2018 threw some cybersecurity curve balls but it also looked a lot like 2017…only bigger. Teri Robinson reports.
Once upon a time, a Starwood breach exposed 500 million customers…
$3.2 billion was lost to phishing attacks… 2.3 billion account credentials were compromised… A ransomware attack on the Sacramento Bee exposed the records of 19.5 million California voters. The threat of millions of dollars in GDPR fines loomed large. If ever the story of cybersecurity in 2018 is spun as a fairy tale, it likely would be Jack and the Beanstalk. Fe Fi Fo Fum. Everything this year – threats, attacks themselves and consequences – consistently seemed bigger except, possibly, spending and the pool of qualified cybersecurity pros needed to fill a growing skilled worker gap. Oh yeah, and confidence. That most definitely was in short supply.
Need proof? Nearly two-thirds of respondents in a Ponemon Institute report said they don’t have confidence in their organizations’ ability to prevent serious damage from persistent attackers in their networks.
And a PwC study found that fewer than a third of businesses, $100 million and over, say are very confident that their boards are receiving adequate metrics on their companies’ cyber risk.
Is it any wonder, though? Outsized threats and attacks are both alarming to, and a strain on, security teams tasked with preventing and responding to them.
Cybersecurity issues dominating 2018, unlike Jack’s beanstalk, didn’t just spring up overnight after a few magic beans were tossed out of the window. Organizations have been working on many of them for a long time now – with varying success.
Into the breach
Large data breaches are a perennial favorite so it seemed fitting that the year ended with a couple of whoppers – at question and answer website Quora and Marriott.
The Quora breach, coming after an intrusions by a third party, compromised the data of 100 million users, exposing account and user data, including names, email addresses, user IDs, encrypted passwords, account setting and other personalization data as well as public actions and content, data from linked networks and non-public actions such as down votes.
“At 100 million records the Quora breach likely makes the unhappy list of top ten data breaches of all time,” says Anthony James, CMO of CipherCloud. It is part of a growing issue for security teams. “Mounting evidence points at stolen credentials being involved in the vast majority of breaches, and there is no sign of this trend slowing down,” says Stephen Cox, vice president and chief security architect at SecureAuth.
“Far too many organizations are relying on approaches that have simply been proven ineffective against modern attackers, and they must be careful to not develop a false sense of security even when they’ve adopted basic techniques such as two-factor authentication. These types of breaches will continue to proliferate unless organizations up their game for their employees and their customers.”
Just a few days after the Quora incident, Marriott announced malicious actors spent more than four years inside its Starwood reservation system obtaining access to 500 million guest records that included names, payment card information and other PII, the hotel chain reported today.
The cybercriminals gained access to, copied and encrypted a wide variety of data from guests using its reservation system, the company said. The Marriott IT team only discovered the breach on September 8, 2018 when the cybercriminals attempted to remove data from the U.S. system. This event led to a further investigation which uncovered that the long-running operation had been in place since 2014.
Since Marriott acquired Starwood Hotels in 2016, the malware likely was already in place and not yet discovered prior to the deal closing.
Ransomware is still not dead…
While 2018 saw a resurgence of many of the usual suspects – like Locky – some newer players like GandCrab captured headlines as well.
Breaking from typical ransomware distribution tactics, the attackers behind the malicious GandCrab relied on a pair of exploit kits – RIG EK and GrandSoft EK – to infect unwitting victims. Typically, these kits are served up in malvertising campaigns.
The finding was unusual, as exploit kits are more typically used to deliver downloaders, RATs, cryptominers and other trojans, Malwarebytes explained in a Jan. 30 company blog post.
First disclosed by researcher David Montenegro, who discovered it, GandCrab originally displayed a ransom note that says, “Welcome! We are regret, but all your files was encrypted!” The ransomware also allows victims to test-decrypt one chosen file from their PCs, as proof of legitimacy.
