Category Archives: Breach

Trump Organization Hacked 4 Years Ago (And Didn’t Know It)

Reports are coming out that the Trump organization suffered a hack, Bigly, as the President would say, around four years ago and, we assume, did not know about it until a week ago.  The only alternative explanation is that they did know about and chose to let the hacker stay inside their network for four years.  Either explanation is problematic.

What happened?  The heart of any Internet based corporate world is DNS or the Domain Name System.   DNS is where you define every web site in the organization and all of the parameters of those sites.  If a hacker controls your DNS he or she can shut down access to your web servers or point them to a different place (such as to porn sites as we have seen in the past).

Apparently, based on reports shown to the media, hackers took over the Trump organization’s DNS and added hundreds of sub-domains under a variety of Trump domains.

These roughly 250 sub-domains were all hosted in Russia.  The Mother Jones article below provides a link to a list of those domains.

These domains were pointing to one of 17 IP addresses owned by the Petersburg Internet Network, known for hosting a lot of cyber criminals.

Two weeks ago a researcher came to Mother Jones with this information;  The anti virus firm Kaspersky (who has been in the news lately) said that many of those sub-domains were, in fact, serving up malware.  Last week a researcher tweeted about it.

Trump said that the domains were not CURRENTLY serving up malware (which appears to be true) and they have no association with those sub domains.  If that is true, then the only reasonable explanation is that they were hacked and didn’t know it.

I am sure there will be more about this in the news.

Information for this post came from Mother Jones.

Facebooktwitterredditlinkedinmailby feather

Trouble in Paradise

A couple of weeks ago I wrote about yet another breach at a law firm.  This time the firm was Appleby, a law firm based in Bermuda and home to the rich and famous – especially those that are looking for tax shelters and the similar.  Most of these tax shelters are legal but the optics of using them are terrible.  For many of the rich and famous, they don’t want the NOT rich and famous to know what they are doing.

So imagine what happens to a law firm (or any firm) that caters to those people who is hacked and threatened with disclosure.  They likely have some unhappy soon-to-be-ex-clients.

Well at least some of the 13 million plus hacked documents are now public and it paints an unflattering picture.  Likely legal, but very unflattering.

The hack is being called the Paradise Papers.  In sheer size, it is the number two breach, only surpassed by the Panama papers hack in 2016, which revealed 2.6 terabytes of data.  The Paradise Papers hack revealed 1.4 terabytes of data.

Among what was disclosed is:

  • Millions of Pounds from the Queen of England’s private estate has been invested in a Cayman Islands fund which makes questionable investments.
  • Extensive offshore dealings by Donald Trump’s cabinet members, advisors and donors, including substantial payments from a firm co-owned by Vladimir Putin’s son-in-law to the shipping group of US commerce secretary Wilbur Ross.
  • How Twitter and Facebook received hundreds of millions of dollars in investment that can be traced back to Russia.
  • The tax avoiding Cayman Islands Trust managed by the Canadian Prime Minister Justin Trudeau’s chief moneyman.
  • A previously unknown $450m offshore trust that has sheltered the wealth of Lord Ashcroft.
  • Aggressive tax avoidance by companies like Nike and Apple.

And on and on.

As I said, I assume that most of this is legal, but as people like President Trump and Prime Minister Theresa May have been talking about closing tax loopholes, the optics of this could not happen at a worse time.

According to reports, this does not appear to be state sponsored; just a hacker out to do a little “social justice”.

The message is that any business that stores sensitive information (and apparently the information stolen goes back 70 years) probably ought to look at how you are protecting it and improve that security – unless you want to be the next P papers – Pentagon Papers, Panama Papers, Paradise Papers ……..

I assume that there will be a large exodus of clients from this firm.

Information for this post came from The Guardian.

 

Facebooktwitterredditlinkedinmailby feather

The Cost of Cyber Breaches

Earlier this week Merck said that the NotPetya is going to cost them and the numbers are staggering.

In last Friday’s earnings call Merck said that NotPetya has impacted third quarter results to the tune of around $300 million.  That includes $135 million in lost sales and $175 million in costs.

But that is not all.  They also said that they anticipate a similar impact to revenue and costs in the fourth quarter.

That means in just this year alone, it could cost Merck $600 million plus. It is likely that the costs will not end with the turning of the calendar page to January.

Also likely is that they have cyber insurance, but that might pay $100 million and could be a whole lot less than that.  That could leave Merck with having to write a check for a half billion dollars. Or more!

