Ransomware (& the importance of backups)

By Chris Williams

“A backup is worth a thousand bitcoin.”
While not a literal exchange rate, the above quip does contain some truth in regards to ransomware attacks: if you still have access to your (unencrypted) data, then you don’t have to pay the ransom.

Backups methods (and pitfalls)

Many IT professionals advise scheduling a nightly backup as well as a periodic offsite backup utilizing multiple drives in a rotation, regularly scheduled cloud backup service, or both. The goal is to maintain multiple versions of the backup so that a “clean” backup isn’t mistakenly overwritten by an infected backup; versioning is easy in concept but poor management of physical media can result in errors that undermine the protection backups are supposed to offer.

Example: the Acme Company uses a tape drive for its weekly full backups; there are six tapes that are rotated sequentially meaning six versions of the backup data should exist at all times. One week, an administrator is supposed to rotate from tape #2 to tape #3, but by mistake he replaces tape #2 with tape #1 and the backup on that tape is subsequently over-written. If a problem emerges that requires restoring from backup tape #1, the company is now in serious trouble because that data is gone—instead they’ll be forced to use the backup from tape #6 and lose an additional week of data unnecessarily. (Full disclosure, both tape drives and weekly backups are considered archaic, but this scenario illustrates the point well.)

Many cloud backup solutions automate versioning so that there is no margin for error. Once the solution is configured, each subsequent backup sent to the cloud will be tracked separately so that administrators can restore from virtually any point in time (provided the backups go back that far). As far as commercially available products go, Carbonite seems to be reasonably popular for SOHO users and some medium-sized businesses as well.

Test restore procedures

Test backup and restore procedures periodically. Even if your scheduled backups execute as planned with no errors, there’s plenty of storage left on the media (or cloud), and all looks well, do yourself a favor and test the integrity of the data as frequently as is reasonable. Few things are worse than a false sense of security, and corrupted or unusable backup data is exactly that.

Scenario: Acme Company is infected with ransomware first thing Monday morning. Management decides to restore from Friday’s “known-good” offsite backup—however, due to physical damage to the backup media, the data is corrupt and incomplete (or worse, can’t be restored at all). Once again, the company is forced to rewind an additional week by using the previous backup. This could have been prevented by regular testing, which would have detected the physical media issues.

The takeaway

Ransomware is one of the most pervasive threats facing individuals and organizations today. The best medicine is, of course, prevention. However, the next best defense is to take away the hacker’s leverage—being able to recover your data without paying bitcoin for the decryption key saves money, reduces downtime, and perhaps mostly importantly doesn’t reward criminals for their behavior. If every user and every business maintained backup data properly, ransomware simply wouldn’t be profitable enough to continue.

Current Events – Top 5 Cybersecurity Developments of 2016

By Chris Williams

To kick off the new year, we’ll take a look back at 5 of the most important cybersecurity events and trends from 2016, along with the circumstances that made each noteworthy.

5 – IoT-fueled DDoS attacks result in highest throughput events in Internet history

The threat posed by distributed denial of service (DDoS) attack has increased significantly over the past year; as attack techniques including reflection and amplification become more sophisticated, the amount of traffic which can be directed to attack a target now measures in hundreds of Gbps and will likely break the 1 Tbps threshold (if it hasn’t already) in a single attack before long.

We examine some of the causes and implications of this trend in greater detail, in an earlier article: https://paradoxprimeia.com/2016/12/06/mirai-ddos-iot-security/

4 – Among the first publicized instances of a nation state employing cyber warfare to influence the democratic process of another nation state

No voting machines were breached, and no tallies were altered—one cannot say that the election was “hacked” in a strict sense. Instead, information was obtained illegally by a team of hackers and then disseminated for use in a large-scale information campaign designed to influence the outcome of the election by shifting public opinion; a much more roundabout method that creates a measure of “plausible deniability” for all those involved, to be sure.

According to what has been released, the team that breached the Democratic National Committee’s network and obtained incriminating emails from key DNC personnel was not working directly for Russia. This is hardly a surprise. According to those same reports, however, investigators have been able to determine the origin of the hackers as well as their financial ties to Russian stakeholders; this, combined with various intelligence that demonstrates Russian officials had some knowledge in the campaign, paints a fairly compelling albeit circumstantial case.

However, the “who/what/when/where/why/how” isn’t necessarily the most pressing issue we face—our follow-up question should be, “what comes next?” Since the floodgates of political interventionism have apparently been opened, and the United States still has yet to address a multitude of issues with its critical infrastructure (among many other targets), there is ample cause for concern. Could a more direct election hack be next? Could we face a Stuxnet-style attack on our nuclear plants, or an attack similar to the one which took down power stations in the Ukraine? With the latest attacks in Kiev also being linked to Russia, it’s definitely a question worth asking.

