Welcome to Cyber Security Today the Week In Review edition for the week ending December 18th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
To hear the podcast click on the arrow below:
With me to analyze important events in the last seven days is Terry Cutler, CEO of Montreal’s Cyology Labs.Our focus will be two of the year’s biggest stories: One is the discovery that security patches for the Orion network monitoring platform used by thousands of companies and governments was infected to make it easy for hackers to break into companies. The other is a report into a huge data theft by an employee at the headquarters of a Canadian credit union.
But first a look at the week’s other headlines:
There were more claims by crooks that Canadian companies are among those recently hit with ransomware. They are threatening to release data stolen from Canadian firms, including a major airport. The airport said it had no current evidence of data theft, while a major construction company didn’t reply to my queries.
IBM has discovered a major bank fraud scheme that is stealing millions of dollars from financial institutions in the U.S. and Europe. It uses technology to log into accounts by simulating smartphones of customers. To banks it looks like a regular smartphone logging in. The crooks apparently already had stolen victims’ bank passwords. Financial institutions need to take better protections, like forcing customers to use multifactor authentication for logins.
Good news for Apple users: Developers now have to publish privacy labels with apps that summarize what personal information is collected and how it is used. Admittedly Apple relies on developers being honest, but it’s a step in the right direction. By the way soon Apple will require apps to get specific permission from users before they can track a users activity across the internet.
Cybersecurity researchers say they’ve found more than 45 million medical images such as x-rays lying unsecured on the Internet around the world. Those images are accompanied by personal data on patients. Poor security practices by medical labs and clinics are to blame.
Finally, security firm Avast says it found at least 28 bad apps for the Google Chrome and Microsoft Edge browsers in their respective company app stores. These are promoted by their developers as helpful aids for downloading content from Facebook and Instagram. What they really do is collect personal data from victims’ computers and smartphones. You’ve got to research every app before downloading.
OK, time for some serious talk with Terry Cutler.
It’s almost the end of the year but there’s still big events happening. One was the hack of the Orion network management software from a company called Solar Winds. An unnamed attacker — believed to be a country — modified the software updates to Orion earlier this year. That allowed the attacker to get into the computer systems to steal data. What’s alarming is Orion is used by some of the biggest companies and governments around the world.
I asked Terry how bad the damage could be. “I think it could be really, really bad,” he replied. From the reports I’m seeing right now there were hidden DLLs that were installed, but were programmed to activate weeks later. Those will also be known as logic bombs. And those I think are the future of cyberattacks. They’re planted, and on a specific time or an event the software will wake up and trigger the disaster. Think about this: If the attacker has full control of customers, and they don’t even realize they’re compromised, how hard is it for them to launch a ransomware attack?”
Companies trust the software updates they get, I pointed out. Is it up to firms to protect themselves or software companies to put ironclad protection around their applications? “It is it’s absolutely the vendors responsibility,” Terry said. “It’s very difficult [for firms] to protect.
“I’ll give you a real example. We did a penetration test years ago on a company that that public security. And we actually got access to their development server. Which allowed us to if we wanted to change their code. There were no checks or monitoring in place. And that’s the problem we see a lot with companies right now: They think they have a firewall and antivirus and they’re safe. But the problem is once the hackers get past that traditional security they have no internal detection processes in place to detect that there’s a hacker actually in the environment. So that’s where the big challenge is right now, there has to be a detection and response plan built-in.”
Our talk then turned to the data theft by a Desjardins credit union employee of personal information on almost 10 million current and former customers. Thanks to a report from the Privacy Commissioner of Canada this week, we got a lot of details. Briefly, the credit union kept data on customers in two databases. And both of them were off-limits to this employee. But company policy allowed one database to be copied by the marketing department for its use, I guess, presumably so it could develop financial products for companies, the marketing department’s copy of the data was supposed to be held in a restricted folder. It wasn’t. So the rogue employee was able to copy the data onto a USB stick and walk out of the office with it. Police are still investigating. But the report reveals all sorts of interesting facts. First, the credit union had lots of security policies. But some of them were ignored, like not making sure that data was restricted.
“I think that this is happening to a lot of companies,” Terry said. “They have these policies and procedures that the older employees are going to sign and then tuck it away in their drawer and forgot that they signed it years ago. But a lot of times, they don’t have the technology in place to enforce what they just signed. So we see this happen very often where the data is supposed to be kept in a secret location, which the other employees don’t have access to. But then they save the data to a common folder, which the whole company can see.”
I asked him about the value of data loss protection applications, which Desjardins was in the process of implementing. “We’ve seen it at the at some of the big four [Canadian banks]. The moment you try to print out documentation or data, research papers, or whatever it is, you’re blocked or monitored the whole time. We’ve even seen companies where somebody tried to steal all their data and actually keeps a log of every file they copied. So this way for doing the investigation, we’ll be able to see what files were copied to what USB device because there’ll be a signature in the registry of Windows, and it’ll tell you where that key was, or what key was used.”
To hear our full conversation play the podcast by clicking on the arrow at the top.