Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, August 12th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
This week’s guest commentator is IT World Canada CIO Jim Love. We’ll talk about some of the cybersecurity news of the week. But first a quick review of some of the headlines:
Cisco Systems admitted that in May an employee fell for a text-based phishing scam that compromised the staffer’s multifactor authentication protection. The attacker copied data held in an employee’s cloud storage account. Jim and I will discuss this incident.
We’ll also look into a report that employees at Twilio and Cloudflare fell for a different text-based phishing scam last week, as well as news that some American and U.K. employees are so proud of their top secret security clearance they list it on their LinkedIn biographies — which would make it less than secret …
Canadian recreational vehicle maker BRP is still dealing with the effects of a cyber attack. The company, which makes Ski-Doos and Sea-Doos, hasn’t detailed what kind of attack it was hit with at the beginning of the week. But it said manufacturing at its Quebec plant won’t start again until this coming Monday, after a seven-day shutdown. Even then other operations remain suspended.
A cyber attack on a major distribution and logistics company has had one impact in Canada: Distribution of marijuana in the province of Ontario has been temporarily disrupted.
The number of cyber incidents involving simultaneous attacks from more than one threat actor seems to be increasing, say researchers at Sophos. In one incident three ransomware gangs consecutively attacked the same organization within a short period of time. Some of the victim firm’s files were triple encrypted.
Some application developers are fuming about GitHub’s intention to place tracking cookies on some of its subdomains. GitHub calls them “non-essential cookies.” They would be put on GitHub’s marketing web pages. The change would start September 1st and let GitHub personalize content and ads for enterprise users. But the Bleeping Computer news site reports that a lot of users aren’t happy. You have until the end of this month to register a complaint.
A former Twitter employee was convicted this week by a jury in San Francisco for giving personal information of users of the platform to the government of Saudi Arabia. Prosecutors argued the goal was to help silence critics of the Crown prince. A second Twitter employee allegedly involved in the activity got out of the U.S. before being arrested.
Finally, IT administrators using the Device42 asset management platform have been warned to update to the latest version. This comes after researchers at BitDefender discovered several severe vulnerabilities that could allow a hacker to compromise the platform and get into IT systems.
(The following transcript has been edited for clarity)
Howard: There’s a theme to the three stories that we’re looking at today, and that’s that employees are still one of the weak points in security, by clicking on malicious links, creating easily guessable passwords or using the same password on multiple sites. And through preying on the gullibility of people — also known as social engineering — a lot of employees fall for scams. Example one: In May an employee at Cisco Systems gave in to pestering by a hacker pretending to be from a trusted organization and approved a multifactor authentication push notification on their smartphone that led to Cisco being hacked. Cisco says no data was stolen directly from its systems. But the hacker did get corporate data held by an employee in the personal cloud storage service called Box. For those who don’t know, what’s a push notification?
Jim Love: This should make things more secure. It’s the idea that you not only register with a website, but a notification is sent to another device [you have] and you use that to validate access. The classic example is if I try to go into Google it’ll send me a notification [on my smartphone] saying ‘click here to authorize.’ So you’ve got multifactor authentication. It doesn’t seem to always work exactly the way people want it to, though. People don’t always treat these notifications the way they should, and some of them aren’t designed exactly the way I think they should be. And I think many security professionals would agree.
Howard: What did you think when you read about this Cisco incident?
Jim: One little mistake from an employee can undo a whole lot of work to build a corporate reputation. That’s the one thing that always goes through my mind. When are we going to get this [security] right? This is entirely preventable. And as much as multifactor authentication is a good thing, it’s done poorly. We have to start to work through this in a way that makes more sense.
Howard: One problem is that threat actors may fire repeated push notifications to a target’s smartphone at night when they’re trying to sleep, with the attacker hoping that they’ll approve the notification to stop their phone from buzzing.
Howard: It’s a clever strategy, but it’s one that just shouldn’t work. You shouldn’t be clicking on things on your phone when you don’t know the impact of them. But again, that’s a training piece.
Jim: You know, even when you’d have a technical breach where somebody finds a zero-day [vulnerability] in the code or something like that, it normally takes a person taking an action or failing to take an action to make the thing [the vulnerability] work, and this is a classic example. Why should you be able to get multiple requests from something? And why would you just go clicking on them? First of all, that’s bad. That’s a training problem. If you’re trying to design a security application and you see a number of these things coming time after time after time, shouldn’t you do what my phone does and say, ‘Warning, this looks like fraud’?
Howard: IT administrators should note what happened after the attacker got into the Cisco network: They didn’t immediately just root around the system. They first added their own mobile phone numbers to an employee’s account or accounts for allowing authentication to Cisco’s VPN. That way the attacker had more than one account for network access.
Jim: You should be able to restrict the access [to user accounts]. There’s a lot of things that went wrong in this. It’s easy to be a Monday morning quarterback, but this should be a warning to people to take a look at their systems and remember that multifactor authentication is great but there’s this thing called MFA Fatigue. We covered this in an edition of This Week in Ransomware that I did. Forty-eight per cent of office workers said security was a hindrance. And 31 per cent of the aged 18 to 24 said they tried to circumvent security. We’ve got to train people well and we have to design the system so that they don’t make people want to subvert them.
Howard: Well, you can have an IT system where your employee has an account with their username and their password, and for multifactor authentication there’s a phone number, and the employee can only have one phone number for authentication for sending the second-factor code. You need an administrator’s approval in order to add more than one phone number. Of course that also means that you have to make sure administrator accounts are thoroughly protected, because one of the first things that an attacker tries to do is elevate privileges so they can get administrator accounts. But my point is that there’s a way that IT can choke this kind of an attack off by making sure that extra phone numbers aren’t added on without good authorization.
Jim: It takes good design, but the more layers you put on the more difficult you make work for people as well. I had a problem with my bank this week. I thought one of my credit cards was compromised. So I phoned the bank to cancel my card, and they asked me to identify myself. They asked me a number of questions that I didn’t know the answer to because I was in the middle of nowhere and didn’t have my credit card statement with me. So I have a potentially stolen credit card I can’t report because I can’t identify myself. That’s when you get these rigid policies that stop making sense. You’re right that at one point or another, if there’s movement in privileged accounts or if there’s a change in things that’s suspicious, people need to look into them. I don’t know how well you can do that at scale, though. It may just be one of those things where we really have to go back and relook at the design of security itself and ask, ‘Are we doing it right?’ … A phone message is so easy to fake, so if you’re sending a push notification over your phone it’s pretty easy to mess with. So how do you do this? I don’t think having a physical authentication key on a smartphone would be good. Biometrics are a way that we might get past part of this. We really do have to go back and relook at this stuff that we think is protecting us.
…
Howard: Coincidentally, the Cisco hack proved the point of a presentation that I covered online on Wednesday from the Black Hat cybersecurity conference in Las Vegas. The point was that IT and security managers have to choose phish-resistant multifactor authentication solutions, not just any MFA solution. The presenter was Roger Grimes of KnowBe4, and he said he’s got many tricks to lure people into doing things and hack them when he does penetration tests. For example, if he can find out their smartphone number and the county they live in he’ll send a text message to them pretending to be from the county with a warning that there’s a water leak and they shouldn’t drink the water. Would the person like to be sent a push notification when the water is safe? And if they click yes, Grimes can download malware. That’s a perfect example of a social engineering attack.
Jim: I don’t even know how you’d get past that one. I’ll now be more cautious. I get notifications from Hydro and from all kinds of places asking if I’d like a push notification when my power comes back on. Yeah, I would. If you hadn’t alerted me to that one I think I might have fallen for that. But that’s why we need people to improve design.
Howard: An example of phish-resistant multifactor solutions comes from the FIDO Alliance, which is the Fast Identity group of vendors who have put together solutions that are very hard to compromise. One of them, for example, is a physical security key that a user has to plug into their USB port in order to access sensitive websites and applications like email. That’s probably an ideal thing for people who are IT administrators, network administrators and even senior executives.
Jim: But what do you do about phones? There’s no USB on phones. FIDO does do a neat thing. They share the public [soft encryption] key when they’re exchanging information to approve you, but they keep the private key and the information on your phone. Which means you can be challenged on your phone for that private key. It’s not shared outwardly, so there’s a layer of protection. It’s really quite well thought out. But we should be thinking through the scenarios and saying, ‘Maybe there’s just stuff you shouldn’t be able to do on your phone, particularly administrator accounts. Maybe you should have to carry a laptop around with you if that’s your job.’
Howard: You mentioned biometrics a little earlier. One of the things that Roger Grimes said is you can’t rely only on biometrics for secure login. You need to have a biometric — facial recognition or a fingerprint — plus the user has to enter a PIN or a password. That’s what makes it multifactor authentication.
Jim: That’s why we don’t talk about one-factor authentication. Multifactor is in there. It just makes it exponentially harder if I’m going to take a biometric signal and ask you for another identification point. But again, you’ve got that careful balance between getting in the way of people doing their job. I have an authenticator app that I use for some things, and I do that because I don’t trust push notifications. But if I lost my phone …
Nothing’s perfect, and I think that’s the other piece of this. But you want to make it as hard as possible [for the attacker].
Howard: Roger Grimes told this scary story in his presentation. He was involved in a case where a company lost $20 million to a ransomware attacker. Why? The CISO approved a push notification eighty times even though the message clearly indicated that the sender was based in Russia. And this was a company that was obviously not based in Russia. And they asked him, why do you keep saying yes to this multifactor push notification? And he said, ‘Well, that’s what I was told to do.’ Grimes says no, that wasn’t what he was told, although it’s possible that he misunderstood something that IT told him. But his point was there was an indication on this notification that it wasn’t coming from inside his company and he ignored it.
Jim: I always say to people if you’re going to do things that stupid print your resume up in advance, because they’re going to take your computer when they fire you. No CSO in the world should have ever done that. But that’s an extreme case. But you found one [the county water warning trick] that might have fooled me. We’re all going to be fooled, and that’s why I want employees to ask questions. I want them to say, ‘Doesn’t seem right?’ And if the CSO can’t lead then they have no right to have that job.
Howard: Example number two of careless employees: Employees just don’t seem to think about what they’re posting on social media. Fortune.com reported this week it found American federal workers and military personnel are listing sensitive things on their LinkedIn accounts, and one is that they have top secret clearance. And it wasn’t only Americans who were doing this. Apparently government workers in the U.K. are doing the same thing now. How is it that people don’t realize that threat actors scan LinkedIn for potential targets? They’re looking at what people list on their bios. This kind of information is going to make them stick out.
Jim: Again, it’s a question of policies and training people to not put a target on their back. Hackers are looking for places where it’s easy, where they’re going to get a return [on their time]. You want to give them as little information as possible. That’s a training issue. The crazy thing is, if you got top secret clearance or whatever aren’t you getting the training that prevents you from doing something like that? What were these people thinking? It just drives me insane that somebody would not have training at that level.
Howard: People don’t think. And I’m sure they’re proud: ‘Hey, I’m not just an employee in the X department, I’m important. I got Top Secret Clearance.’
Jim: Until my boss sees this LinkedIn post, in which case it should be taken away. This is a classic case. Anybody who’s out there listening should think about it and ask, ‘Do we make it easy to find the people who may be hackable? Are we giving hackers clues on social media?’ This is the type of conversation we need to have with employees.
Howard: And it can be innocuous information, too. It reminds me of a story a presenter at the RSA conference gave a couple of years ago: An executive of a firm in Texas was really proud of the fact that he coached his daughter’s softball team and an attacker picked that up [on social media], so when he was out of town at a tournament the attacker was able to compromise the executive’s email account and send a message to the executive assistant saying, ‘Hi Susan, something’s come up and I’d like you to look after this. We have a new supplier and we have to send them a $2 million advance on orders that are to come. Please forward $2 million to this person. Here’s the account number.’ And then he ended the message by saying, ‘You don’t have to email me back with confirmation that you’ve done this. I trust you.’ And there was $2 million gone.
Jim: That happens all the time, even in a relatively small business when somebody’s on vacation. I’ve heard of things where hackers wait to see somebody get on a plane so that they could actually send a message like that, knowing that that victim couldn’t be reached for four hours. That comes from a posting that says, ‘I am in the airport getting ready to fly to Vancouver.’ We give away so much information. That makes it all more incumbent on us to have the type of training that says anybody could have this information and could use it … The best thing to do if you’ve got a question [about an email] is pick up the phone, talk to the person and ask ‘Did you send this?’
Howard: Example three: Employees at Twilio fell for a text-based phishing scam last week, responding to messages pretending to be from the company’s IT department. The message would say something like their password had expired, so they had to tap on a link to update their password. Or they got a message saying that an event in their calendar had changed, so the calendar had to be updated and they had to tap on their phone for the change. And when the victims logged in, they logged into a fake website that copied their credentials, and that led to the theft of Twilio customer data. This is an old trick. In fact, after Twilio admitted its employees fell for this, Cloudflare acknowledged that some of its staff did as well. It was the same kind of attack, although the Cloudflare attack was stopped. Why? Because all Cloudflare employees need to have physical security keys [like a YubiKey or a Titan key] that they plug into their computers for extra authorization in order to log in. [Having an employee’s username and password isn’t enough for a hacker if they don’t have their security key.]
Jim: That works all the time. My favorite for this phishing is a message that appears to come from the human resources department: ‘We’ve got three new prime parking spots available. If you want one, click this link and log in.’ [And the hacker steals the credentials.] That one worked in a company where I worked, big time. It’s about the training: You should never, ever, follow a link and put in a password if the link comes to you [in an email or text]. Go to the website the regular way you get there. It’s easy to fool people [with a spoofed URL]. “ITworldcanada.com” could be “ITworldcandas.com” and nobody spots the “s” in there. That’s one of the instructions people have to get. In this case it came back to a good old physical key. There’s a really good lesson in this: Maybe it’s the way to go in a lot of circumstances. We talk about multifactor authentication, not just two-factor authentication. If you have to take a couple of steps then chances are you’re going to make it more difficult for the hacker.
Howard: These three incidents point to the importance of regular security awareness training. What techniques have you found that help make training messages stick?
Jim: One is that security is a continuing conversation. It is not one-time training, and I think you can prove that from the stats people gather. All of these people probably had a bit of security training. But you have to have an ongoing conversation. If you are responsible for security in your organization, take every opportunity that you can to have a conversation and help people understand it. Step two is to teach that there are no stupid questions. If someone phones me several times and asks me the same question about security, I am going to be open with them, I’m going to be patient. I’ve told them you can call anybody in our IT department. Three is that we as executives have to hold ourselves to account and demonstrate that even when it’s inconvenient for us we won’t bypass security. That’s a way of getting across to the staff that we are as restricted by this as you are; we will not violate the rules ourselves. I’ve seen a lot of cases where executives don’t feel that they’re held accountable for these things. Maybe you have to be held to a higher standard. The fourth thing is, this [security training] doesn’t have to be dull. We’ve done security videos that are just fun, on phishing and on creating safe passwords, so people can talk about them.
Fifth is to teach that every employee should admit when they’ve made a mistake. I told you this [county water phish] would have fooled me, and that push notification would have fooled me. I know better now. When I talk to my staff I talk about the dumb things I’ve done. You have to let them know that we’re all in this together. And it’s a wonderful thing if somebody on my staff questions something and asks, ‘Jim, do you really think that’s secure?’
Howard: Before we wrap up we shouldn’t forget the organization’s role. We’ve talked a lot about employees making mistakes, but organizations play a role in creating holes in their defenses by doing things like not enabling multifactor authentication, not making sure that employees use strong passwords and not encrypting data.
Jim: I say that we don’t fail on technology. We fail in our imagination. Some organizations do things because there’s a checklist. I despair of some security training that teaches you to go through a checklist. It should teach you to ask questions and to think about what you’re doing. And if that’s done well, then when you’re enabling multifactor authentication you ask, ‘How could I break it?’ There are lots of people out there who will give you all kinds of examples like we’ve discussed to think about: ‘How would somebody get past that? Is it implemented well?’ Because it’s not that you implement technology, it’s that you implement it well. Those are the basics. We’re still at the level where people aren’t using strong passwords. On your [intranet] website there are rules for employees right now about creating passwords with a special character and a capitalization … Yet someone got that from a checklist. Everybody knows that length of a password is more important than complexity, but there are sites today where I can’t put in a more secure password because they won’t let me. Poor design is something we always have to go back and question.
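Editor’s added example (not part of the podcast, and not code from Cisco, KnowBe4 or any identity provider): the conversation above about MFA fatigue and about the attacker registering extra phone numbers after getting in describes two signals an identity-provider log can expose. The script below runs both detections over a constructed log whose format (ISO timestamp, user, event name, optional key=value fields) is assumed for illustration; real IdP exports will need their own parser. It flags a user who receives a burst of push prompts in a short window, notes whether an approval followed the burst, and then flags an MFA device enrolment that happens shortly after such an approved burst.

```python
"""Detect MFA push fatigue and post-approval MFA device enrolment in IdP logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, not from Cisco or any real identity provider.
# Assumed line format: "<ISO timestamp> <user> <event> [key=value ...]".
SAMPLE_LOG = """\
2022-05-24T02:11:03Z alice push_sent
2022-05-24T02:11:40Z alice push_denied
2022-05-24T02:12:05Z alice push_sent
2022-05-24T02:12:50Z alice push_timeout
2022-05-24T02:13:10Z alice push_sent
2022-05-24T02:13:55Z alice push_denied
2022-05-24T02:15:20Z alice push_sent
2022-05-24T02:16:02Z alice push_timeout
2022-05-24T02:17:30Z alice push_sent
2022-05-24T02:18:10Z alice push_approved
2022-05-24T02:21:30Z alice mfa_device_added device=phone number=+1-555-0100
2022-05-24T09:00:00Z bob push_sent
2022-05-24T09:00:20Z bob push_approved
2022-05-24T09:30:00Z bob mfa_device_added device=phone number=+1-555-0199
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    name: str
    detail: dict


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        detail = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append(Event(ts, parts[1], parts[2], detail))
    return sorted(events, key=lambda e: e.ts)


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive `threshold` or more push prompts inside `window`.

    Returns one alert per user for the first burst found: its time span, the
    number of prompts, and whether a push_approved event followed within
    `window` of the burst's last prompt (the case where fatigue 'worked').
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e.name == "push_sent"]
        start = 0  # sliding window over prompt timestamps
        for end in range(len(prompts)):
            while prompts[end].ts - prompts[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = prompts[end].ts
                approved = any(
                    e.name == "push_approved" and burst_end <= e.ts <= burst_end + window
                    for e in evs
                )
                alerts.append({"user": user, "prompts": end - start + 1,
                               "first": prompts[start].ts, "last": burst_end,
                               "approved_after": approved})
                break
    return alerts


def detect_device_added_after_fatigue(events, alerts, within=timedelta(hours=1)):
    """Flag an MFA device enrolment soon after a fatigue burst that ended in approval."""
    hits = []
    for a in alerts:
        if not a["approved_after"]:
            continue
        for e in events:
            if (e.user == a["user"] and e.name == "mfa_device_added"
                    and a["last"] <= e.ts <= a["last"] + within):
                hits.append({"user": e.user, "at": e.ts, "detail": e.detail})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    fatigue = detect_push_fatigue(evs)
    for a in fatigue:
        print("push fatigue burst:", a)
    for h in detect_device_added_after_fatigue(evs, fatigue):
        print("device enrolled after approved burst:", h)
```

In the constructed sample, alice gets five prompts in under seven minutes, approves the last one, and a new phone is enrolled on her account four minutes later, so both detections fire for her; bob’s single prompt and later enrolment are left alone. The window and threshold are starting points, not tuned values: set them from a baseline of how often legitimate users actually get prompted, and treat the enrolment-after-burst hit as the one worth paging on, because it is the step that gave the attacker durable access in the Cisco case.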