Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday September 24th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
My guest commentator this week is Terry Cutler of Montreal’s Cyology Labs. He’ll be joining in a few minutes. But first a roundup of some of the bigger news from the past seven days:
Montreal-based voice over IP provider VoIP.ms struggled for much of the week with a sustained distributed denial of service attack that left customers across North America without phone service. This is one of the incidents Terry and I will discuss.
Another is the revelation that the FBI had penetrated the servers of the REvil ransomware gang this summer and got a decryption key that could have helped victim organizations. But instead of distributing the key the FBI held on to it for a couple of weeks because it hoped to take down the entire gang. Terry and I will discuss if that delay was justified.
We’ll also take a look at the misconfiguration by users of the EventBuilder platform for supporting webinars. Researchers discovered that information webinar attendees filled in when registering was left open on the internet. Hackers could have found and misused that data.
Ransomware attacks continue. The latest victims include two U.S. farming supply co-operatives. Crystal Valley had to shut its IT systems, preventing people from paying for grain. Earlier in the week NEW Cooperative was hit, with a reported ransom demand of almost $6 million. The BlackMatter ransomware gang reportedly threatened to double the ransom if the co-op continued to refuse to negotiate.
Separately, a cybersecurity firm that has assembled a database of stolen login credentials being marketed over the years by cybercrooks says over 600 of the credentials on its list apparently were from current or former NEW Cooperative employees. One popular password used by 120 staff was ‘chicken1.’ That password is logical – although a security risk – when you realize poultry feed is one of NEW Cooperative’s big products. It isn’t known if a bad password helped the NEW Cooperative ransomware attack.
Coincidentally, a cybersecurity vendor released a survey of Americans this week on their password habits. More than one in three respondents said they had tried to guess someone else’s password. Over 73 per cent said they guessed right – although admittedly half of the respondents were trying to guess one of their romantic partner’s passwords. Forty per cent said they were trying to guess their parents’ passwords. Family ties might give you an edge. Then again, with people talking about themselves so much on social media it’s no surprise cybercrooks look there for password clues.
Finally, Google said it will give some security help to owners of older Android devices. It’s making available a recently released application privacy protection feature for Android 11 to devices as far back as Android 6. It will be distributed through the Google Play store. However, few carriers offer operating system security updates for older versions of Android. So shouldn’t people be encouraged to buy a new device rather than stick with an old, insecure one – even if it has a new added privacy feature?
(The following is an edited transcript of my talk with Terry Cutler. To hear the full conversation play the podcast)
Howard: We’ll start with the nasty, distributed denial of service attack on VoIP.ms. It’s been going on for days with the company still trying on Thursday, when this podcast was recorded, to get back to regular service. For those who don’t know, a DDoS attack is like pounding on an organization’s website. The goal is to knock it offline, preventing the victim from doing business. An attack can be launched by an activist group as harassment, or as in this case, it can be used by crooks to extort money to pay for the attack to stop. There are several reports that DDoS attacks are increasing. Terry, like ransomware this can be pretty devastating on a business.
Terry: Absolutely. The goal of a distributed denial of service attack is basically to knock the service offline and make it unavailable to legitimate users. We’ve seen this back as early as the 1990s. Think of it like a radio station saying, ‘Hey, be the ninth caller through to win tickets.’ All of a sudden you get fast busy signals. That means there’s such an influx of calls coming in that you can’t get in. The same thing happens here, where a whole bunch of computers are going to be trying to talk to your website or your service at the same time. And it just becomes so slow that no one can basically interact with the service.
Howard: I talked to two Canadian companies that are VoIP.ms customers, and both were able to continue doing business by email for the time being. But one of them temporarily had to sign up with a new phone provider, and calls to their old phone number are being forwarded to this temporary one. But they told me that phone call service this way is still sporadic. Interestingly, they plan to stick with VoIP.ms when the crisis is over, which, to their credit, shows some loyalty. What’s behind a DDoS attack? How does it work?
Terry: The way it works usually is that a bunch of computers or devices – usually hundreds of thousands or millions of devices – are infected. There’s a bot master who controls this botnet of infected computers. And it says, okay, go attack VoIP.ms. If you clicked on a link you weren’t supposed to, your home machine could be part of a botnet. It’s extremely difficult to block these types of attacks. You need to have DDoS protection in place to be able to do that.