Adding to its quirkiness, GandCrab demands payment using the cryptocurrency Dash. “This is another sign that threat actors are going for currencies that offer more anonymity and may have lower transaction fees than [Bitcoin],” the Malwarebytes post says. Also notable: GandCrab’s server is hosted on a .bit domain, which exists outside of the normal ICANN-sanctioned Domain Name System and is instead served via the cryptocurrency Namecoin infrastructure.
GandCrab uses an RSA algorithm to encrypt victims’ files, generating the public and private keys on the client side and demanding ransoms ranging anywhere from $600 to $700,000. So far, the ransomware has evolved into five major versions and decryptors are available for several of them.
GandCrab wasn’t the only newcomer, though. If ransomware 2017 was defined by WannaCry then 2018 was the year of SamSam, which cut a relatively wide swath across the world with at least 67 targets, 54 in the U.S., being struck in 2018, according to a Symantec report.
Despite such high-profile incidents affecting the city of Atlanta, the Colorado Department of Transportation and the Port of San Diego, the largets number of victims, 24 percent, were in the healthcare field, Symantec reported.
Meanwhile, the press, public sector and municipalities only accounted for four percent of the attacks each. Manufacturing, utilities/energy, construction and insurance firms each garnered six percent of the strikes, while banking and finance were each hit seven percent of the time. Education and professional services five percent each, with the remaining 31 percent of the attacks not being classified.
SamSam proved to be a thorny challenge for security teams. It is atypical of ransomware attacks in that its entire attack process is manual, Peter MacKenzie, global malware escalations manager working in Sophos Technical Support, told SC Media during the Black Hat 2018 show in Las Vegas.
Grammatical errors were a clue that the attackers likely didn’t speak English as a first language, the attacks didn’t rely on the typical badly worded spam email with an attachment.
Instead, the attacks were old school, using “tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit,” Sophos said in a report.
Once in, attackers spread the “payload laterally across the network; a sleeper cell that lays in wait for instructions to begin encrypting,” Sophos said.
Because SamSam encrypts document files, images, and other personal or work data, as well as “configuration and data files required to run applications (e.g., Microsoft Office),” Sophos said “victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it first.”
Early in December, the Justice Department indicted two Iranian men behind the SamSam attacks. Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri allegedly “extorted victims by leaving a ransom note in the form of a file on each computer encrypted by SamSam Ransomware,” read the indictment, unsealed a U.S. District Court in New Jersey. “Each victim’s ransom note told the victim that its files were encrypted, told the victim that it would have to pay Bitcoin to get the decryption keys.”
Once the attackers received the ransom, two Bitcoin exchangers, identified by the Treasury Department as Ali Khorashadizadeh and Mohammad Ghorbaniyan, allegedly turned it into Iranian riyals.
Like many college students who cram the night before a test – and some writers who test the limits of their editors’ patience with their procrastination – many companies pushed off GDPR compliance, believing either it didn’t apply to them, it was too costly or overwhelming or they could afford to wait and see just how serious regulators are about admonishing and fining companies who falter on privacy.
That’s likely a big mistake. The European Union spent a lot of time putting together, debating, reviewing and finalizing GDPR, which governs how data is handled, shared and protected, and the organization is not about to abandon its efforts now that the regulation has been brought to bear.
“Regardless of industry, scope or scale, all organizations need to be prepared for these changes and the impact it could have on their business, and should employ a basic set of cybersecurity considerations to defend against today’s growing cyber risk,” says eSentire Founder and Chief Security Strategist Eldon Sprickerhoff.
The new rules give citizens more control over their own private information and it’s intended to give businesses clarity and legal certainty. At the same time, the new regulations also give companies headaches and a fair amount of anxiety. Significant fines for violations – four percent of global turnover – speedy breach notifications loom, and uncertainty reigns over how enforcement might play out. A few organizations, like Facebook after its Cambridge Analytica, are breathing a sigh of relief their transgressions occurred before the rules took effect.
“Regulators say they aren’t hunting for examples, but really they’d like to find a company that served as a good test case,” says Michael Magrath, director of global regulations and standards at OneSpan, formerly Vasco.
