Ransomware Operators Up The Ante

Israeli insurance company Shirbit was hit by a ransomware attack last week. The hackers demanded 50 Bitcoin within 24 hours. 50 Bitcoin is about a million dollars.

When they didn’t do that, the hackers started leaking the company’s data and doubled the ransomware demand to 100 Bitcoin or about two million dollars.

They said that if Shirbit still didn’t comply, they would raise the demand to 200 Bitcoin or about $3.8 million in the following 24 hours.

And then, every 24 hours after that, they would leak more data and start selling some of it.

One thing of interest here is the timeline. Every 24 hours the rules change. That means that you, as a business, need to be completely prepared, because you will not have time to figure it out on the fly.

In the US, you also have to figure out whether paying the ransom is even legal (the Treasury Department's OFAC warned in October 2020 that paying a sanctioned actor can itself be a sanctions violation) and, if not, what your alternatives are.

The insurance company says that they looked and the data that was stolen won't hurt their customers. That may depend on your definition of hurt. I think that remains to be seen. You may remember that Travelex said their ransomware attack would not have a material effect on their business. Then it went into administration, the UK equivalent of bankruptcy, some months later.

Credit: The Jerusalem Post

The End of Encryption as we Know It

Well sort of.

China has joined the club of quantum computing capable countries and companies.

Google and IBM were among the first members of that club and while we know that those two companies are evil (just kidding), we can assume that China has far more evil intentions in mind.

Researchers from the University of Science and Technology of China explained in the journal Science they were able to get a system they named Jiuzhang to perform a calculation in minutes that would have taken a traditional supercomputer an estimated 10,000 years to solve.

The Chinese researchers have claimed quantum supremacy using a quantum computation called Gaussian boson sampling (GBS), their paper explained, which uses particles of light sent through an optical circuit, measuring the output. This means there are now multiple proven quantum-computing technologies, with surely more to come.

This, assuming that they are not just lying, is a proof of concept that is a long way from the scale required. It is also worth noting that Gaussian boson sampling is a special-purpose computation, not a programmable quantum computer: Jiuzhang cannot run Shor's algorithm, which is what actually threatens RSA and elliptic-curve keys. However, the Chinese are willing to both spend a lot of money figuring it out and also spend more bags of cash to steal the answer.

While the end (of pre-quantum encryption) is near, it isn't here yet, but give the Chinese (and others) a few years and they likely will be there. Whether a few is 3 or 5 or 10 years, it is unlikely to be any longer than that.

Some of you are probably saying well, I will worry about that in 3 or 5 or whatever years and you can certainly do that, but there is a REALLY BIG gotcha there.


Any data that was encrypted under today's public-key algorithms (RSA, Diffie-Hellman and elliptic curves, which protect the key exchange in essentially every TLS, VPN and encrypted email connection) will be decryptable once a large enough quantum computer exists. Symmetric ciphers such as AES-256 hold up much better, but that does not help when the session key was exchanged with RSA or ECDH: recover the key exchange and you recover the traffic.

So all of those petabytes of data that the NSA has been collecting and has not been able to read? They will be able to read it.

But I am less worried about what the NSA is going to do. That same amount of data (possibly more) is also being collected by the Chinese. What do you think they might do if they can decrypt personal information, health information, financial information, trade secrets and national security secrets?

This so-called protected information runs on non-secure links (also known as the Internet) by definition, so vacuuming this data up is very easy.

I will leave you to ponder the impact.

While we do not have standardized replacements yet, we will soon, probably in the next couple of years, and businesses will need to migrate relatively quickly in order to minimize business risk. A useful first step today is an inventory of where public-key crypto is used and how long the data it protects has to stay secret.

NIST is running a competition for post-quantum algorithms (it is in its third round as of this writing), but do not expect final standards for at least another year or two.

Kind of scary.

Credit: Threatpost

Security News for the Week Ending December 4, 2020

France Says it is Going Ahead with Digital Tax

France has been complaining that U.S. companies (mostly) have not been paying their fair share of French taxes, since they are not selling physical widgets delivered in France, so it came up with this digital tax, a 3% tax on digital services delivered in France. It held off for a while trying to get some sort of international tax agreement, but that does not appear to be happening, so it is moving forward with the tax. It only affects companies with more than 25 million Euros of digital revenue in France (and 750 million worldwide). Is this the wave of the future? Credit: Cybernews

FCC Chairman Pai to Step Down on Jan 20

Ajit Pai announced that he will step down from the FCC on inauguration day rather than have the new President replace him, which is almost guaranteed. Pai, a former telecom industry lawyer and lobbyist, said that he may try to create some rules in his remaining two months in support of the President's efforts to hurt Facebook, Twitter and similar companies. Those rules would likely be reversed the day after inauguration, so it is not clear why he would waste taxpayer money doing that, but that is Washington for you. Credit: CNBC

How Many Phishing Sites?

Since the beginning of this year, Google has flagged about 46,000 web sites EACH WEEK as phishing sites. That is over 2 million so far this year, a 20% increase over last year, and the year is not over. Hackers can register as many domains as they want, and in part they are looking for "look alike" names – a zero swapped for an oh, an "L" swapped for a "1", or the brand name buried in a longer domain. But they also just take over legitimate sites with bad security. There is almost no way to track that, but I can say from personal analysis that there are way more of the second kind than the first kind. Credit: KnowBe4
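A worked example of the look-alike check described above. This is added here and is not code from the original post or from KnowBe4. It folds common ASCII substitutions (zero for oh, one for el, "rn" for "m") back to the letters they imitate, then compares the registrable label against a brand list by exact match, substring and edit distance. The homoglyph table, the brand list and the small suffix set are illustrative assumptions, not a complete confusables database or the public suffix list.

```python
"""Flag candidate look-alike domains against the brands you defend.

Added example; not code from the original post or from KnowBe4. The
homoglyph table, brand list and second-level-suffix set are assumptions.
"""
from __future__ import annotations

# ASCII substitutions commonly seen in phishing registrations (assumption:
# partial list). Multi-character entries are applied first so that
# "rn" -> "m" wins over any single-character rule.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}

# Assumption: the brands to protect and their legitimate apex domains.
BRANDS = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "google": "google.com",
}

# Assumption: a tiny stand-in for the public suffix list, so that
# "brand.co.uk" yields the label "brand" rather than "co".
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "gov", "ac"}


def normalize(label: str) -> str:
    """Canonical form of a label: lowercase, separators removed, known
    look-alike sequences replaced by the letter they imitate."""
    s = label.lower().replace("-", "").replace("_", "")
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """The label just below the public suffix ("paypa1" for paypa1.com)."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands: dict[str, str] = BRANDS) -> list[tuple[str, str]]:
    """Return (brand, reason) pairs for every brand the domain imitates.
    An empty list means the domain is the brand's own domain (or one of
    its subdomains) or does not resemble any brand in the list."""
    d = domain.lower().rstrip(".")
    label = registrable_label(d)
    norm = normalize(label)
    hits: list[tuple[str, str]] = []
    for brand, legit in brands.items():
        if d == legit or d.endswith("." + legit):
            continue  # the genuine site or one of its own subdomains
        if label == brand:
            hits.append((brand, "brand name under a different TLD"))
        elif norm == normalize(brand):
            hits.append((brand, "homoglyph"))
        elif brand in d:
            hits.append((brand, "brand embedded in a longer name"))
        elif levenshtein(norm, normalize(brand)) <= (1 if len(brand) < 8 else 2):
            hits.append((brand, "typosquat"))
    return hits


if __name__ == "__main__":
    # Constructed sample input, not real phishing telemetry.
    for candidate in ["paypa1.com", "rnicrosoft.com", "gooogle.com",
                      "paypal-login-secure.com", "paypal.com.evil.net",
                      "google.co.uk", "www.paypal.com", "example.org"]:
        print(f"{candidate:28} {classify(candidate)}")
```

Feed it newly observed domains from certificate-transparency logs or your mail gateway and review the hits by hand; the edit-distance budget is deliberately tight because short brand names collide with ordinary words at distance 2.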

Docker Malware – It's a Thing

Docker containers are the darling of the development world – lightweight and easy to deploy, self-contained, portable across hosts, supported in the cloud – everything that developers want.

Three years after the first Docker malware showed up, it is now common. Malware gangs are now targeting Docker and Kubernetes.

Many of the attacks – surprise – are due to misconfigured Docker hosts, most often the Docker daemon's remote API left listening on the network with no TLS and no authentication, which hands anyone who can reach the port root-equivalent control of the host. It appears that we in IT never learn. Just because tech is delivered slightly differently, the basics still apply.
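To make the misconfiguration concrete, here is an added example (not code from the original post, from ZDNet, Dark Reading or from Docker) that audits a daemon.json for the settings behind most exposed-Docker-host compromises. The weak and hardened configurations are constructed samples, and the certificate paths and the 10.0.0.5 address in the hardened one are assumptions.

```python
"""Audit a Docker daemon.json for the misconfigurations that get hosts
compromised. Added example; not code from the original post or from Docker.
Both sample configurations below are constructed for illustration.
"""
import json

# Constructed sample: the weak setting. A tcp:// listener with no TLS
# client authentication gives anyone who can reach port 2375 root-equivalent
# control of the host (e.g. start a container with / bind-mounted).
WEAK_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "insecure-registries": ["registry.internal:5000"]
}
"""

# Constructed sample: the corrected setting. Remote access only on one
# interface, on the TLS port, with mutual TLS (tlsverify plus the CA that
# issued the client certificates). Address and paths are assumptions.
HARDENED_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "no-new-privileges": true
}
"""

ALL_INTERFACES = ("0.0.0.0", "[::]", "")


def audit_daemon_config(cfg: dict) -> list:
    """Return human-readable findings for a parsed daemon.json; an empty
    list means nothing was flagged."""
    findings = []
    mutual_tls = cfg.get("tlsverify") is True and bool(cfg.get("tlscacert"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        addr = host[len("tcp://"):].rsplit(":", 1)[0]  # strip the port
        if not mutual_tls:
            findings.append(f"{host}: remote API without TLS client authentication")
        if addr in ALL_INTERFACES:
            findings.append(f"{host}: listening on every interface")
    for reg in cfg.get("insecure-registries", []):
        findings.append(f"insecure-registries {reg}: images pulled over plaintext HTTP")
    if cfg.get("no-new-privileges") is not True:
        findings.append("no-new-privileges not set: container processes can gain "
                        "privileges through setuid binaries")
    return findings


def audit_json(text: str) -> list:
    """Convenience wrapper for the raw file contents."""
    return audit_daemon_config(json.loads(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        findings = audit_json(text)
        for line in findings or ["(no findings)"]:
            print("  " + line)
```

Run it against /etc/docker/daemon.json on each host; note that a `-H tcp://...` flag on the dockerd command line has the same effect as the `hosts` key and is easy to miss in a file-only review.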

To make the point, researchers scanned images publicly available on Docker Hub: 51% had critical vulnerabilities and about 6,500 of the images tested could be considered malicious.

You can wait until you are compromised or you can get ahead of the freight train. Credit: ZDNet and Dark Reading

Even Before Dust Settles on Swiss/CIA Deal to Subvert Encryption …. Another One

Even before all of the investigations are complete into the CIA's control of Crypto AG, which sold compromised encryption hardware to both our friends and our enemies so we could spy on them, another story surfaces. Apparently Crypto AG was not the only one. Now the Swiss media is reporting that the CIA controlled another Swiss crypto company, Omnisec. Swiss politicians are going crazy and calling for executions in the public square. Stay tuned, but assume your crypto has been compromised. By someone. Credit: Security Week

Just Because You Can Doesn’t Mean You Should

Amazon quietly (I wonder why – not) added a new feature last year to some Ring and Echo products. Amazon Sidewalk takes a small slice of your Internet bandwidth (Amazon caps it at 80 kbps and 500 MB per month) and lets your Sidewalk-enabled neighbors' devices use it when they are out of range of their own Wi-Fi or their Internet goes down (and vice versa).

What could possibly go wrong. Let’s name a few past Amazon mistakes.

  • Last year Gizmodo was able to map tens of thousands of Ring doorbells using Ring's Neighbors app.
  • Vice and Gizmodo both found instances of hackers breaking into Ring cameras (ultimately leading to a class action lawsuit).
  • Amazon forgot to mention in its privacy policy that humans might listen to your Echo voice recordings.
  • A Portland couple had a private conversation recorded by their Echo and sent to a colleague because the device misheard background speech as a series of commands.

Does this feature intentionally spy on you or steal your bandwidth? NO, not INTENTIONALLY.

You as the consumer have to opt out if you don't want to play, and you have to know how to do that. IT IS ENABLED BY DEFAULT. You turn it off in the Alexa app, under Account Settings, where there is an Amazon Sidewalk switch.

Of course Amazon is scared to death that if even just a few people opt out the whole thing collapses, because it only works if neighbors nearby have it turned on. Amazon says the 900 MHz radio in the bridge devices can reach up to about half a mile, though a Bluetooth-only device will be good for far less than that.

Anyway, if you are concerned and clearly Amazon is not being terribly transparent here, just turn it off if you have one of the Sidewalk enabled devices. Credit: Gizmodo

How Long Does it Take to Recover from Ransomware?

First the wise guy answers: Too Long and It Depends.

Unfortunately, both are true.

For a lot of companies, 30 to 60 days seems to be the average.

Company size doesn't seem to be a factor. We recently worked with a smallish company (fewer than 150 people) and it was 30 days before they were mostly back to semi-normal.

Travelex, the huge foreign currency exchange company, was closed for about 30 days and wound up having to file for the equivalent of bankruptcy.

Today’s story is about the University of Vermont Medical Center.

The attack started during the week of October 25th. The system, which includes hospitals, home health and hospice care and which employs a thousand doctors plus 2,000 other medical staff, had to cancel procedures such as chemotherapy.

The governor even brought in the National Guard's cyber team to help recover (don't you wish you could get that treatment if you had a cyber attack?).

A month later, they are still picking up the pieces.

Just last week they got their electronic medical record system back online and restored their online patient portal. At least medical staff don't have to deal with paper charts any more. Of course, now they have to enter a month's worth of backlogged patient chart data.

There are still other systems to be restored.

While the online patient portal is working again, new patients still cannot sign up. Billing and payments are also still a problem area, not great for cash flow during a pandemic.

Due to the outages, up to 300 employees have either been transferred or furloughed.

Now translate this to your company.

How long would it take you to recover from a complete cyber meltdown?

Do you have the funds to tide you over?

Do you have a plan to be able to continue to perform your key business functions during this time?

Can your IT team deal with the challenges?

If you don’t plan now, it will take longer to recover in the event that the worst does happen. Some companies have just shut down after a ransomware attack. They do not have the resources to recover.

Many companies hope that it won’t happen. Many companies have been wrong about that. Credit: Threatpost

California Privacy Rights, Part 2

The California Privacy Rights Act, CPRA, AKA Prop 24, was approved by voters on November 3rd. This is a continuing story on its potential impact.

Some simple answers first:

When does it go into effect: January 1, 2023.

Who has to comply: That is still murky. There was a $25 million revenue minimum in CCPA and it is still here. It now says that the revenue is measured for the prior calendar year, but it does not say whether that is California revenue or worldwide revenue. Do you feel lucky?

Number of records: That number has doubled from 50,000 to 100,000 consumers or households, but for most companies that is still a small number of visitors to a website. It also now excludes devices from the count, which adds some relief. It is still a small number.

Revenue: CCPA only counts revenue from selling data, but companies like Facebook don’t sell your data – so they tried to claim they were exempt. CPRA says revenue from sharing your data (a new term) is now included in the calculation.

Commonly controlled entities: The new law says that you only have to add numbers together for commonly controlled entities if the entities have common branding and consumers are likely to understand that the entities are the same company.

New data category: sensitive information: Like GDPR in Europe, there is now a category of sensitive information that includes your government ID numbers, financial information, account credentials, precise geolocation data, race and ethnicity, biometric information, health information and sexual orientation. That is a lot of the information that companies collect today.

New right: Limit the use of my sensitive information: A resident can tell a business to use their sensitive information only to perform the function they asked for. This may require a new, special opt-out link.

New right: Correct my information. Somehow CCPA forgot this one. Now residents will have the right to have their information corrected and businesses will need to track these requests.

Opt-out rights expanded: The new law allows not only the right to opt out of sale but also the right to opt out of sharing data for cross-context behavioral advertising, whether money changes hands or not.

Expanded right to deletion: Under the new law, you now have to track everyone you share data with. If someone asks you to delete their data, you have to pass that request on to those third parties so that they delete it too.

Watch for part 3. This law is a bit of a beast. Getting ready now is a good plan.

Credit: The Jones Day law firm