Being Sued for Not Caring – The implications of failing to secure your data

I recently spoke about the FTC’s lawsuit against Chegg, a major education tech firm, in one of the weekly tech tips interviews I provide our local TV news station. In this lawsuit, one of the first of its kind, the FTC is accusing Chegg of willfully neglecting their cybersecurity responsibilities resulting in 4 significant breaches of Chegg related data and systems in the last 3 years. This situation reentered my consciousness this week after the FS-ISAC included an article link in one of their recent weekly bulletins discussing this same situation. This topic deserves a little bit more conversation.

For far too long, organizations have been playing with fire when it comes to the safety and security of their data, both internal and customer related. Far too many businesses play the game of security by obscurity or sleep well at night assuming their organization is too small to be attacked. Others know there are legitimate threats facing their IT infrastructure and still choose to roll the dice with the misplaced comfort that cyber insurance will soften the blow to their bottom line in the event of a breach. Still others suffer through a significant compromise, but then fail to plug the holes in their infrastructure or add the necessary layers of defense to keep their organization’s IT resources safe in the future. The question we have to ask is “Why?”.

Is it all about cost? Is it arrogance? Is it apathy? Is it a lack of knowledge and understanding? It is probably yes to several of these questions for most organizations. We cannot stop shining the spotlight on these situations. We need to encourage good cyber hygiene, and if that fails, we need to add a good dose of guilt and constructive criticism. Because at the end of the day, it very well could be our data breached in the next attack or our money lost due to the failure of another organization. We are all truly in this together!

The following is a link to the WCYB tech tip article:

Cisco Network Compromise – No one is immune to the human factor

Multiple sources have reported the breach of Cisco’s own network, purportedly via a Cisco employee’s personal Google account. According to multiple sources, the employee in question was saving and syncing both personal and Cisco business credentials to the Google Chrome browser for ease of access. Once the employee’s personal Google account was compromised, the bad guys accessed the Chrome password history, harvested the Cisco business credentials, and were off to the races.

This situation further enforces the need for better, more frequent end user awareness education and the monitoring of employees to ensure bad practices are not in play. At the end of the day, we are all human and we will all make mistakes. We can only get better if we train more, talk more, and monitor effectively.

The following article from ThreatPost is a great overview of the situation and provides an interesting recap of how the bad guys overcame the Cisco VPN MFA controls. Enjoy the read and beware of these threats! TRAIN YOUR PEOPLE!!

Rethinking Software in the Organizational Hierarchy

I very much enjoyed this article from Pieter Danhieux via Dark Reading and this creative approach to the management of applications and hierarchical security. The concept of least privilege and the dangers of API controls are often discussed but frequently forgotten when developing and revising an overall security framework for an organization. Enjoy the read!

Follina Vulnerability – Microsoft Office Zero Day Threat

A zero-day vulnerability in Microsoft Office was discovered and reported over the weekend that involves remote code execution simply through the opening of a Word document, even in preview.  Microsoft has issued CVE-2022-30190 in response to this flaw, though this bug is generally being referred to as the Follina vulnerability.   When the malicious Word document is opened even in preview, the file executes malicious PowerShell commands via Microsoft Diagnostic Tool (MSDT).  This code works without elevated privileges and is currently evading Microsoft Defender detection.

The following are several blog posts and updates concerning this vulnerability, its functionality, and workarounds in the absence of a patch:

Microsoft Identifies new Sysrv-K Botnet Variant

Given the recent tanking of bitcoin value in the open market, you might think that the criminal exploitation of private computers for coin mining might start to slow, but I guess the cyber bad guys in the world need to compensate for their value loses and mine new coins.

This article from the great team over at InfoSecurity is a great overview. Enjoy and beware!

Space: The New Warfare Frontier – The conflict in Ukraine and its effect on all things space related

All large, modern military operations are heavily reliant on satellites to provide a variety of logistics and planning information related to battlefield operations. That information includes GPS coordination and navigation, topographic imaging, drone command & control, and many other surveillance functions. Threats to Russia’s satellite infrastructure by those in opposition to the invasion and ongoing conflict in Ukraine have prompted Russian officials to respond and to respond harshly.

The following article from the great team at InfoSecurity details the Russian response / denial to hacking attempts against their satellite infrastructure:

Simply put, military conflicts are not what they used to be. So far during the conflict in Ukraine, we have seen the Russian space authority make a less than vailed threat against the safety of the International Space Station. We have also seen the delay and/or cancellation of satellite launches from Russian space facilities for agencies, governments, and organizations that oppose Russian activity in Ukraine. There are many factors to take into consideration, both short term and long term, when considering orbital resources and the effect this ongoing conflict can and will have on national and international assets in space.

Russia is still a primary partner in the ISS program and still provides the primary transportation and recovery services for the space station. Those services will most likely be on hold for the foreseeable future. The Russian space agency also provides satellite launch services for many nations and private agencies around the world. Those services have become a bargaining chip for international negotiations moving forward.

