In this episode of the podcast (#197), sponsored by LastPass, former U.S. CISO General Greg Touhill joins us to talk about news of a vast hack of U.S. government networks, purportedly by actors affiliated with Russia. In our second segment, with online crime and fraud surging, Katie Petrillo of LastPass joins us to talk about how holiday shoppers can protect themselves – and their data – from cyber criminals.
Every day this week has brought new revelations about the hack of U.S. Government networks by sophisticated cyber adversaries believed to be working for the Government of Russia. And each revelation about the purported compromise of US government networks by Russian government hackers, it seems, is worse than the one before. As of Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was dispensing with niceties, warning that it had determined that the actor behind the attack “poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
The incident recalls another from the not-distant past: the devastating compromise of the Government’s Office of Personnel Management in 2014, an attack attributed to adversaries from China that exposed the government’s personnel records – some of its most sensitive data – to a foreign power.
Now comes this attack, which is so big it is hard to know what to call it. Unlike the 2014 incident, it isn’t limited to a single federal agency. In fact, it isn’t even limited to the federal government: state, local and tribal governments have likely been affected, in addition to hundreds or thousands of private firms including Microsoft, which acknowledged Thursday that it had found instances of the software compromised by the Russians, the SolarWinds Orion product, in its environment.
How did we get it so wrong? According to our guest this week, the failures were everywhere. Calls for change following OPM fell on deaf ears in Congress. But the government also failed to properly assess new risks – such as software supply chain attacks – as it deployed new applications and computing models.
Greg Touhill is the President of the Federal Group of secure infrastructure company AppGate. He currently serves as a faculty member of Carnegie Mellon University’s Heinz College. In a prior life, Greg was a Brigadier General and the first Federal Chief Information Security Officer of the United States government.
In this conversation, General Touhill and I talk about the hack of the US government that has come to light, which he calls a “five alarm fire.” We also discuss the failures of policy and practice that led up to it and what the government can do to set itself on a new path. The federal government has suffered “paralysis through analysis” as it wrestled with the need to change its approach to security from outdated notions of a “hardened perimeter” and keeping adversaries out. “We’ve got to change our approach,” Touhill said.
The malls may be mostly empty this holiday season, but the Amazon trucks come and go with a shocking regularity. In pandemic-plagued America, e-commerce has quickly supplanted brick-and-mortar stores as the go-to for consumers wary of catching a potentially fatal virus.
To file in the “no one is immune from a sophisticated attack” category, well-known and respected security firm FireEye publicly announced this week that it has experienced an attack by a state-sponsored (which means a foreign government) hacking group, which successfully obtained its “red team tools.” This is very concerning, as the red team tools include the “special sauce” FireEye uses to test its clients’ security maturity and vulnerabilities, and could be used as a roadmap for adverse nation states to hack into the U.S. government’s or private companies’ systems.
Kudos to FireEye for making this public so the U.S. government, critical infrastructure and private companies can be on the alert for the tools to be used against them. FireEye has stated that it is working on over 300 countermeasures to assist in combatting the use of its proprietary tools by these adverse threat actors.
Unfortunately, this incident is a cold, hard, awful reminder that even the most sophisticated security firm can become the victim of a cyberattack, and since that is the case, all companies are at extreme risk of an attack and exfiltration of data.
FireEye appears poised to assist in combatting the effects of the incident, so keep a close eye on those measures. We will keep you updated as well.
Brazilian airplane manufacturer Embraer’s data has reportedly been uploaded on a dark web website hosted by ransomware group RansomExx (a/k/a Defray 777) after Embraer reportedly refused to pay a ransom following a ransomware attack last month.
According to ZDNet, the hackers uploaded company files containing “samples of employee details, business contracts, photos of flight simulations, and source code, among others.”
Leaking the data and making it publicly accessible, sometimes selling it at auction, is designed by the attackers to put pressure on the company to pay the ransom: to avoid legal obligations and regulatory fines or penalties, or to prevent competitors and adversaries from accessing confidential data that can be used against the company.
Between Black Friday and Cyber Monday, consumers across the U.S. spent the weekend snapping up deals on home electronics like smart TVs, game consoles and appliances. Total season-to-date holiday spending, including Cyber Monday, is over the $100 billion threshold according to data from Adobe.
Lots of factors drive consumer decisions to buy one product over another: price and features chief among them. But what about cyber security? Unlike, say, the automobile marketplace, concerns about safety and security are not top of mind when consumers step into a Best Buy or Walmart looking for a new flat screen TV. And ratings systems for cyber security, from organizations like UL and Consumer Reports, are in their infancy and not widely used.
