Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday December 3rd. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
I’ll be joined in a few minutes by Jim Love, IT World Canada’s CIO, to discuss a couple of security-related incidents from the last seven days. But first a look back at some of the news:
An American company that tests DNA has acknowledged the theft of personal information of over 2 million people earlier this year. The data came from old backups of an unused database. Jim and I will discuss this incident.
We’ll also look into an email campaign targeting employees of furniture maker Ikea. Staff are getting phishing messages from the email addresses of people they know.
A report from Google is a reminder that configurations and employee errors can still lead to data theft in cloud applications and services. Many successful attacks on cloud applications are due to poor cyber hygiene and not implementing basic security controls, Google said.
Consumer electronics giant Panasonic said some data on a file server had been accessed by a third party last month.
Medical clinic Planned Parenthood Los Angeles said the personal information of 400,000 patients was stolen in a ransomware attack in October. Hackers accessed names, dates of birth, addresses, insurance identification numbers, clinical data, diagnoses, treatments provided and prescription information.
An American judge sentenced a Russian man to 60 months in prison for being the head of a company that provided what’s called “bulletproof” IT hosting services for cybercriminals. This followed the sentencing of two partners to 48 months and 24 months respectively in prison. A fourth man who pleaded guilty to a charge will be sentenced shortly. Bulletproof hosting companies are used by threat actors to distribute malware, steal data and create botnets.
Also this week the last of six people involved in an international smartphone SIM hijacking group was sent to prison by an American judge. Hijacking SIM cards allows hackers to take over and steal data on the phones, as well as use the phones to access victims’ bank and cryptocurrency accounts and corporate email accounts. Police estimate this gang, which called itself ‘The Community,’ stole tens of millions of dollars of cryptocurrency. Sometimes the gang bribed a wireless phone company employee in their attacks. Other times they called victims posing as a mobile provider employee.
Finally, owners and administrators of HP LaserJet and multifunction printers are urged to check for device security updates after security researchers discovered vulnerabilities affecting 150 devices.
(The following is an edited version of the discussion with Jim Love. To hear the full version, play the podcast.)
Howard: Let’s start with the huge theft of data from a lab in Ohio called DNA Diagnostics Center. In August it realized there had been a data breach. On investigation, it found an archived database of personal information of more than 2 million people collected between 2004 and 2012 had been copied between May and July of this year. This database belonged to a national genetic testing organization the company bought in 2012. The database was never used by DDC. According to one news report, the copied data includes people’s names and their credit or debit card numbers, as well as their financial account number and platform account number with the other genetic testing company.
What struck you about this incident?
Jim: A couple of things: One is we keep talking about ‘know your data, know what data you have and know where it is.’ And that’s really important. By the way, I don’t want to seem to be preaching to these people. This is a really tough one: You buy a company, you absorb it and you’ve got all this data there, and so what’s in there? The fact that people have data that’s not used, that’s not abnormal. The stats tell you that something like 70 percent of data is dark data, and dark data by nature is stuff that you’re not using for analytics. So maybe it’s not on anybody’s radar. But this is one of those things also where you can have a focus problem. This is a medical company and they’re talking about DNA, so maybe those are the crown jewels. But you can’t ignore the other elements of data that you have, so you have to widen your vision and look for data if you bought a company. You’re responsible for it. But this could have happened: They’re focused on the medical data [not the data from the acquisition] and medical data is sexy and everybody wants to be talking about protecting that. And that’s great, but don’t forget the nuts and bolts.
So a couple of things: When you’re buying a company you have to do a credible inspection of the data. There’s also a lesson about good [cyber] hygiene. I’m of two minds on this: I hate deleting data because I’m an analytics guy and at heart I want all the data that’s there. But you keep data at a cost, so when there’s data that no longer has a use should you really keep it offline, and air gap it. Know your data, move stuff out that you don’t need. When you need it, move it back in.
Howard: I think that when companies buy other companies they’re probably more concerned about the financial ramifications and making sure that they can start recovering their investment, and they may just forget about the other company’s data. They may have bought a company to take out a competitor. They don’t care about the other company’s data.
