Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, September 23rd. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by David Shipley of Beauceron Security to discuss some of what happened in the past seven days. But first a review of the news highlights:
One of the biggest U.S. brokerage and wealth management firms, Morgan Stanley Smith Barney, agreed this week to pay a US$35 million penalty to settle allegations that it failed to properly dispose of hard drives and servers with the unencrypted personal information of about 15 million customers. The U.S. Securities and Exchange Commission said over a five-year period a moving company with no experience in data destruction was hired to decommission the devices. But the moving company sold the equipment to a third party who resold them on the internet. Anyone who bought the devices would have been able to see confidential information. David and I will discuss this incident.
We’ll also talk about new details from Uber about its recently-discovered data breach. The company says a threat actor initially got in by using an external contractor’s username and Uber password. The company believes those credentials had been bought on the dark web after they’d been stolen from a personal device of the contractor’s that had been infected by malware. Uber makes employees and contractors use multifactor authentication for logins, but the hacker got around that.
We’ll look at another company falling to a third-party supply chain hack. The American video game publisher 2K Games said a threat actor got hold of the help desk login credentials of one of its vendors. The attacker used access to the help desk system to send poisoned email messages to 2K Games customers.
And because September is Insider Threat Awareness Month, David will have some thoughts about this kind of attack.
Elsewhere a division of Bell Canada is still dealing with the effects of a ransomware attack. Bell Technical Solutions installs internet and phone services in homes and small businesses in Ontario and Quebec. The Hive ransomware gang says it got into systems and copied data in August. Bell says the names, addresses and phone numbers of an unspecified number of customers who booked appointments were copied.
American Airlines has acknowledged the personal information of some customers was stolen from the email accounts of some employees.
Website administrators, Google and Microsoft were warned about the harm the extended spellcheck feature in the companies' browsers can do. Security researchers at a firm called Otto said that in Chrome and Edge browsers, if the extended spellcheck is enabled, anything entered in a website’s form fields — like passwords, names, birth dates, Social Security or Social Insurance numbers — is sent to Google and Microsoft. Enhanced spellcheck is different from the basic spelling checker that comes with browsers. Some websites are now defeating the extended spellcheck feature on their sites.
There are worries the latest encryptor for the LockBit ransomware code has been leaked. That would allow other crooks to use it for free to build their own strain of ransomware. According to one news report, a disgruntled developer took out his anger on the LockBit gang and published the code.
Finally, Bitdefender, Europol and the NoMoreRansom Project announced that a free decryptor for the LockerGoga strain of ransomware is now available. You know you’ve been hit by this strain if the encrypted files have the extension “.locked”. The alleged operator of this strain has been detained pending a trial.
(The following transcript has been edited for clarity)
Howard: Let’s start with the fine that Morgan Stanley’s wealth management division agreed to pay to settle allegations it failed over five years to safely protect the personal information of customers by not encrypting the data, and then failing to oversee the proper destruction of the hard drives and servers the data was stored on. As I said at the top of the show, unknown to Morgan Stanley the hard drives were sold on the internet. This got me wondering: Most organizations spend a lot of time on preventing cyber attacks. But how much time do they spend on protecting data by encryption, and making sure that when equipment reaches the end of its life it’s properly destroyed? What did you think when you heard about this?
David Shipley: I thought it was interesting that it got to the point where they’ve had a fairly significant fine. Thirty-five million to them might end up just being the cost of doing business. So let’s see if they actually change their processes and behaviour.
I think asset management is one of the hardest things that cross over into security. I think organizations do a reasonable job of trying to keep track of assets when they’re being used. But the problem is on disposal. That’s where this often goes sideways. This was a headache for me when I was doing IT at the University of New Brunswick trying to track down where things went from faculty computers and other places. This is a really hard challenge. One of the silver linings of going to the cloud and using AWS or Azure is this is part of the shared security model that they’re responsible for in terms of the data centre. So hopefully they’re doing that part. To your earlier point about encryption, there’s a stronger case there should absolutely be encryption for data at rest to prevent this kind of scenario from happening. Old-style applications that don’t support it really are presenting a greater risk. But if there was any sector that was going to have that problem it’s banking. They’ve got apps that are decades old when encryption wasn’t even a concept, so the legacy equipment of banks may still remain unencrypted. When shipping out surplus hard drives you better make sure those things are getting shredded.
Howard: One of the things that was astonishing was that Morgan Stanley wasn’t checking to make sure that the stuff it was getting rid of was disposed of. There’s the old phrase, ‘trust but verify.’ They apparently hired a company that had no experience in data destruction. But especially if you’re a financial institution or a health care institution or a government, you’ve got to verify.
