Security News for the Week Ending December 3, 2021

Australia Proposes Law To Force Online Platforms to Disclose User Info

Australia plans to introduce legislation that will force social media companies to either take down posts that people don’t like or hand over their users’ information. This isn’t law yet, but I can easily see how this will be gamed. This comes in the wake of Australia’s high court saying that publishers can be liable for content that their customers post. In response, CNN has shut down their Australia Facebook site. I suspect that more publishers will do this – the market for Australia is just not big enough and the liability is too big. Credit: Gizmodo

What a Difference Having Backups Makes

Colorado’s Delta-Montrose Electric Association, an electric coop on the Western Slope of Colorado, was hit by a ransomware attack in early November. While they didn’t say it was ransomware, it took down 90% of its internal systems. They were not able to send out any bills last month and they have said that it will take them a long time to restore data that was corrupted. Reports are that they LOST the majority of their historical data for the LAST 20 to 25 YEARS. Guess they didn’t know about backing up their data offline. Credit: MSN

Cuba Ransomware Gang Compromised At Least 49 Critical Infrastructure Entities

The Cuba ransomware gang, which, curiously, is not based in, run by, or funded from Cuba, has infiltrated AT LEAST 49 different entities in five critical infrastructure sectors, including finance, government, healthcare, manufacturing and information technology – according to the FBI. It has also made over $40 million from ransom payments. Much more important than the money is the possibility that this gang has compromised at least dozens of companies in different areas of critical infrastructure. How many more have they infiltrated that we don’t know about? Credit: Bleeping Computer

NSO Group Hacks US State Department

NSO Group has really been getting in trouble lately. Now that it has been banned in the U.S. and is the target of multiple lawsuits and has tried to redeem its image, it was caught spying on at least 9 U.S. State Department employees. NSO says that they cancelled the accounts of the offenders after being told that the media was going to out them for this attack (I think that is called self-preservation, but it isn’t going to help). The State Department found out because Apple told them. Credit: Vice

In Case You Thought These Bitcoin “DeFi” Companies Were Safe

Hackers stole hundreds of millions of dollars of cryptocurrency from two “DeFi” projects. MonoX lost $31 million after hackers exploited a bug in their smart contract software, and BadgerDAO lost $120 million to hackers after the admins blew off an alert from some of their customers about unusual activity. $100 million plus later, the platform says that it is pausing all withdrawals as they investigate. Likely none of this is covered by insurance. Credit: Hackread

Defense Contractors Highly Susceptible to Ransomware Attacks

Security firm Black Kite says that 20 percent of America’s largest 100 defense contractors are highly susceptible to a ransomware attack. Why do they say this?

Nearly 43% of federal defense contractors have out-of-date systems, giving them a D+ rating for patch management.

42% of contractors have had at least one credential compromised in the last 90 days and 40 contractors received an F in credential management.

The top 100 federal contractors averaged an RSI (Ransomware Susceptibility Index) of 0.39, but 20 percent scored above 0.6.

This is compared to 10% of pharmaceutical manufacturers who scored an RSI above 0.6.

The top 100 scored a C+ for information disclosure (leaks) and a C on both SSL strength and application security.

But consider this.

These are the big companies and the ones who should be very security aware.

If the top 100 defense contractors are in bad shape, can you imagine what the millions of small businesses’ security profiles look like? You don’t have to wonder. The Chinese already know and if the news is any indication (as in the number of breaches and the number of ransomware attacks), it isn’t pretty. Credit: Help Net Security

MI-6 Follows CIA, Just 22 Years Late

Why? Quantum Computing and Artificial Intelligence!

For those of you who are not familiar with MI-6, even via a somewhat romanticized version in James Bond movies, MI-6 is Britain’s spy agency. Working alongside MI-5 and GCHQ, their goal is to protect Britain from the bad guys. MI-6, similar to our NSA (often referred to as No Such Agency), prefers to stay in the shadows. The agency’s existence wasn’t even formally acknowledged until the 1990s.

