Welcome to Cyber Security Today. This is the Week in Review edition for Friday October 8th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Terry Cutler of Montreal’s Cyology Labs will join me for a discussion. But first a look at some of the top stories of the past seven days:
The biggest news was an equipment configuration error by someone at Facebook that led to an almost seven-hour outage of service for Facebook, Instagram and WhatsApp. Terry will delve into this embarrassing event.
A configuration error also was behind this week’s hack of the Twitch video streaming platform. Its source code and other corporate data were leaked by an anonymous person. This person claimed they did it to protest Twitch’s seeming inability to stop offensive postings, dubbed “hate-raids,” against users who are members of minority groups. Twitch urges victims to report incidents. Regardless of motives, stolen data is stolen data. And how did the activist get it? According to Twitch, they took advantage of a misconfigured server. As protection Twitch has reset
And news came out about a slip-up by someone overseeing a database of subscriber information belonging to the British newspaper The Telegraph. The 10TB database was left open on the internet in September where anyone could have found it. Much of the data with subscriber names and email addresses was not encrypted.
Cybersecurity Awareness Month continues, with many tech companies issuing surveys on cybersecurity problems. One was from the Insurance Bureau of Canada, which surveyed 300 small businesses with under 500 employees. This number caught my eye: Only 16 per cent of firms in this year’s survey said they hold employee seminars or workshops on cyber security. Terry and I will discuss best practices for employee awareness training.
Companies in the U.S. that do business with the federal government could be taken to court if they don’t report data breaches. This is under a new Civil Cyber-Fraud initiative by the Justice Department. The goal is to ensure the U.S. isn’t caught off guard by theft of sensitive information from critical systems in the private sector. It’s also to punish firms that don’t follow recommended cybersecurity standards.
Meanwhile two U.S. Senators have proposed legislation that would oblige firms in the country to report that they have made ransomware payments. They’d have 48 hours to notify the Department of Homeland Security. The goal is to give the government more information about the extent of ransomware payments. It isn’t known if the bill has enough support to be passed.
More on ransomware: News came out this week that a gang that hit a Texas school district did more than send an extortion note to the board. When the board refused to pay a ransom, the gang emailed parents and threatened to release stolen data on their children. The board said it has no evidence personal data was stolen. This extra squeeze tactic has also been used against customers of businesses and patients of medical clinics.
Finally, if you’re a subscriber to Google’s Gmail or its other services and haven’t turned on two-factor authentication for logging in, you soon won’t have a choice. Google said by the end of the year it will automatically enroll 150 million of its users, and two million YouTube users, to what it calls two-step verification. This greatly decreases an attacker’s chance of getting into your account. It’s good protection.
(The following is an edited transcript of my talk with Terry Cutler. To hear the full conversation, play the podcast.)
Howard: You had a surprising cyber incident this week. Tell us about it.
Terry: I was cleaning my house on Saturday afternoon and I get this [phone] message out of nowhere from this woman in Brazil asking, ‘Are you the Terry Cutler that’s hitting on me? The one I’m in love with?’ It turns out that she was chatting [online] with this fake Terry Cutler who was using my photos and my bio and my kids’ photos to build a fake [online] profile. He convinced her to transfer about CDN$67,000 over 13 different transactions to multiple fraudsters.
What’s happening is a lot of folks that have an online public presence are going to be faced with this. It’s a Catch-22: You need to be online to do business. But cybercriminals can take this information and use it for nefarious purposes by conning other people. This is not the first time this has happened to me, by the way. This is the third time.
Howard: So one of the lessons here is that if you’re someone who has a high profile, unfortunately the less you put on the internet the better for you.
Terry: The guy even had photos of my kids that I posted on Instagram … But there were a lot of red flags that she didn’t pick up on. For example, she never met the person. She’s never even had a video call with the person. It was all done by email. But when you read some of the text … ‘I’ll love you to the sea and back and to the moon.’ Who falls for this stuff?
Howard: Have you got some tips for people to make sure that they don’t fall victim to [online dating] scams like this?
Terry: You need to do research, because this person was in a so-called romantic relationship for three months prior to contacting me. That’s just how it works: First, the scammer will romance you for at least a couple of weeks to a month to gain your trust. Once they have you on the hook then they start asking you for favours, usually in financial ways. You gotta do your research on who these people are. Have video calls with them to see if it’s really them. [The woman in Brazil] said, ‘He sounded like you, but I never saw his face because every time we did a video call it was always grainy, like it was really poor quality.’ Well, today’s video cameras are all HD so there should be no excuse for any grainy footage unless the internet is really slow.
And the scammer’s going to try to isolate you from friends and family. ‘No, don’t tell anybody [about us] because they’re going think poorly of you doing online dating.’
Howard: I want to move on to the Facebook outage because this is a really embarrassing incident — although I suppose all IT configuration mistakes are embarrassing. Facebook says that someone made a mistake and changed a router configuration.
This appears to involve the Border Gateway Protocol, or BGP, on a router. What is BGP?
