Author: Roger A. Grimes

Comment on French Hospital Hit By $10M Ransomware Attack, Sends Patients Elsewhere by Roger A. Grimes

Another example that many ransomware groups do not respect obvious ethical boundaries and in fact are likely encouraged that life and death decisions make it more likely they will be paid. Every organization, whether a hospital or not, must do more to prevent ransomware, and really all hacker and malware attacks. The four best defenses all organizations can do is to better focus on mitigating social engineering (that’s how most attacks begin), better patch their software, use phishing-resistant multi factor authentication (MFA), and where passwords must be used, make sure different strong passwords are used for all sites and services. There are no other defenses that will give as much protective benefit as these four defenses. It is the world’s lack of focus on these four defenses that allow ransomware, hackers, and malware to be as successful as it is.

Comment on Callback Phishing Attacks See Massive 625% Growth Since Q1 2021 by Roger A. Grimes

Just like in sales, the more “touches” you have with a potential lead, the better chance to convert. We’ve all been told not to click on unexpected emails…but if the attacker also calls us, it adds an immediate sense of legitimacy to the original email. You might even be thinking, “And I thought that could have been a phishing email.” Officially, attacks that use multiple touches, including the first one that doesn’t include any outright suspicious links or downloads, is known as “pretexting”. Pretexting attacks are harder for the attacker to pull off because it takes more time on their side to setup and accomplish. But the time put in pays off, in that they are far more likely to have success across the victim subset they are targeting and be more likely to steal more per instance. The best defense is to educate everyone about these more sophisticated attacks and then do simulated instances to see how likely these sorts of attacks are to be against your population, and to make potential victims more aware of these sorts of attacks. It’s really the only defense that will work.

Comment on Python Packages Discovered On The PyPI Repository by Roger A. Grimes

Attacks where shared developer resources contain malicious instructions have been around since the beginning of computers. They are known in general as watering hole or poisoned well attacks. In 1984, Ken Thompson, one of the creators of Unix and the C Language, embedded a trojan horse program into one of his programs, people unknowingly downloaded and used it, and he wrote a paper and announced (<a href=”” target=”_blank” rel=”noopener nofollow ugc”></a>) in a speech and a paper how people should not just trust other people’s code. So, this has been a problem for a long, long time. It’s a bit sad that this has been a problem for this long, and not only do we not keep making the same mistakes, but seemed doomed to keep making the same mistake forevermore.

Some of the biggest and most impacting companies of our time, including Microsoft, Google, and Apple, have been hit by these types of attacks. No organization that allows their developers to obtain and use other people’s code is immune to it. All developers should be educated about waterhole attacks…they are not uncommon, and instructed to either inspect and verify every bit of code of anything they download or not to download and use other people’s code. It’s just too risky ot rely on other people’s unverified code.