Red Cross Begs Hackers Not To Leak Data of 'Highly Vulnerable People' (therecord.media) 71
The Red Cross has disclosed that it was the victim of a cyber attack and has asked the hackers who broke into the IT network of one of its contractors not to leak the personal information of more than 515,000 of "highly vulnerable people." The Record reports: The data was stolen from a Red Cross program called Restoring Family Links, which aims to reunite family members separated by conflict, disaster, or migration. "While we don't know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them," said Robert Mardini, director-general for the International Committee of the Red Cross. "Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world's least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data," Mardini said.
"The people affected include missing people and their families, unaccompanied or separated children, detainees and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters or migration," the organization said in an email.
Re:Hackers Beg Red Cross (Score:5, Insightful)
Sounds like Red Cross farmed the job out, counting on the word of some salesman for security. The data was probably vacuumed up as part of a larger haul.
Re: (Score:2)
The data was probably vacuumed up as part of a larger haul.
Probably. It is high time that those responsible (that would be CEO and CISO at the very least) face serious personal penalties when something like this happens.
Re: (Score:2)
But the criminals who obtained this information shouldn't be penalized? If I forget to lock my door and a criminal comes in and steals something, they shouldn't be held accountable is what you're saying.
Re: (Score:2)
Slashdot loves to blame the victim when it comes to cyber crimes. See, in their twisted minds, the hackers are morally superior because they're more technically adept.
So to answer your question, yes, that's what they believe. If your security is insufficient, that's your fault and you should be arrested. They also think that you should pay the hacker for teaching you an important lesson about security.
I can hear them now: "Did you see what that windows server was wearing? She was practically begging for
Re: (Score:2)
Complete bullshit. The attackers already can and will get punished if caught. But attacks like these are only possible due to negligence, sometimes gross negligence and that must carry a price for those responsible as well.
Re: (Score:2)
Probably. It is high time that those responsible (that would be CEO and CISO at the very least) face serious personal penalties when something like this happens. But the criminals who obtained this information shouldn't be penalized? If I forget to lock my door and a criminal comes in and steals something, they shouldn't be held accountable is what you're saying.
Of course the perpetrators should be heavily punished, but there's the small detail that you have to catch the fuckers first! Then we find out the systems were breached via unpatched systems, weak or reused passwords, single-factor authentication or other security atrocities. So there are a lot of opportunities to allocate blame.
Re: (Score:2)
Probably. It is high time that those responsible (that would be CEO and CISO at the very least) face serious personal penalties when something like this happens.
But the criminals who obtained this information shouldn't be penalized? If I forget to lock my door and a criminal comes in and steals something, they shouldn't be held accountable is what you're saying.
What kind of stupid statement is this? I never implied the attackers should go free.
Non-IT contractor that needs that data but their own IT got hacked? (Score:2)
Non-IT contractor that needs that data but their own IT got hacked?
Re:Hackers Beg Red Cross (Score:5, Insightful)
Hackers Beg Red Cross Not To Be Careless When Handling Data of 'Highly Vulnerable People'. Get your shit together, being a charity does not absolve you of responsibility.
The fucking planet has been hacked. Remember that as shit happens to everyone eventually. Their response was perfectly acceptable. They're not absolving themselves of responsibility, but asking others to find theirs after committing a crime. The damage hardly stops after data exfil.
And yeah, hopefully they will get their shit together after this, but since you've already identified the most obvious budget weakness (they are a charity) that likely comes down to funding. Perhaps you put down your ranting stick and open your wallet if you want to effect change. Or go volunteer to assist with cybersecurity. Looks like they could use a hand.
Re: (Score:3)
And yeah, hopefully they will get their shit together after this, but since you've already identified the most obvious budget weakness (they are a charity) that likely comes down to funding.
Absolutely. Fucking. Not. The ARC wastes money left and right. They spend it on all manner of looking like they're doing something while actually fucking up relief efforts. The one thing they still (as in, since their early days) used to do really solidly was blood collection, which they've had problems with contaminating because they did inadequate testing. The ARC has been fucked by corporate involvement [propublica.org] like all good things are eventually in a corporatocracy like the USA.
If they stopped wasting money loo
Re: (Score:3)
I can confirm this about ARC 100%. About 20 years ago a very good friend of mine was in charge of a local chapter of ARC in a VERY poor rural area. Every year they would have a fund drive and every year they'd get almost exactly $30,000 since the only donors were corporate sponsors. Then they'd have to pay their ARC dues which came to $25,000 per year so they'd then have $5,000 to have volunteers, supplies, etc. for an entire year AND her pay for the year. Does ARC(national) care about the problems with fun
Re: (Score:2)
But the ICRC is not the American Red Cross.
Re: (Score:3)
Big talk until the organization that you are responsible for keeping secure gets hacked and its information taken.
It really just takes one employee to click on a malicious email. Perhaps mistype a URL to go to a website. Having your business required to use software from a vendor, who uses libraries from another, which had a 0-day vulnerability open.
If you are able to keep your org secure from every way someone can get in, chances are you are not going to keep your job for too long, because you had succe
Re: (Score:2)
You can't stop a 0day or an employee doing stupid, but a good defense in depth strategy with good proactive monitoring can significantly reduce the impact and time to detection.
Most of the successful hacks that have gone public have discovered some very poor practices, like not patching a known vulnerability for more than 6 months. You can at the very least practice due diligence and make reasonable efforts to address or mitigate known risks.
Re: (Score:2)
Hackers Beg Red Cross Not To Be Careless When Handling Data of 'Highly Vulnerable People'.
Get your shit together, being a charity does not absolve you of responsibility.
Oh yeah... totally. "She shouldn't have gone out dressed like that."
Or you could just stop being an asshole..
Why the hell is this data not better secured? (Score:5, Insightful)
Somebody at the Red Cross went cheap. And now a lot of people may have to pay the price.
Re:Why the hell is this data not better secured? (Score:5, Interesting)
The Red Cross is frankly something of a shit show. After the Camp fire (all time worst name) in Lake County, local volunteers had a working system gathering and distributing donations and the Red Cross came in and shut it down because they wanted to be in charge, and literally never got it up and running again.
That's nothing compared to their bullshit response to heavy weather in 2012 [propublica.org], but it's in the same vein.
https://www.propublica.org/art... [propublica.org]
Re:Why the hell is this data not better secured? (Score:5, Interesting)
Like a lot of Generation Woke, the charity sector seems to have been taken over by people who are more interested in appearing virtuous and caring than actually being virtuous and caring. The latter involves hard work, commitment and putting others first, whereas the former involves just a lot of noise making and PR which is much easier to undertake.
Re: (Score:2)
Unfortunately, that sounds very plausible. Appearance over substance.
Re: (Score:1)
What doesn't sound plausible is that this is the fault of "generation woke", whatever that's supposed to mean. Malfeasance in the name of charity has been a thing since time immemorial.
Re: (Score:3)
Ah, the Apple model of charity.
I run a non-profit, and I've run other non-profits. I can assure you that most organizations are actually working hard to make a difference in their communities.
That said, charity is absolutely overloaded with corruption. Particularly in larger organizations where real money is involved. It's been like this for thousands of years. I don't buy that "generation woke" crap. That generation finally realized that we need a shared set of moral values. My generation was cynica
Re:Why the hell is this data not better secured? (Score:5, Insightful)
"hard right folks like you "
Thanks for proving my point. Anyone who disagrees with the Woken is a fascist. Whatever.
Re:Why the hell is this data not better secured? (Score:5, Insightful)
Except I'm not a boomer, I'm gen-x and most of us think woke is a load of BS too, but thanks for playing.
Re: (Score:2)
"hard right folks like you "
Thanks for proving my point. Anyone who disagrees with the Woken is a fascist. Whatever.
Actually... you totally proved their point.
They never called you a fascist, they just rightfully called you out for trying to turn everything into a criticism of "woke".
Here's the thing, I don't think many people identify as "woke", you hear it a bit on the left but not that much, probably some of that has to do with the fact that it's a weird sounding work that clearly has an origin in African American English. It's like if someone was trying to promote "y'all" with a drawl as a sign of solidarity with the
Re: (Score:2, Informative)
Like a lot of Generation Woke, the charity sector seems to have been taken over by people who are more interested in appearing virtuous and caring than actually being virtuous and caring.
You're confusing virtue signaling with incompetence. Just because they have the same net effect doesn't make them the same. I know some people who work for the red cross. They genuinely *want* to make a difference and are often completely hamstrung by rules and regulations that are present in any kind of larger organisation.
I think the Red Cross should be broken up into hundreds of little more local institutions. They will actually make a difference then.
Re: (Score:2)
Re: (Score:2)
Re: Why the hell is this data not better secured? (Score:3)
Re: (Score:2)
The Red Cross is frankly something of a shit show. After the Camp fire (all time worst name) in Lake County, local volunteers had a working system gathering and distributing donations and the Red Cross came in and shut it down because they wanted to be in charge, and literally never got it up and running again.
That's nothing compared to their bullshit response to heavy weather in 2012 [propublica.org], but it's in the same vein.
https://www.propublica.org/art... [propublica.org]
They've been a shitshow for a long time. My brother-in-law was a soldier in Germany, and needed a postage stamp, and they refused to give him one. I forget what it was for, but it was Red Cross related. Supporting the troops, my ass.
Some years ago, after the Katrina Debacle, the Red Cross tried to get Hams who assisted them to get a criminal, lifestyle, and Financial background check.
They dropped the last two after all their volunteer radio people found better things to do.
None of the Hams cared about
Re: (Score:2)
Too bad the INTERNATIONAL Red Cross (which this article is about) and the AMERICAN Red Cross (which your stupid rant is about) are completely different organizations.
Re: (Score:2)
Re: (Score:2)
Somebody at the [Pick-A-Company] went cheap. And now a lot of people may have to pay the price.
FTFY, in case you've been asleep in a coma and missed the inevitable end result of Greed dismissing Security for the last decade or three.
Re: (Score:2)
Actually, I just like to call them out individually these days. Harder to dismiss the problem as "just a few are doing it".
Re: (Score:2)
Actually, I just like to call them out individually these days. Harder to dismiss the problem as "just a few are doing it".
(Public Sentiment) "Who again? I'm sorry, it's been more than 17 seconds, and I scrolled past my concern 37 clicks ago."
Regarding calling out incompetence, it's even harder to find anyone who gives a shit.
Re: (Score:2)
Their primary mission is humanitarian, not about being a billion dollar technology business. Yes they could have better secured their systems, but paying top dollar doesn’t always mean a better implemented system. We also don’t know what they had in place and how it compares to other systems.
From my experience, encryption of data at rest is not something a lot of tech people fully understand to implement. You start asking around, as a technology person, and it is often you “should get an e
Re: (Score:2)
Encryption of data only helps for "data at rest". If it is readily accessible, encryption is not a factor because of transparent decryption.
Re: (Score:2)
Encryption of data only helps for "data at rest". If it is readily accessible, encryption is not a factor because of transparent decryption.
True. At the same time I’d be interested to know what are considered good ways of securing the type of data the Red Cross is dealing with? I hear plenty of criticism, but not much of how they should do it.
Part of the reason for being defensive of the RC, is because I know I don’t have the knowledge to create the right safe guards and nor do many developers I know or know of. PII and PHI regulations often talk about requirements, but rarely is it clear how to fully fulfil all of them and with wha
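The two comments above draw a distinction worth making concrete: transparent at-rest encryption (disk or database-level) is undone for anyone who can query the running system, whereas encrypting individual sensitive fields in the application, with the key held outside the data store, leaves a bulk dump or a compromised database account with ciphertext only. The following is an added example, not code from the Red Cross, its contractor, or any poster in this thread. It simulates both models on a constructed record; the field cipher is HMAC-SHA256 used as a PRF in counter mode with an encrypt-then-MAC tag, chosen only so the script runs on the Python standard library, and a real deployment would use a vetted AEAD such as AES-GCM from a maintained library and a key stored in a KMS or HSM. The record layout and column names are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os

# Columns a reconstruction program might hold (assumed layout, not the real schema).
SENSITIVE_FIELDS = ("full_name", "date_of_birth", "last_known_location")

def _prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (dependency-free stand-in for an AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys so one key is never reused for two purposes."""
    enc = hmac.new(master_key, b"field-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"field-mac", hashlib.sha256).digest()
    return enc, mac

def encrypt_field(master_key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC one field; output is hex of nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    data = plaintext.encode("utf-8")
    ct = bytes(p ^ k for p, k in zip(data, _prf_keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def decrypt_field(master_key: bytes, blob_hex: str) -> str:
    """Verify the tag in constant time before decrypting; reject any modified ciphertext."""
    enc_key, mac_key = _subkeys(master_key)
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _prf_keystream(enc_key, nonce, len(ct)))).decode("utf-8")

def store_transparent(record: dict) -> dict:
    """Model of transparent at-rest encryption: the storage layer decrypts on every read,
    so whatever reaches a query or a dump is already plaintext."""
    return dict(record)

def store_field_encrypted(master_key: bytes, record: dict) -> dict:
    """Application-layer model: sensitive columns are encrypted before they reach storage."""
    row = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in row:
            row[field] = encrypt_field(master_key, row[field])
    return row

def read_field_encrypted(master_key: bytes, row: dict) -> dict:
    """Only a caller holding the key can turn a stored row back into the record."""
    record = dict(row)
    for field in SENSITIVE_FIELDS:
        if field in record:
            record[field] = decrypt_field(master_key, record[field])
    return record

def dump_reveals(row: dict, secret: str) -> bool:
    """What an attacker with read access to the stored rows sees: does the secret appear?"""
    return secret in json.dumps(row)

if __name__ == "__main__":
    key = os.urandom(32)  # in practice: fetched from a KMS/HSM, never stored beside the data
    record = {"case_id": "C-0001", "full_name": "Example Person",  # constructed sample data
              "date_of_birth": "1990-01-01", "last_known_location": "Example Town"}
    print("transparent dump leaks name:", dump_reveals(store_transparent(record), "Example Person"))
    row = store_field_encrypted(key, record)
    print("field-encrypted dump leaks name:", dump_reveals(row, "Example Person"))
    print("round trip matches:", read_field_encrypted(key, row) == record)
```

The contrast is in what `dump_reveals` returns for the two stores: identical records, but only the transparent model hands plaintext to whoever can read the stored rows. Field-level encryption does not remove the need to patch, monitor and limit access, since an attacker who reaches the application process that holds the key is back to plaintext; it narrows what a database dump or a stolen backup is worth.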
How about we "beg" the red cross ... (Score:2)
... not to store (ultra) sensitive, life-threatening information on regular unsecured office systems hooked to the public internet?
We can hope they're Grey Hats (Score:2, Interesting)
If this was a Grey Hat event to show the Red Cross that they're vulnerable themselves, that would be to the good. Remember, a Red Cross helicopter (or one painted to look like it) has been used in the past by a US death squad and we have to assume the US is one of the more mature, responsible countries. In other words, that data could easily be used by a hostile power precisely the way the Red Cross fear, with that intent.
I'm looking to see if it would be possible to build an Open Source router, based on Op
Re: (Score:2)
Why?
You're more than capable of looking up misuses of the Red Cross emblem. Its false use to rescue Colombian hostages is well documented. Its false use by the DC National Guard is even cited in The Military Times. The case of Terry Waite is hardly a secret, where the CIA was later found responsible for impersonating Red Cross/Red Crescent volunteers to infiltrate the militia there. The Guardian has reported on several occasions on the use of US death squads in South America and Afghanistan. The BBC covered a
Re: (Score:2)
Tell me you're retarded without saying, "I'm retarded".
Re: (Score:2)
If the military themselves are acknowledging their own misuses of the Red Cross emblem, and if the BBC (probably the most impartial and thoroughly investigating news outlet on the planet) is saying this stuff is standard operating practice, and if you've not been convinced by such confessions for the past three or four decades, what's a link going to do?
Their work for them.
It's pretty pathetic how people will demand citations for stuff that you can find trivially with google. If it's hard to find a citation then by all means demand one, but if it's trivial then all demanding a citation does is prove how lazy someone is.
However, when an AC demands a citation, just ignore them. They aren't worth responding to. AC posting is for trolling, and that's what they did, they trolled you. Successfully, I might add.
Re: (Score:1)
Ah, the whore had to jump in.
I didn't even know your mom had a slashdot account.
Don't you have anything better to do with your time?
He said, without even a touch of irony. Or, apparently, a sense thereof.
Good luck with that (Score:4, Insightful)
Most black hats (that have been caught) seem to match the dictionary definition of sociopath loners. I doubt many would be bothered about doing it to their own mothers, never mind strangers however vulnerable.
Where is my comment on this? (Score:1)
I literally said hackers are powerless tools of authoritarian states who take their pathetic shit out on anyone they can, and there you go.
You Nazi cocksuck.
I'm about done with these guys (Score:2)
The Red Cross just seems to stumble from one screw up to the next. Contaminated blood, child molesters on staff and half a million bucks missing in Haiti, emergency vehicles taken out of service for a photo op during Hurricane Sandy relief...now this. And that's just what they couldn't cover up.
Until I see hard evidence of a genuine cleanup, with a lot of top management publicly fired, the Red Cross is dead to me. There's so many charities out there that desperately need money, and don't have this kind o
Re: (Score:2)
Yep. Unfortunately charitynavigator is still giving them a very high score, which means charitynavigator is also dead to me since I know beyond a shadow of a doubt that their ratings are bullshit.
Re: (Score:2)
Charity Navigator is more concerned with the finances of charities, especially the ratio of what they collect to what they spend. For example, in Haiti the Red Cross spent hundreds of thousands of dollars bribing local thugs not to steal food they were distributing. According to Charity Navigator metrics, that's fine and dandy. Although it doesn't completely ignore scandals and incompetence, it doesn't highlight them, and I'm fairly sure it doesn't include them in its evaluations.
Charity Navigator is a v
Begging (Score:5, Funny)
It is often the case that begging gets to sound repetitive. Or, maybe the Slashdot editors empathized so deeply with the Red Cross' situation that they permitted a copy-paste duplication on the front page.
no ethics (Score:2)
Who goes after an organizational that helps people? You don't shoot the neutral party that is there to help.
Re: (Score:2)
https://www.militarytimes.com/... [militarytimes.com]
https://edition.cnn.com/2008/W... [cnn.com]
https://www.nickdavies.net/198... [nickdavies.net]
"There is no hard evidence as to whether Waite realised how he was being used. The Tower Commission found that North was using the Archbishop’s envoy as a source of intelligence, quoting his views in internal memos and referring to him as “our only access to events in Lebanon”. But principally, he used Waite as camouflage."
In short, governments have no problem abusing trust and humanitarian o
Ethics, schmethics (Score:2)
They will go after their own grandma. Nothing is sacred to them.
That's why they need to be sent to a concrete building with metal bars everywhere, where they are not sacred, except maybe their ass.
Wow, the Red Cross already lost this one (Score:2)
"Red Cross Begs Hackers Not To Leak Data of 'Highly Vulnerable People'
500,000 US dollars please. You may pay in Bitcoin.
This is like giving Tommy Tucker your lunch money. Either you sock him hard in the face the first time, or you might as well tattoo "FREE ATM" on your forehead.
ARES or RACES?!? (Score:1)
ICRC vs American Red Cross (Score:2)
There is a difference between the ICRC and the American Red Cross. They're two entirely different orgs.
https://en.wikipedia.org/wiki/... [wikipedia.org]
vs.
https://en.wikipedia.org/wiki/... [wikipedia.org]
These aren't the guys who saved your cousin Louis from a flood last year. These are the guys who save international refugees.