How the World Ends 

In today’s vernacular you might say you’ve been “click-baited”. Or maybe not. I’ll let you be the judge. I guess it will all come down to how you interpreted “World” and “Ends”. If you immediately pictured the metaphorical “world” or the global context of “world” and if your definition of “ends” means “completion of current state and transformation to something better,” then this most likely will not be what you expected. My intent is to reveal something more sinister and far more depressing. But I beg you to hear me out. After all, it’s only about 5 minutes of your time. 

In 1942 the Nazis forced concentration camp prisoners to produce massive amounts of counterfeit British pounds in an effort to collapse the British economy. This wasn’t the first use of currency counterfeiting in war though. The technique has been around a long time. The British attempted it during the Revolutionary War; Napoleon used it against the Italians; even during the 15th century Italian states employed it.  

Why would one country counterfeit the currency of its enemy? Were they intending to go on a shopping spree after invading their foe? Oh no, that’s not it. It’s more nefarious than that. 

See, here’s a dirty little secret. And it’s one that the Federal Reserve Bank and other central banks around the world would rather you not find out. Counterfeiting leads to hyperinflation. The effect isn’t immediate. It takes some time to get all the money out into circulation. But once it does, the effect can be horrific on the economy.  

Hyperinflation manifests itself in rising prices. At the grocery store, at the gas pump, at the movie theater. Everywhere regular people do their daily transacting. When prices rise everywhere at about the same time, this is the effect of inflating the money supply. It’s not a collusion among all the grocers. It’s more a collusion among Central Bankers. It’s not rich farmers gouging you at the store. It’s the ultra-wealthy oligarchs who control everything. 

By flooding your enemy’s economy with counterfeit bills, you dilute the value of the currency until it becomes worthless. It’s pretty easy as the British found out at the end of World War II. The counterfeited bills were so good, they couldn’t tell the fake from the real bills. The only thing they could do was to stop printing the legitimate pounds and wait for the money to dissipate naturally.  

In the US we’ve been experiencing inflation for some time. Actually, the Fed has a target of 2% per year. It’s intentional. This time, it just got out of hand. Not from counterfeiting, but from legitimate money creation.  

Take a look at the St. Louis Fed website. Just do an internet search for “M2 money supply”. In 2020 the money supply exploded. Not counterfeit. It was legal tender. Because of the lag between new money flooding the economy and prices rising, we are only now feeling the effects. Thank you, US Congress. 

If you have been wondering maybe the US Congress doesn’t always have our best interest at heart, perhaps you are onto something. Think about this. Like you, I live in Sierra Vista. I also own a small business. It’s nothing of significance but I like to think I make a difference in the lives of the people I serve. It’s my small way of pursuing happiness in my life.  

In 2021 Congress passed the Corporate Transparency Act (CTA). As a result, small businesses have to disclose all the details of their business ownership. We have to upload our business details into a government database. You know, the kind of database that is a major target of cyber criminals. The kind of database our government bureaucrats should protect but don’t. From a cybersecurity perspective, the data they require for compliance can easily be used in a social engineering attack to get YOUR information and to scam YOU. Even if you aren’t the small business owner. 

The funny thing about the CTA is that it affects only small businesses that almost exclusively do business locally. Corporations with more than 20 full-time employees and over $5 million in annual revenue are exempt. The reason Congress claims they passed this legislation is to eliminate illicit money laundering. It’s supposed to be a way to financially suffocate terrorist cells. But most money laundering happens in companies handling greater than $5 million. The exemption is in the wrong direction. It will not achieve the stated intent. It’s a shell game.  

Small businesses have little or no budget to hire cybersecurity professionals to protect their computers, networks and sensitive business data. They are the most vulnerable to cyberattacks like ransomware. So in reality what this Act will do is provide a convenient database of millions of small businesses that characteristically have little or no cybersecurity controls protecting their data. All neatly packaged for any moderately skilled threat actor.  

Maybe it’s not the end of the world. Or maybe it is the end of the world as we have become accustomed to it. 

Even the Experts Can Be Fooled

When even experts in social engineering can be fooled, it is important to ensure a defense in depth strategy for your business’ information security.  KnowBe4, one of the country’s largest providers of cybersecurity and social engineering training, got fooled by a North Korean IT worker intent upon loading their network with malware. 

KnowBe4 had a job opening. They were looking for someone for their internal Artificial Intelligence (AI) team.  What they received instead was a valuable training lesson in advanced social engineering. They were fooled. But unlike many companies, they disclosed the failure. Their experience might save others from a similar fate. 

Fortunately, they caught the imposter early enough so there was no breach or illegal access to the company’s systems.  They stopped him before he could do any damage.  Here is how it happened, how they stopped it, and some lessons learned. 

The human resources team did their jobs.  Background checks came back clean because the imposter was using a valid but stolen US-based identity.  They conducted 4 video conference-based interviews validating that the person matched the photo on the application.   The imposter had taken a stock photo and used AI to merge his own features onto it.  HR even verified his references. 

Once hired, the imposter asked to have his laptop sent to a farm. Not the kind you’re thinking of. It was “an IT mule laptop farm.”  A laptop farm is an address, usually in the US, where a facilitator keeps company-issued laptops powered on and online so that operatives in North Korea can connect to them remotely and appear to be working from a US location. It was a good thing KnowBe4 restricted new employee access and didn’t allow access to the production systems. 

Once the imposter had been successfully hired and his laptop had been delivered, it was time for him to embed his malware onto the company network.  He downloaded and attempted to execute malware.  He then used some technical trickery to cover his tracks. 

The good news is the company security operations center (SOC) was alerted to potentially dangerous behavior and called the imposter.  The imposter claimed criminals must have compromised his router.  The SOC team quickly isolated his computer from the rest of the network preventing his access to valuable systems and data.  The imposter was unresponsive once he figured out that he was caught.  

Here are some lessons learned.  
  1. When a company uses remote workers with remote computers, the company should have a way to scan the device to ensure there are no unexpected remote-access connections on it.  
  1. When hiring workers, don’t rely simply on email references.  
  1. Do not ship laptops to locations that don’t match the applicant’s address.  
  1. Make sure applicants are not using Voice over IP (VoIP) phone numbers.  
  1. Watch for discrepancies in address and date of birth.  

Despite all the process failures, KnowBe4 did not suffer a breach.  They understood defense in depth.  They had multiple lines of defense in case one (the employee screening process) was breached.  All their laptops had endpoint detection and response (EDR) software loaded and they had a SOC watching over their network.  The EDR stopped the malware from executing and alerted the SOC. The SOC team isolated the computer right away and escalated the issue.   

When it comes to protecting your business, you cannot rely on minimal protections.   Firewalls and anti-virus are useful, but they do not stop a hacker from entering through your email or your browser.  Technology, like EDR and a SOC, may save the day, but it must be backed up with tried-and-true policies and training.   Although KnowBe4 is an expert in social engineering, they got scammed due to lax hiring policies.  They have since updated their hiring policies.  Remember, a fool may learn from his own mistakes, but a wise man learns from the mistakes of others.   Be the wise man. 

Six ways to harden your digital profile 

“Kevin” was very frugal. He flossed daily, washed his hands often, wore deodorant, and never ate at McDonalds. He always came to a complete stop, separated his recyclables, ate more veggies than meat, and turned off the lights when he left the room. He also used a credit card responsibly; always paying it off every month. He had another card he used rarely and paid off just as quickly so his debt-to-credit ratio would benefit his credit score.  

One day Kevin’s 12-year-old clunker broke down for the last time. He needed a new car. The excitement was actually kind of cool. He researched the options and decided to go for sporty rather than practical this time. The test drive was thrilling. The smell of “new car” instead of “old tube socks filled with fries and candy” was a surprise. A welcome one. But right around the corner was another surprise. A very unwelcome one. Kevin’s credit score. Even though Kevin was ultra responsible in other areas of life, he was not used to checking his credit records regularly. He wasn’t even aware this was a thing. Someone had stolen his identity – and ruined it. 

I have bad news. There is a very high probability your personal information (not just your name and address) is on the dark web: your social security number, your birth date, your address. Most of what an online criminal needs to steal your identity.  I mention this because a reported 2.9 billion records containing these items were recently stolen from National Public Data, a background-check data broker.   

You’re probably so tired of hearing this. You might even think, “what’s the use?” While this news is dire, it is actually worse than you think. With the exposed personal data (like SSN) combined with other information easily accessible on social media profiles, a criminal can build a detailed profile of a victim. Armed with the data, the criminal can port the victim’s cell phone number to a phone they control (a SIM swap), intercept the one-time code the victim’s bank sends by text message, and wipe out the victim’s life savings. They can drain other investment accounts, open new lines of credit, purchase property on credit, etc. Anything you can do with your personal information, a criminal can do just as easily. 

This is going to take some time, but really less than 2 hours to significantly strengthen your digital life. While this is not intended to be a technical tutorial, and we cannot give legal advice here, you can do the following: 

  1. Use a password manager like Bitwarden. 
  1. Enable two-factor authentication on all your critical accounts (banking, investment, email, social media, cell phone provider). 
  1. Create a free login at Experian, Equifax, and TransUnion and freeze your credit file at each. 
  1. Use good credential hygiene as we have always advocated here. 
  1. Remember, if you get an email, text message or phone call requesting you to unfreeze your credit and you didn’t initiate it, it’s probably a scam. 
  1. If you receive a contact you did not initiate AND the person claims you are in trouble in any way AND it makes you feel anxious AT ALL, it’s probably a scam. Stop the communication and contact the purported organization using a known-good number.  

Moving forward the world is going to be less trustworthy. You need to adopt a posture of zero trust. Be suspicious of everyone and everything. It could save you. 

The original article was posted to the Sierra Vista Herald and can be found here.

Driving Under Surveillance:  Your Car’s Silent Betrayal 

Previously, we discussed the fact that your mobile phone vendors are providing your location information (and more) to data brokers who, in turn, sell that information to advertisers. I have some alarming news for you, that is not the only way that you are being surveilled by today’s technology. Basically, if your device has a connection to the internet, there’s probably a way to spy on you whether that device is a phone, tablet, baby monitor, or your car. 

In the United States, your privacy is NOT protected. There is no settled law on what is or is not allowed to be collected from you electronically. Although law enforcement cannot collect the information directly without a warrant, they can purchase it from data brokers like any other customer. Almost all End User License Agreements (EULAs) that you must accept before using your digital applications (like a browser) have a stipulation that you allow them to collect and even sell your data. This is all legal and very lucrative in the U.S. 

Unlike the U.S., the European Union (EU) has a law that protects the privacy of their citizens called the General Data Protection Regulation (GDPR). This law dictates that the personal data should only be stored as long as necessary with safe and secure processing. Two of the key rights included in the GDPR are: 1. The right to know what data is being collected and how it is used.  2. The right to have your data deleted from the databases. 

Previously we discussed how the applications on your devices gather your data and sell it to data brokers who sell advertisements. Do you realize that your car may be gathering data about you? In a typical new car these days, data can be gathered from your navigation system, Bluetooth, the Tire Pressure Monitoring System, cameras, and your infotainment system. Because each tire pressure sensor broadcasts its own unique identifier in the clear, anyone can put a radio receiver at travel choke points and follow specific cars as they travel around. 

Did you know that car companies, like Kia, Nissan, GM, and many more, glean personal information about drivers after they pair their smartphones with a vehicle’s connected services? They can take that information and sell it to vendors and insurance companies. You don’t have to sign up to be tracked by GPS by your insurance company for them to know your driving habits. Just last week someone relayed a story about their friend whose insurance company cancelled his insurance based on data the insurance company bought from the vendor. The company claimed that the driver accelerated too fast and braked too hard for them to continue to insure him. They do not need to ask you how you drive; the insurance companies already know. 

LexisNexis Risk Solutions and Verisk are consumer reporting agencies that use driver data to create a risk score that they share with insurance companies. A report can show a driver’s individual journeys, showing information like trip durations, distances, instances of speeding or abrupt driving maneuvers. If you have OnStar in your car, you likely consented to sharing this data when you bought the car perhaps without realizing it. There are multiple class action lawsuits against GM, OnStar and LexisNexis ongoing at the time of this writing claiming that their data was collected and used against them without their consent. 

If you are curious to see what data LexisNexis has collected about you, you can go to their website and request a report at https://consumer.risk.lexisnexis.com/request.  Automakers have similar request forms. Some states (not Arizona) have laws allowing consumers to opt out of having their information sold to third parties. 

This is just the tip of the iceberg with respect to how you are being tracked on the internet. We can cover more in later articles. If you would like your data protected similar to what the EU does with the GDPR for their citizens, contact your state and federal representatives. 

Cyber-attacks on voting infrastructure. Is there a backup plan?

Imagine if, during this upcoming election in November, no results were available until days after the election. On July 31st the Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Federal Bureau of Investigation (FBI), released a public service announcement stating that there is potential for Distributed Denial of Service (DDoS) attacks on election infrastructure and the adjacent infrastructure that supports election operations. 

To better understand the situation, here is some background information. CISA was established in November 2018 to enhance the security, resilience, and reliability of the nation’s critical infrastructure. CISA is at the heart of mobilizing a collective defense to understand and manage risk to our critical infrastructure and associated National Critical Functions. Basically, CISA is charged with protecting US cyberspace as well as the nation’s critical infrastructure such as power, water, and even our elections.

A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic. Hackers do this by using many compromised computer systems as a source of attack traffic. It is like a mob of people rushing to a store to block legitimate customers from shopping. Imagine tens of thousands of computers that have been loaded with malware without the users’ knowledge. Now imagine all those computers running a program at the same time against specific sites making continuous requests against the election infrastructure.
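To make the “flood” concrete, here is an added example (not part of the original column) of the kind of detection logic a security operations center runs over web server access logs. It groups requests by second, compares each second against a baseline rate, and tells a distributed flood (many sources, which cannot be stopped by blocking one address) apart from a single noisy client. The log lines are constructed for the example, and the thresholds are assumptions to be tuned to your own traffic.

```python
import re
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Optional

# Common Log Format: client ip, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str) -> Optional[tuple]:
    """Return (client_ip, timestamp_to_the_second) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("ts")


def requests_per_second(lines: List[str]) -> Dict[str, Counter]:
    """Bucket requests by timestamp (one bucket per second), counting hits per source IP."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            buckets[ts][ip] += 1
    return buckets


def detect_flood(lines: List[str], rate_factor: float = 10.0, min_sources: int = 20,
                 baseline_rps: Optional[float] = None) -> List[dict]:
    """Flag every second whose request count exceeds rate_factor times the baseline.
    A flood spread over at least min_sources distinct IPs is reported as distributed
    (blocking one address will not help); otherwise the single top source is named."""
    buckets = requests_per_second(lines)
    if not buckets:
        return []
    rates = {ts: sum(c.values()) for ts, c in buckets.items()}
    # Assumption: quiet seconds dominate the log, so the median is a fair baseline.
    # In production, take the baseline from a known-quiet period instead.
    baseline = baseline_rps if baseline_rps is not None else median(list(rates.values()))
    alerts = []
    for ts in sorted(buckets):
        total = rates[ts]
        if total < rate_factor * baseline:
            continue
        sources = len(buckets[ts])
        top_ip = buckets[ts].most_common(1)[0][0]
        kind = "distributed flood" if sources >= min_sources else f"single-source flood from {top_ip}"
        alerts.append({"ts": ts, "requests": total, "sources": sources, "kind": kind})
    return alerts


def sample_log() -> List[str]:
    """Constructed log lines, not real traffic: five quiet seconds, then a distributed
    flood from 50 addresses in one second, then a single address hammering the site."""
    def entry(ip: str, sec: int) -> str:
        return f'{ip} - - [05/Nov/2024:19:00:{sec:02d} -0700] "GET /results HTTP/1.1" 200 512'
    lines = [entry(f"198.51.100.{i + 1}", sec) for sec in range(5) for i in range(3)]
    lines += [entry(f"203.0.113.{i % 50 + 1}", 5) for i in range(200)]
    lines += [entry("192.0.2.7", 6) for _ in range(150)]
    return lines


if __name__ == "__main__":
    for alert in detect_flood(sample_log()):
        print(alert)
```

A detector like this tells you an attack is under way; it does not absorb it. That is why the CISA guidance in the next paragraphs concerns how results get published, not the tabulation itself: the public-facing site is what a flood of this shape takes down.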

Now back to the announcement from CISA: 

“With Election Day less than 100 days away, it is important to help put into context some of the incidents the American public may see during the election cycle that, while potentially causing some minor disruptions, will not fundamentally impact the security or integrity of the democratic process,” said CISA Senior Advisor Cait Conley. “DDoS attacks are one example of a tactic that we have seen used against election infrastructure in the past and will likely see again in the future, but they will NOT affect the security or integrity of the actual election.”

CISA’s intent is to assure the public that the elections will not be affected even though there may be disruptions that prevent the public from receiving timely information. However, if they know that adversaries may target the elections, how do they know that the elections will be safe and secure? How do they know that a DDoS against the vote tabulation network won’t block results from being collated? How do they keep a breach from occurring in the voting infrastructure? What happens if there is a major regional power outage due to a cyber-attack? As we know from the CrowdStrike outage, in which Maricopa County’s Dominion voting machines received the blue-screen-of-death update (see the article from two weeks ago for more details), voting machines are on the network. Why would only the peripheral reporting infrastructure be at risk and not the actual voting? As a cybersecurity professional, I find the joint FBI and CISA statement provides more questions than answers. 

Perhaps to properly secure the election system, we need to employ the same cybersecurity strategies that businesses use in case of emergencies. There should be contingency plans ready in case of a cybersecurity event. Precincts, counties and states should be ready to manually count the votes for all the races in case of a regional or national cyber-attack. The people required to perform those functions (counters, watchers, recorders) should be prepared and ready. Knowing the risks, should manual counting of paper ballots at the precinct level be the primary method, with machines as the backup?

It seems CISA and the FBI are placating the public and telling us not to worry. Maybe they should spend more resources on hardening the infrastructure and working with local officials on contingency planning in case of emergency. 

This article was originally published in the Sierra Vista Herald found here.

Congress Just Made It Easier for You to Get Scammed 

I hope you like jail food. Because if you own a small business or you have your assets protected by a trust, you might be eating a lot of it next year. But I wouldn’t expect you to know this. Unless you have the habit of visiting US Government websites like congress.gov, or the press release site for the US Department of the Treasury. 

OK. I’m abusing my hyperbole permissions … a little. Truth is that most people still haven’t heard of the “Beneficial Ownership Information Reporting Rule and Beneficial Ownership Information Access and Safeguards Rule” (BOI). These are new rules imposed by the Financial Crimes Enforcement Network (FinCEN). You see, as it turns out, Congress “exceed[ed] the Constitution’s limits on [their] power” (AGAIN). Those aren’t my words by the way. That’s a direct quote from the FinCEN website.  

The rule we are now required to comply with (or suffer the consequences) is in connection with the Corporate Transparency Act. According to the US Government, “Corrupt actors frequently use opaque legal structures—such as shell companies—to hide and launder the proceeds of their crimes. In the U.S. anti-money laundering (AML) regime, the lack of timely access to adequate, accurate, and current beneficial ownership information has been identified as a gap.” And as you may have now guessed, you and I get to bridge that gap. They even kindly helped us by making it a felony if you fail to do your part. 

You might be thinking, there you go again Tom, making your baseless accusations. But I’m just the reporter here. On the fincen.gov site, they provided a synopsis of a recent court ruling in Alabama that the US Congress exceeded their constitutional limits with this one.  

“On March 1, 2024, in the case of National Small Business United v. Yellen, No. 5:22-cv-01448 (N.D. Ala.), a federal district court in the Northern District of Alabama, Northeastern Division, entered a final declaratory judgment, concluding that the Corporate Transparency Act exceeds the Constitution’s limits on Congress’s power and enjoining the Department of the Treasury and FinCEN from enforcing the Corporate Transparency Act against the plaintiffs.” 

The plaintiffs in this case are members of the National Small Business Association (NSBA). As a result of the court ruling, FinCEN will not require the members of the NSBA to file the BOI. The rest of us must. So, my question is, if it is unconstitutional for them, isn’t it also unconstitutional for the rest of us? In the suit, the plaintiffs allege that “the CTA’s disclosure requirements exceed Congress’s authority under Article I of the Constitution and violate the First, Fourth, Fifth, Ninth, and Tenth Amendments” (corpgov.law.harvard.edu). 

Additionally, according to corpgov.law.harvard.edu, “the court determined that the CTA is not authorized under Congress’s taxing powers because, although the collection of beneficial ownership information under the CTA can help the IRS with tax collection, simply being useful to tax collection is not sufficient to invoke tax powers.” There it is. This is really nothing more than an easier way for the IRS to decide whom to audit. For auditing must be efficient. Oh, and by the way, banks are already required to provide your business’s information to FinCEN, making this redundant.  

There are many reasons a small business owner (including trustees of trusts) should be concerned. But from an information security perspective, this will be another mismanaged federal government database containing vital Personally Identifiable Information (PII) which, when it is stolen (and it will be, for sure), will hand the threat actors your name, address, birthdate, driver’s license number, and the S-corp, LLC, or trust for which you are the owner. The consequences are dire enough that you need to have your attorney help you report. If you do it wrong, you will face fines of $500 per day and up to 2 years in jail. Congratulations. Another tax you never agreed to.  

On the surface, having this information in the hands of a terrorist might not seem like a big deal to you. But think about it like this: if a threat actor can estimate what your company is worth, they use that to decide whether to target you for data theft. Then they use the information they steal from you to target you and your customers with scams. In the old days, the proportion of bad people who had physical access to you was incredibly small, so your world was pretty safe. The internet has created an artificially high concentration of the worst people on the planet with immediate access to you.  

The United States is a representative Republic. We are the governing body. The three branches of government answer to us. But if we don’t push back, they don’t feel that. 

Airline And Emergency Services Halted Worldwide Thanks to A Simple Update 

On Friday morning, Karen came to work for Delta Airlines at 4:30AM like she always did to help the early bird travelers check in and catch their flights.  When she booted up her computer, she saw something she had not seen in 20 years.  It was the “Blue Screen of Death.”   She asked a co-worker, and her computer was showing the same thing.   What was she going to do with all those travelers that can’t check in?  By 10:00AM EDT, Delta had cancelled more than 600 flights.    By Saturday, July 20th, over 4,000 flights would be cancelled throughout the airline industry globally leaving passengers stranded or dealing with hours of delay.   

What happened?  Shortly after midnight, CrowdStrike, a security software provider, pushed out a single content update to its 24,000 customers worldwide.  It was a small update designed to detect and stop new attack techniques hackers have been using.   On installation, the configuration update triggered a logic error that resulted in the famous Blue Screen of Death.  CrowdStrike could not just back out the update.  The customer computers were inoperable, and there is no automated way to remove a file from a machine that cannot boot.  Recovery required a “Safe Mode” boot, which means someone physically at the device entering a set of keystrokes during startup.  Only then could the bad file be removed, allowing the computer to operate as normal.   

The impact of this mistake was felt worldwide.  Several states, including Arizona, experienced 911 service outages.   By 3:00AM, the Federal Aviation Administration announced that all Delta, United, Allegiant, and American flights were grounded.  Transportation services in the Northeast, including trains and buses were experiencing delays.  Global banks reported services disruptions, from Australia, South Africa, Israel, and New Zealand.  Hospitals in Germany and the UK were cancelling all non-urgent surgeries due to the event.   Even locally, Maricopa County reported that their Dominion voting machines were malfunctioning due to the automatic update.   

CrowdStrike is a leader in the cybersecurity space.   Their Falcon Sensor product is an endpoint detection and response (EDR) tool.  It runs on each individual computer and detects and stops known malware before it can execute.  The company was founded in 2011.   Some may recall that CrowdStrike was called in to investigate the Democratic National Committee server hack in 2016.  Since then, the company has enjoyed tremendous growth and success.  The company says its customers include 298 Fortune 500 companies, eight out of the top 10 financial services firms, seven out of the top 10 manufacturers, six of the top 10 healthcare providers and eight out of the top 10 food and beverage companies.  With this many big names, you can see why the impact of this failed Falcon Sensor update caused such a huge problem.  

It is appalling that any company, much less a global leader like this, would automatically push out software it had not validated.  There have been rumblings on the internet that this could have been done on purpose for some nefarious reason, but I disagree.   CrowdStrike should have validated the update at the developer level, then again in an independent test and verification department, and then again at a pilot customer site before pushing anything out to the world.    

As for the customers caught up in this, we would not recommend immediate auto-updates for anything.   While working in the industry, we regularly waited a day to test the vendor updates and ran through a suite of tests before releasing it to our customers.  The fact that there was no control at the customer level made this event that much worse. 
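As an added example, not CrowdStrike’s code or process, here is a ring-based rollout controller of the kind the previous two paragraphs call for. The update goes to the vendor’s own machines first, then to a small set of pilot customers, then wider, and the rollout halts automatically at the first ring whose crash rate exceeds a threshold, so a bad update never reaches the later, larger rings. The ring sizes, the 1% crash threshold, and the simulated crash rates are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Ring:
    """One deployment ring: a name and how many endpoints it contains."""
    name: str
    hosts: int


@dataclass
class RolloutResult:
    deployed: List[str] = field(default_factory=list)   # rings that received the update
    halted_at: Optional[str] = None                      # ring whose health check failed
    hosts_affected: int = 0                              # endpoints that got the update at all


def default_rings() -> List[Ring]:
    """Hypothetical ring sizes: vendor-internal machines, pilot customers, a broad slice, everyone."""
    return [
        Ring("internal", 200),
        Ring("pilot-customers", 2_000),
        Ring("broad", 50_000),
        Ring("all", 1_000_000),
    ]


def staged_rollout(rings: List[Ring],
                   health_check: Callable[[Ring], float],
                   max_crash_rate: float = 0.01) -> RolloutResult:
    """Push the update ring by ring. After each ring, health_check(ring) reports the
    fraction of that ring's hosts that crashed (from crash telemetry or heartbeats);
    the rollout stops at the first ring above max_crash_rate."""
    result = RolloutResult()
    for ring in rings:
        result.deployed.append(ring.name)
        result.hosts_affected += ring.hosts
        if health_check(ring) > max_crash_rate:
            result.halted_at = ring.name
            break
    return result


def blast_radius(rings: List[Ring], crash_rate: float) -> dict:
    """Compare a ring-by-ring rollout with a single big-bang push for an update that
    crashes `crash_rate` of hosts everywhere (1.0 simulates an update that blue-screens
    every machine it lands on)."""
    total_hosts = sum(r.hosts for r in rings)
    staged = staged_rollout(rings, lambda ring: crash_rate)
    big_bang = staged_rollout([Ring("everyone", total_hosts)], lambda ring: crash_rate)
    return {"staged": staged.hosts_affected, "big_bang": big_bang.hosts_affected}


if __name__ == "__main__":
    print(blast_radius(default_rings(), crash_rate=1.0))   # {'staged': 200, 'big_bang': 1052200}
```

The customer-side equivalent of the same idea is the one-day delay described above: accepting only the previous version of an update (N-1) or holding new updates for a soak period is a ring of your own, and it works even when the vendor offers no control.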

This event shows us the need for every business to have disaster recovery and contingency plans. Whether it’s due to cyberattacks, technical issues, or natural disasters, having an effective plan is crucial for maintaining business continuity and minimizing downtime. 

In a world where we are increasingly dependent on computers for our businesses to function, be ready to run the old school way as a backup – just in case.    

The original article was published in the Sierra Vista Herald and can be found here.

MK-Ultra and the Patriot Act: A Privacy Dilemma

MK-ULTRA. It was a “classified covert mind-control and chemical interrogation research program, run by the Office of Scientific Intelligence”. It began in the early 1950’s. The Central Intelligence Agency (CIA) insists it has been shut down. But a 14-year veteran of the CIA, Victor Marchetti, has stated in many interviews, that the claim is a “cover story.” The program is likely still in operation.

From the CIA’s own website we read that the CIA is “prepared to accomplish what others cannot accomplish and go where others cannot go” and that they are “the Nation’s eyes, ears, and sometimes, its hidden hand”.

Since they are the self-declared extra-legal arm of the US government, and from their history the extra-ethical arm of the country, we may deduce there are many activities conducted by the Agency we simply cannot see. Yet.

In a redacted Memorandum for the Record dated June 9, 1953, Sidney Gottlieb, who ran the program, penned these words about MK-ULTRA, “The estimated budget of the project at XXXXXX is $39,500.00. The XXXXXX will serve as a cut-out and cover for this project and will furnish the above funds to the XXXXX as a philanthropic grant for medical research. A service charge of $790.00 (2% of the estimated budget) is to be paid to the XXXXXX for this service.”

The direct quotations printed above are from the CIA Freedom of Information Act (FOIA) page on their website. Therefore, I’m not making any unsubstantiated claims. I’m just the messenger for their own message. From this point forward I will be making wild unsubstantiated claims and speculate like an unrestrained adolescent.

MK-ULTRA isn’t the only CIA program to use US citizens for experimentation. It’s just the one we used for this article. But since smoke indicates fire, maybe we should feel free to speculate. Which leads me to the technical portion of this article.

Most people treat the details of their personal life on the World Wide Web very carelessly. People who (in person) are very guarded and suspicious disclose the most sensitive information about themselves on Facebook, or in an email. Neither, by the way, is end-to-end encrypted: the provider can read it, and so can anyone who compromises or compels the provider.

Most people use Gmail and Google Docs – the free ones. They are under the mistaken impression that since they have it protected with a password, only they have access to it. They forget that Google also has access to it. And through the PATRIOT Act, so can any arm of the Federal Government, or law enforcement, in many cases without a warrant. The Big Tech companies like Google, Microsoft, Apple et al. provide wonderful free cloud-based services like email, word processor, spreadsheets, etc. We fail to understand the scope of the reach tech companies have into our lives.

You may think, “but I am a law-abiding citizen. I have nothing to worry about.” The truth is, you are only partially correct. In his blog, Moxie Marlinspike, the creator of the encryption tool Signal, said the following, “Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed.” Our entire culture has evolved at moments when a critical mass of citizens pushed back against laws we collectively decided were outdated or just plain wrong. That couldn’t have happened in a world where even a whiff of social disobedience is detectable.

This may sound a little like the movie “Minority Report”. If law enforcement could peer into the digital lives of us all, would they possibly use artificial intelligence to prognosticate whether someone was contemplating a crime? Would there be a law to punish such a person? Furthermore, have you ever made a comment that might be construed as terrorist leaning? I bet you have but you didn’t know.

Truth be told, maybe we all have lives that we should have the power to keep private. Even from the CIA.

This article was originally published here.

One Click That Shut Down 15,000 Businesses, the CDK Hack

What started out as a peaceful shift for one of the country’s largest Auto Dealer Software-as-a-Service vendors turned into a nightmare. By 2:00 AM, the security team determined that they needed to shut down two of their data centers to stop the ransomware from spreading.

The vendor is CDK Global and they provide software services for over 15,000 car dealerships nationwide. They provide a platform that handles all aspects of an auto dealership’s operation including customer relationship management, financing, payroll, support and service, inventory, and back-office operations. On June 19th, CDK announced there was a cyber incident they were investigating, and services were not available. They started restoring service later in the day, but then they had a second cyber incident which caused them to take the systems offline again.

What makes the problem more complicated is that their clients are always connected to their network through an “always-on” VPN. This provides a tunnel from the client to the data centers. Normally that would be a good thing, but in this case, the always-on VPN just extended a network that was poisoned by ransomware. CDK recommended that the clients disconnect so that the hacker could not “pivot” from the CDK network to the client dealership network. What was even more critical was that the CDK software had administrative privilege on the client systems to do software updates. Hacking that software would give the attackers admin access to the local computers. Thankfully no clients reported any contagion.

This attack caused widespread disruption at car dealerships, which were left with no ability to track and order car parts, conduct new sales, or offer financing. Some dealerships shut down completely, while others reverted to the tried-and-true method of pen and paper assisted by spreadsheets. CDK is projecting to have all their clients fully operational by July 4th. However, the damage has been done. The disruption is estimated to cost CDK and the dealerships $944M.

The attacker is purported to be a hacking group identified as BlackSuit, which, although it only started a couple of years ago, has been responsible for over 95 breaches across the globe. They are known for using a technique called “double extortion.” During the breach, they upload the victim’s data to their server before encrypting (locking) the data on the victim’s systems. They request a ransom for the key to unlock the data, allowing the victim to continue operations. Additionally, they also threaten to release the data on the dark web if the victim does not pay a second ransom.

This breach might have been avoided if CDK had fully implemented Zero-Trust methods. In a Zero-Trust environment, it is assumed hackers are already on the network, and only trusted applications can run. Application whitelisting would have stopped this attack in its tracks. Whitelisting allows only known, trusted applications to run on the network. Any new application, like ransomware, would not be allowed to run.
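To make the whitelisting idea concrete, here is an added example (not CDK’s software or any vendor’s product) of a hash-keyed allowlist decision: a program runs only if the hash of its contents was approved beforehand, so a new binary is refused no matter what it is called. The executables, names and paths are constructed for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for vetted executables; in practice these are the
# real binaries, hashed once when an administrator approves them.
TRUSTED_BINARIES = {
    "dms_updater.exe": b"constructed image of the approved dealer-system updater",
    "outlook.exe": b"constructed image of the approved mail client",
}
ALLOWLIST = frozenset(sha256_hex(b) for b in TRUSTED_BINARIES.values())

def may_execute(path, image, allowlist=ALLOWLIST):
    """Allow only when the content hash is known; the file name carries no weight."""
    digest = sha256_hex(image)
    if digest in allowlist:
        return True, f"{path}: allowed (hash {digest[:12]}... is on the allowlist)"
    return False, f"{path}: denied (hash {digest[:12]}... is not on the allowlist)"

def evaluate(requests, allowlist=ALLOWLIST):
    """requests: iterable of (path, image bytes) -> list of (path, allowed?)."""
    return [(path, may_execute(path, image, allowlist)[0]) for path, image in requests]

# Constructed execution requests. The second borrows a trusted file name; a
# rule keyed on name or path would pass it, a hash rule does not.
REQUESTS = [
    ("C:\\Program Files\\DMS\\dms_updater.exe", TRUSTED_BINARIES["dms_updater.exe"]),
    ("C:\\Users\\Public\\dms_updater.exe", b"constructed bytes of an unknown program"),
    ("C:\\Users\\Public\\setup.exe", b"constructed bytes of another unknown program"),
]

if __name__ == "__main__":
    for path, image in REQUESTS:
        print(may_execute(path, image)[1])
```

Because every legitimate update changes a file’s hash, production tools such as Windows AppLocker and Windows Defender Application Control usually key rules on the signing publisher as well; this example sticks to hashes so it runs offline.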

The attack also highlighted the importance of being prepared for anything. All businesses should have a Contingency Operations Plan written and validated prior to any incident or emergency. Those dealerships that had adapted their processes to run without a computer could continue to sell and service vehicles. Those that did not have a plan suffered.

The ray of sunshine in this otherwise dreary incident was that our local dealerships were unaffected by the attack. All the dealerships from Sierra Vista to Tucson escaped this disaster as they do not use the CDK service for their management.  

For CDK, one improper click cost them and their clients a billion dollars. Implementing Zero-Trust concepts and employing continuous cybersecurity training would have been a much more cost-effective solution. The problem is many companies don’t really understand that until it is too late.

The original article was published in the Sierra Vista Herald here.

How Bilbo Baggins Almost Hacked Your Email 

In the story created by J.R.R. Tolkien, “The Hobbit”, little Bilbo Baggins was just a hobbit. But he became a burglar. No one suspected that this little Shireling was capable of such great feats. Although he did have great feet. The least suspecting of all was the dragon Smaug. Smaug had a great treasure. You see, dragons love gold. It turns out they love gold even more than dwarves.

But Bilbo was not after the gold. He was after something much more precious. The Arkenstone.  With his special ring, Bilbo became the first hobbit burglar.  

The next part of the story you are about to read is true. The names have been withheld to protect the victims. 

I received a phone call recently from a client who had a concern about an email. In this case it was an email sent from their own account rather than the typical phishing email one would receive. The email was requesting an ACH wire transfer from my client. My client, I was informed, did not use ACH transfers. How could that be?  This request was coming from their legitimate email account. What happened? 

All the evidence points to a compromised email account. The burglar had created a rule in the account that moved very specific emails to a folder called RSS Feeds. This folder is almost always added by default to your Outlook client. It’s a folder almost no one uses, and even fewer users look at it. Certain emails were redirected to the RSS Feeds folder so that the legitimate user never knew the exchange was taking place. However, it was very easy for the threat actors to simply monitor this folder. As soon as a targeted message appeared, the burglars crafted a follow-on email requesting the ACH transfer. The legitimate email was simply asking if an invoice was payable, and the burglar asked for a transfer of funds to his account.

Fortunately, this story has a happy ending. Thanks to the diligence of a very astute employee, this discrepancy was caught and the theft was blocked. The resolution to this almost tragic episode was quite simple. Change the password on the email account. Make the password long and enable multi-factor authentication. Never re-use passwords. This is like putting a dragon at the gate.
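A password change locks the burglar out, but the rule he planted stays in the mailbox until someone looks for it. Here is an added example (not from the original column, and not a product’s own tool) that audits exported mailbox rules for the hiding pattern described above: mail filed into a rarely opened folder such as RSS Feeds, finance keywords in the match, forwarding to an outside address, or outright deletion. The rule records and their field names are constructed for the example and are not a vendor schema.

```python
import re

# Folders a mailbox owner rarely opens; filing mail there hides a conversation.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Subject keywords typical of the invoice/payment traffic attackers watch for.
FINANCE_TERMS = re.compile(r"\b(invoice|ach|wire|payment|remittance)\b", re.I)

# Constructed sample rules. Field names are this example's own assumption,
# shaped loosely like an exported Outlook/Exchange inbox rule, not a vendor schema.
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True, "subject_contains": ["newsletter"],
     "move_to_folder": "Promotions", "forward_to": [], "delete": False},
    {"name": "Filter", "enabled": True, "subject_contains": ["invoice", "payment"],
     "move_to_folder": "RSS Feeds", "forward_to": [], "delete": False},
    {"name": "Backup", "enabled": True, "subject_contains": [],
     "move_to_folder": None, "forward_to": ["someone@example.net"], "delete": True},
]

def audit_rule(rule, internal_domain="example.com"):
    """Return the reasons a rule looks suspicious (empty list means none)."""
    reasons = []
    if not rule.get("enabled", True):
        return reasons
    folder = (rule.get("move_to_folder") or "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{rule['move_to_folder']}'")
    if any(FINANCE_TERMS.search(s) for s in rule.get("subject_contains", [])):
        reasons.append("matches finance keywords in the subject")
    external = [a for a in rule.get("forward_to", [])
                if not a.lower().endswith("@" + internal_domain)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if rule.get("delete"):
        reasons.append("deletes the message")
    return reasons

def audit_mailbox(rules, internal_domain="example.com"):
    """Map each flagged rule's name to its reasons; clean rules are omitted."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, internal_domain)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run the same checks after every password reset and as a periodic sweep, since a rule that survived the reset is the sign the burglar is still reading along.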

Unlike Smaug, you don’t have an Arkenstone. But what you may not have thought about is your email. It is often the gateway to your gold. You must be as vigilant with it as if it were gold itself. You may want to consider having two email accounts. One account is for your entertainment, and a separate one is used to access and manage your financial accounts. And the latter? Protect that one with a dragon as if it were the Arkenstone itself.  

This article was originally published in the Sierra Vista Herald here.