Corporate Transparency Act Takes a Knock-Out Punch

The city might have appeared completely grey if not for the scattered, omnipresent flecks of color plastered over walls, over windows, on screens and billboards, and in the minds of the populace—Party-issued posters of a familiar man with a thick, bushy mustache, captioned, “BIG BROTHER IS WATCHING YOU.” George Orwell’s 1984 is, in essence, about control. The allegorical Party featured in the novel forces its followers into complete submission through surveillance and propaganda. Meanwhile, in the real world in 2024, the federal Corporate Transparency Act (CTA) has been described as Orwellian. It requires extensive disclosure of personal information about business owners, which some feel is an invasion of privacy and government overreach.

The CTA was enacted in January of 2021. It required an estimated 32 million small businesses, essentially every company not exempt as a “large operating company” (more than 20 full-time US employees, more than $5M in gross receipts, and a physical office in the US), to report beneficial ownership information to the Financial Crimes Enforcement Network (FinCEN). The deadline to report is January 1, 2025—or was, rather. But on December 3, 2024, a federal district court in Texas issued a preliminary injunction, halting enforcement of the CTA nationwide. The plaintiffs argued that the CTA compels speech and association, infringing on First Amendment protections. They also raised concerns about privacy violations under the Fourth Amendment (unreasonable search and seizure).

The presiding Judge Amos Mazzant wrote, “ . . . the government is unable to provide the court with any tenable theory that the CTA falls within Congress’s power. And even in the face of the deference that the court must give Congress, the CTA appears likely unconstitutional.” He added that corporate regulation has typically fallen under the states’ jurisdiction. 

At the time of the injunction, just over 8 million of the 32 million businesses had reported to FinCEN. Had the CTA not been put on hold, the remaining businesses would soon have been subject to civil penalties of up to $500 per day. The injunction is therefore critical to the livelihood of small businesses. The federal government has already appealed the case to the US Court of Appeals for the Fifth Circuit.

With the new administration beginning in January, it’s unclear what further steps may be taken to limit or halt enforcement of the CTA. Working jointly with Congress, the administration could revisit the actual contents of the law, amending transparency expectations or enforcement policies. They could deprioritize the funding of resources for enforcement. They might even manage to repeal the law altogether. 

If a chief goal of the CTA is, as FinCEN claims, to uncover money laundering schemes, the fact that one criterion for exemption is more than $5M in gross receipts on the prior year’s federal tax return (together with more than 20 full-time employees and a physical US office) seems odd. Any money-laundering company would need way more than $5M in revenue to conceal its crimes. Banks with revenue in the billions have been fined for money laundering in the past. In 2012, for instance, HSBC was fined $1.9B for laundering money for drug cartels and countries under sanctions. Later, in 2018, Danske Bank was involved in a $230B money laundering scandal. And in 2020, Deutsche Bank was fined $150M for involvement in laundering activities related to Jeffrey Epstein.

And it isn’t just banks. In my research, I still haven’t found one conviction for a business with less than $5M in revenue. The Unitech Group, a real estate firm with $36M in revenue, allegedly started and managed over 52 shell companies to launder money. The Los Zetas drug cartel, with revenues of over $13B, used an Oklahoma horse ranch and numerous shell companies to conceal and transfer millions of dollars of drug money to Mexico. Other common businesses involved in money laundering include nightclubs and art dealers, again, with revenues well over $5M.

You would think, then, that such businesses would be the focus of any transparency act designed to prevent money laundering. Why does there need to be another huge database containing private information, when neither government nor industry has proven able to guard such data safely? (Think back to 2024 and the National Public Data breach, in which a background-check data broker exposed an estimated 2.9 billion records, many of them containing Social Security numbers.)

Was Judge Mazzant correct to describe the law as quasi-Orwellian? Is Big Brother trying to track the small business owner, infringing on his First and Fourth Amendment rights? 

Original article published in the Sierra Vista Herald here.

A Whirlwind of Trouble as Salt Typhoon Hacks Cellular Wiretap Infrastructure 

The morning of December 4, 2024 was a cold one, with a high temperature of 46 degrees—the sort of weather people generally prefer to observe from the comfort of their heated homes. But US senators had just received news about a cyberattack of unprecedented scope, so instead they gathered in Washington, D.C. for a classified briefing. The attackers were a highly skilled group known as Salt Typhoon. As I write this article, their attack is still going on. In fact, if you use a phone, it’s likely affecting you right now. 

Way back in October 2024, the Wall Street Journal first reported the attack. They suggested a link between Salt Typhoon and the Chinese government. Of course, you might be thinking. It’s always that. This time, though, the motives behind the operation are more mysterious. 

You really only need to worry about this if you have a phone—specifically, a phone with a Verizon, AT&T, or T-Mobile plan. Those seem to be the provider networks infiltrated by Salt Typhoon. I say “seem” because reports have been inconsistent. T-Mobile claims they’ve seen no evidence of malicious presence in their infrastructure. Verizon, on the other hand, admits a command-and-control (C2) presence. But all the providers mentioned above participated in the briefing on December 4. If nothing else, this demonstrates their mutual concern.  

The question is, what specific data has Salt Typhoon accessed? And how could it affect you? The participating service providers say the attack only affected the infrastructure used to wiretap specific targets. That infrastructure is not optional: under the Communications Assistance for Law Enforcement Act (CALEA), carriers must build their networks so that court-authorized wiretaps can be carried out on demand. We don’t know the extent to which these providers have been logging information through it. And whatever that extent is, Salt Typhoon has access to it as well. The legal limits on that system (Section 702 of the Foreign Intelligence Surveillance Act does not allow the FBI to target US persons, and domestic wiretaps require a court order) bind the FBI, not an intruder. If the infrastructure to tap is in place, and can be turned on for anyone a court allows the FBI to surveil, an attacker who controls that infrastructure can turn it on for anyone at all. Meaning anyone could be a potential target.

Regardless of your paranoia level, there is something you can (and probably should) do: namely, follow the counsel of Jeff Greene, the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). “Our suggestion, what we have told folks internally, is not new here,” he says. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”

What your Cochise County Cyber Guys recommend is an app called Signal. You can get it on either iPhone or Android, and once you do, you can install the companion app on your Windows PC, Mac or Linux machine. With Signal, you can send and receive encrypted files, text chats, and individual and group calls. You can even hold Zoom-style meetings with screen sharing. All of this is end-to-end encrypted: the message is scrambled on your phone and only unscrambled on the recipient’s, so nothing in between, including the carrier’s wiretap equipment, ever sees the content. That means even Salt Typhoon (and the FBI) can’t read what you’re saying. Two caveats. Both people in the conversation need to be on Signal; a chat that falls back to ordinary SMS gets none of this protection. And encryption protects the content, not the fact of the conversation: who you talked to, when, and for how long can still be observed by whoever controls the network.
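To make Greene’s point concrete, here is an added example that is not from the column or from Signal. It simulates a message travelling through a carrier with an intercept port, first as a plain SMS and then encrypted end to end. The cipher is a deliberately simple encrypt-then-MAC construction built from the standard library’s HMAC-SHA256, standing in for the real Signal Protocol (which is far more involved); the phone numbers, the message and the shared key are constructed sample data.

```python
"""Why end-to-end encryption defeats a tap on the carrier path.

Added example, not part of the column. The cipher is a toy encrypt-then-MAC
construction (HMAC-SHA256 as a keystream generator plus an HMAC-SHA256 tag)
standing in for the real Signal Protocol; the phone numbers and message are
constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    recipient: str
    body: bytes  # what the carrier actually carries: plaintext SMS or ciphertext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: PRF(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def e2e_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (toy construction)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def e2e_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def carrier_tap(msg: Message) -> dict:
    """What a lawful-intercept port (or whoever controls it) sees for one message."""
    return {"from": msg.sender, "to": msg.recipient, "length": len(msg.body), "content": msg.body}


def demo() -> dict:
    """Send the same text as SMS and as an end-to-end encrypted message; compare the tap."""
    key = os.urandom(32)  # stands in for the key the two phones agree on; never leaves them
    plaintext = b"Meet at the courthouse at 9"
    sms = Message("+15205550100", "+15205550199", plaintext)
    e2e = Message("+15205550100", "+15205550199", e2e_encrypt(key, plaintext))
    tap_sms, tap_e2e = carrier_tap(sms), carrier_tap(e2e)
    return {
        "sms_readable_at_tap": tap_sms["content"] == plaintext,
        "e2e_readable_at_tap": plaintext in tap_e2e["content"],
        "metadata_still_visible": tap_e2e["from"] == sms.sender and tap_e2e["to"] == sms.recipient,
        "recipient_can_read": e2e_decrypt(key, e2e.body) == plaintext,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the output shows that the advice above glosses over: the intercept point still sees who messaged whom, when and how much (the metadata), and the recipient can read the message only because the key lives on the two phones and nowhere in the carrier’s network. A phone that is itself compromised shows the attacker the message before it is ever encrypted, which is why the encryption advice and the keep-your-device-clean advice go together.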

Having said all this, we don’t condone illegal activity. We just think you have a constitutional right to privacy. Everyone does. 

This article was originally published in the Sierra Vista Herald here.

Lessons Learned from the CISA Red Team Hack 

Dmitri’s fingers flew over the keyboard as he searched for an access window to the network at Metropolitan Utilities: the biggest electricity service provider in the tri-state area. Using a password he’d retrieved from the dark web, he connected to an employee computer, then moved silently through the network, scanning for a computer with better privileges. Through this, he hoped to access the systems controlling the power grid. He called over his shoulder, “Natalya, mne nuzhno nebol’shaya pomosch’. Would you build me a fake login webpage that matches theirs? If I send it to all the company’s staff, I might trick an administrator into handing over their username and password.”  

His partner nodded and emailed a link to the entire IT department under the pretext that there was a failed login attempt that needed investigating. Jason, a junior-level administrator, took the bait. What followed was a chain of events culminating in the effective barring of all administrators from the power grid. 

 “Bingo,” said Dmitri under his breath.  

And at this point the exercise concluded. “Krasnaya komanda! Krasnaya komanda!” (red team) laughed Natalya as Dmitri contacted the blue team, a.k.a. the IT and cybersecurity department of Metropolitan Utilities.

Here is your problem . . . 

Three weeks before, the department had contracted Dmitri and Natalya’s cyber company to run a red team test on the network. Red teaming is a simulated cyberattack conducted by a group of ethical “white-hat” hackers. They use real-world techniques to breach an organization, both to find the weaknesses that let them in and to test whether the organization can detect and respond to an actual threat. In this case, the red team’s victory was the result of several basic security mistakes.

The US government has classified electrical, natural gas, water distribution and several other industries as “critical infrastructure”: infrastructure vital to the survival of the nation. Attacks on such industries can be particularly damaging. Recently, the United States Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment resembling the fictitious example above at the request of a real-world critical infrastructure organization. No details about this organization were disclosed except the type of infrastructure: a utility company.

The red team was able to breeze through the company computers at blinding speed. During the simulated attack, the organization did actually discover the presence of the red team, but it lacked the essential layers of protection, what we call “Defense in Depth,” that would have allowed for a prompter response. Instead, it relied on antivirus software on each computer, which has no view of the network traffic the red team generated as it moved from machine to machine. Furthermore, staff lacked appropriate network-protection training. Such training should be provided to each employee in small, frequent bites. The company had previously contracted third-party providers for red team exercises, and its leaders had been made aware of these vulnerabilities. But they miscalculated both the likelihood that those weaknesses would be used against them and the impact if they were, and fixing them was deprioritized. Nothing had been done.

CISA had several key recommendations, which included regular software updates and the removal of unneeded software and accounts, as well as the use of multi-factor authentication (MFA) and segmented networks. MFA just means requiring more than a password for login. Authenticator apps like Duo and Microsoft Authenticator are designed for this, but there are simpler and less secure methods, for instance receiving a text or email code. Better still are phishing-resistant methods such as hardware security keys and passkeys, because a fake login page like Natalya’s cannot relay them: the key only answers to the real site’s name. Segmented networks are also fairly self-explanatory. Consider the way a house is partitioned with walls. A network engineer can do the same to your network using firewalls, switches and routers, or through software installed on each computer (which is how your Cochise County Cyber Guys do it).

Lastly, CISA recommended a shift from legacy system and network architecture to a modern Zero-Trust architecture. Zero-Trust, in the context of computers and networks, is something akin to home security. Doors are locked by default, only close friends and family are allowed in, and everyone has to show who they are at each door, every time, whether they are arriving from outside or already in the house. This is called “Deny by Default, Allow by Exception.”

If you’re a business owner and want to understand how to implement Zero-Trust in your organization, contact the Cyber Guys below. The threat is real, and it is growing. Fortunately, it is also preventable. In the case of Metropolitan Utilities, its first “attackers” had no malicious intent. Provided the blue team heeds Dmitri’s advice, they’ll be prepared in the event that a true black-hat team tries to take down the grid. Are our local utility companies up for the challenge? 

Bike welds, spray paint, and cybersecurity 

On the corner of Fort Lane and Gentile Street, beside an aging strip mall with a drugstore, a five-and-dime and a Safeway, was an empty lot—empty except for the yellow, knee-high grass typical of August summers in my hometown. The whole field smelled drier than a canvas sack of wheat; some days the heat of the sun by itself was enough to burn it up. And there, along the trail, my old Huffster soared, leaning and squeaking all the way, with dust flying from its deflated tires. 

My best friend Tracy and I had been stress-testing our pedal bikes. His was a sparkling red Schwinn with a white stripe down the side, chrome fenders and all; mine was a weary old street bike Santa had picked up at the five-and-dime. It had started as a blue-and-yellow Huffy road bike with a banana seat, and in 1984, vintage road bikes weren’t super cool. BMX bikes were cool. So my 1977 Huffy had been rattle-can painted flat white. It now sported an orange saddle seat from my brother’s discarded ten-speed. The tires were balding and weather cracked, not BMX dirt-track style—road style. It was a Franken-bike. And it had spent way too many frigid winters leaning against the side of our trailer house. 

The one thing my Franken-Huffy had going for it was its weight: not a lot of steel in my steed. It was a feather. (The Schwinn, in contrast, was a steel tank. It rode like a tank, and it jumped like . . . well, a tank. In that, and only that, Tracy was jealous of the Huffster.) But here amid the tall, drooping grass and stifling August air, the glory days of my cracked-tire, rattle-can abomination came to a sudden end.

Midway through the final jump of its dwindling life, the Huffster came unglued—not literally, but almost. The welds holding both tubes to the gooseneck released their grip, weakened by the cumulative stress of too many jumps and too much extreme weather. I landed on my feet in the dust, kicking up a cloud, which settled at last over the faded, white frame. Then I turned. The rusty handlebars, forks and front tire looked as they always had; the sad remains of the powertrain had collapsed. 

In 1984, the Huffster died. But the Internet was just emerging from its digital nursery. What Tracy and I could not have known then as we strolled sullenly from the yellow field (making a quick stop by the drugstore for a cold Coke) was just how the Internet would affect our world forty years later. Its users have been conditioned to think of computer and network security as the product of intentional design. Truth is, security’s an afterthought. It quite literally is not a requirement. The protections you think are baked into your shiny new laptop have actually been cobbled together and hastily bolted on, much like the structures of the Huffster. And the comfy reassurances and guarantees from its makers are little more than a superficial, flat-white veneer.

We advocate not just for a single coat of illusory security paint, but for many solid layers, as well as a healthy dose of foundational stability. It’s called Defense in Depth. It means you have several layers of protection. And maybe more importantly, you use a dedicated security company like Cybereye in addition to your regular IT company. 

Several of our stalwart readers here in Cochise County have informed us that the knowledge they’ve received through this column has helped them to avoid being scammed. I can’t tell you how thrilled I am about that. We are very grateful to the Sierra Vista Herald for allowing us space to rant about cyber crime. You, our beloved readers, can help us. If you’ve found valuable information here, tell your friends to get the paper so they can benefit, too. (Quality cyber training rarely comes at such a low expense, after all.) Help us reach out to local businesses. The Cyber Guys have a cybersecurity consulting business (also insanely affordable) based in Cochise County. Essentially, we provide preventative treatment for the cancer of ransomware, as well as other kinds of malicious ware. But we need your help spreading the word.

Computer security is what holds our digital world together . . . until it doesn’t. But my poor Huffster with its ruined tires and unsteady, cobbled structure had little more than a film of white paint for reinforcement, and even knowing this, I abused it without a second thought. Don’t fall into that same trap. 

This Midnight Blizzard brings an avalanche of trouble 

The wind howled; the snow swirled. It had been like this all day. (Why had Karen left Phoenix again? … Never mind.) She knew she should have been home hours ago. Now it was well after dark, approaching midnight, and the streets hadn’t been plowed. Driving home would be dangerous. She sighed. More from habit than necessity, she opened the door to the car, sat, reached for her phone, and checked her email. 

“What? Again?”  

Karen was sick of receiving these cybersecurity training reminders from IT. They were obviously unaware that she had an important and fast-approaching deadline. If she missed it, she would lose her biggest account and Christmas bonus. Her children were counting on this bonus. They had planned a cruise during spring break. She didn’t have time to waste. 

On closer inspection, though, the email had nothing to do with training this time. Channeling all the security knowledge she had previously acquired through IT, Karen checked the sender address. 

“It’s good. It actually is from IT. It’s just for verification of my username and password. This one should be quick,” she thought. 

Oh no. Karen’s about to be the victim of a classic phishing-email-sender-verification oversight. And I’ll bet you’re thinking, “Tom, she checked the sender. She verified it really was from IT.” Yep. Most of our readers will notice from the start that Karen was astute. But it’s midnight. She’s tired and cupcake-drunk (ask me later), and she’s pushing up against a terrifying deadline. So, she did the only thing her amygdala would allow her to do: find the shortest path to safety. 

In this case, “safety” meant getting the annoying email out of the way so she could finish her report before the deadline. What she missed was context. IT never asks a user to verify credentials in response to an email. Actually, she was instructed during on-boarding never to respond to an email requesting credential verification. The sender address was spoofed—a.k.a., faked. Yes, that’s a thing. The From line in an email is just text the sender fills in; unless the receiving mail system enforces the SPF, DKIM and DMARC checks that tie a message to the domain it claims to come from, nothing stops an attacker from putting your IT department’s address there.

The attack we’re scrutinizing this week is currently in use by a Russian state-sponsored group that Microsoft calls “Midnight Blizzard” (for real; it is also known as APT29). The attack goes like this: thousands of emails are sent to users at various target companies. Attached to these emails is a file with “.rdp” at the end of the name. That is a Remote Desktop connection file, and opening it makes your computer connect out to a server on the internet controlled by Midnight Blizzard. The file is written so that your local drives, clipboard, printers and smart cards are shared into that remote session, which hands the attacker your files and credentials without any malware ever being installed.
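The attachment in that campaign is an ordinary Remote Desktop connection file: a text file of `name:type:value` lines that Windows opens with mstsc.exe. Here is an added example, not from the column or from Microsoft’s reporting, of a small script that flags the settings that make such a file dangerous: a connection to a host outside your own environment combined with redirection of local drives, clipboard, printers, smart cards and WebAuthn devices into the remote session. The property names are standard .rdp settings; the allowed-host list and the two sample files are constructed for illustration.

```python
"""Flag Remote Desktop (.rdp) connection files of the kind used in the Midnight Blizzard lure.

Added example, not part of the column or of Microsoft's reporting. The
property names are standard .rdp file settings; ALLOWED_HOSTS and the two
sample files are constructed for illustration.
"""
import re
from pathlib import Path

# Hosts a legitimate corporate .rdp file may point at (assumption for the example).
ALLOWED_HOSTS = {"rdgw.corp.example.com", "ts01.corp.example.com"}

# Settings that hand the remote server access to the local machine's resources.
# Each value is a predicate on the setting's string value.
DANGEROUS_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",   # "*" or a drive list maps local disks
    "devicestoredirect": lambda v: v.strip() != "",  # USB and other plug-and-play devices
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "redirectwebauthn": lambda v: v == "1",          # lets the remote side use your passkeys
    "remoteapplicationmode": lambda v: v == "1",     # RemoteApp hides that it is a full session
}

LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text: str) -> dict:
    """Parse the `name:type:value` lines of an .rdp file; lines that do not match are ignored."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            settings[m.group("name").lower()] = m.group("value")
    return settings


def analyze_rdp(text: str) -> list:
    """Return a list of findings for one .rdp file; an empty list means nothing suspicious."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0].lower()   # strip an optional :port
    if not host:
        findings.append("no 'full address': file is malformed or hiding its target")
    elif host not in ALLOWED_HOSTS:
        findings.append(f"connects to unapproved host {host!r}")
    for name, is_bad in DANGEROUS_SETTINGS.items():
        if name in s and is_bad(s[name]):
            findings.append(f"{name} = {s[name]!r}")
    return findings


def scan_directory(path: str) -> dict:
    """Map every .rdp file under `path` (for example a mail quarantine folder) to its findings."""
    return {str(p): analyze_rdp(p.read_text(errors="replace")) for p in Path(path).rglob("*.rdp")}


# Constructed sample resembling the lure: outbound to an attacker host with everything redirected.
SAMPLE_LURE = """\
full address:s:rdp.cloud-support-login.example:3389
prompt for credentials:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Reports
"""

# Constructed sample of a benign file an IT department might actually hand out.
SAMPLE_BENIGN = """\
full address:s:rdgw.corp.example.com
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for finding in analyze_rdp(SAMPLE_LURE):
        print("LURE:", finding)
    print("benign findings:", analyze_rdp(SAMPLE_BENIGN))
```

Run it over a mail quarantine folder with `scan_directory`, or, better, block .rdp attachments at the mail gateway outright, since few users have a legitimate reason to receive one by email. The script is a filter, not a verdict: a lure pointing at a plausible-looking hostname is caught only by its redirection settings, so the drive, clipboard and smart card findings are the ones to weight.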

Always remember, whether it’s the IT department asking for password verification, the IRS notifying you of an audit, or a Nigerian prince asking for a loan, the rule is the same: never respond to any communication asking you to verify anything. Never trust any information you receive in an email, phone call, or text. When in doubt, hang up the call, close the email or text, and make contact using a phone number you know is good. 

Even if Karen had chosen to remain in Phoenix, it would have served her to be wary of a blizzard. And it will serve you, too, whether in the blistering heat storms of Arizona or far beyond. 

Darkness Rising 

In the darkness the stranger dragged Frodo’s little frame banging each creaky stair along the way. After ducking through the narrow doorway he deposited his charge onto a scratchy straw mattress. “Are you afraid?” was the first thing the sweaty stranger uttered as his heavy boots thundered across the worn planks. His heart pounding in his throat, the only words Frodo could squeak out were, “A little”. As the looming figure swept hastily through the dank air dousing each candle with his filthy fingers, he scolded Frodo, “Not frightened enough! I know what hunts you.” 

The hunters from the Tolkien world of Middle Earth may have once been fiction. Then and there, it was a world of sinister forces bent on destroying most, and dominating the rest. Driven by a delusional Dark Lord, the seeping despair of Mordor seemed inevitable. Here and now, the veneer of fiction is worn precariously thin. Like butter scraped across too much bread. Sinister, dominating, and delusional forces are wreaking actual havoc. Frodo timidly lurks inside each of us as we naively peer through the computer monitor into the depths of Mordor itself.  

Before anyone in Middle Earth feared the rise of the Dark Lord Sauron, there was a shadow in the east. But too many were too busy being normal in the light to fear the abnormal darkness they couldn’t see. Like the people of Middle Earth, there is a darkness looming. Lurking. Creeping. No, Mordor is not the Dark Web. Mordor isn’t even distant. Mordor isn’t rising. It has risen. It is here. Mordor is your email. Or your favorite website. Mordor is a text message, or even a phone call from your son or daughter.  

You see, back in the 1900s when the internet was born, security wasn’t an afterthought. Nor was it a forethought. In the 1900’s when the internet was shiny like a new penny, when people planted gardens and helped a stranger. Work was where you went. And home was where work didn’t dare go.  

Now the new millennium has dawned. Work has invaded home. People don’t help strangers, or plant gardens. The internet has a patina. Or a mold. Or a fungus. Or a crust. And internet security is still mostly unthought. It’s sad that the millennial dawn did not bring the hope, or relief as promised. Dawn brought chaos. The Internet brought chaos.  

Since the internet was raised without rules or boundaries, like the Dark Lord Sauron, it is we who must change if we hope to defeat it. Our insistence that we can continue to do things the same way day after day is like carelessly giving a lift to a hitchhiker. Maybe it’s like thinking there will always be toilet paper at the store. Or that store-bought tomatoes are as good as those you used to grow in the back yard.  

At the end of Frodo’s story, the darkness of Mordor actually arrived at the shire. In the story of your world, you can’t really see the darkness. But the darkness can see you. In Frodo’s world, the antagonist was the aggressor. It’s usually the aggressor who has the upper hand. Oh, Frodo eventually won. But because he started too late there was a lot of pain between his home under the hill, the Mount called Doom, and back again. 

The Destruction of Tyre and the Security of Cloud Applications 

The island city of Tyre was a beautiful, powerful, and strategic Phoenician trading city in the eastern Mediterranean Sea. Its defenses were so great that it survived a 13-year siege by the great Babylonian conqueror Nebuchadnezzar II, beginning in 586 BC. The people were proud of how impenetrable they were. That’s why, when Alexander the Great came along in 332 BC, they did not negotiate with him. So Alexander’s army razed Old Tyre, which stood on the mainland next to the great island city. The army used the rubble of Old Tyre to build a causeway out to the island, laid siege to the city for seven months, and then utterly destroyed the city and its people.

That story comes to mind when I hear businesses say they don’t need cybersecurity protection because their data is in the cloud.  It is safe and sound and no one can hack it because it is not on site.  It’s hiding in the cloud.  Here are three reasons why they are wrong: Keyloggers, Stealers, and RATs.  

A keylogger is malware designed to record the keystrokes made on a computer or mobile device. A keylogger captures everything you type, including emails, passwords, messages, and search queries. This information is then sent to a third party.    

On a typical morning for a cloud-centric business, an employee starts work by opening email. On an infected system, the keylogger has captured the password to that business email, so the attacker can read it or use the account for financial gain. If your multi-factor authentication codes arrive by email, the attacker now has those too. Next the employee logs into the business apps that are in the cloud. This could be a healthcare system, a logistics system, or a financial system, whatever makes that business move forward. Perhaps an administrator pays an invoice, typing in bank account information or the username and password for the bank. Maybe they use a credit card to pay the invoice instead. That’s right! All that information is now in the hands of the hacker thanks to the keylogger.

Stealer malware, or infostealer malware, targets user credentials, browser data, cryptocurrency wallets, and any other personal data on your device. Not only can it take the usernames and passwords saved in your browser, but it can also steal saved login sessions (the cookies that keep you signed in, which let an attacker skip the password and the MFA prompt entirely) and the credentials of certain applications and accounts that do not run in the browser. Some stealers have been able to reach crypto wallets such as Phantom, Binance, Coinbase, and more. Stealers gather similar information to keyloggers, but they don’t have to wait for anyone to log in and start typing. They search your device for the information that is already there.

A Remote Access Trojan (RAT) is a type of malware that gives an attacker remote control over an infected computer or device. It provides a command channel into the machine: run programs, browse and copy files, capture the screen or keystrokes. Sometimes the attackers steal data. Other times they install additional malware or spyware. They can reconfigure your local firewall or shut down other security measures. RATs are commonly delivered through phishing emails carrying a PDF or Office document as an attachment; the document contains a link or script that fetches the RAT’s executable and runs it.

What can you do about all this, you ask? First of all, do not fall for phishing and social engineering via email or text. Do not click on a link from a sender you don’t know. Secondly, make sure you have set up multi-factor authentication everywhere possible, especially anything dealing with money, but also social media, email, and business applications. Keeping your anti-virus up to date is a start, but that doesn’t stop zero-day or brand-new malware. Monitor your accounts. If you run a business, you should have endpoint detection and response (EDR) installed on all your computers. This is software on each computer that watches what programs actually do (what they write, launch and connect to), blocks behaviour that matches known attack patterns, and records the rest so an analyst can investigate. Talk to your local Cyber Guys for details.

Just because all your applications and systems are in the cloud doesn’t make you bulletproof.  Don’t be like Tyre and find out too late that Alexander is building a land bridge in the front yard.   

Hidden Vulnerabilities: Why Cybercriminals Target Small Town Businesses 

Week after week, we write about the latest breach or how hackers use social engineering to get into corporate and government systems, but as you read this in Cochise County you think these types of things only happen to big corporations in big cities.  You may think: “My small business is not worth the hackers’ efforts.”  I’ve got news for you; your small or medium-size business is worth their effort.  Why?  Because some businesses make it so easy for them. As we do forensic investigations locally in Cochise County, we have met some of the victims.  Sometimes healthcare providers post a banner on their web pages discussing their breach and compromised data. 

One of the most common ways hackers get unauthorized access to local business systems is to scan for open ports on public-facing servers. A port is simply a door into your network. The port in particular that they love is the one used for remote access: TCP port 3389, Microsoft’s Remote Desktop Protocol. Think of this port as the magic wardrobe the children found to enter Narnia. During COVID, when many switched from working at the office to working at home, the local IT guru opened that famous port so that users could remote into their server or desktop using Microsoft Remote Desktop. It was a great solution because it is easy, and it works. Unfortunately for many, it is not at all secure when exposed directly to the internet, and it is a favorite target for our worldwide hackers.

It’s possible to scan the entire internet in hours. In 2019, a researcher named Robert Graham scanned the entire IPv4 address space for the remote desktop port and found around 3 million exposed servers. That’s exactly what the bad actors do. Once they find the open port, the first tactic they try is to determine the type of server and use the default usernames and passwords from the manufacturer. Many people never remove or reset these. Next, hackers attempt password-guessing techniques. Some are sophisticated, like credential stuffing, where attackers take username and password pairs leaked from other companies’ breaches (sold or traded on the dark web) and try them against your server, betting that people reuse passwords. Another technique is a dictionary attack, where common usernames and passwords are tried automatically; a variant called password spraying tries one common password against many accounts to avoid tripping lockouts. We see this occur locally: the port is opened for maintenance and within an hour there are failed login attempts from North Korea, China, Russia, and Iran. It really happens here in Cochise County.
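Those failed logins leave a trail. Every rejected attempt against an exposed Remote Desktop port lands in the Windows Security log as event 4625 with the source address, and a few lines of code can turn that log into an alert. Here is an added example, not from the column, that reads a flattened export of such events and separates a brute-force attack (many attempts from one address) from password spraying (one address trying many usernames). The log lines, the thresholds and the list of trusted internal networks are constructed assumptions; a real Windows export carries more fields and would need its own parser.

```python
"""Spot RDP brute-force and password-spray attempts in failed-logon records.

Added example, not from the column. The input lines are constructed to look
like a flattened export of Windows Security event 4625 (failed logon):
timestamp, event id, target user, source IP. Thresholds and TRUSTED_NETS are
assumptions for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5    # failures from one source inside WINDOW
SPRAY_THRESHOLD = 3   # distinct usernames from one source inside WINDOW

# Constructed sample: one brute-force source, one spraying source, one ordinary typo.
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-11-12T03:14:07Z 4625 administrator 203.0.113.45
2024-11-12T03:14:09Z 4625 administrator 203.0.113.45
2024-11-12T03:14:12Z 4625 administrator 203.0.113.45
2024-11-12T03:14:15Z 4625 administrator 203.0.113.45
2024-11-12T03:14:18Z 4625 administrator 203.0.113.45
2024-11-12T03:14:21Z 4625 administrator 203.0.113.45
2024-11-12T03:20:01Z 4625 jsmith 198.51.100.7
2024-11-12T03:20:03Z 4625 mlopez 198.51.100.7
2024-11-12T03:20:05Z 4625 rchen 198.51.100.7
2024-11-12T03:20:07Z 4625 admin 198.51.100.7
2024-11-12T03:25:00Z 4625 jsmith 192.168.1.44
2024-11-12T03:25:30Z 4624 jsmith 192.168.1.44
2024-11-12T09:25:30Z 4625 jsmith 192.168.1.44
"""


def parse(lines: str):
    """Yield (time, event_id, user, ip) tuples; lines that do not parse are skipped."""
    for raw in lines.splitlines():
        parts = raw.split()
        if len(parts) != 4:
            continue
        ts, event_id, user, ip = parts
        try:
            yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id,
                   user.lower(), ipaddress.ip_address(ip))
        except ValueError:
            continue


def is_trusted(ip) -> bool:
    """True if the source sits on one of our own networks."""
    return any(ip in net for net in TRUSTED_NETS)


def detect(lines: str) -> dict:
    """Return {source_ip: [reasons]} for every source whose failures look like an attack."""
    failures = defaultdict(list)  # ip -> [(time, user)]
    for t, event_id, user, ip in parse(lines):
        if event_id == "4625":
            failures[ip].append((t, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        reasons = []
        start = 0
        for end in range(len(events)):          # sliding window over this source's failures
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            if len(window) >= FAIL_THRESHOLD and "brute force" not in reasons:
                reasons.append("brute force")
            if len({u for _, u in window}) >= SPRAY_THRESHOLD and "password spray" not in reasons:
                reasons.append("password spray")
        if reasons:
            if not is_trusted(ip):
                reasons.append("untrusted source network")
            alerts[str(ip)] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

Whatever thresholds you pick, the durable fix is to close the door: put Remote Desktop behind a VPN or a Remote Desktop Gateway with multi-factor authentication, and turn on account lockout so the sixth guess fails no matter how good the attacker’s password list is. The spray detector matters because lockout alone does not catch it; one guess per account per hour never trips a five-strikes rule.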

Many business owners believe they are safe from cyber-attacks because their IT person assured them they have the best firewall the world has ever seen, along with the latest and greatest anti-virus. This is a good start, but the bad news is that unless you block internet and email traffic on the firewall, it won’t stop phishing emails. And your anti-virus won’t stop brand-new malware. According to Verizon’s 2023 Data Breach Investigations Report, roughly three quarters of breaches involve a human element, most often phishing or stolen credentials. Much of the rest involves malware picked up while browsing the internet.

Some business owners might say they are safe and don’t need cyber security because their software is cloud-based. In that case, what happens when an employee installs a keylogger from a link in their email? The hacker now has the passwords to all that cloud data, and if the employee had administrative privileges, the hacker has total control.

If a breach or ransomware attack could shut down your business for more than a day, or if a breach would make you liable to your clients, your business needs solid cybersecurity. We recommend a defense-in-depth strategy with multiple layers of defense. Start with the basics of an up-to-date firewall and anti-virus, then add endpoint detection and response (EDR) that stops malware from executing, then add monitoring and user training. Follow that up with solid security policies.

Don’t be an easy target.  Harden your business with a defense-in-depth strategy to thrive in the digital world.  Get a cyber risk assessment done to make sure that you are not low hanging fruit for the lazy hacker. 

Even the Experts Can Be Fooled

When even experts in social engineering can be fooled, it is important to ensure a defense in depth strategy for your business’ information security.  KnowBe4, one of the country’s largest providers of cybersecurity and social engineering training, got fooled by a North Korean IT worker intent upon loading their network with malware. 

KnowBe4 had a job opening. They were looking for someone for their internal Artificial Intelligence (AI) team.  What they received instead was a valuable training lesson in advanced social engineering. They were fooled. But unlike many companies, they disclosed the failure. Their experience might save others from a similar fate. 

Fortunately, they caught the imposter early enough so there was no breach or illegal access to the company’s systems.  They stopped him before he could do any damage.  Here is how it happened, how they stopped it, and some lessons learned. 

The human resources team did their jobs.  Background checks came back clean because the imposter was using a valid but stolen US-based identity.  They conducted four video conference-based interviews validating that the person matched the photo on the application.  The imposter had taken a stock photo and used AI to merge his features onto it.  HR even verified his references.

Once hired, the imposter asked to have his laptop sent to a farm.  Not the kind you’re thinking of.  It was “an IT mule laptop farm.”  A laptop farm is essentially an office filled with laptops and computers that hackers use; they connect to the machines remotely from North Korea.  It was a good thing KnowBe4 restricted new employee access and didn’t allow access to the production systems.

Once the imposter had been successfully hired and his laptop had been delivered, it was time for him to embed his malware onto the company network.  He downloaded and attempted to execute malware.  He then used some technical trickery to cover his tracks. 

The good news is that the company security operations center (SOC) was alerted to potentially dangerous behavior and called the imposter.  The imposter claimed criminals must have compromised his router.  The SOC team quickly isolated his computer from the rest of the network, preventing his access to valuable systems and data.  The imposter went unresponsive once he figured out that he had been caught.

Here are some lessons learned.  When a company uses remote workers with remote computers, the company should have a way to scan the device to ensure there are no other connections to it.  When hiring workers, don’t rely simply on email references.  Do not ship laptops to locations that don’t match the applicant’s address.  Make sure applicants are not using Voice over IP (VoIP) phone numbers.  Lastly, watch for discrepancies in address and date of birth.

Despite all the process failures, KnowBe4 did not suffer a breach.  They understood defense in depth.  They had multiple lines of defense in case one (the employee screening process) was breached.  All their laptops had endpoint detection and response (EDR) software loaded, and they had a SOC watching over their network.  The EDR stopped the malware from executing and alerted the SOC.  The SOC team isolated the computer right away and escalated the issue.

When it comes to protecting your business, you cannot rely on minimal protections.  Firewalls and anti-virus are useful, but they do not stop a hacker from entering through your email or your browser.  Technology like EDR and a SOC may save the day, but it must be backed up with tried-and-true policies and training.  Although KnowBe4 is an expert in social engineering, they got scammed due to lax hiring policies.  They have since updated their hiring policies.  Remember, a fool may learn from his own mistakes, but a wise man learns from the mistakes of others.  Be the wise man.

Cyber-attacks on voting infrastructure. Is there a backup plan?

Imagine if, during this upcoming election in November, no results were available until days after the election.  On July 31st the Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Federal Bureau of Investigation (FBI), released a public service announcement stating that there is potential for a Distributed Denial of Service (DDoS) attack on election infrastructure and on the adjacent infrastructure that supports election operations.

To better understand the situation, here is some background information. CISA was established in November 2018 to enhance the security, resilience, and reliability of the nation’s critical infrastructure. CISA is at the heart of mobilizing a collective defense to understand and manage risk to our critical infrastructure and associated National Critical Functions. Basically, CISA is charged with protecting US cyberspace as well as the nation’s critical infrastructure such as power, water, and even our elections.

A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic.  Hackers do this by using many compromised computer systems as the sources of the attack traffic.  It is like a mob of people rushing into a store to block legitimate customers from shopping.  Imagine tens of thousands of computers that have been loaded with malware without their users’ knowledge.  Now imagine all those computers running a program at the same time, making continuous requests against the election infrastructure’s websites and services.
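One way to turn the pattern just described into detection logic, as an added example that is not from the original column: it groups web-server access-log requests into one-minute windows and flags windows where the request count spikes and the traffic comes from many distinct addresses (the distributed signature), as opposed to one abusive client.  The log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (simplified Common Log Format): two ordinary requests in the
# 08:00 minute, then 120 distinct sources hammering /results during 08:01.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2024:08:00:05] "GET /results HTTP/1.1" 200',
    '192.0.2.11 - - [05/Nov/2024:08:00:40] "GET /results HTTP/1.1" 200',
] + [
    f'198.51.100.{i} - - [05/Nov/2024:08:01:{i % 60:02d}] "GET /results HTTP/1.1" 503'
    for i in range(1, 121)
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})')
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (source_ip, seconds_since_epoch, status) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
    return m.group(1), int((ts - EPOCH).total_seconds()), int(m.group(3))


def flag_flood_windows(lines, window=60, rate_threshold=100, min_sources=50):
    """Bucket requests into fixed windows and flag any window whose request count
    exceeds rate_threshold.  Floods from at least min_sources distinct addresses
    are "distributed" (the botnet pattern); fewer means "single-source".
    Thresholds are placeholders: tune them to the site's normal baseline."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set(), "errors": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ip, secs, status = parsed
        b = buckets[secs // window * window]
        b["requests"] += 1
        b["sources"].add(ip)
        b["errors"] += status >= 500  # 5xx responses show the site buckling
    flagged = []
    for start in sorted(s for s in buckets if buckets[s]["requests"] >= rate_threshold):
        b = buckets[start]
        kind = "distributed" if len(b["sources"]) >= min_sources else "single-source"
        flagged.append({"window_start": (EPOCH + timedelta(seconds=start)).strftime("%H:%M"),
                        "requests": b["requests"], "sources": len(b["sources"]),
                        "errors": b["errors"], "kind": kind})
    return flagged
```

Running `flag_flood_windows(SAMPLE_LOG)` on the constructed log flags only the 08:01 window, with 120 requests from 120 sources, all of them 503 errors.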

Now back to the announcement from CISA: 

“With Election Day less than 100 days away, it is important to help put into context some of the incidents the American public may see during the election cycle that, while potentially causing some minor disruptions, will not fundamentally impact the security or integrity of the democratic process,” said CISA Senior Advisor Cait Conley. “DDoS attacks are one example of a tactic that we have seen used against election infrastructure in the past and will likely see again in the future, but they will NOT affect the security or integrity of the actual election.”

CISA’s intent is to assure the public that the elections will not be affected, even though there may be disruptions that prevent the public from receiving timely information.  However, if they know that adversaries may target the elections, how do they know that the elections will be safe and secure?  How do they know that a DDoS against the vote tabulation network won’t block results from being collated?  How do they keep a breach from occurring in the voting infrastructure?  What happens if there is a major regional power outage due to a cyber-attack?  As we know from the CrowdStrike outage, where Maricopa County’s Dominion voting machines got the blue screen of death update (see the article from 2 weeks ago for more details), voting machines are on the network.  Why would only the peripheral reporting systems be affected and not the actual voting?  As a cybersecurity professional, I find that the joint FBI and CISA statement raises more questions than it answers.

Perhaps to properly secure the election system, we need to employ the same cybersecurity strategies that businesses use in case of emergencies.  There should be contingency plans ready in case of a cybersecurity event.  Precincts, counties and states should be ready to manually count the votes for all the races in case of a regional or national cyber-attack.  The people required to perform those functions (counters, watchers, recorders) should be prepared and ready.  Knowing the risks, should manual counting of paper ballots at the precinct level be the primary method, with machines as the backup?

It seems CISA and the FBI are placating the public and telling us not to worry.  Maybe they should spend more resources on hardening the infrastructure and on working with local jurisdictions on contingency planning in case of emergency.

This article was originally published in the Sierra Vista Herald found here.