David: A hundred per cent. And I suspect this is the tip of the iceberg. This mistake only really becomes known because someone plugs in a hard drive [bought over the internet] and all of a sudden there’s a bunch of cool data. If they’re nerd-techie enough they’d dig into that data. Otherwise most people would wipe it and put it into service. Do I think that they’re unique [in not properly disposing of hard drives]? Absolutely not. I think your point is entirely valid, that you should have the right to audit your suppliers. You should follow your disposals through the entire process, validate it’s working and then spot-check it from time to time. I don’t think this gets the attention it deserves. Your point about health care really lands because banking information is one thing and that can be very painful, but you can’t undo the loss of sensitive patient records.
Howard: And the hard drives that Morgan Stanley was getting rid of had encryption capabilities but the encryption hadn’t been enabled for years. Some of the devices came from local offices and branch servers as opposed to the Morgan Stanley data centre, so I’m not sure if this is a failure of data administrators to ensure that policies are enforced locally.
David: It could be, but I suspect it’s the legacy applications [that can’t be encrypted]. You’re [possibly] talking about banking infrastructure still running in Cobol and lots of other scary outdated approaches because they still work. It’s a nightmare and a half to update. So I don’t think necessarily this is just a story of the OS wasn’t configured to enforce BitLocker or whatever. It may be that the use case for that hardware and software did not allow for modern encryption.
Howard: And the thing is Morgan Stanley, like other American broker-dealers, investment companies and investment advisors that come under the SEC regulations, had to adopt written policies and procedures that address safeguards for the protection of customer records and information. Morgan Stanley consented to the SEC order that the firm violated the regulator’s safeguards and disposal rules.
David: I think the question is, are the consequences of violating these safeguards and disposal rules and having a negative outcome significant enough that the bank is actually going to change its behaviours and improve its processes? Or is it, ‘This is a cost of doing business. We made a mistake. We’ll improve it going forward but we’re not going to sweat $35 million?’
Howard: I would hope that that’s not their attitude.
Item 2: New details from Uber about its recently discovered data breach. This attack started with a threat actor getting the username and Uber password of a contractor who is allowed to access Uber’s systems. It’s believed the attacker bought those credentials on the dark web after they’d been copied from the contractor’s personal device. That device had been infected with malware. The contractor did have multifactor authentication to protect their login. So when the attacker repeatedly tried to log into the contractor’s Uber account and got asked for the two-factor authentication code that access was blocked. However, the contractor eventually accepted one of these requests. I guess they were tired of being bombarded on their smartphone [with requests], and the attacker successfully logged in. We’ve talked about this before, I think. It’s a classic, ‘I hope the victim gets tired of being pestered’ attack.
David: Absolutely. I think this is the Okta scenario again. It was the same thing: An external contractor had their credentials stolen and was just bombarded with MFA authorization requests and they capitulated. This is the danger of app-based authorization of MFA, where the attacker can do the push notification and the victim just approves it to make it go away. It speaks to the importance of educating people that if you’re not 100 per cent confident that you initiated this request for MFA don’t approve it. It plays into a lot of the things that we see — persistence by these threat groups. And it plays into the fact that people eventually get fatigued and they get complacent. It’s about the importance of awareness education.
The other thing that comes to my mind about this particular breach is at what point does IT shut down a surge of login attempts that get an MFA challenge but aren’t responded to? Maybe they needed to lock the account after 10 of these. Can you actually set a threshold?
Howard: This is a case of multifactor authentication being great until the carbon-based units that infest the organization fail.
David: It’s one way to look at it. The reality is there are now phishing-as-a-service platforms [for crooks] that include MFA capture capability. I think this is the natural ebb and flow between the attack and defence side of cyber. MFA was a phenomenal tool but it’s like the overuse of antibiotics. We’re now finding it’s declining in efficacy.
Howard: What happened after the initial access was gained was also very disturbing. The attacker accessed several other employee accounts — Uber’s report doesn’t say how — which ultimately gave the attacker elevated permissions to a number of internal Uber tools including G-Suite and Slack. The attacker then was able to reconfigure Uber’s OpenDNS to display a graphic image to employees of some of the internal sites they were apparently able to copy.
David: What I’ve read from some of the industry reporting on this is there seems to be some belief that there was a network share with PowerShell scripts with hard-coded credentials to the password vault for a bunch of these productivity tools for the admin account. And so once they got in past this credential side of things they found this network share, were able to access the scripts, elevated their privileges, locked the Uber team out of those things and then just started to cause chaos. Thankfully, it seems that particular script and that password manager didn’t have the credentials to the actual user-facing components of Uber.
Howard: It seems the lesson is you’ve got to be prepared for multiple levels of defence so once an attacker gets initial access the damage that they can do is pretty limited, because you have a number of controls at various levels that prevent an attacker from getting deeper into your network.
David: Absolutely. And this goes back to the [cybersecurity] basics — least access privilege to users. I suspect part of what happens with a fast-growing startup [like Uber] is that people are told to move fast and break things, as the motto goes, as they’re scaling and maturing. That’s okay when the firm is a hundred people but an Achilles heel that will later bite you as a larger enterprise.
