Ransomware and Cloudy

[tspear]

Lightroom Version

4.1

Operating System

1. Windows 10
2. Android

Short version, companies are now getting hit all the time with ransomware. As I deal in cyber security for a good portion of my living, I wonder.
As anyone considered how to backup and recover Cloudy in the case Adobe is hit, and they cannot recover?
Has anyone raised this issue with Adobe?

 

[clee01l]

Short version, companies are now getting hit all the time with ransomware. As I deal in cyber security for a good portion of my living, I wonder.
As anyone considered how to backup and recover Cloudy in the case Adobe is hit, and they cannot recover?
Has anyone raised this issue with Adobe?

The most important part of the Lightroom environment are the original files. Keeping a local copy will insure that you have a copy of your original images.

Adobe has lots of servers across the world and although there is some interconnection, I can’t say what if any redundancy Adobe has in place.

If I were a ransom ware crook, I’d target Adobe’s licensing servers.


Sent from my iPad using Tapatalk

 

[tspear]

The most important part of the Lightroom environment are the original files. Keeping a local copy will insure that you have a copy of your original images.

Adobe has lots of servers across the world and although there is some interconnection, I can’t say what if any redundancy Adobe has in place.

If I were a ransom ware crook, I’d target Adobe’s licensing servers.


Sent from my iPad using Tapatalk

License servers, Adobe can afford much more easily to wipe them , and stand up new ones., which "auto-approve" all requests. Pretty much all revenue is now monthly with a few exceptions being annual. If you read your contract Adobe has the right to cancel it. So worst case they could just cancel everyone's contract and have everyone do a new contract; assuming they do not have the information separate. The best case would be to just extend everyone with a grace period and keep running, send an early renewal notice and just keep on moving forward.

If the attackers go after the core image data servers, Adobe not only has the majority of revenue tied to it, but they also will have to deal with implied warranty claims which will be distracting and expensive, let alone the damage to their reputation. If they do not get data back they are in serious trouble.

A few months ago, per the press, Garmin was hit by ransomware, while they negotiated to get the data back, they effectively gave away update services and many other things to avoid the blow to reputation. Much easier in their cases because your devices continued to work since data was always cached locally (even on the aviation side where I subscribe). Adobe based on current structure does not have that luxury.

Tim

 

[clee01l]

If the attackers go after the core image data servers, Adobe not only has the majority of revenue tied to it...

Presumably, these core image data servers would be redundantly backed up. The License servers are used every time you login to Lightroom Cloudy and every time you open LightroomClassic. Lightroom Classic will supposedly run 60-90 days without an internet connection to validate, but all validation is likely centralized.

As I understand ransomware, it works by encryption of the data on your computer that can't be decrypted without their key. This ransomware once a vulnerability is discovered worms its way onto every computer on the network. My question back to your is this: Are the infected computers Windows, Unix, LINUX or a mixture? Does Ransomware infect only one Operating system per infection or how does it manage to shut down a multiple OS environment? The Hospital system that I also worked in used RedHat data servers. Individual users accessed this data via Windows or Mac workstations. When I worked for Compaq (before they were purchased by HP), their internal ordering and supply system was run on an HP-UX computer.

I used to work for a pipeline company. I am puzzled as to why the Colonial Pipeline was even vulnerable. I was on a project that opened the pipeline to free market shipping. the Pipeline controls (valves pumps etc.) were handled by a SCADA system that was not even connected to the internet but ran in its own separate intranet. I think it would be unconscionable for a Company like Colonial to run its SCADA process over the open internet.

 

[tspear]

Depends on the attack vector. There are really two types of attacks.
1. What I call the script kiddies attack, this is more of a volume based approach that is more easily protected against. This is a cookie cutter approach going after everyone, it generally attacks Windows, Mac, iOS or Android.
2. Second is a targeted attack. Sometimes the script kiddie just opens the door to the targeted attack. In a targeted attack, the hacker is in your system to some level. And they can then attack any platform, Windows, Linux... Also depending on how you have your data accessed by users determines how vulnerable it is to this attack.

In terms of Colonial , the access point was most likely the business side (as usual). The SCADA system would normally be connected to the company network to allow for integrated billing, ordering and other functions. Such functions have been slowly opened to the internet to accept orders, delivery notifications, confirmations and other functions from business partners. The most likely answer is the hackers got in via a back office system, and slowly worked themselves from system to system to the critical servers which controller the business operations which were connected to the pipeline.

