Security News for the Week Ending June 11, 2021

Feds Recover Some of the Colonial Pipeline Ransom

The feds say that they recovered most of the Bitcoin paid as ransom, but because the price of Bitcoin is in a slump, it is only worth about $2 million. The feds say that they acquired the private key to the Bitcoin wallet and transferred 63 Bitcoin out of it. The feds didn’t say how they did that, but the gang that claims to have carried out the attack, DarkSide, said that they lost control of their server (i.e. the hackers were hacked). If that was done by the feds **AND** the private key for the wallet was stored on that server (**STUPID**), that would explain it. The good news is that most crooks’ operational security is horrible. Credit: Bleeping Computer

Colonial Breach Due to Compromised Password, Lack of 2FA

Hackers are not Superman; they tend to use simple attack vectors first. According to Bloomberg, a consultant says that the whole thing went down due to a compromised VPN password that allowed the attacker free rein on the network. On top of that, the account was no longer in use at the time, but was still enabled. Finally, the VPN account did not use MFA. So basic hygiene, MFA or disabling unused accounts, either one of which would likely have avoided the shutdown of the fuel supply to the East Coast. If I were a lawyer, I would be rubbing my hands in glee. If I were Colonial’s insurance company, I might be sending out a notice that I don’t plan to renew the policy. Credit: Bloomberg

Walmart to Give 700,000 Employees a Free Phone and Walmart App

Walmart plans to provide all of their employees a free Samsung phone so that they can keep tabs on them. Walmart has been sued enough times that they understand that the preloaded Walmart employee app will only work when the employee is clocked in. They don’t want hourly employees doing work things when they are off the clock. This is a good thing. Buying 700,000 phones at $500 retail, maybe $300 in that kind of volume, is not cheap, but it appears that they are not providing a voice or data plan. That means that even though they say you can use the phone for personal use, unless you buy your own voice/data plan it is really only going to work while you are in a Walmart store logged into the Walmart WiFi. Walmart says that they won’t spy on you, but that may be easier said than done. For example, they might say that they want to access your contacts so that they can connect you with other employees, but once you give them access to your contacts, they have them. Many employees are saying they would rather Walmart raise their salary instead. Credit: Vice

Biden Revokes Trump EOs Banning AliPay, TikTok, WeChat

A year ago former President Trump issued a series of EOs that were designed to hurt China, but for a variety of reasons, his administration never actually completed the EOs. This week President Biden revoked those failed EOs. The replacement EO does try to address the real problem – protecting the data of Americans. That is a very difficult problem because we really are not addressing the real problem, securing users’ phones and computers. Credit: ZDNet

Another Pipeline Hit By Ransomware – Lost 70 Gig of Data

LineStar Integrity Services was attacked at about the same time as Colonial Pipeline, but they tried to keep the attack quiet. That didn’t work, because the hackers posted the 70 gigs of stolen data online. LineStar does not actually move petroleum; rather it helps those companies remain legally compliant. The data stolen and posted could enable future attacks. Given the rather crappy cybersecurity of the industry, that is likely to happen. Credit: Wired

Executive Order on Cybersecurity, Part 4

Today we are going to talk about a novel part of the executive order – the Cyber Safety Review Board.

It turns out that the act that created the Department of Homeland Security allows DHS to create advisory boards. The EO tells DHS to create an advisory board to review major cybersecurity events. Examples might be the Colonial Pipeline attack, but, in theory, it could be any event. How is this going to work?

The EO says:


The Board shall review and assess, with respect to significant cyber incidents (as defined under Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination) (PPD 41)) affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.

Executive Order on Improving the Nation’s Cybersecurity | The White House

So, the scope would only be for attacks that affect federal computer systems (which is pretty much all major cyber attacks). Significant incidents are defined in PPD 41 as follows:

Significant cyber incident. A cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

So we sort of have the scope of the board reasonably defined.

So when does the Board convene? Whenever the Secretary of Homeland Security says so. There are some caveats, but not anything meaningful. So, an event happens, it affects federal computers and it is deemed significant. That is all that it takes.

Unlike the National Transportation Safety Board, which can take a year or more to create a report, this Board only has 90 days. That is probably a good thing since you want to take action quickly.

