Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, July 1st, 2022.
Today is Canada Day, so if you’re listening on this national holiday weekend, thanks for tuning in.
In a few minutes David Shipley of Beauceron Security will join me to discuss recent cybersecurity news. But first a review of some of the highlights from the last seven days:
Fed up with malicious botnets spreading malware, this country’s telecommunications regulator says mandatory botnet blocking will be part of the responsibilities of internet carriers here. But first the regulator will work out a framework carriers can use. David and I will discuss the implications.
We’ll also look at an advisory from the U.S. that government departments and companies subscribing to Microsoft Exchange Online should immediately switch from what’s called Basic Authentication for logging in users to the safer Modern Authentication.
A Hamilton teen who stole $48-million in cryptocurrency from an American entrepreneur by hacking his cellphone has been sentenced by a Canadian judge to one year on probation and banned from handling digital currency for a year. David will have some thoughts on the ease with which some cellphone carriers fall for SIM card swapping.
And we’ll examine what could have been a catastrophe for a Japanese city when an IT contractor lost a USB stick with personal data on all of the municipality’s 460,000 residents.
Elsewhere, the newly-formed Black Basta ransomware gang is claiming to have successfully hit 50 victims, while those behind the retiring Conti-branded gang claim to have successfully hit 46 organizations in April before dismantling their infrastructure.
The problem with claims by crooks is they are hard to confirm. For example Walmart this week denied claims by a gang saying it successfully hit the retailer. And at the time of this recording microprocessor manufacturer AMD was investigating a claim by a data theft and extortion group called RansomHouse that it stole 450 gigabytes of data from the company last year.
Security researcher Brett Callow of Emsisoft reported the Lockbit ransomware gang is finding new ways to squeeze victims to pay up. One is offering options on its data leak site for victims to pay to destroy stolen data. There’s also an option for crooks to buy the data. As time goes on the prices drop — so the longer the victim waits to pay, the more likely it is a crook will buy the data because it’s cheaper than the starting price.
Finally, cybercriminals and nation states aren’t the only attackers IT leaders have to worry about. According to an investigation published Thursday by the Reuters news agency, a number of companies are using hack-for-hire firms to get the dirt on competitors or information for lawsuits. At least 75 U.S. and European companies, three dozen advocacy and media groups, numerous Western business executives and lawyers have been the targets of these hacking attempts, says the story. Many hack-for-hire groups are based in India, the story says. Also on Thursday, Google said it has blocked browser access to websites and domains of some hack-for-hire firms based in the United Arab Emirates, Russia and India. These groups often use phishing messages to steal victims passwords, which, again, means security awareness training of employees is vital to fight these threats.
(The following transcript has been edited for clarity. To hear the full discussion play the podcast)
Howard: Let’s start with the decision by the Canadian Radio-television and Telecommunications Commission (CRTC), which is our national telecom regulator. It says internet providers here will have to block malicious botnets. Until now it’s been up to IT departments and individuals to fight malware. But ISPs will have to join the fight, says the regulator. On the other hand it won’t start for months until a blocking mechanism has been worked out. This raises a couple of questions: What do you think of this decision, and do you think that mandatory botnet blocking should be a responsibility of internet providers?
David Shipley: I’ll start off with do I think it should be the responsibility of the internet service providers? For some groups — the residential, retail consumer — there may be a good case. I don’t think there’s a good case for businesses, enterprises, governments, etc. They have IT teams, resources etc. I think on balance the potential for false-positive chaos outweighs the additional incremental benefits. For residential, sure — and that’s where I would focus my time. The CRTC is a regulator for residential. So they should say, ‘Let’s make sure all your ISP-provided equipment is patched on a regular basis so It doesn’t become part of a botnet.’ That’s where I would have started.
Howard: Canada’s major internet providers do botnet blocking now. But they don’t have a uniform process for doing it — and they don’t want it to be mandatory. So in submissions to the commission, for example, Bell said if the commission approves one type of blocking malicious actors are just going to choose a way to evade it. Another carrier argued that mandatory regulation would cultivate a false sense of confidence among Canadians leading them to believe that they don’t have to do much computer security themselves.
