Tag Archives: hacking

Why Paying Ransomware May Not Be A Great Idea

You may recall that a hacking group called the Dark Overlord hacked into Larson Studios, a third party provider to Netflix and other studios.  They stole the unreleased copies of the whole season of Orange as well as about 36 other series and movies.

Now we are beginning to hear the back story and it points out that paying ransomers is dicey business.

Larson’s owners tried to protect their customers.  They did this by paying the ransomers $50,000 in bitcoin.  The theory was that the attackers would not release any of the titles if Larson paid.

Investigators discovered that ground zero for the attack was a Windows 7 PC.  Whether it was patched current or not is unclear, but as we are seeing with the Wikileaks releases of CIA and NSA exploits, being patched does not mean being secure.  The CIA and NSA do not have an “exclusive” on exploits.

When Larson’s IT guy looked at the server and found the shows were gone, they called the FBI.  They did not tell their clients because the group said not to and at that point they were still hoping to contain the damage.

They paid the ransom.  It took a while to work through the system to buy $50,000 in bitcoin.  About a week in total.

The Dark Overlord got a bit greedy and contacted Netflix and the other studios trying to get them to pay a ransom also.  Those studios opted not to pay.  So, even though Larson paid the ransom, the attackers released the titles.

It is a bit of a crap-shoot as to whether hackers will keep their word, even though not keeping their word should, in theory, destroy their business model.

In many cases, having a backup will protect you from having to pay the ransom.  Not in this case, nor in any number of other cases where the hackers can steal intellectual property rather than just encrypt it.  Law firms or accountants, for example.

Once they have your intellectual property, it is a new game.

They could sell it or publicly release it.  Depending on the model, they might want to embarrass the company, destroy it or make money.

Your best bet is to keep the hackers out.  That is not always so easy.

After the fact, Larson upgraded security.  Files are encrypted.  The network is segmented so that if an attacker gets in they don’t have free rein over the whole company.  They no longer keep the audio files and video files together, to make it harder for an attacker to get something useful.

Larson lost some customers over this, but they learned a lesson.  An expensive lesson.  Lost customers PLUS ransom PLUS reputational damage PLUS the cost of re-engineering the network EQUALS an expensive lesson.

You can spend the money before an attack or spend a lot more money after the attack.  It is your choice.  But there is no free lunch.

Information for this post came from Data Breach Today.


Another Public Private Partnership Between Police and Hackers

A few days ago I wrote about a public-private partnership between the Russian spy folks and Russian hackers that was uncovered when the Feds indicted two hackers and two Russian spies.  In that case, the hackers gave the Russians the data that they wanted and kept and used the rest for themselves.

Now there are reports of a similar but different arrangement with the Metropolitan Police in London.  These reports are unsubstantiated as of right now.

The anonymous person who used to work for the intelligence community (or so they say), said it worked this way.

Scotland Yard worked with the Indian police who hired hackers to hack the emails of political dissidents.  The hacked passwords were supposedly then returned to Scotland Yard so that they could then read the emails of environmental campaigners and journalists.  It is not clear how the hackers benefited from this other than for being paid for their work.  How the public-private partnership between the Indian hackers and Indian police worked may come out in the future – or may not.

Some of the passwords were verified by their owners as being their passwords, which certainly adds some legitimacy to the conversation.

The person who reported the crime said that the police had been rummaging through journalists’ and activists’ emails for several years.

The complaint was referred to the Independent Police Complaints Commission (IPCC) and they are reported to be investigating.  The IPCC is already investigating a complaint that the intelligence unit shredded large numbers of documents in 2014 in spite of an order to preserve the documents for review by the court.  The complainant said that documents had been shredded on a far greater scale than the IPCC seems to be aware of.

Lawyers who received the letter in question said it contained 10 userids and passwords, and they were able to confirm that five were the correct password for those users and one more was almost identical.

The Metropolitan Police said that they need to keep track of thousands of activists to detect the few bad apples. They didn’t explain HOW they might do that – legally or otherwise.

Combine this with the details that WikiLeaks revealed about CIA efforts to hack into iPhones and there certainly is the appearance of widespread efforts to eavesdrop on people’s emails.

Certainly law enforcement has authority to do a certain amount of eavesdropping, based on a set of rules laid out by law.  Those laws vary from country to country.

On the other hand, there is sometimes a bit of fuzziness as to what is legal and what is not.