Howard: Item 3: The American video game publisher 2K Games said a threat actor got hold of the help desk login credentials of one of its vendors. After that the attacker was able to send email messages to 2K Games customers with malicious links. This is more evidence that some companies aren’t prepared to stop third-party attacks.
David: It’s interesting that this is a story of the third-party supply chain. It negatively impacts Okta, Uber and now 2K Games. It also shows that attackers are evolving: They realize that if they can land inside a trusted environment as they’re island hopping to attack others it’s a great way to bypass email filtering controls and all kinds of other security controls to stop phishing. Because now attacks are literally coming from a real email server and a real organization that may have communicated with you in the past. They’ve got all the perfect technological and all the perfect social engineering infrastructure to pull off some nasty shenanigans, and I expect more of this. This is part of the ebb and flow as email filters have gotten more sophisticated and phishing campaigns have been more difficult to execute. Now you [the attacker] have got to get inside a trusted environment. I’ve been on the other side of a trusted environment that gets compromised in a past life, and the consequence of this can be severe, particularly depending on how many malicious emails go out. You can end up getting your corporate domain blacklisted by all the major email filtering providers, so essentially you disappear off the internet. And that has huge business consequences. It can take days to get unspooled and get Google or Microsoft to unblock you.
Howard: And this case is another example of how a help desk can be a vulnerable part of your organization.
David: Absolutely. You have to look at, ‘What if I was an attacker? How could I cause the most chaos for my organization?’ A lot of times people think of ransomware. But now attackers are branching out and getting more clever. And I would say, depending on how sophisticated this attack was and how much money they made from actually sending those malicious links out, this could be a replicable model that becomes a real pain for companies over the next year.
Howard: The final item we’re going to talk about is Insider Threat Awareness Month. Insiders are employees as well as anyone who’s allowed access to an organization’s computer network, such as partners and contractors, but who abuse their access. According to the annual Verizon Data Breach report, over the years insiders account for about one-third of all successful cyber attacks studied. This means that outsiders — including hackers who get hold of contractors’ passwords — are the biggest threat. So how much attention should IT security leaders pay to insider attacks?
David: The label for this concerns me, because it can set the environment up where the IT team thinks that the employee base within the company is the problem. The reality is the employee base within the organization exists to perform the business of that organization. They are the organization’s single greatest asset. So our number one challenge isn’t to see them as insider risk. It’s to see them as untapped security potential and as assets, and to switch this from a negative framing to a positive one. The reality is only a small, small fraction inside this ‘Insider Threat’ category are actually malicious. I think we spend a lot of time creating an adversarial relationship, whereas we should create a more positive relationship by enabling people. I’ve seen this: I was able to lower the click rate [the rate at which people fall for a phishing test] at my university from 30 per cent to less than five per cent by better education, enabling and empowering people and helping them become part of the security story. Then you can better spend your attention on how do we apply good security principles to lower the risk of truly malicious people.
What also comes to mind is the Desjardins data theft [by an employee of a Quebec–based credit union]. But if you’re running around thinking a third of your company is your problem you’re missing an opportunity to turn them into an asset.
Howard: And the thing about the Desjardins theft is that it raised a whole bunch of side questions. If I recall correctly, he stole the data of close to 10 million current and former customers. But perhaps 4 million of them were accounts of people who had left the bank. There was no real reason why the bank still had to keep their data hanging around. So instead of data on 10 million people that hacker stole he might have only gone away with 5 million. That’s still a hell of a big number. But the point is it’s an example of how keeping old data can bite you badly.
David: One hundred per cent … That’s not the only case in Canada. A few years ago McDonald’s had an employment database breach of people who applied for jobs online. Most were hired but some weren’t. Had the company trimmed that [unneeded] data they would have significantly lowered their cost for breach notification and overall damages.
Howard: Some consider that insider threats include scenarios where the attacker pretends to be an employee or even the CEO through deep fake videos, vishing phone calls and emails, and even misinformation on social media sites to convince employees to either click on a malicious link or send money to an account controlled by a thief. Would that fit your definition of an insider attack?
David: No. I think that’s social engineering by criminals … Your people aren’t the threat. They’re the victims. Our job [in IT] is to help defend them and enable them and help them raise the flag when they’re being targeted by an outside criminal group…. We have to remember we’re there to enable the business and the mission. I’ve dealt with so many employees who are victims of social engineering over the years, and they go through such awful feelings of regret and embarrassment. These people aren’t a threat.
Howard: So what are the top three or five things that organizations should do to blunt the threat of an insider attack?
David: First, establish a positive security culture in your organization where everyone feels part of the security team. We’re all the security team. Tell them that what they can do is, when they see something suspicious, tell us about it — particularly email-based social engineering attempts or phishing. Be part of raising the alert to the organization. Second, implement least access privilege for employees. This goes back to our story about Uber: How are we making sure that people only have access to the things that they need to have access to? Third, better monitoring of the use of identities and logins. When you see weird things that could be MFA abuse, shut it down before someone gives in out of exhaustion.