Cyber Security Today Week in Review for Week ending Feb. 2, 2020


Welcome to Cyber Security Today. This is the Week in Review ending Friday, 2nd February 2024. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S.

David Shipley, from Beauceron Security, will be here in a few moments to discuss the latest news.

This includes more revelations about the 23andMe breach; more on Microsoft; the notification of Canadian government officials about recent data breaches; the investigation of a hacking incident at Global Affairs, this country’s foreign service; the FBI’s testimony before Congress on the cyber threat from China; Canada’s proposed cybersecurity law for critical infrastructure providers; and the ransomware attack that cost Johnson Controls $27 million.

Also in the news: two new vulnerabilities were discovered in the past week in Ivanti Connect Secure VPN gateways and Policy Secure.

A cyberattack against Fulton County, which includes the city of Atlanta, led to the temporary closure of some government IT systems. The county continues its efforts to restore services.

Separately, one or more students at an innovation academy accessed the school district’s IT system without authorization. That incident is not related to the attack on the county.

Three Americans were charged with stealing over US$400 million in a 2022 SIM-swapping attack. Security reporter Brian Krebs believes the funds were taken from the now-defunct FTX cryptocurrency trading exchange.

Linux administrators and application developers were warned to make sure they’re running the latest version of the operating system after researchers at Qualys discovered four vulnerabilities.

The AlphV/BlackCat ransomware gang, after the FBI shut down its infrastructure in December, is now trying desperately to survive. It may be lying about successful attacks to get headlines, and possibly to trick victims into paying. That’s according to a researcher at RedSense, who told Dark Reading this week that while AlphV claimed an attack on a defence contractor, other than a few screenshots there’s no evidence the company was compromised.

Juniper Networks also released updates to fix high-severity vulnerabilities in its SRX and EX firewall series.

To hear the full conversation, play the podcast.

Howard: Topic one: timing matters. The genetic testing service 23andMe revealed new details last week about its massive data breach, and the Canadian government admitted that the IT network of the department of foreign affairs was hacked.

What are the commonalities between these incidents? It took time for them to be detected. In the case of 23andMe, hackers were on its system for five months. In the case of Global Affairs, the hacker was in the system a month before being detected. What does this say, David?

David Shipley: This kind of presence is right on the edge of the median dwell times for cyber attacks as measured by Mandiant. Dwell time is a measure of the amount of time that criminals spend in a network prior to launching an attack, such as ransomware, or being detected by defenders. Dwell time has been decreasing from 21 days to 8-10 days in 2022. Median is just one measure. It’s not necessarily average. Average can be skewed by folks to the left or right of the median, so it’s really interesting. These attacks should’ve been caught earlier. I suspect if attackers were using normal tools in the 23andMe case that are regularly present in the IT environment — what we regularly call living-off-the-land — it’s going to be hard to spot unless the company has a very, very good monitoring program. And again, in the case of 23andMe, given that this was using a multitude of breached user accounts, unless they were watching for logins from geographies outside of the private country of the user they’d likely have no clue what was happening — other than potentially looking for failed login attack patterns.

In the case of Global Affairs, I’m very, very interested in learning more about the VPN tool that the government referred to as being a part of the breach. Was this a zero-day vulnerability or a routine misconfiguration that was a part of the breach? Was this a well-known vulnerability? If so, why wasn’t it patched? I can’t imagine December 20th [when the hack reportedly started] was a wonderful time for the IT team there [at Shared Services Canada] to be doing anything. I hope the federal government will be more transparent about what happened, how it occurred and lessons learned. If they used a product from a commercial vendor, many other organizations could learn from this.

Howard: I thought that detection was a key part of a strategy for cyber security.

David: It is, but it’s certainly not the only part of a strategy. And you know, people’s perception of what detection actually is capable of doing, of catching something that’s abnormal when it looks and walks and talks like everything that’s normal, because you know … Stop and step back for a second. Global Affairs will be able to access logins from all over the globe. That’s where staff are. That’s where their embassies are, working remotely from internet service networks associated with those various countries. Many of the easy ways people might detect something become much more difficult. It’s tough, but they do have some really, really good tooling. So what I’m hoping is that we learn more about who the attackers were.

