#31
08-03-2020, 10:43 AM
benb
Senior Member
Join Date: Apr 2007
Location: Eastern MA
Posts: 9,866
Quote:
Originally Posted by FlashUNC:
After using Garmin's software for years as an end-user (Hello Garmin Connect) I can absolutely believe their back-end IT was similarly awful. If what they put in front of paying customers was garbage, I can only imagine what their in-house stuff was like.
WastedLocker is Windows malware; the only way it can take down everything is if the entire setup is that homogeneous.

Maybe if you work in small businesses outside of tech or something, it is conceivable that you can see your whole office running on Windows, with backups on Windows, your website hosted on some Windows server in the corner, etc.; the phones are some Windows solution that plugs into a USB port on a Windows machine, etc.

It's almost inconceivable a place like Garmin could be like that... they are a large hardware + software OEM. You literally cannot do what they do with a setup that basic and homogeneous.

Windows malware just doesn't do anything to non-Windows stuff.

The problems that you have to solve to design & build GPS units & all the software that runs on them and a giant cloud platform that handles hundreds of thousands of users concurrently are just incredibly different than running a law firm or accounting firm or something like that... the variety and sophistication of computer systems you need is incredibly different.

If they were that incompetent they would have failed at their business so long ago this wouldn't even be a story. The whole thing collapses because of your own internal incompetence.

Last edited by benb; 08-03-2020 at 10:45 AM.
#32
08-03-2020, 10:43 AM
Charles M
PezTech
Join Date: Jul 2007
Location: AZ
Posts: 3,428
Any good kidnapper will hand back the kid if paid... It's a good business for these folks. Shame they couldn't find another way.
__________________
charles@pezcyclingnews.com
#33
08-03-2020, 11:10 AM
PaMtbRider
Senior Member
Join Date: Mar 2007
Location: York, Pa.
Posts: 2,398
Our IT department sends out sporadic phishing emails. If an employee responds to one, they have to sit through more training.
#34
08-03-2020, 11:18 AM
Cantdog
Senior Member
Join Date: Apr 2005
Posts: 618
Quote:
Originally Posted by steveandbarb1:
What the heck is our NSA doing? This is such massive exposure to US companies (Garmin is a large MIL provider and of course airlines). Just firing a bunch of people and setting up new corporate policies won't work; all they need is one key in.
Spying on citizens?
#35
08-03-2020, 11:21 AM
FlashUNC
Senior Member
Join Date: Apr 2008
Location: Berkeley, CA
Posts: 14,452
Quote:
Originally Posted by benb:
WastedLocker is Windows malware; the only way it can take down everything is if the entire setup is that homogeneous.

Maybe if you work in small businesses outside of tech or something, it is conceivable that you can see your whole office running on Windows, with backups on Windows, your website hosted on some Windows server in the corner, etc.; the phones are some Windows solution that plugs into a USB port on a Windows machine, etc.

It's almost inconceivable a place like Garmin could be like that... they are a large hardware + software OEM. You literally cannot do what they do with a setup that basic and homogeneous.

Windows malware just doesn't do anything to non-Windows stuff.

The problems that you have to solve to design & build GPS units & all the software that runs on them and a giant cloud platform that handles hundreds of thousands of users concurrently are just incredibly different than running a law firm or accounting firm or something like that... the variety and sophistication of computer systems you need is incredibly different.

If they were that incompetent they would have failed at their business so long ago this wouldn't even be a story. The whole thing collapses because of your own internal incompetence.
These are the same folks who told a regular fellow Saturday club ride attendee, when warrantying his third set of Vector power pedals in six months, that the faulty spring in the battery compartment that provides tension for contact was improperly designed and "yeah, they just stop working sooner or later."

This crew can't get a two cent spring right in their marquee power pedal, I can only imagine the kind of IT infrastructure they've got.
#36
08-03-2020, 11:33 AM
robt57
NJ/NashV/PDX
Join Date: Nov 2012
Location: PDX
Posts: 8,441
Johnny Dangerously:

"Don't forget, crime doesn't pay... Well, it paid a little!"
__________________
This foot tastes terrible!
#37
08-03-2020, 11:56 AM
unterhausen
Randomhead
Join Date: Dec 2013
Location: Happy Valley, Pennsylvania
Posts: 6,957
The people with experience in this field who are saying Garmin couldn't have been 100% Windows have apparently never owned a Garmin product. Because I find it believable.
#38
08-03-2020, 12:08 PM
BobbyJones
Senior Member
Join Date: Sep 2009
Posts: 2,342
Quote:
Originally Posted by kppolich:
At every tech company I have worked at, these trainings have been mandatory for all employees, not just for those with exclusive network access. I've been doing digital project management stuff for a while now and dealt with large clients like Wells Fargo, Pfizer, etc., and I'm still never surprised by anything that comes across my desk. Reason: Marketing gets the budget, IT gets the scraps.
And Compliance has to fight it out with both!
#39
08-03-2020, 12:14 PM
reuben
Senior Member
Join Date: Jun 2020
Location: The Land of Pleasant Living
Posts: 5,015
Quote:
Originally Posted by steveandbarb1:
What the heck is our NSA doing?
Quite a lot, actually. Just because they alert corporations and other government agencies of vulnerabilities doesn't mean that those corporations or agencies patch the holes. As noted elsewhere in this thread, it costs time and money. Management makes decisions regarding priorities and spending. Sometimes those decisions backfire.

The President is well known to use an unsecured (not hardened) iPhone, but who can make him change?

Quote:
Originally Posted by steveandbarb1:
Since then, we've spent a large sum trying to keep our system free from outside hacking. Nearly every consultant we've engaged has said there's little way to fully prevent it, and it's better to put resources into developing a parallel system and backing up data frequently. Given hacks of Twitter, Facebook and even Garmin, it seems they're correct that no system is impenetrable.
This is true. Stay up to date, create backups in other offline areas.
__________________
It's not an adventure until something goes wrong. - Yvon C.
#40
08-03-2020, 12:22 PM
benb
Senior Member
Join Date: Apr 2007
Location: Eastern MA
Posts: 9,866
Quote:
Originally Posted by unterhausen:
The people with experience in this field who are saying Garmin couldn't have been 100% Windows have apparently never owned a Garmin product. Because I find it believable.
Never speak in absolutes.

Garmin ships iOS software and Mac software, therefore it is incredibly unlikely they're 100% Windows, as there's nothing but extreme fringe options for developing software for Apple platforms without developing on Macs.

Also, it's completely obvious from job postings that they run Connect in Microsoft's Azure cloud platform, most likely in containers. That is Windows, but it's not going to be affected by this kind of ransomware stuff, or it would be all over the news in a way bigger way, as massive swaths of companies would be down.

On top of that if Connect is in Azure in a containerized setup it would take minutes, not even hours to restart the whole thing and erase everything hackers did. That's just the way cloud deployments work. You typically would have to go out of your way as an IT shop to defeat the multiple layers of security those platforms start with. You start out opening an Account and Amazon/Google/Microsoft has already applied rings of security to your setup before you even start.

Most of Garmin's quality issues have to do with them having WAY too many models IMO. The number of different models they have to keep working is totally insane. After all these years they are still in the same situation as say Samsung and still can't grasp that Apple's model is the one that works. A very small # of devices that you concentrate on and polish till they work exceptionally well has completely defeated the model of vomiting an ever increasing # of models out on the market that you never get working right and abandon and hope the users just shovel out for the next one.

Ransomware could be part of what happened, but it just has to be a very small part of a larger attack to have accomplished what happened.

I'd believe there were inside IT employees paid by the Russian hacking group or a sophisticated social engineering attack to help sabotage the company from within before I'd believe the news stories here that try to pin the whole thing on a single malware attack.

The recent Twitter hack that was so spectacular was social engineering: literally the hacker calling into the company impersonating an employee to get the ball rolling. Those are far more deadly than ransomware when it comes to these big corporate hacks.

Last edited by benb; 08-03-2020 at 12:27 PM.
#41
08-03-2020, 12:36 PM
NYCfixie
Senior Member
Join Date: Dec 2015
Location: 10065
Posts: 932
Quote:
Originally Posted by benb:
These articles are fun but as I said in the other threads they are just wild fun speculation from cycling journalists with little knowledge of computer systems or networks.
I also mentioned speculation earlier in this thread and I am glad more techies like myself are responding. For those not in the IT industry, one can see a theme in the posts from IT people:

- Anything you are currently reading is probably pure speculation
- You will not ever know the full story unless Garmin decides to have a 3rd party investigation and they release the full results
- It is unlikely 1 piece of ransomware/malware/etc. took down an entire company
- Backups/Disaster Recovery Plans/Hot Sites/Redundancy all depend on how they are set up and are not a panacea for all attacks
- Training end users is helpful but only part of a larger defensive plan

So, if you like Garmin products then continue to use them but continuing a conversation about what might have happened when nobody on this forum, or in the media, appears to have real information about the attack seems pointless IMHO.

Last edited by NYCfixie; 08-03-2020 at 12:38 PM.
#42
08-03-2020, 12:52 PM
Bostic
Senior Member
Join Date: Dec 2009
Posts: 668
I'm the IT Manager for the company I work for. I work closely with our Head of Security, and all hires have to watch the mandatory Security Awareness training. I verify all of them have multi-factor authentication enabled for their accounts. It's a work in progress to get everything locked behind 2FA, but the more the better. I also don't want users going with Approve/Deny versus having to manually enter the 6-digit code. Yes, it's slower, but it's more secure, and you would be surprised at the number of users that will just click Approve on their mobile phone even though they were not the one who initiated the request.

We will never know the extent of how bad it was with Garmin. From various sysadmin forums I frequent, the backups were encrypted as well. So unless you have cold backups that are written to and then taken offline, you are out of luck. Even then, the amount of time to restore is nothing trivial.

In my previous company there was so much bureaucracy, siloing between teams and levels of Management that everything fell upon deaf ears or was simply flat out ignored. "We don't have time for this, or it's not in the budget, or it can't possibly happen to us." This company also forced a 1.5 hour video with only 3 questions at the very end, with passing being 80%, so if you missed one you had to re-watch the entire thing all over again. No way to skip through or run at 2X speed. That was probably the most vocal I have ever had end-users storm over and vent. Hey, I had to watch the same thing, part of being the small company gobbled up in an acquisition.
#43
08-03-2020, 01:27 PM
GregL
Senior Member
Join Date: Dec 2004
Location: North Syracuse, NY
Posts: 3,580
Quote:
Originally Posted by Bostic:
I'm the IT Manager for the company I work for. I work closely with our Head of Security, and all hires have to watch the mandatory Security Awareness training. I verify all of them have multi-factor authentication enabled for their accounts. It's a work in progress to get everything locked behind 2FA, but the more the better. I also don't want users going with Approve/Deny versus having to manually enter the 6-digit code. Yes, it's slower, but it's more secure, and you would be surprised at the number of users that will just click Approve on their mobile phone even though they were not the one who initiated the request.
This is great advice not only for the workplace, but for personal cyber security as well. I have multi-factor authentication set up for all my personal financial accounts. One time codes for electronic access and a verbal code for phone or in-person access. I was one of millions caught up in the Office of Personnel Management data breach in 2014-2015. I'll never know for sure if my information was being used for criminal purposes, but I strongly suspect it was. My company-sponsored retirement account was nearly compromised. Only my noticing an e-mail about account activity and the suspicion of a customer service rep at the financial institution stopped a thief from walking off with the majority of my retirement savings. When it comes to cyber security, it pays to be paranoid.

Greg
#44
08-03-2020, 01:33 PM
kingpin75s
Senior Member
Join Date: Mar 2013
Location: Mpls, MN
Posts: 1,570
Quote:
Originally Posted by NYCfixie:
What is this based on? From a report? From your own experience?

IME, there are very few (not many, as you suggested) companies that do this type of broad and deep training and testing for non-IT employees. At best, it is once a year or at time of hiring and thus simply not enough.
I can speak to this based on experience. Companies are getting on board with this now more than ever. The past 5 years have seen huge growth in the Cyber area, and it is now not uncommon for companies to have even monthly phishing simulations, as end users are generally the weakest link. All employees with computer email access are part of the program.
#45
08-03-2020, 01:36 PM
kingpin75s
Senior Member
Join Date: Mar 2013
Location: Mpls, MN
Posts: 1,570
Quote:
Originally Posted by unterhausen:
My understanding is that it infects the backups. The process is to gain admin level control first, generally through social engineering.
This is why tape-based offsite backups are not going away. Air gap. Disk-based systems with replication offsite can still be at risk, as you stated.
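Bostic's report that the backups were encrypted too, unterhausen's point that the attacker gains admin control first, and kingpin75s's answer (tape, air gap) all come down to one question an IT manager can ask of an inventory: is there at least one copy that production-side admin credentials cannot write to or delete? The Python below is an added example, not anything posted in the thread or used by any of the companies mentioned. It scores a constructed backup inventory against that question plus the usual offsite, media-diversity and restore-test checks, and shows why a disk array replicated offsite passes the offsite check yet still fails the air-gap one. The BackupCopy fields, the finding codes and the two sample inventories are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the backup set. Hypothetical inventory record for this example."""
    name: str
    medium: str                  # "disk", "tape", "object-storage", ...
    offsite: bool
    reachable_from_prod: bool    # can production admin credentials or agents write/delete it right now?
    immutable: bool              # WORM tape, object lock, write-protect tab: writable by nobody until expiry
    last_restore_test: Optional[date]


def has_airgapped_copy(copies: List[BackupCopy]) -> bool:
    """A copy survives a domain-admin-level compromise only if production cannot
    reach it at all, or can reach it but cannot modify it. A replica that production
    pushes to with its own credentials is neither: the replication job that copies
    data also copies the encryption."""
    return any((not c.reachable_from_prod) or c.immutable for c in copies)


def assess(copies: List[BackupCopy], today: date, max_restore_age_days: int = 90) -> List[str]:
    """Return a list of findings (empty means the inventory passes). Each finding
    starts with a stable code so callers can act on it without parsing prose."""
    if not copies:
        return ["NO_COPIES: nothing to restore from"]
    findings: List[str] = []
    if not has_airgapped_copy(copies):
        findings.append("NO_AIRGAP: every copy is writable from production, so ransomware "
                        "running with admin rights can encrypt the backups along with the data")
    if not any(c.offsite for c in copies):
        findings.append("NO_OFFSITE: a site-level event (fire, flood, full-site encryption) takes every copy")
    if len({c.medium for c in copies}) < 2:
        findings.append("SINGLE_MEDIUM: one medium type means one firmware bug or one vendor outage hits all copies")
    for c in copies:
        stale = c.last_restore_test is None or (today - c.last_restore_test).days > max_restore_age_days
        if stale:
            findings.append(f"STALE_RESTORE_TEST:{c.name}: no successful restore test in "
                            f"{max_restore_age_days} days; an untested backup is a hope, not a plan")
    return findings


# Constructed sample inventories (not real infrastructure).
TODAY = date(2020, 8, 3)

# "Disk with replication offsite": passes the offsite check, fails the air-gap check.
REPLICATED_DISK_ONLY = [
    BackupCopy("nas-primary", "disk", offsite=False, reachable_from_prod=True,
               immutable=False, last_restore_test=date(2020, 7, 1)),
    BackupCopy("nas-replica-dr", "disk", offsite=True, reachable_from_prod=True,
               immutable=False, last_restore_test=date(2020, 7, 1)),
]

# Same array plus a weekly tape set written, then pulled and shipped to a vault.
WITH_TAPE_ROTATION = REPLICATED_DISK_ONLY + [
    BackupCopy("tape-weekly-vault", "tape", offsite=True, reachable_from_prod=False,
               immutable=True, last_restore_test=date(2020, 7, 15)),
]

if __name__ == "__main__":
    for label, inventory in (("replicated disk only", REPLICATED_DISK_ONLY),
                             ("with tape rotation", WITH_TAPE_ROTATION)):
        print(f"== {label} ==")
        for finding in assess(inventory, TODAY) or ["OK"]:
            print("  ", finding)
```

The restore-test check is there because Bostic's second point, that restore time is nothing trivial, is only knowable if someone has actually restored from the offline copy recently; an inventory that passes the air-gap check on paper but has never been read back does not tell you how many days the business will be down.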


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.