It may be easier – although likely much less legal – to obtain the passwords of the people they want to monitor, such as journalists, than to get multiple warrants.  It is also likely difficult to get a warrant to monitor the emails of journalists if the journalist is just reporting the news.

For those people who wear tin foil hats (i.e. think the government is out to get them), this is just more evidence that they are right.

For people who just want to increase their level of privacy, using two factor authentication definitely helps to make it more difficult for this tactic to work – at the cost of a little more effort to log in.

For those people who want to go the extra privacy mile, using a solution that encrypts your email from end to end where you keep control of the encryption keys is a more secure solution.  This solution, while significantly improving the privacy of your email, is also significantly more complicated to use.

Email solutions that claim to be encrypted but do not require you to know or manage any encryption keys likely do not provide much additional privacy for a variety of reasons.

Bottom line is that it depends on your level of paranoia and the length that you are willing to go to in order to gain some additional privacy.

For most people, keeping the contents of their email private is, at best, a nuisance.  For other people, including journalists and investigators, privacy likely rises to a higher level.

Certainly interesting.

Information for this post came from The Guardian.


Traffic lights are easy to hack

According to an article on CNN’s web site, many traffic lights in the US are easy to hack.

Earlier this summer researchers in Michigan demonstrated how easy it was to hack into the traffic lights in an undisclosed city.

The traffic lights in question are made by Econolite, the largest manufacturer of traffic controls in the U.S.

It used to be that the controllers were all mechanical and the only way to control them was to drive to the intersection, open the control box and do what you needed to do. Now they support WiFi, and anyone with a laptop – and, in the case of the undisclosed city above, the default userid and password, which are published in the manual – can get in and change or shut down the traffic lights.

There is a standard in the U.S. for traffic controllers, NTCIP 1202, that all manufacturers support. Equipment built to that standard is just as susceptible to the same problems if cities don’t change the default settings.

The interesting thing is that with a little work cities could make the traffic lights more secure.  However, that requires money (time) and since most cities are strapped for cash, nothing is likely to change.

Until some hacker decides to shut down a city by turning off all the traffic lights or making them all red or whatever.  All of a sudden folks will get religion.

Mitch Tanenbaum


Why do attackers like your current security strategy?

I just read a white paper on a security vendor’s (Prevoty.com) web site and I think they really understand the problem.  I have not had a chance to review their products, so I make no claims about them, but I do recommend reading the article.

First a quote from the paper:

Traditional security is like a city protected by castle walls with a moat and a drawbridge to keep invaders at bay. But now the walls have fallen down and the invaders have sprouted wings, waving to your guards as they fly over the moat. Good luck protecting your citizens.

Now onto their 5 reasons attackers love your strategy:

1. Relying on signature and past definitions exposes applications to zero-day attacks.

Most security solutions rely on the assumption that what is going to happen in the future is based on what has happened in the past.  While this is partly true, it certainly isn’t exclusively true.  Examples of this are what are known as zero-day attacks – something new, something different.  It could be something as simple as a technique that was used in the past, but in a different context. Basing the future solely on the past is not a good security strategy.

2. A perimeter based security cannot protect today’s distributed world.

In olden days (like a few years ago) when mobile phones, tablets and laptops were not as integrated into the enterprise as they are today, you might have been able to at least define the perimeter of your enterprise.  That would be a step towards protecting it.  Today, you cannot even tell me on what devices your corporate data exists – never mind whether you own or control those devices (the misguided principle of BYOD is the primary cause of that, but that is the subject of an entire post by itself).

3. Any attempt at active prevention that occurs outside of the application has no context

This one I might argue with a tiny little bit – but only a tiny bit.  The key point being that you MUST mitigate risk in the context that the risk exists in.  Risk is always context sensitive.

4. Developers are not, and should not be, security experts

If you are counting on your developers to protect you, you already have a problem.  This is not meant to reflect negatively on them.  That is not their focus.  Their focus is to create great applications that satisfy your business requirements.  Security is a discipline of its own and should be treated that way.

5. Your business is not application remediation

Boy, howdy!  As I said above, application, system and network security is a discipline by itself.  Hackers are working 24×7 to break into your world.  You need someone on your side who thinks the way hackers think.  And who doesn’t have to do that as a sideline.

One of the interesting things about digital attacks is that unless the attacker is unskilled or wants you to know she has been there, you often won’t know that an attacker is inside your system.  The only reason Edward Snowden is a household name today is that he ‘outed’ himself.  Initially General Alexander of the NSA told Congress that Snowden took around 250,000 documents.   Later the General said he took 1.7 million documents.  I suspect they don’t really know what the number is.  And remember, the NSA is an organization that prides itself on its data security efforts.  How does your average company compare in terms of security budget, staff and expertise to the NSA?  This is a difficult and never ending battle – for both you and the NSA.