Steve Durbin, managing director of the Information Security Forum (ISF), agrees that regulators likely would have set an example with the social media giant, which recently admitted that the data analytics firm Cambridge Analytica broke its privacy and data use policies by gleaning data from 87 million Facebook users without their permission.
The high-profile Uber breach, too, likely would have set regulators’ hair on fire. If GDPR had been in play during the latest Uber hack, the ride-sharing company would have faced stiffed consequences – or maybe it would have chosen a more prudent, secure route by promptly revealing the attack that compromised the personal data of 57 million customers and drivers, and by taking bold steps to mitigate the damage.
GDPR is “designed specifically to deal with such occurrences, says Dean Armstrong QC, cyber law barrister at Setfords Solicitors.
Social media in the cross hairs
The past year hasn’t been kind to social media…not that it should have been. In fact, it peeled back the curtain on questionable practices that compromised security and/or privacy.
Early in 2018, Facebook suspended Cambridge Analytica – the data analytics firm used by the Trump and Brexit campaigns to target voters – for violating its policies when it collected the personal data from accounts of millions of Americans without their permission.
The problem sprang from an app developed by Cambridge University professor Aleksandr Kogan called thisisyourdigitallife that harvested data for the firm, owned in part by hedge fund operator Robert Mercer and once led by former White House adviser Steve Bannon. About 270,000 Facebook users signed up to take a paid personality test through the app. Their data and that of their friends, counting in the millions, was passed along to Cambridge Analytica.
“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons,” whistleblower Christopher Wylie, who worked closely with Kogan, said then. “That was the basis the entire company was built on.”
By passing along information from users who had not given permission to a third party and then also not properly deleting that data, Facebook said Kogan and Cambridge Analytica broke its rules.
“Although Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time, he did not subsequently abide by our rules,” Facebook Vice President and Deputy General Counsel Paul Grewal said in a post announcing the suspension of Cambridge Analytica, its parent Strategic Communication Laboratories (SCL), Kogan and Wylie. “By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies.”
When Facebook first learned of the violation back in 2015, it removed Kogan’s app “and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed,” Grewal wrote. “Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data.”
But apparently that was not the case and Facebook “received reports that, contrary to the certifications we were given, not all data was deleted,” Grewal said.
After Facebook took a pounding for its lax policies, the company hustled to restore trust. The social media giant’s first step was banishing the major players associated with the data analytics firm, followed by a mea culpa from CEO Mark Zuckerberg, then an expansion of its bug bounty program to include data misuse by app developers and raising the strength visibility of its privacy tools.
The increased scrutiny on Facebook bled over to other social media platforms as well, spawning ramped up vigilance in protecting user data.
Open buckets everywhere
The development environment was also in the hotseat after misconfigured servers exposing critical information began to trend on the internet. In fact, they were all the rage. In Tesla’s case, trade secrets were exposed. For Robocent, it was voter data. GoDaddy’s cloud configuration information was revealed for all to see. Details on 1.3 million customers of a Walmart jewelry partner were left wide open.
The companies involved were chastised – how can this happen yet again? It seems that after security researchers uncover a handful of open AWS S3 buckets or Microsoft Azure and Google Cloud databases, organizations would wise up and “batten down the hatches,” as Cloud Daddy founder and former NYC Law Department CIO Joe Merces advises.
The importance – and potential for compromise – of the information exposed to the public is breathtaking. Staggering really. And that most incidents haven’t resulted in a damaging breach or criminal action are strokes of luck and nods to the abundance of illegal ventures that preoccupy cybercriminals these days.
The security soft spot doesn’t lie in the cloud infrastructure itself, the experts say.
“I think the persistent problem is not because major cloud providers are inherently insecure,” Rich Campagna, CEO at Bitglass, maintains.
Nor are the bulk of exposures reported the result of malicious intent. Most, in fact, are the result of human error or perhaps straight up ignorance.
“If you provide a capability to a customer that they can make a mistake [with], they probably will,” Baffle Co-founder and CEO Ameesh Divatia says, noting that everyone makes mistakes. The sheer number of people who “touch” data in the cloud increases the likelihood of exposure.
And Merces says the persistence of open buckets is greater than reported.