David: I don’t know how much the ‘We don’t have to do much computer security’ argument holds. The point about if they picked one particular approach criminals are going to evade it is 100 per cent. Listen the security industry: The criminal industry is constantly playing the cat-and-mouse game. ‘If you go DNS-based domain blocking, we’re going to make sure that we’re either rotating the domains so fast that your blocking is going to be ineffective at best, or we’re going to use combinations of internet protocol addresses and ports and other technologies.’ I think it’s going to be tough to build a comprehensive solution that blocks botnets and that works at speed. As we have more devices — and remember we’re making this grand transition to IP v6 so we’re not talking about a small number of IP addresses anymore — your ability to rotate through decreases, particularly if attackers build botnets out of IoT devices around the world. This is going to be a cost burden on organizations. It’s going to be interesting to see how it plays out. I don’t buy for a second that they’re going to get a technologically neutral, robust, resilient technology implemented at all the major carriers anytime in the next five years. It will be haphazard.
Howard: But they do it already, but not in a uniform way. So why isn’t it within the power of the commission to say, ‘You guys do it but Canadians want it done efficiently and we’re going to mandate a minimum set of standards?
David: The big three internet providers could pull something together. But not the rest of them. And who’s paying the bill? The regulators say we need you to do this, who’s going to actually pay for it? If there’s no funding from the government or the regulator, guess what? We’re all about to pay a new blocking fee on our bills. At the time when Canadians are complaining about the already skyrocketing costs of everything I guess the internet was missing the inflation joy ride and we want to Jack prices up there as well … What I’m desperately afraid of is they screw this up because of the impact to people. We are heading into another wave of the pandemic and remote work is here to stay, so what happens when through no fault of your own you’ve got a device in your household that’s part of a botnet and your ISP is blocking it? That means cutting people off inside Canada from the internet until they remediate and clean up their household IT environment. Maybe there’s erroneous data. Maybe it’s accurate. This is such a complex, wicked problem that I think oversimplifying it, rushing something to meet a regulatory mandate could cost Canadians a lot.
Howard: There are three possible techniques for botnet blocking as I understand it: Domain-based blocking, internet-protocol-based blocking and protocol-based blocking. Can you talk about how they differ?
David: Domain-based blocking is going to basically mean that anything like that’s coming from, say, “davidsbadsite.com”, is going to get blocked regardless of that site being served by multiple servers, maybe with different IP addresses etc. Anything that’s associated with that domain is blocked. That’s relatively easy. The CIRA (the Canadian Internet Registry Authority) has the Canadian Shield. You can sign up for it, it works on your mobile device and your computer, and it’s built into the Firefox browser. It’s very similar to Google Safe Browsing and Microsoft’s Smart Screen technology.
IP-based filtering filters anything coming from an IP address. The problem with that is, as I mentioned before, if you’ve compromised a small business’ IT environment and you’re using them to launch attacks from it’s their IP address that gets blocked. And if I’m a criminal operator I’ve built botnets on people’s computers, mobile devices, routers, etc., and I can rotate through those very, very quickly. This is what they call fast flux. You might be blocking an IP and it might be bad for 35 minutes before the routers reset and that persistence is gone. It’s no longer a threat. How long does that IP stay bad and whose IP is that associated with? Port protocol blocking is what IPS do now. They’ve been nailing peer-to-peer movie file sharing, music file sharing sites. They’ve got decades worth of experience doing that. That’s where all of them have an interest because they hate getting those stupid copyright notices [from content creators] and then trying to feed them to their customers. Protocol or port base blocking is the one ISPs are most familiar with, and it’s also fraught with potential errors. And none of these three are guaranteed to be right, and so the chance for error or false positive blocking is very, very high.
Howard: Would a carrier have to do all three of these to be effective? Could it do all three?
David: That’s the thing. The argument in front is saying just do one. So if a threat actor knows you’re blocking based on domains they’re going to set up IPs and other things that aren’t going to end up getting triggered based on that [blocked] list. I think you do have to do domain blocking. We know the domain blocking works. But then it comes down to what else to try. And then there’s the question of [blocking] speed. The way that the criminal ecosystem will respond is rotating through things faster and being more targeted with how they do things. I don’t believe this [blocking] is a silver bullet. Is it going to shut down some of the stupider ones? Sure. Is it a good thing in general to go after botnets? Yes. But the devil is going to be in the details of how they build this out, how they actually share blocking information and will it be co-ordinated with Microsoft and Google so we actually have a coherent defensive layer from the browser right to the network? Or is everyone going to do their own thing — in which case if you are an unfortunate small business or university in Canada, which is where a lot of malware tends to get pumped out of, and you get on the bad list how long is it going to take you to get off the list? What’s the process going to be for getting off those lists? What’s the appeal going to be if you ask them to take you off it and they say no? The administrative side of this is even more complex than the technological side — and the technological side isn’t easy.
