This is the Week In Review edition for the week ending Friday February 26th.
In a few minutes I’ll have a discussion with guest commentator Terry Cutler of Cyology Labs. But first a look at the news highlights of the past seven days:
Executives from tech companies faced questions from a U.S. Senate committee in the wake of the compromise of the SolarWinds Orion network monitoring platform. Senators wanted to know two things from SolarWinds, Microsoft, FireEye and CrowdStrike: how the cybersecurity industry was caught off guard, and whether it is time for mandatory breach disclosure to an agency so that warnings of hacks can be distributed more quickly. The answer to the first question was that if an attack is orchestrated by a skilled nation state with a lot of resources, no one is immune. As for mandatory breach disclosure, there was a lot of support but also unanswered questions: Who should victim companies report to? Who within a company should do the reporting? Should reports be confidential? Will those reporting need liability protection so they won’t be sued? And should it be a detailed disclosure or just a more general notification? Terry and I will talk about that later.
IT managers whose firms use VMware’s vCenter Server for managing virtual environments are being warned to update the application quickly. This comes after a Chinese security researcher published a proof-of-concept attack against the vSphere Client component of vCenter. Unfortunately the researcher didn’t wait until VMware had issued the patch. The patch is out now, so administrators should act fast.
The buying and selling of stolen login credentials is big business for crooks. A report this week from the cybersecurity firm Digital Shadows notes that with more people working from home because of the pandemic, prices are climbing. The average selling price of initial access to a corporate IT network is just over $7,000. The average price of more specialized remote desktop access is just under $10,000. Defences include not exposing remote desktop (RDP) services to the open Internet, and requiring multifactor authentication as extra protection for logins.
The number of companies victimized through vulnerabilities in the Accellion FTA file-transfer software continues to grow. That prompted cybersecurity agencies in five countries, including the U.S., to issue a global alert urging organizations that use the utility to scour their systems for signs of compromise and to start considering other file-transfer options, because support for FTA ends in April.
This week IBM released its annual look back at the previous year’s cybersecurity trends. It included an interesting number: the most common way victim environments were initially breached last year was by scanning victims’ systems for vulnerabilities and exploiting them. That was the case in 35 per cent of incidents examined, and it was the first time in years that something other than phishing was the top initial attack vector.
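The scan-and-exploit pattern in the IBM figure leaves a trail in a defender’s own perimeter logs before any exploitation happens. As an added example (not from the IBM report or from this podcast), here is a small Python detector that reads firewall deny lines in an assumed format and flags two scan shapes: one source probing many ports on one host (a vertical scan) and one source probing one port across many hosts (a horizontal sweep, such as hunting for exposed RDP). The log lines are constructed, and the line format, field layout, window and thresholds are all assumptions to tune for your own devices.

```python
"""Flag port-scan reconnaissance in firewall deny logs (added example; the log
format "<ISO-8601 UTC ts> DENY <src> -> <dst>:<port>/<proto>" is an assumption)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable, List, Optional

LINE_RE = re.compile(r"^(\S+) DENY (\S+) -> (\S+):(\d+)/(\w+)$")

# Constructed sample log using RFC 5737 documentation addresses, not captured traffic.
SAMPLE_LOG = """\
2021-02-22T10:00:01Z DENY 203.0.113.7 -> 198.51.100.10:21/tcp
2021-02-22T10:00:02Z DENY 203.0.113.7 -> 198.51.100.10:22/tcp
2021-02-22T10:00:03Z DENY 203.0.113.7 -> 198.51.100.10:23/tcp
2021-02-22T10:00:04Z DENY 203.0.113.7 -> 198.51.100.10:25/tcp
2021-02-22T10:00:05Z DENY 203.0.113.7 -> 198.51.100.10:80/tcp
2021-02-22T10:00:06Z DENY 203.0.113.7 -> 198.51.100.10:443/tcp
2021-02-22T10:00:07Z DENY 203.0.113.7 -> 198.51.100.10:3389/tcp
2021-02-22T10:00:08Z DENY 203.0.113.7 -> 198.51.100.10:8080/tcp
2021-02-22T10:00:09Z ALLOW 192.0.2.5 -> 198.51.100.10:443/tcp
2021-02-22T10:05:00Z DENY 203.0.113.9 -> 198.51.100.10:3389/tcp
2021-02-22T10:05:01Z DENY 203.0.113.9 -> 198.51.100.11:3389/tcp
2021-02-22T10:05:02Z DENY 203.0.113.9 -> 198.51.100.12:3389/tcp
2021-02-22T10:05:03Z DENY 203.0.113.9 -> 198.51.100.13:3389/tcp
2021-02-22T10:05:04Z DENY 203.0.113.9 -> 198.51.100.14:3389/tcp
2021-02-22T11:00:00Z DENY 203.0.113.20 -> 198.51.100.12:22/tcp
2021-02-22T11:40:00Z DENY 203.0.113.20 -> 198.51.100.12:80/tcp
2021-02-22T12:20:00Z DENY 203.0.113.20 -> 198.51.100.12:443/tcp
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    port: int
    proto: str


@dataclass(frozen=True)
class Finding:
    src: str     # scanning source
    kind: str    # "vertical" (many ports, one host) or "horizontal" (one port, many hosts)
    target: str  # host scanned, or "port/proto" swept
    count: int   # distinct ports or hosts seen inside one window


def parse_line(line: str) -> Optional[Event]:
    """Parse one deny line; non-matching lines (allows, noise) return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), proto)


def _max_distinct_in_window(events: List[Event], key: Callable[[Event], object], window: int) -> int:
    """Most distinct key(e) values inside any `window`-second span (sliding window over time)."""
    events = sorted(events, key=lambda e: e.ts)
    live: Counter = Counter()
    best = left = 0
    for e in events:
        live[key(e)] += 1
        while (e.ts - events[left].ts).total_seconds() > window:  # evict events that aged out
            k = key(events[left])
            live[k] -= 1
            if live[k] == 0:
                del live[k]
            left += 1
        best = max(best, len(live))
    return best


def detect_scans(lines: Iterable[str], window: int = 60,
                 port_threshold: int = 5, host_threshold: int = 4) -> List[Finding]:
    """One Finding per (source, target) whose distinct-port or distinct-host count
    crosses its threshold within `window` seconds. Thresholds are assumptions to tune."""
    by_src_dst = defaultdict(list)   # (src, dst) -> events, for vertical scans
    by_src_port = defaultdict(list)  # (src, port, proto) -> events, for horizontal sweeps
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        by_src_dst[(ev.src, ev.dst)].append(ev)
        by_src_port[(ev.src, ev.port, ev.proto)].append(ev)

    findings: List[Finding] = []
    for (src, dst), evs in by_src_dst.items():
        n = _max_distinct_in_window(evs, lambda e: (e.port, e.proto), window)
        if n >= port_threshold:
            findings.append(Finding(src, "vertical", dst, n))
    for (src, port, proto), evs in by_src_port.items():
        n = _max_distinct_in_window(evs, lambda e: e.dst, window)
        if n >= host_threshold:
            findings.append(Finding(src, "horizontal", f"{port}/{proto}", n))
    return sorted(findings, key=lambda f: (f.src, f.kind))
```

Running `detect_scans(SAMPLE_LOG.splitlines())` reports 203.0.113.7 as a vertical scan of 198.51.100.10 (8 ports in 8 seconds) and 203.0.113.9 as a horizontal sweep of 3389/tcp across 5 hosts. The third source, 203.0.113.20, probes three ports 40 minutes apart and is not flagged: a fixed 60-second window is exactly what a patient scanner defeats, so in practice pair this with a longer-horizon count per source, and treat any probe of a port you do not expose (3389 in the sample) as worth a look on its own.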
The issue of how much attackers can find out about your IT environment by external scanning is one of the topics I’ll be discussing with guest analyst Terry Cutler of Cyology Labs.
The following is a condensed version of our talk. To hear the full version play the podcast.
Mandatory incident reporting
Howard: At the Senate hearing there were a lot of questions about threat intelligence sharing. And that’s because the U.S. cyber and intelligence agencies — which get a lot of money — were caught off guard by the SolarWinds hack. It was up to SolarWinds and others to tell the world. They could have kept it quiet. SolarWinds could have just quietly issued a fix. So a number of Senators asked if there should be mandatory breach reporting to some American department or agency to spread the word fast about a new attack method. Perhaps the same thing should be done in other countries. What do you think?
Terry: I think there should be a disclosure at some point. But what happened [at SolarWinds] is in the nature of a zero-day attack: Basically, nobody knows about this attack that’s going on. So there’s no information to share. And when the breach does occur, the company has to investigate what exactly was taken, what was accessed before they can tell the public. This investigation can take days, weeks, months to do. But during that investigation period, that data or system is vulnerable. And that’s how the [SolarWinds] hackers were able to leverage that period of time to gain access to all the other corporations.
Q: So should the government be involved in incident reporting, or is it better left to the private sector?
Terry: I think it’s going to be better, more proactive and quicker to do it through the private sector. But again, it’s a very difficult subject because there’s company reputation involved. There’s a lot of time invested in an investigation into what was disclosed, how much information can we actually tell the world about our breach without making us look like fools. Then eventually stuff does turn up later on. Look what happened to [the hack at the Desjardins credit union]. They said only a certain number of records were accessed and it ended up being the whole thing. [Almost 10 million current and former customers].
Q: Do you have any thoughts about how much detail should be disclosed? One of the [Senate] witnesses talked about “notification”, not “disclosure.” Some people may think that’s a semantic distinction. I think the idea was if you’re only going to give notification, give us as few details as possible.
Terry: Right. Because a lot of times, if you say too much and you’re able to explain how the hack happened it’s going to give ideas to copycats who go after other companies that haven’t done the updates.
Q: So one possibility is the information would be disclosed in confidence to a government agency like a government intelligence department, or perhaps a hybrid body where government representatives sit alongside industry members. It would be seen as an independent agency.
Terry: I think it’s a work in progress …
Q: From your years in the security industry, do you think that there’s enough threat sharing?
Terry: I think there are some really great resources for threat sharing. I think … we’re getting information overload. I’m subscribed to a bunch of threat feeds and I’ve got 913 unread emails. It’s just [hard] keeping up with all this stuff.
What attackers can learn before a hack
Q: I want to turn now to talk about what attackers can learn about your IT environment through port scanning and scanning the Internet [before a hack]. Port scanning is an old technique. Scanning the internet with the Shodan search engine gives attackers all sorts of information. For example, in the VMware story I talked about earlier, a Shodan scan reportedly shows over 6,000 vulnerable servers connected to the Internet. That’s valuable intelligence to an attacker. What can attackers learn for free before launching an attack?
Terry: Script kiddies will start port scanning. But the ones that really want to get in are going to do a bit more work. They’re going to look at stuff like port scanning, maybe what job postings you’re looking for. If you’re looking for an IT administrator, you’re going to list software that [candidates] need to be familiar with. That tells the attacker what operating systems and software are running in your firm. And with that information they might, through open source intelligence tools, map out how your network is set up.
They want to find out who your vendors are, who your CEO of the company is, maybe where he lives, or even sometimes maybe, maybe where his kids go to school. Listeners might be thinking that’s a bit creepy. Why do you want to know where his kids go to school? Well, imagine if [an attacker] did a spoof call to his cell phone that his kid’s been injured, how fast is he going to leave his office or his house? …
Q: I raised this because of that IBM report, which said that scanning for vulnerabilities has now become a big part of attackers’ toolkits. What information can an attacker find out about your network?
Terry: There’s some great stuff they can find out about. Things like what software is running on your environment right now, the versions and what vulnerabilities exist for them. … A lot of companies are lacking in proper patch management. They’re also faced sometimes where some of their software can’t be updated because it’s going to break older legacy technology or software. So the hackers always have that little window of opportunity to take advantage of.
Q: What can you tell us from your experience as a penetration tester when you’ve been hired to test an organization’s defenses? What have you discovered?
Terry: Humans are the weakest link. So a lot of times I do social engineering — not just the phishing attacks, but I actually like to show up in person. I could share two stories … I was hired to hack into a company from the outside, and I couldn’t do it. So I dressed casual and drove up to their office, walked up to the receptionist and said, ‘I feel really embarrassed. May I please use your washroom? I’ve been driving around for hours. I’ve got the kids in the car … I promise it’ll never happen again.’ The bathroom was behind the counter. So she buzzed me in. When I was in there I left two [compromised] USBs in the stalls and walked out. About two hours later, a curious employee plugged one in … and the software allowed me to get backdoor access into their system. And I was able to bypass all their security.
Another one was a retail company. I walked into one of their outlets. I looked for an employee who had headphones on and was stocking the shelves. And I said, ‘Hey, I’m from IT. I’m doing an upgrade. Can you let me into the server room in the back?’ He’s like, ‘Okay.’ That shocked me. So my heart was racing at this point, right. So he brings me in the back and I could see him in the right place. I say I’m going to go for lunch, and I come back with my two colleagues; we’re going to finish this upgrade. I went to see the same guy … and he hands me the key [to the server]. He never asked me who I was or if I worked there. I had no ID. When we were in the back our equipment was all over the tables; their employees couldn’t work there. And the entire time we were there, nobody once asked us what the heck we were doing there, or said, give us your names, who are you working for? And three hours later we compromised the whole domain and had full access.
Port scanning is not the problem. It’s when you start seeing the exploitation of the systems, that’s when you know that you need to beef up the security.