Welcome to Cyber Security Today. This is the Week in Review edition for the week ending October 14th, 2022. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, the head of Montreal’s Cyology Labs, to discuss recent cybersecurity news. But first a quick review of what happened in the past seven days:
Employers in Ontario with more than 25 workers had to start distributing a corporate policy this week on how they electronically monitor staff. That would include not only how employees access data, but whether the employer watches the number of keystrokes per hour of staff and if it turns on their computer video camera. Terry and I will discuss this new obligation on employers.
We’ll also look at new numbers on ransomware in Canada, and a report that employees aren’t being careful with corporate documents shared on collaboration platforms.
Network administrators with Fortinet firewalls and web proxies are being told to update the applications to the latest version because of a serious vulnerability. Fortinet said it has already seen one organization successfully attacked through this hole.
Linux and Unix administrators whose firms use the Zimbra Collaboration suite were reminded again to address a serious vulnerability in the application’s antivirus scanner.
Security researchers at Oxeye say a serious vulnerability in an open-source JavaScript sandbox library called vm2 can be exploited by hackers. Developers using this library should upgrade their applications to the latest version, which was released at the end of August.
Aruba has released patches for its EdgeConnect Enterprise Orchestrator to fix multiple security vulnerabilities. Network administrators running end-of-life versions of EdgeConnect should note the vulnerabilities affect these versions as well, so they need to either install the fixes or upgrade to the latest version.
Finally, developers churn out mobile apps almost daily, some of which are modified versions that promise enhanced features of a real app. However, there’s always a risk of using a modified version of anything. Researchers at Kaspersky warned this week that the ‘YoWhatsApp’ messaging app is deploying Android malware. The malware allows a hacker to take over a victim’s WhatsApp account. The report says crooks often sucker people into downloading helpful-looking but infected apps through mobile ads. You have been warned.
(The following transcript has been edited for clarity. To hear the full conversation play the podcast)
Howard: Joining me now from Montreal is Terry Cutler. Congrats on the Canadiens beating the Leafs on opening night.
Let’s start with the new Ontario law obliging employers to have a written policy on the electronic monitoring of employees. I’ll give some background: The policy has to say whether there is any computer monitoring, and if so how and in what circumstances the monitoring is done. That can be as simple as a chart listing all the applications that says, for example, in one column that we use anti-virus; in another, this is the purpose; in a third, this is in general what it collects. The policy also has to show the purposes for which the data collected will be used. Monitoring can include things like a GPS tracker to track the movement of an employee’s delivery vehicle, sensors on how quickly employees scan items at a store checkout, the tracking of websites employees go to during working hours. This law doesn’t establish a right for employees to not be electronically monitored, nor does it create any new privacy rights. But it at least does let employees know what their employer is doing. What do you think of this?
Terry Cutler: I don’t think this is anything new, especially here in Quebec and for larger companies, because most of the time it’s mentioned in employee handbooks that new hires have to sign. It’s important to create an acceptable use policy because it tells employees what’s being done — that they’re being monitored on their use of the internet, that their computer is monitored so it’s up to date, things like that. An acceptable use policy document stipulates the constraints and the practices that the user must agree to in order to gain access to the corporate network or the internet or whatever resources they have. Many businesses and educational institutions already require that the employees or students sign this policy before they get granted access to the network. But the problem that we see is that most people forget what they signed about a few weeks later.
Howard: One lawyer I talked to said that one of the advantages of this Ontario obligation is it can open up a discussion with employees who may ask, ‘Do we really need this? Do we need this in the employee locker room?’
Terry: Let me give you a real example of a case that happened not that long ago: An employee was walking past another employee’s office and caught him with his pants down, literally. They reported this incident, and because this was a unionized worker he couldn’t necessarily be fired on the spot. They had to do an investigation into what this guy was doing. He was watching inappropriate content. That’s where it gives the power to the employer to have a discussion with that employee to see what they’ve been looking at.
Howard: And if necessary the company would monitor that particular employee because there was a complaint.
Terry: Exactly. Later on we found out that this employee was doing far more than just watching inappropriate content. He was actually running a prostitution ring [from his computer], setting up appointments and everything during working hours. That was enough information to install some more advanced monitoring software on this person’s computer to see what they were doing all day … And that led to the firing of the employee.
Howard: So that incident might be seen as an exception to the general corporate employee monitoring policy, but a lawyer told me that’s okay as long as the monitoring policy says there are special circumstances — such as special investigations — in which it may have to monitor what an employee is doing online.