Howard: The CRTC has said that any framework that gets created for network-level botnet blocking — meaning by ISPs — has to be technologically neutral. And it must not be limited to a particular type of blocking so ISPs can adopt to technological changes and techniques employed by bot masters.
David: And again, what’s the cost of this? I think the banking coalition submission to the commission and a few others said 20 to 30 per cent of ISP traffic is acknowledged to be botnet traffic. So now we’re going to be asking ISPs to be the traffic cops in a co-ordinated, regulated, uniform fashion. That’s not going to be easy. That’s not going to be cheap. I’ve got so many concerns about this. It’s a great example of wishful thinking and a silver bullet: ‘We’re just going to do x and it’s going to gonna solve it,’ without necessarily understanding all of the unintended consequences. If it was easy and cheap to do carriers would have done it already because then they would be optimizing the actual traffic flow in line with their business. So it’s going to be neither easy or cheap to do, which means we’re all about to pay more for internet.
Howard: The commission has ordered its staff to look at the creation or the designation of an independent body that will create a block list of domains or IP addresses that all providers have to use. And then that way there will be some uniformity on what’s blocked. There would also be an appeal mechanism so you can appeal if your company is on the blocked list. Commission staff have nine months to report back on the possible creation of such a body, and there will also be industry consultation. The CRTC also says no blocking mechanism can be used for commercial, competitive or political purposes. So does that go some way to meet your concerns? Is this going to work or is the devil in the details?
David: I think you know the devil’s in the details … What are the timelines for an appeal? I’ve had some interesting experiences with Google and Microsoft. My company provides simulated phishing platforms, and the test phishing emails are so good that sometimes Microsoft thinks they’re real phishing attacks and so does Google and they get blocked. So we have to work through their appeal process. Most times we get stuff lifted after 24 hours, but sometimes we’ve seen things go on for weeks. So I have grave concerns about how fast botnet blocklist appeals will take and who’s going to mediate them. And then you’ve got to think about edge cases. It says blocking can’t be used for political purposes. But what if I compromise the Liberal Party WordPress website and it gets blocked by all the carriers? Well that’s going to have a political impact, right? This is a hornet’s nest for ISPs and a classic case of the limitations of security idealism and pragmatic reality.
Howard: Let’s move on to the alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about Microsoft Exchange Online. This cloud-based service offers two methods of authentication for users that IT administrators can set up. One of them is called Basic Authentication. The other is Modern Authentication. Briefly, Basic Authentication doesn’t support multifactor authentication. Modern Authentication does. And while Basic Auth will be disabled by Microsoft on October 1st, this agency says Exchange email administrators should switch now. Why would this be a good move?
David: Attackers know these are the last few months to try and get whatever easy wins from highly automated attacks [on Exchange Online], so they’re scaling up. CISA and others are noticing this. There are so many stolen username and password databases out there that it’s trivial for an attacker to build collections. I know someone who’s got a 28 billion username and password combination collection — and it wasn’t hard for them to build that. Basic Auth literally only needs a username and password. It is a four lae highway for brute force hacking. The problem is there are a lot of legacy apps and processes and that don’t support Modern Authentication standards like OAuth etc.
I find the timing kind of curious because you know CISOs and IT and security professionals who’ve been working through every single holiday weekend through most of the pandemic are exhausted. Are they going to make the time you do this before October? I don’t know. I think we’ll see a mad rush in September, but I just can’t see it happening in July and August.
Howard: Is it a hard move?
David: It depends if there are custom applications. That’s the part that Microsoft highlights in its advisory. What are you using to access these services? Are there applications partly moved to the cloud? If you’re using older versions of software that only supports Basic Auth you now have to buy new software. So there can be a cost component to it as well. Do you allow basic authentication for SMPT auth, because a lot of the printers that we use, even in enterprise environments, are incapable of any kind of modern authentication. Some devices weren’t built to do two-factor authentication. That’s probably where the biggest hiccups are going to be.