FYI, one company I am aware of, the hackers got in, did not steal data, proceeded to encrypt only the dedicated backups taken offsite for a full year before they struck. The attacks are getting more and more sophisticated.

Tim

 

[RobOK]

I was on a project that opened the pipeline to free market shipping. the Pipeline controls (valves pumps etc.) were handled by a SCADA system that was not even connected to the internet but ran in its own separate intranet. I think it would be unconscionable for a Company like Colonial to run its SCADA process over the open internet.

I understood it was their billing and business operations systems, not SCADA, but did not do a deep dive. They had some old system that was vulnerable that was hard for them to upgrade or replace, very common in large corporations (as it sounds like you know)

 

[clee01l]

I understood it was their billing and business operations systems, not SCADA, but did not do a deep dive. They had some old system that was vulnerable that was hard for them to upgrade or replace, very common in large corporations (as it sounds like you know)

It was FERC Order 636 that required pipelines to become open carriers. I worked to develop that system in the ‘90s. It should not impact scheduling but it would be open to internet vulnerabilities. Gas pipelines and product pipelines (Like Colonial) got along fine before FERC 636.


Sent from my iPad using Tapatalk

 

[Linwood Ferguson]

If I were attacking Adobe I would do it differently; I would try to get into their update servers (in addition to however I got in first), to distribute malware back down onto their customers' systems as part of the legitimate update processes, and then after a few weeks or months of that threaten Adobe with an attack on however many (millions?) of customers they managed to infect, then later after being paid (and a brief respite) attack them anyway.

Remember the Solar Winds hack was about how updates are distributed. But it went after businesses, imagine the public outrage if Adobe became a vector to all their home and small business customers' being infected.

My Adobe Desktop reminded me today it auto updated itself. I do not every recall allowing that, it probably defaulted that way when I installed on my new computer. I just turned it off again. Not that in a manual update you can tell if the kit is infected, but at least then by staying a bit behind, you may hear if the world is ending because of updates before you manually update.

The only real solution to ransomware is to make cryptocurrency illegal. Untraceable means to pay ransom is why ransomware works. If you can follow the money, it stops working.

An interim solution is make it illegal for US companies to pay ransom, and if that doesn't pass constitutional muster, make it illegal for any government entity (especially local ones) to pay ransom. If ransom uniformly cannot be collected in a sector, most hackers will go elsewhere. Now that it just becomes a normal cost of business, with ransomware insurance.... there's motivation to the hackers, AND there's NO motivation (except insurance requirements) to the business to be on guard.

 

[PhilBurton]

If I were attacking Adobe I would do it differently; I would try to get into their update servers (in addition to however I got in first), to distribute malware back down onto their customers' systems as part of the legitimate update processes, and then after a few weeks or months of that threaten Adobe with an attack on however many (millions?) of customers they managed to infect, then later after being paid (and a brief respite) attack them anyway.

Remember the Solar Winds hack was about how updates are distributed. But it went after businesses, imagine the public outrage if Adobe became a vector to all their home and small business customers' being infected.

My Adobe Desktop reminded me today it auto updated itself. I do not every recall allowing that, it probably defaulted that way when I installed on my new computer. I just turned it off again. Not that in a manual update you can tell if the kit is infected, but at least then by staying a bit behind, you may hear if the world is ending because of updates before you manually update.

The only real solution to ransomware is to make cryptocurrency illegal. Untraceable means to pay ransom is why ransomware works. If you can follow the money, it stops working.

An interim solution is make it illegal for US companies to pay ransom, and if that doesn't pass constitutional muster, make it illegal for any government entity (especially local ones) to pay ransom. If ransom uniformly cannot be collected in a sector, most hackers will go elsewhere. Now that it just becomes a normal cost of business, with ransomware insurance.... there's motivation to the hackers, AND there's NO motivation (except insurance requirements) to the business to be on guard.

By its very nature, it would be impossible to enforce laws against use of crypto currency.

Moreover, Putin seems to turn a blind eye to Russian ransomware gangs because he maintains they have broken no laws in Russia. Coincidentally or not, some ransomware tries to detect a Russian (or Belarus ...) website, and then uninstalls itself.

