Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday April 9th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
With me today to discuss some of what’s been going on is Terry Cutler, chief executive of Montreal’s Cyology Labs, a cybersecurity consulting firm. But first a look at some of the noteworthy news in the past seven days:
Data on 553 million Facebook users are being given away on a criminal website. The information was stolen in 2019 and until now was being sold to hackers. Now it’s available for free. The data is divided by country and includes names, dates of birth and phone numbers. According to Facebook, the data was captured by scraping and not a hack. Still, it could be used for spreading telephone scams, phishing and creating fake ID.
Nation-state cyberattacks are becoming more frequent, varied and open, according to an academic study sponsored by HP. The report says the world is moving closer to a state of ‘advanced cyberconflict’ than at any time since the inception of the internet. Analysis of over 200 cybersecurity incidents associated with nation-state activity since 2009 also shows businesses are now the most common target of attacks from countries, followed by cyber defence firms, media and communications companies, government bodies and regulators, and critical infrastructure.
Last month a committee of 193 countries in the United Nations agreed to voluntary norms of behaviour in cyberspace. That includes not knowingly causing damage to critical infrastructure, which would include utilities and hospitals. A Canadian expert told me he is hopeful the agreement will have some effect on nation-state backed cyber attacks, but it may take decades.
SAP issued a warning to security professionals that echoed an old IT complaint: Applications aren’t being patched fast enough. Hackers are taking advantage of unpatched vulnerabilities in SAP software. That’s of concern because of the number of big businesses and governments that use the company’s applications.
Subscribers to the large file transfer service called We Transfer should be careful handling unexpected messages. A security firm reported this week that crooks are sending email messages to potential victims pretending to be from We Transfer and claiming files are ready to be sent to them. All they have to do is click on a link and then enter their We Transfer username and password. The goal of the crooks is to copy those credentials.
Finally, a warning went out to be careful with an email job offer that seems exactly suited to you. The offer is for a position the same as your job title. It may be a scam. That’s because hackers are copying the titles of targets they want to go after from their LinkedIn profiles, then sending them job pitches with infected job application forms.
(The following is a condensed version of my discussion with Terry Cutler)
Howard: The first thing I want to talk about is the giveaway of Facebook subscriber data. The numbers are so big: data on over 500 million users, including names and phone numbers, that had been sold to crooks up until now is now being given away. So how was that data captured in the first place?
Terry: Well, usually what happens is the cybercriminals will randomly generate phone numbers or emails into a text file and upload this via the Facebook contact manager app. And then what’s going to happen is Facebook is going to look at who’s got this phone number and then display the profile of the person. Then [they use] a secondary tool, which is used for scraping [the data]. We use these types of tools in our penetration testing efforts. It’s going to see that information and make a copy of it. It’ll look for things like first name, last name, phone number, or whatever was pulled up.
Q: How could Facebook have protected itself from a data scraping attack?
Terry: I’m not sure if they could have, to be honest, because what’s happening is in the settings of Facebook. There’s an option there for people to discover you via an email address or via phone number. You could go and change a setting in there right now. By default, it’s set to ‘Everyone,’ and you can set it to ‘Friends only,’ or ‘Friends of friends.’ But if [the account] is used for business purposes not everybody’s going to find you. So that’s why everybody sets it to ‘Everyone.’ But then these types of attacks can take place. Facebook has since fixed that flaw.
Q: With this kind of information that’s now available to a wider group of crooks, what could be done with it?
Terry: Spear phishing attacks. If they already know my first name, last name and email they could target me a bit better . . . ‘Hey, Terry. We’re friends on Facebook. Here’s a link to’ whatever. So it’s going to sound more credible. Or they’re probably going to call me up and try to social engineer me into a scam, or send a smishing attack.
Q: So it still comes back to ‘Be careful when anybody sends you an email if it’s got a link in it.’
Terry: Correct. I may pay attention to the [email] domain [of the sender]. You know, banks are not going to send you an email saying, ‘Hey, you know, collect your $25 now, log into your account.’ But it’s amazing how many Canadians fall for this. They just have to pay attention to what they’re clicking on. It all comes down to awareness training in the end again.
Q: I want to move on next to the LinkedIn scam. And this is very troubling because hackers are using this tactic to go after particular targets. How does this work?
Terry: Because you can search for pretty much anybody on LinkedIn, [attackers] are going to look for [a target on LinkedIn], say somebody in the cybersecurity space …. and will find out who he is and who he works for … And once they’re connected, the scammer might say, ‘Hey. We’re launching a whole new cyber program. I think you might be an interesting candidate. Let me send you over the job requirements.’ And they’re going to send a zip file.
And once he opens it, there could be a Word file in there. It could be an executable, it could be anything. But the moment he opens up that Word file it’s going to run a JavaScript macro. And it’s going to go out to the cloud and pull down malicious information, malicious code, which will then take advantage of possible flaws on the workstation and compromise it. And the hacker will actually have full control as if he was sitting at the keyboard. So he’ll have access to transfer files in and out, maybe turn on the [computer] camera.
Q: This isn’t the first LinkedIn scam that’s come around. And LinkedIn’s a big problem because, of course, you want people to see your profile. You list what your current job is and some of what your background is. But in this particular scam, people are taking advantage of a title, and you get a job pitch for that position. And you’re going to think, ‘Wow, this is really great. It fits exactly the kind of work that I’m doing.’
Terry: Exactly. And there’s not too much they can do about it, right? Because [LinkedIn] is required to do business. And the same thing happens when companies are putting out job postings for candidates. They have to sometimes be very specific about what type of candidate they’re looking for. But the more stuff in this job board posting, the more you’re telling the cybercriminals about what the inner workings are at this company.
Q: So if you’re getting an email, and the email has a form that you’re supposed to fill in for this amazing job that you’ve got, and the attachment is in fact infected, isn’t your antivirus going to detect that?
Terry: It’s supposed to, but here’s the kicker. The file doesn’t have malicious content in it. And that’s where the trick comes in, because the malicious part gets downloaded after the file has been opened. And once the code executes on the machine, like via PowerShell or whatever it’s going to do with JavaScript, only then will the antivirus detect that there’s some weird user behavioural stuff happening. That’s where it should kick in and cut the process. So anybody that’s using free antivirus stuff — which I can’t believe, but they are – that’s how they’re going to get breached.
Q: How can people protect themselves against LinkedIn scams?
Terry: The obvious thing is to make sure you’re running sophisticated enough antivirus anti-malware software on your machines. There’s a lot of them out there. And you want to make sure it’s got the anti-ransomware component on it. Don’t go with the free stuff. Go with the pro stuff. And you just got to pay attention to what you’re clicking on. Hopefully your company even has capabilities that detect malicious software being downloaded in advance.
Q: And one other thing: If you’re not looking for a job, and therefore you’re not expecting a job offer to come popping up in your email, you need to treat that with some caution.
Terry: Correct. But it’s curiosity: ‘What can this guy be sending me? That’s so specific to me that, I mean, obviously it looks like this guy did some research on me, so maybe I am the perfect candidate for this guy?’
Q: The last thing I wanted to talk about is a report this week from Palo Alto Networks on security problems created by companies that have been rushing to cloud computing services because of COVID, or for other reasons. It shows that there’s been a jump in the number of security mistakes that organizations are making in using the cloud. What are the kinds of things that they point out that they’re seeing?
Terry: The biggest one comes down to misconfigurations. In a way COVID-19 forced businesses into digital transformation. But at the same time their IT guys don’t know much about cybersecurity. Sometimes they’ll be asked to enable, let’s say, web services software, but because they’ve never done it before they enable everything on the server. But when they do that more ports get opened, more services become available.
The other issue I see often, especially with Office 365, is that they don’t activate two-factor authentication because the users have never worked with MFA [multi-factor authentication] in the past. It hinders their productivity, they’ll say, it becomes a nuisance. But then when they get breached and their inboxes are compromised … it becomes very, very costly. Or we’re going to see a lot of misconfigured databases, especially if you’re working with Oracle or SQL. Sometimes it requires specific niche specialties to secure this technology.
Q: In your firm’s practice, what kinds of problems are you detecting when organizations move workloads to the cloud?
Terry: Mostly misconfigured email settings; we’ll have IT guys spying on other people. That’s come up a lot. I’ve actually worked on two cases this year alone where we have IT administrators that are reading the executives’ inboxes and using it for their personal gain. Or we’re seeing access logs not being enabled properly. So if users are not supposed to be logging in at all hours of the night, all of a sudden there’s some logins happening at 4:00 am, let’s say, because their passwords have leaked onto the dark web. If their auditing will only last 30 days instead of 90, there’s no way for us to properly trace back what really happened. Or we’ll see things like folks that have migrated to Amazon cloud and didn’t secure their software properly. And [hackers] are able to rip out all of the static passwords that have been saved in their database administrator.
Q: This report says that one big problem is IT departments aren’t using enough security automation tools to spot these issues when they move to the cloud. Do you agree?
Terry: I do. Absolutely. So here’s the thing: A lot of folks, especially business owners that I speak to, their common thing was, ‘Oh, my IT guy has it covered.’ Well, usually it’s like your family doctor. Would you ever ask your family doctor to perform laser eye surgery on you? Most people would say no. This is where a cybersecurity expert is going to come in and complement them, because we are trained to think and act like malicious actors. So we’re able to find these flaws or misconfigurations that the IT guy wasn’t aware of. The other thing, too, is some of these [security] tools are pretty pricey. And even though these tools are in place, the IT guy doesn’t know what he’s looking at. He’s just seeing a bunch of alerts. Logs could be false positives. They are getting bombarded with alerts to a point where they actually just disable it because they’re fed up with receiving 2,000 emails a day. And then when a data breach occurs, they could have been collecting event log data for the last six months, but because nobody’s watching it, they didn’t know they got breached six months ago. That’s why there aren’t enough cybersecurity experts in the field right now to help protect everyone.
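As an added example from the editor, not part of the podcast and not Terry Cutler’s or Cyology Labs’ own tooling: a small Python script that applies the two checks raised in the discussion above (successful sign-ins at unusual hours, and whether the retained log window is long enough to investigate an incident) to a constructed set of CSV-style sign-in records. The record format, the 06:00–22:00 business-hours window, the UTC-4 local offset and the 90-day requirement are assumptions for illustration; a real Microsoft 365 or cloud sign-in export has more fields and would need its own parser.

```python
"""Off-hours sign-in detection and log-retention check over constructed records.

Editor's example, not code from the podcast. The log lines, time zone and
thresholds below are assumptions, not real data or a vendor's format.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (timestamp is UTC, as most cloud logs are).
# Columns: time, user, source IP, result
SAMPLE_LOG = """\
2021-04-05T13:02:11Z,alice@example.com,203.0.113.10,Success
2021-04-05T14:10:45Z,bob@example.com,203.0.113.11,Success
2021-04-06T08:03:27Z,alice@example.com,198.51.100.7,Success
2021-04-06T08:05:02Z,alice@example.com,198.51.100.7,Success
2021-04-07T09:31:19Z,carol@example.com,203.0.113.12,Failure
2021-04-09T02:30:00Z,bob@example.com,192.0.2.44,Success
"""

BUSINESS_START_HOUR = 6        # assumed: local hour at which sign-ins become normal
BUSINESS_END_HOUR = 22         # assumed: local hour after which they are suspicious
LOCAL_UTC_OFFSET_HOURS = -4    # assumed: Montreal in April (EDT)
REQUIRED_RETENTION_DAYS = 90   # the window Terry says investigators need


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_signins(text: str) -> list:
    """Turn the CSV-style lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({
            "time": parse_utc(ts),
            "user": user,
            "ip": ip,
            "success": result == "Success",
        })
    return events


def off_hours_logins(events: list, utc_offset_hours: int = LOCAL_UTC_OFFSET_HOURS) -> list:
    """Return successful sign-ins whose *local* hour is outside business hours.

    The conversion matters: a '4 am' login only looks like 4 am once the UTC
    timestamp is shifted into the user's time zone.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    hits = []
    for event in events:
        if not event["success"]:
            continue  # failed attempts are a separate signal (brute force), not this one
        local_time = event["time"].astimezone(local_tz)
        if not (BUSINESS_START_HOUR <= local_time.hour < BUSINESS_END_HOUR):
            hits.append({**event, "local_hour": local_time.hour})
    return hits


def summarize_by_user(hits: list) -> dict:
    """Count flagged sign-ins per account so an analyst sees who to look at first."""
    return dict(Counter(hit["user"] for hit in hits))


def retention_gap_days(events: list, now_iso: str,
                       required_days: int = REQUIRED_RETENTION_DAYS) -> int:
    """Days by which the available log history falls short of the required window.

    Returns 0 when the oldest retained record is at least `required_days` old.
    A positive value means an incident older than that cannot be traced back.
    """
    oldest = min(event["time"] for event in events)
    covered_days = (parse_utc(now_iso) - oldest).days
    return max(0, required_days - covered_days)


if __name__ == "__main__":
    evts = parse_signins(SAMPLE_LOG)
    for hit in off_hours_logins(evts):
        print(f"off-hours sign-in: {hit['user']} from {hit['ip']} at local hour {hit['local_hour']:02d}")
    print("per-user counts:", summarize_by_user(off_hours_logins(evts)))
    print("retention shortfall (days):", retention_gap_days(evts, "2021-04-09T12:00:00Z"))
```

On the constructed data the two 08:0xZ sign-ins by alice become 04:0x local and are flagged, as is bob’s 02:30Z sign-in (22:30 local); carol’s failure and the daytime sign-ins are not. The retention check reports how far short the log falls of 90 days, which is the figure to compare against whatever the tenant’s audit setting actually keeps.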