Welcome to Cyber Security Today! This is the Week in Review edition for the week ending Friday, May 26, 2023. I’m Howard Solomon, US cybersecurity reporter for ITWorldCanada.com and TechNewsday.com.
In a few minutes, Terry Cutler from the Montreal Biological Laboratories will be here to comment on the latest news. But first, a look at some of the headlines from the past seven days.
Four American states settled 2020 data breach claims against a vision insurance benefits company. Information on 2.1 million people was stolen in that breach. Terry and I will look into that incident.
We will also investigate the spread of a fake image on Twitter purporting to be of an explosion near the Pentagon. We’ll discuss why Cisco Systems isn’t patching new vulnerabilities found in old small business switches, why companies keep unnecessary data for so long, and a Canadian data breach victim fighting the taxman.
In ransomware news, a Cuban ransomware gang claimed responsibility for an attack on the Philadelphia Inquirer news service.
The Snatch ransomware gang is responsible for an attack on the Canadian Nurses Association.
German car and weapons maker Rheinmetall said it was hit by the Black Basta ransomware group last month.
The city of Dallas, Texas, still dealing with the aftermath of a ransomware attack more than two weeks ago, was forced to close its municipal courthouse on Monday. It is expected to reopen by Tuesday, May 30.
The BlackCat ransomware gang has added a new tool. According to Trend Micro researchers, it’s a Windows kernel driver with a digital signature. The driver is used with a stand-alone client to try to monitor and kill security programs on computers and servers.
Android users of an app called iRecorder-Screen Recorder have been warned to delete it. This comes after ESET researchers discovered a spyware vulnerability last August. The app has been live since September 2021 and has been downloaded 50,000 times.
And Samsung smartphone owners are urged to install the latest patches after the discovery of four critical vulnerabilities.
(The following is an edited transcript of one of the discussed topics. Play the podcast to listen to the full conversation.)
Howard: Let’s start with a $2.5 million data breach settlement between four US states and a vision insurance benefits company called EyeMed Vision Care. With a username and password in 2020, a hacker accessed a company email account used by staff. That account had messages and attachments with personal information from 2.1 million subscribers. The data included names, dates of birth, full or partial Social Security numbers, medical diagnoses and other information. In addition to copying data, the attacker used access to their email to send customers 2,000 phishing messages that appeared to come from the company in an attempt to obtain their credentials. A few things stood out to me from this attack. First, nine employees broke company rules and shared the same username and password. Second, the company was in the process of implementing multi-factor authentication, but had not installed it in the email system before the attack. And third, the company hired consultants to do a risk assessment, but the email system was not evaluated.
Terry, what do you think of this?
Terry Cutler: There is a lot to uncover here. The first part is about nine employees who avoided company rules. I still can’t believe they actually share usernames and passwords. It should be in the employee handbook. This is a no-no, because if you share your username and password, someone can log in as you. Now the onus is on you to prove it wasn’t you. The other thing is they [the hacker] sent over 2,000 [phishing] letters. This is like living off the land. If they are sending emails from a legitimate company [account] no one will question it. It’s not fake. Everything goes back to legal. It will appear in the inbox, and when people see it, they will click on the links, and then they will reveal their password, or even infect the company, depending on what they clicked on. As for doing external risk assessments, but not including the email server, we’re seeing this more and more in our own penetration testing. The client company says: “Oh, we’re using Office365, we don’t need it rated. Microsoft has it covered.” But they don’t realize that Office365 is not secure. When we do audits, we’ll find a lot of things, like multi-factor authentication isn’t enabled or applied inconsistently, or their password policy never expires. Can it receive and send malicious email attachments? Because we’re going to send an email to the inbox and see if it’s there or not. We are also going to check the temporary exception rules. We will also look for third-party applications such as LinkedIn, for example, to sync LinkedIn contacts. We’ll see if it [Office365] is capable of sharing contacts and possibly leaking some personal information, such as OneDrive for Business. Is it used on unmanaged devices, is automatic external email forwarding enabled? These are all features available in Office that can be completely misconfigured.
Howard: Let me take them one by one. First of all, there is clearly a failure in security awareness training if nine people ignore the password rule.
Terry: I think this is because most employees are probably not tech savvy.
Howard: Another thing, and you talked about this a little bit. How do you do a risk assessment and not include email?
Terry: Many times when we do an estimate, the client wants to exclude it because they think it’s covered by someone else. It is not so. We have to continually educate them as to why it is not covered and it has to be included in the risk assessment.
Howard: Another thing I mention. As part of the settlement, the company had to agree to implement a written information security program, regularly log and audit network traffic and access attempts, create an incident response plan, and a number of other things. So one of the lessons for me is that you don’t want a regulator to publicly tell you to do these things after an attack.
Terry: We give a lot of evaluations. Some of our audits are called pathfinding assessments, where we look at where you are now and where you need to be. And many times they don’t have [incident response] playbooks in place. They have no idea about their incident response plan. Who is contacted, when and where? All that does not exist. And many times they don’t have the proper documents. So if [the regulator] says, “You have to start logging, create all these programs,” etc., this requires expertise. And if you don’t have a budget, especially if you’re a nonprofit, you won’t be able to hire professionals. This is where outsourcing comes in. But it costs a lot of money. And many times companies will feel they don’t need to have it until it’s too late. For example, I’m currently dealing with a company that doesn’t even have a firewall. They just have a regular ISP modem and that’s it. They don’t feel like they need endpoint protection for their machines or how important the information is. They think a cyber attack will never happen to them, they only have seven employees.