Terry: Border Gateway Protocol is a protocol that pretty much gets your traffic on the internet to where it needs to go, and as quickly as possible. In this specific case there were multiple failures that happened. Facebook does routine maintenance on their systems, and they have tools that connect all their data centres together. They also do [software] audits to catch configuration mistakes made by employees. But for some reason this time there was a bug in the auditing system. So when a mistake was made the auditing software didn’t pick it up. So all of their data centres became disconnected from the network. So every Facebook data centre became its own island, and they couldn’t communicate with each other. So you’ve got very large facilities at Facebook and also smaller facilities, which act as what’s called DNS (domain name servers), which are like the phone books of the internet. So whenever you need to access something on Facebook those smaller data centres will handle those requests, then talk internally to fetch that information. But because the internal network was down, no request was able to be given back to you.
Howard: We partly laugh because Facebook is used by all sorts of people for sending pictures of themselves sitting and reading and they talk to their cousins and that, but there are businesses that use Facebook for sending out messages about their firm. So this is serious stuff when Facebook goes down.
Terry: And it was very frustrating. Because there’s no more communication coming from the Facebook data centres BGP says, ‘I guess this is down, stop updating and stop broadcasting these [Facebook] addresses …
And some of their employees got locked out of the system. So people had to actually physically go to Facebook data centres to resolve the problem because everybody’s working from home [and couldn’t fix things online].
Howard: And I read that there were employees who couldn’t get into the data centre because their ID cards, which they would swipe to get in or which would be read by an RFID wireless reader, wouldn’t work because the readers would have been internet-connected. What would cause a configuration problem? Why would somebody be playing around with it?
Terry: Obviously the [software] audit failed … We’ve had some customers that were fairly large that required BGP routing. One tip: You want to make sure you have redundant routes. So don’t stick all your eggs in one basket with one ISP (internet service provider). Always get a second ISP. So if one route goes down you have a backup.
Howard: Finally, we should talk about Cyber Security Awareness Month. I think that most employees are aware of the importance of cyber security but some may have trouble putting it to use at work and the evidence is configuration mistakes. Cyber security depends enormously on effectively training staff. Tell us about your experience in effectively getting lessons out to employees.
Terry: It’s very, very difficult because even though you’re putting users through awareness training you’re theoretically still costing the business money because they’re not doing their work. They’re in video training or whatever the training is. And what we’re noticing also is that the retention of some training fades over time, so you need to be doing training often. It’s not just a one-time shot. It’s also got to be continuous testing of your employees, because threats are changing so often and so quickly that something you learned at the beginning of last year might have evolved this year. You always want to make sure you keep your employees on their toes. Have a year-long [awareness] campaign, and test users at least on a weekly or monthly basis.
… Have gamification, like ‘the top employee of the month gets a free gift card’ or something that’ll incentivize them to take training seriously … But many think ‘IT’s got it covered. Just let me do my job. Let me just click on my links. I can handle it.’
But there are so many red flags that go off in these users’ faces that they don’t see.
Howard: In preparing for this podcast I went over some of my old stories and I came across one that I wrote from a conference where cyber security leaders of two Canadian banks basically threw up their hands. One of them said there are some employees you can’t train, or in his words, ‘You can’t fix stupid.’ Do you think that’s true?
Terry: It is true. I even have a t-shirt that says it. [Some people] don’t realize that when they click on these links they get the company infected, don’t realize there are bigger ramifications — the company can lose money, there could be layoffs. And if you’re constantly the one causing this issue it can cost you your job.
Howard: At the top of the podcast I quoted a small business survey that had been released this week by the Insurance Bureau of Canada that found that 16 percent of the respondents said their firm does no cyber security training at all.
Terry: We’re finding out the insurance firms are going to start cracking down on companies because they’re losing three to five dollars for every dollar they’re getting in [in insurance premiums]. At one point they’re gonna say, ‘If you don’t have EDR (endpoint detection and remediation), if you’re not training your users on a regular basis, we’re not even going to insure you. Why should we when you’re so negligent and we find problems with patching?’ When we do these audits we find all these basic problems all the time. I’m still coming across [companies with] one unpatched vulnerability that came out in 2017 called EternalBlue.
Howard: I want to go back to that conference I covered. One security expert who was working for a bank argued that organizations should put a five minute delay on their emails to give systems enough time to thoroughly scan messages for bad executables. What do you think of that?
Terry: We’re starting to see more of what’s called fileless malware. Antivirus or whatever they have won’t pick it up as malicious the moment they open the document. Scripts will auto-run and pull down the malware and then execute it on the machine, and by then the file’s already been validated. It’s clean. It’s got a green light, ready to go, but now malware has just executed on it. So a delay won’t help.
Howard: One other thing that experts have told me is the importance of measuring the effectiveness of your awareness training. So for example, first find out how many staff fail a phishing test, then you do training and then you test again and if there isn’t a measurable decline in click rates you’re doing something wrong. You haven’t changed behaviour.
Terry: Yes, because how do you know where to go if you don’t know where you’ve been? So you want to show the progress. … When we do the phishing campaigns the first thing we do is send out an unannounced phishing campaign and we see how many people click on it. Usually we get a high rate, like 80 per cent of the people clicked on this link or submitted information they weren’t supposed to … You’ve got to find who’s been doing a good job. Then reward them, say in a monthly newsletter: ‘Emily from HR was sent 13 [test] emails and she didn’t click on any of them. We want to like be like her.’
Howard: There are lots of companies that offer free awareness training advice to IT departments who want to put together a cybersecurity awareness training program. Many of these firms may be your company’s IT suppliers, so you should check that out.