Saturday, December 26, 2020

Even Hunger-Relief Groups are not Off-Limits

 

With the economy not doing exceptionally well, people’s wages for the year generally decreasing significantly, and the pandemic continuing at least for the short term, not-for-profit budgets can be stretched rather thin. As these organizations provide services based on their mission, those services may need to be re-evaluated. One form of service desperately needed is food relief and pantries. One of these organizations is Philabundance. Of all the targets available across the vast expanse of the internet, the attackers chose this one.

 

Philabundance is a food relief organization located in the Philadelphia area and is the region’s largest hunger-relief group. The organization feeds over 100k people per week in the areas where it has a presence. With the economic downturn, it shouldn’t be a big surprise that the number of people served is almost double last year’s.

 

The attack itself used a widely used, yet simple, method: phishing, carried out in the summer of 2020. The organization is constructing a new building with a budget of $12M; it will house the Philabundance Community Kitchen. The attackers built their attack around this project. They infiltrated the target system through a phishing campaign. Once in, they set a rule in the email system to block the legitimate emails. The attackers were then able to spoof the construction company’s email with a fake invoice for $923,533. The organization paid the fake invoice on July 6, 2020, and discovered the problem when the construction company called for its money on July 24, 2020. After detecting the issue, the investigation began in full force. The effort indicated this was a one-time event; no staff information or data was accessed. One area the organization specifically noted as not being affected was the online donation platform, since there needed to be confidence in the system so people would continue to donate.

 

Fortunately, the organization was able to cover the debt with its reserves. The hope is the insurance company will assist the organization in replenishing the lost funds. The FBI was contacted and is investigating. The organization hired a cybersecurity subject matter expert to review the incident. Internally, they have begun to update their security system with increased controls and more employee training.

 

Phishing can be tough to defend against. Yes, there are easy instances to detect: emails with misspelled words, grammar that does not quite make sense, and 85 people being emailed about a late-arriving package, all with the same tracking number. More often, though, the emails encountered have become much more sophisticated. To keep pace with these advances in phishing emails, the training needs to be updated. With how fast the industry continues to advance, this cannot be overlooked. Of course, the appropriate systems also need to be in place to monitor for these.
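The two tells described in this post (a mailbox rule set to hide the legitimate vendor’s mail, and one tracking number mailed to dozens of staff) can be checked mechanically. The Python below is an added example, not code from the original post or from any of the organizations named; the rule and message records are constructed and only loosely shaped like mailbox-rule audit entries, and the parking-folder list, the recipient threshold and the external-forwarding check are assumptions that generalize beyond this one incident.

```python
import re
from collections import defaultdict

# Terms that, in a rule condition, suggest the rule is aimed at money-movement mail.
FINANCE_TERMS = ("invoice", "payment", "wire", "remittance", "bank")
# Folders attackers commonly park diverted messages in so the user never sees them.
PARKING_FOLDERS = ("rss subscriptions", "rss feeds", "conversation history",
                   "junk email", "deleted items", "archive")


def rule_findings(rule):
    """Return the reasons (possibly none) a mailbox rule looks like BEC tradecraft.

    `rule` is a dict with keys Mailbox, Name, Conditions and Actions, in the
    constructed shape used by SAMPLE_RULES below (an assumption, not a vendor schema).
    """
    cond = rule.get("Conditions", {})
    act = rule.get("Actions", {})
    findings = []

    # A rule "hides" mail if it deletes it or moves it somewhere nobody looks.
    target_folder = (act.get("MoveToFolder") or "").lower()
    hides = bool(act.get("DeleteMessage")) or target_folder in PARKING_FOLDERS
    cond_text = " ".join(str(v).lower() for v in cond.values())

    if hides and any(term in cond_text for term in FINANCE_TERMS):
        findings.append("hides mail matching finance keywords")
    if hides and cond.get("From"):
        findings.append("hides mail from specific senders: " + ", ".join(cond["From"]))
    if hides and act.get("MarkAsRead"):
        findings.append("marks hidden mail as read so no unread badge appears")
    if act.get("ForwardTo"):
        # Not part of the incident above, but the other classic BEC rule: copy mail out.
        findings.append("forwards mail outside the mailbox: " + ", ".join(act["ForwardTo"]))
    if len(rule.get("Name", "").strip()) <= 1:
        findings.append("rule has an empty or one-character name")
    return findings


def scan_rules(rules):
    """Return (mailbox, rule name, findings) for every rule that has findings."""
    hits = []
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            hits.append((rule.get("Mailbox"), rule.get("Name"), findings))
    return hits


# Loose pattern for shipping tracking numbers: UPS-style "1Z" + 16 chars, or 12-22 digits.
TRACKING_RE = re.compile(r"\b(?:1Z[0-9A-Z]{16}|\d{12,22})\b")


def shared_tracking_numbers(messages, min_recipients=10):
    """Map each tracking-number-like token to the sorted distinct recipients who got it,
    keeping only tokens that reached at least `min_recipients` people."""
    recipients = defaultdict(set)
    for msg in messages:
        for token in TRACKING_RE.findall(msg["subject"] + " " + msg["body"]):
            recipients[token].add(msg["to"].lower())
    return {t: sorted(r) for t, r in recipients.items() if len(r) >= min_recipients}


# --- constructed sample data; not taken from the incident --------------------
SAMPLE_RULES = [
    {   # the kind of rule the write-up describes: vendor invoices vanish from view
        "Mailbox": "ap@example-nonprofit.org", "Name": ".",
        "Conditions": {"SubjectContains": ["invoice", "payment"],
                       "From": ["billing@example-builder.com"]},
        "Actions": {"MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    },
    {   # a benign housekeeping rule
        "Mailbox": "ap@example-nonprofit.org", "Name": "Newsletters",
        "Conditions": {"From": ["news@example-vendor.com"]},
        "Actions": {"MoveToFolder": "Newsletters"},
    },
]


def sample_delivery_messages():
    """85 staff get the same 'late package' tracking number; one real shipment mail differs."""
    msgs = [{"to": f"user{i:02d}@example-nonprofit.org",
             "subject": "Your package is delayed",
             "body": "Track it here: 1Z999AA10123456784"} for i in range(85)]
    msgs.append({"to": "ops@example-nonprofit.org",
                 "subject": "Shipment 1Z12345E0205271688 has left the warehouse",
                 "body": ""})
    return msgs


if __name__ == "__main__":
    for mailbox, name, findings in scan_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: " + "; ".join(findings))
    for token, who in shared_tracking_numbers(sample_delivery_messages()).items():
        print(f"tracking number {token} sent to {len(who)} distinct recipients")
```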

  

Resources

6abc Digital Staff. (2020, December 1). Philabundance loses nearly $1 million in cyberattack. Retrieved from https://6abc.com/philabundance-cyberattack-hack-phishing-scam-philly-fbi/8425984/

 

6abc Digital Staff. (2020, December 2). Philabundance loses nearly $1 million in cyberattack. Retrieved from https://www.newsbreak.com/pennsylvania/philadelphia/news/2116820862556/philabundance-loses-nearly-1-million-in-cyberattack

 

Associated Press. (2020, December 3). Philadelphia hunger group loses nearly $1M in cyberattack. Retrieved from https://www.insurancejournal.com/news/east/2020/12/03/592596.htm#:~:text=The%20Philadelphia%20region's%20largest%20hunger,Jones%20told%20The%20Philadelphia%20Inquirer

 

Brubaker, H. (2020, December 1). Philly hunger relief group Philabundance lost nearly $1 million in cyberattack. Retrieved from https://www.inquirer.com/business/philabundance-cybertheft-nearly-1-million-20201201.html

 

Fox29.com. (2020, December 1). Philabundance loses nearly $1M in cyberattack. Retrieved from https://www.newsbreak.com/pennsylvania/philadelphia/news/2116586100406/philabundance-loses-nearly-1m-in-cyberattack

 

Philadelphia Sun Staff. (2020, December 11). Philadelphia hunger group loses nearly $1M in cyberattack. Retrieved from https://www.philasun.com/local/philadelphia-hunger-group-loses-nearly-1m-in-cyberattack/

 

Ralph, P. (2020, December 1). Philabundance falls victim to cyberattack, loses almost $1 million. Retrieved from https://www.phillyvoice.com/philabundance-cyberattack-theft-1-million-dollars/

 

Schratwieser, D. (2020, December 1). Philabundance loses nearly $1M in cyberattack. Retrieved from https://www.fox29.com/news/philabundance-loses-nearly-1m-in-cyberattack

Sunday, November 29, 2020

UK flooring firm pwned

 


Attackers are always looking for new targets to attack. With the vast expanse of the internet, the field is ripe with people and businesses whose data or operations can be leveraged for a fee. A company acknowledged its issue in late November 2020. Headlam Group, a UK flooring distributor based in Birmingham, experienced a successful attack, acknowledged on November 24. The attackers were able to exfiltrate data as part of the attack. They were able to access the system’s back end, including the email system. The company was able to restore its email system for usage. Fortunately, the company’s customer and supplier information was accessed. The company did not disclose the method the attackers used; however, it was effective. We can learn from their unfortunate issue. All the attackers need is one vulnerability or one user to click on one link or picture, while the blue defensive team has to work to patch everywhere possible, monitor the threat feeds for the latest attacks, think through the various attacks that could occur, and secure the data at rest.

 

 

PLEASE contact us when we may be of assistance with embedded systems cybersecurity architecture, validation, and penetration testing. We have a full lab ready to perform.

Charles Parker, II; Principal Scientist; MBA/MSA/JD/LLM/PhD/DCS (IP)

charlesparkerii@gmail.com

810-701-5511

Of all targets, you chose Sophos

 


You know it’s not going to be a good day when a cybersecurity company is breached. Cybersecurity companies are supposed to be the top tier and subject matter experts of cybersecurity. Since they are selling and marketing their services to other companies, one would infer their stance and defensive posture is beyond reproach. A recent issue with Sophos shone a light on this. Sophos is a cybersecurity company, selling many services, located in the UK. The company is well-known in the industry, for good reasons. In mid-November of this year, the company experienced an attack and subsequent breach. The attackers were able to exfiltrate data during the attack, including user names, emails, and contact numbers. Fortunately, per Sophos, only a small number of customers were affected by the issue. This is an example of why we need to maintain vigilance with cybersecurity. This field changes frequently and is not static. The lack of regular updates and monitoring provides too many viable attack points to try.


 



Hope you don’t expect automobile connectivity to slow down anytime soon

 


Automobiles are becoming more connected with each innovation and each year. This is an extension of consumers’ desire for functionality. These innovations haven’t been only mechanical or about efficiency, but also in the electronics and software applications. While these innovations improve the user experience, the connectivity that comes with them as a by-product has also enlarged the attack surface; there are more points to attack. This has been noticed by the automobile manufacturers. In response to the increased attack points and vulnerabilities, the OEMs and Tier 1 and Tier 2 manufacturers have refocused on cybersecurity. This has included additional work from the beginning of projects, focusing on software, hardware, and dependencies. For instance, the focus is no longer only on coding the software, but on validating the functionality, testing the software, and working to detect any vulnerabilities not previously addressed. Regarding the hardware, each vehicle has an increased number of ECUs (electronic control units) to accommodate the additional functions. These also represent more points for the attackers to address. Providing more points to explore is never a good thing.

 

 


Saturday, November 28, 2020

Not enough attention paid to industrial automated systems

 

Nearly all the products we purchase are processed by automated systems. If these were to stop working, or their workflow were maliciously adjusted, there would be a clear issue immediately as products were assembled incorrectly or broken during the “adjusted” process. While this has the potential to wreck our way of life if exploited on a large scale, there has not been a sufficient amount of attention paid to it. Recently, a new vulnerability was uncovered in this equipment. This critical vulnerability is in Real Time Automation’s (RTA) 499ES EtherNet/IP (ENIP) stack. The stack is widely used and is the standard for factory-floor I/O applications in North American plants. If an attacker is able to exploit it, the equipment could experience a DoS-type attack, and it allows for remote code execution. This vulnerability, CVE-2020-25159, has the opportunity not only to shut down a line and part of a plant but also to have the equipment instructed to do whatever the unauthorized third party directs. Based on the pertinence to society these automated processes have and the costs associated with these lines not being productive, more of a focus needs to be applied to this. There is even a tool available that scours the internet seeking the robots used in these processes which are not properly secured. Without cybersecurity in place, there is the potential for individual attacks and much worse with a concerted attack.




Saturday, November 14, 2020

Medical arts still targeted

 

The medical field has been targeted for attacks over the last few years. The focus has been and continues to be the data being held. These attacks may take any of many different forms, dependent on the target’s equipment, configurations, and other factors. The data targeted by the attackers has value to them and for resale. A recent case directly involved this. UCSF experienced a successful attack on June 1, 2020, on its School of Medicine’s IT environment. While the method was not published, the data involved was. The attacker may have had access to current and former employees’ names, social security numbers, government ID numbers, medical information, health insurance ID numbers, and possibly financial information.

After the attack was discovered, UCSF contracted with a cybersecurity consultant and others to investigate the breach. The IT system was also analyzed for areas to harden, to minimize the opportunity for this to happen again.

The method used for the successful breach was not made available. This could have been a simple phishing attack or a more complex, multi-step attack on their system. This attack, however, does emphasize the need for complete defense in depth. This involves staff training, patch management, and updates.

Embedded systems software: Still vulnerable

 

Our computer systems run on software. Without it, the industry has a vast inventory of boat anchors, paperweights, and expensive equipment to prop doors open. With it, we have finely-tuned equipment that works through miraculous tasks. With our dependency on these systems, seemingly, as a culture and industry, we could learn from our oversights and mistakes. This begins in 2015 with the infamous Miller & Valasek Jeep hack. At that point in time, the embedded systems industry thought passwords made the products secure, that no one would be interested in attacking wireless sensors or cellular, and that a device with a singular function would never be a target. These faulty beliefs were clearly wrong, and our industry was built on curing these issues.

Embedded systems continue to be excessively insecure, unfortunately. These systems continue to be very accessible. There is no license required to purchase them. The cybersecurity researcher simply has to drive to an auto parts store, log into eBay, or call a junkyard to secure one or more of these units to test. Once secured, there are numerous online resources available to assist the researcher through the hardware configuration and OS (e.g. CANbus).

These systems are often not secured. The researcher simply has to connect to them and begin the attack. This is the case especially with the CANbus. Other systems may use Linux or Android for certain systems within a vehicle. While these are an improvement for cybersecurity, they still have ample vulnerabilities depending on the version and other factors.

With these systems, due to their importance in our lives, security should be built in from the beginning phases through production. Adding it in at the last bit of the project has not worked and will not work. We’ve seen this repeatedly. Cybersecurity needs to be incorporated from the beginning and not bolted on at the end of the project, unless you enjoy the opportunity to fix the bug or vulnerability in your product located across the globe.

One of the crown jewels for the attackers is the data. This has to be secured at rest and while it is between the sender and receiver (in transit). When you don’t have this in place and the appropriate measures working, there will be issues.

Finally, you should think like the attacker would. The person attacking your system isn’t going to care about the project gates or deadlines, why the cybersecurity issues are not fully addressed, or the thousandth of a penny you saved by not fully implementing adequate security. The attacker is focused on how to break into your system using present or past tools, or creating new ones to ensure their success.

Thursday, November 5, 2020

Barbie is not happy: Mattel hit with ransomware

 

Toys bring a smile to a child’s face. Children and some adults look forward to certain events and holidays for an entire year. As much joy and happiness as toys bring to most people, they are manufactured by big business. Toy companies, while having a definite role in society, are also a target. The business and its locations for warehousing and manufacturing hold data and computer systems that could be exploited. Recently, the toymaker Mattel was hit with ransomware and joined the club of other businesses given the opportunity to work through this issue. With the holidays around the corner, the attackers have no heart!

Mattel

Mattel has been a common name around households for decades, as it has created and produced so many different toys. Mattel has risen to be the second-largest toymaker in the world. The corporation presently has an estimated 24,000 employees, with its headquarters in California. The business is rather large, an MNB (multi-national business) with locations in 35 different countries. Notably, the business manufactures Barbie. Other subsidiaries familiar to parents and children are Fisher-Price, American Girl, Thomas & Friends, and Hot Wheels.

Attack

Mattel was the recipient of a ransomware attack. The tool used appears to have been the Trickbot variant. This piece of malware was so widely used that it was voted the most dangerous threat to healthcare in 2019. This particular variant has tended to compromise entire networks. The attack occurred on July 28, 2020. Mattel disclosed this in early November 2020 in its 10-Q (quarterly report to the U.S. Securities and Exchange Commission). The report noted on page 31: “On July 29, 2020, Mattel discovered that it was the victim of a ransomware attack on its information technology systems that caused data on a number of systems to be encrypted.” This was also noted on page 52 of the same report.

After the Detection

As alluded to earlier, this did affect operations: a portion of their business operations was affected. Fortunately, there was no data theft. Once the attack was detected, the business began its response protocols, including steps to stop the attack and begin restoring the impacted systems. Through the good work of their cybersecurity team, the attack was contained. The business did a complete forensic investigation to ensure the issue was contained and removed from their systems. The forensic team noted no data was exfiltrated, which is a clear benefit.

Discussion

Educating your staff continues to be the first line of defense against ransomware. With this in place, the opportunity for ransomware to take over your system is limited.

 

Resources

Abrams, L. (2020, November 3). Leading toy maker Mattel hit by ransomware. Retrieved from https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/

Bizga, A. (2020, November 4). Toymaker Mattel discloses ransomware attack. Retrieved from https://hotforsecurity.bitdefender.com/blog/toymaker-mattel-discloses-ransomware-attack-24476.html

Cimpanu, C. (2020, November 4). Toy maker Mattel discloses ransomware attack. Retrieved from https://www.zdnet.com/article/toy-maker-mattel-discloses-ransomware-attack/

Comeau, Z. (2020, November 4). Toymaker Mattel says it was hit with ransomware. Retrieved from https://mytechdecisions.com/network-security/toymaker-mattel-says-it-was-hit-with-ransomware/

Muncaster, P. (2020, November 4). Mattel reveals July ransomware attack impacting business. Retrieved from https://www.infosecurity-magazine.com/news/mattel-reveals-july-ransomware/

Spring, T. (2020, November 4). Toymaker Mattel hit by ransomware attack. Retrieved from https://threatpost.com/mattel-hit-by-ransomware/160947/

Starks, T. (2020, November 4). Nothing is sacred: Ransomware attack hit toy maker Mattel’s systems this summer. Retrieved from https://www.cyberscoop.com/ransomware-attack-mattel-toys/

Weston, S. (2020, November 4). Mattel admits it was hit by a ransomware attack. Retrieved from https://www.itpro.co.uk/security/ransomware/357651/mattel-hit-by-ransomware-attack

 

Sunday, November 1, 2020

Why are embedded systems being ignored?

 

In InfoSec, most of the focus and attention has been on the enterprise. When students are matriculating or getting certifications, the focus is on the enterprise. Granted, the enterprise is experienced through the business network, laptops, servers, and the infamous data center. One area, though, which has not received the relative attention it should is embedded systems. These are present in many of the products we experience day in and day out, during the workday and as consumers. They include the IoT devices we use every day, the vehicles that use them throughout their systems, and other equipment. With these being in use through the majority of our lives, both at work and at home, they should be better known, and more people should be concerned with them. The issue, by extension, is that there is not the focus on securing these that there should be.

One point with this is the perception that building in cybersecurity from the beginning of the project, through development, and into production is expensive. Granted, there is a cost to this due to the direct labor, materials, and overhead. For the direct labor tasked with this, a full-time employee is not required in most instances; the person may be tasked across several projects. The tasked cybersecurity expert may have their costs distributed across the various projects, making this less costly per project. Compare this with the cost of a breach. As an example, the FCA Jeep hack began at $17M, and the costs have increased exponentially with the lawsuits.

Projects have a timeline. The project team lead has certain gates they have to meet at certain points in time. If these are not met, there can be rather significant financial effects. When a project is a bit behind, certain areas may need to be worked on at a later date if the client refuses to budge or work with the vendor. One of these, unfortunately, has tended to be cybersecurity. Somehow along the way, project managers created the idea cybersecurity could be added at the end of the project or later in time. There is the impression this can just be bolted on at some point to the project. Nothing could be more different from reality. The cybersecurity solution architected for the specific use case is not a simple, short process in most instances due to the technical nature of compromises and the complexity of connected systems. This requires a well thought through solution. This needs to be incorporated from the beginning of the project and built-in through every step.

The alternative to these is to have a product with an insecure embedded system and we have seen how this has not worked out well.

Friday, October 23, 2020

City of Shafter Shafted

 

Ransomware is prevalent in the current landscape. Seemingly there are at least one or two attacks published every week. There are certainly many more successful attacks throughout the nation on commercial entities and consumers. There are many reasons for this, including the ease of use and the financial return on the resources used to execute the attack. The targets are varied, but have one thing in common: there is data or a system the target needs to have access to or use. One of the familiar targets has been municipalities. These entities have historically had issues with budgets. These attacks certainly do not help with this concern, as the costs associated with a successful ransomware attack, with the forensic work along with uploading backed-up data, tend to be rather high. When an insurance policy that specifically addresses this type of attack is in place, the costs may not be as problematic to the municipality. If the fee is paid, there are also significant costs. Smaller municipalities may be targeted at a greater rate due to their lack of resources and staff trained in cybersecurity. One such recent victim has been the city of Shafter.

Attack

The city in California unfortunately was the victim of a successful ransomware attack. The targeted IT system was compromised. As is ransomware’s mode of operation, the system was locked and subsequently shut down. Due to the system being locked down, the city hall was closed. Once the attack was discovered, the city contacted federal law enforcement agencies. The focus is to find the attackers and the extent of the compromise.

Post-Attack

This was clearly a devastating attack. The take-away from this, however, is the need for cybersecurity and staff training. Granted, this is not free; however, to place this in perspective, how much does a successful attack cost that locks down all of the systems, critical and not, so that the municipality or business is not able to operate? There are training sessions available to train the staff to reduce the opportunity for this to occur.

Resources

Johns, T. (2020, October 21). City of Shafter hit by ransomware attack. Retrieved from https://bakersfieldnow.com/news/local/city-of-shafter-hit-by-ransomware-attack

 

Wright, A. (2020, October 20). City of Shafter hit with ransomware attack. Retrieved from https://www.turnto23.com/news/local-news/city-of-shafter-hit-with-ransomware-attack and https://www.databreaches.net/ca-city-of-shafter-hit-with-ransomware-attack/

Wednesday, October 14, 2020

Opportunity to follow your own ransomware response kit

 

In this day and age, every person and business is a target. If you have data, or your operation can be leveraged by shutting people out, which is nearly every business, you are a target. One of these is Tyler Technologies. This is a Texas-based company located in Plano. The company claims to be the largest provider of software and technology services to the public sector. The company sells a wide range of services to state and local governments. A few of their products are appraisal and tax software, integrated software for courts and justice systems, enterprise financial software systems, public safety software, records/document management software, and others. The company is very large and is publicly traded as TYL. There are an estimated 5,300 to 5,500 employees, with 2019 revenues of over $1B. Their website is tylertech.com. Their clients consist of over 15k government offices. The clients are based in the US, Canada, the Caribbean, and Australia.

Attack

The company became aware of an issue on September 23, 2020. This appears to have been a ransomware attack. The sources noted the RansomExx ransomware group carried out this attack. This group has also been linked to the recent attacks on the Texas Department of Transportation and Konica Minolta. The system was successfully attacked and compromised. On the bright side, this does appear to be limited to the internal phone and IT systems, rather than every system. Unfortunately, the details of the attack were not released; however, this does appear to be a ransomware attack.

Post-Detection

The company discovered the unauthorized user on the system. In a prudent move, they shut down the points of access to external systems. This was done out of an abundance of caution. This kept the attackers from pivoting into other areas. After this, they immediately began the investigation. The company contracted with third-party IT security and forensic experts. They focused on conducting a complete review. As a result of this, they also implemented enhanced monitoring systems to verify this activity did not continue. They also contacted law enforcement.

Affected

The company does not believe any of its client data, client services, or hosted systems were affected. With certain systems shut down, the local government clients did not have access to certain services (e.g. paying their water bill or court payments online). Ironically, Tyler Tech had used the threat of ransomware as a selling point for many of its services, including its ransomware survival guide and ransomware incident response checklist. Apparently,

Lessons

You have to maintain cyber vigilance. That is our environment. The employees still need the training to recognize ransomware, and cybersecurity is everyone’s problem. When you underestimate the attacker’s tenacity, you probably won’t like the results. The employee training needs to be ongoing through the year, not only as part of the mandatory training. When you don’t emphasize the importance of the employee’s role in keeping the business safe, their focus will lapse and you’ll be in the news feed, using your own ransomware response guides.

 

Resources

Abrams, L. (2020, September 23). Government software provider Tyler Technologies hit by ransomware. Retrieved from https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/

Bizga, A. (2020, September). Government services firm Tyler Technologies hit by ransomware. Retrieved from https://hotforsecurity.bitdefender.com/blog/government-services-firm-tyler-technologies-hit-by-ransomware-24193.html

Johnson, O. (2020, September 23). Tyler Technologies suffers apparent ransomware attack. Retrieved from https://www.crn.com/news/security/tyler-technologies-suffers-apparent-ransomware-attack?itc=refresh

Kovacs, E. (2020, September 24). Government software provider Tyler Technologies hit by possible ransomware attack. Retrieved from https://www.securityweek.com/government-software-provider-tyler-technologies-hit-possible-ransomware-attack

Krebs, B. (2020, September 23). Govt. services firm Tyler Technologies hit in apparent ransomware attack. Retrieved from https://krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/

Menn, J. (2020, September 23). Software vendor Tyler Technologies tells U.S. local government clients it was hacked. Retrieved from https://www.reuters.com/article/idUSL2NZGK25A?utm_medium=Social

Tyler Technologies. (n.d.). Website unavailable. Retrieved from https://www.tylertech.com/DesktopModules/EasyDNNNews/DocumentDownload.ashx


It's all in the family tree; including the data!

 

The latest craze has been finding out about one’s history. This does not refer to the events that have molded our lives, but to where we and our families originated. This may be in the UK, Europe, Africa, or another part of the globe. Once DNA testing became reasonably priced, this market opened up. We’ve seen the tests with the swab. While these are physically non-intrusive, they are able to tell much about you. They can show relatives who have also taken the test with the same service, health disposition, and much more.

One such product is Family Tree Maker software. The software, first released in 1989, has gone through many corporate owners over the years. These include Broderbund, The Learning Company, Mattel, Ancestry.com, and finally MacKiev, which presently is tasked with managing the code.

Oops!

These services hold a large amount of data accumulated from each person. This information has value and needs to be protected; by accepting it, the company is responsible for its safekeeping. The issue in this instance, much like too many others, was a misconfigured cloud server. This was found by a team from WizCase led by Avishai Efrat. The Elasticsearch server was not configured correctly. This left the server, along with all its data, insecure and accessible to anyone who wanted to look. If the data had at least been encrypted, it would have been a little better; however, this was not even the case.

The cloud server had 25 GB of data exposed, covering 60,000 users’ data. This included a nice selection of data for people to view and download: the users’ email addresses, geolocation data, IP addresses, system user IDs, support messages, technical data (e.g. error logs), refunds (if applicable), and subscription type and status. Imagine what you could do with a credential stuffing attack with this data!

This is also very useful for a phishing attack. With this data, the attackers would be able to create more and better content for their phishing attacks. This data is also perfectly usable for spam. Interestingly enough, competitors could also use this for their business. They could use a script to filter for keywords of unhappy customers or subscription status and target them as clients.

Post-Detection

This was unfortunately not a surprise. There have been too many of these being noticed. WizCase did notify the company of the oversight. WizCase did not receive a response from the company. They must have received the notice, though, since the company closed the cloud server after the email was sent.

Recurring

The misconfigured cloud servers are not new, unfortunately. Many of these have been found and successfully attacked. Many of these attacks have been published, showing the extent of the issue. When you read through a handful of these, it makes you wonder if the engineers just threw it up there and hoped for security through obscurity. It never ceases to amaze how the misconfigured cloud servers keep happening. There are so many resources available, this really shouldn’t happen this often. This is not even considering the second person the engineers should have looking at the build prior to signing off on the cloud server being in production.

Affected

If you know someone who was affected by this, or for general information, there are a few helpful hints. On the bright side, at least they did not collect users' social security numbers. Going forward, users should continue to watch what they share online. People want to share everything on social media. If possible, they should share as little as possible. This is not the popular route to take these days, but it is prudent.

The email service stops most phishing emails. Generally the filter is dialed in well, so this is not an issue, but a handful will make it through. Users should not open any attachment or link unless they are expecting it. UPS is not going to send the same notice of delivery with the same shipping number to 30 people. Your bank is not going to send you an email with a link for you to click.

Resources

IT Security News. (2020, July). Unsecured server leaks Family Tree Maker customer details - experts' comments. Retrieved from https://www.itsecuritynews.info/unsecured-server-leaks-family-trees-maker-customer-details-experts-comments/

Muncaster, P. (2020, July 21). Genealogy software maker exposes data on 60,000 users. Retrieved from https://www.infosecurity-magazine.com/news/genealogy-software-maker-exposes/

RT. (2020, July 21). Not keeping it in the family: Personal data of 60,000 genealogy software users LEAKED. Retrieved from https://www.rt.com/news/495417-genealogy-software-users-leaked/

Terabitweb. (2020, July 21). Genealogy software maker exposes data on 60,000 users. Retrieved from https://www.terabitweb.com/2020/07/21/genealogy-software-maker-exposes/

Williams, C. (2020, July 30). Family history search software leaks users' private data. Retrieved from www.wizcase.com/blog/mackiev-leak-research/

Friday, October 2, 2020

Oh (NO!) Canada: CRA targeted

Governments, local and federal, provide certain services to the people they represent. These may consist of snow removal, unemployment insurance, defense, assistance during disasters, and other services. Canada is no different, providing a vast number of services to its citizens. All of these services require data for processing and record-keeping. This data, and the computer systems that process and store it, are certainly viable targets for attackers.

Attack

To access these services, Canadian citizens need to log in to the service portal. This is set up much like any other login screen: the user enters a username and password on the website. Normally this runs very smoothly. The problems start when the user has the same password across many domains. There have been so many breaches that most people's passwords are for sale and have probably been sold many times. These passwords provide the basis for the credential stuffing attack. The attackers try each person's leaked password across many domains in the hope that the user has reused it. This makes the attacker's job much easier, since they already have the passwords to begin their work with.

This is what happened in this case. The attackers took passwords previously used on other domains and checked whether the users had reused them on these services. The attack was detected on August 7th. While this occurred in Canada, this form of attack could occur anywhere. The successful attack is indicative of a systemic issue with user passwords. Using the same password everywhere is an incredibly bad idea for several reasons, and this attack is a clear and shining example of why.

The attack, per the Office of the Chief Information Officer for Canada, affected 9,041 GC Key accounts and approximately 5,500 Canada Revenue Agency (CRA) accounts. The GC Key accounts were used fraudulently in an attempt to access government services. Once this was detected, the GC Key accounts were canceled.
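As an added example that is not part of the original post or of any Government of Canada tooling, the following Python script shows how a defender could spot the pattern described above in login logs: one source trying a leaked password once against each of many different accounts, with a low but nonzero hit rate. The log format, field names, thresholds and sample lines are all constructed assumptions for illustration.

```python
"""Spot a credential-stuffing pattern in web login logs.

Added example, not code from the original post. The log format, the field
names and the thresholds are assumptions chosen for illustration; the log
lines are constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.5 tries one password per account against many accounts (stuffing);
# 198.51.100.7 is a user mistyping their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2020-08-07T10:00:01Z 203.0.113.5 alice FAIL
2020-08-07T10:00:02Z 203.0.113.5 bob FAIL
2020-08-07T10:00:02Z 203.0.113.5 carol OK
2020-08-07T10:00:03Z 203.0.113.5 dave FAIL
2020-08-07T10:00:03Z 203.0.113.5 erin FAIL
2020-08-07T10:00:04Z 203.0.113.5 frank OK
2020-08-07T10:00:05Z 203.0.113.5 grace FAIL
2020-08-07T10:00:05Z 203.0.113.5 heidi FAIL
2020-08-07T10:00:06Z 203.0.113.5 ivan FAIL
2020-08-07T10:00:06Z 203.0.113.5 judy FAIL
2020-08-07T10:05:00Z 198.51.100.7 alice FAIL
2020-08-07T10:05:30Z 198.51.100.7 alice FAIL
2020-08-07T10:06:00Z 198.51.100.7 alice OK
2020-08-07T10:07:00Z 192.0.2.9 bob OK
"""


def parse_line(line):
    """Parse one log line into (timestamp, source ip, username, success)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result == "OK"


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def max_distinct_users_in_window(events, window_s):
    """Largest number of distinct usernames seen within any window_s-second span.

    events: list of (timestamp, user) sorted by timestamp. Two-pointer sweep so
    the cost is linear in the number of events.
    """
    active = Counter()
    best = left = 0
    for when, user in events:
        active[user] += 1
        # Evict events that fall outside the window ending at this event.
        while (when - events[left][0]).total_seconds() > window_s:
            old = events[left][1]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            left += 1
        best = max(best, len(active))
    return best


def detect_credential_stuffing(log_text, window_s=300, min_users=8, max_success_rate=0.5):
    """Return {ip: stats} for sources whose login traffic looks like stuffing.

    Stuffing differs from a brute-force attack on one account: it is one try per
    account across many accounts. The signal is therefore many distinct usernames
    from one source within a short window, with a low but typically nonzero
    success rate (reused passwords do get hits). A legitimate user retrying their
    own password touches a single account and is not flagged.
    """
    by_ip = defaultdict(list)
    for when, ip, user, ok in parse_log(log_text):
        by_ip[ip].append((when, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        attempts = len(events)
        hits = [user for _, user, ok in events if ok]
        distinct = max_distinct_users_in_window([(w, u) for w, u, _ in events], window_s)
        if distinct >= min_users and len(hits) / attempts <= max_success_rate:
            alerts[ip] = {
                "attempts": attempts,
                "distinct_users": distinct,
                "successes": len(hits),
                # Accounts that accepted a stuffed password: reset, notify, require MFA.
                "accounts_to_reset": sorted(set(hits)),
            }
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The accounts listed under `accounts_to_reset` are the ones where a reused password worked, which is exactly the set that needs a forced reset and MFA enrollment.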

Remediation

Fortunately, the attack was contained. Users should not reuse passwords, since reuse is what this attack depends on. Each website or service should have its own password. If users have too many passwords to remember, a password manager handles the issue. Users should also use MFA, which greatly reduces the potential for this type of attack to succeed remotely. After an attack, affected users should monitor their online accounts. Once the attack was detected, the affected citizens were contacted after the accounts were deleted. The users were informed how to obtain a new GC Key. Granted, this was a hassle for the users; however, if the same password had not been used across multiple domains, this would not have been a problem. Access to the CRA accounts was also disabled. The Canadian agency is working with people to restore access to CRA MyAccount.

From a law enforcement aspect, the Royal Canadian Mounted Police (RCMP) was contacted on August 11th. The Office of the Privacy Commissioner was also contacted to alert them to a possible breach.

This incident is a clear lesson for users to use a different password for each domain, and never the same one across several.

Resources

Breen, K. (2020, August 15). Hackers targeted thousands of CRA, government service accounts in credential stuffing attacks. Retrieved from https://globalnews.ca/news/7278345/canada-hackers-credential-stuffing-attack/

Bronskill, J. (2020, August 18). CRA expects online services restored Wednesday following cyberbreaches. Retrieved from https://www.nationalobserver.com/2020/07/18/news/cra-expects-online-services-restored-wednesday-following-cyberbreaches

Coop, A. (2020, August 16). Thousands of government service and CRA accounts hit by credential stuffing attack. Retrieved from https://www.itworldcanada.com/article/thousands-of-government-service-and-cra-accounts-hit-by-credential-stuffing-attack/434578

Government of Canada. (2020, August 15). Statement on GCKey credential service and recent credential stuffing attack. Retrieved from https://cybergc.ca/en/news/statement-gckey-credential-service-and-recent-credential-stuffing-attack

Government of Canada. (2020, August 15). Statement from the Office of the Chief Information Officer of the Government of Canada on recent credential stuffing attack. Retrieved from https://www.canada.ca/en/treasury-board-secretariat/news/2020/08/statement-from-the-office-of-the-chief-information-officer-of-the-government-canada-on-recent-credential-stuffing-attack.html

IT World Canada. (2020, August 16). Thousands of government service and CRA accounts hit by credential stuffing attack. Retrieved from https://o.canada.com/techology/tech-news/thousands-of-government-services-and-cra-accounts-hit-by-credential-stuffing-attack/wcm/

Jones, R.P. (2020, August 17). Cyberattacks targeting CRA, Canadians' COVID-19 benefits have been brought under control: officials. Retrieved from https://www.cbc.ca/news/policies/cra-gckey-cyberatack

Kilpatrick, S. (2020, August 17). CRA resumes online service with new security features after cyberattacks. Retrieved from https://o.canada.com/personal-finance/cra-resumes-online-services-with-new-security-features-after-cyberattacks/

Kirk, J. (2019, December 31). How can credential stuffing be thwarted? Retrieved from https://covid19.inforisk.today.com/interviews/how-credential-stuffing-be-thwarted-i-4551

Muncaster, P. (2020, August 17). Canadian citizens lose #COVID19 funds after government account hijacking. Retrieved from https://www.infosecurity-magazine.com/news/canadian-citizens-credential/

Net News Ledger. (2020, August 17). Credential stuffing of government of Canada computers update. Retrieved from https://www.netnewsledger.com/2020/08/17/credential-stuffing-of-government-of-canada-computers-update/        

Rautmare, C. (2020, August 17). Credential-stuffing attacks affect Canadian services. Retrieved from https://www.inforisktoday.com/credential-stuffing-attacks-affect-canadian-services-a-/4839

Rubins, A. (2020, August 19). Cyber-attacks target 1,000s of Canadian tax, benefits accounts. Retrieved from https://www.cybernewsgroup.co.uk/cyber-attacks-target-1000s-of-canadian-tax-benefits-accounts/

Security Info Watch. (2020, August 18). ‘Credential stuffing’ attacks wreak havoc on government accounts in Canada. Retrieved from https://www.securityinfowatch.com/cybersecurity/information-security/news/21150744/credential-stuffing-attacks-wreak-havoc-on-government-accounts-in-canada

TH Author. (2020, August 18). Canadian government issues statement on credential stuffing attacks. Retrieved from https://www.threatub.org/blog/canadian-government-issues-statement-on-credential-stuffing-attacks/

The Canadian Press. (2020, August 19). CRA resumes online services with new security features after cyberattack.

GDPR is perfectly applicable to vehicle cybersecurity

May 25, 2018, will certainly be in the minds of CISOs and data managers around the world for some time to come. On that date, companies had to be compliant with the EU General Data Protection Regulation (GDPR). The focus of the regulation is to give citizens of the European Union (EU) greater control over their data. As applied, this provides for much greater accountability for the businesses handling, processing, managing, and storing a person's data. The regulation is far-reaching, as it follows your data. Your data can be the obvious (e.g. name, address, username, ID number, race/ethnicity, genetic data, photo, and banking details). It also covers any data that can be used to directly or indirectly trace you; for the latter, this may be your IP address, cookie identifier, and other data points.

There are volumes of articles on GDPR, the fines, and how it applies to the enterprise. The issue not explored nearly as much is its application to embedded systems. These are present in equipment and machinery used globally: vehicles, trucks, farm equipment, and many other applications. These also use various apps for the user's experience.

Data

For this article, we will not be focusing on who or which entity owns the data. That topic is reserved for law review journals. The GDPR is rather clear that the data created by the vehicle is the property of the owner. While this appears clear, there still may be issues. Connected vehicles collect a mountain of data now, and this is going to increase substantially as time passes and the vehicles become more complex. The GDPR applies to the user's data within the vehicle's infrastructure, managed by its processes, and uploaded to the cloud. While a substantial amount of data is collected, the only data collected under the GDPR relates directly to the vehicle's operation. This data is vital, with many uses, including predictive analysis. With the data being pertinent to the vehicle's operations, along with the analysis, there is value held here. To keep the environment secure, the infrastructure would need to be secured and the data encrypted, at the least.

Why is this important?

Data related or identifiable to a person is their private data. It describes their life. The data could be used for malicious purposes, to track people who have done nothing wrong, for predicting future activities (i.e. where they probably will be at a certain day and time), and for other inappropriate uses. This data, while held at the company, would continue to be a target for attackers. While misuse would not be ethical, there is a more direct disincentive for companies involved with this type of behavior. For every data or GDPR breach, there could be a fine of up to 20M or 4% of the annual worldwide turnover (revenue), whichever is greater. Recent fines include $840k to BKR, $600k to Google (Belgium), $50m to Google, 99M to Marriott International, and £183m to British Airways. These amounts are significant. Even if only a portion of these fines is paid, the amounts are still enough to get the attention of any person in finance and the Board.

Vehicle Application

Vehicles collect and hold an enormous amount of data, and part of it is the user's data. This data is private and confidential. The extra data a vehicle may collect could also be used to identify the user. Based on what is currently done with the vehicle's operations, the GDPR does apply. The next step is to determine the responsible party. *This article should not be used as legal advice; please seek your own legal advice from a qualified, licensed attorney.* For a clearer understanding, we need to clarify a few aspects: the purpose of the data collected, how the data is collected, and whether one party or several control the data. These questions are designed to bring the broad issue down to a reasonable level of analysis.

Resources

Feldman, B. (2020, July 24). How to think about GDPR as a vendor. Retrieved from https://securityboulevard.com/2020/07/how-to-think-about-gdpr-as-a-security-vendor/

GDPR.edu. (n.d.). What is GDPR, the EU’s new data protection law? Retrieved from https://www.gdpr.edu

Jung, M.M. (n.d.). Why is data protection so important in the context of connected and autonomous vehicles? Retrieved from https://www.dotmagazine.online/issues/on-the-road-mobility-connected-car/making-connected-cars-safe/data-protection-for-connected-cars

Lydian. (2020, May 14). Connected vehicles and GDPR: A status update after the public consultation. Retrieved from https://www.lexology.com/library/

Scaldis-Conseil. (n.d.). The impact of GDPR on ownership of connected data.

Valerio, P. (2018, June 7). GDPR: A security headache for connected car makers & OEMs. Retrieved from https://www.tu-auto.com/channels/services/

Sunday, September 27, 2020

They learn hacking early these days

These are certainly interesting times we are living in. In particular, schools are either having virtual classes, in-person classes, or a mixture of these. This has seriously taxed systems that were already under financial pressure. One area historically under-funded has been cybersecurity, as the focus of the K-12 and university systems has been to teach the students. Bearing this in mind, the systems may not have the budget to fully defend against cybersecurity attacks. A recent target was the Miami-Dade Public Schools system, which has approximately 275k students. This school system is the fourth largest in the country.

Attack

Miami-Dade County Public Schools students began attending classes again this school year. To facilitate the return, the district was using an online learning system (MySchool Online), which makes sense, all things considered. For some reason, a 16-year-old high school student who attends the targeted school system (a junior at South Miami Senior High School) believed DDoSing the school's e-learning system, crippling its functions, was a good idea. The student did this several times, shutting down access for several days. These attacks were clearly malicious and disrupted teaching and student learning across the state.

Post-Attack

The student, while using a lower-level form of attack, forgot one important thing: to cover his tracks. The investigators were able to locate him from the IP address the attacks originated from. A portion of the attacks did originate from outside the US. This is such a basic step that it was even addressed in the iconic movie Hackers from the 1990s.

The FBI, Secret Service, and the Florida Department of Law Enforcement were involved in the investigation. The student, when questioned, admitted to eight DDoS attacks beginning on that Monday. The student didn't code an app for this but instead used an online resource. There may be others involved in this set of attacks. This is not new, as the district has experienced more than a dozen of these since the 2020-2021 school year started.

The student was arrested and charged with Computer Use in an Attempt to Defraud, a third-degree felony. The student was also charged with Interference with an Educational Institution, a second-degree misdemeanor.

In Closing

Defending against certain attacks is not an overly complex set of operations. You may only need to contract with a third party to use their apps or services to protect your system. When you don't plan for the inevitable, it seems to find you rather quickly.

Resources

850 WFTL. (2020, September). 16-year-old arrested for hacking Miami-Dade school system. Retrieved from https://www.850wft.com/16-year-old-arrested-for-hacking-miami-dade-school-system/

Allen, K. (2020, September 3). 16-year-old arrested for hacking Miami-Dade school system. Retrieved from https://abcnews.go.com/US/16-year-arrested-hacking-miami-dade-school-sytem/

Ampgoo.com. (2020, September 3). 16-year-old student arrested for allegedly crippling Miami school system with cyberattack. Retrieved from https://www.ampgoo.com/16-year-old-student-arrested-for-allegedly-crippling-miami-school-system-with-cyberattack

L33T Dawg. (2020, September 3). 16-year-old arrested for cyberattacks on school’s online learning system.

Miller, M. (2020, September 3). Teen arrested for alleged cyber attacks on Miami-Dade schools. Retrieved from https://thehill.com/policy/cybersecurity/514998-teenager-arrested-for-alleged-cyberattacks-on-miami-dade-school-district

NBC News. (2020, September 4). Miami high schooler charged with cyberattacks that stopped online learning. Retrieved from https://pressfrom.info/us/news/science-and-technology/-527945-miami-high-schooler-charged-with-cyberattacks-that-stopped-online-learning.html

News & Guts. (2020, September). 16-year-old charged with cyber attack that brought down Miami public schools. Retrieved from https://www.newsandguts.com/16-year-old-charged-with-cyber-attack-that-brought-down-miami-public-schools/

Odzer, A., Pipitone, T., & Hamacher, B. (2020, September 3). Student arrested in connection with cyber attacks on Miami-Dade public schools. Retrieved from https://www.nbcmiami.com/news/local/student-arrested-in-connection-with-cyber-attacks-on-miami-dade-public-schools/2287613/

Life isn't always a carnival!

At this point in time, a majority of nations are not focused on leisure. At some point in the future, society will get back to some form of normal. At that point, we may look to recreational activities to help us decompress after being isolated for an extended time. One sector that may see increased activity is the cruise industry. One of the largest companies in the sector is Carnival Corporation. The business operates more than 100 vessels and is based in Florida. The vessels carry brands we all recognize, such as Carnival Cruise Lines, Princess Cruises, Costa Cruises, and AIDA.

Issue

The corporation holds a massive amount of data from operations (revenue, accounts receivable, accounts payable, vendor lists, banking information, etc.) and clients (name, address, credit card numbers, when their cruise will be, etc.). This made the cruise corporation a prime target. The attack was detected on August 15, 2020. The company notified law enforcement and began to investigate. To fill their expertise gaps, they contracted with outside incident response specialists. The corporation was required to notify the U.S. Securities and Exchange Commission (SEC), since the company is publicly traded.

Breach

As this was a successful attack, their defenses were breached. The attackers were able to access and encrypt a portion of the data on their servers. This should sound unfortunately familiar as this is yet another successful ransomware attack. The attackers also downloaded files. This data likely included the personal data of guests and employees. The curious wrinkle with this is there may be a greater issue than just with the SEC if the guests and/or employees were EU citizens, with the GDPR in effect.

The odd part of this is they are not sure how far the breach went. The corporation believes this only affects one brand. Seemingly, they should know if more than one brand’s data was accessed. There are logs for the SIEM to examine, unless the attacker modified these.

Pattern

This is not Carnival’s first experience with a breach. Two of their brands, Holland America Line and Princess Cruises, appear to have been breached in 2019.

Ransomware has become a mountain of a nightmare over the last four years. This is another example of what can happen from a simple error on the part of an employee.

Resources

BNP Media. (2020, August 18). Carnival Corporation hit by ransomware.

Greig, J. (2020, August 19). Carnival cruises hit with a costly ransomware attack. Retrieved from https://www.techrepublic.com/article/carnival-cruises-hit-with-costly-ransomware-attack/

Maritime Executive. (2020, August 17). Carnival Corporation reports ransomware attack accessed data. Retrieved from https://www.maritime-executive.com/article/carnival-corporation-reports-ransomware-attack-accessed-data

Mogg, T. (2020, August 18). World’s largest cruise line operator hit by cyber attack. Retrieved from https://www.digitaltrends.com/computing/worlds-largest-cruise-line-operator-hit-by-cyberattack/

Norton, T. (2020, August 19). Carnival Corp brand hit by ransomware attack. Retrieved from https://www.travelpulse.com/news/cruise/carnival-corp-brand-hit-by-ransomware-attack.html

Travolution. (2020, August 19). Carnival Corporation cruise line brand hit by ransomware attack. Retrieved from https://www.travolution.com/articles/116486/carnival-corporation-cruise-line-brand-his-by-ransomware-attack

Vijayan, J. (2020, August 18). Ransomware attack on Carnival may have been its second compromise this year. Retrieved from https://www.darkreading.com/attacks-breaches/ransomware-attack-on-carnival-may-have-been-its-second-compromise-this-year/d/d-id/1338696

Thursday, September 10, 2020

Oregon State University Ecampus breached!

Oregon State University (OSU) is located in Corvallis, OR. As with most universities and schools, there is a virtual option for students so they don't have to attend full time. OSU is no different: the university has its own Ecampus, the online education program.

Attack

The attack occurred this summer and was detected on July 27, 2020. The attackers were able to breach and compromise a server on the OSU Ecampus. After this was detected, OSU began its investigation. The university also contacted state and federal authorities on this matter. As part of the process, the FBI was also contacted. The hope is with all this assistance the university and law enforcement are able to find the attackers and also decipher how this happened.

Data

The breach affected approximately 1,700 students and faculty members. The server held their personal information, which was accessed. The records accessed contained names and OSU email addresses. While this is not optimal, it would not be classified as critical. In other instances, people's personal mailing addresses and phone numbers may have been exposed, which brings the issue to a new level. Fortunately, there were no social security numbers or financial data involved.

Post-Breach

OSU immediately began to mitigate the security issues detected so this would not happen in the same way again. The compromised server was updated to remove the cybersecurity issues and placed back online. The university has notified the affected students and staff and is offering free credit monitoring and other services. Oddly, this is not the first breach at the university in recent history. The last breach was in May 2019 and affected 630 records. While the details of the attack method were not disclosed, this is another example of why cybersecurity is so important.

Resources

Albany Democrat-Herald. (2020, September 3). Computer breach at OSU exposes personal info of 1,700 students and faculty.

New Haven Register. (2020, September 4). Computer breach at OSU exposes personal info of 1,700. Retrieved from https://www.nhregister.com/news/article/Computer-breach-at-OSU-exposes-personal-info-of=15542681.php

The Associated Press. (2020, September 5). Computer breach at OSU exposes personal info of 1,700. Retrieved from https://www.kezi.com/content/news/computer-breach-at-OSU-exposes-personal-info-of-1700-572.330491.html, https://www.usnews.com/news/best-states/oregon/articles/2020-09-04/computer-breach-at-osu-exposes-personal-info-of-1-700, and https://www.seattletimes.com/seattle-news/northwest/computer-breach-at-osu-exposes-personal-info-of-1700/

Tuesday, September 8, 2020

Of all places to steal from...

Non-profits, as their name indicates, are not designed to profit from their activities. They provide services, goods (e.g. clothing or food), and other items to those who can't afford them. By design, there is no profit motive in the work of these organizations.

When an attack is being planned, one of the first things the attacker looks at is the crown jewels, or what the attack is focused on. The attackers may also simply have the mission of being malicious. However, with how attacks have been operationalized, there is generally something (e.g. money or data) the attackers want.

Target

               A recent breach has been no exception to this. The Jewish Federation of Greater Washington was recently targeted and breached. This organization is a non-profit located in Maryland. The not-for-profit has 52 employees.

Attack

There are cybersecurity dangers regardless of where you are working. To address these, users need awareness as a general baseline of what to do and what not to do. If staff are not using the business's equipment, their own systems have to be up to date. Outdated, unpatched apps and programs create an opportunity for attackers and allow for an easier attack. This is analogous to leaving the front door shut, but unlocked.

In this learning experience, a staff member working from home on their own system was successfully attacked. The compromise led to the attacker stealing $7.5M. The attack and theft were possible due to one person's oversight and the organization not maintaining a proper level of cybersecurity for the staff.

               The attack was not known to the organization until August 4th. This was detected by a security contractor and not the organization. The red flag in this instance was an anomalous amount of activity with a staff member’s email account.

Post-Attack

               After this was detected, the FBI was contacted. As the investigation continues, there is no comment as to who may have accomplished this. While this is an issue, the CEO, Gil Preuss, did announce the compromise from a virtual conference call with the employees.

The organization also investigated the breach. The data indicated the attacker had access long before the issue was detected by the cybersecurity contractor; the unauthorized access was estimated to have started early in the summer. The investigation continues as the systems and servers are analyzed for other cybersecurity issues. Wisely, the organization is no longer allowing the staff to use personal computers for work. The issues with allowing this abound at any time, and especially now with the pandemic forcing most people to work from home. The organization appears to be reviewing what other controls to put in place to mitigate the potential for this to occur again.

Discussion

In our current situation, working from home is, for the most part, not an option but a necessity. Users may feel a little more at ease working from home and let their guard down. They may also not have the same level of defensive measures in place, and for the measures that are in place, the apps and programs may not be patched or up to date. All of these create the potential vulnerability the attackers look for. Unfortunately, all it takes is one person in the right department or with access to other systems, and there's a breach.

               Cybersecurity does not take a break from the office. This is a 24 hour a day, everyday task. The users still have to be vigilant. There is no vacation or sick day for cybersecurity.

On the last point, please push for more training for the users. They do not need to be cybersecurity experts. They do, however, need to be aware of what to look for and what not to click on. A stranger is not going to send you a link to their cousin's hilarious birthday party, or a picture of their kitten that you have to open to see the details in the kitten's fur.

From the finance administration side, there should have been controls or alarms in place to flag any large transfer, whether at once or over a short period of time. This may also have limited the depth of the attack.

Monday, September 7, 2020

Up, up, and away (with my data)

Our need for more data and information, delivered in a timely manner, has driven research through the years. Many years ago, this was accomplished through ye olde snail mail, with 5 ¼ or 3 ½ inch disks. Later this advanced to thumb drives. Downloads over a modem took forever, and you hoped there was not an issue with the phone line; otherwise you might need to start over. The internet and its infrastructure sped download speeds to incredible rates by comparison. The advances continue not only with internet speeds but also with other transmission methods. With the global economy and its data requirements, satellites are a new focus. One area, in addition to communications, in which satellites are used is GPS. This is used with vehicles, ships, airplanes, commercial trucking, the military, and any other industry moving freight or people. There are few industries not using this technology in one form or another. Satellite technology has provided increased economic productivity and a better user experience across the various use cases. An example is the GPS used in our smartphones and vehicles. Gone are the days of huge fold-out maps or purchasing a CD with maps and printing off the route.

While the benefits are clear, there is also an area not fully addressed: the cybersecurity of these systems requires further attention. Just as with other electronics, they can be attacked. These aren't theoretical forms of attack; they have been shown to work. In 2019, software used by satellites (VxWorks) was shown to have exploitable vulnerabilities. When exploited, an attacker could take control of the satellite from anywhere. In certain instances, the software is proprietary, which would shift the attack to other areas of the attack surface. With the increase in the number of satellites, this is going to continue to be an issue. It would be an understatement to say these need to be tested and need to use current industry-standard cybersecurity measures.

Oxymoron in application

With the current state of the pandemic, business operations have vastly changed from a year ago. One area of change has been voting. Prior to this turn of events, voters had the opportunity to vote in person or send in their ballots. While this has not been problematic in the past, technology has provided an additional option. E-voting is being researched and used in limited circumstances. The first significant, notable usage was in Iowa for the Democratic caucus. While this was used for the caucus and not the vote, it provided a test of how it could or could not work. It has been termed a disaster, with good reason. In 2020 this was attempted and was an epic fail. Per reports, the app was not tested properly, did not function properly, and placed the spotlight on what could go wrong, spectacularly.

               After this epic fail, one would think a company whose primary business is e-voting would accept any viable assistance from responsible, reputable cybersecurity pentesting companies. The final report or deliverable would provide a roadmap to ensure, as much as possible, there were minimal issues, and the issues that were encountered are not critical. This assistance would provide an assurance or work to ensure the spotlight does not show on the e-voting business in a negative aspect.

Well, this is not always the case. Voatz is in the business of creating e-voting software. The company wants the CFAA (Computer Fraud and Abuse Act, commonly used as a threat against cybersecurity researchers) to be interpreted broadly, so that anyone (i.e., cybersecurity researchers) who violates the Terms & Conditions (T&C), which no one really reads, would face federal criminal charges. This loose application would allow for wider prosecution and give businesses more avenues to dissuade anyone, including those without malicious intent, from being transparent about the businesses' oversights. This would effectively leave most in the industry with their heads in the sand.

Possibly what brought this to the forefront, along with their own lack of cybersecurity focus, was MIT researchers discovering many flaws in their e-voting software: the very software we depend on for our elections, which can't be redone without a massive amount of work, expense, and a significant amount of global ridicule and embarrassment. In an attempt to put this in a positive frame somehow, Voatz hired their own cybersecurity researchers, whose research arrived at nearly the same conclusion. In short, the Voatz software is holier than Easter Sunday.

In closing, in cybersecurity as with most things, the more eyes on the objective the better. Also, the responsible thing to do with a product or service is to test it until the cybersecurity vulnerabilities are at a minimum and manageable, which does not appear to have occurred here.

 

Thursday, August 27, 2020

rUUh roh: University of Utah and its insurance provider pay ransom

 

Until there is a thorough and robust method to stop ransomware, this phenomenon is going to continue to flourish. This popular attack method is simple and profitable for the attackers. Once it was successfully monetized, there was no turning back for the attackers. Another glaring example occurred this July with the University of Utah.

Attack

The University of Utah has been added to the list of ransomware victims (e.g., Michigan State University (MSU did not pay the ransom, and the data was placed on the dark web), Columbia College of Chicago, Canada’s Royal Military College in Ontario, and the University of California at San Francisco (which paid $1.14M)). The university’s Information Security Office (ISO) was notified of the attack on July 19th. The focus of the attack was the College of Social and Behavioral Science (CSBS) servers. The central servers were not affected. The attackers have not been identified as of yet, which is not unusual. This group of attackers is likely the same one that has been making the rounds, attacking other universities. The data indicates this attack, and the others, may have been perpetrated by the NetWalker ransomware gang. As mentioned previously, this method of attack tends to be profitable. It is estimated the group has received more than $25M this year alone from these attacks.

Actions by the University

After the breach, the attackers encrypted the servers, which prompted the ransom demand. The university did act affirmatively and isolated the servers from the remainder of the network and the internet. They began an investigation and notified law enforcement. In addition, they are working with a third party specializing in these attacks to resolve the issue. No other systems were impacted. The affected students and staff were directed to change their university passwords on July 29th.

Ransom

To regain their systems, the university and its insurance provider did pay $457,059.24 in Bitcoin. Thankfully the university had cybersecurity insurance in place to cover at least a portion of the ransom; the university paid the remainder. While I generally don’t recommend this course of action, in this instance the attackers were able to secure sensitive data and allegedly would have released it online for everyone to see, and likewise obtain, if the ransom was not paid. This data included sensitive information for employees and students. While this was only 0.02% of the data on the servers, it could still be a rather large amount of data that would have been placed online had the ransom not been paid. The issue is that the university is depending on a group of attackers who breach systems and extort funds from the target. It is notable the fee was to remove the threat of the data being published; the university did restore the data from back-ups.

Lessons Learned

First and foremost, please train your staff to watch for this type of email or other communication. The method of attack is relatively simple. The attacker(s) send emails with malicious links or attachments. The humans, who are the primary attack surface, click the link or attachment, and the CISO begins to have issues quickly. Alternatively, based on the circumstances, the group could simply breach the targeted system directly, which may take more time and resources in comparison to the first option. Training, and continued training, is the first line of defense. Naturally, there are also the SIEM and other applications that are required to attempt to severely limit the issue. With these implemented in earnest, not merely as a checkbox exercise, the potential to correct the problem is on the right track. Until then, the attackers are going to use this method as much as possible, and collect as much as possible, to the detriment of the victims.
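As an added illustration of what feeding the SIEM "in earnest" can look like (example code written for this post, not anything the university, its insurer, or a vendor published), the following Python script triages constructed mail-gateway log lines for the indicators discussed above: executable or macro-enabled attachments, sender domains that imitate the organization's own domain, and links to hosts outside an allowlist. The log line format, the defender domain example.edu, the extension list and the allowlist are all assumptions made for the example.

```python
"""Phishing-indicator triage over constructed mail-gateway log lines.

Added example for this post. The log line format (msg_id|sender|recipient|
subject|attachment|link_host), the defender domain and the lists below are
assumptions, not any real gateway's schema or any organisation's policy.
"""
from __future__ import annotations

OUR_DOMAIN = "example.edu"  # assumed defender domain

# Attachment types that are executable or macro-enabled (assumed policy list).
RISKY_EXTENSIONS = {".exe", ".js", ".jse", ".vbs", ".scr", ".hta",
                    ".docm", ".xlsm", ".iso", ".lnk"}

# Hosts that links may point to without raising a flag (assumed allowlist).
KNOWN_GOOD_HOSTS = {"example.edu", "www.example.edu", "docs.example.edu"}

# Constructed sample log; "-" means the field is absent.
SAMPLE_LOG = """\
m1|payroll@example.edu|alice@example.edu|Pay stub|stub.pdf|docs.example.edu
m2|it-helpdesk@examp1e.edu|bob@example.edu|Password expires today|-|examp1e-login.com
m3|vendor@partner.org|carol@example.edu|Invoice 4471|invoice.docm|-
m4|news@example.edu|dave@example.edu|Campus update|-|www.example.edu
m5|ceo@example.edu.secure-mail.xyz|erin@example.edu|Urgent wire|-|-
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_lookalike(sender: str) -> bool:
    """True when the sender domain imitates OUR_DOMAIN without being it."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == OUR_DOMAIN:
        return False
    # "examp1e.edu" (typo-squat) and "example.edu.attacker.tld" (our name as
    # a leading label of a foreign domain) both count as imitations.
    return levenshtein(domain, OUR_DOMAIN) <= 2 or domain.startswith(OUR_DOMAIN + ".")


def reasons_for(sender: str, attachment: str, link_host: str) -> list[str]:
    """Collect indicator names for one message, in a fixed order."""
    reasons = []
    if is_lookalike(sender):
        reasons.append("lookalike_sender")
    if attachment != "-" and "." in attachment:
        ext = "." + attachment.rsplit(".", 1)[-1].lower()
        if ext in RISKY_EXTENSIONS:
            reasons.append("risky_attachment")
    if link_host != "-" and link_host.lower() not in KNOWN_GOOD_HOSTS:
        reasons.append("external_link")
    return reasons


def severity(reasons: list[str]) -> str:
    """An external link alone is common in legitimate mail, so it is 'low';
    an executable attachment or any combination of indicators is 'high'."""
    if "risky_attachment" in reasons or len(reasons) >= 2:
        return "high"
    return "low"


def triage(log_text: str) -> dict[str, list[str]]:
    """Return {msg_id: reasons} for every message with at least one indicator."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg_id, sender, _recipient, _subject, attachment, link_host = line.split("|")
        reasons = reasons_for(sender, attachment, link_host)
        if reasons:
            flagged[msg_id] = reasons
    return flagged


def siem_events(log_text: str) -> list[str]:
    """Key=value lines a SIEM could ingest (assumed event format)."""
    return [f"event=phish_indicator msg_id={mid} severity={severity(r)} reasons={','.join(r)}"
            for mid, r in triage(log_text).items()]


if __name__ == "__main__":
    for event in siem_events(SAMPLE_LOG):
        print(event)
```

On the constructed sample, m2 is flagged high (typo-squatted sender plus a link off the allowlist), m3 is flagged high for its macro-enabled attachment, and m5 is flagged low for a sender domain that merely starts with the organization's name; the two ordinary internal messages produce no event. The severity rule is deliberately conservative about lone external links, since most legitimate mail carries them, so that analysts are not trained to ignore the feed.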

 

Resources

Cimpanu, C. (2020, August 21). University of Utah pays $475,000 to ransomware gang. Retrieved from https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/

Dudley, G. (2020, August 21). University of Utah paid hackers $457k after ransomware attack. Retrieved from https://www.ksl.com/article/50008933/university-of-utah-paid-hackers-457k-after-ransomware-attack

Hamilton, E. (2020, August 21). The University of Utah just footed a $475,000 ransomware bill. Retrieved from https://news.knowledia.com/US/en/articles/the-university-of-utah-just-footed-a-457-000-ransomware-bill-fae31fb0a1a1ae1ac148c4e67e5dfba60b78f42f

Kass, D.H. (2020, August 26). University of Utah pays nearly $500k to ransomware gang to recover data. Retrieved from https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/university-of-utah-pays-nearly-500k-to-ransomware-gang-to-recover-data/

Raymond, A. (2020, August 21). Cyber swindlers take University of Utah for nearly $500k in ransomware attack. Retrieved from https://www.deseret.com/utah/2020/8/21/21396174/cyber-swindlers-take-university-of-utah-for-nearly-500k-in-ransomware-attack

Pierce, S.D. (2020, August 21). University of Utah pays more than $450,000 in ransomware attack on its computers. Retrieved from https://www.sltrib.com/news/2020/08/21/university-utah-pays-more/