I think the overall issue is that "cyber security" industry is fragmented, with too many competing vendors and not enough government leadership or public-private sharing of data and best practices. In the past, there has been political opposition in the US about "government intrusion into the private sector" in this area. totally irresponsible, as we are now seeing the consequences of that opposition.

 

[Linwood Ferguson]

By its very nature, it would be impossible to enforce laws against use of crypto currency.

Nonsense. Make it illegal and having penalties for use and a vast, vast majority of its utility goes away -- it would prevent banks where people have money from converting to crypto, and would prevent them from dealing with known crypto exchanges. An above-board company would have a very difficult time moving millions of dollars of illegal currency to Russia without consequences.

Starting with the assumption that you cannot ban a thing that is bad means you have given up.

Anti-hacking software cannot BEAT hackers, it can just fight a continuing battle to stay even.

Now I might agree there's no POLITICAL will to make it illegal.

 

[tspear]

By its very nature, it would be impossible to enforce laws against use of crypto currency.

Actually, by the nature it is much easier to track. No new law required, a FINCEN regulation requiring reporting of all conversions to/from USD would be simple enough to enact and provide all the information needed to track criminal usage of it. This would be covered under existing AML laws.
The reason this is so easy is the basis of cryptocurrency is a public shared ledger system. No idea why people think the currency is not traceable. It is much easier to trace/track than cash or even credit cards.

As @Ferguson stated, it is fairly easy to stop the flow of money if there is political will. If there is bureaucratic will, then it can become fairly easy to trace the flow of the money. May not be able to stop or recover much, but easy enough to know where it is going.

 

[PhilBurton]

Nonsense. Make it illegal and having penalties for use and a vast, vast majority of its utility goes away -- it would prevent banks where people have money from converting to crypto, and would prevent them from dealing with known crypto exchanges. An above-board company would have a very difficult time moving millions of dollars of illegal currency to Russia without consequences.

Starting with the assumption that you cannot ban a thing that is bad means you have given up.

Anti-hacking software cannot BEAT hackers, it can just fight a continuing battle to stay even.

Now I might agree there's no POLITICAL will to make it illegal.

Crypto currency usage may become illegal in the US, but what about transactions involving parties outside the US? And money transferred to offshore accounts in countries that not ban crypto currency. Criminal gangs have always been able to launder money, what woiuld change now? For companies, (gangs), and invididuals who are not above board?

I would love to be proven wrong.

 

[Linwood Ferguson]

Crypto currency usage may become illegal in the US, but what about transactions involving parties outside the US? And money transferred to offshore accounts in countries that not ban crypto currency. Criminal gangs have always been able to launder money, what woiuld change now? For companies, (gangs), and invididuals who are not above board?

I would love to be proven wrong.

You're not wrong, but I think you are looking (like all good programmers) for the exception. Something like this is about statistics. Eliminating 90% of the problem is not a complete fix, but it eliminates 90% of the problem. Or find 5 regulations each which only hit 20% (of the balance). Look at all the serious criminals who have been caught with IRS and Tax fraud they could never catch for murder, extortion, etc.

But it takes will.

Negotiating with terrorists always ALWAYS breeds more terrorists.

Call them what they are, make it illegal to pay them, and a HUGE amount of this disappears.

 

[PhilBurton]

You're not wrong, but I think you are looking (like all good programmers) for the exception. Something like this is about statistics. Eliminating 90% of the problem is not a complete fix, but it eliminates 90% of the problem. Or find 5 regulations each which only hit 20% (of the balance). Look at all the serious criminals who have been caught with IRS and Tax fraud they could never catch for murder, extortion, etc.

But it takes will.

Negotiating with terrorists always ALWAYS breeds more terrorists.

Call them what they are, make it illegal to pay them, and a HUGE amount of this disappears.

I'm sure you are right, and the US (and some other countries?) seriously need to do more. I'm curious as to what comes out from the Biden-Putin meeting. Vladimir Vladimirovich is a tricky guy, but Biden is pretty smart.

 

[Linwood Ferguson]

Just to drag this issue back to the OP's question.... (And in case Adobe is listening)...

One thing I wish Adobe would explicitly address is the larger issue of data integrity in Cloudy (and all their related programs).

I am certain I have not read every word posted by them, but mostly the theme I get is "trust us, we will take good care of your data". I have long thought they need a white paper describing HOW. Things like:

- How do you ensure the integrity of the uploads and downloads, are they checksummed before and after and compared? Encrypted end to end?

