Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday November 24th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss recent news. But first a look at some of the headlines from the past seven days:
Huge hacks of third-party service suppliers again embarrassed companies. The government of Canada said almost 24 years of personal data held by two companies that help the military, the RCMP and federal employees move from job to job was recently stolen. One company oversees more than 20,000 relocations a year. Multiply that by 24 and its potentially 480,000 people.
UPDATE: Canada’s privacy commissioner says his office is investigating this incident.
Meanwhile in the U.S. a company that transcribes audio files from doctors said information on close to 9 million patients was stolen in a hack in March. Terry and I will talk about these incidents.
We’ll also discuss why Australia may have backed off a promise to make paying ransomware illegal, and we’ll talk about an incident where a Canadian man’s email was hacked and the SIM card on his smartphone was swapped by crooks.
Also in the news, a U.S. Senator demanded Attorney General Merrick Garland make public documents related to the Hemisphere phone surveillance program. It allows federal, state, local and Tribal law enforcement agencies to request searches of U.S. phone records, usually without warrants. The metadata records aren’t classified, Senator Ron Wyden argued. Search warrants are needed to get email and instant message metadata, so why not phone records?
Think the fingerprint print reader on your Windows laptop prevents other people from logging in? Not so, say researchers at BlackWing Intelligence. They were able to compromise the fingerprint database on three laptops, although it took them three months. How did they do it? Well, on two of the devices the manufacturer had turned off Microsoft’s Secure Device Connection Protocol to enable secure fingerprint readers. C’mon guys.
Crooks are just untrustworthy people. How bad? Some gang has named their ransomware after the VX-Underground group of threat researchers. The so-called vx-underground ransomware strain is really part of the Phobos ransomware family. Threat researchers are advised not to be fooled.
Fidelity National Finance, which provides title insurance and settlement services for the mortgage and real estate industries in the U.S., has been hit by a cyber incident. It may affect home purchases. An industry news service says transactions won’t be available until Sunday.
And Canada’s Security Intelligence Service warned scientists, academics and professionals they are wanted — by unnamed hostile governments who want their expertise. Be wary of offers of well-paying research placements or collaboration opportunities from suspicious international sources. If you get such an offer, call your organization’s security office, or the intelligence agency.
(The following is an edited transcript of the first of three news items we discussed. To hear the full conversation play the podcast)
Howard: First, I want to talk about the ongoing dilemma of paying ransoms to get back access to stolen or encrypted data. Last year the Australian government vowed to make it illegal for businesses and governments there to pay ransomware gangs. However, this week when it released a new cybersecurity strategy, no ban was proposed. Instead the government promised to work with industry to co-design options for a mandatory no-fault-no-liability ransomware reporting obligation for businesses to report ransomware incidents and payments. Why do you think the government backed off?
Terry Cutler: Because it doesn’t work. If you get hit with a ransom or attack you’re going to be faced with with a couple of options: Either pay the ransom and — hopefully — you get your data back, or you try to restore from backup. Hopefully your backups work. If you are able to restore from a backup you pray to God that [the attackers] didn’t take a copy of the data and try to extort you by leaking the data. So we know that the options are very limited. Even if you’re able to pay the ransom and get a decryption key there are a lot of instances where the databases are still corrupted. So [business and government] need to start focusing on reporting [attacks] and collaboration. Take, for example, the public sector. In Canada we know 24,000 incidents [last year] but only 300 or something got reported. So if law enforcement has more ammunition into what’s going on maybe they will be better able to work with governments go after some of these gangs.
Howard: And of course if there’s more reporting [by organizations] to law enforcement agencies then governments will devote more money to those agencies for fighting cyber crime and assisting the private sector.
Terry: We always hear stories that cyber security spending has increased to like $200 million, but cyber criminals are bringing in $300 billion so it doesn’t even compare. If you can start sharing your knowledge and your experiences [of cyber attacks] with others and the governments something’s going to get done eventually.
