Unidentified hax0rs told not to blab shipping biz Clarksons' stolen data

British shipping company Clarkson plc has obtained an injunction against hackers who broke into its IT systems, slurped a load of data and then tried to blackmail the business. The judgment, handed down by High Court judge Mr Justice Warby earlier this week, orders the unknown hackers not to publish the stolen data and to pay …

  1. JeffyPoooh Silver badge
    Pint

    It's like a $10 door lock...

    It's still a crime to break it.

  2. jake Silver badge

    Re: It's like a $10 door lock...

    Even without a lock it's a crime to enter without permission. Here in California, it's illegal without so much as a door.

  3. Justice
    FAIL

    Don't they have to SERVE the injunction?

    Good luck with that.

  4. Anonymous Coward

    Re: Don't they have to SERVE the injunction?

    No, a precedent was set a long time ago allowing injunctions against Persons Unknown.

    An example is this case, plenty more out there.

    https://inforrm.org/2015/02/07/unknown-unknowns-in-kerner-v-persons-unknown-dan-tench/

  5. monty75 Silver badge

    Re: Don't they have to SERVE the injunction?

    AFAIK and IANAL but I believe it can be served by email.

  6. jake Silver badge

    Re: Don't they have to SERVE the injunction?

    Which makes no sense. "Email? What email? I saw no email!"

  7. Anonymous Coward

    Can't they just send the police round to the email address?

    Sorry, just seeing if I can top the stupidity of Clarkson.

  8. Anonymous Coward

    Stuff your holes full of lawyers!!!!

    All the way down!

  9. Aodhhan Bronze badge

    Yes it's difficult to find out who is behind attacks.

    It's not difficult though, to hire experienced InfoSec professionals and support them adequately to provide a sufficient defense in depth architecture, patch management and monitoring to ensure it's difficult to get in, and just as difficult to get data out.

    Since it is so difficult to identify hackers, you may want to keep this in mind when it comes to your risk management. Can I get a palm thump to the head?

  10. Lee D Silver badge

    Random attacks, yes you can defend quite well against.

    But any targeted attack at all, anything with the help of even a low-level insider, anything by a well-funded or determined adversary, anything committed with a modicum of up-to-date technical knowledge? Not a chance of defending against.

    This is the problem - scale. Sure, granny isn't really worth attacking but she is quite an easy target and is more likely to succumb to random spam than anything else.

    Sure, Facebook are really worth attacking, but they shouldn't be an easy target and aren't likely to succumb to random attacks, pings, port-forwards, email attachments, social engineering etc.

    The middle ground? That's tricky. They almost certainly deal with hundreds if not thousands of people a day, emailing back and forth, and all kinds of levels of staff most of which will have little to no dealing with the IT guys. They may be worth attacking. They can be easy targets. They are capable of succumbing to "one wrong click" no matter who you put in charge.

    Take my example - a private school. Despite what you might think, teachers and other staff are paid pretty much market rates. But they suck in millions of pounds a year (which are spent with suppliers because they usually have to be non-profit). They will accept credit cards, they will have tons of personal information, they will have celebrity parents, they will have databases of children's details that every teacher needs to be able to log into, they will have contact with hundreds upon hundreds of parents from all kinds of staff (office, IT support, teachers, etc.) and all their suppliers. And they won't have teams or budgets big enough to stand up against a determined attacker or malicious interference from within.

    Sure, you'll catch the silly stuff. Your remote desktop will be up-to-date. Your Windows patches will be recent. You'll have backups. Your network won't allow arbitrary access. You may even be able to stop people getting in via the website / parent portal / intranet / etc. if you're diligent. You'll have antivirus. You'll have sensible email defaults (i.e. not opening attachments, etc.). But there's still nothing in the way of a targeted, determined, knowledgeable attacker finding a PHP hole in the parent portal (which needs to talk to the main school database) and walking right through it. I guarantee you, the quality of most school online MIS software is such that I wouldn't trust it alone. And things like "set up a VPN to let us suck from your school database to your cloud-based parent portal" are surprisingly common (and usually with just arbitrary SQL access to said database without even limited views).

