DoD Contractor Hit by Ransomware Infection

Electronic Warfare Associates (EWA), a well-known defense contractor in DC, was hit by a ransomware attack.  The tagline on the homepage of their website says that they are enabling a more secure future.

A Google search last week for the company brought up these results:


The researcher who discovered the problem said it seems to have affected, at least, EWA Government Systems Inc., EWA Technologies Inc., Simplickey and Homeland Protection Institute.

EWA has not made any public announcement of the issue.  As I write this, the EWATech web site does not respond.

The current information suggests this is the Ryuk ransomware.  It is used for high value targets and is known to exfiltrate data.  Exfiltrate is a big word for steal.  Source: ZDNet

One more thing we know.  When ZDNet called the company and spoke to their spokesperson asking for a comment on the story, he or she hung up on the reporter.

So what might we speculate?

You may remember that another Navy contractor lost over 600 gigabytes of very sensitive electronic warfare data (from project Seadragon) to the Chinese in 2018.  Were the Chinese looking for more EW data?  Certainly could be.  That data is very valuable in building better offensive weapons (figuring out how to defeat our weapons) and building better defensive weapons (it is cheaper to steal it than to invent it).

The Navy went crazy after the Seadragon breach.  This makes them look even more incompetent.

DoD contractors are required to notify the Pentagon within 72 hours of a breach.  Assuming they followed the law, the Pentagon’s people (NSA, for example) could be all over this.

Much of the information that the government eventually classifies starts out as commercial research and isn’t classified until later.  Which COULD mean that whoever hacked them was after high value, not-yet classified information.

All of this is speculation, but reasonable speculation.

Which brings us up to the Pentagon’s efforts to require defense contractors to get an independent, third-party cybersecurity certification called CMMC.  Would a certifier have discovered a problem which allowed this to happen?  Assuming the Pentagon is in the middle of this investigation, we may never hear.  But I bet folks are looking at the forensics right now.

But this certainly bolsters the logic behind the CMMC certification requirement.  And it is on track for starting later this year.

For those of you who sell to the government – both civilian and military, this is just one more warning to protect your ass.ets.

And more ammunition for Katie Arrington (who runs the CMMC project).

Oh.  One last thing.

The spokesperson who hung up on the media.  That is a GREAT way to get even more media attention on the worst day of your career.

There is something called an Incident Response Plan.  Part of an IRP is a Crisis Communications Plan.

Perhaps they should think about writing one.  And training people.

PS – It is probably required by CMMC.


Feds Say GE Medical Devices Vulnerable to Hackers Changing Settings

Medical devices have never been subjected to much security testing – a fact that the FDA may argue with, but which is visibly accurate.

This time it is GE’s CIC Pro, a workstation that hospital staff uses to manage multiple GE patient devices on a ward.  They can use the device to monitor patients or change patient settings.

Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert for a series of 6 vulnerabilities collectively called MDHex.  These vulnerabilities would allow a hacker to compromise the CIC Pro and, from there, the patient information.

CISA rates vulnerabilities on a 1 to 10 scale with 10 being the scariest.  FIVE OUT OF SIX of the vulnerabilities were rated 10.  The other was rated 8.5 – pretty serious.

The number of devices vulnerable was not disclosed by GE but is thought to be in the hundreds of thousands.

GE plans to release patches “in the coming months”.  In the meantime, hope your hospital isn’t hacked.

This is a rampant problem with Internet of Things (IoT) devices because they are cost sensitive, and with Industrial Internet of Things (IIoT) devices (like the patient monitor) because they were never designed to be on the Internet.  The workstation line was launched in 2007, well before anyone worried about the Internet of Things, and apparently it runs on Windows XP, which has not been supported by Microsoft since 2014.

There are some things you can do if you have IoT or IIoT devices in your company:

  • Make sure you have a complete and current inventory of all of your IoT and IIoT devices
  • Understand what software runs in them, who is responsible for patching them, and whether patches are even available.  This includes what libraries were used by the developers.  An old, unsupported library is the source of one of the vulnerabilities above.
  • Isolate all IoT and IIoT devices from your IT network
  • Consider whether any individual IoT or IIoT device is sensitive enough or its software is risky enough to separate it from everything else
  • Build a patching program for your IoT and IIoT devices – whether it is the responsibility of you or a vendor.  If it is a vendor, manage the vendor closely.
  • Watch for alerts for vulnerabilities published – by vendors, researchers, the government and others – for devices that are part of your network.
  • If you have a vendor supporting the devices (could be the manufacturer or someone else), review your contract to see what it says about who is responsible for security, privacy and even more importantly, who is liable in case of an attack or a breach.

At least this is a start.


Source: ZDNet, Dark Reading

NSA Publishes Cloud Security Risk Mitigation Guide

Maybe this is the NEW AND IMPROVED NSA.

From the NSA document:

This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities) that encompass the vast majority of known vulnerabilities. Cloud customers have a critical role in mitigating misconfiguration and poor access control, but can also take actions to protect cloud resources from the exploitation of shared tenancy and supply chain vulnerabilities. Descriptions of each vulnerability class along with the most effective mitigations are provided to help organizations lock down their cloud resources. By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.

The document goes on to talk about the components of cloud computing and the basic tenets of cloud security such as:

  • Cloud encryption
  • Key management
  • Shared security responsibilities
  • Who the threat actors are
  • Vulnerabilities and mitigations
  • and a dozen reference documents

The vulnerabilities and mitigations section is especially good.

Even though it is a bit techie and managers may not understand every detail, I recommend this for managers too.  It helps them understand what their team is up against.

Read the NSA manifesto here


Security News for the Week Ending January 24, 2020

Breaches Gone Wild – Very Wild

Since the EU’s GDPR went into effect on May 25, 2018 – about 18 months ago – 160,000 breaches have been reported to EU authorities.  A calculator will tell you that means people are reporting between 250 and 300 security incidents A DAY!