3 – Ransomware continues to increase in prevalence, cybersecurity experts talk preparedness

Although ransomware has existed in some form for the better part of this decade, 2015 and 2016 both saw significant leaps in both the complexity and ubiquity of this unique strain of malware. By the end of 2016, losses to consumers and businesses skyrocketed to an estimated $1B; that figure puts this rapidly expanding form of cybercrime in a position to potentially replace credit card fraud as the top fiscal threat to organizations and consumers. It’s of course too early to see what 2017 holds, but we can only hope that increased awareness of the risks (as well as mitigating strategies such as appropriate back-up procedures for critical data) causes this trend to reverse itself.

In the meantime, hospitals, retailers, law enforcement agencies, and even private users should all be wary of suspicious files, unsolicited emails, and other potential vectors that we’ve discussed in previous posts. Like many attacks, a human element must be exploited in order to be successful; cybersecurity experts continually point to users as the most easily exploitable target, but training methods have not kept pace with threats.

2 – Apple sets a precedent by favoring consumer privacy over the demands of intelligence agencies

The terrorist attacks which occurred in San Bernardino in late 2015 had consequences which will almost certainly influence consumer privacy and data security for many years—due not to the nature of the attacks themselves, but rather the course of subsequent investigation and legal maneuverings which continued well into 2016.

At issue was one of the iPhones used by the attackers, which was locked using Apple’s built-in device encryption feature; the FBI requested Apple to provide them a means of bypassing that encryption, but their request was refused on the grounds of privacy protection. (There were other factors, however the premise “If we give you a backdoor then anyone can potentially have the same backdoor” is a fair argument which summarizes Apple’s position). Even after the conflict had escalated to a lawsuit, Apple stayed the course, declining to provide a workaround to investigating agencies; however, since the FBI eventually found another way of cracking the phone’s security measures, the suit was dropped and the whole affair essentially fizzled out.

Apple’s refusal to cooperate is a polarizing topic, with their stance drawing both praise and criticism from cybersecurity professionals. Regardless of how that debate plays out, the important thing to note is that private companies cannot be compelled to provide consumer information to government agencies without due process—at least not yet. Additionally, Apple was among the first companies of its size to publicly decline putting a backdoor into their systems; technology and telecom companies have historically complied with even the most invasive of federal programs in the interests of national security.

1 – Data breaches result in billions of compromised consumer records throughout organizations worldwide

The following is a “short list” of data breaches which were publicized (not necessarily took place) in 2016:

  • Yahoo 1 billion user accounts
  • Yahoo (again) 500 million user accounts
  • MySpace 360 million user accounts
  • LinkedIn 167 million user accounts
  • Office of Child Support Enforcement 5 million records
  • 21st Century Oncology 2.2 million patient records
  • Verizon 1.5 million enterprise clients
  • Centene 950,000 patient records
  • IRS 700,000 taxpayer records
  • FBI 20,000 employee records
  • DHS 9,000 employee records

Over the past few weeks we’ve examined data breach trends and discussed some potential safeguards which consumers should be cognizant of. You can check out these articles at:

https://paradoxprimeia.com/2016/12/23/recognizing-computer-threats-data-breach-awareness-1/

The takeway

If 2016 was any indication, the cybersecurity landscape for 2017 will consist of a vast array of threats; consumers, businesses, and governments are all susceptible in part because of the common (human) element. User training & awareness programs should be considered by all organizations, regardless of size.

Copyright © 2017 ParadoxPrime IA, All rights reserved

Recognizing Computer Threats – Data Breach Awareness, Part I

By Chris Williams

Data breach

If it seems like data breaches are becoming more and more commonplace all the time, that’s because it’s true: the frequency of data breach and security incidents that result in some level of data leakage is on the rise. On top of that, the public’s perception of these incidents is becoming more acute. This is in part because a larger percentage of data breaches are being publicized than ever before. Due to the prevalence of both national and state laws which require companies to notify consumers when their personally identifiable information (PII) is compromised, it is essentially unavoidable: organizations must have procedures in their incident response plans to deal with these types of contingencies. Private organizations such as Payment Card Institute (PCI) have their own rules concerning how breach notifications must take place; they typically enforce such policies through audits and by assessing non-compliance penalties.

Breach notifications

Best practice after a data breach is to send breach notification notices out as soon as the scope of the incident has been reasonably well determined; this is both for compliance purposes as well as for good “public relations”. On the other hand, companies that are slow to publicize data breaches are often maligned in the court of public opinion. Despite the bad PR that can occur when a company’s security practices are implicated after a security incident, some public forgiveness can be gained by simply being forthcoming. Additionally, when organizations provide supplemental services such as credit monitoring to data breach victims, the extra expense is typically justified by the positive effect on consumer confidence. Transparency, expediency, and ownership of the incident are surprisingly effective tools in retaining customers after an incident occurs.