Moving on to the Wannacry attack, The Guardian is reporting that hackers moved 108,000 British Pounds out of a few Bitcoin wallets that people paid ransoms into.  Note that this is not what it cost people to deal with Wannacry, but rather what they paid the attackers.

Since Bitcoin is not anonymous (in fact it is anything but, which is why, months later, we know exactly each and every withdrawal from the Bitcoin wallet virtually instantly), the police are tracking those transactions and may be able to figure out who is moving the money.

As the British Health Services (NHS) are doing an after attack review from Wannacry, the story that is coming out is that they could have avoided the attack if they had implemented basic cyber security practices.

As far back as 2014 the Department of Health and the Cabinet told NHS that they needed a robust plan to migrate away from old software (like Windows XP) and in March and April 2017 (a month or two before the attack) NHS Digital issued a critical alert for NHS organizations to install the patches needed to stop Wannacry in its tracks.  Those patches were not installed.  NHS blamed cost cutting measures from reducing resources needed to manage their systems.

NHS Digital had conducted on site assessments of 88 out of 236 of the health trusts in England.

NONE PASSED.

But NHS Digital has no enforcement powers to make anybody fix the problems.

Bottom line is that these attacks can be tremendously costly and in many cases, simple measures would have mitigated the attacks, possibly completely.

Information for this post came from Tech Republic, The Guardian  and another Guardian article.

Facebooktwitterredditlinkedinmailby feather

The Dangers of Removable Storage

Does your organization allow thumb drives?  Do you use them at home?  What do you store on them?  What follows could be called nightmare on Main Street.

Queen Elizabeth from Airport Technology

A private citizen found a thumb drive (AKA flash drive or memory stick) and did what any smart cyber security aware person would do.  He took it to the library and plugged it into their computer.  After all, if it was infected, you wouldn’t want to infect your own computer, would you?

What he did find was an interesting surprise.

About 70 folders with about 175 files, including:

  • The exact route the Queen uses to get to Heathrow and the security measures to protect her.
  • Specific types of IDs needed to get into restricted areas at the airport.  Including those used by undercover police.
  • The location of closed circuit TV cameras at the airport.
  • Routes and safeguards for cabinet ministers.
  • Details of the security system used to protect the perimeter of the airport.
  • And other security related information

Of course the flash drive was unencrypted, not password protected and not secured in any way.

What happened next is what you would hope the average, security conscious citizen would do – he shared it with the international newspaper in town.  After all, if he took it to the police, it might get swept under the rug.

The next step is also pretty obvious – the excrement hit the rotating air movement device (AKA the Sh*t hit the fan).

Police are worried that this data was copied and shared on the dark web.  Certainly possible.  If it has, the cat is out of the bag and not possible to rebag the cat.

The man who found it was an unemployed person who found it in Queens Park, West London.  Not exactly the source material for the next Mission Impossible movie.

Insiders said that the DISCLOSURE of finding the flash drive started a “very, very urgent” investigation.  I am not sure whether that is because Heathrow security was publicly embarrassed or something else.

A spokesman for the airport said “Heathrow’s top priority is the safety and security of our passengers and colleagues”.  Also a priority – stop placing extremely sensitive documents on unencrypted memory sticks an losing them outside.  Oh, wait, they didn’t say that last part.

They also said that they “have reviewed all of our security plans and are confident that Heathrow remains secure …”.  I am not sure what else they might say.

Hopefully, behind the scenes they are making changes – like changes to the Queen’s route to the airport.  And training people.  And locking down computers.  Among other things.

For your company, could an employee plug a flash drive into a computer and download sensitive information to it?  And then lose it on a street corner.  To be found by a homeless person.  PROBABLY!

Information for this post came from The Mirror and The Standard.

 

Facebooktwitterredditlinkedinmailby feather

Another International Law Firm Hacked

You might think that after the Panama Papers breach in which the law firm of Mossack Fonseca was hacked and 11 million documents exposed – including ones that forced the prime minister of Iceland to resign and the prime minister of Pakistan to be removed from office – that law firms around the world would have stepped up their cyber security efforts.

I am sure that some have improved their security while others have made minor efforts to improve it, but it is not working.  Until clients of these same law firms start conducting frequent cyber security audits of those firms, it is unlikely that significant changes will be made in the industry.

Remember that security and convenience oppose each other and security costs money.  If their clients are not demanding that they spend money on security, they likely will spend that money elsewhere.

So what is this week’s news?

