Security News Bites for the Week Ending July 31, 2020

Many Cyberspace Solarium Commission Recommendations Likely to Become Law

The Cyberspace Solarium Commission was a blue ribbon commission that made recommendations to Congress earlier this year on improving government cybersecurity. It appears that many of their recommendations are being added to the National Defense Authorization Act, which is a “must pass” bill to fund the military. President Trump has said that he will veto it because it directs the Pentagon to rename bases named after Confederate generals. Stay tuned; that sausage is still being made. If they do remain in the bill, that would be a great thing. Credit: CSO Online

Fintech “Dave” Exposed 7.5 Million Customers’ Data

Fintechs, those Internet firms that act as an intermediary between your financial institutions and you, are not regulated in the same way that, say, banks are. Fintech Dave (yes, that is their name) exposed data on 7.5 million customers as a result of a breach at one of their vendors. One more time, vendor cyber risk management is an issue and Dave will wind up with the lawsuits and fines. While credit card data was not exposed, passwords, which were very weakly encrypted, were compromised. Credit: Dark Reading

IRS “Recommends” 2FA – Makes it Mandatory Next Year

The IRS is “recommending” that tax pros use multi-factor authentication, especially when working from home. They say that most of the data thefts reported to the IRS this year by tax pros could have been avoided if they used multi-factor authentication. Starting in 2021, this will be mandatory for all providers of tax software. The IRS seems to recommend two-factor apps like Google Authenticator over SMS messages, which are easier to hack. Credit: Bleeping Computer

5G is Here – Sort Of

The article says “After years of hype, 5G making progress in the US”. While true, there is less to the statement than most people would like. Last week AT&T joined T-Mobile in claiming that they have deployed 5G nationwide. While this is a true statement, they are doing it using the low frequency band. They are doing this because they can cover the country with an order of magnitude fewer cell sites. Unfortunately, this also means that the speed that you will see after you fork over a thousand bucks for a new 5G phone is basically the same as the speed you currently have with your current phone without spending the money on the new phone and new plan. For details, read the article in USA Today.

Planning for a Ransomware Attack

You know that if publications like Forbes are running pieces on preparing for ransomware attacks that things must be getting bad.

The Forbes piece, written by former Deputy Undersecretary for Cybersecurity at DHS Mark Weatherford, is good, but it leaves out a few things (I am guessing that Forbes gave Mark a word limit).

We continue to see multi-million dollar ransoms being paid. Garmin is reputed to have paid $10 million and the University of California at San Francisco paid $1.1 million. Those are just a couple of very recent, very public ransoms paid.

We seem to hear every day of a new attack: Opus Capital Markets (Freddie Mac vendor), Honda, Fresenius, 41 health care providers. This is just a sample of the attacks.

So what do you do – how do you prepare?

These are Mark’s recommendations. I will add some of my own.

  1. Have a business continuity plan. When Travelex got hit by ransomware earlier this year they were literally out of business for a month. They can afford that – can you?
  2. Focus on the data. Mark says systems can be replaced. Not so easy when it comes to the data. How much data are you willing to lose? A week? A day? An hour? Many times the backups are accessible online. Convenient. And easy for the hackers to destroy or encrypt. If that happens, you have nothing.
  3. Regularly educate your users. That means, for example, you need to be phishing your users regularly and the fake phishes need to be very convincing. Regular means weekly. Different phishes for different people. This includes the executive team.

Okay, so that was the end of Mark’s list. Here are a few of mine to add to the mix.

4. Make sure that everything is patched. Computers, servers, cloud, phones. While that may not stop hackers, no sense making it easy for them.

5. Have a TESTED incident response plan. When Equifax announced their breach, they gave out the wrong web site, and the right web site, when they finally got that out, was not even owned by Equifax. It was set up after the breach by someone at their marketing vendor. He owned it personally. That doesn’t inspire confidence among your customers, who may have just had the worst day of their business life.

6. Have cyber insurance. This is your last resort. These days it is still pretty affordable. Norsk got paid $3.5 million by their insurance and they spent $60 million to recover. Make sure that the insurance covers all of the situations that might occur (it often doesn’t) and that you have enough.

Finally, plan, test and plan some more. A few months before the Sony attack that was blamed on North Korea, there was a very similar attack on the Sands Hotel and Casino empire. Didn’t hear about the Sands attack? That is because they were prepared.

Are you? The rate of attack and the price of ransom are both escalating. Don’t wait; prepare now.

Source Code from Dozens of Companies Stolen

Companies like Microsoft, Lenovo, GE, Nintendo and many others have created publicly visible repositories on places like GitHub. Some of these repositories are empty and some may legitimately be intended to be public.

But those that contain access credentials – userids, passwords and API keys – likely are NOT intended to be public.

Some of the code from, for example, game developers, may be valuable intellectual property.

You can kind of think of this as a variant of the Amazon S3 buckets which are discovered all the time without passwords.

The project, called “Confidential & Proprietary”, takes that code and posts it on their web site.

Sometimes they tell companies about it in advance. Not always.

If they get a takedown notice, they remove it, but likely any damage is already done.

Bottom line, companies need to create a secure software development culture, and protecting their code and credentials is part of that.

Does your company have a secure software development lifecycle program? Do you need help creating one? Contact us. Credit: Bleeping Computer

Ransomware Gone Berserk

As if ransomware wasn’t bad enough in the past.

As if ransomware 2.0 didn’t make you lose sleep.

If you thought that the pandemic was slowing down cyberattacks.

Sorry to be the bearer of bad news.