It will be very interesting to watch these situations develop over the weeks and months to come. We are seeing the Cold War rekindle and acts of fiction from recent TV shows and movies begin to come to life as scenarios play out on the “final frontier”.

The Ever Evolving Nature of Warfare: The Conflict in Ukraine and Cyberattacks

As strange as this may sound, military attacks are no longer simply about soldiers and tanks and planes and bombs. Needless to say, there is nothing simple about war, but thanks to state sponsored hacking and the connected nature of critical infrastructure, cyber warfare has become a new front for every new military conflict. The conflict brewing in Ukraine is no different.

Threat levels have been raised by numerous national and international cybersecurity organizations, and malicious cyber activity is already being monitored related to this current conflict. Please remember that the types of attacks associated with these nation state conflicts are not perfectly crafted and restricted to only military targets. They can overflow into civilian networks that can quickly spread around the world in a matter of hours. NotPetya is a wonderful example of targeted cyber warfare run amuck.

Take the time to prepare your environments and make sure all your controls are in place and up to date. The Internet is staged to see quite a bit of malicious cyber activity in the days and weeks to come.

Does the Vendor Matter? – Smartphone and Mobile Security in a Threat Filled World

Recently I was asked to discuss the cybersecurity risks associated with smartphones and the possibility that those devices could be compromised and information stolen. As part of the conversation, an all too familiar story was told about an older gentleman who had been prompted through a fear-based social engineering phone call to go to the bank and withdraw a significant amount of money to avoid some fictitious financial penalty. What was a little more unique in this situation was the fact that the older gentlemen had also been prompted to download an app on his smartphone that had in turn given the attacker control of that device. Fortunately, an alert bank employee noticed something strange during the transaction as the older gentleman continued to receive directions from the attacker via his phone. The bank employee intervened and, after some effort, was able to power off the gentleman’s phone and get to the bottom of the scam.

Sadly, this is not a terribly unique situation. Creative and malicious vishing (voice phishing) attacks take place everyday, targeting young and old alike. What is a little more concerning is the evolution of malicious applications and the use of these applications to take remote control of a device during a social engineering attack, thus giving the attacker near complete control over the situation and ramping up the fear factor for the victim.

In the situation with the older gentleman at the bank, his problems did not end once the attack was discovered and his phone was powered off. At that point, his smartphone, a low cost, prepaid Android device, was compromised and unsafe to use. The bank employee rightly recommended he factory reset the device or replace it, but neither option was honestly viable for the victim. He lacked the technical skill to properly reset the device and he could not afford to simply throw it away and buy another one. Because it was a big box store purchased prepaid device, he could not walk into a wireless carrier store and ask for help. He was stuck.

In talking through this situation, several questions came to mind. First and foremost, what can we (the IT security and cybersecurity community) do to help? That question prompted others – are certain mobile devices safer than others in terms of their ability to prevent these types of social engineering and malicious device takeover attacks, is this issue age related or more widespread, and what tips and tricks can we provide to help mitigate these types of cyberattacks? I want to take a moment and work through some of these questions and see if I can provide some answers that will help keep people safer when dealing with these types of attacks.

Are certain mobile devices safer than others?

This is a very loaded question and feeds into the ever present and ongoing debate of Google Android versus Apple iOS. Let me begin by stating that I am not here to advocate for one manufacturer over another – both device families has some great security features and both device families have the potential for compromise by a cyber bad guy. I do want to talk about some features and specific design methodologies provided by each manufacturer that can impact a victim, both positively and negatively, in the scenario we are discussing – vishing and remote device takeover. Let’s look at some relevant statistics to better frame this conversation:

  • Apple iOS is the more prevalent mobile phone operating system in the U.S. at 53% to Google Android’s 46%. (Statista 2022)
  • That said, the Android OS accounts for more than 50% of all malicious infections of devices in the U.S. followed by Microsoft Windows at 23% and Apple iOS at less than 1%. (Nokia Threat Intelligence Report 2021)

So, if Apple leads in terms of market share for smartphones, why is Google Android so far ahead in terms of operating system malicious infections? There are several reasons. First, Google Android, as an operating system, runs on many different platforms beyond smartphones. The Android OS can be found on a variety of IoT devices including smart TV’s, tablets, home automation systems, appliances, and many other Internet-enabled platforms. As such, the attack surface for Android OS is simply larger than Apple iOS. Second, the Google Android OS is a much more open and customizable platform in terms of the sources and types of applications that can be loaded to an Android device. Application downloads for the Android OS are not necessarily restricted to the Google Play Store and, as such, cannot be as closely vetted and verified when compared to the relatively closed application ecosystem of Apple’s iOS. Third, Google does not own and control all of the hardware platforms on which Android OS is loaded. Dozens of smartphone manufacturers use Android OS for their devices, and, therefore, those manufacturers can to an extent control the applications that ship on those devices. Once again, this is very different for Apple iOS as Apple manufactures all smartphones and tablets and devices that run their operating systems. Apple has built a closed, proprietary ecosystem for its “iDevices” and controls all applications that can be listed and downloaded from its App Store. This approach has made it significantly more difficult, though not completely impossible, to load malicious software on an Apple device and facilitate remote control. Given all of this information and each manufacturer’s approach to application installation control, it is a fair statement to say that Apple’s smartphones are a safer platform in this specific situation.