Howard: Well, 23andMe didn’t know about the incident until the hackers advertised that they had stolen data.

David: This is the worst possible way to find out about a breach.

Howard: This was the second hack at Canada’s Department of Global Affairs in two years. Does this say anything about government security?

David: I’ll use a hockey analogy. First, shots on goal on the federal government are astronomical. Everybody’s trying to get into the net, so they’re never going to be perfect defenders. They’re too big of a target for too many players who have the money and patience to keep taking shots until they score. Second, the government should come out and tell us if this was a regular cybercrime, which would be disappointing if it got past its defenses, or a nation-state, which is more understandable. It’s what we do to other countries. This is exactly what our intelligence agencies will be pursuing. It’s part of the great game and frankly, it’s fair game in spying. This is what I would expect, but I would like to understand the context.

Howard: Well, the Canadian government hasn’t given details about how Global Affairs was hacked two years ago. You know, silence isn’t golden.

David: It’s incredibly frustrating. We need to see the federal government take the lead that some provinces, like Nova Scotia, have shown. They did a fantastic job of being transparent, accountable and honest during the MOVEit hack. And we need the federal government to lead by example, particularly at a time when they’re going to be passing legislation that will force others to provide it with information about their cyber incidents. It should do this as a gesture of goodwill.

…… ….

Howard: Topic six: American cyber leaders rid China

Christopher Wray, FBI director, testified before Congress on March 13 that China is trying to preposition malicious software on the IT systems of critical infrastructure providers in the United States so it can strike whenever it wants. He also said that the FBI, under a court order, had disrupted a [Chinese] botnet made up of hijacked American routers with the goal of spreading malware. This botnet was created by the group security researchers call Volt Typhoon. The congressional committee also heard complaints against China from the Director of Homeland Security and the Cyber Security and Infrastructure Security Agency, as well as the commander of U.S. Cyber Command. How likely is it that this saber-rattling will affect China’s cyber strategy?

David: I don’t think it’s going to affect it a whit. I think we should also recognize that the Americans are doing it to China, and they did it to Russia. You’d be insane as a modern country to not be trying to get a foothold in these things as part of a holistic conflict strategy that might involve a proportional response. You know — you get hacked, the power grid goes down in Cincinnati and maybe you turn power off in Shanghai as a proportional response, versus let’s go straight to World War III. This is The Great Game. I find the timing fascinating, and the reason I say that is I was reading CNN earlier this week and we had President Biden and President Xi saying China’s agreed not to do election interference.

By the way, President Biden, free advice: Canada signed a nonaggression treaty with China back in the day under Prime Minister Trudeau about cyber after they raided our cookie jar and they didn’t keep their end of the bargain. Keep your election non-interference certificate with a large grain of sand.

Howard: This botnet was made up of home office routers from Cisco Systems and Netgear, which are no longer eligible to receive security updates. This is yet another example of old equipment posing a security threat.

David: This is a continuation of what we discussed in 2023 about internet of things regulations in security, reasonable equipment lifespans and reasonable expectations from customers to keep their devices secure. Maybe we have to get to the point of saying, ‘As a responsible maker of technologies that can have a dual purpose — that is, they can be a great home router but also can become part of a zombie bot army used by the Chinese to shut down the power in Cincinnati — you have to keep these things patched and updated for 10 years.’ These patches should be applied automatically, ideally. Two things: people who are busy living their regular lives aren’t trying to be cyber security network engineers at home. And at the end of an equipment’s life you actually have to make it stop working when there’s a reasonable notice period: ‘This thing is going to be out of security in 12 months and we’ve notified you, and at the end of that 12 months it’s not going to be able to connect to the internet anymore.’ Maybe that’s the solution for home internet routers so they can’t be a threat to national security.
