Welcome to Cyber Security Today. This is the Week In Review edition for Friday April 30th. From my studio in Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Dinah Davis and I will talk about some of the interesting stories, but first a summary of what happened in the past seven days:
Ransomware – again – was in the headlines. After stealing what it says are schematics for Apple devices from Taiwan manufacturer Quanta Computer and threatening to release them, the REvil gang removed the data from its leak site. The Bleeping Computer news service says that’s to give Apple and Quanta time to negotiate. The ransom demand has allegedly dropped to $20 million from $50 million. However, the gang says more Apple schematics will be released if there isn’t progress. REvil’s original deadline is tomorrow, Saturday, May 1st.
Another ransomware gang hit the Washington D.C. police force. It says 250 gigabytes of unencrypted data was copied. The gang threatens to release the names of police informants unless a ransom is paid.
And just as we recorded this podcast a Ransomware Task Force called for an international effort to fight ransomware. That report is one of the things Dinah and I will discuss.
Another item we’ll talk about is the scathing security diagnosis by the encrypted chat service Signal of a digital forensic tool called Cellebrite. It’s used by police in democratic and not-so-democratic countries to hack into smartphones they get their hands on. Briefly, Signal says Cellebrite’s application security is lousy.
Cyber experts urge organizations to give employees software-based password managers to keep track of all the passwords they have. However, these applications and their infrastructure better be bullet-proof. A manager called Passwordstate wasn’t. The update mechanism of the application was hacked. For two days last week anyone who downloaded Passwordstate updates had the manager compromised. This is what’s called a third-party or supply chain attack.
Finally, cyber crooks are fast to use news stories as hooks for their scams. Here’s another example: When Canadian wireless carrier Rogers Communications promised a refund to customers because of a nationwide outage last week, attackers took advantage. According to CBC News, text messages are circulating pretending to be from Rogers with a shortened link to a $50 credit. The link would either install malware or be used to capture passwords. Be careful with text messages that contain links. Usually you can’t tell who they’re from, or where the links go.
(The following is an edited version of my talk with Dinah Davis, vice-president of research and development at managed security provider Arctic Wolf.)
I want to start by talking about the Ransomware Task Force recommendations.
It calls for co-ordinated diplomatic and law enforcement efforts to prioritize the fight against ransomware groups. In fact one section calls on countries to declare ransomware a national threat. Countries should force companies to report ransomware payments and require them to consider alternatives before making payments. And governments should require cryptocurrency exchanges to comply with anti-money laundering laws. There are lots of other recommendations. Is this achievable?
Dinah: I think some of them are very achievable and others are very long stretch goals. One of the things I really liked about it is that they put it into a framework: Four big steps – deter ransomware attacks, disrupt the ransomware business model, help organizations prepare and respond to ransomware attacks more effectively. There are definitely things that we could be doing right away. Other things are going to take a lot more work, mostly diplomatic work to really push countries that are harboring ransomware organizations to not do that anymore.
Howard: By coincidence, the day this report was released, I did a big ransomware feature. I talked to a number of experts who said it bears repeating, again, that organizations have to do the basics to fight ransomware, and that includes patching your software regularly, using multi-factor authentication to prevent email and other logins from being hacked, and encrypting sensitive data so if it’s stolen hackers can’t use it. And thorough awareness training for your staff to prevent them from clicking on email links.
I want to move now to the Cellebrite story.
Dinah: Cellebrite is an Israeli digital forensics company. They provide tools for the collection, analysis and management of digital data. It’s often used by many law enforcement agencies around the world to extract data off of criminals’ mobile phones by plugging the phone into the Cellebrite tool, which is called UFED. … The tool is used by well-meaning law enforcement and perhaps less well-meaning governments.