All this being said, with the sheer number of incidents happening, consumers still need to understand how to minimize their risks. It is important to know what steps to take if an incident occurs targeting a service provider or retailer that they utilize. It is also vital to recognize that not all organizations are forthcoming when a breach occurs, even if the law says they should be.

Webmail accounts: use unique passwords

A data breach that compromises your email account password can mean more than just a loss of privacy (although that is of course the primary concern since most of us are uncomfortable with the prospect of strangers reading our emails). Exposure of personally identifiable information (PII) is often linked to identity theft and other forms of fraud; criminals may use this info directly or sell it via black market. This information is used to open fraudulent bank accounts, make purchases with compromised payment cards, and so on. Many users fail to consider the considerable level of PII that is exposed during a data breach. The following non-comprehensive list includes a few good examples:

Correspondences with companies you do business with, including healthcare providers (noteworthy because of the depth of information these companies retain); lists of personal friends, family members, and associates; employment-related messages such as recruitment or application emails; vacation plans; event invites; receipts for purchases, often with partially visible payment information; billing and shipping addresses; and much, much more.

A compromised webmail account can provide hackers with tremendous detail regarding your personal life—and accounts you may have with e-commerce sites and other services—therefore it is important not to re-use any passwords across multiple different services.

Scenario: compromised webmail password

Tom uses Yahoo for webmail. Tom’s yahoo.com email address is also the user name for his Amazon account, and the passwords for his Yahoo and Amazon profiles are identical. Let’s imagine his Yahoo password is stolen during a mass data breach; hackers can then gain access to his inbox, and read all of his messages. From there they determine that he has an Amazon account by skimming through transaction emails. Their next step will of course be Amazon.com. By simply entering the same password used to access his Yahoo inbox they will easily gain access to Tom’s Amazon account, because the password was re-used for both accounts; by contrast, they could not have done so if the passwords were different. (They would, however, still have his Amazon user name since it’s the same as his Yahoo email address).

Amazon, like most e-commerce retailers, allows customers to re-use payment cards that they have previously saved.  Whoever has access to Tom’s account also has access to make unauthorized purchases—without even having to provide a credit card.

The takeaway

Breach notification laws exist to protect consumers whose protected information may have been affected by a security breach. Unfortunately, these laws are not as comprehensive or as compelling as they could be, and so many companies are still slow to report & publicize incidents.

Using the same credentials for multiple email and/or other accounts is inadvisable. This practice creates a single point of failure by which attackers can gain access to all of your private data. Monitor your inbox for unsolicited messages, and check your Sent folder from time to time. Again, just because your webmail provider has not announced an incident does not mean no such event has taken place.

There’s plenty more so say about this topic: we’ll be back soon with part II!

Copyright © 2016 ParadoxPrime IA, All rights reserved

Mirai, DDoS Attacks, and the State of IoT Security

By Chris Williams

Mirai

A malware package designed to infect network-connected devices that lacked security, gaining remote access to a large number of hosts (bots) for the purpose of conducting distributed denial of service attacks. Hackers control infected bots from a centralized platform or control server—this control server can issue arbitrary commands to the entire botnet, send additional malicious payloads (malware) to individual bots, and more. The “Mirai” malware infects a wide variety of improperly secured smart devices, leading to renewed criticism of the IoT and its often lackadaisical security standards; for instance, attackers can potentially compromise web cams and digital video recorders based on publicly known factory default credentials. Manufacturers often hard-code these credentials so that they cannot be changed during configuration of the device.

Mirai’s source code was released into the wild in October 2016, following a series of attacks in which Mirai-powered botnets proved devastatingly effective. Among those targeted were noted Cybersecurity blogger Brian Krebs (KrebsOnSecurity.com) whose site was protected by Cloudflare’s DDoS mitigation services at the time. Subsequently, attacks on the Domain Name Service provider Dyn were conducted, at least in part, using Mirai-powered botnets; this series of attacks caused major outages across a number of high-profile retailers and service providers.

Device Vulnerabilities

Vendors that manufacture “smart” devices traditionally have not put security on the forefront of their design goals; many such devices, for example, transmit credentials in clear text—thus being susceptible to potential vectors such as eavesdropping, sniffing, and man-in-the-middle attacks. Many more devices ship with weak default passwords which end-users are never required to update. Looking up these credentials is possible via a simple Google search thanks to a number of Internet resources (plus the manufacturer’s own documentation, in many cases). Additionally, not all vendors publish regular updates to address security issues, and those that do generally do not make such updates mandatory. Instead, manufacturers expect end-users to keep track of and install the latest firmware—not a realistic expectation for a large portion of these products’ target audiences.