Please do not take this specific conclusion and extrapolate that Android devices are less safe overall when compared to Apple devices. Both operating systems have their specific strengths and weaknesses. Google Android OS, for example, provides one of the most flexible and secure identity management platforms available, providing numerous secure ways to validate the identity of the device user and ensure physical compromise is extremely difficult for the bad guys. Android’s flexibility and portability has also created opportunities for lower cost smartphones and tablets that have brought internet access to people and places it otherwise may not have reached. That said, everyone needs to understand the potential security challenges with these devices in certain situations and take proper precautions.

Is the growth of malicious device infection and the prevalence of social engineering attacks age related?

I am sure many people will read the details of the incident at the start of this article and focus on the word “older” that was used to describe the victim and draw the conclusion that this type of scheme is designed to prey on novice internet users. Those people would be both right and wrong. This type of scam is often targeted at older Americans, but not because of a lack of internet experience. Consider these statistics:

  • 10 years ago, less than 46% of Americans over the age of 65 used the Internet. That number is now greater 75%. (Pew Research)
  • Over 61% of Americans over the age of 65 have a smartphone. (Pew Research)

Older Americans are quickly becoming savvy Internet consumers, but this same demographic has a specific set of fear triggers that make them particularly susceptible this is type of social engineering attack including a fear of lost income or the failure to meet a particular commitment. Younger Americans also fall prey to these types schemes on a regular basis. The cyber criminals simply make a few tweaks to the script based on clues gathered during the initial conversation. Younger people tend to fear a loss of services or damage to their reputation via social media or a threat to their children. At the end of the day, it is important to remember that the cyber bad guys have developed strategies to adapt their attacks based on the audience they reach and all of us are targets.

Tips and Tricks to Stay Safe

Here are a few tips that can help you avoid the pitfalls of this type of social engineering attack and keep you and your personal information safe:

  • Do your own research – When you receive a call from someone supposedly representing Microsoft or Amazon or another merchant claiming some type of issue (fraudulent transaction, late shipment, account compromise, etc.), pause, take a moment to think about the situation, and question what you are being told. DO NOT take any action based on the recommendations of the person on the other end of the phone call. Politely tell them you will research the issue and call them back on a publicly published phone number. Go to the merchant or organization’s website. Check your account. Call or chat with their publicly listed support team. At the end of the day, very few if any merchants will call you with these types of issues and they will always provide valid information via legitimate websites.

  • Think before you download – Never download applications for your smartphone or tablet via a link sent to you or from an unknown website. Use the Apple App Store or the Google Play Store for all application downloads. Read and verify the app reviews and the number of historical downloads.

  • Be willing to hang up – As mentioned earlier, do not allow yourself to feel pressured to do something that makes you uncomfortable. It is ok to hang up, look up a valid phone number for the organization in question, and call that number back once you have more information.

  • Multi-factor authentication is your friend – One of the most important things you can do to protect your identity and the applications and services you use on your smartphone and/or via the web is to set up multi-factor authentication (MFA) for all associated accounts. From Amazon to PayPal to your local Bank, nearly all major websites and services support multiple MFA options for authentication. Most can leverage a token or randomly generated code from your smartphone as the second factor of authentication. This will prevent access to your accounts by the cyber bad guys even if they get access to your username and password.

  • Use unique passwords for all websites and services – It is very important to NOT reuse the same password for multiple websites, services, and applications. Most usernames are tied to a person’s email address, so if a cybercriminal gets a password for one site or application, it is not hard to use that same email address and password to access that same user’s other services and websites. In order to make the use of unique passwords for all websites and applications easier to manage, I highly recommend pairing this strategy with a reliable, encrypted and secure password manager. This tool will allow you to store and easily recall all your unique accounts in a safe and secure manner. 1Password, LassPass, and KeePass are good options to consider.

  • Secure your mobile devices with passcodes / passwords – Modern smartphones and tablets have made local device authentication very easy, so there is no good reason not to protect your devices with a passcode or password. This level of protection better secures your device in the event it is lost or stolen or if it is accessed in some way remotely and the screen is locked. This can be as simple as a 6-digit code or as complicated as a long alphanumeric passphrase. Fortunately, most current smartphones and tablets can frontend this code with facial recognition authentication like FaceID or biometric authentication like a fingerprint reader.

In talking through all of the factors and mitigation strategies associated with this particular type of social engineering attack, the most important piece of advice I can share is this – “learn to control your fear”. Bad guys prey on fear. They manufacture fearful situations. If you can remain calm, take a deep breath, ask a few relevant questions, and do a little research, you should be able to safely navigate these types of threats without any harm.

Stay Safe!