Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, November 3rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss recent news. But first a review of some of the headlines from the past seven days:
Forty-eight countries in the International Counter Ransomware Initiative met in Washington this week for their third annual strategy session. Among other things they pledged their national governments won’t pay data ransoms. Terry and I will discuss what this means.
We’ll also talk about allegations of wrongdoing made by a financial regulator against SolarWinds in the wake of the hack of its Orion platform, cyber attacks on libraries and the departure of BlackBerry CEO John Chen.
This was a big week for promises of more safety in artificial intelligence applications. President Biden issued an executive order to U.S. federal departments buying AI solutions. They have to see proof from developers their AI applications are secure and don’t foster discrimination.
In Britain 28 countries signed the voluntary Bletchley Declaration. They pledged to encourage developers to boost the safety of AI systems through testing before applications are released.
Meanwhile Microsoft announced a Secure Future Initiative, promising to transform the way it develops software with automation and artificial intelligence. It will apply systemic processes to integrate cybersecurity protection against emerging threat patterns as engineers code, test and deploy Microsoft products and services. Microsoft will also add more default multifactor authentication security for its products. And Microsoft will roll out a new automated key management system. This comes after Microsoft admitted China-based hackers got hold of a Microsoft signing key to access Outlook email inboxes.
Identity management provider Okta is notifying about 5,000 employees that their personal information was copied when one of its service providers was hacked. That provider is Rightway Healthcare, which provides healthcare management services for business employees. Rightway said a hacker got hold of a data file with a list of patient names, Social Security numbers, and health or medical insurance plan numbers.
Deer Oaks Behavioral Health, a Texas-based mental healthcare provider, is notifying over 171,000 people some of their personal information may have been copied by an attacker earlier this year. Copied was information including names, addresses, dates of birth, Social Security numbers, diagnosis codes and treatment service type.
Americans looking for work can turn to reshipping companies to pick up a few bucks. All they have to do is repackage and forward a product that gets sent to them so it can go to a restricted country — like Russia. But they may be working for crooks who bought the goods with stolen credit cards and set up these shipping services. U.S. cybersecurity reporter Brian Krebs wrote an article this week exposing the scam. It’s a good read.
Finally, financial intelligence experts from five countries were in Canada this week to participate in the fifth annual Cyber Challenge. This year’s exercise focused on using data mining tools to find leads in cryptocurrency movement that could be tax evasion or money laundering. None of my listeners engage in anything illegal like that so you have nothing to worry about.
(The following is a transcript of part of the discussion. To hear the full conversation play the podcast)
Howard: We’ll start with a meeting in Washington this week of nations agreeing to work together to fight ransomware.
This was the third meeting of the International Counter Ransomware Initiative. There are 13 more countries in the group, bringing the total to 48 — although missing are Russia, China and North Korea. This year there was no public session at the end. Instead after working two days behind closed doors the group issued a press release saying they continue to share resources and work together to disrupt gangs and the financial networks they use for support. Two things of interest: One is they are looking at ways artificial intelligence can help their work. The other thing is that the countries pledged their national governments won’t give in and pay ransoms for access to stolen or encrypted data.
Note this pledge doesn’t apply to state, provincial, county or municipal governments. Nor is there a promise to forbid companies from paying. What do you think about this pledge? Will it mean much?
Terry Cutler: It’s obviously a high-level pledge. We’re sending a message that these countries are not going to pay ransoms, they’re going to stand united. But in some cases might a threat actor be targeting them because they perceive possibly reduced profitability? As you mentioned, it’s a limited scope. It doesn’t mean that the local governments or even companies will be forced not to pay if they get hit with ransomware. What are they going to do to get their data back? And Russia, China and North Korea are not listed in there. That’s where most of the threat actors come from. I think that the ransomware gangs are going to recognize this pledge, and that’s going to make them shift their focus towards targets that they believe are going to pay.
Howard: Can Western governments — Canada, the U.S., Britain, Germany and so on — can they make it illegal for a business to pay a threat actor for stealing or compromising their data?
Terry: Let’s think of a hospital that is ransomed. They’re facing a life-and-death situation. If they pay the ransom they can be up and running in a couple of hours. If they don’t pay the ransom they might never come back online because maybe their backups got destroyed. So now they’re forced to pay this ransom. It’s going to be a very tough call.
Howard: Wait a minute. You say an institution can be back up in a couple of hours. That’s not quite true, because you can’t trust that the ransomware gang hasn’t left some malware sitting there. Therefore you’re going to have to go through a full examination of your IT network before you can put critical systems back up, to make sure that you’re not going to get whacked again.
Terry: That’s absolutely true. We’ve seen cases where a customer had to pay the ransom. We got the decryptor key and launched the script against the encrypted data, and the data became available immediately. However, all the holes are still in place so they can come back and hit you again. I absolutely agree with you on that.
Howard: What about at least making it mandatory for companies to report that their firm has decided to pay? That way governments at the very least have some data about how common it is. That’s the rule now in the United States: If you pay a ransom you’ve got to let the Department of Homeland Security know about it. [actually, to DHS’s Cybersecurity and Infrastructure Security Agency (CISA). The obligation only covers firms in critical infrastructure sectors].
Terry: I talked about this at the recent MISA Ontario event [the annual cybersecurity conference of the Ontario branch of the Municipal Information Systems Association], where we put up a slide with a list of all the cyber instances that are happening in various sectors. You know, 24,000 incidents in the public sector have occurred. But only 300 have been confirmed or disclosed. Obviously a lot of folks are sweeping their attacks under the rug. So the more information that you provide to law enforcement, the more it allows them to build ammunition to go after these cyber gangs and shut them down.
Howard: Successful ransom attacks are hitting records this year. Why? Let me give you a couple of examples: Just this week a Canadian group of hospitals that share a services provider acknowledged that last week’s cyber attack was ransomware. In a few minutes, we’re going to be talking about ransomware attacks on libraries and Bleeping Computer just reported that this week’s attack on the Toronto Public Library system was ransomware. Boeing has just confirmed that it’s looking into a cyber incident after the Lockbit ransomware gang said it stole a tremendous amount of data from the aircraft manufacturer. Why is ransomware again hitting records?
Terry: I think a couple of issues are going on here. It’s around the whole profitability issue [for gangs]. Ransomware is proven to be a highly profitable venture for these cyber criminals. And of course they’re spinning off a bunch of new gangs. And cryptocurrency makes it easier for cyber attackers to demand and receive payment completely anonymously. We’re also seeing the rise of ransomware as a service, where the tools [for creating cyber attacks and ransomware] are sold or leased. Also, if you remember back in 2020 when we started working from home because of Covid, that accelerated digital transformation for a lot of companies, but they weren’t expecting to have all their employees work from home. Because they had to rush to get [remote working] technology up and running, it led to a lot more potential vulnerabilities in IT systems.