Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, February 12th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
I’ll talk later in the show with Terry Cutler, head of cybersecurity provider Cyology Labs, about a story that captured headlines around the world. But first a quick look at some of the biggest stories of the past seven days:
Hackers who got into a Pennsylvania law firm last year may have copied personal and medical information on as many as 36,000 patients of the University of Pittsburgh Medical Center. News is only emerging now that the hospital is notifying people that someone was able to see files on them held by a law firm that does work for the hospital. The hackers did it by accessing the email accounts of several law firm employees for almost three months last spring. Data that may have been copied included names, dates of birth, social security numbers, driver’s licence numbers, Medicare or Medicaid identification numbers and more. I suspect the law firm was handling cases involving billing disputes because the information also included patients’ bank or financial account numbers as well as billing information. The lesson here for all organizations is that there’s damaging information sitting in email accounts, particularly in attachments. Email and attachments have got to be protected.
SitePoint, a website that sells books and courses for web developers, has confirmed its user database of over 1 million people was copied and is now available to hackers. After SitePoint users complained of getting email extortion demands and fake cryptocurrency giveaway emails, the company sent a notice to users acknowledging the breach. SitePoint says it has reset passwords on all accounts so users now have to enter new credentials. SitePoint suspects the hacker got into its system by compromising a tool from another software company it uses to monitor the company’s GitHub software development account.
The founder and managing director of cybersecurity provider Emsisoft says one of its systems was breached in mid-January. The system evaluates and benchmarks possible solutions for storing and managing log data generated by its products and services. This evaluation system was supposed to only have databases with technical logs. However, there were 14 email addresses of customers in one of the databases. The cause of the breach was an employee who misconfigured an application. As a result of this attack the company says it is spending more to spot configuration issues. It is also creating an isolated environment for testing and benchmarking, making sure the system only has artificially-generated data.
Police in Ukraine say they have closed one of the world’s largest phishing services. Working with law enforcement in the United States and Australia, they found the criminal service was aimed at banks and their customers in at least 11 countries. More than 200 active buyers of the software were identified from computers and mobile phones seized.
Finally, information security professionals are still shaking their heads at news that a cyber attacker was able to get into the water treatment management console of a Florida city and change the amount of sodium hydroxide in the drinking water. Fortunately, an employee saw the changes being made on his computer screen and restored the concentration to the right level. Apparently the attacker was able to get into the internet-connected management system by using a Windows program for remote access.
The Florida incident is my discussion topic with guest analyst Terry Cutler of Cyology Labs. Terry’s been a penetration tester and has been called in on incident response, so he knows the many ways hackers get into systems.
The following is a condensed version of our discussion. To hear the full talk play the podcast.
Q: Fortunately this particular incident ended well. But before I get into the depth of this, tell me about the difference between an IT (information technology) network and an OT (operational technology) network, which is what a water treatment plant basically runs on.
Terry: Let me try and simplify this as much as possible: An IT infrastructure is like your Windows operating system — your emails, hardware, and software. This side of the house usually is much more resilient to cyberattacks because it can often recover if an attack has occurred. But on the operational side, think of this as your production system. It’s your manufacturing line, your production lines, things in mining environments or your farming, or even HVAC (heating, ventilation air conditioning). They don’t have a lot of resilience built into them because they’re built for specific purposes.
I’ll give you an example. So back in the nineties when these systems were being deployed, it made sense for an operator to go out into the field and view the dials [on equipment] and get data one by one. Then in the 2000s they had the genius idea, ‘Let’s network these things so that we can access them all from a centralized location and save on costs.’ But I think what happened here is that maybe the operator didn’t want to check with the firewall group or IT group to change the firewall rules and such. So they just installed a jump box with [remote access software] TeamViewer on it, so that they can get their job done faster. And, you know, somehow this password got out or got hacked. The details are still coming out.
Q: At the first press conference when this was announced on Monday, it was mentioned that remote access to this Florida city’s water treatment plant was through TeamViewer. And then, interestingly, CNN was told that the TeamViewer software that the utility was using hadn’t been used in six months. How does an IT administrator not know about software not being used, or did they know and they just left it sitting there?
Terry: This is why [vulnerability] audits are so important, because you have to come out with a Zero Trust model [for access security]. IT guys need to run vulnerability assessments very frequently to see what’s been installed on [systems] because sometimes there may be applications they didn’t put there, maybe a hacker got in and installed back doors or remote control software. And maybe something like that happened. We don’t know.