The Board’s membership is up to DHS, but in addition to private sector people, it needs to include the FBI, DoJ, CISA and the NSA. It is unclear from the underlying law whether this Board has subpoena power, but it seems to me that this is a critical part of things. That may require legislation. Not sure.

After the Board makes its recommendations to the Secretary of DHS, the Secretary has 30 days to make recommendations to the President.

Assuming this all gets implemented, this will be the first time in US history that we have a semi-independent body reviewing major cyber attacks and providing recommendations to the President. This is a good thing.

Credit:

The Executive Order

PPD 41

The Homeland Security Act of 2002

X-Rated Phishing is up 974% This Year

Attackers have figured out that x-rated phishing attacks are very successful. The number of attacks is up almost by a factor of 10.

In part, it is designed to shock people.

If you open an email or visit a web site and some x-rated content pops up, most people freak out. THAT IS EXACTLY WHAT THE HACKERS WANT YOU TO DO.

Why? Because freaked out people make mistakes and mistakes tend to help the hackers. There you are, you visited what you thought was a benign web page from a search engine and up pops something totally not suitable for work. What do you do? The first thing most people will do is start clicking on stuff to make it go away. Some people will freeze in panic.

THE WHOLE GOAL IS TO GET YOU TO MAKE IRRATIONAL DECISIONS.

Typically these attacks do all of the normal things that hackers do:

  • Download malware
  • Attempt to get you to enter credit card data
  • Track users to follow up with more attacks

I would add one to that list and that is to try and get you to enter credentials.

The hackers will also be able to collect any data that a normal web site can. FOR EXAMPLE, IF YOU ALLOW YOUR BROWSER TO SAVE INFORMATION LIKE EMAIL ADDRESSES, PHYSICAL ADDRESSES OR WORSE YET, PASSWORDS, THE HACKER WILL BE ABLE TO GET ALL OF THAT INFORMATION.

Sorry, but SECURITY **OR** CONVENIENCE, pick just one.

Agari Cyber Intelligence did a test. They put 8,000 fake accounts (ones with no data, but which they owned and which worked) on a phishing site just to see what would happen.

25% of the credentials were tested instantly using automation.

For this test (which may or may not represent the greater Internet), just three families of attacks represented 85% of the attempts. This could mean shared attacks, attacks as a service, that there are just a few attackers or that the sample is not representative.

92% of the accounts were manually breached. 20% were breached in just one hour. 91% were attacked within a week.

While many accounts were only accessed once (which could be due to the attackers not finding anything interesting), many were under persistent attack.

The attackers did things like creating forwarding rules, moving to other applications, attempting to use the accounts to launch other phishing attacks and even using that infrastructure to run other BEC attacks. Credit: Threatpost and KnowBe4

TSA Issues New Pipeline Security Directive

After not doing anything over the last twenty years to protect the cybersecurity of pipelines, the TSA decided they needed to do something – anything – so that they have the appearance of responding to the problem.

If you get the sense that I am not impressed, you are correct.

So what do pipeline operators have to do now?

The first thing, which I suspect that operators are not thrilled about, is that they now have to report both confirmed and POTENTIAL cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

One requirement that probably won’t be too painful is that they are required to designate a cybersecurity coordinator and that person needs to be available 24/7.

They also have to review their current security practices and report risks, gaps and remediation measures to the TSA and CISA within 30 days. What makes this a bit toothless is that there is no guidance on how to conduct this risk assessment.

The Secretary of Homeland Security, Alejandro N. Mayorkas, said that DHS will continue to work closely with its private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.

I would rather they treat these organizations like the businesses that they are regulating and hold them accountable for their horrible security (reminder: the auditor of an audit that Colonial paid for a few years ago said their security was so bad that an 8th grader could hack them). Partners are cozy. Way too cozy. Credit: Bleeping Computer

Nothing in this order requires them to fix any issues, fix them in a particular amount of time or adhere to any standards. Even the electric industry has standards. Credit: Metacurity

While this is designed to give the appearance that the government is doing something, that something is, in reality, not very much.