Howard: And DDoS protection is offered by a number of companies like CloudFlare and Akamai, in which they stand ready just in case your company is hit by an attack. Essentially they deflect this huge wave of queries that are pounding on your website.
So it’s vital that everyone patch their internet-connected devices, and that’s everything from computers to televisions to your internet router, to make sure that you’re not inadvertently compromised.
Terry: A lot of companies that we’ve worked with don’t have the DDoS protection in place because they never think it’s going to happen to them, and it could be expensive, too. So they wait for the problem to happen.
Howard: That’s not very good. So as part of your organization’s security strategy, you need to think about whether your organization is vulnerable to a DDoS attack. And then you have to think about what you’re going to do. What are some of the best practices for defending against DDoS attacks?
Terry: The first thing is to understand if you’re actually under attack and what some of the warning signs are. The biggest one is: is your network slow or spotty? Are you getting a lot of calls from users saying that their VPN keeps dropping or the website is busy? The biggest defence is to make sure all your stuff is patched up. The other one is to make sure you have a strong network architecture, and leverage some cloud-based services as well.
Howard: Another item I want to talk about is the report that the FBI quietly held on to a ransomware decryption key for the REvil ransomware. This I found disturbing. The FBI apparently broke into REvil servers and copied the data decryption key. This is the key that will unlock all of the encrypted files that you get if you’re hit by ransomware. That’s what ransomware groups demand from victim organizations: Pay us X hundred thousand dollars and we’ll send you the decryption key. So for a couple of weeks, victim organizations who could have had a solution to a crippling attack by REvil were left on their own because the FBI apparently didn’t want to give away the fact that they’d infiltrated the group. Do you think that the FBI made a mistake?
Terry: That’s a tough call. I’ve been on that side of the fence, working for a private investigation firm where the job is not to tip off the bad guys that we have control of their system. These investigations take time to do. It’s not like we’re going to take a copy of these computers and analyze it [quickly]. It could take five minutes. It could take weeks. In this case, I understand what the FBI did. They can’t give away the key, because they’re going to tip them off …
It reminds me of 2017 when the WannaCry [malware] came out. There was a flaw which was called EternalBlue which affected pretty much almost all versions of Windows that the ShadowBrokers leaked.
Howard: This was a case where the U.S. National Security Agency, which is their electronic spy agency, knew about holes in Windows and was happy to keep that a secret because it could exploit those vulnerabilities against the computers of foreign governments. They could have told Microsoft, and Microsoft could have patched Windows and then reduced the risk around the world of successful cyber attacks.
Terry: But then the NSA couldn’t continue their spying.
Howard: That’s right. And that’s the dilemma. And we only learned that the NSA knew of these vulnerabilities when the ShadowBrokers released what the NSA called the EternalBlue exploit.
Terry: And what’s interesting is that even today when I still do intrusion testing, I still sometimes come across this Microsoft patch that hasn’t been applied.
Howard: We talk a lot about configuration snafus. There was another one that was discovered this week in the use of the EventBuilder platform. This is a platform used by organizations hosting online events like webinars. With EventBuilder you can set up online registration pages, webinar presentation pages, and recordings of webinars. The thing is, the person using the EventBuilder tool has to be careful with the data. Some data, like links to recordings, can be left open on the internet. Other data, like the data that’s collected on registration pages, where there are people’s names and their addresses and their phone numbers, needs to be kept private and offline. What happened here was security researchers scouring the internet for open databases came across EventBuilder data that should have been kept private. And the thing is, EventBuilder is supposed to be easy enough to use so that non-IT people can handle it. But it seems some people didn’t read the instruction manual or they weren’t trained.
Terry: And you said it: Easy does not mean secure. [Users] are not thinking about, if somebody gets a hold of my database, what can they do with it? They just want to get their list up and running, get the registrants in there and do business as usual. If there was some training involved, maybe the person who got trained is no longer with the company and can’t pass on that knowledge to others. Or if they get trained, they’re not thinking about it the next time they use the platform. Sometimes that’s it. Unfortunately security takes a back seat on some of these things.