously.
This is a classic case of layered outsourcing as I'd like to call it, and no redundancy. They'll learn.
That's overly dramatic. We just go to another company brand chain to shop. Plenty of those, so no worries, at least until all food shops run out of food... :)
They are victims of a ransom attack, it's spread through the software in the checkout tills.
There is a message on the client, for example on the till when you log in.
Yeah, rates are going up. There is a deficit of talent. There are plenty of people with relevant degrees, but they lack fundamental knowledge related to systems and code.
I think the talent is there, but the pay is lacking. Besides, no one has ever gotten a raise for carefully avoiding even the most common of vulnerabilities because that would only delay "the product".
The root problem seems to be that most businesses treat IT security as a cost center, rather than a value center.
How do I spend the least amount to get "security"? Rather than, what risk mitigation is appropriate for my business, and how can I gain value from approaching or exceeding that?
It feels like part of the problem is not blending IT security into a peer level with the Operations org, as that's what it functionally is to most companies these days, and looking at it from a revenue risk mitigation perspective makes more sense for funding it appropriately.
Increasing pay might protect your company, but every security expert you hire is a security expert that just quit another company. So in the end the world lacks security experts right now. The main way increasing pay would help is that more people would try to get into the field and supply of talent might be better in a few years, but it won't do much for supply today.
When you say the pay is lacking then I’m curious what region you refer to. I’m pretty certain that the pay isn’t lacking in Silicon Valley for example.
In my experience, in practice a software engineer salary in England is usually advertised in the range, or just below, other middle-class jobs, such as a solicitor.
If the security team is a blocker it might be that they’ve been brought in too late.
Security is everyone’s responsibility and creating an environment where it’s like this, and making it as easy as possible to get people to report stuff they see without playing the blame game is key to getting trust and demonstrating that togetherness.
There’s only really hate in them v us type environments (I’ve seen it also in other cross team interactions like Dev v Ops for e.g.) or security teams blindly giving teams lists of controls to implement without having even done any kind of risk assessment with the asset owner (and quite possibly without taking other business risk priorities into account).
As for convincing non-technical staff of the importance: The technical vulnerability (or whatever) needs relaying in business risk terms they can understand.
Really? What kind of staff are you talking about and what new implementations did they resist you on? And why?
I'm curious cause while I'm not on my company's security team, due to heightened awareness and wanting to ensure we're protecting our trade secrets, etc, we've ramped up security in basically every way across the entire organization, and it's been basically a pleasant ride internally for all few thousand members of the company across the globe. The technical teams (dev, support) had some speed bumps, but after a frank discussion with IT Security about what our need was and why it wasn't being met, we found acceptable new routes. If anything, we've used the locking down of potential security risks as a leap-board to overhaul and optimize a LOT of workflows for the better.
Our customers now, that's another story, and it's like trying to make a pet take medicine. Our largest customers are fine and understand (even appreciating) the security changes we made for our interactions, but a lot of the small business customers only care about the fact that they can't do what they previously used to in some cases.
But I'm fairly curious what resistance people are seeing from their implementations and what these implementations are.
Like any other department, when security is too isolated from others, it creates a culture of perverse incentives and competition rather than collaboration to a shared goal.
For example, try building a new website for a company, only to have the security team insist that you fix "defects" such as not tying sessions to IP addresses. Yeah, fuck all the people on mobile phones hopping between networks. It would make sense for accessing internal data, but not for what amounted to a marketing site for public consumption.
Like I said at the open, this can happen with any department or team - security, I think, might tend to happen a little more frequently, if only because it is logical that they do need a certain amount of autonomy to do their jobs well.
No hate. I am an enabler. I help our teams do what they need to do to move forward securely. When there is an issue, I respond to the event then quickly contain and remediate so business can continue. It is part of my job to help them understand this.
Hate is reserved for the "if checkbox is not checked we kill your project by end of week" and "the form doesn't have (client-side) validation, that's an OWASP vulnerability" kind of "pentest" teams. People who don't even reply when you're asking which threat model we're defending against.
> often lumped in with all engineering as a category.
In recent years I’ve seen no evidence “Infosec people” are worth more than general engineers, and quite a lot that they are worth considerably less. And yes, this is when it comes to security matters.
The industry, as far as I can tell, is about 80% chancers who got into Infosec because they couldn’t cut it creating software.
This is similar to my experience. About 95% of security folks I interact with are compliance folks to audit and make sure checklists are done.
The other 5% are super smart and are basically engineers who specialize in security.
I feel like many cyber people get certs and then hope for nothing bad to happen. When something bad happens, they claim that someone else didn’t do something right or get fired and move on.
A method to transition people from related fields would be the most beneficial. Taking someone with a background in systems administration or programming and nailing on the security skillset would be more effective than taking someone who knows all security concepts and that's it.
The best way for a practitioner to personally capitalize depends on their background. For instance, someone with infrastructure support experience may make an excellent incident responder. Someone who deeply understands how systems work could be a talented pentester.
Edit:
From a compensation perspective the solution is to take your growing experience to the next company willing to pay for it.
The problem is it isn’t about nailing on the security skillset. It’s about executive motivation. “Security” is all about doing enough to shift liability and nothing more. Until executives are liable for security breaches this will continue.
Actually, this smells a lot like a financing decision. Delay near term revenue to ultimately land a bigger purse down the line with additional features or bugs squashed provided the competition doesn’t beat us to the finish line. As the enterprise grows (customers/features -> lines of code) the liability associated with an attack increases—suggesting more care is needed with every release. And, knowing that you cannot keep up with scale by adding workers in parallel implies the following unsubstantiated claim:
As a piece of software grows in length, the releases must be fewer and further apart. Otherwise, the team is taking shortcuts and the liability will eventually catch up with them.
With that framework in mind: if large software company X stretches out their release schedule, their share price will fall, eventually appealing to activists who want to control/replace leadership (ironically for doing the right thing).
I’m a true and through capitalist—please don’t get me wrong, but this is creative destruction at its finest!
What makes you believe you can run a unicorn size organization and not see its general level of quality for the employee/customer become shitty like the rest?
I’m interested in transitioning from electrical hardware design to an info sec role. Any tips? I’m already doing some coursera work and going through everything on tryhackme. My goal is to get a few industry certs under my belt and then start applying for jobs.
That sounds about right - don’t despise small beginnings, you will likely need to work a few stints as an L1 SOC analyst to start getting a feel for what the problem set and processes are really like, but the smart L1s can usually progress rapidly.
If you find yourself in a SOC where everyone is stressed out and nobody has any mobility, learn what you can then move on.
This really isn't all that hard, technically. (I've been in infosec for about 20 years now)
1. MFA all the things
2. don't disable windows updates
3. don't give Domain Admin rights to half the company
4. don't use shitty software
For some reason, companies refuse to do these simple steps, and then they get hacked. It's not a technical problem, it's a political problem. Sysadmins naturally want to run their networks in the least secure way possible, and in shitty orgs, there's no one there to stop them. Over and over again, it's the same thing, and it's hard to have sympathy when standard security posture seems to be getting more and more lax as time goes on.
You do realize the implication given by step 2 and point 4 is a contradiction in itself :-) ?
Most large corporate ransomware attacks spread by hosting into the Active Directory Domain server. It will slowly spread to each corporate machine as the users log in.
It seems this was the way Software AG, the second largest German software company, was hit by Clop.
As they did not pay the ransom their private emails are available on the internet, scans of their CEO passport etc...
Maybe ransomware gangs will finally prompt the industry to fix security practices... Also, maybe the technical stack that most companies hit by these ransomware attacks use should be mentioned every time we see these news ;-)
> You do realize the implication given by step 2 and point 4 are a contradiction in itself :-) ?
Absolutely. Microsoft is a mess. I could go on for hours about how Windows networks are fundamentally insecure, and cannot be fixed without a massive psychological shift. Sysadmins love it though for some reason, probably because it gives them way more power than they should ever need over their users.
I love hearing war stories from people who worked offense at places like Google, with almost zero AD footprint. Even the most basic attacks take SOOO much more effort. I would love it if a ChromeOS centric Zero Trust model actually became a thing, but it's not going to happen naturally. Maybe if we let all these ransomwared companies fail spectacularly, and refuse to bail them out, then the only companies that will be left will be those who care.
Unfortunately telling people not to use Windows rarely goes over well. To that main point, as bad as Microsoft is, there are so many companies that are so much worse. This Kaseya thing is essentially a rootkit with shitty authentication. Installing this thing on endpoints is a fundamentally flawed concept, yet here we are.
I don't know all the details, but for SSO think about how you log into GMail. They enforce U2F and I'm pretty sure special certs get deployed to client machines.
As for machine administration, it's ChromeOS, what needs administration? Just keep logs of auth and app usage on the server side and you have all the logs you ever need to track down bad behavior. Nothing can be installed on a majority of client systems, and nothing needs to be installed, as it should be.
Why was this predicted a year ago by NGOs [1]? Do they have some special insight into this that cyber security specialists didn't? Are these kinds of supply-chain attacks at this scale new, or newly enabled? Is this a technically impressive attack, or is this just a bunch of backdoors?
Quotes below are from a different article from a source that HN won't let me post. Looks like only conspiracy theory sites are applying any scrutiny to this.
> "The simulation, called Cyber Polygon 2021, was announced by Russia’s largest state-run bank Sberbank in February.
> “The key message voiced by experts at WEF and other international platforms is that supply chain security is to become a major cybersecurity issue in 2021,” Sberbank stated. "
Always thought this to be an attempt to tap into a wider market, but maybe this is the next step after making the main target less attractive for attackers.
I think you'll find that it varies throughout the world. In Sweden, I've been to a couple of restaurants when their payment network was down and had it not been for them also being hooked up to the Swish app (which is connected to a separate payment network), no one during those lunch seatings would've been able to pay at all (both of these were cash-less restaurants, which are super common in Sweden, where almost no one uses cash anymore, sadly*).
Just to give you a picture of how seldom we come into contact with cash here: The Swedish Central Bank redesigned the artwork and form factor of the hard currency here, I think even introduced some new denominations, back in 2015. 6 years later, I still haven't seen or touched one of these new bills or coins out in the wild. That's how much people use cash here.
*: I may lament it, but I'm the same. It's so damn convenient, but I am of course aware of the drawbacks.
> I've been to a couple of restaurants when their payment network was down
Visa and MasterCard EMV have offline transactions baked in. Your bank could disable it on your card, but then you wouldn’t be able to buy a beer on an airplane.
I’m not sure if all terminals can be configured this way (or more likely, if anyone nearby would know how), but the functionality is baked into the visa and MasterCard standards.
But it seems like there’s only a few manufacturers of payment terminals out there and they just interface to the POS.
That's a traditional payment system where you hand off your card to some waiter who then sketchily takes off with it and does who-knows-what with it and returns it along with your receipt.
The modern ones have these portable card terminals that are chip+PIN only. These customers would have to come back another day to pay.
I would think that in a grocery store, the registers are deeply integrated with the inventory control. That's not needed in a restaurant, registers just collect cash/card.
So, in the former, catching up is much harder - you might need to take an inventory if the outage is lengthy, which is a PITA. The requirements probably didn't include offline mode.
It's not given that the cashier machines are the reason they are staying closed. Coop has a database that maps all items they sell to the corresponding price. What if they aren't sure about the integrity of it, and the possible offline copies that the stores have. That would be a very good reason to keep closed. After all, you wouldn't want to sell steak for the price of potatoes.
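The comment above raises the question of whether a store can trust its offline copy of the price database after an incident. As an added example (not code from the thread or from Coop), the block below signs a canonical serialization of a price catalog with an HMAC key held by head office, so a register can verify its local copy before reopening and list exactly which items differ. The catalog, key and item names are constructed for illustration; a real deployment would prefer an asymmetric signature (e.g. Ed25519) so that registers hold only a public key, which the standard library does not provide, hence the HMAC here.

```python
"""Verify the integrity of an offline price catalog before a register uses it.

Added example, not Coop's code. HMAC-SHA256 over a canonical JSON form of the
catalog; the key is assumed to be held only by head office's signing service
and by the register's verification module (shared-secret model).
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample data: SKU -> price in öre (1/100 SEK).
SAMPLE_CATALOG: dict[str, int] = {
    "steak-500g": 14900,
    "potatoes-2kg": 2990,
    "milk-1l": 1490,
}
# Constructed demo key; in practice loaded from a key store, never hard-coded.
DEMO_KEY = b"constructed-demo-signing-key"


def canonical(catalog: dict[str, int]) -> bytes:
    """Deterministic bytes for the catalog: sorted keys, no whitespace, so the
    same prices always produce the same tag regardless of dict ordering."""
    return json.dumps(catalog, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_catalog(catalog: dict[str, int], key: bytes) -> str:
    """Produce the authentication tag head office ships alongside the catalog."""
    return hmac.new(key, canonical(catalog), hashlib.sha256).hexdigest()


def verify_catalog(catalog: dict[str, int], tag: str, key: bytes) -> bool:
    """True only if the local copy matches what head office signed.
    compare_digest avoids leaking information through comparison timing."""
    expected = sign_catalog(catalog, key)
    return hmac.compare_digest(expected, tag)


def find_tampered_items(trusted: dict[str, int], suspect: dict[str, int]) -> list[str]:
    """List SKUs whose price differs, or that were added/removed, in the suspect copy.
    Useful once verification fails and staff need to know what changed."""
    skus = set(trusted) | set(suspect)
    return sorted(sku for sku in skus if trusted.get(sku) != suspect.get(sku))


def register_startup_check(local_copy: dict[str, int], shipped_tag: str, key: bytes) -> str:
    """What a register would do on boot: refuse to trade on an unverifiable catalog."""
    if verify_catalog(local_copy, shipped_tag, key):
        return "ok"
    return "refuse-to-open"


if __name__ == "__main__":
    tag = sign_catalog(SAMPLE_CATALOG, DEMO_KEY)
    tampered = dict(SAMPLE_CATALOG, **{"steak-500g": 2990})  # steak at potato price
    print("intact copy:", register_startup_check(SAMPLE_CATALOG, tag, DEMO_KEY))
    print("tampered copy:", register_startup_check(tampered, tag, DEMO_KEY))
    print("changed items:", find_tampered_items(SAMPLE_CATALOG, tampered))
```

The check is deliberately all-or-nothing: a register that cannot verify its copy refuses to open rather than guessing which prices are right, which is the position the comment describes.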
It isn't that long since I've seen Norwegian cashier machines running in offline mode. While Norway isn't Sweden, I'm under the impression that our payment systems are almost identical.
In Sweden pretty much everything is done online in these kinds of businesses. And I don't think you can do it in another way since it is a bit of a franchise model.
I don’t even know which denominations our cash uses now. For example is there a 100 bill or was it replaced with the 200?
But as we see here it doesn’t matter whether I use cash since stores close when the systems go offline anyway. I doubt they’d even set up a cash fallback if this continues for months.
Sweden uses Krona, Spain uses Euro. You might have a few Euro lying around for when you travel (most likely you just get some at the airport just before boarding to Spain), but in Sweden Euro is almost useless.
I guess you're too young to remember when ALL transactions involved trust. Cheques didn't even have any kind of verification whatsoever, you just handed them out and the shops had to just hope they would clear... if they did not, the payee could obviously get into trouble with the law, but criminals still found creative ways to get away with it... watch the movie "Catch me if you can" to see one of the most entertaining abuses of cheques in history.
Once the transaction goes through your account at the bank (in case of debit) will be overdrawn and the bank will charge a penalty sum/interest as well as asking you to put funds in to get it back to a positive balance again.
Almost all Visa/Mastercard cards support this. It's actually better with chip cards since they're MCUs, capable of storing data including offline 'credit limits' and tabulating how much has been debited offline. Can verify PINs offline too.
When you buy food/beer on a plane/train, this is probably happening. Ryanair would rather eat the cost of a fraudulent payment than pay for data and slow down their salespeople.
When I paid with a semi-broken machine recently, I actually had to sign a slip. I think the machine just read my IBAN as if the chip was a magnet strip. The offline credit limits are more of an optimization.
That would be more than the number actually branded as Coop which is 665 [1] so yeah that'd be all of them plus some of their acquisitions like the 165 Nettos [2]. Sweden is a country of only 10 million by the way.
This is not that hard. Each store can keep a local record of what is going on. Back in the "dark ages" this was done anyway, credit card transactions were settled at the end of the day. Inventory at a physical location can be tracked locally and updates sent to a central system later to figure out what needs to be restocked where.
Unlike other distributed databases you don't have one store selling an item of food from another store (especially if your online system is down) and need to do a split brain recomp.
Enough people rely on debit cards nowadays that only work online that it would still cause significant disruption. Enough that it's probably not worth keeping the stores open until it can be fixed.
I don't even know a single person with a credit card here. Everything is done with debit cards which require being online to check the balance and reject the transaction if it's insufficient.
In Sweden they don't - at least not on the debit cards, which are common. They also just removed the holder's signature field too, nobody ever uses that (it's authenticated with pin + optional ID).
There are a couple of approaches that could involve multiple payment providers over redundant networks so switch to something else.
For inventory, since it’s likely only temporary transactions can be stored locally and then synced when back online.
Theoretically the design could be distributed all the time and just keep working the same while disconnected with some potential reorders and restocks slowed down or delayed.
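Several comments above describe the same mechanism from different angles: a per-card offline spending limit tracked on the terminal, a local journal that settles at end of day, and inventory or payment records stored locally and synced once the network returns. The block below is an added example (not code from any commenter, Coop or a terminal vendor) of that store-and-forward pattern in one place: a register authorizes against an assumed per-card offline limit, appends each sale to a journal, and later replays pending entries to a head-office endpoint that deduplicates by sale ID so a retried upload never double-counts. Card tokens, limits and the flaky upload are constructed for the demonstration.

```python
"""Store-and-forward POS journal: keep trading while payment and head-office
networks are down, then sync safely when connectivity returns.

Added example, not a real terminal's or Coop's code. Assumptions: the card is
represented by an opaque token (never the PAN), the offline limit per card is a
policy value, and head office accepts duplicate uploads idempotently.
"""
from __future__ import annotations

import json
import uuid
from dataclasses import asdict, dataclass
from typing import Callable, Optional


@dataclass
class Sale:
    sale_id: str          # unique per sale; the idempotency key for uploads
    card_token: str       # opaque token from the terminal, not card data
    amount_cents: int
    status: str = "pending"   # pending -> uploaded


class OfflineRegister:
    """A register that authorizes offline within a per-card limit and journals sales."""

    def __init__(self, per_card_offline_limit_cents: int) -> None:
        self.limit = per_card_offline_limit_cents
        self.journal: list[Sale] = []
        self.offline_spent: dict[str, int] = {}   # mirrors the card's offline counter

    def authorize_offline(self, card_token: str, amount_cents: int) -> Optional[Sale]:
        """Approve the sale only if this card's accumulated offline spend stays
        under the limit; otherwise decline (the customer must pay another way)."""
        spent = self.offline_spent.get(card_token, 0)
        if amount_cents <= 0 or spent + amount_cents > self.limit:
            return None
        self.offline_spent[card_token] = spent + amount_cents
        sale = Sale(sale_id=str(uuid.uuid4()), card_token=card_token, amount_cents=amount_cents)
        self.journal.append(sale)
        return sale

    def pending(self) -> list[Sale]:
        return [s for s in self.journal if s.status == "pending"]

    def sync(self, upload: Callable[[dict], bool]) -> int:
        """Replay pending sales through `upload`; each entry is marked uploaded only
        after a successful call, so a failed or interrupted sync is simply retried."""
        uploaded = 0
        for sale in self.pending():
            if upload(asdict(sale)):
                sale.status = "uploaded"
                uploaded += 1
        return uploaded

    def to_json(self) -> str:
        """Serialize the journal so it survives a register reboot."""
        return json.dumps([asdict(s) for s in self.journal])


class HeadOffice:
    """Receiving side: deduplicates by sale_id, so a retried upload is harmless."""

    def __init__(self) -> None:
        self.settled: dict[str, dict] = {}

    def receive(self, sale: dict) -> bool:
        self.settled.setdefault(sale["sale_id"], sale)   # second copy is ignored
        return True

    def total_cents(self) -> int:
        return sum(s["amount_cents"] for s in self.settled.values())


def demo() -> dict:
    """Run one outage: two cards, one over-limit decline, a first upload that
    fails mid-way, then a successful retry. Returns figures for inspection."""
    register = OfflineRegister(per_card_offline_limit_cents=5000)
    office = HeadOffice()
    register.authorize_offline("tok-A", 3000)
    declined = register.authorize_offline("tok-A", 3000) is None   # 6000 > 5000
    register.authorize_offline("tok-B", 2500)

    calls = {"n": 0}

    def flaky_upload(sale: dict) -> bool:
        calls["n"] += 1
        if calls["n"] == 1:        # constructed: network drops on the first attempt
            return False
        return office.receive(sale)

    first = register.sync(flaky_upload)
    second = register.sync(flaky_upload)
    return {"declined": declined, "first_sync": first, "second_sync": second,
            "settled": len(office.settled), "total": office.total_cents()}


if __name__ == "__main__":
    print(demo())
```

The two properties worth noting are that the register never marks a sale uploaded until head office has acknowledged it, and that head office keys on `sale_id`, so the retry after a dropped connection neither loses nor duplicates a sale; that pairing is what makes "store locally and sync later" safe rather than merely convenient.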
They'd have to make that very clear at the entrance to the store. This is just a guess, but I think most Swedes don't carry enough cash to even pay for groceries when they go shopping. I haven't had any paper money in years, just a few coins.
But if the store in question would accept cash, then it could at least serve some of its customers. I expect it would not only be 15% of the customers. I would add those customers who are, you know, a little capable of adapting to circumstances and would actually go to their ATM to pick up some cash if they don't have any in their wallet. If not, I guess they don't need those groceries so urgently.
I think you're underestimating how little we use cash. There aren't even ATMs in some parts of town and there are plenty of villages without one for tens of miles. Nobody uses cash anymore. It's all either debit cards or direct transfers (either via an app or the bank.)
Treat it as "card not present". Write down the card number, expiration, cvv, name, and zip or equivalent. Get a signature and process it later. If you can't process it later, your system design is flawed.
People are quite loyal to their grocery store. The shut down means all of their customers are forced to try out another grocery store, could hit them hard long-term.
I downvoted this comment, mostly for the tone and attitude of the edit.
I get that downvotes are frustrating, especially when you don’t understand why you’re receiving them. I think your edit is generally not a constructive or helpful response to that.
If the original comment was "What is the Coop store and why is it bad?", that's just a reasonable question. The answer being, "Sometimes they are the only nearby store."
Coop is the "Major Swedish supermarket hit by cyberattack" and it's not bad but they are posting alternatives because all Coop are closed due to the attack.
Governments of Canada and Hong Kong do tests against public IP space with the same country code. Results are not what one would expect - just a bunch of noise is sent to CISOs, mostly about uh-oh your NTP server is wide open (it is not in fact). Usefulness of those tests is very questionable.
It's equally possible for a company's security team to do a shit job, that doesn't mean companies should not think about security. If those governments are doing a shit job it's an argument against doing it badly, not against doing it.
Kaseya VSA, an RMM tool, has been attacked, creating a supply-chain attack against many, many MSPs and other customers using Kaseya. In part you could say that this is due to compromised Windows servers, but IMO that's a sloppy description that invites theories about the problem being Windows security. The problem here is Kaseya's security and a supply-chain attack isn't unique to Windows.
[An MSP (Managed Service Provider)] makes experts in lower-wage locations available to companies in high-cost place. An MSP can replace a company's IT department entirely, or provide a single niche service. The industry is evolving to provide expertise to all points of the globe and makes cutting-edge technology available at a low price. [0]
Note: It's interesting that the above quote, copied directly from the DDG search for "MSP", differs from what is currently at the url listed in the search item.
Why is MFA supposed to be so much more secure? Aren’t they just sending an authentication hash just like password only? Haven’t these solutions been hacked too? Or am I missing something?
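The question above is what a second factor actually transmits. As an added example (not code from the thread), the block below implements the time-based one-time password algorithm from RFC 6238 on top of RFC 4226 HOTP: the code sent over the wire is an HMAC of the current 30-second counter under a secret that never leaves the device and the server, so it is not a reusable hash of a password. The verifier also tracks the last accepted counter, which is what stops a code captured by a phisher or keylogger from being replayed once the window passes. The secret is the RFC's published test value, so the outputs can be checked against the RFC's Appendix B table.

```python
"""TOTP (RFC 6238) with replay protection, as an illustration of why a one-time
code is not "just a password hash". Added example, not from the thread.

Assumptions: SHA-1 HMAC (the RFC default), 30-second step, and that the server
persists `last_counter` per user between verifications.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); constructed
# deployments generate a random secret per user instead.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate,
    and reduce modulo 10**digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                digits: int = 6, step: int = STEP_SECONDS, window: int = 1) -> Optional[int]:
    """Server-side check. Accepts a code for the current step or `window` steps
    either side (clock drift), but never for a counter at or below the last one
    already used, so an intercepted code cannot be replayed. Returns the accepted
    counter (to be stored as the new last_counter) or None."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Values here match RFC 6238 Appendix B for SHA-1, 8 digits.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))
    code = totp(RFC_TEST_SECRET, 59, digits=8)
    used = verify_totp(RFC_TEST_SECRET, code, 59, last_counter=-1, digits=8)
    print("first use accepted at counter", used)
    print("replay accepted?", verify_totp(RFC_TEST_SECRET, code, 70, last_counter=used, digits=8))
    print("accepted 5 minutes later?", verify_totp(RFC_TEST_SECRET, code, 59 + 300, last_counter=-1, digits=8))
```

Two caveats the code makes visible: the server still holds the shared secret, so a database breach exposes it (hardware keys such as U2F, mentioned elsewhere in the thread, avoid this by using per-site key pairs), and a code is valid for a short window, so real-time phishing relays remain possible; what MFA removes is the durable value of a stolen password.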
Cryptocurrencies need to be banned to help stop these attacks. If corporations in the West cannot buy the coins legally, they will not be able to pay the ransoms, and the attack frequency and intensity will fall.
On top of that, we'll also reduce electricity and computer chip waste, since mining activity will decrease as the price plummets.
It's a lot harder to justify huge attacks when your payment is in gift cards, compared to semi-anonymous crypto that can be cashed out in your 2nd world country of choice.
It’s already of dubious legality in some situations, like in the instance that the criminal organization is sanctioned. But, corporations are often not paying these ransoms directly, they hire an intermediary to pay it for them. If the west bans crypto, those intermediaries will just fly an employee to wherever they can send it.
https://www.voanews.com/europe/major-swedish-supermarket-cha...