Friday, October 23, 2020

City of Shafter Shafted

Ransomware is prevalent in the current landscape. Seemingly at least one or two attacks are published every week, and there are certainly many more successful attacks on commercial entities and consumers throughout the nation. There are many reasons for this, including the ease of use and the financial return on the resources used to execute the attack. The targets are varied, but have one thing in common: there is data or a system the target needs to access or use. One familiar target has been municipalities. These entities have historically had issues with budgets, and these attacks certainly do not help, as the costs of a successful ransomware attack, with the forensic work and the restoration of backed-up data, tend to be rather high. When an insurance policy that specifically covers this type of attack is in place, the costs may not be as problematic for the municipality. If the ransom is paid, there are also significant costs. Smaller municipalities may be targeted at a greater rate due to their lack of resources and of staff trained in cybersecurity. One such recent victim has been the city of Shafter.

Attack

The city, in California, unfortunately was the victim of a successful ransomware attack. The targeted IT system was compromised. As is ransomware's mode of operation, the system was locked and subsequently shut down. Because the system was locked down, city hall was closed. Once the attack was discovered, the city contacted federal law enforcement agencies. The focus is on finding the attackers and determining the extent of the compromise.

Post-Attack

This was clearly a devastating attack. The take-away, however, is the need for cybersecurity and staff training. Granted, this is not free; to place this in perspective, though, consider the cost of a successful attack that locks down all of the systems, critical and not, so that the municipality or business is not able to operate. There are training sessions available to train the staff and reduce the opportunity for this to occur.

Resources

Johns, T. (2020, October 21). City of Shafter hit by ransomware attack. Retrieved from https://bakersfieldnow.com/news/local/city-of-shafter-hit-by-ransomware-attack

Wright, A. (2020, October 20). City of Shafter hit with ransomware attack. Retrieved from https://www.turnto23.com/news/local-news/city-of-shafter-hit-with-ransomware-attack and https://www.databreaches.net/ca-city-of-shafter-hit-with-ransomware-attack/

Wednesday, October 14, 2020

Opportunity to follow your own ransomware response kit

In this day and age, every person and business is a target. If you have data, or your operation can be leveraged by shutting people out, which is nearly every business, you are a target. One of these is Tyler Technologies, a Texas-based company located in Plano. The company claims to be the largest provider of software and technology services to the public sector. The company sells a wide range of services to state and local governments. A few of their products are appraisal and tax software, integrated software for courts and justice systems, enterprise financial software systems, public safety software, records/document management software, and others. The company is very large and is publicly traded as TYL. It has an estimated 5,300 – 5,500 employees, with 2019 revenues of over $1B. Their website is tylertech.com. Their clients consist of over 15k government offices, based in the US, Canada, the Caribbean, and Australia.

Attack

The company became aware of an issue on September 23, 2020. This appears to have been a ransomware attack. Sources attributed the attack to the RansomExx ransomware group, which has also been linked to the recent attacks on the Texas Department of Transportation and Konica Minolta. The system was successfully attacked and compromised. On the bright side, this does appear to be limited to the internal phone and IT systems, versus every system. Unfortunately, the details of the attack were not released; however, this does appear to be a ransomware attack.

Post-Detection

The company discovered the unauthorized user on the system. In a prudent move, they shut down the points of access to external systems, out of an abundance of caution. This kept the attackers from pivoting into other areas. After this, they immediately began the investigation. The company contracted with third-party IT security and forensic experts, who focused on conducting a complete review. As a result, they also implemented enhanced monitoring to verify this activity did not continue. They also contacted law enforcement.

Affected

The company does not believe any of its client data, client services, or hosted systems were affected. With certain systems shut down, the local governments' clients did not have access to certain services (e.g. paying their water bill or court payments online). Ironically, Tyler Tech had used the threat of ransomware as a selling point for many of its services. This included the ransomware survival guide and the ransomware incident response checklist. Apparently,

Lessons

You have to maintain cyber vigilance. That is our environment. The employees still need the training to recognize ransomware, and cybersecurity is everyone's problem. When you underestimate the attacker's tenacity, you probably won't like the results. The employee training needs to be ongoing through the year, not only part of the mandatory training. When you don't emphasize the importance of the employees' role in keeping the business safe, their focus will lapse and you'll be in the news feed, using your own ransomware response guides.

Resources

Abrams, L. (2020, September 23). Government software provider Tyler Technologies hit by ransomware. Retrieved from https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/

Bizga, A. (2020, September). Government services firm Tyler Technologies hit by ransomware. Retrieved from https://hotforsecurity.bitdefender.com/blog/government-services-firm-tyler-technologies-hit-by-ransomware-24193.html

Johnson, O. (2020, September 23). Tyler Technologies suffers apparent ransomware attack. Retrieved from https://www.crn.com/news/security/tyler-technologies-suffers-apparent-ransomware-attack?itc=refresh

Kovacs, E. (2020, September 24). Government software provider Tyler Technologies hit by possible ransomware attack. Retrieved from https://www.securityweek.com/government-software-provider-tyler-technologies-hit-possible-ransomware-attack

Krebs, B. (2020, September 23). Govt. services firm Tyler Technologies hit in apparent ransomware attack. Retrieved from https://krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/

Menn, J. (2020, September 23). Software vendor Tyler Technologies tells U.S. local government clients it was hacked. Retrieved from https://www.reuters.com/article/idUSL2NZGK25A?utm_medium=Social

Tyler Technologies. (n.d.). Website unavailable. Retrieved from https://www.tylertech.com/DesktopModules/EasyDNNNews/DocumentDownload.ashx

It's all in the family tree; including the data!

The latest craze has been finding out about one's history. This does not refer to the events that have molded our lives, but to where we and our families originated. This may be in the UK, Europe, Africa, or another part of the globe. Once DNA testing became reasonably priced, this market opened up. We've seen the tests with the swab. While these are physically non-intrusive, they are able to tell much about you. This can show relatives who have also taken the test with the same service, health predispositions, and much more.

One such vendor is the maker of the Family Tree Maker software. The software, first released in 1989, has gone through many corporate owners over the years. These include Broderbund, The Learning Company, Mattel, Ancestry.com, and finally MacKiev, which presently manages the code.

Oops!

These services hold a large amount of data accumulated from each person. This information has value and needs to be protected. By accepting this data, the company is responsible for its safekeeping. The issue in this instance, much like too many others, was a misconfigured cloud server. This was found by a team from WizCase led by Avishai Efrat. The Elasticsearch server was not configured correctly. This left the server, along with all its data, insecure and accessible by anyone who wanted to look. If the data had at least been encrypted, it would have been a little bit better; however, this was not even the case.

The cloud server had 25 GB of data available, covering 60,000 users. This included a nice selection of data for people to view and download: the users' email addresses, geolocation data, IP addresses, system user IDs, support messages, technical data (e.g. error logs), refunds (if applicable), and subscription type and status. Imagine what you could do with a credential stuffing attack with this data!

This is also very useful for a phishing attack. With this data, attackers would be able to create more and better content for their phishing emails. The data is also perfectly usable for spam. Interestingly enough, competitors could also use it for their business: they could script a filter for keywords from unhappy customers, or for subscription status, and target those users as prospective clients.

Post-Detection

This unfortunately was not a surprise. Too many of these have been noticed. WizCase did notify the company of the oversight, but did not receive a response. The company must have received the notification, though, since it closed the cloud server after the email was sent.

Recurring

Misconfigured cloud servers are not new, unfortunately. Many have been found and successfully attacked, and many of these attacks have been published, showing the extent of the issue. When you read through a handful of these, it makes you wonder if the engineers just threw it up there and hoped for security through obscurity. It never ceases to amaze how the misconfigured cloud servers keep happening. There are so many resources available; this really shouldn't happen this often. This does not even consider the second person the engineers should have looking at the build before signing off on the cloud server going into production.
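The check that second reviewer could run before sign-off, as an added example that is not part of the original post or of any vendor's tooling: a Python script that reads the flat `key: value` lines of an elasticsearch.yml and reports the combination behind the exposure described above, a node listening beyond loopback while the security module that supplies authentication and TLS is off. The two sample configurations, the cluster name and the 10.0.0.12 address are constructed; `network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled` and `xpack.security.transport.ssl.enabled` are real Elasticsearch settings.

```python
"""Pre-production check for an Elasticsearch node configuration.

Reads the flat `key: value` lines of an elasticsearch.yml and returns the
findings a reviewer would block sign-off on: a node bound to every interface,
the security module (authentication) switched off, or an exposed node
serving the REST API without TLS. Added example; not vendor code.
"""

# Constructed example configurations (not any vendor's real files).
WEAK_CONFIG = """\
cluster.name: support-search          # constructed name
network.host: 0.0.0.0                 # every interface, public ones included
http.port: 9200
xpack.security.enabled: false         # no authentication at all
"""

HARDENED_CONFIG = """\
cluster.name: support-search
network.host: 10.0.0.12               # placeholder private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text):
    """Parse flat `key: value` lines with comments stripped. elasticsearch.yml
    is normally written this way; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def truthy(value):
    return str(value).strip().lower() == "true"


def check_elasticsearch(settings):
    """Return a list of findings; an empty list means nothing blocks sign-off."""
    findings = []
    host = settings.get("network.host", "_local_")   # Elasticsearch default: loopback only
    exposed = host not in LOOPBACK
    if host in ALL_INTERFACES:
        findings.append(f"network.host={host}: node bound to every interface")

    security = settings.get("xpack.security.enabled")
    if security is None:
        findings.append("xpack.security.enabled not set: it defaulted to off on "
                        "7.x basic-license nodes, so set it explicitly")
    elif not truthy(security):
        findings.append("xpack.security.enabled=false: REST API accepts "
                        "unauthenticated requests" +
                        (" from the network" if exposed else ""))

    if exposed and not truthy(settings.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("xpack.security.http.ssl.enabled is not true: data and "
                        "credentials cross the network in clear text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {check_elasticsearch(parse_flat_yaml(cfg)) or 'no findings'}")
```

The weak configuration produces three findings and the hardened one none. Binding to a private address is deliberately not a finding on its own: an internal node is a normal deployment, and the defect the post describes is exposure combined with no authentication, which is what the check keys on.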

Affected

If you know someone who was affected by this, or for general information, there are a few helpful hints. On the bright side, at least they did not collect the users' Social Security numbers. Going forward, users should continue to watch what they share online. People want to share everything on social media. If possible, they should share as little as possible. This is not the popular route to take these days, but it is prudent.

With phishing emails, the email service stops most of them. Generally the filter is dialed in well, so this is not an issue. A handful will make it through, though. Users should not open an attachment or link unless they are expecting it. UPS is not going to send the same notice of delivery with the same shipping number to 30 people. Your bank is not going to send you an email with their link.
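Both rules of thumb above, the same delivery notice landing in many inboxes and a "bank" link that does not point at the bank, can be checked mechanically over mail metadata. The following Python is an added example, not from the post; the messages, the .example domains and the tracking numbers are constructed, and the UPS-style "1Z" plus 16 alphanumerics pattern is the only real-world format assumed.

```python
"""Two mailbox-level checks for the phishing patterns described above.

1. Mass notices: the same carrier notice with the same tracking number sent
   to many inboxes is not a real shipment.
2. Bank links: a message claiming to come from a bank's domain whose login
   link points at some other host.
Added example with constructed data; not code from the post.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# UPS-style tracking numbers: "1Z" followed by 16 alphanumerics.
TRACKING_RE = re.compile(r"\b1Z[0-9A-Z]{16}\b")
URL_RE = re.compile(r'https?://[^\s<>"]+')

# Constructed messages (sender, recipient, subject, body) on hypothetical
# .example domains; the same notice goes to six different people.
NOTICE = "UPS delivery notice 1Z999AA10123456784"
NOTICE_BODY = "Your parcel is waiting: http://ups-delivery.example/t?1Z999AA10123456784"
MESSAGES = [
    ("notice@ups-delivery.example", f"{u}@corp.example", NOTICE, NOTICE_BODY)
    for u in ("alice", "bob", "carol", "dave", "erin", "frank")
] + [
    ("alerts@mybank.example", "dave@corp.example", "Verify your account",
     "Log in now: http://mybank-secure-login.example/verify"),      # lookalike host
    ("alerts@mybank.example", "erin@corp.example", "Your statement is ready",
     "Sign in at https://online.mybank.example/statements"),        # bank's own host
    ("shipping@vendor.example", "frank@corp.example",
     "Order shipped 1Z999AA10000000001",
     "Track it: https://vendor.example/track/1Z999AA10000000001"),  # one recipient
]


def find_mass_notices(messages, min_recipients=5):
    """Group by (sender, tracking number); return the groups that reached
    at least `min_recipients` distinct inboxes."""
    recipients = defaultdict(set)
    for sender, rcpt, subject, body in messages:
        for tn in set(TRACKING_RE.findall(subject + " " + body)):
            recipients[(sender, tn)].add(rcpt)
    return {key: sorted(r) for key, r in recipients.items()
            if len(r) >= min_recipients}


def host_belongs_to(host, domain):
    """True when `host` is `domain` itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_link_mismatches(messages):
    """Return (recipient, sender domain, link host) for every link whose
    host lies outside the sender's own domain."""
    hits = []
    for sender, rcpt, _subject, body in messages:
        domain = sender.rsplit("@", 1)[-1].lower()
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if not host_belongs_to(host, domain):
                hits.append((rcpt, domain, host))
    return hits


if __name__ == "__main__":
    for (sender, tn), rcpts in find_mass_notices(MESSAGES).items():
        print(f"mass notice {tn} from {sender} to {len(rcpts)} inboxes")
    for rcpt, domain, host in find_link_mismatches(MESSAGES):
        print(f"{rcpt}: mail from {domain} links to {host}")
```

On the constructed data the first check flags the one notice that went to six inboxes and ignores the single vendor shipment; the second flags only the message whose link host is not under the sender's domain, while the bank's own subdomain passes. The sender domain is taken from the visible From address, so the second check complements, rather than replaces, SPF/DKIM/DMARC on the gateway.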

 

Resources

IT Security News. (2020, July). Unsecured server leaks Family Tree Maker customer details: experts' comments. Retrieved from https://www.itsecuritynews.info/unsecured-server-leaks-family-trees-maker-customer-details-experts-comments/

Muncaster, P. (2020, July 21). Genealogy software maker exposes data on 60,000 users. Retrieved from https://www.infosecurity-magazine.com/news/genealogy-software-maker-exposes/

RT. (2020, July 21). Not keeping it in the family: Personal data of 60,000 genealogy software users LEAKED. Retrieved from https://www.rt.com/news/495417-genealogy-software-users-leaked/

Terabitweb. (2020, July 21). Genealogy software maker exposes data on 60,000 users. Retrieved from https://www.terabitweb.com/2020/07/21/genealogy-software-maker-exposes/

Williams, C. (2020, July 30). Family history search software leaks users' private data. Retrieved from www.wizcase.com/blog/mackiev-leak-research/

Friday, October 2, 2020

Oh (NO!) Canada: CRA targeted

Governments, local and federal, provide certain services to the people they represent. These may consist of snow removal, unemployment insurance, defense, assistance during disasters, and other services. Canada is clearly no different, providing a vast number of services to its citizens. All of these services require data for processing and record-keeping. This data, and the computer systems processing and storing it, are certainly viable targets for attackers.

Attack

To access these services, Canadian citizens need to log in to the service portal. This was set up much like any other login screen, where the user enters their username and password into the website. Normally this runs very smoothly as the user puts their credentials in. The problems start when the user has the same password across many domains. There have been so many breaches that most people's passwords are for sale and have probably been sold many times. These passwords provide the basis for the credential stuffing attack: the attackers try each person's leaked password across many domains in the hope the user has used the same password several times. This makes the attacker's job much easier, since they already have sample passwords to begin their work with.

This is what happened in this case. The attackers used passwords previously exposed on other domains to check whether the users had the same password across many different services. The attack was detected on August 7th. While this occurred in Canada, this form of attack could occur anywhere. The successful attack is indicative of a systemic issue with user passwords. Using the same password everywhere is an incredibly bad idea for several reasons, and this attack is a clear and shining example of why.
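What the pattern described above looks like from the defender's side, as an added example that is not from the post or from the Government of Canada: a Python script that reads login events and flags a source that hits many distinct accounts in a short window with mostly failures, which is the signature of stuffing rather than of one user mistyping a password. The log format, the user names and the documentation-range IP addresses are constructed for the example.

```python
"""Credential-stuffing detection over web login logs.

Stuffing looks different from a classic brute-force attempt: one source tries
one (or very few) leaked passwords against MANY distinct accounts, because it
already holds breached username/password pairs. A defender therefore keys on
"many distinct usernames from one source in a short window, mostly failures"
rather than on failures per account. Added example with constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>". The IPs are from
# documentation ranges; nothing here comes from the real incident.
SAMPLE_LOG = """\
2020-08-07T10:00:01Z 203.0.113.7 alice FAIL
2020-08-07T10:00:02Z 203.0.113.7 bob FAIL
2020-08-07T10:00:02Z 203.0.113.7 carol FAIL
2020-08-07T10:00:03Z 203.0.113.7 dave FAIL
2020-08-07T10:00:03Z 203.0.113.7 erin OK
2020-08-07T10:00:04Z 203.0.113.7 frank FAIL
2020-08-07T10:00:04Z 203.0.113.7 grace FAIL
2020-08-07T10:00:05Z 203.0.113.7 heidi OK
2020-08-07T10:00:05Z 203.0.113.7 ivan FAIL
2020-08-07T10:00:06Z 203.0.113.7 judy FAIL
2020-08-07T10:01:00Z 198.51.100.9 alice FAIL
2020-08-07T10:01:30Z 198.51.100.9 alice OK
2020-08-07T10:05:00Z 192.0.2.44 mallory FAIL
2020-08-07T10:05:10Z 192.0.2.44 mallory FAIL
2020-08-07T10:05:20Z 192.0.2.44 mallory FAIL
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=8,
                    max_success_ratio=0.5):
    """Flag source IPs that hit at least `min_users` distinct accounts inside
    `window` with a mostly-failing outcome. Returns {ip: summary}; the
    `compromised` list holds accounts the flagged source did log into, i.e.
    the ones to disable and notify first."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        for i in range(len(evs)):              # sliding window by start event
            start = evs[i][0]
            users, compromised = set(), set()
            attempts = successes = 0
            for ts, _, user, ok in evs[i:]:
                if ts - start > window:
                    break
                attempts += 1
                users.add(user)
                if ok:
                    successes += 1
                    compromised.add(user)
            if len(users) >= min_users and successes / attempts <= max_success_ratio:
                alerts[ip] = {"distinct_users": len(users),
                              "attempts": attempts,
                              "compromised": sorted(compromised)}
                break                         # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts in {info['attempts']} "
              f"attempts; successful logins: {info['compromised']}")
```

On the sample, 203.0.113.7 is flagged (ten accounts in six seconds, two of them logged into), while the user who retyped their own password and the single-account brute force from 192.0.2.44 are not: the latter is a different pattern, caught by per-account rate limiting rather than by this rule. The `compromised` list is the actionable output, matching the response in the post, where the affected accounts were cancelled and their owners contacted.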

The attack, per the Office of the Chief Information Officer of the Government of Canada, affected 9,041 GCKey accounts and approximately 5,500 Canada Revenue Agency (CRA) accounts. The GCKey accounts were used in a fraudulent manner in an attempt to access government services. Once this was detected, the GCKey accounts were cancelled.

Remediation

Fortunately, the attack was contained. Users really should not reuse passwords, since reuse is what this attack depends on. Each website or service really should have its own password. If users have too many passwords to remember, a password manager handles the issue. Users should also use MFA, which greatly reduces the potential for this type of attack to succeed remotely. Post-attack, the affected users should monitor their online accounts. Once the attack was detected, the affected citizens were contacted after their accounts were deleted, and were informed how to receive a new GCKey. Granted, this was a hassle for the users; however, if the same password had not been used across multiple domains, this would not have been a problem. Access to the CRA accounts was also disabled. The Canadian agency is working with people to restore access to CRA MyAccount.

From a law enforcement aspect, the Royal Canadian Mounted Police (RCMP) was contacted on August 11th. The Office of the Privacy Commissioner was also contacted to alert them of a possible breach.

This incident provides a lesson for users: use a different password for each domain, rather than the same one for several.

Resources

Breen, K. (2020, August 15). Hackers targeted thousands of CRA, government service accounts in credential stuffing attacks. Retrieved from https://globalnews.ca/news/7278345/canada-hackers-credential-stuffing-attack/

Bronskill, J. (2020, August 18). CRA expects online services restored Wednesday following cyberbreaches. Retrieved from https://www.nationalobserver.com/2020/07/18/news/cra-expects-online-services-restored-wednesday-following-cyberbreaches

Coop, A. (2020, August 16). Thousands of government service and CRA accounts hit by credential stuffing attack. Retrieved from https://www.itworldcanada.com/article/thousands-of-government-service-and-cra-accounts-hit-by-credential-stuffing-attack/434578

Government of Canada. (2020, August 15). Statement on GC key credential service and recent credential stuffing attack. Retrieved from https://cybergc.ca/en/news/statement-gckey-credential-service-and-recent-credential-stuffing-attack

Government of Canada. (2020, August 15). Statement from the office of the chief information officer of the government Canada on recent credential stuffing attack. Retrieved from https://www.canada.ca/en/treasury-board-secretariat/news/2020/08/statement-from-the-office-of-the-chief-information-officer-of-the-government-canada-on-recent-credential-stuffing-attack.html

IT World Canada. (2020, August 16). Thousands of government service and CRA accounts hit by credential stuffing attack. Retrieved from https://o.canada.com/techology/tech-news/thousands-of-government-services-and-cra-accounts-hit-by-credential-stuffing-attack/wcm/

Jones, R.P. (2020, August 17). Cyberattacks targeting CRA, Canadians' COVID-19 benefits have been brought under control: officials. Retrieved from https://www.cbc.ca/news/policies/cra-gckey-cyberatack

Kilpatrick, S. (2020, August 17). CRA resumes online service with new security features after cyberattacks. Retrieved from https://o.canada.com/personal-finance/cra-resumes-online-services-with-new-security-features-after-cyberattacks/

Kirk, J. (2019, December 31). How can credential stuffing be thwarted? Retrieved from https://covid19.inforisk.today.com/interviews/how-credential-stuffing-be-thwarted-i-4551

Muncaster, P. (2020, August 17). Canadian citizens lose #COVID19 funds after government account hijacking. Retrieved from https://www.infosecurity-magazine.com/news/canadian-citizens-credential/

Net News Ledger. (2020, August 17). Credential stuffing of government of Canada computers update. Retrieved from https://www.netnewsledger.com/2020/08/17/credential-stuffing-of-government-of-canada-computers-update/

Rautmare, C. (2020, August 17). Credential-stuffing attacks affect Canadian services. Retrieved from https://www.inforisktoday.com/credential-stuffing-attacks-affect-canadian-services-a-/4839

Rubins, A. (2020, August 19). Cyber-attacks target 1,000s of Canadian tax, benefits accounts. Retrieved from https://www.cybernewsgroup.co.uk/cyber-attacks-target-1000s-of-canadian-tax-benefits-accounts/

Security Info Watch. (2020, August 18). ‘Credential stuffing’ attacks wreak havoc on government accounts in Canada. Retrieved from https://www.securityinfowatch.com/cybersecurity/information-security/news/21150744/credential-stuffing-attacks-wreak-havoc-on-government-accounts-in-canada

TH Author. (2020, August 18). Canadian government issues statement on credential stuffing attacks. Retrieved from https://www.threatub.org/blog/canadian-government-issues-statement-on-credential-stuffing-attacks/

The Canadian Press. (2020, August 19). CRA resumes online services with new security features after cyberattack.

GDPR is perfectly applicable to vehicle cybersecurity

May 25, 2018, will certainly be in the minds of CISOs and data managers around the world for some time to come. At that point in time, companies had to be compliant with the EU General Data Protection Regulation (GDPR). The focus of the regulation is for citizens of the European Union (EU) to have greater control over their data. As applied, this provides for much greater accountability for the businesses handling, processing, managing, and storing a person's data. The regulation is far-reaching, as it follows your data. Your data can be the obvious (e.g. name, address, username, ID number, race/ethnicity, genetic data, photo, and banking details). It also covers any data that can be used to directly or indirectly trace you; for the latter, this may be your IP address, cookie identifier, and other data points.

There are volumes of articles on GDPR, the fines, and how this applies to the enterprise. The issue not explored nearly as much is the application to embedded systems. These are present in equipment and machinery used globally in vehicles, trucks, farm equipment, and many other uses. These also use various apps for the user’s experience.

Data

For this article, we will not focus on who or which entity owns the data; that topic is reserved for law review journals. The GDPR is rather clear that the data created by the vehicle is the property of the owner. While this appears clear, there still may be issues. Connected vehicles collect a mountain of data now, and this is going to increase substantially as time passes and the vehicles become more complex. This applies to the user's data within the vehicle's infrastructure, managed by its processes, and uploaded to the cloud. While the data collected is rather substantial, the only data collected per the GDPR relates directly to the vehicle's operation. This data is vital, with many uses, including predictive analysis. With the data being pertinent for the vehicle's operations, along with the analysis, there is value held here. To keep the environment secure, the infrastructure would need to be secured and the data encrypted, at the least.

Why is this important?

The data related to or identifying a person is their private data. This describes their life. The data could be used for malicious purposes: to track people who have done nothing wrong, to predict future activities (i.e. where they probably will be at a certain day and time), and other inappropriate uses. This data, while held at the company, would continue to be a target for attackers. While such misuse would not be ethical, there is a more direct disincentive for companies involved with this type of behavior. For every data or GDPR breach, there could be a fine of up to €20M or 4% of annual worldwide turnover (revenue), whichever is greater. Recent fines include $840k to BKR, $600k to Google (Belgium) and $50m to Google, £99M to Marriott International, and £183m to British Airways. These amounts are significant. Even if only a portion of these fines is paid, the amounts are still enough to get the attention of any person in finance and the Board.

Vehicle Application

Vehicles collect and hold an enormous amount of data. This data partially consists of the user's data, which is private and confidential. The extra data, which may be collected by the vehicle, also could be used to identify the user. Based on what is currently done with the vehicle's operations, the GDPR does apply. The next step is to determine the responsible party. *This article should not be used as legal advice; please seek your own legal advice from a qualified, licensed attorney.* For a clearer understanding, we need to clarify a few aspects: the purpose of the data collected, how the data is collected, and whether one party or several control the data. These questions are designed to bring the broad issue to a reasonable level of analysis.

Resources

Feldman, B. (2020, July 24). How to think about GDPR as a vendor. Retrieved from https://securityboulevard.com/2020/07/how-to-think-about-gdpr-as-a-security-vendor/

GDPR.edu. (n.d.). What is GDPR, the EU’s new data protection law? Retrieved from https://www.gdpr.edu

Jung, M.M. (n.d.). Why is data protection so important in the context of connected and autonomous vehicles? Retrieved from https://www.dotmagazine.online/issues/on-the-road-mobility-connected-car/making-connected-cars-safe/data-protection-for-connected-cars

Lydian. (2020, May 14). Connected vehicles and GDPR-A status update after the public consultation. Retrieved from https://www.lexology.com/library/

Scaldis-Conseil. (n.d.). The impact of GDPR on ownership of connected data.

Valerio, P. (2018, June 7). GDPR: A security headache for connected car makers & OEMs. Retrieved from https://www.tu-auto.com/channels/services/