However, now they are talking very publicly. Richard Moore (AKA “C” in MI-6 speak) talked publicly for the first time since taking over the role of Chief of MI-6. He said that developments in quantum computing and AI are good for society.

Speaking at the International Institute for Strategic Studies, Moore warned that China, Russia and Iran are a threat to the UK (and the rest of the world), who could exploit technology to meet their aims.

While human intelligence is important (and, I might add, becoming harder by the day because of the digital footprint that every human leaves behind – or if they are a spy, do not leave behind), technology is going to be critical to assessing that intelligence.

He warned that “our adversaries are pouring money and ambition into mastering artificial intelligence, quantum computing and synthetic biology because they know that mastering these technologies will give them leverage”.

However, “C” admitted that they (the UK) will lose the battle if they try to out-do big tech.

So, they are doing what the CIA started to do in 1999 and have started a venture capital fund called the National Security Strategic Investment Fund. The CIA calls theirs In-Q-Tel. While I don’t know NSSIF, I did pitch In-Q-Tel a few years ago. Some super smart people. Likely also true for NSSIF. Both are looking for smart people with even smarter ideas who need money. Of course, they want to use, partner, or own the tech that these investments produce. “C” said that this is a culture change for the organization that is going to be a sea-change. The CIA seems to have figured out how to do it. Perhaps the two organizations should chat. Or maybe they already are.

The key point is that quantum computing and AI are going to be critical to national security and, my guess is, China and the others know that too (read my November 25th blog post if you doubt this). If they can’t develop it themselves, there are other alternatives that they seem to be pretty good at also. Credit: ZDNet

Booz Allen says that the Chinese are already planning for the day when powerful quantum computers are running inside their state-run intelligence service. Booz Allen says that Chinese hackers might soon start trying to steal encrypted data such as encrypted weapons design data, biometric data and spy agency human asset info, with the hope that, with quantum computing, they will be able to decrypt it in the future.

Booz Allen writes:

“In the 2020s, Chinese economic espionage will likely increasingly steal data that could be used to feed quantum simulations,” the analysts write in the report Chinese Threats in the Quantum Era.

Hackers could steal encrypted data now and crack it with quantum computers later, warn analysts | ZDNet

We either need to protect our tech. Or learn Mandarin.

Interpol Arrests 1,000 Cyber Criminals

While arresting 1,000 people in a four-month-long operation is a significant feat, it is likely mostly very low-level people that they caught.

They also recovered $27 million in proceeds. Given that the estimate is that Internet crime will cost us $10 trillion a year by 2025, recovering $27 million doesn’t seem like much.

The operation, code named HAECHI-II, involved law enforcement from 20 countries and allowed them to close over 1,600 cases. Again, not to diminish their work, but there are millions of cases every year.

Interpol’s Secretary General said that this operation showed that the surge in online financial crime during the Covid pandemic has not eased.

Not only did they arrest over a thousand crooks, but they also discovered ten new criminal techniques during the operation.

And the crooks are creative. In one attack the hackers got people to download an app based on the hit South Korean Netflix show Squid Game and that app had a trojan that subscribed the victims to paid premium services without their approval.

This is part of a three-year anti-crime operation. Phase one, called HAECHI-I, arrested about half as many people but recovered more than three times as much money.

While these efforts are useful, the only way to make a real dent in cybercrime is to get people to be more aware and take more responsibility for protecting themselves. This is hard because many of the attacks are very sophisticated and hard for people to understand. Part of the challenge is to get people to do things that they don’t want to do. Google, for example, says that only about 10 percent of its users have turned on two-factor authentication, which makes compromising a user’s Google (or bank) account much harder. Google has decided to force the issue and is planning to make two-factor authentication mandatory on a hundred fifty million accounts this year in phase 1 of getting all accounts 2FA enabled. But other companies do not want to take the heat from unhappy consumers. For example, most banks do not require 2FA for online banking and consumers don’t care because the bank takes the loss from the fraud.