Security News for the Week Ending June 4, 2021

Freaking Ooops: US Nuke Bunker Security Secrets On Public ‘Net Since 2013

Details of some US nuclear missile bunkers in Europe, including secret duress codewords, have been exposed publicly on the Internet. Journalists discovered it by using simple search queries. The information was on training flashcards, which should not have been public. It includes “intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the identifiers that a restricted area badge needs to have”. The information has now been deleted. It had been exposed since 2013. Good job, folks! Credit: The Register

If You Can’t Spy Yourself, Ask Your Friends for Help

It takes a village – even if that is a village of spies. The NSA got help from Denmark in spying on top politicians and other high ranking officials in Germany, Sweden, Norway and France. They did this by asking the Danes to let them tap into an underwater fiber optic cable in 2012. Targets included Angela Merkel. Generally, politicians’ cyber hygiene habits are really poor, so the NSA probably found a lot of unencrypted data. Credit: The Hacker News

Watch Your Words When Discussing Breaches

If your company is in the unfortunate situation of dealing with a cyber breach, the lawyers say watch what you say in emails or Slack or similar channels because it can come back to bite the company later. If you say to a coworker “oh, yeah, we knew about that bug for months” and the bug wasn’t fixed and that contributed to the breach, well, you can see that could be a problem for the company. Obviously, it goes without saying that social media is definitely off limits for that kind of conversation. Unless you don’t like your job or the company. Read details in SC Magazine.

ARIN Plans to Take Down Part of the Internet – This is Just a Test

ARIN, the regional Internet registry for North America, plans to take down its RPKI infrastructure some time in July, without notice, just to see what breaks. In theory, if RPKI is implemented correctly (i.e. routers treat a missing validation result as “unknown” rather than “invalid”), the fact that this goes down should be a big yawn. We shall see. Credit: Bleeping Computer

FBI and DoJ to Treat Ransomware Like Terrorism

Since ransomware *IS* terrorism, it is nice to hear that the DoJ is going to treat it as such. Unlike the last administration, this time the FBI took direct aim at Russia as the culprit in a lot of the ransomware attacks. The US Attorney’s offices in every state have been directed to investigate ransomware attacks the same way that they treat other forms of terrorism. While they don’t have the resources to investigate every ransomware attack, any big attack or one that hits a critical industry will be handled just like a terrorist bombing. While this won’t fix the problem, more attention is good. Credit: ZDNet

Cybersecurity Application Questions

When you renew or try to obtain cyber insurance, the questions have historically been pretty lame. But, in the face of large losses, insurance companies are STARTING to get serious. Here is a report from one company on what their insurance company asked at renewal time. This is from an actual application.

How would you answer these questions?

Do you perform regular backups and store them in a secure off-site location? Note the second part. Ransomers are targeting backups, if they can get to them.

Do you limit remote access to all computer systems by using two-factor authentication? Ignore, for the moment, that these folks can’t construct a well-formed English sentence; they want to know whether you REQUIRE two-factor authentication for ALL remote access.

How many PII records are held on your network? Note they are not asking how many are created each year, but how many are stored. Getting rid of old data reduces this number.

Do you provide periodic anti-fraud training to all employees? Everyone should be doing this, but are you? Lying on an application is likely grounds for not paying when there is a claim.

Are processes in place to request changes to bank account details including account numbers, telephone numbers or contact details? Unfortunately, this may be up to your bank, but you should find out what is available. Or, if this really awkward question means how you authenticate your customers when they want to change their bank account, the task is yours to deal with.

Are you using Office 365? Huge attack surface – enough said.

Can users access email through a web application on a non-corporate device? Start with your phone.

Do you STRICTLY enforce SPF on incoming email? Maybe 1% of companies do this because, they say, they might miss an email from a customer, so it is better to let all those phishing emails in.

Are your backups encrypted AND kept separate from your network, whether offline or with a specialist cloud service? Again, they are asking whether a hacker can wipe your backups before encrypting your systems.

Do you use endpoint protection in the network? What brand? What steps are you taking to protect your systems?

How long does it take to install critical high severity patches? Remember, it only takes hackers hours to weaponize them.

Do you have a SOC (Security Operations Center)? Most do not.

What steps are you taking to detect and prevent ransomware? It is costing the insurance company billions, so it is a reasonable question.

Some of the other questions include:

  • Have you implemented a hardened baseline configuration across servers, laptops, desktops, and managed mobile devices?
  • How do you implement local administrator rights?
  • Do you provide users with a password manager software?
  • Are end-of-life or out-of-support hardware and systems segregated from the rest of the network?

You probably have a good idea what the right answer is. If you need help getting there, contact us.

Credit: CSO Online