Published on October 16th, 2021 | 7821 Views
Cyber Security Today, Week in Review for Friday, Oct. 15, 2021
Welcome to Cyber Security Today. This is the Week in Review edition for Friday October 15th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.

In a few minutes I’ll be joined by guest commentator Dinah Davis, Canadian-based vice-president of research and development at Arctic Wolf. But first a review of some of the news from the past seven days:
Finding ways to collectively fight ransomware was the goal of a meeting of 30 nations this week. Officials from Canada, the U.S., the U.K. and others met for two days online discussing tactics to improve the resilience of their critical infrastructure providers, how to disrupt cyberattacks, ways to impair the use of virtual currency to facilitate ransomware payments and how to use their governments’ collective muscle in international forums. That includes the United Nations, where in January discussions will start on a cybercrime treaty. Dinah and I will discuss what countries might do to fight ransomware.
We’ll also discuss a new U.S. law that tells a government cyber agency to recommend ways public school boards can better protect themselves from cyber-attacks.
And we’ll also talk about a new Microsoft report of a cyber campaign targeting defence companies with an old tactic: automated password guessing.
More on ransomware: At BlackBerry’s annual Security Summit this week an official offered five ways IT departments can improve their ransomware defences. The number one way is to patch your systems as soon as security updates are released.
And researchers at Symantec have discovered a new strain of ransomware. Called Yanluowang, those behind it threaten to launch denial of service attacks and delete the encrypted data on victims if they call police or ransomware negotiation firms.
Speaking of denial of service attacks, Microsoft revealed it fended off a huge attack in August against an unnamed European customer. Seventy thousand infected devices were leveraged in the attack. The lesson is people have to better protect their computers, routers, internet-connected surveillance cameras and the like by using strong passwords and installing security updates.
Convenience store chain 7-Eleven violated the privacy of Australian customers by snapping images of people filling out a digital survey about service in stores, says that country’s information commissioner. One apparent goal was to exclude survey respondents whose answers didn’t appear to be genuine from their facial expressions. But the commissioner said collecting biometric information wasn’t needed for the purposes of this survey. It also wasn’t clear customers consented to being photographed.
Regulators in Ireland have reportedly proposed fining Facebook up to $42 million for violating the European General Data Protection Regulation’s privacy rules. One of the violations is failing to notify its customers about how it uses its data. The proposed fine is being considered by data protection regulators in all EU countries.
And if you have an Apple device running the iOS operating system, make sure it’s running the latest version. Apple has reportedly quietly issued a security update.
(The following is an edited transcript of my talk with Dinah Davis. To hear the full discussion play the podcast)
Howard: Let’s start with that online meeting between 30 countries wanting to take joint action about ransomware. They were still meeting when we recorded this podcast so we can’t tell you what was agreed to, but is it important that nations meet on this to try to take collective action?
(UPDATE: Here’s what happened)
Dinah: The biggest problem with ransomware is they’re attacking from outside [victim] countries. So the really tricky part is prosecution because each country has different laws and different ways of going about things. And extradition laws are really complicated. So a combined effort here is really what is going to be needed to solve any of these problems.
Howard: The fact that Russia and China aren’t in this meeting, does that, uh, have any effect?
Dinah: It could. There’s a lot of hacking that comes from those places. But as many people as you can get to the table is better than not being at the table at all.
Howard: Australia proposed some tough new laws this week. Tell us about that.
Dinah: I thought this was great. I’m really hoping Canadian legislators are going to do similar things soon. First there are some legislative reforms introducing mandatory ransomware incident reporting. So if you are hit by ransomware, you’re going to have to report that to the Australian government. They’re wanting to modernize some of their legislation to ensure that the cybercriminals are going to actually be held to account for their actions. And they’re going to make it easier for police to seize criminal assets, presumably before it leaves the country. They also had some things for the business community, including a plan on raising awareness. I really liked the idea of the free cyber security assessment tool that businesses can run on their sites. And there would be $6.1 million in support services for victims of cybercrime, which I thought was great.
They’ve made some policy and operational response changes, the biggest one being creating a multi-agency task force called Operation Orcas. It will be led by the Australian federal police. So that’s great. Any time we see organizations banding together, even in one country, that means they’re going to be more co-ordinated. Finally, they have a cyber security national workforce program to improve the quality and quantity of the cyber security workers in Australia. That’ll end up working for both the government and for private businesses.
Howard: I like the idea of mandatory reporting of ransomware incidents. In fact, I like the idea of mandatory reporting of any kind of successful cyber attack — although as a reporter, I have somewhat of an interest in this in that I’d like to see public reporting of these incidents. What I’m afraid of is what the [Australian] government wants is private reporting so at least it has accurate statistics on the length and breadth of cybercrime. I’m not averse to naming and shaming people, though I understand the business community’s reluctance to stand up in public and say, “Yes, we’ve been hit,” because there could be a business impact. But on the other hand, naming and shaming is a great weapon [to get businesses to improve cybersecurity].
Dinah: It is as long as you’re also doing other things to try and lift them up before it happens. I think also the reality of our world is that no matter what you do, if somebody wants [to breach your security controls] they’re getting in. I do think there should be public reporting. I don’t know if we should be shaming, but we should be keeping businesses held accountable for their actions and how they respond to an incident.
Howard: I think we’ll probably expect that countries will take a more concerted stand at stopping cryptocurrency payments over the internet flowing internationally because cryptocurrency is one of those that really allows criminals to leverage ransomware. If you can make a victim make an anonymous payment you’re going to see money pretty fast. If nations can find ways to chop that off, that’s going to go a long way to stopping ransomware.
Dinah: Yep. Though it’s difficult because of the distributed nature of cryptocurrency and the fact that it doesn’t stay in one specific location. It’s the beauty of it, which is also the downside.
Howard: What about business responsibility for stopping ransomware? We talk about what governments can do, and they can do a lot of information sharing, threat sharing, they can go after cryptocurrency transactions. What about the business responsibility? And I ask because this week I learned that ransomware groups were claiming to have hit at least seven small to medium-sized Canadian organizations in the past month or so. One was as small as a two-person business association for a city in Western Canada. Another represents actors and others in the entertainment business in the province of Quebec. Others are a hotel and a manufacturing firm. What can we do to get businesses to realize they’ve got to put more investment into fighting cyber crime?
Dinah: I think the awareness programs that we have today are helpful. I think the reporting by journalists that this [ransomware] is actually happening is helpful. But there probably need to be laws and regulations: If this happens to you, here’s what you have to do. Here’s what you have to provide to your victims, that kind of thing. From the business’s perspective, they need to ensure that they’re doing everything that they can, even if it’s not some crazy security monitoring or whatever for a two-person company. Just doing the basics of good computer hygiene and not clicking on links does go a long way. So we have to hold people accountable for the data that they hold and for the information that they have, no matter the size of the company. We also have to be reasonable and helpful in trying to help them do better.
Howard: So many companies don’t seem to realize the value of the data that they hold, especially small and medium companies. They may think, “I’m not like a big retailer Canadian Tire that would have a database filled with customer names and credit card numbers” — great stuff that people want to steal. But many companies forget there’s valuable information just in the employee information that they hold. They’ve got an employee’s name, address and date of birth. That’s terrific information for counterfeiting identity. A lot of companies, I think, forget about that.
Dinah: I think they do. And I think this is where especially if you’re a small business, you want to use tools that have been out there for a while. So instead of rolling your own contacts or employee database maybe you use Office 365, or Google Workspace that have security built-in already. And then you still have to make sure you have strong passwords and MFA [multifactor authentication] and all those things, but the more you’re using tools that have been highly vetted the better it is going to be for you.
Howard: We’ll get to passwords in a second. Let’s turn to the new U.S. law for helping school boards. Unlike in Canada, the federal government in the United States has some jurisdiction over local school boards. This new law tells the U.S. Cybersecurity and Infrastructure Security Agency to help school boards. Can you talk a bit about what this is about?
Dinah: This is about a concerted effort to raise awareness within the schools about cybersecurity and bringing them support from the federal agencies on how to manage and handle that. They don’t have the resources to figure out how to do this themselves. And so having these agencies come in, point out where there’s holes and then help them along is also part of this law. This is great. It’s saying that at the very highest level of the U.S. cyber security is important for children and [protecting] their data.
Howard: I’m not sure how effective Canadian provinces are at making sure that local school boards have the resources to protect their systems from cyber attacks.
Dinah: I’m not hopeful on that one, just based on my own personal experience of sending my child to school. For example, in fourth grade the very first time they got Google Classroom they had four-character passwords for students that were very, very simple. So simple that each of the students could guess the other student’s ones. Immediately I asked to change my daughter’s password, and it was a big deal. I had to go to the teacher and then the teacher had to change it for her … I think they’ve since changed that password policy, but it’s just another example of there’s always this trade-off between usability and security. A fourth-grade teacher is thinking, “I’ve got to make this easy. These kids are going to forget their passwords, and then I’m going to be forever trying to reset their passwords.” Versus, “We need to make sure that they are secure and that they have their own privacy and that no one else is messing with their things.”
Howard: Passwords, passwords, passwords. Microsoft issued a report this week saying 250 firms in the U.S., Israel and other countries that use their Office 365 productivity suite have been targeted with password spraying attacks. What’s a password spraying attack?
Dinah: It’s when attackers use a list of commonly known [stolen] passwords, plus guessed usernames of a company. The interesting thing about this one is they believe that it’s likely Iran that is running the attack. The interesting thing is [in this campaign] attackers are very active between Sunday and Thursday between 7:30 a.m. and 8:30 p.m. Iran time. In Iran, Friday and Saturday is the weekend.
Howard: Technology companies have been trying for some time to get people weaned off of passwords, so that they don’t have to remember passwords. Then they don’t have to use password managers to keep hold of things. And so slowly, gradually, Microsoft, Google and others are adding capabilities so that people can use safer methods than passwords. What are the best ways IT departments can make sure their firms aren’t victimized by password spraying?
Dinah: This is not hard: Make users have unique passwords that are more than 12 characters long, and install two-factor authentication — the biggest thing, two-factor authentication. Pretty much will kill any password spraying attempt because even if they get the password they don’t have the two-factor auth. So unless it’s really co-ordinated and they’re going to do a two-pronged approach and try and figure out a way to break the TFA, then it’s not going to work.
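Password spraying, as described in the interview above, leaves a recognizable shape in authentication logs: one source touching many accounts with only one or two guesses each, which is the opposite of a classic brute-force run against a single account. The following is an added example, not code from the podcast, from Microsoft's report or from Arctic Wolf, that separates the two shapes in a constructed, space-separated log (timestamp, result, username, source IP). The log lines, the field layout, the thresholds and the function names are assumptions made for this example.

```python
"""Heuristic detection of password spraying versus single-account brute force.

Added example (not from the podcast or Microsoft's report). The log format,
sample lines, thresholds and function names are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <OK|FAIL> <username> <source IP>".
# 203.0.113.7 tries eight accounts once each, then lands on "ivan" (a spray).
# 198.51.100.4 hammers one account eight times (brute force, not a spray).
# 192.0.2.9 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2021-10-10T07:35:02Z FAIL alice 203.0.113.7
2021-10-10T07:35:09Z FAIL bob 203.0.113.7
2021-10-10T07:35:15Z FAIL carol 203.0.113.7
2021-10-10T07:35:21Z FAIL dave 203.0.113.7
2021-10-10T07:35:28Z FAIL erin 203.0.113.7
2021-10-10T07:35:33Z FAIL frank 203.0.113.7
2021-10-10T07:35:40Z FAIL grace 203.0.113.7
2021-10-10T07:35:47Z FAIL heidi 203.0.113.7
2021-10-10T07:35:55Z OK ivan 203.0.113.7
2021-10-10T09:01:00Z FAIL alice 198.51.100.4
2021-10-10T09:01:05Z FAIL alice 198.51.100.4
2021-10-10T09:01:10Z FAIL alice 198.51.100.4
2021-10-10T09:01:15Z FAIL alice 198.51.100.4
2021-10-10T09:01:20Z FAIL alice 198.51.100.4
2021-10-10T09:01:25Z FAIL alice 198.51.100.4
2021-10-10T09:01:30Z FAIL alice 198.51.100.4
2021-10-10T09:01:35Z FAIL alice 198.51.100.4
2021-10-10T12:00:00Z FAIL bob 192.0.2.9
2021-10-10T12:00:30Z OK bob 192.0.2.9
"""


def parse_auth_log(text):
    """Parse the constructed log lines into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def _events_by_ip(events):
    """Group all events (successes and failures) by source IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    return by_ip


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag source IPs whose failures span many accounts with few tries each."""
    findings = {}
    for ip, evs in _events_by_ip(events).items():
        fails = [e for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            per_user = Counter(e["user"] for e in in_win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source after the spray began means a
                # guessed password worked: that account needs immediate attention.
                hits = sorted({e["user"] for e in evs
                               if e["ok"] and e["ts"] >= start["ts"]})
                findings[ip] = {
                    "first_seen": start["ts"].isoformat(),
                    "distinct_users": len(per_user),
                    "max_attempts_per_user": max(per_user.values()),
                    "successful_logins_after": hits,
                }
                break
    return findings


def detect_brute_force(events, window=timedelta(minutes=30),
                       min_attempts=5, max_users=2):
    """Flag source IPs that repeatedly fail against one or two accounts."""
    findings = {}
    for ip, evs in _events_by_ip(events).items():
        fails = [e for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_win}
            if len(in_win) >= min_attempts and len(users) <= max_users:
                findings[ip] = {"attempts": len(in_win), "users": sorted(users)}
                break
    return findings


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    print("brute force:", detect_brute_force(evs))
```

Per-account lockout thresholds, the usual brute-force control, never fire on the first source because no single account sees more than one failure; that is why the spray check counts distinct accounts per source rather than failures per account. The `successful_logins_after` field is the case that matters most: a spray that produced a valid login means a weak or reused password, which is exactly what the unique-password and two-factor advice above is meant to remove. The thresholds are starting points; sources behind a shared NAT gateway will legitimately show many accounts and need tuning or an allow-list.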