Maybe companies need to do what cyber insurance companies are starting to do. If you don’t have good cyber hygiene, they just won’t pay your claim – you are on your own, good luck.

Credit: The Hacker News

Security News for the Week Ending November 26, 2021

Tesla Locks Owners Out of Cars – On Accident

Hundreds of Tesla owners got locked out of their cars when a server that powers the Tesla app crashed due to load. Apparently those owners forgot there is such a thing as a car key. The outage lasted about 5 hours and Elon Musk later tweeted that they would work to avoid this in the future. This doesn’t happen often; just a reminder that no tech is perfect. Credit: The Guardian

The Zelle Fraud Scam – Don’t Fall Victim

The Zelle fraud scam starts with a fake text message that asks if you made a Zelle payment in the amount of $X. If you respond to the text with anything, you will get a call from the scammer pretending to be your bank. The scammer asks for your online banking USER NAME (not password) and the hacker then does a password reset, asking you for the PIN that your bank sends to do the password reset. And then empties your bank account. For more details, see the Brian Krebs account of the attack.

Microsoft Says Attackers Don’t Bother to Brute Force Long Passwords

A Microsoft engineer analyzed over 25 million password attempts against a honeypot of SSH servers and discovered that 77% of the attempts to brute force a password used passwords of 7 characters or less and only 6% used passwords of over 10 characters. Also, only 7% of the attempts used a special character. This gives users some parameters for constructing passwords. Credit: The Record

US Sanctions 28 Quantum Computing Companies in China, Russia, Pakistan and Japan

The US continues to work on protecting our technology from foreign bad actors. The Commerce Department added 28 companies in multiple countries as a risk to the US. These sanctions prohibit US companies from dealing with these organizations. Given that quantum computing is a strategic technology for everyone, we do not want to accidentally be helping the bad guys. For a list of these companies, check out this article.

Israel Bans Sales of Hacking Tools to 65 Countries

In the wake of all of the negative press that Israeli hacking tools company NSO Group is getting, including being banned in the US, Israel reduced the list of countries that companies like NSO can sell to from 102 to just 37 countries. See the list here.

India to Ban Almost All Private Cryptocurrencies

India is about to ban almost all private cryptocurrencies. A new bill will create a framework for an official digital currency, to be issued by the Reserve Bank of India. Included in the ban would be Bitcoin and Ethereum. Effectively, if this bill becomes law, non-fiat cryptocurrency would cease to exist in one of the world’s most populous countries. Credit: Euronews

China Charts Plan for Tech Self-Sufficiency

China’s policymaking body, the Central Comprehensively Deepening Reforms Commission (I did not make up this name) approved a plan yesterday for developing home grown science and technology with an eye toward self-sufficiency.

According to a press release by the state run news agency, Xi said that while China has made substantial progress in trying to develop its science and technology sectors, they are still struggling. Which means that stealing intellectual property from the west is still critical.

And what are they trying to focus on?

Artificial intelligence and quantum computing.

This comes as Biden continues to tighten the screws on the Chinese tech sector, adding another dozen Chinese companies to the entities list, banning US companies from selling to them.

China’s vice premier wrote an article for the People’s Daily yesterday saying, using a lot of words, that innovation is critical and since Xi said that they were still challenged at doing that, it is pretty clear what the alternative is.

China, of course, is not pleased that more companies have been blacklisted, but my guess is that asking us to un-blacklist them will not produce results for them.

Based on this, expect more espionage – both by breaking into US company networks and by planting insiders inside targeted companies. Also expect them to continue to expand the Thousand Talents program.

All in all, this means that US companies with critical tech need to stay on their toes. If you think your tech is important, so does China and they are very motivated to steal it. Likely they will do it very quietly so that you don’t even know that you have been hacked.

Credit: The Record