“The problem is systemic, not for just large organizations,” he says. “If the big guys do it, what’s happening with smaller organizations? The exact same thing!”
While tales of open S3 buckets are more prevalent, or at least more prominent, the problem of open buckets and misconfigured servers is pervasive across all platforms and can be attributed to sweeping changes in development and operational environments.
A once dim view of the cloud as insecure and risky has given way to, if not a full-on embrace, then at least an acceptance that the clould is necessary. Craving the flexibility and reach the cloud gives them to touch customers, share information and roll out services more quickly, once leery organizations have rushed to the cloud at surprising pace. In fact, about 93 percent of U.S. businesses rely on cloud computing, with more than three million data centers operating nationwide to deliver cloud services, the Information Technology & Innovation Foundation (ITIF) says.
As a result, the pressure has landed squarely on developers to turn around apps and services more quickly at the same time that another notable change – from private to public cloud – has shifted the security equation.
“They gave the keys to the kingdom to developers,” who previously were accustomed to working in closed, controlled environments “under the watchful eye of IT,” Campagna says.
The trials and tribulations of the cloud are legion. When everything was in the data center, development might have been more deliberate and plodding but security was easier, or at least more straightforward.
“When you migrate to the cloud, woes and security challenges more than double and not just because you’re running a private data center, too,” says Merces. “You have more to do with the added challenge of battening down the hatches without killing innovation.”
A vote for election security
Amid the blue and red banners dotting social media, mailers, billboards, flyers and just about everything else, Election Day finally rolled around. After all the guesswork and polls, Americans didn’t know which way the political winds were going to blow or whether security measures taken by many states were going to hold…or whether some sort of nightmare would unfold.
Were Russians creeping around social media trying to influence voters? Was a wily and well-placed political operative using privileged access to tinker with a voter registration database? Or was a hacker exploiting a vulnerability in a voting machine or data storage system to manipulate voting data?
“The 2018 midterms are the most secure elections we’ve ever held, thanks to the efforts of election officials around the country,” David Becker, executive director and founder of the Center for Election Innovation & Research, said before the election. “While there’s no finish line in election security, states are partnering with the federal government on cybersecurity like never before. There is zero evidence to suggest votes were changed in 2016, and voters should feel confident their votes today will be accurately counted.”
Becker’s words echoed those of Department of Homeland Security (DHS) Secretary Kirstjen Nielsen who called the midterms “the most secure election” the country has ever had during a Council on Foreign Relations meeting on election security.
That didn’t mean everything was running smoothly or that Election Day would wrap up without a hitch, devoid of cybersecurity issues. After all, the U.S. election “system” is actually a set of state and local systems, diverse and dispersed. While this means there is no single vulnerability that hackers can exploit to bring the whole she-bang down, it also means states are without a national standard or requirements to serve as guidelines for officials, who mostly don’t have deep cybersecurity knowledge or training.
Just days before an already contentious governor’s race in Georgia drew to a close, the Republican candidate, then Georgia Secretary of State Brian Kemp, accused the Democratic Party of Georgia of “a failed attempt to hack the state’s voter registration system.”
Kemp’s office said it would comment on the probe. “I can confirm that the Democratic Party of Georgia is under investigation for possible cybercrimes,” Kemp’s press secretary, Candice Broce, said in a release. “We can also confirm that no personal data was breached and our system remains secure.”
The allegations, which were made without evidence, were immediately denounced by Democrats and called into question by security pros who pointed to numerous previous vulnerabilities in the state’s election system that some contend Kemp’s office ignored.
And on the eve of the midterms, Facebook, which has been actively shutting down inauthentic accounts, said in an alert the FBI had discovered online activity that may be linked to foreign actors.
“Our very early-stage investigation has so far identified around 30 Facebook accounts and 85 Instagram accounts that may be engaged in coordinated inauthentic behavior,” Nathaniel Gleicher, Facebook’s head of cybersecurity policy, wrote. “We immediately blocked these accounts and are now investigating them in more detail.”
