Welcome to Cyber Security Today. This is the Week in Review edition for the seven days ending Friday May 14th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Dinah Davis, vice-president of research and development at managed service provider Arctic Wolf, will be with me to discuss what we think were notable events. But first some of the headlines from the past week:
Outrage and worry erupted after one of the biggest gasoline pipelines in the U.S. was hit by ransomware. Colonial Pipeline decided out of an abundance of caution to shut its service, which provides fuel to almost half of the East Coast. Operations were restarted on Wednesday.
Also on Wednesday President Biden signed an executive order to toughen cybersecurity in the federal sector. It removes barriers to cyber threat information sharing between American agencies and the private sector. It also orders federal departments to implement multifactor authentication and use encryption to protect data.
Ryerson University’s cybersecurity policy exchange called on the Canadian government to find ways of stopping misinformation, disinformation and fake news from being spread on private messaging services. These are services like Facebook Messenger, WhatsApp and Telegram. A report says many of these platforms are being used to spread hate, unwanted sexual comments and materials that incite violence.
A student’s eagerness for free software led to a ransomware attack on a European biomolecular research institute. The student worked as an intern at the institute. They hunted the internet for a free version of a data visualization tool. What they got was an infected application that stole the student’s password, which allowed the ransomware gang access to the institute’s computer network.
Another research institute, the Fermilab particle accelerator in the U.S., was also in the news. Researchers discovered all sorts of open IT services. That led them to documents and systems with usernames and passwords, as well as file attachments with sensitive research information.
I regularly urge people to only use trusted mobile app stores like the Google Play store or Apple App Store for downloading apps. One reason is Google and Apple try hard to keep malware out of the stores. This week Apple said it rejected 150,000 apps last year for being spam or misleading, and 215,000 apps for privacy violations. But with 1.8 million apps in the store some bad ones slip by.
Finally, a German regulator has forbidden Facebook from collecting user data from its WhatsApp message service for the next three months. Some 60 million Germans use WhatsApp. This has to do in part with Facebook’s new data-use policy for WhatsApp users. A controversial new worldwide data sharing policy with Facebook comes into effect tomorrow. Last week WhatsApp promised it wouldn’t cut users off if they didn’t agree to the new terms.
(The following is an edited transcript of my discussion with Dinah Davis. To hear the full talk play the podcast)
Howard: The Colonial Pipeline attack has been on everybody’s mind this week, which is why we’re giving it scrutiny right off the top.
Dinah: On Friday, May 7th Colonial Pipeline disclosed that it had taken its systems offline because of a security incident. Colonial supplies the gasoline for a very large portion of the United States, and taking down its systems also meant that its operational systems went down too. So that leaves people very worried about getting gas.
Howard: Just as we were recording this podcast news came out that Colonial actually paid $5 million in ransom.
Dinah: And the crazy part is it looks like they did get the decryption software from DarkSide, but it was so slow to use that they’ve still had to restore from their backups. So it was almost useless paying for it.
Howard: One thing this incident may point to is the lack of readiness of critical infrastructure firms. It isn’t clear because we don’t know how the attack started, but more importantly, it seems that the operational network of the company, which runs the pipeline, was not hit. So the company says it closed the pipeline temporarily as a precaution. Colonial told the Associated Press that the IT network is strictly segregated from the pipeline control systems. I hope it is. A Canadian expert I spoke to said that Canadians shouldn’t be smug that the attack happened south of the border because it could have happened here. Do you have a sense of the readiness of Canadian critical infrastructure providers to withstand cyber attacks?
Dinah: I don’t really, but this is a wake-up call for everyone in the world. As if SolarWinds and other things weren’t enough either, but this could happen to any of us. Any company can have a bad day, but are you actually ready for this if it happens to you? When it happens to you?
Howard: The interesting thing I thought was stealing data from a critical infrastructure supplier could be as damaging as actually damaging its operations. So for example, in Colonial’s case, it says it temporarily closed the pipeline out of an abundance of caution. Well, that caused gasoline shortages. My point is, if you’re an attacker, you can get companies to do that. It’s as effective as compromising the pipeline.