I’ll share with you a quick story that happened to me about six years ago when I didn’t know too much about OT. I was doing a penetration test on an energy company and I got into one system which had two network cards in it.
So I’m like, ‘Okay.’ But then I got access to a Siemens system. And it had these dials on it … I took a screenshot and sent it to the IT manager. And about 20 minutes later I got an email to come to his office. And when I go in there, it’s full of VPs and there’s yelling going on. They asked, ‘How did you get access to this? … I was assured that nobody can touch this network! It was segmented out. Only one specific server can see this network.’ But when I had breached the Windows server I was able to do a pivot and access that private network that only that machine can see. So now I can see both networks at the same time. … And that’s when I realized the OT world is very fragile and very buggy. And I got in with the username ‘admin’ with no password.
… When a lot of vendors come out with new OT technologies they have to enable backward compatibility with older systems. And it’s very, very hard to blend them.
Q: The state of Massachusetts put out an alert to all of the municipalities and water treatment plants in the state. And they said as far as they were able to determine all of the employees at this [Florida] water treatment system shared the same password for remote access, and the software appeared to be connected directly to the internet without any type of firewall protection installed.
Terry: I’m shaking my head, but you know these old OT systems were never designed to be connected to the internet because there are so many vulnerabilities.
Q: The computers that the water treatment plant was connected to used Windows 7, which has not been supported by Microsoft for almost 13 months. Could that have played a role?
Terry: I come across this very often. Whenever I do penetration tests I come across Windows XP, Windows 7, and these are all out of date and unsupported operating systems. But what happened is that the software that controls these operational technology systems doesn’t run on Windows 10. So [companies] have no way of maintaining that software, so they’re forced to keep the old stuff running. They’ve got to reach out to the vendors to get some guidance from them on how to properly secure them or probably segment them off [from the rest of the network]. Or phase them out, upgrade. But then you have budget issues.
Q: You were talking about whether this could have been a disgruntled employee or just someone who accidentally or deliberately was able to crack the password. It could have been a nation-state. Do you have any guesses?
Terry: I think it was just somebody that stumbled across it, I think they were using it as a testing ground. I think they were in there to see what could be done with this specific system: ‘Let’s try it on a small community first, before we go after the big guys.’
… There are a lot of data breaches happening and [often] the problem comes down to password reuse or credential stuffing attacks. People are registering their corporate accounts on other social media accounts and such and using the same password. That happened actually to a new client where their administrator password leaked onto the dark web. And that’s how they received a business email compromise [attack]. People don’t realize that they need to change their passwords on a frequent basis and make sure they have multi-factor authentication turned on, you know, segment out very critical systems. There’s a lot of stuff that can be done, but the problem is that these older OT technologies cannot be hardened because they’re just too old or don’t have the capability.
Q: Let’s talk about solutions. One solution is don’t allow remote access.
Terry: Obviously that’s good planning. But going back to my example at the energy company, the system that I accessed was completely off-limits. There was supposed to be no access to the system except for one specific computer, which the guy had to remote into as a terminal server to access. But yet because of a flaw in the server, I was able to jump to that network. So it’s a very, very hard balance, especially now, as we’re starting to see more zero day attacks coming out, which are flaws that have been found in an operating system that are not made public yet.
Q: Here’s another solution: Don’t connect your systems through the public internet. Pay the money and use a dedicated private line.
Terry: You would think that would be good practice, but it’s all about convenience now.
Q: And of course there’s another solution: For all logins use multi-factor authentication as an extra layer of security.
Terry: Correct. But again, some of these older systems might not be able to handle that, which means you have to have another intermediary point where a user is going to sign in using multifactor into a terminal server, which can only access that one network.
Q: In a lot of ways it seems to me this Florida incident emphasizes again the importance of following basic cybersecurity principles.
Terry: Another issue, too, that I see is around default passwords, you know, the whole admin/admin thing. When we do a penetration test, one of the things we check for is default credentials. I love it when a lot of people tell me, ‘Yeah, yeah. I changed the administrator password,’ but don’t realize that maybe the FTP or SSH ports are still enabled on those boxes, which still have the default admin/admin [username/password] enabled on them, which allowed me to bypass the web version of their administrator console. And I could change the password again if I want. So they need to make sure that all these types of passwords are changed. A cybersecurity audit or a penetration test is going to find this stuff, and it’s not that expensive.