I think that most employees would know that their employer keeps track of who accesses data through logins. Arguably the greatest worry of an employee is whether the employer is secretly monitoring them for productivity by doing things like monitoring the time that they’re on the keyboard, looking at what websites they’re on and secretly turning on their computer microphones and cameras. In your experience is secret monitoring common in the workplace?
Terry: No. Usually we just see the basic stuff, like monitoring what websites the employee is visiting during business hours or watching the GPS movements of the employee’s delivery vehicle. But they could deploy technology that allows them to turn on the microphone or video camera if there is reasonable doubt [about a violation of corporate rules]. Let me give an example: We had to investigate a case where an employee was creating fake quotes to defraud his employer. One of the company’s clients was looking for pricing on a specific item and received a quote from the [suspect’s] company as well as one from a competitor. What was interesting is that the quotes looked identical, except for one being a dollar off. The client called up the vendor, who became suspicious. However, we were told we couldn’t install monitoring software on one person’s computer. It had to be deployed to a group. That way it doesn’t look like one person is being singled out. But this guy got caught creating fake invoices. He was also showing up to work all of a sudden in a Porsche. And he was buying a house in Florida while making only $50,000 a year. He was making extra money scamming his own company’s customers.
Howard: There are fears that with more people working from home employers want some sort of secret surveillance to measure the productivity of those people who are out of the office. Are you seeing that?
Terry: I am. But at the same time there has to be a fine balance between flexibility and productivity. I’ll give an example: At one o’clock in the afternoon on a beautiful sunny day I want to go take a ride on my bike. I figure I can catch up on my work after dinner. That may be OK for some employers but not for others if an employee is often unreachable or stuff isn’t getting done. That’s when there has to be a discussion with the employee — and why an employer may want to deploy surveillance technology.
Howard: This Ontario law only applies to companies with 25 employees or more, although when you’re counting employees that will include people who are on definite term or specific task contracts, probationary employees, staff out on strike or locked out as well as those on a leave of absence. Shouldn’t it apply to all companies, whether there are two employees or 10 or 15?
Terry: I think it could lead to abuse of power, especially for small business owners that are constantly watching if their employees are surfing the web. It can also often lead to a toxic work environment because if they see that their employees are always on Facebook or searching job boards that’s going to make the business owner very uncomfortable and he will start treating his employees differently.
Howard: Should this law be copied by all provinces and U.S. states where it isn’t already mandatory?
Terry: I think most of the basic items are already in place because you need it in place in order to help protect the company from cyber-attacks.
Howard: It wouldn’t be a Week in Review if we didn’t talk about ransomware. Yesterday, as part of Cyber Security Awareness month, Palo Alto Networks released Canadian data. Last year there were over 140 reported successful ransomware attacks against Canadian organizations. Of them, 52 organizations in Ontario were hit, 45 in Quebec, and 24 in British Columbia. Researchers didn’t see any criminal leak sites posting breaches of organizations in the Canadian provinces of Nova Scotia, Prince Edward Island, Yukon, Northwest Territories and Nunavut. Interestingly, 27 different ransomware groups claimed they had hit victims in Ontario alone. Just for context, worldwide 2,566 victims were named on ransomware gang leak sites. Assuming that crooks don’t lie, that was an 85 per cent increase in the number of victims compared to 2021. However, a number of security companies say ransomware attacks are down so far this year compared to 2021. What are you seeing — are the number of ransomware attacks going up or down?
Terry: The keyword here is “reported.” What about all the others [firms] that tried to sweep it under the rug? Let me give you a real example: We had to do an incident response on a company that got hacked by its IT guy. He told the business owners that no, you don’t need to have antivirus installed on your Exchange server, it just slows things down. What happened was ransomware infected the whole company. But instead of engaging an incident response firm to help clean it up, they wanted to remove the evidence and not even contact their clients that they got breached and data leaked out … Going back to your question about if it’s going up or down, there’s a lot of activity happening now. We’re seeing a lot of ransomware gangs that are either merging or their members are getting arrested. I think that they’ve made enough money over the years to stay more low-key. But to be honest, I think they’re preparing for something much bigger.
Howard: There was an article in the Washington Post in August that took a look at the supposed drop in attacks. One expert suggests ransomware gangs are attacking smaller companies that are unlikely to report to police, so these attacks are out of the headlines. There was another expert who thinks that gangs may not be boasting about their successes on their websites as much as they did last year.
