Marriott International has been fined the equivalent of $34 million by the U.K. Information Commissioner for failing to keep the personal data of over 300 million customers secure. That's a drop from the initially proposed fine of about $170 million.
Ontario’s new advisory panel on improving cybersecurity maturity of municipalities, school boards, hospitals and other provincially-funded agencies has agreed as a first step that its final report will encourage organizations to take a risk-based approach to their efforts.
However, how the panel will recommend the government put teeth into that has yet to be determined.
In an interview Wednesday shortly after the panel’s first meeting, chairman Robert Wong — executive vice-president and chief information officer of Toronto Hydro — said a risk-based approach is what the Ontario Energy Board (OEB) mandated the 65 local electric distribution companies like Toronto Hydro to do starting in 2018.
Each company has to fill out an annual Readiness Report on its cyber and privacy risk status.
The self-assessment uses the Ontario Cybersecurity Framework’s security controls. It’s a framework similar to the U.S. National Institute of Standards and Technology’s (NIST) cyber framework for measuring an organization’s risk level. The Readiness Report shows each distribution company has established cybersecurity objectives and assessed its current capability in meeting those objectives.
Asked if his panel might recommend the same for the broader public sector, Wong said it’s possible, but he didn’t want to presume what the panel would decide.
Financially-strapped public agencies would welcome cash to help hire infosec pros and buy equipment. On that topic, there was some hope from panel member Marc Coyle, IT manager for the City of Belleville. He spoke Wednesday briefly during a session of the annual cybersecurity conference of the Municipal Information Systems Association (MISA) of Ontario.
At Wednesday’s panel meeting, he recalled government officials saying, “funding cyberinfrastructure is a priority.”
Asked about that statement, Wong was cautious. “I didn’t hear it specifically in those terms. I think they acknowledged funding will be a consideration, but there are no specifics about that.”
What publicly-funded organizations don’t want, Wong suggested, is “a list of best practices.” Rather, he said, they want a roadmap to becoming more cyber mature. Many smaller organizations “are struggling to understand what their risks are.”
The advisory panel’s final report is due in two years, although Wong said it might issue interim reports.
Known as the expert panel on cybersecurity in the broader public sector (BPS), it was announced on Oct. 25 by Minister of Government and Consumer Services Lisa Thompson.
Wong said that at Wednesday’s meeting, Thompson asked the panel to assess and identify common and sector-specific cybersecurity challenges faced by BPS organizations and make recommendations on a provincial cybersecurity strategy.
“Our government is committed to strengthening our cybersecurity infrastructure,” Thompson said when the panel was announced. “As the threats of cyberattacks and hacking become more frequent globally, it’s imperative that we take action now to improve our defences within the broader public sector. Leveraging the skills and expertise of our panel members will allow us to strengthen the resiliency of our digital infrastructure as we collectively move more government programs and services online.”
The province has a number of tools at its disposal, including making grants or tax deductions to agencies for hiring more staff or buying cybersecurity software and hardware. It could also encourage sectors to follow the lead of Ontario’s universities and colleges, which share a CISO. The position could be supported by provincial funding.
The panel appointment comes as cyberattacks, particularly ransomware, are increasingly victimizing hospitals, universities, and schools.
In addition to Wong, the panel includes:
- Derek Bowers, chief information technology officer of the Town of Wasaga Beach;
- Marc Coyle, manager of information technology at the City of Belleville;
- Scott Currie, chief information officer at Toronto’s Hospital for Sick Children;
- Adam Evans, vice-president of cyber operations and CISO at the Royal Bank;
- Helene Fournier, executive director of Valoris for Children and Adults of Prescott-Russell;
- Antoine Haroun, chief information officer of the Peel District School Board;
- Andrew Kirsch, founder of Kirsch Consulting Group;
- Carolyn Glaser, information technology services manager for the Thames Valley District School Board;
- Isaac Straley, CISO of the University of Toronto.
Wong said the invitation to be on the panel came suddenly in an email a few months ago.
Due to the COVID pandemic, Wednesday’s first panel meeting was held online, and Wong expects much of the panel’s work will also be done virtually. The next session is scheduled for February. In the meantime, the panel will liaise with a working group of bureaucrats who will gather the requested information.
The post Ontario advisory cyber panel to urge public sector bodies to focus on risk-based strategies first appeared on IT World Canada.
Christopher Kayser admits he was once suckered by a phishing lure, which is ironic considering he’s a cybersecurity consultant, researcher and author of a recent book that tries to explain why people fall for such scams.
It was supposedly an email from an airline he regularly uses, Kayser said in an interview from his Calgary home. The email featured special pricing on fares. He clicked a link. Nothing happened, but that’s because the malware was silently downloading.
“And I looked at the screen and thought, ‘You silly bugger.’”
No serious harm was done. It did mean Kayser was one of the thousands of people around the world who have been duped since the age of the personal computer began. And it sort of makes him competent to write about social engineering.
His message to anyone with a computing device is “don’t be quick to click,” which, of course, he was that day.
“I try to tell people to slow down, think about what they’re looking at, understand that they have to be right every time they touch a keyboard, but the cybercriminal only has to be right once. And that one time can change your life if you lose your identity, your social insurance, if your bank account gets cleaned out, or if your credit gets ruined.
“So what I wanted to do is write a book that did two things: One is helping people that weren’t super-literate in how to protect themselves as best they could using technology [and] to remind people that becoming too close to technology is not necessarily a good thing. Sometimes the more advanced we get the less cautious we become, and that can be catastrophic.”
His book, Cybercrime through Social Engineering, is a 290-page distillation of cybercrime (hacker tools, ransomware, CEO scams, phishing, the phases of an attack) and of how people and organizations can protect themselves (multi-factor authentication, cyber insurance, penetration testing, the need to create effective cyber policies). Non-tech managers and individuals will find it a useful introduction to a vast subject and to the warning signs to look for.
The centre of the book is a concept Kayser and a Boston University colleague are developing called Required Elements for a Social Engineered Cyber Attack Theory (RESCAT) to explain how users of technology react to social engineering attacks.
Briefly, they believe two factors — human nature and human curiosity — determine what people will do when faced with an enticement. As many infosec pros know by now, attackers try to manipulate people through emotions including fear, urgency, greed, guilt, helpfulness and obedience. But they also believe generations play a role in decision-making. For example, Traditionalists, those born before 1945, are cautious and less likely to click. Younger groups who are more at ease with technology and think rules don’t apply to them may be more trusting. Which is why, Kayser writes, a “one-presentation-fits-all” approach won’t be effective.
There’s a lot of research and testing of the model to be done, Kayser acknowledges. But if it’s accurate, he says it could help develop awareness programs that make users of technology more alert when faced with something that looks convincing.
Actually, it wasn’t that supposed airline fare offer that triggered Kayser to write a book. It was a CBC interview with a firewall vendor who said his product catches 92 to 98 per cent of cyberattacks. Asked about the rest, the rep said it was up to the user to catch. “That just about floored me,” Kayser said, figuring it left a “staggering” number of people who could face a cyber attack.
‘People need to know’
“Think of 4 billion people around the planet who are using smartphones, computers and look at cybercrime rates, look at legislative restrictions that inhibit the ability of law enforcement to successfully detect, charge, extradite, prosecute cybercriminals. Look at the wealth, look at the Darknet. Look at the risk-reward that goes on with being a cybercriminal.
“You have, I think, the most invasive and destructive form of crime in history going on and people need to know about this. They need to know how to reduce the rate of potential cyber victimization and how to become more cyber safe and cyber-savvy to the best of their ability,” said Kayser.
A 23-year veteran of the computer industry who started as a programmer and rose to become lead manager for a software project for a major Canadian bank before switching careers to manage financial portfolios, Kayser did well enough to go into semi-retirement. Then he studied criminal justice, eventually earning a Master’s degree at Boston University in criminal justice and cybercrime.
“Social engineering is ingrained in us,” he said, meaning at a young age people learn to manipulate others for a reward: Babies cry until they get fed, children throw tantrums until they get a toy. Parents tell their teenagers, “Clean your room and we’ll go to McDonald’s.” Bill Gates, Kayser observed, once said he uses “negative motivation” to spur employees.
Gullibility and forced habit
Still, after years of (sometimes sporadic) corporate awareness training and news articles, users still fall for scams. “It’s a combination of gullibility and forced habit,” Kayser said. “There are assumptions people make.” One is that IT manufacturers are doing everything possible to make sure people aren’t victims. Another is that their ISP is doing absolutely everything in its power to make sure nothing resembling malware gets through. That’s part of his RESCAT theory. Many assume, “The world is looking out for me.”
Another factor is people are in a rush. Many successful cyberattacks happen on a Monday when people come into the office to face a pile of emails. Staff want to be efficient. They read too fast, there are distractions and the caution that they might exercise on other days is gone.
It would help, Kayser says, if cyber awareness was taught in early grades.
Advice for CISOs
Asked what effective corporate cyber awareness training looks like, he pointed to efforts by Canadian banks. In one institution, keyboards have been configured to have a button staff can push to alert IT if they get a suspicious email. But organizations also have to set and enforce responsible use of technology, he said, such as refusing to allow personal surfing during working hours.
And beyond training it may be necessary to make corporate directors responsible for security incidents, he added. Meanwhile, CISOs have to understand that everybody is busy and stressed, particularly today.
“Most people are trying to do the best they can within the organization, but their priority is not cyber safety and cyber awareness … So it falls upon the CISO to develop education programs and processes that can safeguard employees through automatic processes as well as supplying employee education about the real risk of potential cyber victimization.”
Training needs to be tailored to the audience, he stressed.
The post Canadian cybercrime expert looks into the depths of social engineering first appeared on IT World Canada.
With human error being a leading cause of data breaches, organizations are putting more emphasis than ever on security awareness training.
But Canadian municipal infosec leaders were warned Tuesday that scaring employees into obedience won’t work.
In fact, argued James Norrie, CEO of CyberconIQ, a Pennsylvania-based threat awareness learning platform, CISOs need to understand human nature and the things that trigger the seemingly irresistible urge to click on a link or open that attachment.
“You have to make it OK to be vulnerable around cybersecurity in your organization,” he told the annual security conference of the Ontario wing of the Municipal Information Systems Association (MISA), being held this year online.
“To do that, you don’t want to sling fear and the fear of consequences,” he said in the keynote address. Phishing tests aim to catch people doing something wrong, he argued, which doesn’t help the mindset of staff. “So instead of reporting failure rates, report pass rates and talk about how you’re going to use this (training) to bolster people’s understanding of cybersecurity as a team sport.”
Most organizations have technology that will catch up to 92 per cent of cyber threats, he said. No amount of technology will catch the remaining eight per cent or so. But if employees can be taught not to execute on the attack, “then you can’t be compromised.”
Norrie, who also teaches cybersecurity at York College in Pennsylvania, argues awareness training has to be customized to employees rather than be generic. People can be broken down into four types, he said:
- “Risk Breakers,” who are happy following rules. But that makes them vulnerable to what Norrie called “deep fake” attacks seemingly from someone in authority who asks them to break the rules, like change the bank account money is sent to. Fortunately, because much of generic awareness training involves following a set of rules, they are the easiest group to train. Broadly they represent 38 to 40 per cent of employees;
- “Risk-Takers,” who represent 12 to 15 per cent of employees, want to comply with company rules but are more risk-tolerant and will make selective exceptions to rules. They may be vulnerable to cons involving fake “emergency or urgency” pleas;
- “Risk Shakers,” who like the freedom of choosing when to break the rules;
- “Risk Makers,” who trust their judgment, so rule-based training doesn’t work as well for them. They are likely to be fooled by what Norrie called “affiliated attacks,” such as from fake people on LinkedIn.
An effective awareness program will be tailored to offer specific training to these groups explaining why they are vulnerable to certain threats, Norrie said, by showing the context of a vulnerability. What it doesn’t involve, he stressed, is knowledge about technology.
Infosec pros enjoy the challenges of technology because it’s largely controllable, predictable and outcomes can be predicted, he said. However, he added, they need to understand human factors are much less predictable.
The COVID pandemic and the increase in staff working from home have made this work, Norrie argued. When working in the office, staff may be more cyber-aware than when working from home, with all its distractions.
“The entire public sector needs to be aware that everything they do has to reduce the probability of a successful cyberattack, reduce the total cost of a successful attack when it occurs” including everything from having cyber-secure policies and an incident response plan to cyber insurance. The goal is to build a cyber aware culture. “We have to make good cyber behaviour as natural as ‘Look both ways before we cross the street.’”
But CISOs “have to stop slinging fear,” Norrie maintained.
The post MISA Ontario 2020: Raise cyber awareness by targeted training, expert says first appeared on IT World Canada.
One of Canada’s oldest steel manufacturing firms says it has been hit with an undefined cyberattack.
In a statement released Sunday afternoon, Stelco said it was “subject to a criminal attack on its information systems.”
“In response, Stelco immediately implemented countermeasures in accordance with established cybersecurity procedures and policies that have been developed in collaboration with expert external advisors,” the statement reads. “The countermeasures taken were effective and limited the scope of the attack. Certain operations, including steel production, were temporarily suspended as a precautionary measure but have since resumed operations.”
The release also said Stelco is working with police to investigate the attack.
Stelco has facilities located in Hamilton and Nanticoke, Ont., that produce high-quality value-added hot rolled, cold rolled and coated sheet steel products used in the construction, automotive and energy industries across North America. Its parent company, Stelco Holdings Inc., is listed on the Toronto Stock Exchange.
Asked for comment, vice-president of corporate affairs Trevor Harris said the company had nothing more to say beyond what was in the release.
The statement said that Stelco continues to investigate the incident and the extent of the impact on its systems. Its backup and recovery plans were being implemented Sunday to fully re-establish its systems as quickly as possible. However, it added, some business functions may be adversely affected during this recovery process.
In its annual results released Feb. 18, the parent company Stelco Holdings Inc. said for the calendar year 2019 net earnings were $10 million on $1.8 billion of revenue, compared to net earnings of $253 million for 2018. During the year it shipped 2.4 million tons of steel products compared to 2.6 million tons for 2018.
The company suffered a net loss of $24 million on revenue of $435 million in the fourth quarter of 2019, in part due to what it called “an unprecedented drop” in average steel prices. In the first quarter of this year it lost another $24 million, while net income was zero in the second quarter.
‘Ask what is responsible, not who’ when there’s a cyber incident, says one expert.
The post SecTor 2020: Don't point a finger too fast after a hack, says expert first appeared on IT World Canada.
A Quebec-based consulting engineering firm has been awarded $160,000 to develop a model to help protect industrial control systems (ICS) of Canadian energy companies from cyber attacks.
The post Quebec firm gets $160,000 to develop ICS risk framework for energy sector first appeared on IT World Canada.
An attractive blonde follows a man onto an office elevator. “Nice to see you again,” she says to him.
He pauses. She must be right, he figures, so he smiles back. Then she compliments him on his scent.
The elevator arrives at his floor, which is security controlled. He inserts his access card into a slot in the elevator panel, and when the doors open, he turns to the woman and says, “Ladies first.”
The blonde is Paula Januszkiewicz, CEO of Cqure Inc., a Polish-based penetration testing and auditing company, who has just accomplished the first part of her assignment: Get unauthorized access to a customer’s office.
It’s lunchtime at the office she just entered. Staff are leaving their desks. Company policy is employees should make sure PCs are logged off the network before leaving computers unattended to prevent what is about to happen. Even if they forget, machines are configured to log off after five minutes. One staffer leaves his computer on. Januszkiewicz sits at his desk. She yawns or coughs, enough so other staff see a stranger sitting at someone’s desk. No one comes over to ask who she is.
So Januszkiewicz is free to insert a specially created USB key and hack into the system.
There’s a lesson from this incident, Januszkiewicz told the SecTor 2020 virtual conference on Wednesday: If an attacker does things with confidence, they may get through anything from physical security to anti-phishing filters.
As the keynote speaker for this year’s conference, Januszkiewicz emphasized the importance of understanding how cyber attackers see your infrastructure: as an object to be manipulated through knowledge of human behaviour.
Behaviour like being lazy in picking passwords. On assignment to penetrate an energy company Januszkiewicz found no problem guessing some employee passwords. She assumed at least one person would use the firm’s name and just add “2020.” She was right. Twenty-nine of 6,000 employees had that password.
Other bad user behaviours hackers take advantage of include:
- Falling for dropped USB scams. One study showed 90 per cent of people who find USB drives with a company logo in a parking lot will plug it into a company computer to find out who it belongs to. In fact, 60 per cent will do it even if there is no logo. Infected USB devices could run unapproved code. One solution is a whitelisting policy that prevents unapproved code from executing;
- Falling for phishing and clicking on infected attachments. There’s no shortage of examples, but Januszkiewicz spoke of a new one: A seemingly empty Excel spreadsheet with an infected picture hiding behind an empty cell. If an employee clicks on a cell trying to see if the spreadsheet has hidden information, the malware executes. One solution is strict access management to prevent admin accounts from being taken over by malware;
- Hacking lost smartphones. Seventy per cent of smartphone owners don’t password-protect their devices, one study shows. One solution: A strict company policy of reporting the loss of company or personal devices that access corporate data;
- Careless use of public Wi-Fi with devices that access corporate data. One solution: better user awareness training.
Thinking like a hacker, Januszkiewicz said, will allow organizations to design successful cybersecurity strategies.
A New York state regulator has slammed Twitter for poor cybersecurity protection that allowed young hackers to seize control of several celebrities’ accounts in July to run a “double your bitcoin” scam.
“Given that Twitter is a publicly-traded, US$37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account,” said the report by the Department of Financial Services.
“Indeed, the hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter’s Information Technology department. The extraordinary access the Hackers obtained with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences. Notably, the Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors.”
In particular, it slammed the company for not having a CISO for seven months before the attack. “A lack of a CISO sends the message that cybersecurity is not a top priority from senior leadership,” says the report.
The hackers — who are facing criminal charges — took over the Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk, as well as Twitter accounts of several cryptocurrency companies regulated by the New York State Department of Financial Services.
What worries the regulator is there are well-documented examples of social media being used to manipulate markets and interfere with elections, often with the simple use of a single compromised account or a group of fake accounts.
“The Twitter Hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies. But our public institutions have not caught up to the new challenges posed by social media. While policymakers focus on antitrust and content moderation problems with large social media companies, their cybersecurity is also critical. In other industries that are deemed critical infrastructure, such as telecommunications, utilities, and finance, we have established regulators and regulations to ensure that the public interest is protected. With respect to cybersecurity, that is what is needed for large, systemically important social media companies.”
The attack started on the afternoon of July 14 when one or more hackers called several Twitter employees and claimed to be from the company’s help desk responding to a reported problem the staffer was having with Twitter’s virtual private network. Since switching to remote working, VPN problems were common at Twitter. The hackers then tried to direct the employee to a phishing website that looked identical to the real Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, they would simultaneously enter the information into the real Twitter website.
For protection, Twitter strengthens logins by making employees use multi-factor authentication. However, because the hackers were logging into the real site, if a staffer entered their MFA code on the fake site, the attackers could copy it into the real site.
To aid the attack, the hackers used personal information about the employees to convince them that the callers were real Twitter staff and could, therefore, be trusted. The report doesn’t say how the attackers got this information, other than speculating that they did research to identify staffers and their titles.
Some were suspicious
While some employees were suspicious and reported the calls to Twitter’s internal fraud monitoring team, at least one employee fell for the scam. Getting into this person’s corporate account didn’t get the attackers what they wanted, which was the ability to take over celebrity Twitter accounts. They took the time to wander around Twitter’s internal websites and learn more about the company’s systems. That gained them information about how to access other internal applications.
On July 15, the hackers targeted Twitter employees who had access to certain internal tools to help take over accounts. Some of them were part of the department responsible, in part, for responding to sensitive global legal requests, such as court orders or content removal requests, as well as for developing and enforcing policies to prohibit abusive online behaviour.
Initially, the hackers went after valuable so-called “original gangster” (“OG”) Twitter usernames, which are usually designated by a single word, letter, or number and adopted by Twitter’s early users. Access to a hijacked OG account could be resold for bitcoin. To show off their prowess, the hackers tweeted screenshots of one of the internal tools from some of the accounts.
Next, the hackers upped their game, going after “verified” accounts of well-known people who want the blue verified badge as a source of authenticity. A hacked verified account would make fraudulent demands for bitcoin appear more legitimate. The first hijacked verified account belonged to a cryptocurrency trader; direct messages were sent from that account asking for 0.01 bitcoin in exchange for trading information. After hijacking Twitter accounts of cryptocurrency exchanges, the hackers sent tweets suggesting a bitcoin giveaway, with a link to a scam address. Finally, the attackers gained access to verified accounts of celebrities and fired tweets with the scam offer to millions of their followers.
Exchanges moved quickly
Overall, 130 Twitter user accounts were compromised. Of those, 45 accounts were used to send tweets. Hackers also downloaded data from seven of those accounts through Twitter’s “Your Twitter Data” (“YTD”) tool, which provides a summary of a Twitter account’s details and activity.
The report says the hackers stole approximately US$118,000 worth of bitcoin through the scam.
The report credits cryptocurrency exchanges whose Twitter accounts were hacked with responding quickly to block impacted addresses after being notified by the regulator. Still, Gemini, Square, and Coinbase said that a handful of customers fell for the scam and transferred $22,000 in bitcoin to the hackers’ accounts.
But it came down hard on Twitter, particularly for not having a CISO for seven months before the hack. “A lack of strong leadership and senior-level engagement is a common source of cybersecurity weaknesses. Strong leadership is especially needed in 2020 when the COVID-19 pandemic has created a host of new challenges for IT and cybersecurity. Like many organizations, in March, Twitter transitioned to remote working due to the pandemic. This transition made Twitter more vulnerable to a cyberattack and compounded existing weaknesses.”
‘Didn’t implement significant compensating controls’
Early in the year, the department issued guidance to its regulated firms to identify and assess the new security risks created by remote working because of the pandemic, the report indicated. But Twitter was dragging its heels.
“Twitter did not implement any significant compensating controls after March to mitigate this heightened risk to its remote workforce, and the hackers took advantage.
“To its credit, Twitter has advised the Department that it is now implementing additional security controls to prevent similar attacks in the future, such as improved MFA and additional training on cybersecurity awareness, and in late September 2020, it announced the hire of a new CISO. But the consequences of the Twitter Hack show why it is critical for Twitter and other social media companies to implement robust controls before they experience a cyber incident, not after.”
Among the report’s recommendations are that cryptocurrency exchanges have to proactively identify and quickly block addresses known to be used by fraudsters. It also says that — where possible — some companies are restricting cryptocurrency asset transfers only to addresses that have already been approved. However, adding a new address can take a day or more.
“Twitter’s access management and authentication failed to prevent unsophisticated hackers from getting to the powerful internal tools,” the report notes. While Twitter limited access to the internal tools, over 1,000 employees still had access to them for job functions, user account maintenance and support, content review, and responses to reports of Twitter Rules violations. Since the hack, Twitter has further limited the number of employees with access to internal tools, even though it caused a slowdown of some job functions.
The report also says Twitter has abandoned application-based MFA in favour of a physical security key.
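The report's description of the attack (a lookalike VPN login page relaying credentials and the one-time MFA code into the real site) and Twitter's subsequent move to physical security keys both come down to one property: whether the second factor is bound to the origin the user is actually on. The following simulation is an added example, not code from the report or from Twitter; the domains, the HMAC stand-in for the authenticator's signature and the relying-party checks are all constructed here to show why a relayed one-time code verifies but a relayed WebAuthn assertion does not.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time
from typing import Tuple

# Constructed placeholder origins; not the real domains from the incident.
REAL_ORIGIN = "https://vpn.example.com"
LOOKALIKE_ORIGIN = "https://vpn-example.com"
RP_ID = "vpn.example.com"

# Stand-in for the security key's credential key. Real WebAuthn uses an
# asymmetric signature verified with the registered public key; HMAC is used
# here only so the example runs with the standard library.
CRED_KEY = secrets.token_bytes(32)
TOTP_SECRET = secrets.token_bytes(20)  # shared secret of an app-based code


def client_data(challenge: bytes, browser_origin: str) -> bytes:
    # The browser fills in "origin" from the page it is really showing;
    # page script (or a phishing proxy) cannot override it.
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": browser_origin}, sort_keys=True).encode()


def authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    # The key signs authenticatorData || SHA-256(clientDataJSON), so the
    # origin the browser observed is covered by the signature.
    cd = client_data(challenge, browser_origin)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash + UP flag
    signed = auth_data + hashlib.sha256(cd).digest()
    return {"client_data": cd, "auth_data": auth_data,
            "sig": hmac.new(CRED_KEY, signed, hashlib.sha256).digest()}


def rp_verify(assertion: dict, issued_challenge: bytes) -> Tuple[bool, str]:
    # Relying-party checks in the order the WebAuthn spec lists them.
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def totp(secret: bytes, now: float = None, step: int = 30) -> str:
    # RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamic truncation.
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return "%06d" % code


def verify_totp(code: str, now: float = None) -> bool:
    # Typical server tolerance of one step either side. Nothing here says
    # where the code was typed, which is the property the relay abuses.
    t = time.time() if now is None else now
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, t + d)) for d in (-30, 0, 30))


def genuine_webauthn() -> Tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_sign(challenge, REAL_ORIGIN), challenge)


def relayed_webauthn() -> Tuple[bool, str]:
    # The real site issues a challenge, the lookalike page forwards it, but the
    # victim's browser stamps the lookalike origin into clientData.
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_sign(challenge, LOOKALIKE_ORIGIN), challenge)


def relayed_totp() -> bool:
    # A code typed into the fake page and retyped on the real one inside the
    # same time step is indistinguishable from a legitimate login.
    return verify_totp(totp(TOTP_SECRET))


if __name__ == "__main__":
    print("genuine security key:", genuine_webauthn())
    print("relayed security key:", relayed_webauthn())
    print("relayed one-time code accepted:", relayed_totp())
```

The origin check is what makes the "improved MFA" in the report's account resist the help-desk relay; a code-based second factor has no equivalent field to check.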
Finally, the report suggests a U.S. federal regulator be created to oversee social media platforms. “The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions,” it argues. “The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach.”
The post Twitter slammed by U.S. regulator over bitcoin scam first appeared on IT World Canada.
Six members of Russia’s military intelligence unit have been accused of being behind some of the biggest known cyberattacks, including the NotPetya wiper, which caused over $1 billion in losses around the world, and malware that twice knocked out power to large parts of Ukraine.
The U.S. Justice Department said Monday that a federal grand jury in Pittsburgh returned an indictment accusing the hackers and their co-conspirators of conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.
The alleged purpose of the attacks was to support Russian government efforts to undermine, retaliate against, or destabilize:
- The neighbouring countries of Ukraine and Georgia;
- The 2017 elections in France. It’s alleged the conspiracy included spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments;
- Efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, in the U.K. This relates to April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens;
- The 2018 PyeongChang Winter Olympic Games in South Korea after Russian athletes were banned from participating under their nation’s flag as a consequence of a Russian government-sponsored doping effort. This refers to cyberattacks, which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners and visitors, and International Olympic Committee (IOC) officials.
The New York Times quoted the Russian Embassy in Washington as strongly denying the allegations. “It is absolutely obvious that such news breaks have no bearing on reality and are aimed at whipping up Russophobic sentiments in American society, at launching a ‘witch hunt’ and spy mania, which have been a distinctive feature of the political life in Washington for several years,” the embassy’s press office said.
The six allegedly were behind the KillDisk and Industroyer malware, which caused blackouts in Ukraine in December 2015 and December 2016; the NotPetya wiper worm, which caused nearly $1 billion in losses to three companies alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.
All are alleged to be officers in Unit 74455 of the Russian Main Intelligence Directorate of the Russian army (GRU). They are believed to be in Russia and unlikely to ever face trial in the U.S.
Released in 2017, NotPetya is believed to have been originally aimed at people in Ukraine because those behind it began by compromising the update mechanism for a Ukrainian tax software called MEDoc. But experts believe it escaped to infect computers in 65 countries that hadn’t installed a Windows patch Microsoft had recently released. That led to many infosec pros arguing that good patch management could have stopped the spread of the worm.
Among the companies whose IT systems were badly battered by the worm were shipping company Maersk, FedEx’s TNT division in Europe and pharmaceuticals manufacturer Merck. Merck was quoted as initially estimating recovery costs would hit US$175 million, plus another $135 million in lost sales. FedEx initially claimed it lost US$400 million due to lost business.
Merck made a cyber insurance claim for US$1.3 billion to cover restoring or replacing servers and PCs and loss of business. However, its insurers have refused to pay, arguing the incident was an act of war. The dispute is still before U.S. courts.
Less than a year later, U.K. government cyber analysts pointed the finger at Russia, a conclusion Canada agreed with.
Cybersecurity researchers have called the gang behind these attacks by various names, including “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking.”
“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” National Security Assistant Attorney General John Demers said in a statement. “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”
“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI deputy director David Bowdich. “But this indictment also highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them. As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”
U.S. authorities thanked the governments of the U.K., Ukraine, Georgia, New Zealand and South Korea for their help, as well as Google, Cisco Systems, Facebook and Twitter.
The post Six Russian military officers indicted by U.S. grand jury for huge cyber attacks first appeared on IT World Canada.
For more than 20 years, countries have been trying to negotiate some way to bring order over cyberspace. During those years cyberattacks have only increased.
In fact, for the past three years, two United Nations bodies — the Group of Governmental Experts (GGE) and the Open-Ended Working Group on security (OEWG) — have separately been working on the same governance issues, with little progress to show. This is often portrayed as fighting between Western and authoritarian governments.
However, some experts, including Josh Gold, a former research assistant at the University of Toronto’s Citizen Lab who specializes in cyber governance, think a quiet proposal by France and Egypt earlier this month may pave the way to getting something done.
Called a Programme of Action on Advancing Responsible State Behaviour in Cyberspace (PoA for short), it suggests creating a new body that can split governance into several issues to be dealt with individually. Where there is consensus, countries will start acting. Where there isn’t, those issues will be left alone.
A problem with both the GGE and the OEWG is that they rely on consensus. If one country objects, resolutions fail. A cyber PoA gets around that. Its goal would be urging countries to implement cyber principles they agreed to in 2015.
It’s one of several suggestions for ending the dual-track GGE and OEWG talks on norms for cyberspace and moving to a single body. The future of the OEWG will be discussed in December.
If there is unanimous approval the PoA proposal could be part of the OEWG’s final report, which is scheduled for release in March 2021.
A cyber PoA “could eliminate redundancy, duplication, and the added cost of having two bodies dealing with essentially the same thing,” Gold, who just left Citizen Lab, said in an interview last week.
Gold said the proposal hasn’t even been finalized or officially made public. Among diplomats, it’s called a “Food for Thought” document. However, it is getting notice.
Earlier this month a blog by two French researchers argued that a cyber PoA “allows for concrete discussions and progress within working groups devoted to specific issues.” In that sense, they wrote, it could combine the best of the Group of Experts and the Open-Ended Working Group.
Gold also said Australia recently released an informal discussion paper outlining the pros and cons of the proposal.
Meanwhile, Russia, which insisted in 2018 on creating the OEWG on security, is now proposing creating a new Working Group with a five-year mandate. To some that essentially would keep countries just talking.
By contrast, the cyber PoA, which is based on a 20-year-old UN program for limiting the international distribution of small arms, is aimed at accomplishing goals. The suggestion is it would start with a “political declaration” reaffirming that international law applies in cyberspace and the 11 norms of responsible state behaviour in cyberspace agreed by consensus in the 2013 and 2015 GGE sessions. Crucially, the 2015 agreement was adopted by the entire UN. After that, the goal of the PoA would be getting countries to implement what has already been agreed to.
Briefly, the 2015 GGE:
- Recognizes that the principles of state sovereignty, the settlement of disputes by peaceful means, and non-intervention in the internal affairs of other States apply to cyberspace.
- Recognizes that states must comply with their obligations under international law to respect and protect human rights and fundamental freedoms.
- Agrees that the UN should play a leading role in developing common understandings on the application of international law and norms, rules and principles for responsible State behaviour.
- Agrees with other norms, rules, and principles on the responsible behaviour of States. One is that countries should not conduct cyber activity that intentionally damages critical infrastructure. Another is that states should not harm authorized computer emergency response teams (CERTs).
A cyber PoA would focus on how countries are implementing these principles. The suggestion is it would meet every year, with nations publicly presenting their progress. The world would see who isn’t progressing. Every five years there would be a consensus-based review conference, which would potentially allow the introduction of new norms or resolutions.
So far 40 countries have signed on to the proposal including Egypt, Singapore, Japan, Norway, Ecuador, Gabon, the United Kingdom and the European Union. Canada and the U.S. aren’t among them.
In response to a question from IT World Canada, Global Affairs Canada said the government is interested in the Programme of Action proposal. “The proposal offers a way forward that would allow the UN and the international community to focus on implementing the acquis of previous UN Groups of Governmental Experts when it comes to norms of State behaviour, confidence-building measures and the applicability of international law in cyberspace.
“Canada welcomes the broad and diverse support that this proposal has received among UN member States and looks forward to discussing this proposal in more detail at the December 1-3 OEWG informal meeting, which will focus on the future UN cyber mechanism.”
A separate UN body is also looking at possible rules to smother cybercrime. Called the ad hoc committee of experts on cybercrime, it was created in December 2019. Before COVID-19, it had been scheduled to meet in New York in August 2020. So far, Russia has support for a resolution proposing the creation of a global cybercrime treaty. However, Global Affairs Canada says Canada and others believe nations should use existing tools. One of them is the 2004 Budapest Convention, which sets out common procedures for law enforcement co-operation in cybercrime cases. One expert says Russia’s attempt to get a treaty advances its long-standing goal of replacing the Budapest Convention.
The GGE approach had been showing promise until 2017 when countries failed to reach a consensus on a final report.
Gold was watching the OEWG as part of his work for Citizen Lab, even attending three sessions as an observer in New York before the pandemic shut down in-person meetings. In a column for the Council on Foreign Relations, he summarized proposals made to the OEWG in April.
About 120 countries have either joined statements of others or given statements, he said. “That’s been really valuable for different countries to hear what others are thinking, and it helps with the back and forth. A lot of countries understand things better. Not every country has diplomats who have been dealing with cybersecurity issues for decades, so this [discussion] helps get other countries on the same level. The whole group serves as a confidence-building measure in that when things are tense or when views are misunderstood there’s a forum where countries can get together and speak.”
At the moment the second draft of a final resolution is circulating. Canada is among the countries proposing changing certain wording of the draft including guidance on implementing the norms agreed to by the 2015 GGE.
Since physical meetings of the OEWG have been replaced with phone calls it’s hard to assess the mood, Gold said. There are new proposals from the informal September meetings, but he says the movement is “stagnating.” There are also meetings proposed for November and December.
Asked if at this point there is a movement to the necessary consensus, Gold said, “based on what I’ve heard from diplomats they give it a one out of three or 50/50 chance of a [final] report.”
The post Proposed new body may break UN logjam over cyberspace governance first appeared on IT World Canada.
Experts offer advice for improving cyber awareness training, including securing leadership from management, making training ongoing and creating a culture of awareness.
The post Cybersecurity Awareness Month: Advice from five experts first appeared on IT World Canada.
UK Information Commissioner finds airline's failure to protect personal data 'unacceptable'
Microsoft says it, and several tech companies, have at least temporarily taken down the Trickbot botnet, a Russian-based network of devices that has infected more than a million computers since 2016 and is behind scores of ransomware attacks.
“We disrupted Trickbot through a [U.S.] court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” Microsoft said in a statement Monday. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
Microsoft says these moves represent a legal approach that its Digital Crimes Unit is using for the first time to get the court order: Copyright claims against Trickbot’s malicious use of its software code. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”
Criminals being well-funded and with the ability to find other systems to host their malware, it isn’t clear how long Trickbot will be out of commission. In fact, Microsoft took care to say it has “disrupted” the botnet. “We fully anticipate Trickbot’s operators will make efforts to revive their operations,” Microsoft acknowledged, adding, “we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.”
Cyber criminals are tenacious. The rebirth of the Emotet botnet in 2019 is a recent example. It was down for four months after its command and control (C&C) servers had been shut down — either by law enforcement or a security researcher. But the operators may have shut it down themselves to rebuild the infrastructure.
UPDATE: ZDNet reports that the Trickbot operators have replaced the seized domains and command and control servers with new infrastructure.
In a statement, ESET said that over the years Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets. “Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally,” said Jean-Ian Boutin, the company’s head of threat research.
“Throughout its existence, this malware has been distributed in a number of ways. Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet. In the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers.”
What makes Trickbot so dangerous, says Microsoft, is its modular capabilities that constantly evolve, infecting victims through a “malware-as-a-service” model. “Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end-user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations.”
Trickbot’s operators can also quickly tailor its spam and spear-phishing campaigns. Recent messaging topics have included Black Lives Matter and COVID-19. Microsoft believes Trickbot has been the most prolific malware operation using COVID-19 themed lures.
Trickbot is also known to deliver the Ryuk crypto-ransomware.
The post Trickbot botnet disrupted by Microsoft and alliance of tech companies first appeared on IT World Canada.
One of the things that our Detection and Response Team (DART) and Customer Service and Support (CSS) security teams see frequently during investigation of customer incidents are attacks on virtual machines from the internet.
This is one area in the cloud security shared responsibility model where customer tenants are responsible for security. Security is a shared responsibility between Microsoft and the customer and as soon as you put just one virtual machine on Azure or any cloud you need to ensure you apply the right security controls.
The diagram below illustrates the layers of security responsibilities:
Fortunately, with Azure, we have a set of best practices that are designed to help protect your workloads including virtual machines to keep them safe from constantly evolving threats. This blog will share the most important security best practices to help protect your virtual machines.
The areas of the shared responsibility model we will touch on in this blog are as follows:
- Identity and directory infrastructure
- Network Controls
- Operating System
We will refer to the Azure Security Top 10 best practices as applicable for each:
1. Use Azure Secure Score in Azure Security Center as your guide
Secure Score within Azure Security Center is a numeric view of your security posture. If it is at 100 percent, you are following best practices. Otherwise, work on the highest priority items to improve the current security posture. Many of the recommendations below are included in Azure Secure Score.
2. Isolate management ports on virtual machines from the Internet and open them only when required
The Remote Desktop Protocol (RDP) is a remote access solution that is very popular with Windows administrators. Because of its popularity, it’s a very attractive target for threat actors. Do not be fooled into thinking that changing the default port for RDP serves any real purpose. Attackers are always scanning the entire range of ports, and it is trivial to figure out that you changed from 3389 to 4389, for example.
If you are already allowing RDP access to your Azure VMs from the internet, you should check the configuration of your Network Security Groups. Find any rule that is publishing RDP and look to see if the Source IP Address is a wildcard (*). If that is the case, you should be concerned, and it’s quite possible that the VM could be under brute force attack right now.
It is relatively easy to determine if your VMs are under a brute force attack, and there are at least two methods we will discuss below:
- Azure Defender (formerly Azure Security Center Standard) will alert you if your VM is under a brute force attack.
- If you are not using the Security Center Standard tier, open the Windows Event Viewer and find the Windows Security event log. Filter for Event ID 4625 (an account failed to log on). If you see many such events occurring in quick succession (seconds or minutes apart), you are under brute force attack.
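The second method, reading the Security log for bursts of Event ID 4625, is easy to automate once the events are exported. The script below is an added example, not code from the Microsoft post: it runs over a constructed set of log records (a real export would come from Event Viewer or `Get-WinEvent`) and flags any source address that produced five or more failed logons inside a five-minute sliding window, which is the "seconds or minutes apart" pattern the post describes. The field layout, the threshold and the window are assumptions.

```python
"""Detect brute-force logon patterns from Windows Security log events.

Added example, not from the Microsoft post. Reads Event ID 4625 (an account
failed to log on) records and flags bursts that arrive seconds or minutes
apart. The record layout, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log events (a real export would come from
# Event Viewer or Get-WinEvent). Fields: timestamp, EventID, TargetUserName,
# IpAddress (source of the attempt). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    ("2020-10-12T03:14:01", 4625, "administrator", "203.0.113.7"),
    ("2020-10-12T03:14:03", 4625, "admin", "203.0.113.7"),
    ("2020-10-12T03:14:04", 4625, "administrator", "203.0.113.7"),
    ("2020-10-12T03:14:06", 4625, "sqladmin", "203.0.113.7"),
    ("2020-10-12T03:14:08", 4625, "backup", "203.0.113.7"),
    ("2020-10-12T03:14:09", 4625, "administrator", "203.0.113.7"),
    ("2020-10-12T03:14:11", 4624, "svc-deploy", "10.0.0.5"),   # a successful logon, ignored
    ("2020-10-12T08:02:30", 4625, "jsmith", "10.0.0.9"),        # a single typo, not a burst
    ("2020-10-12T09:45:00", 4625, "jsmith", "10.0.0.9"),
]


def find_bruteforce_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: (failure_count, usernames_tried)} for every source
    that produced >= threshold 4625 events inside any sliding `window`."""
    by_source = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id != 4625:          # only failed logons matter here
            continue
        by_source[ip].append((datetime.fromisoformat(ts), user))

    hits = {}
    for ip, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the left edge until the window spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ip, (0, set()))[0]:
                hits[ip] = (count, {u for _, u in attempts[start:end + 1]})
    return hits


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce_bursts(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} failed logons within 5 min, usernames tried: {sorted(users)}")
```

Counting distinct usernames per source is a useful secondary signal: one user failing repeatedly may be a forgotten password, while one source cycling through `administrator`, `admin` and service-account names is a password-spraying pattern.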
Other commonly attacked ports include SSH (22), FTP (21), Telnet (23), HTTP (80), HTTPS (443), SQL (1433) and LDAP (389). This is just a partial list of commonly published ports. You should always be cautious about allowing inbound network traffic from unlimited source IP address ranges unless it is necessary for the business needs of that machine.
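The Network Security Group check described above (find rules publishing RDP with a wildcard source) generalizes to the whole list of commonly attacked ports. The following is an added example, not code from the Microsoft post: it consumes the JSON shape produced by `az network nsg rule list -o json`, with a constructed sample embedded so it runs offline, and reports every inbound Allow rule whose source is a wildcard and whose destination port range covers one of the ports listed. The rule names, addresses and the exact port set are assumptions.

```python
"""Audit Azure NSG rules for management ports exposed to any source.

Added example, not code from the Microsoft post. Input follows the JSON
emitted by `az network nsg rule list -o json`; the sample rules, names and
addresses below are constructed.
"""
import json

# Ports named in the post; extending the set per workload is an assumption.
SENSITIVE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS",
                   389: "LDAP", 1433: "SQL", 3389: "RDP"}

# Source prefixes that mean "anyone on the internet".
WILDCARD_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed sample resembling `az network nsg rule list` output.
SAMPLE_NSG_RULES = json.dumps([
    {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow", "priority": 100,
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-rdp-office", "direction": "Inbound", "access": "Allow", "priority": 110,
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "3389"},
    {"name": "allow-web", "direction": "Inbound", "access": "Allow", "priority": 120,
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-mgmt-range", "direction": "Inbound", "access": "Allow", "priority": 130,
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "1000-2000"},
    {"name": "deny-all-inbound", "direction": "Inbound", "access": "Deny", "priority": 4096,
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow-out", "direction": "Outbound", "access": "Allow", "priority": 100,
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
])


def _port_ranges(rule):
    """Normalise destinationPortRange / destinationPortRanges into (lo, hi) tuples."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _sources(rule):
    """A rule carries either a single prefix or a list of prefixes."""
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def find_exposed_management_ports(rules_json, sensitive=SENSITIVE_PORTS):
    """Return [(rule_name, port, service)] for inbound Allow rules that expose a
    sensitive port to a wildcard source. A port inside a broad range still counts."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not any(src in WILDCARD_SOURCES for src in _sources(rule)):
            continue
        for lo, hi in _port_ranges(rule):
            for port, service in sorted(sensitive.items()):
                if lo <= port <= hi:
                    findings.append((rule["name"], port, service))
    return findings


if __name__ == "__main__":
    for name, port, service in find_exposed_management_ports(SAMPLE_NSG_RULES):
        print(f"rule {name!r} exposes {service} ({port}) to the internet")
```

Note that a rule such as `allow-mgmt-range` is flagged because its `1000-2000` range happens to contain 1433, the kind of exposure that a search for the literal string "3389" in the portal would miss. Public web servers will legitimately trip the 80/443 checks; the point is to review each finding against the business need, as the post says, not to treat every hit as a defect.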
A couple of methods for managing inbound access to Azure VMs:
- Use just-in-time (JIT) VM access. Just-in-time access lets you reduce your attack surface while still allowing legitimate users to reach virtual machines when necessary.
- Use network security groups. Network security groups contain rules that allow or deny inbound traffic to, and outbound traffic from, several types of Azure resources, including VMs. There is a limit on the number of rules, and they can become difficult to manage if many users from various network locations need to access your VMs.
3. Use complexity for passwords and user account names
If you are required to allow inbound traffic to your VMs for business reasons, this next area is of critical importance. Do you have complete confidence that any user account that would be allowed to access this machine is using a complex username/password combination? What if this VM is also domain joined? It’s one thing to worry about local accounts, but now you must worry about any account in the domain that would have the right to log on to that Virtual Machine.
4. Keep the operating system patched
Vulnerabilities of the operating system are particularly worrisome when they are also combined with a port and service that is more likely to be published. A good example is the recent vulnerabilities affecting the Remote Desktop Protocol called “BlueKeep.” A consistent patch management strategy will go a long way towards improving your overall security posture.
5. Keep third-party applications current and patched
Applications are another often overlooked area, especially third-party applications installed on your Azure VMs. Whenever possible use the most current version available and patch for any known vulnerabilities. An example is an IIS server running a third-party Content Management System (CMS) application with known vulnerabilities. A quick search of the Internet for CMS vulnerabilities will reveal many that are exploitable.
6. Actively monitor for threats
Utilize the Azure Security Center Standard tier to ensure you are actively monitoring for threats. Security Center uses machine learning to analyze signals across Microsoft systems and services to alert you to threats to your environment. One such example is remote desktop protocol (RDP) brute-force attacks.
In addition to turning on security, it’s always a good idea to have a backup. Mistakes happen, and unless you tell Azure to back up your virtual machine there isn’t an automatic backup. Fortunately, it’s just a few clicks to turn on.
Equipped with the knowledge contained in this article, we believe you will be less likely to experience a compromised VM in Azure. Security is most effective when you use a layered (defense in depth) approach and do not rely on one method to completely protect your environment. Azure has many different solutions available that can help you apply this layered approach.
If you found this information helpful, please drop us a note at firstname.lastname@example.org.
To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post Best practices for defending Azure Virtual Machines appeared first on Microsoft Security.
Fighting the security battle so our customers don’t have to
IoT devices are becoming more prevalent in almost every aspect of our lives—we will rely on them in our homes, our businesses, as well as our infrastructure. In February, Microsoft announced the general availability of Azure Sphere, an integrated security solution for IoT devices and equipment. General availability means that we are ready to provide OEMs and organizations with quick and cost-effective device security at scale. However, securing those devices does not stop once we put them into the hands of our customers. It is only the start of a continual battle between the attackers and the defenders.
Building a solution that customers can trust requires investments before and after deployment by complementing up-front technical measures with ongoing practices to find and mitigate risks. In April, we highlighted Azure Sphere’s approach to risk management and why securing IoT is not a one-and-done. Products improve over time, but so do hackers, as well as their skills and tools. New security threats continue to evolve, and hackers invent new ways to attack devices. So, what does it take to stay ahead?
As a Microsoft security product team, we believe in finding and fixing vulnerabilities before the bad guys do. While Azure Sphere continuously invests in code improvements, fuzzing, and other processes of quality control, it often requires the creative mindset of an attacker to expose a potential weakness that otherwise might be missed. Better than trying to think like a hacker is working with them. This is why we operate an ongoing program of red team exercises with security researchers and the hacker community: to benefit from their unique expertise and skill set. That includes being able to test our security promise not just against yesterday’s and today’s, but against even tomorrow’s attacks on IoT devices before they become known more broadly. Our recent Azure Sphere Security Research Challenge, which concluded on August 31, is a reflection of this commitment.
Partnering with MSRC to design a unique challenge
Our goal with the three-month Azure Sphere Security Research Challenge was twofold: to drive new high-impact security research, and to validate Azure Sphere’s security promise against the best challengers in their field. To do so, we partnered with the Microsoft Security Response Center (MSRC) and invited some of the world’s best researchers and security vendors to try to break our device by using the same kinds of attacks as any malicious actor might. To make sure participants had everything they needed to be successful, we provided each researcher with a dev kit, a direct line to our OS Security Engineering Team, access to weekly office hours, and email support in addition to our publicly available operating system kernel source code.
Our goal was to focus the research on the highest impact on customer security, which is why we provided six research scenarios with additional rewards of up to 20 percent on top of the Azure Bounty (up to $40,000), as well as $100,000 for two high-priority scenarios proving the ability to execute code in Microsoft Pluton or in Secure World. We received more than 3,500 applications, which is a testament to the strong interest of the research community in securing IoT. More information on the design of the challenge and our collaboration with MSRC can be found here on their blog post.
Researchers identify high impact vulnerabilities before hackers
The quality of submissions from participants in the challenge far exceeded our expectations. Several participants helped us find multiple potentially high impact vulnerabilities in Azure Sphere. The quality is a testament to the expertise, determination, and the diligence of the participants. Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product. Sixteen were bounty-eligible; adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system—something often referred to in the field as “by design.” The high ratio of valid submissions to total submissions speaks to the extremely high quality of the research demonstrated by the participants.
Jewell Seay, Azure Sphere Operating System Platform Security Lead, has shared detailed information of many of the cases in three recent blog posts describing the security improvements delivered in our 20.07, 20.08, and 20.09 releases. Cisco Talos and McAfee Advanced Threat Research (ATR), in particular, found several important vulnerabilities, and one particular attack chain is highlighted in Jewell’s 20.07 blog.
While the described attack required physical access to a device and could not be executed remotely, it exposed potential weaknesses spanning both cloud and device components of our product. The attack included a potential zero-day exploit in the Linux kernel to escape root privileges. The vulnerability was reported to the Linux kernel security team, leading to a fix that was shared with the larger open source community. If you would like to learn more and get an inside view of the challenge from two of our research partners, we highly recommend McAfee ATR’s blog post and whitepaper, or Cisco Talos’ blog post.
What it takes to provide renewable and improving security
With Azure Sphere, we provide our customers with a robust defense based on the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state—even if it has been compromised. While this is essential, it is not sufficient on its own. An organization must be equipped with the resources, people, and processes that allow for a quick resolution before vulnerabilities impact customers. Azure Sphere customers know that they have the strong commitment of our Azure Sphere Engineering team—that our team is searching for and addressing potential vulnerabilities, even from the most recently invented attack techniques.
We take this commitment to heart, as evidenced by all the fixes that went into our 20.07, 20.08, and 20.09 releases. Within 30 days of McAfee reporting the attack chain to us, we shipped a fix to all of our customers, without the need for them to take any action, because of how Azure Sphere manages updates. Although we received a high number of submissions throughout multiple release cycles, we prioritized analyzing every single report as soon as we received it. The success of our challenge should not just be measured by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product. When it came to fixing the found vulnerabilities, there was no distinction made between the ones that were proven to be exploitable and the ones that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.
Our engagement with the security research community
On behalf of the entire team and our customers, we would like to thank all participants for their help in making Azure Sphere more secure! We were genuinely impressed by the quality and number of high impact vulnerabilities that they found. In addition, we would also like to thank the MSRC team for partnering with us on this challenge.
Our goal is to continue to engage with this community on behalf of our customers going forward, and we will continue to review every potential vulnerability report for Azure Sphere for eligibility under the Azure Bounty Program awards.
Our team learned a lot throughout this challenge, and we will explore and announce additional opportunities to collaborate with the security research community in the future. Protecting our platform and the devices our customers build and deploy on it is a key priority for us. Working with the best security researchers in the field, we will continue to invest in finding potential vulnerabilities before the bad guys do—so you don’t have to!
If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:
- Visit the Azure Sphere website to learn more.
- Get started.
- Secure your IoT deployment during the security talent shortage.
- Cybersecurity best practices to implement highly secured devices.
The post Why we invite security researchers to hack Azure Sphere appeared first on Microsoft Security.