Jim: But you don’t just buy the company, you buy the company’s assets and we all say data is an asset. So do due diligence. You have to know all the assets you’re buying. But the second piece is you’re buying their failings, too. It’s a good lesson for all of us. You’re not just buying the strengths of a company, you’re buying their weaknesses too and you’d better be pretty sharp about that.
Howard: And asset management is knowing your hardware assets and your software assets. That’s one of the basics of cyber hygiene.
Another thing that struck me here is that this data wasn’t encrypted — and I suppose because they’d forgotten about it for 10 years it’s not a surprise that it wasn’t encrypted.
Jim: My theory is encrypt whatever you can.
Howard: I suppose it could have been worse because it seems they didn’t have medical data in this database. It was mostly credit card and debit card data. And it was at least 10 years old and going farther back. Don’t credit card companies these days issue new cards every four years, so wouldn’t a lot of this data be useless to a crook?
Jim: I’m not an expert in monetizing stolen data, but if they got passwords, how many people have changed their passwords [in 10 years]? I still think it’s a danger and people need to be warned.
Howard: The Ikea attack is interesting. Employees are getting phishing emails from staff at partner companies or suppliers. Some of these email messages are being inserted into a chain of messages between people, so that not only is the sender’s email address legitimate, the phishing message looks like it’s a continuation of an email conversation an employee is having with another firm. It isn’t clear whose email system has been hacked here. Ikea has only noted that the internal corporate alert being sent to its staff is about suspicious emails coming from outside the companies. Have you come across this before?
Jim: The event, yes. This is the horror movie for a CISO or CIO, and that is somebody breaks into the trusted chain. We spend a lot of time trying to teach our employees to do the right thing and watch suspicious emails that come in. But when the trusted chain is broken they [the attackers] are now in the trust level. People don’t look at the third email they get in the string. So even all the training we do gets blown away. There are two issues in this: The supply chain piece has been there. But I think we all live in fear of people who find clever ways to get into the places we trust. There are fewer and fewer of them, but when they do that they get missed.
Howard: So how do you protect employees from this kind of attack?
Jim: There’s software out there that will help [people] evaluate their email. It can help spot anomalous software. Another thing is training. People need to read stuff and ask themselves, ‘Does this really sound right?’ I’ve seen some really good ones [phishing emails] recently and have I been fooled? Probably. But I’ve caught a number of them, too, because you look at them and say, ‘Would that person act like that?’ I’ll give you an example of the type of behaviour we want to see: I sent an email to a friend of mine and I asked him about his opinion on something, and I sent him a link. I don’t normally send him links. I got a phone call from him asking, ‘Jim, was this you?’ And that is the behaviour that we need to have in companies. People are our biggest line of defence.
Howard: One thing listeners can do is periodically look in their Outbox and check to see if the messages that are going out from your email are ones you wrote.
Jim: Except it doesn’t always happen in your Outbox. So if you send stuff from your phone you might not see it in your corporate outbox. But that’s good to do. But the second thing is there are products that’ll keep you from pinging out to or sending emails out to other sites. Or even accessing the IP addresses of suspicious sites.
Howard: The last news item that we’ll look at is the ransomware attack and theft of the personal information of 400,000 people from Planned Parenthood Los Angeles. It’s a clinic that performs abortions, medical tests, advises people on birth control. A lot of sensitive personal information was captured. We don’t know a lot of detail about this hack but it strikes me this is another example of the need for encrypting data.
Jim: It is. But I have to tell you my heart goes out to these not-for-profits — and here I’m going to do a little bit of a commercial for CISOs because I do the same thing for CIOs: Find and ‘adopt’ a not-for-profit. Help them because they don’t have big money to spend on cybersecurity. Be a volunteer for a little while and help your local not-for-profit because they have valuable information. This [the Planned Parenthood attack] is an example of the bad guys going, ‘We can attack these not-for-profits because they don’t have the resources …’ Maybe [the stolen data] is about depression or your child’s medical disability. They [non-profits] need to encrypt the data and we need to help them …
We’ve also got to get better at detecting exfiltration of data, particularly at small businesses … They should look at things like Canadian Shield [offered by the Canadian Internet Registration Authority (CIRA)]. There’s a free version.