
Garmin hacked

denopa wrote:

Fly.garmin.com back up, though slow (well it never was fast, was it).

https://status.flygarmin.com/

Anyone been able to update via flygarmin?
Just tried to update but it failed.
Not sure if I did something wrong, or if Garmin is not fully operational yet.

EBTN, EBST, Belgium

I am told even Garmin’s satellite wx service (GSR56 etc) was down. That’s pretty amazing! No in-flight wx delivery.

Administrator
Shoreham EGKA, United Kingdom

I’d guess it’s the Earth-side Garmin servers preparing the data for upload which are unavailable, rather than the satellites themselves.

EGTF, LFTF

Sure; the satellite system used is Iridium, not related to Garmin.

Administrator
Shoreham EGKA, United Kingdom

The NotPetya ransomware cited earlier in this thread was just that: intended to only be destructive. There wasn’t anyone to provide the key to unlock the data if you paid the ransom. It was basically a Russian attack on Ukraine.

Andreas IOM

Peter wrote:

I am told even Garmin’s satellite wx service (GSR56 etc) was down. That’s pretty amazing! No in-flight wx delivery.

Yes, but the one and only thing to do if you are hit by a ransomware attack (and don’t have an extremely sophisticated partitioning in place): Shut down your entire network before cleansing! A single system left on can infect the entire network again…

Peter wrote:

So even the most sophisticated backup strategy doesn’t reduce the risk at all!
That I don’t understand. For sure if an attacker is going to infiltrate your site and do damage over many months, then all your backups (well, those that are of any use) will be useless.

Because a professional ransomware hacker doesn’t care about backups as long as they can encrypt the keys you need to decrypt the backup. Or do you store your backup decryption keys on a piece of paper (and I mean the real keys, not the password you need to enter so that the backup software looks up the keys and uses them…).
Many people don’t even know where their backup software stores the keys…

Germany

Malibuflyer wrote:

Because a professional ransomware hacker doesn’t care about backups as long as they can encrypt the keys you need to decrypt the backup. Or do you store your backup decryption keys on a piece of paper (and I mean the real keys, not the password you need to enter so that the backup software looks up the keys and uses them…).
Many people don’t even know where their backup software stores the keys…

Yes, sure, theoretically, I can store the keys in HSM (hardware security module, see Wikipedia), and that provides enough protection for the keys.
These days it is also possible to install a backup/restore infrastructure as separate appliances, somewhat protected.

With all the havoc created at Garmin, I wonder about a couple of things:
- As they accept the bank cards from the customers, are they subject to the same PCI DSS standard as we are, mere mortals?
- And if yes, then who has signed off their external PCI DSS security audit?
All companies optimise costs, I know, and might cut some corners, but for that there is an external audit.

EGTR
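The backup-key dependency that Malibuflyer and arj1 argue about above, as an added worked example that is not part of the thread and not Garmin's or any vendor's code: a fictional backup host keeps its real data-encryption key in a password-wrapped key store on local disk, ransomware encrypts that key store, and the archives become unrestorable even though they were never touched. The escrowed copy of the raw key (arj1's HSM or "piece of paper") is the only restore path left, and a periodic restore drill that uses nothing but the escrowed key is what proves the backups are actually usable. Everything here is constructed: the host, the names, the sample data, and the cipher, which is a standard-library HMAC-SHA256 counter-mode keystream with an HMAC tag used only to make the dependency visible, not a substitute for a vetted AEAD.

```python
"""Added example (not code from the thread or from Garmin): a backup is only
as good as the custody of its decryption key.  Models Malibuflyer's point
(ransomware encrypts the key store the backup software depends on) and
arj1's reply (keep the real key where the attacker cannot reach it, e.g. an
HSM or an offline copy).  Standard library only: the cipher is an HMAC-SHA256
counter-mode keystream plus HMAC tag, enough to show the key dependency, not
a substitute for a vetted AEAD.  All names and data are made up."""
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (CTR style)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key is an error, not silent garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class BackupHost:
    """Fictional backup server.  Like most backup software it keeps the real
    data-encryption key (DEK) in a key store on the same host, wrapped under
    a key derived from the operator password.  The password only unlocks the
    key store; it is not the key that decrypts the archives."""

    def __init__(self, password: str, dek: bytes):
        self.salt = secrets.token_bytes(16)
        self.keystore = seal(self._kek(password), dek)  # file on local disk
        self.archives = {}  # name -> sealed backup (NAS, tape, cloud bucket)

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def backup(self, name: str, data: bytes, password: str) -> None:
        dek = unseal(self._kek(password), self.keystore)
        self.archives[name] = seal(dek, data)

    def restore(self, name: str, password: str) -> bytes:
        dek = unseal(self._kek(password), self.keystore)  # fails if the store is gone
        return unseal(dek, self.archives[name])


def provision(password: str):
    """The one moment the raw DEK exists outside the key store: escrow it now
    (paper in a safe, HSM, offline medium).  Returns (host, dek)."""
    dek = secrets.token_bytes(32)
    return BackupHost(password, dek), dek

def ransomware_hits(host: BackupHost) -> None:
    """Attacker action: encrypt files on the host under a key only the attacker
    holds.  Hitting the key store is enough; the archives can stay intact."""
    host.keystore = seal(secrets.token_bytes(32), host.keystore)

def restore_from_escrow(host: BackupHost, escrowed_dek: bytes, name: str) -> bytes:
    """Restore path that depends on nothing stored on the compromised host."""
    return unseal(escrowed_dek, host.archives[name])

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def restore_drill(host, escrowed_dek: bytes, name: str, expected_sha256: str) -> bool:
    """Periodic check that an archive restores using ONLY the escrowed key."""
    try:
        return sha256_hex(restore_from_escrow(host, escrowed_dek, name)) == expected_sha256
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    pw = "correct horse battery staple"
    host, escrow = provision(pw)  # escrow goes out of band, never back on the host
    sample = b"constructed sample: flight-plan database, 2020-07-23"
    host.backup("fpl-db", sample, pw)
    ransomware_hits(host)
    try:
        host.restore("fpl-db", pw)
    except ValueError as err:
        print("restore via local key store:", err)
    print("restore via escrowed key:", restore_from_escrow(host, escrow, "fpl-db") == sample)
```

The design point is the split between `restore` and `restore_from_escrow`: the first needs the password and the key store that sits on the host, the second needs only a key that was written out of band at provisioning time. If `restore_drill` is never run with the escrowed key alone, nobody finds out that the key store was the single point of failure until the day it is encrypted.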

arj1 wrote:

As they accept the bank cards from the customers, are they subject to the same PCI DSS standard as we are, mere mortals?

Sure they are – but what does that have to do with ransomware attacks? Or to be more precise: Which of the 12 PCI-DSS rules would protect you against ransomware?

Germany

Malibuflyer wrote:

Sure they are – but what does that have to do with ransomware attacks? Or to be more precise: Which of the 12 PCI-DSS rules would protect you against ransomware?

For example:
“Protecting all systems against malware and performing regular updates of anti-virus software. Malware can enter a network through numerous ways, including Internet use, employee email, mobile devices or storage devices. Up-to-date anti-virus software or supplemental anti-malware software will reduce the risk of exploitation via malware.”

EGTR

arj1 wrote:

All companies optimise costs, I know, and might cut some corners, but for that there is an external audit

Most PCI-DSS audits are somewhat barebones. If the company is using something like Worldpay to take credit card transactions, and doesn’t store or see the PANs themselves, then there’s no external audit at all. Most companies these days that take recurring payments use tokenization, and never see the cardholder data. So they don’t need an external audit. Given Garmin’s core business isn’t banking, I would expect they are using tokenization and are not holding any cardholder data such as PANs themselves.

If you do need a PCI-DSS ROC (in other words, a full audit), most of the time it is really easy to pull the wool over the auditor’s eyes.

Garmin’s case is likely similar to Maersk’s in the linked article – too many people having too many system privileges, plus not applying updates (which patch the flaws the ransomware uses to get in), plus a monoculture (Windows only), and other things such as insufficient control over removable media/infected devices, plus the ease of being able to pull the wool over the eyes of the auditors.

Last Edited by alioth at 26 Jul 16:22
Andreas IOM