- How do you protect it sitting on your servers, is it always on redundant media, is it always geographically redundant in addition to Raid(like) redundancy? Is it encrypted in place?

- How is it backed up? Is it versioned, so if you got hit with corruption, you can roll back?

- Is it checked for bit rot? Are you prepared for recovery on detection of bit rot?

- To the above, can a user request a roll back to a date? How far?

- How do you protect against user ransomware, e.g. if my laptop gets malware that starts encrypting the images, do those encrypted images get uploaded during sync, and so corrupt the online versions?

- And to my point above, how can we know the updates downloaded from your site are authentic, un-modified either on your portal or during download? (E.g. solarwinds). How can we validate that the code we are now running is authentic, and unmodified by other parties either before I got it, or after it got on my machine?

I'm sure there are others... but it would be nice to hear technical details. I realize some companies view security-by-obscurity as a good thing, but it pretty generally is accepted it is not. It's just obscurity.

And to me Adobe is a prime target. Its user base is often not computer savy, even with just LR and Photoshop we all have dozens of Adobe programs running all the time with no explanation of what they do (the point being that the normal advice of "look for unusual activity" is pointless). Tell us the details of how you are making us and our data safe. Please.

 

[PhilBurton]

Completely agree with Ferguson's latest post. He said it better than I ever could.

Security through obscurity doesn't work when scammers simply try out all possible IP addresses. Personal use at home, Small Office/Home Office, small business, large business and governments and universities, all targets since they all have IP addresses.

Using a Mac (or Linux) is no defense against attacks that use a phony webpage to capture login credentials, etc.

And judging by this forum, and other photo forums, the Adobe user base is certainly not all sophisticated "power users."

Phil Burton

 

[clee01l]

Just to drag this issue back to the OP's question.... (And in case Adobe is listening)...

One thing I wish Adobe would explicitly address is the larger issue of data integrity in Cloudy (and all their related programs).

… Please.

I would like to see this issue raised at the Adobe forum. You have some very good points and by posting there Adobe would have to respond…


Sent from my iPad using Tapatalk

 

[PhilBurton]

I would like to see this issue raised at the Adobe forum. You have some very good points and by posting there Adobe would have to respond…


Sent from my iPad using Tapatalk

Only question is who does the posting on the Adobe forum.

 

[clee01l]

Only question is who does the posting on the Adobe forum.

It is Ferguson that has so clearly stated the problem. Let him post it and we can quickly endorse the idea. The more support for this on the Adobe forum, the more likely we will get a response from someone other than Rikk. I would like to see Jeff Tranbury or Simon Chen speak to the issue. Considering the proliferation of Ransomware and that in the past Adobe user login information was compromised, All of the major software and hardware companies should be formulating an answer and a plan to deal with having user data held hostage.


Sent from my iPad using Tapatalk

 

[Linwood Ferguson]

I have raised this in another venue more directly with Adobe and was pretty much ignored. No real interest in having another run at them. And the idea that Adobe would "have to" respond is amusing...

 

[clee01l]

I have raised this in another venue more directly with Adobe and was pretty much ignored. No real interest in having another run at them. And the idea that Adobe would "have to" respond is amusing...

As I suggested the more support for an issue on the Adobe site, the better the chance there will be a coordinated response.


Sent from my iPad using Tapatalk

 

[PhilBurton]

I have raised this in another venue more directly with Adobe and was pretty much ignored. No real interest in having another run at them. And the idea that Adobe would "have to" respond is amusing...

Is there some link where we can "like" or comment on the issue you raised.

Adobe may very well be one of many companies that has chosen to ignore the malware/ransomware threat, until it bites them hard. Then some people are scapegoated and forced out but never the ones who denied the requests for more resources.

 

[Linwood Ferguson]

Is there some link where we can "like" or comment on the issue you raised.

Adobe may very well be one of many companies that has chosen to ignore the malware/ransomware threat, until it bites them hard. Then some people are scapegoated and forced out but never the ones who denied the requests for more resources.

No. I really can't say more, and maybe have said more than I should. But I tried, I failed completely, and I will not repeat the effort myself.

 

[tspear]

@Ferguson

If you want to try and get Adobe's attention. Comment, vote on my thread. Ransomware and Lr Coud files

I have noticed that when specific issues get enough attention, Adobe does respond.

 

[Linwood Ferguson]

OK. I'm happy to +1. Did so.