We are seeing new ransomware strains pop up at an alarming rate. In just the past couple of months we have seen:

  1. Avaddon – an email based attack that tries to lure you in by a subject line like Your New Photo? or Do You Like My Photo? The attackers sent out over a million emails in just one week trying to compromise people’s computers. And they have an affiliate program that pays a very generous 65% of any ransom that they generate.
  2. AgeLocker – uses the Google-developed Age encryption tool. They are demanding 7 Bitcoin to unlock your files (about $65,000).
  3. Conti – probably a successor to Ryuk. New and improved. Can encrypt 32 files at the same time for reduced time to detect before it is all over. It attempts to maximize damage.
  4. ThiefQuest – This is a piece of Mac wizardry. Not only does it encrypt your files, but it also installs a keylogger, reverse shell and other niceties. They were asking $50 to decrypt, but there is no way to contact the hackers. There is now a free decryptor, but if the goal was really to install the keylogger and back door, maybe they figure that you won’t notice that if you can get your files back.
  5. WastedLocker – a variant of the EvilCorp malware, it has been targeting U.S. Fortune 500 companies and demanding multi-million dollar ransoms.
  6. Try2Cry – This ransomware uses infected links and compromised flash drives to share the love. This one, too, seems to be decryptable.
  7. FileCry – Another amateur attempt. They ask from 0.035 Bitcoin or about $400 at today’s value.
  8. Aris Locker – This one threatens the user that if they snitch on the hacker, they will delete your data permanently. They are asking for $75 in ransom if paid quickly; $500 otherwise.

While some of these strains are not a serious threat, others are, and these are just the strains that this article identified in the last couple of months.

Suffice it to say, ransomware is alive and well and not taking a break during these crazy times.

This means that you better be ready to deal with the situation if one of your employees accidentally opens an infected email and compromises your network. Credit: Cyware

Security News Bites for the Week Ending July 24, 2020

Cloudflare DNS Goes Down Taking A Big Chunk of the Internet Down

Good news and bad news. For companies like Shopify, League of Legends and Politico, among many others, Friday afternoon gave you a headache. You outsourced your DNS to Cloudflare and they had a burp. The good news is that because they are Cloudflare they were able to diagnose it and mitigate the problem in 25 minutes. While no one wants to be down, could you fix your internal DNS server meltdown in 25 minutes? Credit: TechCrunch

Great Article on How Norsk Hydro Dealt with a Ransomware Attack

Bloomberg has a great article on how Norsk dealt with their ransomware attack. Couple of thoughts. They spent $60 million to recover. Their insurance has paid them $3.6 million. You do the arithmetic. And, they weren’t dealing with ransomware 2.0 which really changes things. Check out the article on Bloomberg.

Grayshift Has a New Form of Spyware

Grayshift, the company that breaks into cell phones for cops and “other entities”, has come up with a new tool. Take a locked iPhone and put it on the Grayshift box. They install malware onto your locked iPhone. Then they give it back to the suspect under the guise of, say, calling their lawyer. The suspect unlocks the phone and the malware records the unlock code. Then the cops take the phone back and can unlock the phone without you. Likely Apple will figure out how they are doing this, but for now, it works. Credit: NBC News

First American (Title Company) Makes History

New York’s Department of Financial Services released a highly detailed set of security standards a couple of years ago for businesses that they regulate called DFS 500. This set of security standards dictates what controls and processes banks, mortgage companies, insurance companies and others must implement to protect the data that they store. First American is the first company that DFS has sued for messing up. There were 885 million records exposed and the fine can be $1,000 per record. You do the math and start the negotiations. Credit: PYMNTS.Com

Critical Infrastructure Can be Hacked by Anyone

Well that is not a comforting thought.

Cybernews is reporting that using an Internet of Things search engine (like Shodan, but they don’t say which), they were able to scan big swaths of the Internet. In their case they were looking for exposed IoT systems.

Not just any IoT, but critical infrastructure IoT. Here is just a sample of what they found.

This represents an onshore oil well and it looks like they could change flow from this interface.

This system seems to control five different off-shore wells.

Perhaps you would prefer to control the water supply instead.

Or perhaps you would like to make drinking water undrinkable.

If you would prefer to mess up the other end of the process, maybe you could make this poop plant poop in the wrong place.

These hacks did not require a great deal of skill. They did not exploit zero day vulnerabilities that only nation states have access to. Sure it took some work, but these guys are journalists, not master hackers.

Only the electric grid has **BEGUN** to take these threats seriously and they are only taking baby steps.

In Europe, Facebook can be fined 125 million Euros for not taking down a piece of terroristic content within an hour.

Have any of these companies been fined anything? I don’t think so.

Maybe hackers don’t want to start a fighting war, but for anarchists, who knows. Let’s say there is an anarchist in Iowa. Are we going to bomb Des Moines?

What if the hacker *WAS* in Des Moines but took over a computer in Germany to launch the attack. Are we going to attack Germany? Anarchists would like us to do that.

Needless to say, this is a bit of a mess and these are only samples of what they were able to do.

One of the problems that the critical infrastructure industries have is that many of their control systems were designed when people were still painting pictures on cave walls with ground up plants. Well, not exactly, but in technology terms, pretty much exactly.

If the government doesn’t FORCE these companies to pass security tests like the DoD is beginning to force contractors to deal with under the threat of not getting any contracts, nothing will improve.

Since most of these companies are regulated, their regulators need to approve the rate increases necessary to fix the problems and, for most regulators, this is a theoretical problem. After all, no one was provably killed by my decision not to force utilities to improve their security.

And since most legislators have trouble starting a Zoom conference without help from their millennial intern, I would not hold out a lot of hope for those same people understanding the complexities of industrial internet of things devices.

I just hope that it won’t take a Bhopal-style disaster to get their attention.