The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Crime Goes Meta
In This Issue:
- Crime goes meta
- Mobile security is a hot mess
- It's about the money—and the opportunity
Crime Goes Meta
The trend of ransomware attacks on municipalities continues: $1.1 million in two weeks – Florida cities pay out big to ransomware gangs. Since the attack on Baltimore proved that recovery from backups can be very costly, more organizations are considering paying a ransom: Pledges to Not Pay Ransomware Hit Reality. From the article:
"While risk analysts and security experts continue to recommend that companies keep focused on securing their systems and speeding incident response to minimize the impact of crypto-locking ransomware, they are now also recommending that companies be prepared to capitulate.
In a June 5 report, for example, Forrester Research published a guide to paying ransomware, advising its audience to consider third-party firms that negotiate with cybercriminals to ensure the best outcome."
This is sound—though unpalatable—advice. But anyone considering following it should probably read this, too: Biz tells ransomware victims it can decrypt their files... by secretly paying off the crooks and banking a fat margin. This details the dubious deeds of Red Mosquito, a firm that supposedly helped companies hit by ransomware decrypt their files. Instead, it apparently charged a hefty fee, used some of it to pay the ransom, and pocketed the rest.
In other words, now there are scams about helping you recover from scams. Crime is getting meta.
Part of the reason that more organizations are considering paying a ransom is that ransomware has evolved to aggressively hunt for and encrypt backups. Take measures to isolate your backups from the rest of your network. Make sure the login credentials for the backup servers are unique. Take a page from Amazon's book and severely limit employees' access to anything that isn't essential for doing their jobs: (AWS CISO Talks Risk Reduction, Development, Recruitment). Test your backups, and practice restoring from backups.
If you do get attacked, you’ll be understandably upset, but don't let that cloud your thinking when you’re looking for professional help. And—just a thought—if you’re looking for someone to help you with incident response, maybe don't pick a company named after a blood-sucking parasite?
Mobile Security Is a Hot Mess
This was probably a terrible week to work at a cellular service provider: Global Cyberattack Campaign Hit Mobile Carrier Networks. The hackers involved in this attack were probably state-sponsored, and the purpose of the attack was to get the phone metadata of a few VIPs. This revealed both who they called and where they went.
Needless to say, the infosec community had some caustic critiques of mobile companies' security. In this article, Global Cyberattack Campaign Hit Mobile Carrier Networks, one executive says, "I was surprised at the extent and the length of the campaign as reported. I mean, it's a long time for this type of activity to go undiscovered or un-analyzed."
And then there was this: Here's how I survived a SIM swap attack after T-Mobile failed me - twice. It's not related to espionage; it's just an unfortunately-timed story about terrible security practices at a mobile provider. Here's a sentence no one wants to read: "Two days later, T-Mobile let the hacker steal my phone number again."
SIM-swapping is an increasingly popular form of attack. The criminal collects some information about you on social media, enough that they can convincingly pretend to be you in a call to your phone company. They ask the phone company to move your phone number to a new SIM card. If the phone provider falls for the ploy, the criminal then has a way to hack into any of your online accounts that require a PIN to be sent to your phone for verification. The PIN will be sent to the attacker, since they have the SIM that is now associated with your phone number.
There are measures that your phone provider can put in place to reduce the risk of this happening. But once they have those policies, they need to actually follow them—something T-Mobile apparently did not do.
Read the SIM swapping article. It provides some advice on reducing the chances that a SIM swap attack will be successful, and also tells you what to do to recover from such an attack. You also need to put pressure on your mobile carrier to explain what they are doing to shield you from these attacks. If you think it will help, tell them that phone companies in Mozambique are doing security better. (They are; see this article for details: The SIM Swap Fix That the US Isn't Using).
It's About the Money—and the Opportunity
Cyber-espionage gets a lot of press, but seven out of ten attacks are by ordinary criminals who are in it for the money: Breaking the Endless Cycle of "Perfect" Cybercrimes. This article says, "Once profits start declining and/or attacks begin to fail, cybercriminals have evolved their campaigns." Translation: if you’re dealing with criminals, as opposed to state actors, your defenses don't have to be perfect; you just have to make it hard enough to attack you that it will be unprofitable to do so.
This means you need to know what the current set of most likely threats is, to make sure your defenses are inconvenient enough to attackers. Some of the recent trends in cybercrime are discussed in this article: Email Threats Continue to Grow as Attackers Evolve, Innovate. It mentions "the increasing use of malicious URLs in emails rather than attachments, a trend toward use of HTTPS domains for hosting malicious sites, and new variants of impersonation fraud." Also, "increasing significantly in the first quarter was the number of URL links pointing to malicious files hosted on widely trusted cloud-hosted file sharing sites, such as Dropbox, OneDrive, Google Drive, and WeTransfer."
So, um, about WeTransfer: WeTransfer security failure results in file transfer emails being sent to the wrong people.
1) Stay educated about evolving threats.
2) You need to have a talk with your employees or co-workers. Popular cloud-based file sharing sites like WeTransfer or Dropbox are convenient, but this is not remotely the same thing as being secure. If you have a company policy requiring everyone to use an alternative file-sharing method—something with encryption would be a good start—then it will be easier to identify e-mails that contain a Dropbox or Google Drive link as phishing attempts.
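The policy above only pays off if someone actually checks inbound mail against it. The following is an added example (not from the newsletter or any product it mentions) of that check: it extracts links from a message body, judges each on its real hostname against the file-sharing services named in the article, treats a lookalike host such as dropbox.com.evil.example as phishing outright, and grades genuine file-sharing links by whether the sender is a colleague. The domain list, the `corp.example` internal domain and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed for this example: the file-sharing hosts the article names plus their short-link domains.
FILE_SHARING_DOMAINS = {
    "dropbox.com", "dropboxusercontent.com", "onedrive.live.com", "1drv.ms",
    "sharepoint.com", "drive.google.com", "docs.google.com", "wetransfer.com", "we.tl",
}
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

def classify_host(host, domains=FILE_SHARING_DOMAINS):
    """'share' for a listed domain or subdomain, 'lookalike' if a listed name is merely embedded in an unrelated host, else None."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in domains):
        return "share"
    if any(d in host for d in domains):
        return "lookalike"
    return None

def scan_body(body, domains=FILE_SHARING_DOMAINS):
    """Return [(url, kind)] for each link whose real host hits the policy."""
    hits = []
    for url in URL_RE.findall(body):
        kind = classify_host(urlparse(url).hostname or "", domains)  # hostname ignores user-info decoys like dropbox.com@evil.example
        if kind:
            hits.append((url, kind))
    return hits

def triage(emails, internal_domain, domains=FILE_SHARING_DOMAINS):
    """Verdict per (sender, body): lookalike host -> phishing; real file-sharing link -> likely-phishing from outside, policy-violation from a colleague."""
    verdicts = []
    for sender, body in emails:
        hits = scan_body(body, domains)
        kinds = {kind for _, kind in hits}
        if "lookalike" in kinds:
            verdict = "phishing"
        elif "share" in kinds:
            internal = sender.lower().endswith("@" + internal_domain)
            verdict = "policy-violation" if internal else "likely-phishing"
        else:
            verdict = "ok"
        verdicts.append((sender, verdict, hits))
    return verdicts

SAMPLE_EMAILS = [  # constructed messages, not from the article
    ("accounts@vendor.example", "Invoice: https://www.dropbox.com/s/abc123/invoice.pdf?dl=1"),
    ("hr@corp.example", "Policy update: https://intranet.corp.example/policy"),
    ("ceo@corp.example", "Please review https://drive.google.com/file/d/XYZ/view today"),
    ("it@corp.example", "Reset here: https://www.dropbox.com.evil.example/login"),
]
```

Run `triage(SAMPLE_EMAILS, "corp.example")` to see the four verdicts; the internal Google Drive link is the one that earns a conversation rather than an alarm.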
Resource of the Week
The Motherboard Guide to Not Getting Hacked, version 3.0. While not exactly new, this guide is regularly updated, and provides clear and comprehensive advice. Given this week's heap of news about mobile phone providers, the section on mobile security seems particularly apt.
Tweet of the Week
'We don’t have Alexa, so to be funny, I yelled at my TV, “Alexa, pause the movie!” And Alexa did. And we looked around like O_O. Turns out a new remote we got for our old Firestick turned my TV into Alexa. So now I’m looking around. Anything could be Alexa. Toaster, throw rug.' – Robin DeRosa - @actualham
Apparently, a necessary part of shopping is double-checking whether or not your purchase will be listening to you. Grand.
Podcast of the Week
- Open-heart nerdery: Boffins suggest identifying and logging in people using ECGs. Of course, when someone inevitably figures out how to collect and spoof your ECG data, you'll need a new heart.
- This phishing campaign uses an odd tactic to infect Windows PCs with two forms of trojan malware. Tell your friends and co-workers: if the "invoice" attached to that e-mail is an .iso file, don't open it.
- Google creates educational tools to help kids spot fake news. Is there a way we can force adults to take this course too? Asking for a friend.
- Wipro wasn't a one-off: Same hacking crew targeted scores of firms, big and small – researchers. The hackers "were said to have used off-the-shelf phishing templates to compromise the Indian outsourcer, as well as hitting a number of other companies. Those templates appeared to have been drawn from a counter-phishing training product." Well, that's one way to try to sell an executive on corporate anti-phishing training: Tell them that the bad guys already took the course, and the good guys need to catch up.
- A Socio-Technical Approach to Cybersecurity's Problems. You don't have to be hacked to be damaged by malicious online activity. Worth a read.
- Could Foster Kids Help Solve the Security Skills Shortage?
- Malicious Microsoft Word docs warning: Think before you click on unexpected emails
- Millions of Dell PCs vulnerable to attack, due to a flaw in bundled system-health software
- Cyber-Risks Hiding Inside Mobile App Stores