Monday Wake Up Call – May 24, 2021

The Daily Escape:

Sun, clouds and Saguaros, North Scottsdale AZ – photo by rayredstonemedia61

After three decades of digital technology development, it’s evident that cybersecurity isn’t being adequately ensured by Mr. Market’s “invisible hand.” In remarks at the White House last Thursday, Biden said:

“…private entities are in charge of their own cybersecurity…and we know what they need. They need greater private-sector investment in cybersecurity.”

Wrongo’s last assignment was as CEO for a division of a F500 defense contractor. We were targeted by Chinese and other hackers thousands of times per day. By 2005, the parent company was investing tens of millions annually on cybersecurity. Most non-defense firms have come to investing in cybersecurity slowly and without large funding.

We again became painfully aware of the issue when hackers shut down the Colonial Pipeline on Mother’s Day, bringing back gas shortages and long conga lines of cars trying to fill up. We subsequently heard that Colonial paid the hackers $4.4 million in Bitcoin to regain control of their networks.

From the New Yorker:

“…we are a country that has seen nearly a thousand reported ransomware attacks on our critical infrastructure since 2013. This includes transportation services, wastewater facilities, communications systems, and hospitals. The average recovery cost of a ransomware attack for businesses is around two million dollars.”

Even though private companies are the most exposed to cyberattacks, they continue to set their own cybersecurity standards largely based on operational and economic priorities, even when their negligence exposes the public to risk. So why won’t companies fix their mess?

Most in the private sector think that cybersecurity regulations will cost too much, which they do not want to pay, or may be incapable of paying. Many in the private sector also consider requirements for better cybersecurity to be yet another form of government regulation.

Mostly, it’s about money and secondarily, about a shortage of IT skills. Some argue that the incentive structure is backwards. Companies often judge the cost of adding robust cybersecurity to be higher than their likely losses from a cyber theft. In a way, they are self-insuring, but that ignores the harm to their customers that occurs when personal information is stolen, or when you can’t buy gasoline.

CEOs are concerned primarily with the short-term profits and stock prices of their corporations. Companies have regularly absorbed losses incurred by security breaches, rather than reveal weaknesses in their internal cybersecurity systems, all in the name of protecting management reputations.

In 2015, Obama’s DHS designated dams, defense, agriculture, health care, and twelve other sectors of the economy as “critical infrastructure,” meaning that they:

“…are so vital to the US that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.”

But while the DHS issued cybersecurity guidelines to those sectors, most companies operating critical infrastructure (like Colonial) are privately owned, and they ignored them. That includes 80% of the energy sector, including pipelines, power generation, and the electricity grid. DHS said in 2015 that those industries needed to develop a common vision and framework to deal with cyber threats.

But corporate America never developed that vision and framework.

In 2019, a European cybersecurity researcher using open-source tools available to anyone, identified and mapped the location of twenty-six thousand industrial-control systems across the US whose internet configurations left them exposed and vulnerable to attack. But you know, they would be prohibitively expensive to fix.

On May 12th, Biden issued an executive order that directed federal agencies and their contractors to abide by a host of stringent new cybersecurity regulations and reporting requirements. The order also required IT service providers and companies that operate industrial-control systems, to inform the government about cybersecurity breaches that could affect American networks.

Biden’s order is a significant workaround for the lack of government control of cybersecurity in the private sector. Many of the cloud services and software packages used by government agencies are also used in the private sector. So, Biden is creating the likelihood that those standards and requirements will be more broadly adopted. That would be similar to auto-emissions standards: When California raised its standards, 12 other states decided to adopt those requirements, and five automakers agreed to design all their new cars to meet them.

Something similar could occur with cybersecurity. Like with Covid, we’re again learning that there’s a very good reason for a robust central government that has the will to write and enforce 21st Century regulations.

Time to wake up America! Corporations aren’t your friends. From sending jobs abroad, to out-of-control share buybacks, to failing to invest in cybersecurity, they need much closer scrutiny. To help you wake up, let’s dust off Depeche Mode with their 1989 hit “Personal Jesus”:


Trump Failed to Protect Government Networks

The Daily Escape:

Old cabin in winter – photo by Julie Williams

Various thoughts about US cyber security: First, along with the news about the cyber hack of the US government, comes news that Trump’s twitter account was hacked in October:

“Dutch prosecutors have confirmed that Donald Trump’s Twitter account was hacked in October despite denials from Washington…. The hacker…Victor Gevers, broke into Trump’s account @realDonaldTrump on 16 October by guessing the US president’s password…”

The password? MAGA2020. Gevers told the Dutch paper De Volkskrant that the president was not using basic security measures, like two-step verification:

“I expected to be blocked after four failed attempts. Or at least asked to provide additional information,”

The current US government-wide hack is a true disaster. The cyber security firm FireEye, working with the FBI, has reported that the intrusion into its own network came through a software product made by the firm SolarWinds. Reuters reported:

“On Monday, SolarWinds confirmed that Orion – its flagship network management software – had served as the…conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.”

Reuters earlier had reported that a researcher informed SolarWinds last year that he had uncovered the password to SolarWinds’ update mechanism, the vehicle through which its 18,000 customers were compromised. The password was “solarwinds123.”