The Bermuda based law firm Appleby, with 10 offices around the world and around 470 staffers admitted this week that they had been hacked.   The hack, they said, occurred last year.  That hack was not disclosed at the time and legally they were probably not required to do so. The only reason they are talking about it now is that the international investigative journalist group ICIJ was given at least some of the documents and has been pouring through them and asking embarrassing questions.

Apparently, clients of the firm include the rich and the famous, especially in Britain, possibly including some Royals.  While the firm says that try to do things lawfully, “no one is perfect”.  Whether what the two prime ministers who were exposed in the Panama Papers breach were doing things legally or not, the court of public opinion didn’t think what they were doing was appropriate.

When members of the rich and the famous get exposed doing things that may be legal or may be shady or may be perceived as illegal by the masses, that is not good for their public image.

The apparent threat that these documents are now going to be published probably scared the poop out some of the firm’s clients, which forced them to admit the breach.

This brings us to an important point.  In the United States (and the firm has no offices in the U.S.; their offices are mostly in tax havens), companies that are hacked are required to disclose that fact ONLY UNDER SOME, LIMITED, CIRCUMSTANCES.  If personally identifiable health care information is breached, if payment card information is breached and if non-public personal information as defined in the various state’s laws is breached, for example – then, assuming the data wasn’t encrypted, etc. etc. – the companies have to fess up to the breach.

If, however, if the breach did not expose that kind of information  – say it exposed your company’s not yet filed patent applications or information regarding a merger or information regarding an off-shore business transaction – then maybe that information does not have to be disclosed – either publicly or even to the client.

For U.S. based law firms, the American Bar Association has created model ethics clauses for states to adopt – some have been adopted and  others not – that says that attorneys should try to protect client information, but the wording is a bit loose.

As a client of a law firm, your CONTRACT with that firm can certainly be a tight as the two parties agree for it to be (assuming the terms are legal, of course).  You, as a client of a law firm, for example, can say that if you want me as a customer then if you suffer a breach and my information is exposed, then you must notify me within, say 72 hours.  That would put the onus on the law firm.  For small clients that is a difficult issue to force.  For larger clients, it is less difficult.  That doesn’t mean that lawyers, as good negotiators, won’t try to make the terms more favorable to them and you can’t blame them for wanting to do that.  Still, you have a say in the matter and you can always choose to find another firm.  There are lots of law firms in the country.

While there are probably thousands of clients of the Appleby law firm that are currently holding their breath, this, along with the multiple other law firms that have been hacked, should act as a wake-up call to clients to push their law firms to improve security.

I would think that most reputable law firms REALLY don’t want to have their client’s information compromised, independent of ethics rules or client contracts, but security is both inconvenient and expensive.

However, so is being hacked,  as is having your name dragged through the mud and losing clients.

Since many of the largest breaches in the U.S. are the result of vendors being hacked (think Target or Office of Personnel Management, for example), we work with clients to create a vendor cyber risk management program to tighten up the parameters of their vendor contracts and cyber security programs.

Stay tuned; there is likely to be more fallout from this breach.

Information for this post came from The Register.

Facebooktwitterredditlinkedinmailby feather

CrySiS Ransomware Targets Open RDP Servers

The FBI released an alert this week about malware called CrySiS that attacks public facing servers that have RDP enabled.

RDP or Remote Desktop Protocol is an old Microsoft protocol that was designed to allow IT people to remotely control a Windows machine (server or desktop) to perform maintenance.  The protocol is old – it was first released with Windows NT in 1996  – and has been upgraded many times.  There are also many non-Microsoft versions of the client such as a Unix and a Mac version.

However, RDP was designed in pre-Internet days and while Microsoft continues to button up the security of RDP, hackers continue to attack it.

The CrySiS ransomware finds servers facing the Internet which have RDP enabled and attacks them.  Businesses that have been infected with CrySiS include small businesses, churches, medical facilities, law firms and local governments.

Assuming that the attackers are successful, CrySiS operates like many ransomware attacks – they encrypt your files and demand money, in cryptocurrency, to get your files decrypted.

They breach RDP using dictionary attacks, brute force or stolen credentials obtained in other ways.

Our recommendation is that businesses NEVER expose the RDP protocol to the public Internet.  If you need to remotely manage a server where the only access is via the Internet, we recommend that you connect to that remote network via a VPN.  This will put you on a private network that is not visible to the Internet.  From this private network it is safe to RDP into the server to remotely manage it.

Information for this post came from a private FBI alert.  This alert can be provided to clients on request.

 

Facebooktwitterredditlinkedinmailby feather