Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, August 25th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
I had internet trouble this week when construction crews laid down a new driveway, knocking me offline for a few days. And my phone line apparently melted under the hot asphalt. Which is why IT World Canada CIO Jim Love is hosting today’s discussion of recent news with Terry Cutler of Cyology Labs. I got internet back just in time to record the news highlights. Jim and Terry will be here in a few minutes to talk about zero trust, the cyber attack by former Tesla employees and more.
Also in the news in the past seven days, European companies that used two data centres in Denmark owned by Certiqa Holdings are scrambling to recover after a ransomware attack last week encrypted all of the data centres’ servers. That includes their primary and secondary data backups. According to a news report, the data centres say data restoration for customers is impossible.
Question: Is this scenario part of your organization’s disaster recovery plan?
North Korean gangs have been trying this week to cash out the equivalent of $40 million in stolen bitcoin, says the FBI. They’re warning exchanges to be wary of dealing with transactions involving six bitcoin addresses. In June alone North Korean groups stole more than US$200 million in virtual currency.
Separately, researchers at Cisco Systems warned that North Korea’s Lazarus group is exploiting a vulnerability in ManageEngine’s ServiceDesk application on systems that haven’t been patched. The thing is, the patch for this was issued last year.
A British jury convicted an autistic 17-year-old member of the Lapsus$ gang of fraud, blackmail and misusing a computer. An 18-year-old autistic gang member who was found unfit to stand trial because of his mental health could not be convicted. But the jury found he committed 12 offences. The Lapsus$ gang’s successful hacks were the subject of a recent U.S. report that exposed weaknesses in organizations’ IT security. An alleged gang member was arrested in Brazil.
Personal information of over 2.6 million users of the Duolingo language learning app is being offered for sale on a hacking forum. The hacker says the data was scraped from an internet-exposed application programming interface. The company is looking into the report but says any data lost wasn’t because of a hack.
And IT administrators running the Openfire chat server are warned to install a patch as soon as possible if they haven’t done so already. The developer, Ignite Realtime, put out that patch in May to plug a vulnerability. The thing is, say researchers at VulnCheck, several thousand Openfire servers still aren’t patched. And there’s a new way to exploit that vulnerability.
(The following transcript is an edited version of the first part of the discussion between Jim Love and Terry Cutler. To hear the full conversation, play the podcast.)
Jim Love: The overall theme that seemed to jump out when we were flipping stuff back and forth [for topics] this week was stuff that we count on that might not be as dependable or as impervious as we thought. There are a number of stories I think we’ve both seen this week that drive this home. First we’ll talk about zero trust. Zero trust is supposed to be the big thing, and yet there are serious holes in it and serious ways people can get around it.
Terry Cutler: Zero trust is a concept that’s gained significant attention recently because it challenges the traditional security approach to how you authenticate trusted devices regardless of the location or the origin. But zero trust also offers a lot of complexities. The biggest one is when you start deploying a zero trust infrastructure it involves a significant amount of complexity in your organization: They need to reconfigure the existing infrastructure, implement new security controls, establish strict access policies. This could be really resource-intensive, and it might require specialized expertise to come in and help you get set up correctly. Of course this is going to cost the company a lot of money — and they may also have the problem where older systems might not even work together … [If not done right] the user experience is going to really deteriorate. Users as it is right now have a problem with just MFA (multifactor authentication), so imagine they have to authenticate multiple times throughout the day or throughout this session. They’re going to complain like crazy and just have a really poor experience. We’ve also seen a lot of significant management overhead [of a zero trust infrastructure] because there’s a lot of components: There’s going to be a lot more [network] segmentation, a lot more continuous monitoring — and maybe if there are a lot of false positives it could be a real big mess.
Jim: We always knew it would be difficult to implement and I think everybody who espoused it said that … And we all know what happens when people get disgruntled about security: They start trying to evade it.
Terry: We’ve seen where if people don’t have access to something they start sharing their passwords, they start using another person’s device just so they can get their job done more effectively. But when things like that happen they could lead to a lot of potential false positives.
Jim: My bank compromised my credit card, not because I was using it effectively but because I wasn’t using it the way I always do. There were a couple of charges I didn’t [usually] have and my credit card shut down on me. So when we get these interruptions they’re big, either in personal or work life. And the last thing we need is disgruntled people bypassing security. Is there any remedy for this?
Terry: The whole point [of zero trust] is to get visibility on your network and remove as much noise and complexity as possible. We’ve even seen cases where you’re trying to reconfigure the whole attack surface. But what’s happening is that a zero trust model prevents lateral movement from happening on your network, but at the same time if a device gets compromised the attacker now becomes one with the endpoint. It might also be able to bypass all the authentication methods.
Jim: One of the basic things we tell people to do is have strong passwords, don’t let other people use your machine and things like that. But if your passwords are stolen it really doesn’t matter how good they are. And credential theft just seems to be growing and growing and growing.
Terry: We do quite a bit of incident response. One that jumped out last year was [an organization’s] administrative password leaked onto the dark web. When we ran a credential scan to show them what was leaked they were surprised. What happened was the attackers used the password and were able to shut down the EDR [endpoint detection and response] solution and were able to lock up the [organization’s] computers. What’s interesting, though, is that they did not deploy ransomware. Because they had administrative access they enabled [Windows] BitLocker, locked up 400 computers and then charged $10,000 per computer [to unlock them].
Jim: What do we do as security professionals?
Terry: There’s no silver bullet to stop a hacker from getting in, right? The goal is to make it as difficult as possible. You need to have multifactor authentication turned on. I know it’s a pain in the butt for a lot of people, but it’s a necessity. If somebody does get hold of your crappy password they’re going to get blocked by that two-step verification … Not only that, you need to turn on port protection with your cellphone provider, which means that you have to show up in person with identification in order to transfer your line from one carrier to another. [Then an attacker can’t control your phone and get the two-factor authentication code to help them log in to your account.]
Jim: The other thing is don’t put sensitive things like passwords in an email.
Terry: Here’s an example of what happened to a customer: [An attacker] got access to one of his computers and was able to use that session and log into other computers on the network. The company hired us to do a penetration test, and so we did the pen test and provided the report by email with the password. The attackers were able to read [the victim’s] inbox and opened our report to find all the vulnerable systems. Then they started attacking the other environments … A lot of companies right now have insider threat monitoring and are saying, ‘I have a firewall, I have encryption, I have strong passwords. I’m safe. I don’t need anything else.’ But attackers know this. They’re not trying to hack your firewall and get detected when all they have to do is send a crafted email to one of your employees and have them click on a link. The average time that an attacker is in your network is 286 days before being detected. They’re in there harvesting as much information as they can — and then they’re going to launch a ransomware attack.