If you think that, magically, 18 months ago the number of breaches that were occurring skyrocketed – well, that is not likely.  At least one of the data protection authorities says that there is over-reporting, but that two thirds of the reports are legitimate.

So far companies have PAID about $125 million in fines and the largest single fine was about $55 million.  Expect many more fines in the future since the authorities have not processed most of those 160,000 reports.  Source: ZDNet

Hacker Posts 500,000 Userid/Password Combinations

A hacker who is changing his business model posted the userids, passwords and IP addresses of 515,000 servers, routers and IoT devices on the Internet.  The hacker had used the compromised devices to attack other computers in Distributed Denial of Service attacks.

But he has decided to change his business model and instead use powerful servers in data centers to attack his victims, so he didn’t need all of these devices any more.

What is not clear is why he published the list.  He certainly could have sold it.  Maybe he thought that if the list became public, people would change their passwords from the default or easy-to-guess ones that they were using.  Source: ZDNet


New York State Wants to Ban Government Agencies From Paying Ransoms

Two NY Senators, a Republican and a Democrat, have each introduced bills that would outlaw using taxpayer money to pay ransoms.  One of the bills includes language to create a fund to help local municipalities improve their security.  Given the number of attacks on government networks, this would cause some tension: a city that could pay a ransom might be operational again in a few days, whereas if it didn’t have good backups, recovery could take months.  Stay tuned.  Source: ZDNet


U.N. Report: Bezos Hacked By Saudi Prince MBS

Some people are questioning the report by U.N. experts that the phone of Amazon and Washington Post CEO Jeff Bezos was hacked by Saudi Crown Prince Mohammed bin Salman.  The report says that the hacking can be tied directly to a WhatsApp message sent from MBS’s phone.  Given other things MBS is accused of doing, this is certainly possible.  While the Saudis, not surprisingly, called the report absurd, others are calling for an investigation.  Source: The Register

Swatting is on the Rise

Swatting, the very illegal and sometimes deadly practice of making a prank call to 911 in an attempt to get SWAT police to storm a building, is apparently on the rise.  The premise is often that someone is holding a hostage or threatening to murder someone, which puts the cops in a no-win situation.  If they don’t treat it seriously and someone really is being threatened, they get in trouble.  If they do treat it seriously and it is a fake, the police can do a lot of damage and, in some cases, kill people.  That happened recently when the victim, who it turns out was not even the person who was supposed to be SWATted, came out of his house when the police arrived and the police shot and killed him.  The guy who did it was caught and prosecuted and is serving at least 20 years.

One of the challenges is that the police in almost every city in the country are NOT trained to figure out which 911 calls are real and which ones are hoaxes.  In the case of the Kansas man above who was killed, the caller was smart enough to evade the 911 call recording and tracking mechanisms by calling the non-emergency police number.

According to the NY Times, this is a problem on both coasts, with police being called to multiple executives’ homes over the last few months.

Corporate security at some tech companies is working on dealing with the threat, but we should remember that the police in Kansas went to the “wrong” house (it was the house they were told to go to, but it was not the house the SWATter wanted them to go to).

Seattle is the only city in the country where the police have created a high-risk register where executives can register their family members, so the cops can attempt to reach someone to try to figure out whether a call is a hoax or not.

We don’t really know how frequently this is happening because, unless things go horribly wrong, the police try to keep things quiet.  In addition, the victims also don’t talk about it because that would only bring attention to them.

Information for this post came from CNet.

Recent SWATting events include one in Victorville that ended well when the cops figured out it was a fake and another one in Washington that targeted the author of a book.

SWATting has been around for years; the FBI even put out an alert in 2013, but the frequency has been increasing enough that it is a threat to public safety.



A New Brexit Deal Is Proposed

As we get closer to the January 31st deadline for the UK to sort of kind of leave the EU, the bill that the PM’s side so carefully drafted may or may not hold together.

Over the last two days, the House of Lords voted against Johnson 5 times, forcing the bill back to the House of Commons, which will likely try to undo the changes.  What the House of Lords does after that is not clear.  Read the details of the changes here.

What is in the bill with regard to security and privacy is this:

  1. After the 31st, the UK will enter a transition period lasting until the end of this year, during which time the EU and UK will negotiate about what happens on January 1, 2021.
  2. Apparently there is no option to extend this 11-month negotiating period, and if the EU and UK can’t agree, the UK will leave in a so-called “hard exit” where the UK becomes a third country with whatever agreements might have been created during the next 11 months.
  3. In the meantime, UK companies will need to continue to follow GDPR.
  4. Companies will also need to comply with the UK Data Protection Act of 2019.
  5. As a result of 3 and 4, data can continue to flow between the EU and UK for the next 11 months.
  6. The UK will try to negotiate an “adequacy decision”, meaning that the EU says that the UK’s data protection laws are adequate so that data can flow permanently.  Historically, these determinations have taken way longer than 11 months, so that doesn’t seem likely.
  7. Alternatively, they could write and approve a Privacy Shield-type law like the US has with the EU.  While this could be done more quickly, the courts may strike down the US Privacy Shield law this year, so I am not sure what this means.
  8. If neither 6 nor 7 happens, then companies will need to figure out a different solution such as Binding Corporate Rules, but those are both complex and not easy to get approved.
  9. In the case of moving data between the UK and US, Privacy Shield still works, at least in the short term, but it will need some changes.
  10. The UK says that it plans to keep complying with GDPR long term (because they do want to be able to facilitate commerce between the EU and UK).

Bottom line, things are moving forward, but there is still a lot of uncertainty.  Some information for this post came from CSO Online.