Sunday, July 11, 2021

Ransomware: To pay or not to pay?

If your company is the victim of a ransomware attack, should you pay your attacker? This one caused a bit of controversy when I wrote this for work, so I'm posting it here under the umbrella of "my personal opinion - on your own head be your final choice in this matter - don't sue me."

This isn’t an easy question to answer. It’s one thing to say “No, never pay a ransom”, but it’s another thing entirely to stare at the flashing lights of a data encryption hijack, with no immediate way of recovering essential data and your payment records and invoicing system crippled by malware. People do pay the ransom to release their files, but should they?

In July 2020 the US business travel management company CWT Global handed over an impressive US$4.5 million in bitcoin during a ransomware attack – one of the largest ransomware payments publicly reported at the time. Not really the sort of claim to fame that a company wants.

Reasons not to pay.

In October 2020 the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory warning that paying a ransom (or helping a victim pay one) to an individual, group or jurisdiction on the US sanctions list can violate sanctions law, and that civil penalties can be imposed even where the payer did not know who was on the other end of the transaction. That stops short of an outright ban, and paying a ransom is still technically legal in most of the world, but law-enforcement agencies elsewhere are encouraging victims not to pay. So far we’ve not seen any evidence of enforcement of the advisory, but watch this space. It’s going to be tricky to explain to a regulator why you had to spend US$220,000 on bitcoin and where it went.

Paying a ransom encourages criminals into further criminal activity. Crime only pays if the victims pay. The more companies and individuals who pay, the more it encourages new black-hat hackers to enter the ransomware arena and launch attacks against other companies – or even a repeat attack against your company. If victims stand together and don’t pay, bad actors have no recourse other than to pack up their laptops and shuffle back to their dark web newsgroups. Is it better PR to stand firm and refuse to be bullied, standing with your fellow victims and promoting ransomware prevention best practices, than to look weak by paying for a company mistake? Very probably, and you don’t want to be seen as a target for other malware in the future.

It’s estimated that last year, over half of ransomware victims paid the ransom to restore access to their data. If your data is encrypted and you have no clean backup to restore from, the only way back is the attackers’ decryption key. It’s further estimated that around 20% of those who paid never heard anything else from their ransomers and their data stayed locked without them receiving any unlock key – essentially paying for nothing. While the percentage of organizations that recovered their data has increased, from 49% to 72% over the last 3 years [Cybersdefence Report, 2021], black-hat hackers and the systems they use aren’t to be trusted, and even a genuine decryptor is often slow, buggy, and unable to recover every file. There is no guarantee of getting your data back. Ransomware crews also increasingly steal sensitive data before encrypting it and threaten to leak it for a second payment, and paying gives you no assurance that the stolen copy has been deleted.

Prevention is better than cure.

The average ransomware payment increased by 43% this year, to approximately US$220,000, and a company is hit by a ransomware attack every 11 seconds. There are a few cost-effective areas of preventative action that can be taken.

54% of all ransomware breaches begin with a phishing email. Filter all inbound mail, but also educate yourself and train your team on the different tactics behind a phishing attack. There are many ways hackers might attempt to fool your staff into granting them access to your network. Try running an internal simulated phishing attack across your company to get stakeholders familiar with your reporting processes and the sort of attacks they might see. Check my article, here, on how to do so. Discourage staff from visiting unapproved websites, and block sites known to distribute malware at the web proxy or DNS layer, so the decision isn’t left to the individual.

Do you have a tried and tested disaster recovery plan? You should. Ransomware attacks should only be a part of this. What would you do if the phones went down? If you had a flood in the building? Or if your website was hacked? Your team needs to know the plan, who needs to do what, and what they need to do. Make sure stakeholders have a printed copy of this – there’s no point in having an encrypted disaster recovery plan in the event of a ransomware demand.

What do you do on Tuesdays? You patch. A regular and thorough software/OS patch-management routine is the preventative maintenance that keeps machines up to date, stable, and closed to the known vulnerabilities ransomware crews exploit to get in. Prioritise anything that faces the internet – VPN concentrators, remote desktop gateways, mail servers, web applications – because those are the doors they try first. ABP: Always Be Patching.

It's good practice for IT departments to back up company data regularly and securely, with at least one copy off-site and offline. Ransomware crews routinely go after backups before they trigger encryption: they delete shadow copies, encrypt network-attached backup shares, and use stolen admin credentials to wipe backup servers and cloud storage, so a backup that the compromised network can reach and write to is not a recovery plan. A copy that is genuinely disconnected (offline media, or storage that is immutable for a retention period) cannot be encrypted from inside the network. None of this helps if the restore has never been rehearsed, so restore from backup on a schedule and verify that what comes back is what went in. The tooling for hunting down and destroying backups is bought and sold on underground forums, and the black-hat hacker community is not to be underestimated.
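A backup you cannot verify is a backup you cannot trust. The script below is an added example, not code from the original post: it assumes the backup job wrote a manifest of SHA-256 hashes (relative path to digest) while the data was known-good, and it then checks the backup copy against that manifest, flagging missing, modified and unexpected files. For files whose hash no longer matches it also measures Shannon entropy, since ransomware output is near-random. The sample "invoices" tree, the tampering and the ransom note are all constructed here to show what the report looks like after ransomware has reached the backup share.

```python
"""Check an off-site backup against a known-good manifest, and flag files that
look like ransomware output.

Added example, not code from the original post. It assumes the backup job
recorded a manifest (relative path -> SHA-256) while the data was known-good,
and that the backup copy is readable on this machine. Constructed sample
data: a tiny "invoices" tree written to a temp directory.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter


def sha256_file(path):
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def walk_files(root):
    """Yield (relative path with '/' separators, absolute path) under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root):
    """Record hashes while the data is known-good; keep this copy elsewhere."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare the backup copy to the manifest.

    A hash mismatch is the authoritative signal that a file changed. Entropy
    is only a hint (zip and jpeg files are near-random too), so it is reported
    only for files that already failed the hash check.
    """
    report = {"missing": [], "modified": [], "high_entropy": [], "unexpected": []}
    seen = set()
    for rel, full in walk_files(root):
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)   # e.g. a ransom note or .locked copy
            continue
        if sha256_file(full) != manifest[rel]:
            report["modified"].append(rel)
            with open(full, "rb") as f:
                if shannon_entropy(f.read(1 << 20)) > entropy_threshold:
                    report["high_entropy"].append(rel)
    report["missing"] = [rel for rel in manifest if rel not in seen]
    return {k: sorted(v) for k, v in report.items()}


def simulate_ransomware_hit():
    """Build a clean backup, take its manifest, then tamper with it the way
    ransomware that has reached the backup share would. Returns the report."""
    root = tempfile.mkdtemp(prefix="backup-")
    try:
        os.makedirs(os.path.join(root, "invoices"))
        with open(os.path.join(root, "invoices", "2021-q1.csv"), "w") as f:
            f.write("invoice,customer,amount\n1001,ACME,2500.00\n" * 200)
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("Tuesday: patch everything.\n" * 50)
        manifest = build_manifest(root)

        # Tampering: one file encrypted in place, one renamed with a .locked
        # suffix, and a ransom note dropped alongside.
        with open(os.path.join(root, "invoices", "2021-q1.csv"), "wb") as f:
            f.write(os.urandom(8192))
        os.rename(os.path.join(root, "notes.txt"),
                  os.path.join(root, "notes.txt.locked"))
        with open(os.path.join(root, "README_RESTORE.txt"), "w") as f:
            f.write("Send 20,000 credits to unlock your files.\n")

        return verify_backup(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in simulate_ransomware_hit().items():
        print(f"{kind:13s} {paths}")
```

Run this against the real backup target on a schedule and alert on any non-empty list; a manifest stored only next to the backup it describes can be rewritten by the same attacker, so keep it (or a signature over it) somewhere the backup job cannot write.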

Endpoint protection (anti-virus or EDR) on workstations and servers, a web application firewall (WAF) in front of your public-facing applications, Intrusion Prevention / Intrusion Detection Systems (IPS/IDS), and egress filtering at the network edge all help stop ransomware from communicating with its Command & Control servers. Cyber attackers “will penetrate the organization’s network and stay for months, sometimes years” prior to encryption, and that dwell time is when they are vulnerable to detection: an implant has to call home, and regular outbound connections from one machine to an unfamiliar host are exactly what your logs should be flagging. Runtime application self-protection (RASP) adds a layer against known and zero-day attacks on your applications that patching may miss. Multi-factor authentication on VPN, remote desktop and administrator accounts closes off the stolen-credential route in, which is a common way for ransomware intrusions to start.
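The "call home" traffic is detectable because it is regular. The script below is an added example, not code from the original post: it reads outbound connection logs in a constructed format (ISO timestamp, source IP, destination host, bytes sent; the hosts are made up) and flags any source/destination pair with many connections at a near-constant interval, the standard beaconing heuristic.

```python
"""Spot command-and-control beaconing in outbound connection logs.

Added example, not code from the original post. The log format below is a
constructed one (ISO timestamp, source IP, destination host, bytes sent),
and the hosts are made up. The rule is the standard beaconing heuristic:
one source talking to one destination many times at a near-constant interval.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ordinary browsing from 10.0.4.21, plus 10.0.4.37 calling
# the same host roughly once a minute with a few seconds of jitter.
SAMPLE_LOG = """\
2021-07-05T09:00:00 10.0.4.21 intranet.example.local 1820
2021-07-05T09:00:02 10.0.4.37 update-check.example.net 412
2021-07-05T09:00:41 10.0.4.21 news.example.com 90412
2021-07-05T09:01:01 10.0.4.37 update-check.example.net 408
2021-07-05T09:02:03 10.0.4.37 update-check.example.net 415
2021-07-05T09:03:00 10.0.4.37 update-check.example.net 410
2021-07-05T09:04:02 10.0.4.37 update-check.example.net 409
2021-07-05T09:05:01 10.0.4.37 update-check.example.net 411
2021-07-05T09:06:03 10.0.4.37 update-check.example.net 414
2021-07-05T09:07:00 10.0.4.37 update-check.example.net 407
2021-07-05T09:07:15 10.0.4.21 intranet.example.local 2201
2021-07-05T09:08:02 10.0.4.21 intranet.example.local 1975
2021-07-05T09:08:02 10.0.4.37 update-check.example.net 413
2021-07-05T09:09:01 10.0.4.37 update-check.example.net 410
2021-07-05T09:12:30 10.0.4.21 mail.example.com 51230
2021-07-05T09:25:40 10.0.4.21 intranet.example.local 1840
2021-07-05T09:26:10 10.0.4.21 intranet.example.local 1790
2021-07-05T09:40:05 10.0.4.21 intranet.example.local 2010
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, bytes) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def detect_beacons(events, min_count=6, max_cv=0.2):
    """Flag (src, dst) pairs with at least min_count connections whose
    inter-arrival times have a coefficient of variation below max_cv.

    A human clicking around produces irregular gaps; an implant on a timer
    does not, even with a little jitter added.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "mean_interval": avg, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.2f})")
```

Legitimate software beacons too (update agents, monitoring, NTP), so baseline what normally talks on a schedule and allow-list it, and treat a hit as a triage lead rather than an alert on its own. Real C2 frameworks add deliberate jitter and long sleeps, which is why the thresholds are parameters and why this should run over days of logs, not minutes.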

Save time, stress, and tens of thousands of dollars

An attack at some point is statistically inevitable, with an all-time high of 69% of organizations having been victimized by ransomware in 2021, so spend a fraction of what you could lose on preventative measures and not on paying criminals. A small investment of time, effort, and funds right now is better than chaos later.

Tuesday, May 04, 2021

Hacking the Death Star: Imperial Cybersecurity 101.

Jokes about brute ‘Force‘ attacks aside, if we were rebel scum how would we hack the galaxy’s most secure data centre?


Today is May 4th, the traditional day for celebrating one of the greatest franchises in movie history. As such, and having a geek streak a parsec wide, we thought (at work) that it’d be fun to set ourselves a challenge. I'm an avid and weekly Star Wars RP player (Savage Worlds system - Pew Pew), so how could we plan and execute an attack against The Death Star, the galaxy’s premier evil planetoid and residential superlaser? Not wanting to get in hassle for publishing this on a company website - a cease-and-desist from Disney is never a good way to start the month - I'm publishing it here.

To begin with, we’ve got to exercise our geek muscles and actually look at the Star Wars universe for clues. Hacking is known as ‘slicing’ in the Star Wars universe. Yes, I'm going to do this properly and take this way too seriously.

If there’s one thing that the films Rogue One, A New Hope, and RotJ taught us, it’s that Imperial files are woefully unencrypted. No 2FA, no encryption worth the name, just sitting there on a data stick waiting to get left on a seat in a cantina or on the number 13 transport. The files themselves aren’t going to be a problem. There’s no wi-fi in the Star Wars universe – a concept unimaginable to Mr. Lucas in 1977. Secure messages are run around the Death Star corridors by toaster-looking robots (MSE-series ‘mouse’ droids) and held on ‘code cylinders’ peeking from the top pockets of classically-trained English actors.

Datacards store and transfer data to and from datapads in the same way floppy disks and USB flash drives are/were used with computers – R2-D2 carried a Datacard with the first Death Star plans on it, given to him by Leia Solo (née Organa, actually née Leia Amidala Skywalker) aboard the Tantive IV above Tatooine.

DataCores are repositories of bulk information, but there appears to be little connection to them from the outside world – and as such they may be air-gapped and therefore the most ‘secure’ element of the Imperial data security policy (though criminally inaccessible to off-site teams). The only cloud in which the Empire works is probably Bespin.

Data can be transmitted, however, to a ship in orbit or to another secure location – though this seems to require aligning transmission dishes, further family appropriate drama, and considerable personal sacrifice that’s best avoided.

There is also the HoloNet, as mentioned in Clone Wars and featured in SW Rebels, which appears to be an Imperial controlled broadcast network that also lets citizens look up information akin to Wikipedia and with websites, etc.

Apart from ‘radio’ communications and transmissions, it appears that everything requires physically plugging into a wall socket. It’s all quite primitive, actually, and does seem to leave the Empire prone to any Datacard or grubby R2-unit with a virus on it.

Now that we’ve set the scene we can lay out a plan, hopefully without the untimely demise of too many Bothans, using the knowledge of cybersecurity (edge, application and data) that I've crammed into my brain as ongoing writer and content creator for one of the world's largest cybersecurity providers.


Approaches:

Most Imperial staff aren’t the sharpest tools in the woodshed. Stormtroopers, the foot soldiers of the Galactic Empire, even less so. Transmitting a ‘secure’ message containing malicious code, waiting for an unsuspecting Imperial trooper to click on the latest specs in an advert for the BT-16 perimeter droid - they say it's quite a thing to see - seems a solid approach to introduce malicious code into the network: “Send us 20,000 Galactic Credits to unlock your files and data!” If only The Empire had anti-phishing training as part of their HR policy.

Imperial officers seem to have a substantially higher IQ, though the path to career progression seems somewhat unforgiving. We can, however, assume that the most intelligent, shrewd, and (possibly) security-conscious make it to Moff without being shot by the plucky proletariat or choked to death by their line manager.

These officers are better trained and unlikely to click on phishing emails. It’s possible any attack could come from within, however. Disgruntled or previous employees, perhaps now seeing the error of their ways, with legacy security codes (”It’s an older code, but it checks out”) and with default access to parts of the DataCore that may contain information inappropriate for their access level. It would be simple for such individuals to leave with classified documents (Mon Mothma herself was a former Galactic Republic Senator) or sabotage important data (like Galen Erso in Rogue One). If only The Empire had data risk analytics.

In any large organization, it’s likely that developers will use 3rd-party code, especially when on a tight deadline like the building of the second Death Star. Sometimes this leaves security teams out of the loop and creates a blind spot, making it hard for Imperial Security Officers to monitor all dependencies, let alone what those dependencies pull in themselves. It’s likely that Imperial dev teams will utilize reusable software components, developed to be either freely distributed or sold by an entity other than the original (Geonosian) vendor, to design the likes of landing bay forcefield controls or even planetoid propulsion systems. This means there may be code making calls outside of the secure network – which is a nightmare for regulatory compliance and for possible interference from malicious Rebellion clients. If only The Empire had runtime self-protection.

Malicious code can do anything any other program can do, like writing a warning message on a screen, stopping a trash compactor program from running, setting off a klaxon, or making millions of voices suddenly cry out in terror as their planet is evaporated… Without integrity checks on code and data, it may be possible to piggyback malicious code on, for example, supply chain code or the outdated security cyphers of a Lambda Shuttle requiring permission to enter the atmosphere of the forest moon of Endor. It may be introduced by an inquisitive Astromech droid, recently arrived from some back-water hive of scum and villainy, careless about where they put their malicious dongle. Malicious code could go undetected on infected Imperial systems, quietly monitoring applications and any outbound connections. Once critical information is stolen, such as personnel information, plans, or passwords, the information could then be transmitted to any attacking ground force (for example).

We can safely assume that the Death Star has a HoloNet presence, for propaganda (and possible recruitment) purposes at least - perhaps with a contractor login area. If it doesn’t it’s a tragically missed opportunity by the Galactic Empire Public Relations department (yes, that’s actually a thing). If it does then it’s going to be a prime target for attack by Rebellion slicers, who could easily mount a distributed denial of service attack - utilizing the thousands of droids, vehicles, and apps out there in the Star Wars universe to bombard the Death Star HoloNet pages with more requests than they can serve. This would overload the HoloNet site, crashing it or making it run so slowly that it becomes unusable and ruins the experience for normal citizens. A bit of DDoS protection wouldn't go amiss here.

One can assume the Empire has a backup plan in place against any malicious attack – unlike the Jedi who managed to lose an entire planet and appear to have no alternative storage or rollback capability. Regardless, any of the above assaults would make for unwanted disruption and embarrassment, legal issues, downtime, and a very angry Sith Lord that could be easily avoided with the right precautions. We had a lot of fun writing this.

Here’s wishing you and yours a very happy May 4th. May the odds be in your favour and may the Force be with you. Always.


Big thanks to Imperva for letting me write this in work time.

Monday, March 01, 2021

The Current State of Play

This blog has become like a bidet - seldom used, and when it is used it's not for the purpose it was intended for. Life in Ireland, despite Covid, has become busy. For the past four months I've been power-learning a new subject: Cybersecurity.

If you follow me on Twitter you'll know that I'm somewhat password paranoid, having spent an evening at the start of Lockdown 1 investigating the fringes of the Dark Web and having found my own email address and password for sale c/o a hack on my domain name provider. Sobering.

I now work for a cybersecurity software firm full time as Content Marketing Manager. This isn't a product-specific role (application security, cloud, bot, edge, whatever) like the bulk of our marketing team, but rather about creating graphical, written, video and audio content for our sales teams, customers, prospects and campaigns. This includes brand and content strategy, including social, obviously. It's interesting, uses my full skillset, and right up my street.

It's a steep product learning curve, but it's a ground-breaking company with an excellent product offering. Our new UK offices are based in Belfast, but I'm working from home in Omagh right now and the 'new normal' means location isn't a factor any more. My colleagues are awesome and it's solid and stable stuff, which counts for a lot these days. I'm feelin' like I'll be happy here indefinitely.

Northern Ireland is being very kind to me and I've no plans to return to England. I'm house hunting around Gortin, Omagh and Newtownstewart, in Co. Tyrone, for something I can turn into an AirBnB or B&B in my dotage. Fingers crossed, pending surveys and mortgage shenanigans, I hope to be in somewhere by late-spring. 

My sweary Who fan podcast has had a revival, which has been fun. VTT games have replaced table-top, such is the way of things, but I'm still playing and reffing a couple of nights a week. It's a social luxury I know many people don't have and I'm always grateful for the company of good friends - back to back against the darkness. Not a lot of space here for model-making and painting, but I hope to resolve that when I move. There are other projects in the works.

No promises on any regular blog updates - life is busy. Time to shed a few Covid inches, brush up on my Premiere Pro, and embrace the DIY.