On the opposite side is a secure encrypted messaging app called Signal, founded by Moxie Marlinspike. In December 2020 Cellebrite announced that they can decrypt the Signal app. This is a pretty big deal. And they described on their website how it’s done. The issue was that Cellebrite had root access to an unlocked Android device. That means that all they had to do was open the app and read the messages. So they kind of got laughed at. On December 23rd, Moxie Marlinspike wrote an article on his blog that described why it wasn’t actually breaking any of Signal’s encryption. Cellebrite quickly updated the post to remove all the details …
This week Moxie published a report on the Signal website about the vulnerabilities in the UFED tool that Cellebrite makes. To do that he had to get one for himself. He says when out for a walk he saw a small package fall off a truck. [It was a Cellebrite briefcase]. So let’s think about what the Cellebrite tool actually does: You connect your phone to their software and what it does is it tries to find all the data on the phone, parse it out, look at it and then return it to the user in a readable fashion.
You would think that the Cellebrite tool would sanitize the data or at least pull it in a way to make sure that any of the data that they’re pulling off there couldn’t hurt their own tool. Well, turns out no. In fact, it’s actually a lot worse than that. One of the [software] libraries that they’re using in the product was last updated by them in 2012. Since then, there’ve been hundreds of security updates to that software library that they’re using that are not included in their product. So now their product is actually quite insecure. Think of the ramifications of that: Can they prove that everything they pull off the device actually came off that device? It could be hacked [by police, or anyone]. Moxie said it’s possible to execute arbitrary code on a Cellebrite machine simply by including specially formatted but otherwise innocuous files in any app on a device that is subsequently plugged into Cellebrite and scanned.
Howard: One wonders if this is going to have wider consequences. I say that because I saw a news story that said an American lawyer is going to appeal the conviction of his client, which was based on data that was pulled from his client’s cell phone using Cellebrite. He’s going to argue that the evidence should be excluded because the data pulled by Cellebrite has severe defects.
Finally, I want to look ahead. Thursday, May 6th is World Password Day, to remind IT managers and individuals of the need to choose better passwords and to protect them better. Unfortunately too many people use insecure passwords. Here’s an example from this week: a cybersecurity company told me about a successful ransomware attack that started with a hacker figuring out a lawyer’s password. That password was “BMWman.”
My source thinks that it was a brute force attack, that by going through a list of passwords and going through some educated guesses he (the hacker) came up with that password. I think it’s also possible that the hacker had researched that lawyer and found he was a BMW enthusiast and guessed that perhaps that may be his password. That’s how hackers work.
Dinah: Either one is possible. “BMWman” is not that complicated … And if the guy’s got lots of pictures of BMWs [on his social media page] that could also have been where they went with that.
Howard: For all you car enthusiasts, I sure hope that your password isn’t “PorscheMan,” or “FerrariMan.” What’s your advice on passwords?
Dinah: I’m going to say it every single time: Use a password manager. All of the things they tell you not to do with passwords: Never show it to anybody else. Don’t repeat it. Don’t use a password twice. Length is better than anything: long passwords. The best way to do that is use a password manager where you only have to remember one really good password and then it does the rest for you.
Howard: Think about a passphrase, because it’s easier to remember and no one’s likely to guess. So for example, if your initials are A.L.R., make a password like AppleLyonRocket. In my opinion all you need to remember are three or four main passwords — your computer login, your email and your work login and your bank. If you have a fingerprint scanner you don’t even have to have a password for your smartphone or your laptop. And use a password manager.
Dinah: That’s key because 90 per cent of socially engineered attacks happen using passwords.
Howard: One other thing I want to mention in association with passwords: don’t forget to enable multi-factor authentication wherever any service or login that you have will allow it. And IT managers need to remember that the whole multi-factor authentication mechanism needs to be protected as well. Make sure that the administrator who oversees access management and the multi-factor authentication system uses a key or a token, not SMS text, for retrieving their authorization code. And if your smartphone is used as the administrator’s authentication mechanism, make sure that hackers can’t add a second phone that can receive the code. That’s one of the ways that MFA gets bypassed.
The Canadian Cyber Security Center has this guidance on choosing passwords.