Welcome to Cyber Security Today. This is the Week in Review edition for Friday October 15th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by guest commentator Dinah Davis, Canadian-based vice-president of research and development at Arctic Wolf. But first a review of some of the news from the past seven days:
Finding ways to collectively fight ransomware was the goal of a meeting of 30 nations this week. Officials from Canada, the U.S., the U.K. and others met for two days online discussing tactics to improve the resilience of their critical infrastructure providers, how to disrupt cyberattacks, ways to impair the use of virtual currency to facilitate ransomware payments and how to use their governments’ collective muscle in international forums. That includes the United Nations, where in January discussions will start on a cybercrime treaty. Dinah and I will discuss what countries might do to fight ransomware.
We’ll also discuss a new U.S. law that tells a government cyber agency to recommend ways public school boards can better protect themselves from cyber-attacks.
And we’ll also talk about a new Microsoft report of a cyber campaign targeting defence companies with an old tactic: Automated password guessing.
More on ransomware: At BlackBerry’s annual Security Summit this week an official offered five ways IT departments can improve their ransomware defences. The number one way is patch your systems as soon as security updates are released.
And researchers at Symantec have discovered a new strain of ransomware. Called Yanluowang, those behind it threaten to launch denial of service attacks and delete the encrypted data on victims if they call police or ransomware negotiation firms.
Speaking of denial of service attacks, Microsoft revealed it fended off a huge attack in August against an unnamed European customer. Seventy thousand infected devices were leveraged in the attack. The lesson is people have to better protect their computers, routers, internet-connected surveillance cameras and the like by using strong passwords and installing security updates.
Convenience store chain 7-Eleven violated the privacy of Australian customers by snapping images of people filling out a digital survey about service in stores, says that country’s information commissioner. One apparent goal was to exclude survey respondents whose answers didn’t appear to be genuine from their facial expressions. But the commissioner said collecting biometric information wasn’t needed for the purposes of this survey. It also wasn’t clear customers consented to being photographed.
Regulators in Ireland have reportedly proposed fining Facebook up to $42 million for violating the European General Data Protection Regulation’s privacy rules. One of the violations is failing to notify its customers about how it uses their data. The proposed fine is being considered by data protection regulators in all EU countries.
And if you have an Apple device running the iOS operating system, make sure it’s running the latest version. Apple has reportedly quietly issued a security update.
(The following is an edited transcript of my talk with Dinah Davis. To hear the full discussion play the podcast)
Howard: Let’s start with that online meeting between 30 countries wanting to take joint action about ransomware. They were still meeting when we recorded this podcast so we can’t tell you what was agreed to, but is it important that nations meet on this to try to take collective action?
(UPDATE: Here’s what happened)
Dinah: The biggest problem with ransomware is they’re attacking from outside [victim] countries. So the really tricky part is prosecution because each country has different laws and different ways of going about things. And extradition laws are really complicated. So a combined effort here is really what is going to be needed to solve any of these problems.
Howard: The fact that Russia and China aren’t in this meeting, does that have any effect?
Dinah: It could. There’s a lot of hacking that comes from those places. But as many people as you can get to the table is better than not being at the table at all.
Howard: Australia proposed some tough new laws this week. Tell us about that.
Dinah: I thought this was great. I’m really hoping Canadian legislators are going to do similar things soon. First there are some legislative reforms introducing mandatory ransomware incident reporting. So if you are hit by ransomware, you’re going to have to report that to the Australian government. They’re wanting to modernize some of their legislation to ensure that the cybercriminals are going to actually be held to account for their actions. And they’re going to make it easier for police to seize criminal assets, presumably before they leave the country. They also had some things for the business community, including a plan on raising awareness. I really liked the idea of the free cyber security assessment tool that businesses can run on their sites. And there would be $6.1 million in support services for victims of cybercrime, which I thought was great.
They’ve made some policy and operational response changes, the biggest one being creating a multi-agency task force called Operation Orcas. It will be led by the Australian federal police. So that’s great. Any time we see organizations banding together, even in one country, that means they’re going to be more co-ordinated. Finally, they have a cyber security national workforce program to improve the quality and quantity of the cyber security workers in Australia. That’ll end up working for both the government and for private businesses.
Howard: I like the idea of mandatory reporting of ransomware incidents. In fact, I like the idea of mandatory reporting of any kind of successful cyber attack — although as a reporter, I have somewhat of an interest in this in that I’d like to see public reporting of these incidents. What I’m afraid of is what the [Australian] government wants is private reporting so at least it has accurate statistics on the length and breadth of cybercrime. I’m not averse to naming and shaming people, though I understand the business community’s reluctance to stand up in public and say, ‘Yes, we’ve been hit,’ because there could be a business impact. But on the other hand, naming and shaming is a great weapon [to get businesses to improve cybersecurity].
Dinah: It is as long as you’re also doing other things to try and lift them up before it happens. I think also the reality of our world is that no matter what you do, if somebody wants [to breach your security controls] they’re getting in. I do think like there should be public reporting. I don’t know if we should be shaming, but we should be keeping businesses held accountable for their actions and how they respond to an incident.
Howard: I think we’ll probably expect that countries will take a more concerted stand at stopping cryptocurrency payments over the internet flowing internationally because cryptocurrency is one of those that really allows criminals to leverage ransomware. If you can make a victim make an anonymous payment you’re going to see money pretty fast. If nations can find ways to chop that off, that’s going to go a long way to stopping ransomware.
Dinah: Yep. Though it’s difficult because of the distributed nature of cryptocurrency and the fact that it doesn’t stay in one specific location. It’s the beauty of it, which is also the downside.
Howard: What about business responsibility for stopping ransomware? We talk about what governments can do, and they can do a lot of information sharing, threat sharing, they can go after cryptocurrency transactions. What about the business responsibility? And I ask because this week I learned that ransomware groups were claiming to have hit at least seven small to medium-sized Canadian organizations in the past month or so. One was as small as a two-person business association for a city in Western Canada. Another represents actors and others in the entertainment business in the province of Quebec. Others are a hotel and a manufacturing firm. What can we do to get businesses to realize they’ve got to put more investment into fighting cyber crime?
Dinah: I think the awareness programs that we have today are helpful. I think the reporting by journalists that this [ransomware] is actually happening is helpful. But there probably need to be laws and regulations: If this happens to you, here’s what you have to do. Here’s what you have to provide to your victims, that kind of thing. From the business’s perspective, they need to ensure that they’re doing everything that they can, even if it’s not some crazy security monitoring or whatever for a two-person company. Just doing the basics of good computer hygiene and not clicking on links does go a long way. So we have to hold people accountable for the data that they hold and for the information that they have, no matter the size of the company. We also have to be reasonable and helpful in trying to help them do better.
Howard: So many companies don’t seem to realize the value of the data that they hold, especially small and medium companies. They may think, ‘I’m not like a big retailer Canadian Tire that would have a database filled with customer names and credit card numbers — great stuff that people want to steal.’ But many companies forget there’s valuable information just in the employee information that they hold. They’ve got an employee’s name, address and date of birth. That’s terrific information for counterfeiting identity. A lot of companies, I think, forget about that.
Dinah: I think they do. And I think this is where especially if you’re a small business, you want to use tools that have been out there for a while. So instead of rolling your own contacts or employee database maybe you use Office 365, or Google Workspace that have security built-in already. And then you still have to make sure you have strong passwords and MFA [multifactor authentication] and all those things, but the more you’re using tools that have been highly vetted the better it is going to be for you.
Howard: We’ll get to passwords in a second. Let’s turn to the new U.S. law for helping school boards. Unlike in Canada, the federal government in the United States has some jurisdiction over local school boards. This new law tells the U.S. Cybersecurity and Infrastructure Security Agency to help school boards. Can you talk a bit about what this is about?
Dinah: This is about a concerted effort to raise awareness within the schools about cybersecurity and bringing them support from the federal agencies on how to manage and handle that. They don’t have the resources to figure out how to do this themselves. And so having these agencies come in, point out where there are holes and then help them along is also part of this law. This is great. It’s saying that at the very highest level of the U.S. cyber security is important for children and [protecting] their data.
Howard: I’m not sure how effective Canadian provinces are at making sure that local school boards have the resources to protect their systems from cyber attacks.
Dinah: I’m not hopeful on that one, just based on my own personal experience of sending my child to school. For example, in fourth grade the very first time they got Google Classroom they had four-character passwords for students that were very, very simple. So simple that each of the students could guess the other students’ ones. Immediately I asked to change my daughter’s password, and it was a big deal. I had to go to the teacher and then the teacher had to change it for her … I think they’ve since changed that password policy, but it’s just another example of there’s always this trade-off between usability and security. A fourth-grade teacher is thinking, ‘I’ve got to make this easy. These kids are going to forget their passwords, and then I’m going to be forever trying to reset their passwords.’ Versus, ‘We need to make sure that they are secure and that they have their own privacy and that no one else is messing with their things.’
Howard: Passwords, passwords, passwords. Microsoft issued a report this week saying 250 firms in the U.S., Israel and other countries that use their Office 365 productivity suite have been targeted with password spraying attacks. What’s a password spraying attack?
Dinah: It’s when attackers use a list of commonly known [stolen] passwords, plus guessed usernames of a company. The interesting thing about this one is they believe that it’s likely Iran that is running the attack. The interesting thing is [in this campaign] attackers are very active between Sunday and Thursday between 7:30 a.m. and 8:30 p.m. Iran time. In Iran, Friday and Saturday is the weekend.
Howard: Technology companies have been trying for some time to get people weaned off passwords, so that they don’t have to remember passwords. Then they don’t have to use password managers to keep hold of things. And so slowly, gradually, Microsoft, Google and others are adding capabilities so that people can use safer methods than passwords. What are the best ways IT departments can make sure their firms aren’t victimized by password spraying?
Dinah: This is not hard: Make users have unique passwords that are more than 12 characters long, and install two-factor authentication – the biggest thing, two-factor authentication. Pretty much will kill any password spraying attempt because even if they get the password they don’t have the two-factor auth. So unless it’s really co-ordinated and they’re going to do a two-pronged approach and try and figure out a way to break the TFA, then it’s not going to work.
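The discussion above describes the shape of a password spraying attack: a small list of common passwords tried against many guessed usernames, which is the opposite of a brute force on one account. As an added example that is not part of the podcast, the Microsoft report or Arctic Wolf’s tooling, the following Python script shows how that shape can be picked out of sign-in logs: one source address producing failed logins across many distinct accounts within a short window, with only one or two failures per account. The log lines, the field layout (UTC timestamp, username, source IP, result) and the fixed UTC+03:30 offset for Iran time are all constructed or assumed for the example; the working-hours check only reuses the Sunday-to-Thursday, 7:30 a.m. to 8:30 p.m. pattern mentioned above as a corroborating signal, not as proof of attribution.

```python
"""Spot password-spraying patterns in sign-in logs (added example, not
from the podcast or from Microsoft's report).

A spray produces many failed sign-ins from one source spread thinly
across distinct usernames; a brute force piles failures onto one account.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. Layout (assumed): <UTC timestamp> <user> <source IP> <result>.
# 203.0.113.7 sprays six accounts with one attempt each and gets into a seventh;
# 198.51.100.22 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2021-10-12T04:01:10Z alice@example.test 203.0.113.7 FAIL
2021-10-12T04:01:12Z bob@example.test 203.0.113.7 FAIL
2021-10-12T04:01:15Z carol@example.test 203.0.113.7 FAIL
2021-10-12T04:01:17Z dave@example.test 203.0.113.7 FAIL
2021-10-12T04:01:20Z erin@example.test 203.0.113.7 FAIL
2021-10-12T04:01:22Z frank@example.test 203.0.113.7 FAIL
2021-10-12T04:01:25Z grace@example.test 203.0.113.7 SUCCESS
2021-10-12T08:30:00Z bob@example.test 198.51.100.22 FAIL
2021-10-12T08:30:20Z bob@example.test 198.51.100.22 FAIL
2021-10-12T08:30:45Z bob@example.test 198.51.100.22 SUCCESS
2021-10-12T09:00:00Z alice@example.test 198.51.100.23 SUCCESS
"""

# Fixed UTC+03:30 for Iran Standard Time (assumption: ignores daylight saving).
IRAN_TZ = timezone(timedelta(hours=3, minutes=30))


def parse_log(text):
    """Parse the constructed log format into event dicts with aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user.lower(),
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    return events


def in_reported_work_hours(events):
    """Fraction of events falling Sunday-Thursday, 07:30-20:30 Iran time, the
    activity pattern described for this campaign. A corroborating signal only."""
    hits = 0
    for e in events:
        local = e["ts"].astimezone(IRAN_TZ)
        minute_of_day = local.hour * 60 + local.minute
        if local.weekday() in (6, 0, 1, 2, 3) and 450 <= minute_of_day <= 1230:
            hits += 1
    return round(hits / len(events), 2)


def find_spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: summary} for sources whose failures touch at least
    `min_accounts` distinct usernames inside any `window`-long span."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        # Sliding window over failures: widest set of distinct accounts hit within `window`.
        start, best = 0, set()
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) < min_accounts:
            continue
        all_failed_users = {e["user"] for e in fails}
        flagged[ip] = {
            "distinct_accounts_failed": len(best),
            # Close to 1.0 for a spray; a brute force on one account scores much higher.
            "failures_per_account": round(len(fails) / len(all_failed_users), 2),
            # Accounts this source did get into: the ones to reset and review first.
            "successes_after_spray": sorted({e["user"] for e in evs if e["ok"]}),
            "in_reported_work_hours": in_reported_work_hours(evs),
        }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_spray_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Tune `window` and `min_accounts` to the tenant: a spray that sleeps between attempts to stay under lockout thresholds needs a wider window, and the per-account ratio is what keeps a single user fumbling their own password from being flagged. The successes list is the actionable output, since those accounts need a reset and, as noted above, enforcing a second factor is what stops a guessed password from being enough.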