Welcome to Cyber Security Today. This is the week in review for the week ending Friday, March 10th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss recent cybersecurity news. But first a look at some of the headlines from the past seven days:
Researchers have found the first in-the-wild UEFI bootkit that can bypass Secure Boot and hijack a Windows computer’s boot process even on a fully patched system. Terry will have some thoughts. We’ll look at a report that law firms are increasingly being targeted by threat actors. And we’ll discuss what’s being done to help Canadian non-profits improve their cybersecurity maturity.
Acer, one of the biggest computer manufacturers in the world, has acknowledged a hacker got into what it says is a document server used by its repair technicians. This comes after a threat actor began selling 160GB of stolen corporate data. Acer says no customer information was copied.
A ransomware gang is trying a new way of squeezing victims. Rather than offer screenshots of a company’s file structure as proof it has been hacked, the Medusa gang created a 51-minute video of screenshots allegedly copied from servers at the Minneapolis Public Schools system. According to Bleeping Computer, the gang is demanding US$1 million by March 17th or it will publish all of the stolen data.
Personal information of members of the U.S. Congress and their staff may be at risk because of a data breach at a private healthcare insurance provider. According to the news site The Daily Caller, the House of Representatives’ chief administrative officer this week emailed congressmen about the hack. NBC News says the hack also involved data of members of the Senate. The initial news reports say the data included names and email addresses but not detailed personal information.
UPDATE: The Associated Press says a broker on an online crime forum claimed to have records on 170,000 subscribers to the healthcare provider. Apparently they didn’t realize that of those an estimated 11,000 were Congressional members, staff or family members. A sample of the data made available for potential buyers included people’s Social Security numbers. It is reported that the FBI purchased the data and it is no longer available. (This updates information and is not included in the podcast.)
The developer of a game called The Sandbox is warning players not to fall for an email scam claiming to be from the company. This comes after an employee’s computer was hacked and their email was used to send spam with a malicious attachment. Those who got the message have been warned not to open, play or download anything related to it.
The U.S. Transportation Security Administration has told federally-regulated airports and aircraft operators to tighten their cybersecurity. This includes adopting network segmentation controls to ensure internet-connected operational technology systems can continue running if IT systems have been compromised; improving system access controls; and keeping all internet-connected systems patched.
Finally, a number of IT vendors this week released important security updates that IT administrators should pay attention to. These include patches from Cisco Systems for certain models of ASR enterprise routers, Jenkins for Jenkins Server and Update Center, Veeam for its Backup & Replication software, and Fortinet for devices running its FortiOS operating system and its FortiProxy web proxy.
(The following is an edited transcript of one segment of the conversation. To hear the full discussion play the podcast)
Howard: I wrote a story about a Canadian association that’s helping nonprofits improve their IT processes. This is the Canadian Centre for Nonprofit Digital Resilience, which issued a report outlining the poor state of cybersecurity among many nonprofits, which range from groups helping the homeless to major Canadian hospitals. Many of them, especially the small ones, don’t believe that they’ll be targeted by threat actors. That’s a pretty head-in-the-sand approach.
Terry Cutler: Not-for-profits are not immune to cyber attacks. They should be just as concerned as for-profit organizations. In fact, not-for-profits may even be at greater risk because hackers know that they don’t have the money, the resources or the time to deal with cybersecurity. What’s key here is that the not-for-profits collect a ton of sensitive information, personal and financial information, such as donor information, employee records, and financial data. This can be very lucrative for a cyber criminal.
Howard: Smaller ones are not swimming in cash and so they feel they don’t have a lot of money that they can put into cybersecurity.
Terry: And donors don’t necessarily feel that they should be paying for cybersecurity. But there are cybersecurity services out there that won’t break the bank. They could at least contract, for example, for continuous vulnerability scanning, or dark web monitoring to see if their passwords are leaking. A cybersecurity advisory service could sit down with them and explain their risks and where they should be going.
Howard: The association is working on a cybersecurity framework that’s tailored for nonprofits. But in the meantime rather than wait for that deliverable nonprofits should be following baseline security controls that have been issued by several Canadian and American sources.
Terry: We have a couple of not-for-profits that we work with, and a lot of times they don’t have an IT guy on staff. So when you start talking this stuff to them it sounds like gibberish. They start laughing in my face — like, ‘What are you talking about? What do you mean? I need stronger password security? I need to have monitoring of these types of events?’ So it’s very, very difficult. A lot of times they just hire their brother Jim to be the IT guy. They need to have an advisor they can call on to help guide them.
Howard: The association in its report issued goals that non-profit leaders should adopt. One is that boards and executives should understand the risks of not protecting data. Another is they should prioritize cybersecurity. What do you think?
Terry: There’s a Catch-22: They want to do cybersecurity, but they don’t have $30,000 a year to put towards it. They’re going to need to outsource this stuff to experts. They can only do best effort. They’re in a pickle.