[BreachExchange] Expert: We Are Not Learning Enough From Cyberattacks

Destry Winant destry at riskbasedsecurity.com
Wed Mar 4 10:24:09 EST 2020


https://www.govtech.com/security/Expert-We-Are-Not-Learning-Enough-From-Cyberattacks.html

(TNS) — One of the things that troubles Rob Cheng about the frequent
cyberattacks that hit businesses and government entities, including
incidents in Siouxland, is that nobody seems to learn much from them.

"The reason why this keeps on happening is that, we're not learning
from every attack. We're not getting better. And, so it just keeps on
getting worse," said Cheng, CEO of antivirus software company PC
Matic.

Cheng, a former executive at Gateway computers in North Sioux City,
talked to The Journal on Wednesday after meeting with Iowa Attorney
General Tom Miller about cybersecurity issues earlier in the week.



The city of Wayne, Nebraska, fell victim to a ransomware attack on
Feb. 18. The city's files were encrypted and its computer-based systems
went down. The hackers demanded a shockingly high price to release the
files -- $500,000.

In December, the city of Sioux City was notified by a third-party
vendor "that alterations to the vendor’s application code could have
enabled the unauthorized copying of payment card information from the
City’s Internet browser window during certain payment transactions,"
according to a letter the city sent to residents.

In all, 3,563 of the city's parking ticket and utility billing system
customers were impacted -- their name, address, payment card number,
expiration date, and CVV potentially exposed. It's not known precisely
what type of software security measures the city or its third-party
vendor had in place, as the city's main IT person was not available to
comment on the situation at the time of this writing.

Two Sioux City eye clinics separately fell victim to ransomware
attacks within months of each other in late 2018 and early 2019, one
of which might have exposed the personal health information of some
40,000 patients.

There have been much bigger incidents elsewhere. During the past
several months, Louisiana Gov. John Bel Edwards has declared and later
renewed a state of emergency repeatedly after the state's Office of
Motor Vehicles and other state entities fell victim to cyberattacks.

In 2019 the city of Baltimore fell victim to a massive ransomware
attack -- and oddly enough, the hackers in that case demanded only
around $75,000, less than a sixth of what was demanded of Wayne. The
Baltimore Sun reported that the attack cost the city an estimated
$18.2 million in all, though the city refused to pay the ransom.

In a traditional ransomware attack, an attacker remotely encrypts
(scrambles the information, turning it into a hard-to-decipher code) a
victim's computer files and demands payment to remove the encryption.
The payment almost always is demanded not in dollars but in Bitcoin, a
crypto-currency that's virtually impossible to track. Bitcoin prices
ebb and flow compared to dollars, and the dollar value of the 13
Bitcoins demanded by the Baltimore hackers later inflated to around
$100,000, according to NPR.

Ransomware traditionally has infected computer systems through emails,
though Cheng said that more recently, another ransomware method --
something called RDP, or remote desktop protocol -- began to appear on
the radar.

RDP was intended as a means to do legitimate remote maintenance on
networks, and is still used as such. But RDP was built by humans, and
as such, other humans found a way to manipulate its flaws.

And then there's a whole new ransomware program called "Sodinokibi,"
which is even more insidious than its predecessors. It encrypts files
and asks for a ransom, which is standard ransomware practice, but it
also steals the files.

"If you don't pay the ransom, they're going to start leaking the files
out," Cheng said.

The city of Wayne said it did not yet know how exactly the ransomware
made its way into the city's systems.

"We don't know for certain, and probably never will," said Wayne City
Manager Wes Blecke. "We're definitely still dealing with it."

The city has reached out to the FBI and the Nebraska State Patrol, and
they have the National Guard on-call to examine their system. The FBI
did point out some of their system's vulnerabilities -- vendors having
access to their system, employees working on computers from home and
so-called "phishing" emails.

"We definitely need to do a better job of looking at those
vulnerabilities," Blecke said.

Blecke said his own work computer uses McAfee antivirus software, but
he couldn't say what the rest of the city uses for antivirus
protection.

Paying the half-million-dollar ransom was never really considered as
an option for the northeast Nebraska city during the attack.
Fortunately the city kept backup files -- recorded on old-fashioned
tapes -- and they only lost about 10 percent of their data, give or
take, after wiping their system clean and re-installing the lost data.

"That's an incredibly high ransom amount, is what I've been told," Blecke said.

Cheng said paying a ransom is never a good idea, for obvious reasons.
Yet, sometimes desperate victims comply with the hackers' demands --
and it doesn't help that some entities have obtained insurance
policies that will pay the ransoms.

"People are paying the ransoms. When you pay the ransoms, then you're
almost guaranteeing that they're going to come back, and they do," he
said.

It's rare for perpetrators of ransomware attacks, and indeed most
cybercrimes, to ever face charges.

"That's part of the reason why it's growing, is because they know
they're not going to get caught," Cheng said.

Crypto-currency, with its many layers of secrecy and anonymity, goes a
long way in ensuring the perpetrators are never apprehended.

While little is known in general about most perpetrators of
cybercrimes, Cheng said they generally operate internationally.

"It's not Americans hitting Americans. This is clearly a foreign
thing," he said. "And all of it is coming from countries that the
United States does not have extradition (agreements with)."

Cheng wants the public to focus more on the holes and weaknesses that
exist in the current cybersecurity paradigm.

Being smart about passwords is one oft-repeated way to shield yourself
from cybercriminals -- using the same password for everything,
including your work, banking, social media, online shopping and
elsewhere, is ill-advised. If hackers can figure out the password used
on one site, they have the key to all of them.

Yet a poll released in 2018 found that 59 percent of people use the
same password everywhere.

"Stop doing that, stop it," Cheng said of using only one password.
"They know your personal passwords."

At some point in the future, Cheng is hopeful computer programming
will patch up the security holes, guarding against human follies and
malevolence.

One idea he floated is a "VIN number" for computers -- an immutable
number, like the VIN of a car, that identifies each computer. The
current equivalent of that, the IP address, is too easy for criminals
to circumvent.

"In the long run, I believe that we're going to have to create a new
generation of computing that does everything we want, but is also
secure. Fundamentally built to be secure so these things don't
happen," he said.