    The people "in the know" will offer limited users, limited views, limited access, reverse proxies, DMZ, IDS/IPS, VLANs, audit logs, etc. But I guarantee you that most school IT departments - even where outsourced - follow the default installation instructions which leave the potential for a massive hole the second someone finds one. And it's not going to be publicly advertised on the CVE lists.

    The big-guys can handle themselves.

    The little-guys, you can't really do much for them except try to build systems where compromise isn't capable.

    The middle-ground is the scary part. Where they have just enough investment to require complex IT systems, but nowhere near enough expertise or resources to hire it to secure it against someone determined to get in.

    Your primitive attempts at "I'm from Apple, click on this attachment" and scanning port 80 might not work. But for sure they are the risk category with the most to lose while being the easiest target for that kind of tradeoff.

  11. Doctor Syntax Silver badge
    Headmaster

    "But there's still nothing in the way of a targeted, determined, knowledgeable attacker finding a PHP hole in the parent portal"

    Not using PHP would stand in the way of finding PHP holes. Of course it only moves the problem elsewhere.

  12. JimmyPage Silver badge
    FAIL

    Shame they didn't spend the money on decent security and encryption, really

    That's all

  13. FlamingDeath Bronze badge

    Re: Shame they didn't spend the money on decent security and encryption, really

    But that costs money.

    They like money

  14. adam payne Silver badge

    The judgment, handed down by High Court judge Mr Justice Warby earlier this week, orders the unknown hackers not to publish the stolen data and to pay Clarksons' legal costs.

    Good luck with that because it's never going to happen.

    What makes them think that the hackers are even in this country?

  15. CAPS LOCK

    IANAL so I don't know if this is as breathtakingly stupid as it sounds...

    ... but m'learned friends will have had a pay day so that's all right...

  16. MiguelC Silver badge

    Ain't justice a beauty

    Clarkson instructed its solicitors to proceed with court action, and they solicitously did so

    The judge had an injunction to evaluate, and he judiciously did so

    So, although no justice will ever be served by all these actions, everyone did their bit as expected and goes home with a clear conscience of a job well done

  17. FlamingDeath Bronze badge

    Re: Ain't justice a beauty

    Idiocracy was meant to be a dystopian comedy, not a prophecy

  18. tfewster Silver badge

    Re: Ain't justice a beauty

    It might have some value if the suspected perps are identified later on - the court order goes into immediate effect to stop the leak going any further while the perps are on bail. Better than locking them up for months before a trial. Plus disobeying a court order has additional penalties.

  19. TrumpSlurp the Troll Silver badge

    Not aimed directly at the perps?

    I assume that any third party involved in the future publication of this information is now on (slightly) dodgier ground and may be more easily prosecuted?

    Assuming jurisdiction, of course.

  20. handleoclast Silver badge
    Coat

    Perfectly sensible decision

    The hackers can no longer rely upon sending the stolen information to a newspaper to publish because the injunction will ensure that no sensible editor would risk publishing it.

    Hurrah!

    Actually, it would also allow take-down orders against any web site the hackers uploaded it to, although other legislation (such as copyright) would probably have sufficed.

    Hurrah!

    The one slight fly in the ointment is Barbra Streisand. But if Clarksons can get an injunction against her, they'll be safe.

    Hurrah!

    I'm starting to wonder about the mushrooms in my morning fry-up. My thought processes seem to be wandering and the walls are melting.

    Hurrah!

  21. GIRZiM

    Barbra Streisand? (Was: Re: Perfectly sensible decision)

    https://www.youtube.com/watch?v=ECgDsLs_J6k

  22. Not also known as SC Silver badge
    Pint

    Photo Caption

    Can I congratulate whoever chose the photo and wrote the corresponding photo caption for this story?

    "A 100 per cent accurate photo of a typical hacker at work."

    Love it.

  23. Anonymous Coward

    "...the company's public warning..."

    LOL

  24. Anonymous Coward

    Any relation to Jeremy?

    He thought he was unhackable as well, if I recall.

  25. lostsomehwere

    My guess is that the legal action was needed as a requirement of an insurance claim.

    Still futile though