According to a recent Experian report, 60% of small businesses that suffer a breach go out of business within 6 months.  A strategy which depends on you not being attacked may not be totally effective.

Mitch Tanenbaum


The FBI is looking for a little love

According to an item on Govtech, The FBI is looking for a little help from businesses in their effort to bring cyber criminals to justice.

Assistant AG for National Security John Carlin and FBI Director James Comey said they need more than knowing how a breach occurred.  They also want to know why the bad guys are after the victims.  So exactly what is in it for businesses to cooperate?

I assume that number one on most companies’ list would be to get the bad guys, get the information back and put the perpetrator in jail for a long, long time.  Let’s analyze this.

While some cyber attacks come from inside the US, many come from foreign countries.  Countries that are not terribly friendly to us.  Countries like Russia, China, North Korea and other places.  Do you think China is going to help us catch some cyber thieves?  Not likely.  Many of them are likely on the government’s payroll.  The ones that are not and are doing things that the government doesn’t like will likely disappear.  That problem is solved.  Sending them to the US to face trial?  Not gonna happen.

What are companies concerned will happen?

1. My company will be turned into a crime scene.  To some extent, this is likely to happen.  The Feds are going to want to collect evidence.  Are they going to come thundering in and haul off all your computers?  Not likely, but there are no parameters that say what they will and will not do.  Are they going to question my employees and take up their time?  Likely yes.

2. I will get a lot of PR – all bad.  This is likely to happen anyway unless you can keep the breach quiet.  If it consists of stealing corporate intellectual property, you can probably do that, but the odds of catching the bad guys go to zero.  On the other hand, once the IP is stolen, getting it back is probably not very useful, since it has likely already been copied and distributed.  You cannot get the cow back in the barn.

3. The FBI is not going to understand what I am telling them and I will get frustrated.  Also likely to an extent.  The FBI is hiring a bunch of cyber agents, but they are not programmers and not system administrators and they have not been involved with your company to understand how your systems work.  Still, they are getting much better than they were.

4. The bad guys won’t get caught.  Also likely.  The US just indicted a bunch of Chinese military hackers.  Do you think the Chinese are going to turn them over to us?  Not very likely.  That indictment was a publicity stunt to try to impress the uninformed.  At least we do have some idea of who was attacking us, but the odds of us getting our hands on them to put them through our legal process are as close to zero as you can get.

5. Information I don’t want to get out will get out.  Partly true.  Some information will be protected, but unless a judge agrees to seal an indictment or clear the courtroom before testimony, which is very unusual, some information will get out and you won’t get to decide what does and what does not.

So it is a messy situation.  No easy answers.  Your board will have to make some decisions. Also consider, however, that if it involves PII (like credit cards) or PHI (like medical records), the decision is mostly out of your hands unless you want to break the law – and they know where you live, so that is probably not a good plan.

Best answer – work hard to protect yourself and hope that your breaches are small.

Sorry if you were looking for a better answer.

M


How are public restrooms and public computers alike?

There is an article in Slate that suggests that we should treat public computers like we treat public restrooms – very cautiously.

I had never made that analogy before, but I do like it.

Both public restrooms and public computers may harbor germs and viruses.  Both may have been frequented in the recent past by people of dubious character and you don’t know what you might catch if you visit either one of them.

The article talks about hackers installing key logging software on hotel business center computers, thereby grabbing every keystroke you type – including userids and passwords, of course.  The article is based on a US Secret Service advisory from early July 2014, so I am guessing that the Secret Service found some infected computers.  Obviously, this type of attack is not limited to hotels – schools, libraries and any other place where shared computers are available are susceptible to this kind of attack.

I know that on those rare occasions that I use public computers, I sort of touch them gingerly and would never use them for anything important – like online banking or paying bills for example.

The article says, and I would agree with it, that it is not hard to install such software on most business center computers, although it is also fairly easy to make it more difficult to do.  (It is impossible to make something bullet PROOF.  On the other hand, bullet RESISTANT is definitely possible.)  In the old days, you just stuck a hardware wedge on the parallel port and came back later to retrieve it.  Now all the attacker does is log on over the internet and harvest the data.

Unfortunately, there is not the equivalent of the sheet of tissue paper to put down before you use the public computer, so beware.

M