Gleicher said while the company usually waits until it’s deeper into an investigation to make a public announcement, the close proximity to the midterm elections prompted Facebook to detail the facts and actions taken.
On Election Day states reported issues, including malfunctioning and crashing voting machines and broken scanners. Mike O’Malley, vice president of strategy at Radware, said that “antiquated software, programming issues, and interference questions are all part and parcel to having an outdated voting system based on a patchwork of thousands of county election networks” This, combined with a “consistent history of voter rolls being hacked, county clerk offices being penetrated, all make today completely unsurprising.”
After Russia meddled in the election and a long litany of incursions, influence campaigns and flaws unfolded, most states stepped up, using federal funding to bolster security. The government doled out $380 million in Help American Vote Act (HAVA) funds to states to use as they saw fit. Louisiana, one of five states with paperless voting machines, will use nearly $5.9 million it received to replace 10,000 or so direct-recording electronic machines (DREs).
In Florida, whose election system was thrust into the national spotlight for the “hanging chad” incident during the controversial 2000 presidential election, counties use voting machines that don’t provide paper records. It also doesn’t require robust post-election audits, according to a report from the Center on American Progress, which also took issue with the state allowing voters overseas to return their ballots electronically by fax. The more than $14.5 million approved funding is unlikely to fix all of the state’s election security woes but various counties have put their money to use bolstering firewalls, purchasing hardware and software to bolster security and adopting multifactor authentication, among other measures.
Arizona Secretary of State Michele Reagan commissioned a top to bottom study of the state’s election security posture the results of which were released in October. The 15-page report, compiled by Gartner, came up with a series of recommendations, including leveraging modern identity and access management technologies to control access to election systems based on user identity and strengthening processes, documentation and standards to facilitate comprehensive management, maintenance and use of current-state technology, that will bolster election security.
While the spending spree has started, most states reserved the bulk of their dollars to bolster security in the next two years leading up to the 2020 presidential election. Both state and federal officials were vigilant as the midterms pass. On election night Nielsen and her DHS crew operated a “virtual war room,” bringing together members of the intelligence community, political parties and others “so as things evolve…we can respond.”
Facebook, too, created its own war room, including “two dozen experts from across the company – including from our threat intelligence, data science, software engineering, research, community operations and legal teams,” Samidh Chakrabarti, director of product management, civic engagement, at the social media company, said in a blog post.
National Guard cybersecurity units in three U.S. states – Wisconsin, Washington and Illinois – were summoned up to provide support for the midterms in case of a cybersecurity event.
“The activation of these National Guard cybersecurity units begs the question, if we have such defenses available and they are effective, why don’t we deploy them more widely?” asks Paul Bischoff, privacy advocate at Comparitech.com. “Other states should be doing the same, particularly swing states.”
It’s Mueller time
While the Mueller probe started in 2017, picking up where former FBI Director James Comey’s investigation left off, 2018 is when the special counsel’s efforts bore fruit. The special counsel indicted a cadre of 13 Russian nationals and three Russian organizations leveraged social media to sow division and influence the 2016 presidential election, with some of the activity intended to bolster then-presidential candidate Donald Trump and erode support for his opponent former Secretary of State Hillary Clinton, according to the 37-page indictment.
The individuals and groups – Internet Research Agency LLC, Concord Management and Consulting LLC, and Concord Catering – accused of running afoul of the Federal Election Campaign Act (FECA) that “prohibits foreign nationals from making any contributions expenditures, independent expenditures or disbursements for electioneering communications,” were charged with identity theft and other fraudulent activities for presenting themselves as Americans on social media platforms.
The indictment included eight criminal counts. Count one alleges a criminal conspiracy to defraud the United States, by all of the defendants,” Deputy Attorney General Rod Rosenstein said during a livestream. “Count two charges conspiracy to commit wire fraud and bank fraud by Internet Research Agency and two of the individual defendants.”
The remaining counts charged “aggravated identity theft by internet research agency and four individuals,” Rosenstein said, cautioning that there were no allegations “that any American was a knowing participant in this illegal activity” or “that the charge conduct altered the outcome” of the presidential election.
