Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo (krebsonsecurity.com) 26
Brian Krebs: In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents -- including schematics of client bank vaults and surveillance systems. The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually.
Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security, KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware. That transaction included credentials to a Remote Desktop Protocol (RDP) account apparently set up by a Gunnebo Group employee who wished to access the company's internal network remotely. Five months later, Gunnebo disclosed it had suffered a cyber attack targeting its IT systems that forced the shutdown of internal servers. Nevertheless, the company said its quick reaction prevented the intruders from spreading the ransomware throughout its systems, and that the overall lasting impact from the incident was minimal.
Minimal impact (Score:3)
There is an easy way to prevent this (Score:2)
In 2000-2001, I worked for a company focused on digital encryption and certificates. We used some security measures that still make sense:
Re: (Score:3)
Re: (Score:2)
Stuxnet has proved air-gaps aren't the be-all end-all of security.
And Valve is probably better positioned to airgap their source code (though probably why they don't do much
Security Giant? (Score:2)
You keep using that word. I don't think it means what you think it means.
Internet, Intranets, all houses of cards (Score:3)
Here's how secure it should be (Score:2)
> I don't think anyone can say their network, or anything Internet-connected, is ever 'secure'
Well the drive I just wiped is secure, even if I put it on the internet, but what's the fun in that? :)
But seriously, there is an equation for how secure things should be, and lots of things are appropriately secured. You wouldn't get a $10,000 safe to protect your lunch from being stolen, that would be too much security. (Especially since a $200 safe would mean the attacker would be better off buying their own
Re: (Score:2)
Never. The other way around (Score:2)
> And how often do your employers stand in the way of you doing your job because of cost, or tell you to dumb things down to the bare minimum to save money?
Never. Actually it's the other way around - I tell the bosses that X system isn't top-secret national security data, we shouldn't be focusing our efforts/budget on protecting it to the level DoD requires of Top Secret. The appropriate level of protection is some other, less expensive, level. Doing that increases our OVERALL protection because we spe
Quick example (Score:2)
I have a database admin who is always letting me know about developers using service accounts to change stored procedures in the database. The database structure in production servers should be changed only by the DB admin, he says - and he's right. We're working on making it so devs don't have the passwords that the applications use.
The exact same sysadmin thinks it's ridiculous for me to say his SQL queries shouldn't be changing the operating system of the server that the database happens to run on. SQ
Re: (Score:2)
I forgot to say:
> or tell you to dumb things down to the bare minimum to save money?
Getting hit by ransomware doesn't save money.
Having an intern take everything you've got with her when she goes to work for a competitor doesn't save money.
Having unstable systems that can be easily DOSed on purpose or on accident, constantly putting out fires because your systems aren't robust, doesn't save money.
If the people making budget decisions think that cutting security is going to save money, the head security p
Re: (Score:2)
So if I condense down what I just read, based on your own personal perspective, of course (which in no way shape or form invalidates any of it, mind you), it sounds to me that if there is a world-wide Internet and data security problem, the core of that problem is really communication and expectations between humans, not a lack of technical ability to adequately and
Re: (Score:2)
> Waited until this morning to read your comments because they appeared to need to be read carefully, containing actual content, and I was right.
Thanks. :)
> it sounds to me that if there is a world-wide Internet and data security problem, the core of that problem is really communication and expectations between humans, not a lack of technical ability to adequately and appropriately secure everything
Yeah, I'd agree that's a good summary. Also there is a very specialized type of communication needed as
Re: (Score:2)
1. Law enforcement could get what they wanted without wrecking encryption entirely, handing the 'keys to the kingdom' to criminal hackers,
and
2. I knew I could trust the Government (at all levels, including especially three-letter-agencies, both known and hidden) and law enforcement to play by the rules, always get a warrant, and never, never, ever circumvent due process and The Law themselves,
then I might just let them have the power to see into anything they wanted.
However the curr
Re: (Score:2)
> I just do not believe that the government and law enforcement should have the power to make all encryption irrelevant, technical issues aside.
I totally agree. Which makes me scratch my head about your support of Kamala Harris, of all people. From your post, I could see you maybe holding your nose and voting for Biden despite Harris, but I'm surprised you promote a rather "aggressive" DA and attorney general in your sig. Just weird to say "I don't trust law enforcement, vote for the author of the Crime
Re: (Score:3)
Re: (Score:2)
I totally understand. I voted against Trump, twice. Several elected Republican leaders have said Biden is better than *Trump*. Not that they like Biden.
Even if he wasn't a jackass (and he is), it's not like traditional Republicans would like him - he's a Clinton donor who decided he wouldn't make it running as a Dem or an Independent, so he went after the R nomination.
It's just your sig kinda threw me for a loop. It's like saying:
Support women's rights - free Bill Cosby.
I totally understand not liking Tru
Re: (Score:2)
Who knows? Maybe she'll surprise everyone.
I'll be happier if they just plain repair the damage Trump has done to pretty much everything he's touched, and to be sure Biden will get rid of the sycophant boot-licker Trump appointees. Sadly he's also appointed a metric buttload of Federal judges, and that's potentially going to hurt for a long time to come.
Re: (Score:2)
Re: (Score:2)
> the appointment of a woman to the SCOTUS will set back women's rights
Suddenly I have the urge to listen to Pink Floyd's album from 1987.
Re: (Score:2)
Re: (Score:2)
Somehow I don't think any of this is Momentary.
Re: (Score:2)
:)
Re: Here's how secure it should be (Score:1)
Re: (Score:2)
> What if the value of the customers loss, is very different than the value for the attacker?
That's an interesting question. I left that out of my simplified rule above. Considering the value to each may mean you should reduce the protection level compared to the rule above.
To be clear, the way I'm understanding your query is the value to the attacker of a successful attack vs the cost to the defender of the same attack.
Suppose the value of the resource to the attacker is $10, to the defender $10,000. Th