Howard: We discussed the issue about not making ransomware payments on our November 3rd podcast, just after 48 countries met in Washington and agreed their national governments would refuse to pay ransoms. It’s one thing to make that commitment for yourself – ‘My government won’t pay.’ It’s another thing to force businesses not to pay. And it appears harder to bring the private sector and other sectors, like universities and hospitals, to agree.
Terry: Until you’re faced with a ransomware attack you can be an armchair critic. But let’s take for example hospitals. They may deal with 18,000 endpoints [to protect] and backups are happening all over the place. The [IT and medical] teams are not working together. When an incident occurs they got to loop in 25 people to try and piece together what happened. The whole IT system is down and it’s going to take at least 400 hours to bring it back to a point that’s usable. Is it going to be cheaper to pay the ransom, or is or do bring in a SWAT team of IT folks to bring the systems back up? They’re working around the clock, which might cost three times the amount of the ransom. Of course they’re going to say pay the ransom.
Howard: Let’s get to the bottom line: If the United States is not going to pass legislation and ban businesses from paying, what government around the world will?
Terry: I think Canada is in a great spot because of our robust cybersecurity strategy. And we’re one of the most active in international collaborations around cyber threats when you compare us to other G7 countries. But there has to be a collaborative approach [to fighting ransomware]. Canada can do one piece of the puzzle. Singapore has a great tech hub, great expertise there too. You got China in the mix as well. You’ve got the U.K. Everybody’s got a piece of the puzzle that needs to be solved. They need to be working closely together to build up a strategy that can be disseminated to the small businesses and public sectors in their countries.
Howard: Among other things, the new Australia cybersecurity plan says the country will work with businesses to create a cyber incident review board, which will conduct no-fault incident reviews of big events to improve cyber security. This sounds very much like the U.S. Cyber Safety Review Board, which you may recall issued a report earlier this year on the Lapsus$ gang. The idea is an independent agency investigates and reports on lessons learned from major cyber incidents. Usually we rely on legislative investigations, which are seen as political. Or investigations by financial or privacy regulators or even reports by security vendors, which can give some insight into breaches. This idea of having a cyber safety review board is pretty good. I think every country should have one.
Terry: One of the challenges we’ve seen throughout the years is IT isn’t collaborating with the forensics guys or network architects. Had we all been working together properly and sharing information we’d be able to to thwart these cyber attacks more quickly. There needs to be way more collaboration, lessons learned, and sharing stories. That happens whenever I go to conferences: I often share stories of what we’re doing with incident response …
Howard: What do you think of the new Australian cybersecurity plan?
Terry: There’s a great list of talking points in there. But a lot of it is the same old stuff with a new spin. For example, the report is broken up into three groups: From 2023 to 2025 it [the government] will focus on ‘straightening the foundations.’ Which is great because a lot companies don’t have the basics in place — They still don’t have multifactor authentication turned on, they think ‘ Who’s going to want to attack us? We make fiberglass for a living; who’s going to want to hack us?’ So they need to get the foundations in place. From 2026 to 2028 to goal is to expand the reach. So they get more [cybersecurity] awareness out there. And in 2029 to 2030 they are supposed to ‘lead the frontier.’
But a lot of times companies — small businesses especially — don’t have the time money or resources to deal with cybersecurity. That’s why I meant by ‘Same old things. New spin.’ There needs to be proper methodology and step-by-step guides [for organizations] and it has to be easy enough for companies to implement to prevent ransomware attacks.
Howard: The plan does promise help for small and medium businesses.
Terry: Again, you have to disclose it [a ransomware attack], and if you’re in a situation where you have no choice to pay the ransom cyber insurance is supposed to kick in. But if you don’t have the basics in place why should they be insured?
Howard: By the way, Canada is due to update its national cyber security action plan soon. The current one covers the period 2019 to 2024.
Discussion about this post