Home Depot has agreed to settle a multi-state enforcement action by 46 U.S. states and Washington, D.C. arising from the data breach that occurred in 2014. Home Depot has agreed to pay $17.5 million to put the enforcement action behind it. The investigation was led by the Attorneys General of Connecticut, Illinois and Texas.
The multi-state investigation followed Home Depot’s data breach that affected 40 million customers who used self-checkout terminals in its U.S. and Canadian stores between April 10, 2014, and September 13, 2014. According to the investigation, hackers used a vendor’s username and password to infiltrate Home Depot’s network and deployed malware to access the customers’ payment card information. In addition to the credit card information, at least 52 million people’s email addresses were exposed.
In announcing the settlement, Connecticut Atty. Gen. William Tong stated that companies collecting sensitive personal information “have an obligation to protect information from unlawful use or disclosure… Home Depot failed to take those precautions.” In addition to the monetary settlement, Home Depot has agreed to hire a Chief Information Security Officer, upgrade its security procedures and provide employee training. Home Depot denies liability in the matter.
I have done more online shopping this year than ever before, and I know that I am not alone. With the holidays approaching, this will only increase because of the pandemic, and hackers and fraudsters know it.
A recent report by GBG entitled “GBG State of Digital Identity: 2020” states that 47 percent of individuals have opened a new online shopping account, 31 percent have opened a new social media account and 35 percent a new online bank account in 2020. In addition, one third of consumers 75 years or older have opened a new online account in 2020.
Additional depressing statistics from that report state that one in five individuals have been affected by identity fraud this year and were informed that their personal information had been exposed following a data breach. As a result, one third of consumers have become more aware of and concerned about fraud and believe their personal information is exposed on the dark web.
GBG estimates that during the upcoming holidays, each online retailer will have to combat an average of 20,000 fraud attempts.
With these statistics in mind, a recap of tips to think about to protect yourself while online shopping during this holiday season may be helpful:
- Be wary of emails with unbelievable sales that ask you to click on embedded links or attachments
- When shopping online, visit the retailer’s actual website instead of a link that has been provided to you through an email
- Use a credit card and not your debit card for all online shopping
- Use a dedicated credit card for all online shopping so if there is a compromise of that credit card it is limited to that one credit card
- When asked if you want the online shopping site to save your credit card number, click “no thanks”
- Be wary of gift card promotions or requests
- Watch your credit card account statements closely
- Check your credit report frequently
During this holiday season, support your local retailers, shop safely and have a happy, safe and healthy Thanksgiving.
Today marks two weeks since Election Day 2020 in the U.S., when tens of millions went to the polls on top of the tens of millions who had voted early or by mail in the weeks leading up to November 3.
The whole affair was expected to be a hot mess of suffrage, what with a closely divided public and access to the world’s most powerful office hung on the outcome of voting in a few, key districts sprinkled across a handful of states. Election attacks seemed a foregone conclusion.
Election Attack, Anyone?
Memories of the 2016 Presidential contest are still fresh in the minds of U.S. voters. During that contest, stealthy disinformation operations linked to Russia’s Internet Research Agency are believed to have swayed the vote in a few, key states, helping to hand the election to GOP upstart Donald Trump by a few thousand votes spread across four states.
In 2020, with social media networks like Facebook more powerful than ever and the geopolitical fortunes of global powers like China and Russia hanging in the balance, it was a foregone conclusion that this year’s U.S. election would see one or more cyber incidents grab headlines and – just maybe – play a part in the final outcome.
But two weeks and more than 140 million votes later, while wild conspiracy theories about vote tampering are rampant in right wing media, predictions of cyber attacks on the U.S. presidential election have fallen flat.
From Russia with…Indifference?
So what happened? Did Russia, China and Iran decide to sit this one out, or were planned attacks stopped in their tracks? And what about the expected plague of ransomware? Did budget- and talent-constrained local governments manage to do just enough right to keep cyber criminals and nation state actors at bay?
To find out we invited two experts who have been following election security closely into the Security Ledger studios to talk.
Joining Allan in the studio is frequent Security Ledger podcast guest Adam Meyers, the Senior Vice President of Threat Intelligence at the firm CrowdStrike. CrowdStrike investigated the 2016 attack on the Hillary Clinton presidential campaign and closely monitors a wide range of cyber criminal and nation state groups that have been linked to attacks on campaigns and elections infrastructure.
To start out I asked both guests – given the anticipation of hacks targeting the US election – what happened – or didn’t happen – in 2020.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
The UK National Cyber Security Centre (NCSC) issued an alert on October 16, 2020, to raise awareness “of a new remote code execution vulnerability (CVE-2020-16952)”, which affects Microsoft’s SharePoint product. According to the alert, “successful exploitation of this vulnerability would allow an attacker to run arbitrary code and to carry out security actions in the context of the local administrator on affected installations of SharePoint server.”