“The conspiracy had as its object impairing, obstructing and defeating the lawful governmental functions of the United States by dishonest means in order to enable the defendants to interfere with U.S. political and electoral process, including the 2016 U.S. presidential election,” the indictment read.
Mueller also indicted 12 Russian military officers, part of Russia’s GRU military intelligence unit, for hacking into the Democratic National Committee (DNC) systems in an effort to influence the 2016 presidential election.
The fruits of those break-ins – a trove of documents – were spread under the auspices of Guccifer 2.0 and DCLeaks, according to Deputy Attorney General Rod Rosenstein, who said Russian operatives also hacked a state election board and nicked data on 500,000 voters.
And members of the Trump campaign – from former Campaign Manager Paul Manafort, attorney Michael Cohen, former Deputy Campaign Manager Rick Gates, former aide George Papadopoulos and former National Security Adviser Gen. Michael Flynn – also found themselves in court answering to Mueller or prosecutors in jurisdictions like the Southern District of New York.
A trio of sentencing memos filed early in December in cases against Cohen and Manafort offer the strongest indication yet of repeated contact or coordination between members of the Trump campaign and Russian operatives at a time when Russia was attempting to interfere in and exert influence on the 2016 presidential election.
Cohen, Mueller’s office acknowledged, presented a false narrative in the days leading up to the Iowa caucus about the status of the “Moscow Project,” a proposed deal to build a Trump Tower Moscow, “deliberately” shifting “the timeline of what had occurred in the hopes of limiting the investigations into possible Russian interference in the 2016 U.S. presidential election – an issue of heightened national interest.”
After initially lying to Congress and to the special counsel’s team, Cohen came clean, admitting to trying to “minimize his role in and what he knew about contacts between [the “Manhattan-based real estate company” – the Trump Organization – he worked for] and Russian interests during the course of the campaign.”
Mueller said Cohen has been assisting his office since September 2018, meeting in seven proffer sessions to provide “the SCO with useful information concerning certain discrete Russia-related matters core to its investigation [widely agreed to be Russian interference in the election] that he obtained by virtue of his regular contact with the Company executives during the campaign.”
Cohen also offered up details not only about his own contacts with Russians, but also about Russian nationals’ efforts to reach the campaign as well as “relevant and useful information concerning his contacts with persons connected to the White House during” 2017-2018.
While Mueller remained relatively mum on details and declined to recommend sentencing for Cohen, noting only that his cooperation should persuade the court to allow his sentence for lying to run concurrently with any imposed in the Southern District of New York case, the New York-based prosecutors in a separate filing dropped the proverbial hammer on Cohen for a variety of felonies, including violating campaign finance laws when making hush money payments to two women at the behest of the president (referred to as Individual-1 in the filing), and called for him to serve four years.
The 55-page memo from the Southern District of New York acknowledged Cohen’s cooperation with Mueller’s office but contended that the seriousness of his crimes and the level of his cooperation with its office demand a formidable punishment.
“Cohen’s crimes are particularly serious because they were committed on the eve of a Presidential election, and they were intended to affect that election,” the memo read.
Separately, in a heavily redacted memo, Mueller outlined how Manafort lied about contacts with Russian national associate Konstantin Kilimnik, who has connections to Russian military intelligence, and had ongoing interactions with the Trump administration even after he had entered into a plea deal. Manafort was also in attendance at a controversial meeting at Trump Tower in 2016 with Donald Trump, Jr. and Russian lawyer Natalia Veselnitskaya to get dirt on Clinton.
The Manafort and Cohen memos were filed just a few days after Mueller recommended that former National Security Adviser Gen. Michael Flynn avoid prison time for lying to the FBI since he has offered “substantial assistance” on a number of ongoing investigations, including Mueller’s.
Slaying the giants
Whether security pros scale the beanstalk or chop it off at the bottom, like Jack they’re locked in a battle to conquer or at least mitigate the damage caused by the giants that threaten security and privacy, but without forfeiting the golden eggs – data – that drive business. The tale is fraught with pitfalls and controversy – and successes – with the next chapter to be told in 2019.