Howard: Another story was related to the apparent lack of multifactor authentication or the quality of the type of MFA took place when a Canadian teenager who hacked the smartphone of an American entrepreneur two years ago and made off with US$48 million in cryptocurrency was sentenced to a year’s probation and banned from having anything to do with digital currency for a year. According to news reports the teen convinced the victim’s carrier to swap his SIM card to a phone owned by the teen. The implication is that once the teen had control over the phone he could steal the victim’s cryptocurrency with control over the phone. The teen was able to intercept two-factor authentication requests. This was one of Canada’s biggest SIM card swaps and may have been certainly one of the biggest ones in the United States. What does this say about the security procedures of cell phone carriers?
David: SIM swap attacks have been huge, specifically targeting cryptocurrency firms. There has been progress made by carriers here in Canada around educating their teams and support staff, but the reality is social engineering works for a reason. It’s never going to be fully bulletproof. There was a major case a few years ago of employees who were bribed to unlock. So if you’re holding millions of dollars in cryptocurrency the lesson that you need to learn is cell phone-based text message two-factor authentication is not an appropriate means of protecting your asset. That’s just enough security for the value of the asset or information. App-based multifactor authentication is more robust.
But this story also blows away this myth that cryptocurrency is more secure because it’s cryptocurrency. No. …
We used to talk about MafiaBoy in Montreal as being Canada’s most elite hacker, but this Hamilton kid just I think it took the cup for at least the biggest moneymaker as a Canadian hacker.
Howard: It struck me, though, that the heart of this story is it’s still easy to persuade cellphone carriers — you sing them a song about you’ve got to change phones, and you do some research on your target and you find out their date of birth other things. Carriers really have to toughen up their procedures before approving the changing of a SIM card on a customer’s account.
David: I guess I’m in a contrarian mood on this podcast today. I hear what you’re saying but carriers are also trying to offer customer service. What happens to the legitimate person who plunked their phone in the lake on their summer vacation and are trying to get back up and running, and now they’ve got all these hassles getting a new SIM card. Or is this should you be relying on your phone for that [cryptocurrency] bank count? You’re not wrong that these companies probably could step up the game a little bit but this goes back to shared responsibility.
Howard: Finally, I want to look at a report about an IT contractor in Japan who was working for a municipality there and he lost the USB key of municipal information that had personal information on everyone who lived in the city. This is a bad news/good news story. The man had copied the data onto the key to take it to a call center, and it was approved apparently. But he might he must have decided that he was going to take it to the call center for downloading the data the next day because that night he went out after work for a drink. He lost the bag with the USB key. That’s the bad news. The good news is the key was password -protected and all the data was encrypted. That’s really good news.
David: It is. The only thing that I’m terrified about is how strong was that password? What’s really interesting is was this a data breach? In some countries if it could be demonstrated the data was encrypted to a high enough standard then it may not qualify as a privacy breach [and therefore customers wouldn’t have to be notified]. I think you should fess up. There are also two other things: How do we educate people about security: This is what risk looks like. You might be approved to do this with a portable hard drive … There may be a legitimate purpose for doing this. But if you do it you’ve got to treat it like a valuable asset and be on your guard. The other thing is what are the ways that the municipality could have moved this data more securely than putting it on a portable device?
Howard: But the good news is the municipality had processes and the contractor obviously followed the processes: If you’re going to put personal data on a removable device it has to be password protected and encrypted. From the municipality’s point of view it looks like it did all the right things.
David: But that’s a hell of a lot of data. You have no better method of securely transferring it than a portable device? Which by its physical nature carries inherent risk. … Unless this municipality is in some remote location with no fiber optic connectivity whatsoever this could have been done better.
Howard: So one option would have been secure file transfer over the internet.
David: Or maybe even over a secure private network. Sometimes in IT we can be guilty of thinking everything looks like a nail and a hammer. So we’re just going to use the hammer to do something. Well no, the better tool for this would have been something else, and I think that’s the lesson for organizations. The password and the encryption are good things, but it’s like someone got into a head-on collision and the airbag went off and they didn’t die and they didn’t have serious injuries. Great. But what were the root causes of that head-on collision and how do we avoid that collision in the future?