The NCSC recommends applying security updates promptly, “but in this case the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities…against UK organisations…NCSC is issuing this alert to ensure that system owners are aware of this vulnerability and to ensure remediation actions are taken.”
According to the alert, the vulnerability affects:
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
It is important to note that SharePoint Online, which is part of Office 365, is not affected by the vulnerability.
The NCSC “strongly advises that organisations refer to the Microsoft guidance…and ensure the necessary updates are installed in affected SharePoint products. It is also important to keep informed of any possible updated future updates to the guidance…”
Hall County, Georgia reported on October 7, 2020, that it was the victim of a ransomware attack that disrupted some of its systems, including email and telephone services in public buildings and the sheriff’s offices. Last week, the county indicated that in addition to telephone and email services, the ransomware attack also affected the county’s election administration system that verifies voters’ signatures on absentee ballots.
The county states that the ransomware attack (believed to be DoppelPaymer malware) will not affect voters’ ability to cast ballots, but it could slow down the county’s ability to process absentee ballots. According to public reports, there have been 13,703 absentee ballots cast in Hall County as of October 23. This incident is being reported as the first example of a ransomware attack affecting the 2020 election.
The ransomware attack will not completely thwart the ability of election clerks to count valid ballots. The County is able to use a statewide signature database in the event that it is not able to get the County signature matching system up and running, and as a last resort, they can go back to the old days and match signatures with voters’ registration cards.
Predictions are that hackers will increase the frequency and variety of attacks until election day, on the theory that the closer an attack is to election day, the higher the chance of scoring a payment.
You probably heard about the recent hack of Twitter accounts that took place on July 15, 2020. The hackers took over several prominent Twitter accounts, which resulted in a scam that netted over $118,000 in bitcoin for the hackers. One of the most startling things about the cyberattack was that it was led by a 17-year-old along with his accomplices. The hackers took over the accounts of well-known individuals including Barack Obama, Kim Kardashian West, Kanye West, Bill Gates, Elon Musk and many others, and tweeted a “double your bitcoin scam” from these Twitter accounts directing people to send bitcoin to fraudulent accounts.
The New York Department of Financial Services (NYDFS) issued a detailed report last week regarding this hack into the social media giant. The report found that “the Twitter Hack happened in three phases: (1) social engineering attacks to gain access to Twitter’s network; (2) taking over accounts with desirable usernames (or “handles”) and selling access to them; and (3) taking over dozens of high-profile Twitter accounts and trying to trick people into sending the Hackers bitcoin. All this happened in roughly 24 hours.”
How did the hackers do it? According to the report, the first phase of the attack started with the hackers stealing credentials of Twitter employees the old-fashioned way by using social engineering. The hackers posed as Twitter IT employees and contacted several Twitter employees claiming there was a problem with Twitter’s Virtual Private Network (VPN). The report stated that the “hackers claimed they were responding to a reported problem the employee was having with Twitter’s Virtual Private Network (VPN). Since switching to remote working, VPN problems were common at Twitter. The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA [multi-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did.”
The hackers then went surfing within the Twitter system looking for employees with access to internal tools to take over accounts. This led to the second phase of the attack: taking over and selling access to original gangster (OG) Twitter accounts. According to the report, an OG Twitter account refers to accounts designated by a single word, letter, or number and adopted by Twitter’s early users. The hackers discussed taking over and selling the OG accounts in various online chat messages. On July 15, the hackers “hijacked multiple OG Twitter accounts and tweeted screenshots of one of the internal tools from some of the accounts to the accounts’ respective followers.”
The final phase of the hack involved taking over various cryptocurrency company accounts and directing users to a link to a scam bitcoin address. According to a tweet sent out by Twitter on July 16, approximately 130 accounts of high-profile verified users (those Twitter accounts that you see with the blue check mark) were taken over by the hackers with tweets asking people to send bitcoin, with the promise that the high-profile user would double the amount to be given to a charity. The bitcoin address was fraudulent, the tweets were not sent by the actual users, and the hackers were able to collect more than $118,000 in bitcoin.
The NYDFS began its investigation because the cryptocurrency companies are regulated entities. According to the report, the department instructed the cryptocurrency companies to block the hackers’ bitcoin addresses if they hadn’t already done so. This move prevented over a million dollars’ worth of fraudulent bitcoin transfers.
We write all the time about the critical importance of cybersecurity practices and protocols such as multifactor authentication, employee training regarding phishing, and using secure passwords. The general consensus appears to be that the Twitter hack was not a sophisticated one, but that the hackers knew what they were after and knew how to accomplish their goal. The NYDFS report stated that “the Twitter Hack is a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals. The Hackers’ success was due in large part to weaknesses in Twitter’s internal cybersecurity protocols.”