
Security News bites for the Week Ending March 15, 2019

Jackson County Pays $400,000 in Ransomware

Following a ransomware attack on March 1st, 2019, Jackson County, Georgia decided to pay hackers a ransom of $400,000.

The county population is 67,000 according to Google.  It is not clear whether hackers are explicitly targeting these small municipalities, but they may well be.  After all, small municipalities likely have poor cybersecurity practices and are likely to be willing to pay exorbitant ransoms in order to restore public services.

After the attack, the county said that they decided to pay the ransom because they thought, given their shoddy security practices, it would take them months and cost them even more to rebuild their systems.

Who gets to pay the price of their poor security practices, unfortunately, are the county residents.  The county budget for 2017 was about $40 million, so a $400k hit represents about one percent of the total annual county budget.  There is no indication that the county had any insurance.  In addition to the actual ransom, the county hired a consultant, had downtime and is in the process of recovering from the outage.  Hopefully, the county will institute better security practices now that the horse is out of the barn, costing residents even more money.

This same ransomware, Ryuk, was used in the recent newspaper attacks, but other than delaying the printing of several newspapers like the NY Times by a few hours, the impact was minimal – likely due to better cybersecurity practices in the private sector than the public sector.

There are at least 10,000 municipalities across the country, and the vast majority of them are small and have no cybersecurity expertise, so, to the hackers, this is a bit like shooting fish in a barrel — expect more attacks and millions in ransom paid.  Source: Bleeping Computer.


Consider Security Basics

Journalists were able to waltz into an undersea fiber optic cable landing station in the UK because engineers forgot to close or lock the gate to the fiber hut.

For terrorists, that would be a wonderful way to destroy a very high speed Internet link.

As is often the case, even though there were surveillance cameras at the building, no one came to question the reporters as to why they were there.

So, locking the doors and monitoring the surveillance cameras might be a “basic” security measure.   Source: The Register.

Google Now Allows You to Disable Insecure Two-Factor Authentication Methods

Two-factor authentication is a great way to improve security but nothing is perfect.  There are many methods of two-factor authentication, including a phone call and a text message.

Now Google will allow Corporate G-Suite administrators to disable less secure two-factor methods if they choose to (a feature that Microsoft Office has had for a long time, so Google is playing a bit of catch-up).

If you want to force users to use either the Google Authenticator app or a YubiKey as the only approved second factor, you can do that.  MUCH – repeat MUCH – more secure.  Source: Bleeping Computer.


App 63red Security Lacking;  Developer Threatens Messenger

63red, an app that was developed by conservative news site 63Red Safe, is supposed to provide a directory of places that are safe to do things like wear your MAGA hat without being harassed.

Soon after it was released, a French security researcher discovered that the security of the app was less than perfect.  Inside the code of the app the researcher found the developer’s email, password and username in plain text.  Also, the app’s API had no security at all, and there were other security issues.

Developers react differently to being told their app is not secure.  In this case the developer reported that there was no breach, no data was changed, and a minor problem was fixed.  The first two statements are accurate but misleading.  He called it a politically motivated attack.

The developer called the FBI on the researcher, claiming he hacked them, when in fact all he did was look at the source code and then use what was in the code to test the security.  Theoretically, that could be considered exceeding your permissions under the Computer Fraud and Abuse Act, but there are specific exceptions for security research.

The app has now been removed from the app store, apparently due to security issues.

If you are going to fire back at a security researcher, you probably need to make sure that you are on solid ground.  Sources:  The Daily Beast and Ars Technica.

Multi Factor Authentication – Not Perfect

Hackers have figured out how to attack Office 365 and Google G-Suite accounts protected by Multi Factor Authentication (MFA).

No, this is not a bug in some software, and no, it is not a hyper-sophisticated attack.

In fact, it is very old school.

First, as best I understand, it is a limited attack, so it is not a full compromise.

It is a perfect example of security vs. convenience.

OK, I will end the suspense.

Both Microsoft and Google support IMAP for email.  IMAP doesn’t support multi-factor authentication.

The bad guys use password spray attacks against millions of accounts from a large number of compromised machines.

If they get in, they use that compromised email account as a landing spot to launch attacks against other users in the same organization since they are now (pretending to be) a trusted insider.

If the company has enabled geo-fencing then the attackers might be able to use a proxy or VPN to get inside the fence, but that is more time and more work.

So does that mean that MFA is useless?

Actually not at all.

First of all, if you can, disable all legacy insecure protocols (protocols that do not support MFA).

Next, if you can, enable geo-fencing.  This will make things harder for the bad guys.

For systems that support it, enable improbable login.  This will detect logins that don’t make sense, even if they are inside the geo-fence.

Enable maximum logging and alerting.  Again we are trying to make it hard for the bad guys so they will go somewhere else.

While none of this is perfect, not having MFA enabled definitely makes life easier for the hacker.  Make it harder and unless you are a specific target, the hacker will move on.
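The three detection ideas in the steps above (legacy-protocol logins, password spraying, improbable logins) can be expressed as a few lines of log analysis.  The following is an added example, not code from the original post or from Proofpoint, Microsoft or Google.  It assumes a made-up CSV sign-in log with the columns timestamp, user, src_ip, protocol, result and country; the sample lines, the thresholds and the protocol names are all constructed for illustration and would be replaced by your own tenant’s export and tuning.

```python
"""
Added example (not from the original post): three simple detections over a
constructed sign-in log, matching the mitigations discussed above.
  1. successful sign-ins over legacy protocols that cannot enforce MFA
  2. password spraying: one source trying many distinct accounts in a short window
  3. improbable logins: one account seen in two countries too close together
Log format (constructed for this example):
  timestamp,user,src_ip,protocol,result,country
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Protocol names are assumed labels, not a vendor's field values.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP_AUTH"}
SPRAY_MIN_USERS = 5          # distinct accounts from one IP inside the window
SPRAY_WINDOW_SECONDS = 600   # 10 minutes
IMPROBABLE_SECONDS = 3600    # two countries for one user within an hour

# Constructed sample log: a spray from one address over IMAP that finally
# succeeds against "frank", followed by frank's real web login from the US.
SAMPLE_LOG = """\
timestamp,user,src_ip,protocol,result,country
2019-03-11T02:00:01Z,alice,198.51.100.7,IMAP,FAIL,RO
2019-03-11T02:00:05Z,bob,198.51.100.7,IMAP,FAIL,RO
2019-03-11T02:00:09Z,carol,198.51.100.7,IMAP,FAIL,RO
2019-03-11T02:00:14Z,dave,198.51.100.7,IMAP,FAIL,RO
2019-03-11T02:00:20Z,erin,198.51.100.7,IMAP,FAIL,RO
2019-03-11T02:00:30Z,frank,198.51.100.7,IMAP,SUCCESS,RO
2019-03-11T02:30:00Z,frank,203.0.113.9,WEB,SUCCESS,US
2019-03-11T03:10:00Z,gina,203.0.113.9,WEB,SUCCESS,US
2019-03-11T08:45:00Z,gina,203.0.113.22,WEB,SUCCESS,US
2019-03-11T09:00:00Z,alice,192.0.2.5,IMAP,FAIL,US
"""


def parse_log(text):
    """Parse the CSV into dicts with a real datetime, sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def legacy_protocol_logins(events):
    """Successful sign-ins over protocols on which MFA was never challenged."""
    return [(e["user"], e["src_ip"], e["protocol"]) for e in events
            if e["result"] == "SUCCESS" and e["protocol"] in LEGACY_PROTOCOLS]


def spray_sources(events):
    """Source IPs that touched >= SPRAY_MIN_USERS distinct accounts in a window.

    Both failures and successes count: a spray that finally lands is still a spray.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    flagged = []
    for ip, attempts in by_ip.items():          # attempts are already time-ordered
        for i, start in enumerate(attempts):
            users = {a["user"] for a in attempts[i:]
                     if (a["ts"] - start["ts"]).total_seconds() <= SPRAY_WINDOW_SECONDS}
            if len(users) >= SPRAY_MIN_USERS:
                flagged.append(ip)
                break
    return sorted(flagged)


def improbable_logins(events):
    """Consecutive successful logins for one user from different countries too close in time."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if prev["country"] != cur["country"] and gap <= IMPROBABLE_SECONDS:
                alerts.append((user, prev["country"], cur["country"]))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("legacy-protocol logins:", legacy_protocol_logins(events))
    print("spray sources:         ", spray_sources(events))
    print("improbable logins:     ", improbable_logins(events))
```

On the sample data the spraying address is flagged even though five of its six attempts failed, the one IMAP success is reported as an MFA-less login, and frank’s Romania-then-US pair trips the improbable-login check.  Note that the improbable-login rule would still fire even if the attacker had used a proxy inside the geo-fence, because it compares a user’s logins against each other rather than against a fixed allow-list.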

Source: Proofpoint.