Ransomware Out Of Control

The hotel Romantik Seehotel Jaegerwirt, a 4 star hotel in the Austrian Alps, decided to pay a ransom of 1,500 Euros in bitcoin after hackers broke into the hotel’s systems and locked all the guests out of their rooms.

Kind of a downside of the Internet of Things.

If you can unlock your hotel room door from your smartphone, hackers can disrupt that system and stop you from doing that.

In addition, new card keys could not be programmed.

IF the only way that you can open a guest room is via a card key, that would be very difficult to hack because those doors are typically not directly connected to a central system.  However, if the hotel, like many luxury hotels, allowed guests to open their room doors using their smartphones, then that requires a connected lock.  And that is what the hackers can attack.

In addition to the room key system, the hotel’s reservation system and even the cash control system were compromised.

The hotel has been hit by at least three ransomware attacks, all of which resulted in the hotel paying the ransom.

But apparently three attacks was not enough to lock down the systems sufficiently to keep the hackers out.

In another attack revealed this week, the city of Cockrell Hill (population around 4,000, southwest of downtown Dallas, TX.) was hit by a ransomware attack that compromised the police department’s evidence system.

The hackers asked for $4,000 in bitcoin.

In the universe of alternate facts, the Cockrell Hill police chief said that this was not the work of hackers.  If not hackers, then who would get the requested ransom?

The Chief also said that no confidential information was breached or obtained by outside parties.  While this is possibly true, given the system was encrypted, I am not quite clear how the Chief might have looked at the log files to make that determination.  Assuming sufficient log files even existed.

The Chief says that the non-hacker was likely from Ukraine or Russia and that the compromise was a result of someone clicking on a link in email that looked like it came from inside the department.

Chief Barlag decided not to pay the ransom after the FBI told him that it could not guarantee that they would get their data back if they spent the four grand.

Instead they decided to wipe the system clean, losing any possibility of recovering the data.  I guess they told the non-hackers who is boss!

The Chief said that none of the information was critical.

The hacking was discovered on December 12th, but the department chose not to disclose the fact to defense attorneys or the court until a judge in Cockrell Hill “asked” the police why they had not turned over the requested evidence.

The videos and other documents lost date back to 2009.  Some were backed up to CDs and paper documents.  What was not backed up is gone.

The Chief said that no cases had been dismissed YET as a result of the loss of evidence, but given that the police had not disclosed that they didn’t have the evidence any more, that is not a big surprise.

While I don’t know, I suspect that at least some cases will be dismissed as a result of the police department’s poor backup strategy (apparently they had a single generation of backup and didn’t discover the ransomware until after the backups were also encrypted) and decision not to spend $4,000.  Some criminals will likely wind up back on the street.

Given that, at last report a while back, the FBI’s Internet Crime Complaint Center says that they receive over 4,000 reports of ransomware every day, these two events are not a huge surprise, but they do point to the fact that no one is immune.

A 180 room hotel in Austria and the police department of a city of 4,000.  Neither one of these entities is high profile, large or rich.  Given that the attackers are only asking a few thousand dollars (1,500 Euros and $4,000), the victims don’t have to be large, famous or rich.  In fact, preying on small, low end victims probably improves the odds for the attackers.  They assume that the victims have an immature or nonexistent cyber security program and a small and possibly outsourced IT department.  This makes the victims easy to attack with little to no defense and little to no ability to recover.

We have both sides of the coin here.

In the case of the hotel, they opted to pay rather than having 180 rooms full of guests leave without their possessions – and likely sue the hotel for damages.  In the case of the police, they opted not to pay knowing that some criminals will likely get off scot-free.

These cases point to the fact that everyone needs to be ready in case they are the next target.

Information for this post came from The Local and WFAA Dallas.

The SEC is Coming, The SEC is Coming!

For Financial Service firms, the message is clear.  Both FINRA and the SEC are looking over your shoulder to make sure that you are taking cyber security seriously.

And the fines are not small.  From hundreds of thousands to millions of dollars, firms big and small are getting whacked with fines.

In 2014, the SEC Office of Compliance Inspections and Examinations released a risk alert describing their new initiative designed to assess cybersecurity preparedness.  Among the requirements outlined in the program are:

  • Inventory of physical devices and systems
  • Inventory of platforms and applications
  • Map of network resources, connections and data flows
  • The map above to include locations where customer data is housed
  • External connections are cataloged
  • Resources are prioritized for protection based on their sensitivity and business value
  • Logging capabilities and practices are assessed
  • A written information security policy is available
  • Periodic risk assessments conducted and findings mitigated
  • Periodic physical security risk assessments are conducted
  • Cyber security roles in the company are explicitly assigned and communicated
  • A written cyber business continuity plan has been implemented
  • The firm has a CISO or equivalent

This is only part of the list.  The list goes on for 8 pages.

Check out the end of this post for a list of references to FINRA and SEC documents describing these programs.

John Reed Stark of Reed Consulting has come up with some recommendations.  While the paper is 12 pages long, here is the gist of the recommendations.  A link to the paper appears below.

  1. Review overall cyber security policies for adequacy
  2. Eliminate red flags (DUH!)
  3. Create the team (Now, not after a breach)
  4. Protect against identity theft
  5. Get private (protect private data)
  6. Choose the right monitoring technology
  7. Watch out for insiders (Chase learned the hard way)
  8. Consider cyber insurance (Don’t consider it, buy it)
  9. At the first sign of trouble, investigate

There is a ton of information in the articles listed below.

If your head is swimming after reading the articles, contact outside experts (yes, that is self-serving; we do that for financial service companies, but it is very hard to do it yourself).  I liken fixing cyber security in a running business to paving a road while you are driving on it.  Not easy.

Each year the SEC and FINRA visit more businesses and each year their examiners get more knowledgeable about cyber, so don’t think you are going to fool them.

If you start early and have an active program, you are much more likely to get a friendly reception when the examiners come to visit.

It will take quite a while to put together an entire program, so we really do recommend starting early.  It is much easier to put together a program over a year or two rather than trying to get it done in a couple of months after you get that examination report.  If you wait, not only do you have to pay someone like us, but you also have to pay the fines.

LINKS to useful articles:

Cybersecurity and Financial Firms: Bracing for the Regulatory Onslaught by John Reed Stark

SEC National Exam Program risk alert.

SEC examination sweep results summary.

FINRA Report on cyber security practices.

FINRA cyber security report with small business checklist.

Trump Senior Staff Using Same Hackable Private Email as Hillary

I generally stay away from politics in this blog, but this item is an interesting intersection of security and politics. And, it is pretty unique.  Most non-public sector businesses don’t have to worry about this.  While they may or may not let employees use their business email for personal reasons, there are no laws or regulations governing that.  Which makes this situation unique.  And very interesting. Sooooo…..

Politicians are an interesting breed.

After Trump spent months on the campaign trail saying that Hillary Clinton was a criminal for using a private email server, that she risked state secrets and that she should be locked up, Newsweek is reporting that Kellyanne Conway, Jared Kushner, Sean Spicer and Steve Bannon have active email accounts on the private RNC email server.

This is the same email system that George W. Bush used and on which he misplaced 22 million emails.  You may remember that Trump also complained about some 30,000 emails on Hillary’s private email server that were deleted.

Politicians can talk out of one side of their mouth to complain about what an opponent does and then do it themselves.

Now that it has come to light, the staffers are no longer using those accounts.

But, just like Trump complained about Hillary, we have no idea what the senior Trump staff may have used that server for.

We do believe that Bush used that very same server to evade transparency rules.

We have not yet heard from the White House that while they may no longer be using the RNC email server that they are not using any other private email servers.

These are the same kind of servers that Trump complained about on the campaign trail as not being secure.  And, at least until yesterday, they, themselves, were using them.

Of course we have no idea what they used those email accounts for – or didn’t.  The law does NOT prohibit them from using private email accounts for non-government business.  It does require them to forward any government business email that is received on a private account to the government within 20 days.

A former Obama White House official said that they were trained on the issue of using private emails from day 1 and a former Obama administration lawyer said that they did an enormous amount of training on compliance.

That being said, we likely will never know what is on these servers – those accounts were likely wiped within an inch of their life.

Part of the problem is that some White House staff work part time or in an unpaid capacity for the RNC.  As soon as that happens, mischief is almost certain to follow.

Since FBI Director Comey said that Hillary Clinton’s use of a personal email server was “extremely careless”, I assume he will come out as publicly and as vocally about the Trump team’s use of similar servers.

The RNC said that those email accounts were only used for email distribution lists.  Who knows.  That is certainly possible.  Or not.

Stay tuned.

We definitely live in interesting times.

Information for this post came from Newsweek.

St. Louis, Mo Says “Just Say No”

The St. Louis Public Library system was hit with a ransomware attack last week.  All 17 branches; around 700 systems.

The attackers asked for $35,000 to decrypt the 700 computers that were infected – translating to around $50 a computer.

However the library told them to pound sand – or something like that, possibly, something that we couldn’t print in a family oriented blog.

The good news is that, apparently, the library had good backups.

Right after the attack patrons could not check out books and staff email was down.

Within two days the circulation system was back up and patrons could check out books again.

At least there was some good news.  Patron information was not stored on the infected system and patron information was not compromised (that was a good design decision).

While the reserve system was still down for a few more days, it appears that everything is back up.

While it likely cost the library some overtime – maybe – whatever the cost was, it was less than $35,000.

The message here is that IF you have good backups (which are OFFline so they cannot be infected by the ransomware) and you have the support of your customers, they will tolerate some downtime to avoid paying criminals.

The amount of downtime that an organization suffers is affected by several things.

First, how, exactly, did the ransomware infect 700 computers?  Something went horribly wrong.  I am sure that they will do an investigation – they did call in the FBI and the FBI is providing assistance in figuring out what happened.

If you can reduce the number of computers that get infected, you can reduce the time to recovery.

Things like user training, phishing exercises, policies, procedures and incident response training all work to reduce the impact of cyber events.

A few months before the Sony attack, the Sands Casino chain was under attack in a very similar way.  The Sands, however, unlike Sony, had a very effective operational plan.  They immediately pulled the plug on their Internet connection.  Do you even know where the Internet “plug” is in your company?   Doing that stopped the infected machines from “phoning home” – instantly.   They also had I.T. techs running through the casinos UNPLUGGING computers from the local network so they didn’t get infected (don’t ask why they didn’t just pull the power cords from the network switches – either they didn’t think of that (lessons learned) or there was some other reason that wasn’t publicized).  In any case the impact to the Sands was negligible while the impact to Sony was immense.

The I.T. crew did not have to convene a meeting to get approval to disconnect from the Internet – they already had that authority, so they could do that in minutes.

So in this case, the St. Louis Public Library came out as the good guys.  Yes they were attacked, but they did not pay terrorists and they got their systems back online in just a few days.

Could your company do that as gracefully as they did?  Good question!

Symantec Issues More Unvalidated SSL Certificates

Symantec, who is already on probation for issuing inappropriate SSL certificates, issued more than a hundred additional “illegit” certificates.

SSL certificates – more technically TLS certificates – are the bits of technology required to make those “secure” web sites work.

Certificates are issued by certificate authorities (CAs) – organizations who have supposedly set up processes and controls to only issue certificates to, for example, the real owners of web sites, among many other rules.

There is a CA oversight board that actually has the authority to shut down CAs who do not follow the rules, but that almost never happens because it would put those companies out of business.

In this most recent case, Symantec was found to have issued at least 108 bogus certificates. 9 of the certificates were issued without the knowledge of the web site owner; the rest were issued without proper validation.

Some of these bogus certificates were revoked quickly, but some were not.

Even after the certificates are revoked, there are many situations where the bogus certificates might still work in a browser.

This is the reason that there are many rules for CAs to follow.  Only, they don’t always do that.  It is highly unlikely that anything will happen to Symantec as a result of this second bogus certificate issue.  Last year, Symantec issued bogus certificates to Google, among other sites.  Those certificates would allow a hacker, for example, to create a fake GMail site and attract visitors to it.  Anyone who visited the fake site and logged in would have his or her GMail credentials compromised and give the attacker the ability to read all of his or her mail.

The Symantec owned CAs in question are Symantec Trust Network, GeoTrust and Thawte.

After Symantec’s mistake last year, Google required Symantec to log all certificates it issues in a “transparency log” – just so that researchers can check on them.  Whether all of the bogus certificates were caught or not is probably subject to debate.  Google and the other major browser vendors that run the CA oversight board can dictate to the CAs what they have to do because the browsers have to accept the CA’s master key (its root certificate).  If Google or another browser vendor were to stop accepting Symantec’s master key – as they have done for the Chinese CA WoSign – then all of the certificates that they issue will generate an error message when a user tries to initiate an HTTPS session using that browser.

Given Symantec issues so many certificates, it could fall into the “too big to fail” category, making it hard for the CA oversight board (technically the CA/Browser Forum) to shut them down.

My suggestion is to use a different CA – there are lots of them.  Sending a message with your checkbook is always a prudent practice.

Information for this post came from Ars Technica.

Fraud Targets Charities and Small Businesses – Here’s Why

When cyber criminals steal credit cards or buy stolen credit cards, they are buying somewhat of an unknown.

Small time crooks test small numbers of cards by trying to use them at self service gas pumps in the middle of the night, but that doesn’t scale up and you run the risk of getting caught.

In addition, what if all the data isn’t there?  Maybe an address is missing.  Or a zip code.  Maybe the crook didn’t get the CVV code.

So what is a better way to do that?

You run a small dollar transaction on a small business or small charity web site.  These businesses don’t have the fancy anti-fraud measures that Amazon or The Home Depot have.

Sometimes new businesses haven’t learned their lessons yet either.

Let’s assume that the crook makes a $5 contribution to a small charity.  The web site asks for a zip code that you don’t have so you start guessing.  The web site isn’t smart enough to stop you after 5 tries.  Or a hundred tries or any number of tries.  It turns out that the merchant’s credit card front end doesn’t stop you either.  Eventually you get the right zip code and the person whose card was stolen gets hit with a $5 charge.

However, because this is online and no one is watching, the crooks automate the process.  A “bot” can test all 99,999 zip codes in a few seconds – as fast as the web site can respond.  There are only 999 possible CVV numbers for a Mastercard or Visa card, so that goes even quicker.

Now here is the rub.

When the person whose card was stolen disputes the charge, the bank charges the merchant or the charity back for the $5.  BUT, they also charge the merchant or charity a chargeback fee of maybe $100.

For a small business, if they get hit with a dozen $5 charges and those get reversed, they lose $60.  But, they might also get hit with a thousand dollars (or more) in charge-back fees.

If instead of a dozen cards, it is a hundred cards, then the charge-back fees can be in the many thousands.

Some things that merchants can do –

Limit the number of attempts to complete a charge – after say 3 or 4 tries the entire transaction gets wiped and the crook has to start over.  A limited number of failed transactions from a single IP address in a period of time also helps.  Anything to slow the crooks down.

If there are multiple transactions (more than say, 2 or 3) from the same computer from different people in a short period of time, that is another red flag.
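Here is what those three checks look like in code, as an added example that is not from the original post or any particular payment vendor: a small velocity guard that caps retries per transaction, counts failed authorizations per source IP in a sliding window, and flags many distinct cards from one IP.  The thresholds other than the "3 or 4 tries" figure, and the sample traffic, are assumed values constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds: the per-transaction cap follows the post ("3 or 4 tries");
# the others are assumed values a merchant would tune to its own traffic.
MAX_ATTEMPTS_PER_TXN = 3
MAX_CARDS_PER_IP = 2      # distinct cards from one IP inside the window
MAX_FAILS_PER_IP = 5      # failed authorizations from one IP inside the window
WINDOW_SECONDS = 600

@dataclass
class Attempt:
    ts: int          # epoch seconds
    ip: str
    txn_id: str
    card_token: str  # tokenized card reference, never the card number itself
    success: bool

class VelocityGuard:
    """Tracks checkout attempts and blocks the patterns the post describes."""
    def __init__(self):
        self.txn_attempts = defaultdict(int)   # txn_id -> attempt count
        self.ip_cards = defaultdict(deque)     # ip -> (ts, card_token)
        self.ip_fails = defaultdict(deque)     # ip -> ts of each failure

    @staticmethod
    def _prune(dq, now, ts_of):
        # Drop entries that have aged out of the sliding window.
        while dq and now - ts_of(dq[0]) > WINDOW_SECONDS:
            dq.popleft()

    def check(self, a: Attempt):
        """Returns (allowed, reason); reason is None when allowed."""
        self.txn_attempts[a.txn_id] += 1
        cards, fails = self.ip_cards[a.ip], self.ip_fails[a.ip]
        self._prune(cards, a.ts, lambda e: e[0])
        self._prune(fails, a.ts, lambda t: t)
        if a.card_token not in {c for _, c in cards}:
            cards.append((a.ts, a.card_token))
        if not a.success:
            fails.append(a.ts)
        if self.txn_attempts[a.txn_id] > MAX_ATTEMPTS_PER_TXN:
            return False, "txn_attempt_limit"   # wipe it; crook starts over
        if len(cards) > MAX_CARDS_PER_IP:
            return False, "ip_card_velocity"    # many "people" from one machine
        if len(fails) > MAX_FAILS_PER_IP:
            return False, "ip_failure_rate"     # too many declines from one IP
        return True, None

# Constructed sample traffic: one legit buyer, a zip-guessing bot, a bot
# rotating cards, and a bot opening a fresh transaction for every guess.
SAMPLE = (
    [Attempt(1000, "203.0.113.10", "t-legit", "card-A", True)]
    + [Attempt(2000 + i, "198.51.100.7", "t-bot1", "card-B", False) for i in range(4)]
    + [Attempt(2010, "198.51.100.7", "t-bot2", "card-C", False),
       Attempt(2011, "198.51.100.7", "t-bot3", "card-D", False)]
    + [Attempt(3000 + i, "192.0.2.44", f"t-cvv{i}", "card-E", False) for i in range(6)]
    + [Attempt(9000, "192.0.2.44", "t-later", "card-E", False)]  # window expired
)

def run_sample():
    guard = VelocityGuard()
    return [(a.txn_id, *guard.check(a)) for a in SAMPLE]
```

The last sample attempt shows the window doing its job: the earlier failures from that IP have aged out, so a single new decline is allowed rather than tripping the per-IP failure rule.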

I have even seen web sites that don’t even ask for the card verification number.

Another possibility is to outsource the fraud detection process to experts.

This is a rapidly evolving world and small businesses are a target just because they think they are not a target.  What works to protect you today may not protect you tomorrow.

Information for this post came from Small Biz Daily.