2021-07-13
Every computer on the network of the city of Leonardtown, Maryland, froze on July 2, the target of a ransomware attack made possible by the city's use of Kaseya VSA remote network management software. A security patch will be made available next week.
In the meantime, all of the city's data (including taxpayer data) has been downloaded by hackers, and their data locked up pending payment of $45,000 per compromised system.
This isn't the first mass ransomware attack this year, but it is the largest known hack to date. To me, though, the real question is: what do all of this year's ransomware attacks have in common? It's not the Russian hacker gang, it's not the state-sponsored cyberwarfare unit, it's not the particular system vulnerability: it's Microsoft Windows.
The dirty secret of the IT world is that proprietary platforms are more vulnerable to security problems than their open-source counterparts. And the No. 1 proprietary operating system is Microsoft Windows.
Given these vulnerabilities, why do the state of Montana, Lewis and Clark County, and the city of Helena still rely on Windows technologies to manage our data?
The U.S. defense and intelligence community is beginning to understand that free and open-source software (FOSS) systems and hybrid networks (mixes of open-source and proprietary systems) are far less vulnerable to hacking attempts. Most of the current system hacks exploit known vulnerabilities in systems that are slow to respond to security threats. As an example, the most recent ransomware storm affecting Leonardtown exploits a known vulnerability in Kaseya network management tools that the company knew about and was fixing, but didn't get fixed in time.
The specific hack that disabled Leonardtown's computer network added Microsoft-compatible executables to compromised systems, and those executables allowed hackers to download and then encrypt local data. Those executable files will not work on non-Microsoft systems.
So why didn't Kaseya fix the known vulnerability? The company has a limited number of engineers who can focus on the problem, and although they were in the process of addressing the vulnerability, the hackers got there first. They'll eventually get it patched. In the meantime, citizen data was leaked to foreign criminal gangs.
How can we minimize the security risks inherent in the systems used by our state, county and local governments? Start planning and migrating toward FOSS platforms and protocols. Now. It will save money in the long run, and may provide more system security in the short- to medium-term.
Our state, county and local systems are hamstrung by bureaucratic inertia. The old IT department mantra of "Nobody ever got fired for choosing IBM" has replaced "IBM" with "Microsoft." The time when that kind of magical thinking could pass as reasonable planning has passed. It's time to reevaluate where policy compliance gets in the way of real system security. And that's where open-source platforms become mission critical.
FOSS systems aren't more secure because the software is better; they are more secure because more people are able to examine how various software components work, analyze those components for vulnerabilities, provide possible solutions to component maintainers, and routinely update their software with the latest security patches. Problems get fixed simply because more software engineers have their eyes on the problem.
Are all FOSS systems impenetrable? No. But are FOSS vulnerabilities, once identified, more likely to be addressed in open-source communities? Yes. Again, because there are more entities with stakes in the game. The key to open-system security is that software components are well-vetted and community-maintained. FOSS is considered as secure as, or more secure than, proprietary software by the U.S. Department of Defense CIO (among other federal IT leaders).
Kaseya is the key point of failure in the most recent hack. Will they survive as a service? That's an open question. Recently, every federal agency using their services was told to stop using them. Unfortunately, it wasn't in time to save the city of Leonardtown.
It's time for our state, our county and our city to step up and take serious measures to protect the data of our citizens and begin the migration to open-source systems.
Bob Schmitt is a Helena-based software engineer with 35-plus years of software development and network management experience. He works with federal customers for CivicActions Inc.