Terry: I totally agree with that. I think what’s happening is that ransomware gangs don’t just rely on their leak sites. That’s where they used to post the alleged victims’ identities and their data to put pressure on them to pay [for decryption keys]. What we’re seeing now is more focus on the gangs directly contacting the customers — and their employees — to pressure them to pay. We’re also seeing gangs that are being dismantled, like Conti, who apparently got dismantled back in May because all of the internal workings of the gang got leaked. Whatever the truth is behind these numbers, I don’t think ransomware is dying off anytime soon.
Howard: Just before we started recording this show a company called Guidepoint Security released their third quarter report [Registration required] on the number of reported ransomware attacks that it’s seeing. That report said there is a little bit of a slowdown. Among other things, interestingly enough, they also said eight new ransomware groups had emerged between July and September.
Are organizations taking more precautions to avoid being victimized by ransomware — or any cyber attack?
Terry: To be honest, 2022 has been a really great year for us when it comes to proactive cybersecurity work. Usually it’s always been, ‘We’ve been hacked, come help us out.’ But now they’re contacting us for audits, penetration tests and managed services. I think that the small-medium guys have caught on that it’s very difficult to find and keep a cyber security expert because there’s not enough qualified professionals in our field … so companies are learning that it’s cheaper to outsource cybersecurity initiatives and monitoring and managed services.
Howard: Another item I want to look at is a survey that was released by a company called Hornetsecurity on the use of confidential information by employees on corporate collaboration platforms. It found that 45 per cent of respondents said that they send confidential and critical company information on Microsoft Teams. Half of the respondents said that they send business-critical documents and data on their personal devices. Forty-eight per cent admitted sending messages on Teams that they shouldn’t have. This is a very timely survey during Cybersecurity Awareness Month for two reasons: It suggests a lot of employees need more awareness training, and a lot of organizations need better security policies. What struck you about this?
Terry: I’m guilty. I could be on a client call and all of a sudden they’re sharing network diagrams with me or password information, or I’m sending them log information. Obviously, we look at convenience — everybody’s on the call and we’ve got to share the data. But we have to keep in mind that once we share this information we no longer control it.
Howard: On the other hand, don’t we expect that confidential documents are going to be shared on what is an internal communications platform? How else are you going to communicate? Take a paper document and go from office to office in a building and physically hand it to someone? So what’s the problem here?
Terry: Over the years chat systems have been really convenient ways to interact with our colleagues and customers, especially on platforms like Teams and Slack. But if we send out these documents they could land in the wrong hands. We need more awareness training. But organizations also need to review their policies and implement whatever tools they can to minimize their risks. There should be some policies that can be enabled in Teams that allow them to prevent sharing of documents. So employees will share that document via email instead. You need to find a way to make sure that the office suites are secure … Office 365 out of the box is not configured correctly. You need to implement some advanced features in order to protect the data.
Howard: The last item that we’ll look at is more consumer-orientated, and that’s the evolution of phone-based scams against Americans and Canadians. A report by Trellix outlines what are dubbed BazarCall campaigns by crooks. This category of scams doesn’t rely on victims clicking on links in messages. Instead they get an email that convinces them to phone a company for more details. So for example, the email could be about a charge that the victim doesn’t expect for a purchase or renewal of a product or subscription. To be convincing the crooks use brand names like Geek Squad, Norton, McAfee, PayPal or Microsoft. The email the victim gets says that they’re going to be charged for something unless they call a special number. When they call, a crook pretends to be a call centre representative. They try to convince the victim in one of several ways to download so-called helpful software, which, of course, is really malware.
Terry: The crook will say, ‘We’re going to cancel the subscription, but we need to remote [connect] into your computer.’ Then they’ll say, ‘Your computer is running a virus. We need to remediate this,’ and it could lead to a locking of the computer via ransomware. This scam has been around for many, many years. One of the earlier versions was a browser lock. You’d be surfing the web, minding your own business and all of a sudden you visit a web page and your screen goes blank or your speakers say, ‘Alert, alert’ and a voice says your computer has a virus. Call this number.
Howard: What should consumers do to make sure that they’re not victims of this kind of scam?
Terry: It really comes down to user education. There are so many new scams coming at consumers it’s really hard to keep up. That was one of the reasons I launched the Fraudster app months ago, to help educate consumers. Most of the scams are being run from call centres offshore, so victims and police can do very little. However, some ethical hackers are hacking back and exposing scammers. One of the more famous YouTube channels is called Scammer Payback. It’s really entertaining how they reverse the connection and actually start deleting scammers’ victim files.