Dinah: I agree with you. Any way that an attacker can put pressure on you to pay is good for the attacker. So if you are forced to turn off the service that you are providing, such as gasoline or energy, people will be clamoring to get that back.
Howard: So one lesson is you’ve got to be prepared for a cyber attack … because you’re not going to be able to block every attack.
And data theft alone can be costly because it may include confidential business information, on acquisitions, on product pricing. A company may shrug about that, but what may be stolen is personal information of employees. That’s very dangerous because employees sure don’t want their dates of birth, the social insurance numbers, maybe their bank account numbers, if the company’s making direct deposits for salaries – and that may be worth paying a ransom for. So I think this incident is just more of an incentive for firms in critical infrastructure to tighten their cyber risks.
Dinah: DarkSide has two main goals: They want to grab as much data as possible because they want to find a lever for you to pay [to recover]. And then once they’ve got your data, they’re going to encrypt everything … They have affiliates, the people who actually will use their software to run the attack. The affiliates retain about 75 per cent of the ransom if it’s less than $500,000, but up to 90 per cent if the ransom is over $5 million. DarkSide has stated that the affiliates are prohibited from targeting hospitals, schools, universities, non-profit organizations, and public sector entities. They’re also prohibited from targeting organizations in the Commonwealth of Independent States – Russia, Kazakhstan, Belarus … My guess is [DarkSide] are trying to lay low after this one because they did not expect something this high profile to hit them, nor did they want it.
Howard: It was interesting that DarkSide issued a statement this week seemingly in response to FBI allegations that it’s linked to the Russian government. And here’s what it said: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government. Our goal is to make money and not creating problems for our society. From today, we introduced moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
It sort of sounds like they’re embarrassed about causing long lineups at American gas stations and attracting the attention not only of the FBI, but also of the President of the United States. I talked to Greg Young, vice-president of cyber security at Trend Micro, who said one possibility is this group got in over their heads, and they’re now “uncomfortable.” And this would fit with a theory that one of DarkSide’s affiliates did the hacking before the gang leaders realized that it was a major pipeline. Note that in its statement DarkSide now promises to check companies that its partners want to hack. Mind you, another expert I talked to doesn’t think that it’s a coincidence that a big American target was hacked after the U.S. levied sanctions on Russia for the SolarWinds attack. So what do you think: Did DarkSide get blindsided by its partner?
Dinah: I don’t know, but who’s to say that the partner isn’t a state actor and DarkSide didn’t know that?
…
Howard: The other story I want to look at is the European biomolecular research lab that was hit by ransomware. In this case, a student intern was looking for a free version of a data visualization tool. And when he couldn’t find it, he downloaded a cracked version of the tool [to his personal laptop]. It should be no surprise that that was filled with malware. And that ended up stealing his password, which the ransomware group exploited. What lessons do you see from this incident?
Dinah: First off, you never want to buy software or download it for free from unproven sites. That’s a prime location for threat actors to place malware. So to the university, maybe it should be easier for students to procure the necessary software that they need to do their work. Maybe there needs to be more budget set aside to ensure that they are able to get the tools that they need instead of being forced to go and download a malicious version because they wanted to be able to do something critical for their research that they can’t afford to do themselves.
Howard: The other thing that struck me was here’s a research lab and apparently their interns don’t have two-factor authentication to protect logins. That’s not very good. And it sort of suggests that perhaps this lab doesn’t have two-factor authentication for any employees. Another thing is if you have an intern, you may want to give them a company-approved laptop. If not, maybe deny interns the ability to have remote access.
(The discussion turned to awareness training for students)
Dinah: I remember when my daughter was in fourth grade and they were first given Google accounts. And they were given a four-letter password, which was part of their name. And they were not allowed to change it. And I said, ‘We have to go change that.’ I had to call the teacher and explain that we needed the password changed. I wanted to make sure that none of her friends could have fun infiltrating her account and posting things in the class chat that she didn’t want said about her. It was shocking to me that [simple password policy] was what was happening.