
Security News for the Week Ending June 11, 2021

Feds Recover Some of the Colonial Pipeline Ransom

The feds say they recovered most of the Bitcoin paid as ransom, but because the price of Bitcoin is in a slump, it is only worth about $2 million. They say they acquired the private key to the Bitcoin wallet and transferred about 63 Bitcoin out of it. The feds didn’t say how they got the key, but DarkSide, the gang that claims to have carried out the attack, said that it lost control of its server (i.e. the hackers were hacked). If the feds were behind that **AND** the wallet’s private key was stored on that server (**STUPID**), that would explain it. The good news is that most crooks’ operational security is horrible. Credit: Bleeping Computer

Colonial Breach Due to Compromised Password, Lack of 2FA

Hackers are not Superman; they tend to try simple attack vectors first. According to Bloomberg, a consultant says the whole thing went down because of a compromised VPN password that gave the attacker free rein of the network. On top of that, the account was no longer in use at the time but was still enabled. Finally, the VPN account did not use MFA. So basic hygiene – MFA or disabling unused accounts, either one – would likely have avoided the shutdown of the fuel supply to the East Coast. If I were a lawyer, I would be rubbing my hands in glee. If I were Colonial’s insurance company, I might be sending out a notice that I don’t plan to renew the policy. Credit: Bloomberg
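Those two hygiene failures are easy to check for if you have an export of your VPN or directory accounts. The script below is an added example, not code from the original post or from anything Colonial or Bloomberg published: it reads a small CSV export (the column names, the four sample records and the audit date are all assumptions constructed for the illustration), flags every enabled account that has been dormant for more than 90 days, and flags every enabled account with no MFA enrolled. Disabled accounts are deliberately skipped, since they are not usable by an attacker, and an account that has never logged in is judged by its creation date.

```python
"""Stale-account and MFA hygiene check.

Added example, not code from the original post.  It takes a simple CSV export
of VPN or directory accounts and flags the two conditions the Colonial story
turned on: an enabled account nobody has used for a long time, and an enabled
account that can log in with a password alone.  The column names, the sample
records and the audit date are all assumptions made up for this illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# Constructed export. An empty last_login means the account has never logged in.
EXPORT_CSV = """\
username,enabled,mfa_enrolled,last_login,created
jsmith,true,true,2021-06-01T14:02:00Z,2018-03-12T09:00:00Z
contractor_old,true,false,2020-11-20T08:15:00Z,2017-07-01T09:00:00Z
svc_backup,true,false,,2019-01-15T09:00:00Z
mlee,false,false,2019-05-02T11:30:00Z,2016-02-01T09:00:00Z
"""

# Assumed audit time (the week of the post).
NOW = datetime(2021, 6, 11, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[datetime]  # None when the account has never been used
    created: datetime


def _parse_ts(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_export(text: str) -> List[Account]:
    """Turn the CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        created = _parse_ts(row["created"])
        if created is None:
            raise ValueError(f"{row['username']}: missing creation date")
        accounts.append(Account(
            username=row["username"],
            enabled=row["enabled"].strip().lower() == "true",
            mfa_enrolled=row["mfa_enrolled"].strip().lower() == "true",
            last_login=_parse_ts(row["last_login"]),
            created=created,
        ))
    return accounts


def audit_accounts(accounts: Iterable[Account], now: datetime,
                   dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that need action.

    Disabled accounts are skipped: an attacker cannot log in with them, so
    they are not a finding here even though they should eventually be deleted.
    A never-used account is judged by its creation date instead of last login.
    """
    cutoff = now - timedelta(days=dormant_days)
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        last_activity = acct.last_login or acct.created
        if last_activity < cutoff:
            idle = (now - last_activity).days
            findings.append((acct.username,
                             f"dormant for {idle} days but still enabled; disable or delete"))
        if not acct.mfa_enrolled:
            findings.append((acct.username,
                             "no MFA enrolled; block VPN login until MFA is enforced"))
    return findings


def run_audit() -> List[Tuple[str, str]]:
    """Run the check over the constructed export at the assumed audit time."""
    return audit_accounts(parse_export(EXPORT_CSV), NOW)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user}: {finding}")
```

On the constructed export, `jsmith` is clean, `mlee` is ignored because the account is disabled, and both `contractor_old` (unused since November) and the never-used `svc_backup` service account are flagged twice, once for dormancy and once for missing MFA. Pointing `parse_export` at a real export is a matter of mapping your directory’s column names onto the assumed ones.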

Walmart to Give 700,000 Employees a Free Phone and Walmart App

Walmart plans to give 700,000 employees a free Samsung phone so that it can keep tabs on them. Walmart has been sued enough times to know better, so the preloaded Walmart employee app will only work while the employee is clocked in: they don’t want hourly employees doing work things when they are off the clock. That is a good thing. Buying 700,000 phones at $500 retail, maybe $300 in that kind of volume, is not cheap, but it appears that Walmart is not providing a voice or data plan. So even though they say you can use the phone for personal use, unless you buy your own voice/data plan it is really only going to work while you are in a Walmart store logged into the Walmart WiFi. Walmart says it won’t spy on you, but that may be easier said than done. For example, the app might ask for access to your contacts so it can connect you with other employees, but once you grant access to your contacts, Walmart has them. Many employees are saying they would rather Walmart raise their pay instead. Credit: Vice

Biden Revokes Trump EOs Banning AliPay, TikTok, WeChat

A year ago former President Trump issued a series of EOs that were designed to hurt China, but for a variety of reasons his administration never actually carried them out. This week President Biden revoked those failed EOs. The replacement EO does try to address the underlying problem, protecting the data of Americans. That is a very difficult problem, and we still are not addressing the root of it: securing users’ phones and computers. Credit: ZDNet

Another Pipeline Hit By Ransomware – Lost 70 Gig of Data

LineStar Integrity Services was attacked at about the same time as Colonial Pipeline, but tried to keep the attack quiet. That didn’t work, because the hackers posted the roughly 70 gigabytes of stolen data online. LineStar does not actually move petroleum products; it helps pipeline companies stay in regulatory compliance. The data stolen and posted could enable future attacks on those companies. Given the rather crappy cybersecurity of the industry, that is likely to happen. Credit: Wired

Colonial Pipeline – the Saga and the Fallout

The saga of the Colonial Pipeline hack continues. Colonial says that there is fuel flowing through the pipeline again but it will take time to get all of the tributary lines operational.

But more importantly, many sources are reporting that Colonial paid $5 million in cryptocurrency to the Russian hackers on Friday, contradicting earlier reports that the company did not plan to pay the ransom. It is being reported that they paid almost immediately. Even though Treasury has said that paying a ransom to a sanctioned party violates OFAC rules and could land you in jail for 20 years, in this case the government apparently knew about the payment and, well, we don’t know what the conversation was. My guess is they said, oh, in the case of critical infrastructure, the law doesn’t actually apply.

Next, it is being reported that the decryption tool was so slow that Colonial is restoring from backups in parallel with decrypting their servers.

The White House gave a “no comment” on whether they knew about the ransom, which, in political talk, of course means “of course we knew.”

One pundit pointed out that if the lack of security had been going on for years, paying the ransom was way cheaper than actually protecting the network.

Credit: Bloomberg

Next comes some more bad news for Colonial. Three years ago Colonial hired an outside auditor. The auditor said that they found “atrocious” information management practices and “a patchwork of poorly connected and secured systems.”

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

In response, the company said that it had hired four independent firms and increased its security spending by 50%, whatever that means. They said they have spent tens of millions of dollars. So, for one of the largest pipeline operators in the country, at the low end that could mean $10 million over 4 years, or $2.5 million a year. Hmm. We don’t know, but it doesn’t seem impressive.

On the other hand, this is likely wonderful ammunition for the plaintiffs’ attorneys.

Credit: The Washington Post

Finally, likely in response to this mess, the White House released its much-talked-about and long-awaited cybersecurity executive order. Think of an EO as an inter-departmental memo: all the President can do is change how the executive branch operates, including how it deals with vendors. On the other hand, the executive branch spends tens of billions of dollars a year with those vendors, so if a company wants to keep doing business with the government, it will have to follow the EO’s procurement rules. And vendors likely cannot maintain two sets of rules, one for government sales and one for commercial sales.

Here are some of the things that the EO covers:

  1. Removes contractual barriers to information sharing between the government and IT providers, and requires providers to share breach information.
  2. Moves the government toward secure cloud services, zero trust architecture and multifactor authentication.
  3. Makes a baseline security standard a requirement for software sold to the government and requires developers to make security information public.
  4. Establishes a Cybersecurity Safety Review Board that will operate like the NTSB after a plane crash (Colonial definitely fits into that category).
  5. Creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies.
  6. Creates standards for endpoint detection and response on government systems, to improve both incident detection and incident response.
  7. Creates a standard requirement for agency security event logs to better analyze incidents.

There is lots more (the EO runs over 30 pages; many EOs are 1-2 pages). Commerce (NIST) gets to write the standard in #3, and apparently it even requires an SBOM – a Software Bill of Materials – listing the components in each software product sold to the government.
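For readers who have not met the term, an SBOM is just a machine-readable inventory of what is inside a piece of software, and its value is in what the purchaser can do with it. The example below is added here and is not from the post, from the EO, or from any real vendor: it assembles a minimal CycloneDX-style JSON document for an imaginary application and then runs the check a buyer would run, matching every listed component against a table of known-bad version ranges. The application name, the component names, the advisory table and the advisory IDs are all constructed for the illustration and refer to no real software or real vulnerabilities; the version comparison is a simplification that handles dotted numeric versions only.

```python
"""Minimal SBOM and the check a purchaser runs against it.

Added example, not from the post or from the executive order.  It builds a
CycloneDX-style JSON SBOM for an imaginary application and then matches each
listed component against a table of known-bad version ranges.  The application,
its components, the advisory table and the advisory IDs are all constructed for
this illustration; none refers to real software or real vulnerabilities.
"""
import json
from typing import Dict, List, Tuple

# Constructed dependency list as a build tool might report it: (name, version).
COMPONENTS: List[Tuple[str, str]] = [
    ("acme-parser", "1.2.3"),
    ("acme-net", "0.9.0"),
    ("acme-log", "3.1.0"),
]

# Constructed advisory table: (advisory id, package, first vulnerable, first fixed).
# A version is affected when first_vulnerable <= version < first_fixed.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("EX-ADV-1", "acme-parser", "1.0.0", "1.2.5"),  # 1.2.3 falls inside the range
    ("EX-ADV-2", "acme-net", "1.0.0", "1.0.4"),     # 0.9.0 predates the bug
    ("EX-ADV-3", "acme-log", "3.0.0", "3.1.0"),     # 3.1.0 is the fixed release
]


def build_sbom(app_name: str, app_version: str,
               components: List[Tuple[str, str]]) -> Dict:
    """Assemble a minimal CycloneDX 1.4 document as a Python dict."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                # Package URL; 'generic' because these made-up packages have no ecosystem.
                "purl": f"pkg:generic/{name}@{version}",
            }
            for name, version in components
        ],
    }


def sbom_to_json(sbom: Dict) -> str:
    """Serialize the SBOM the way it would be shipped alongside the product."""
    return json.dumps(sbom, indent=2, sort_keys=True)


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real tooling needs full semver/PEP 440 handling."""
    return tuple(int(part) for part in version.split("."))


def affected_components(sbom: Dict,
                        advisories: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every component inside a bad range."""
    hits = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for adv_id, pkg, first_bad, first_fixed in advisories:
            if pkg != comp["name"]:
                continue
            if parse_version(first_bad) <= ver < parse_version(first_fixed):
                hits.append((comp["name"], comp["version"], adv_id))
    return hits


def check_shipped_sbom(sbom_json: str) -> List[Tuple[str, str, str]]:
    """What the purchaser does: load the JSON it was given and run the match."""
    return affected_components(json.loads(sbom_json), ADVISORIES)


if __name__ == "__main__":
    doc = sbom_to_json(build_sbom("acme-app", "4.2.0", COMPONENTS))
    print(doc)
    for name, version, adv in check_shipped_sbom(doc):
        print(f"{name} {version} affected by {adv}")
```

Only `acme-parser 1.2.3` is reported: `acme-net` is older than the affected range and `acme-log 3.1.0` sits exactly on the fixed version, which is why the range check is half-open. That half-open boundary is the detail most often got wrong in home-grown SBOM checkers, and it is the reason the point of an SBOM is not the document itself but the matching a buyer can do against it the day a new advisory lands.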

The devil is in the details, but this is only about 25 years overdue.

More to come on the EO, but this is turning into a PR nightmare for Colonial. I am guessing the vultures, err, lawyers, have already started circling over the carcass.