Although there is little one can do to prevent sniffing or MITM exploits (HTTPS is not even an optional configuration setting on most of these devices), protecting the networks in which they reside is perhaps more feasible. In many cases, this entails disabling the SSID broadcast, setting up MAC filtering, and implementing a secure WPA-2 key—all measures which will keep honest people honest but won’t necessarily deter a sophisticated attacker. Securing routers and implementing network-based firewalls can mitigate attempts to locate and compromise IoT devices from the Internet. Regarding the weak default credentials, best practice is to change any vendor-supplied passwords where possible (not always an option, as mentioned above). Make sure the new credentials meet with standard complexity and length requirements as well. Users should also visit device manufacturers’ websites and download/install updates.

Botnets

Several components comprise the malware packages used to create botnets. Included are: a backdoor, with which the attacker can gain remote access to an infected host, and various payloads which can then be executed against that host, such as keyloggers, sniffers, adware, spyware, etc. An attacker can, from a remote location, execute arbitrary commands on the victim, as well as use them for a variety of other criminal activities, from spamming to participating in DDoS attacks. In the latter-most case, an attacker will direct thousands, tens of thousands, or even millions of infected hosts to send requests to a specific target.

The goal is to overwhelm both its processing power and its network bandwidth such that it crashes, stops responding, or at least becomes unreachable for the duration of the attack. Attacks can be relatively brief, just long enough to make a point, or sustained. Sustained DDoS attacks can last indefinitely, at least until the hackers reach some kind of objective (usually ransom, occasionally a political goal).

Botnets consist of so many victim hosts that it is impossible to monitor and direct them all individually—hence the need for control servers that can communicate with the entire botnet simultaneously through a single administrative console; this gives attackers the ability to launch highly coordinated and effective attacks which would otherwise not be possible.

Reflected and amplified DDoS

Current DDoS attack techniques exhibit a high level of sophistication. It is much more than simply pointing bots at a target and ordering them to start sending malicious traffic until that target goes down. Instead of each participant in the attack having to interact directly with the victim, hackers use reflection techniques to conduct these advanced attacks. Reflected attacks exploit a third party to “bounce” the malicious traffic from, thus concealing the identities of attacking hosts as well as that of the command server. Additionally, amplification techniques significantly increase the payload of malicious traffic which hits the target.

An example of an amplified and reflected DDoS attack:

  • Attacker botnet A sends a barrage of specially crafted DNS queries to host B, a DNS server
  • These queries use a spoofed IP address and appear to be coming from host C, which is the actual target of the attack
  • Host C received responses from Host B instead of the attacking botnet
  • Changing the type to “ANY” or using DNS extensions which increase the size of the DNS response (for instance encryption, which adds additional overhead to each packet) significantly inflates the amount of traffic
  • The extreme volume of requests floods Host C so that it cannot consistently respond to legitimate traffic—it begins refusing connections, drops packets, and may even crash

DNS infrastructure: single point of failure

The Friday, October 21st attacks against managed DNS provider Dyn brought down Etsy, Twitter, PayPal, Pinterest, and dozens of other clients for several hours. The scope and sophistication of the attacks caught many off guard, as there had not previously been large-scale attacks of this nature against the DNS infrastructure itself. Additionally, these events illustrated a weakness that had previously received very little (if any) attention: managed DNS without a layer of additional redundancy is still a risk. Most of the companies affected by Dyn’s managed DNS outage did not have any form of back-up domain name resolution strategy in place—no secondary provider was available on “stand by” in case of such an event. Thus, managed DNS became a single point of failure for these companies and the sites/services they offer, and the failure (or lack of) business continuity planning was very evident in retrospect.

The volume of traffic, from a network throughput perspective, was among the largest in Internet history. This event was significantly larger than previous DDoS attacks, which is alarming since they have been steadily becoming more sophisticated over the last few years. Experts estimate the total traffic generated by both the Krebs and Dyn attacks at 600-700 Gbps, which is enough to overwhelm just about any target, even those using DDoS mitigation services such as Cloudflare. (For reference, most DDoS attacks still generate < 10 Gbps.) We can conclude from this data that DDoS mitigation alone does not eliminate the risks satisfactorily.

Pressure device manufacturers

As widely-publicized DDoS attacks using botnets become more common, including those directed at public DNS infrastructure, consumers and security experts alike are asking, “How can we make these products more secure?” There is no clear answer, however, given the lack of industry-wide standardization. We do not presently have way to force these vendors to improve the security of their devices.

One can hope that a coalition of vendors, retailers, experts, and consumer advocates will come together and author an enforceable, open source compliance standard. Or, we may see legal intervention on the part of the U.S. government. (Not likely, however, given past reluctance to formulate nationwide security standards outside of federal agencies and other specific contexts like educational institutions). Short of either happening, consumers can still opt to put financial pressure on these vendors. If non-secure products fail to continue selling, vendors will move to make their products more secure in the future.

 

Copyright © 2017 ParadoxPrime IA, All rights reserved