That isn’t even as strong as Trump’s password. Right now, the damage is uncertain, but it seems extensive. NYT reported:

“…the Treasury and Commerce Departments, the first agencies reported to be breached, were only part of a far larger operation…. About 18,000 private and government users downloaded a Russian tainted software update…that gave its hackers a foothold into victims’ systems, according to SolarWinds, the company whose software was compromised.”

FireEye’s analysis shows that once the malicious code was running inside a target’s network, it started ‘phoning home’ to its operators within 14 days. Sounds like quite a few people in the Trump administration were asleep at the switch: (brackets by Wrongo)

“Two of the most embarrassing breaches came at the Pentagon and the Department of Homeland Security….[who] issued an obfuscating official statement that said only: ‘The Department of Homeland Security is aware of reports of a breach. We are currently investigating the matter.’”

Tom Bossert, Trump’s original Homeland Security advisor in 2017, has an op-ed in the NYT that claims the hack was the work of the Russians. Whether that’s true or not, he’s correct about what has happened since:

“The magnitude of this ongoing attack is hard to overstate. The Russians have had access to a considerable number of important and sensitive networks for six to nine months….For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.”

It will take years to know for certain which networks the hackers are monitoring. Politico reports that Trump has tried to gag the administration’s intelligence community leaders from reporting on the extent of the breach to Congress:

“During a National Security Council meeting on Tuesday night, national security leaders were instructed not to reach out to Capitol Hill for briefings on the massive hack without explicit approval from the White House or ODNI, according to people familiar with the episode.”

This is more dereliction of duty by the Trumpers.

We shovel money at the NSA, the CIA, and Homeland Security, but rarely ask what we get in return. How much compromise of our systems will it take to get accountability from these bureaucrats? It’s staggering that we continue to spend on a bloated military when the most crippling attacks we’ve faced in the past 20 years involve box cutters and computer hackers.

It’s hard to know which was worse: That the federal government was blindsided by a state-controlled intelligence agency, or that when it became evident what was happening, White House officials said nothing.

This much is clear: While Trump was busy complaining loudly about the voter hack that didn’t happen in an election that he clearly lost, he’s been silent about the fact that someone was hacking our government. He can hide from this for another five weeks, and after that Biden will doubtless dig into it.

Republicans have spent six weeks crying fraud about the presidential election. But for this? Absolute silence. If this had happened during a Democratic administration, we’d have Republican hearings and talking points for the next 10 years. Where’s their outrage?


March 1, 2018

The Daily Escape:

The Wrong family is at its annual temporary winter headquarters in Florida, enjoying this view. Blogging will be intermittent until March 12th, when we will be back in residence at the Mansion of Wrong. 2015 photo by Wrongo.

A few cartoons. When will the GOP start complaining, saying “Armed union thugs are patrolling our schools”:

Trump refines his role:

US Cyber Command chief Adm. Mike Rogers said Trump hasn’t granted him the authority to disrupt increased cyber threats. Trump, no longer jumping to the rescue. He’s just the security monitor:


Our Election System Is Under Threat

The Daily Escape:

The Dark Hedges near Ballymoney, County Antrim, Northern Ireland. (Featured in the Game of Thrones as the King’s Road) – photo by Colin Park

America is also walking down a dark path. We need to work on the integrity of our election process. From the WSJ:

To understand the scale of the hacking attempts against election systems in the 2016 presidential election, consider South Carolina. On Election Day alone, there were nearly 150,000 attempts to penetrate the state’s voter-registration system, according to a postelection report by the South Carolina State Election Commission.

If hackers were that persistent against a state that President Donald Trump won with 54.9% of the vote, what did they try to do in the states that were in play? Quite a bit, it turns out. More from the WSJ: (emphasis by the Wrongologist)

In harder-fought Illinois, for instance, hackers were hitting the State Board of Elections “5 times per second, 24 hours per day” from late June until Aug. 12, 2016, when the attacks ceased for unknown reasons, according to an Aug. 26, 2016, report by the state’s computer staff. Hackers ultimately accessed approximately 90,000 voter records, the State Board of Elections said.

The next day, Illinois temporarily took its voter-registration database and public-facing website offline. No records were altered, according to the state, and the issue was resolved before Election Day. The hackers haven’t been identified.

Many hackers, including state-sponsored ones, use automated programs (bots) to sweep hundreds or even thousands of computers for known vulnerabilities. This happens to ALL websites (including Wrongo’s), not just to election systems. Confirming an actual intrusion can be difficult even where intrusion detection technology is deployed, and many municipalities and counties have not deployed it, since it can be very expensive.

Time Magazine reported that the number of actual successful intrusions in the 2016 election cycle, where hackers gained sufficient access to attempt to alter, delete or download any information, was “fewer than a dozen”.

Hacking, or attempted hacking, of state election databases was widespread in the 2016 election. Jeanette Manfra, acting deputy undersecretary for cyber-security and communications at the Department of Homeland Security, said at a Senate Intelligence Committee hearing last month:

There is evidence that 21 states were targeted by hackers

From the NYT:

By 2020, cyberattacks could try to alter or erase voter registration databases…or do something else to interfere with actual voting on Election Day…public confidence in the fairness of our electoral process could decrease further, even if the hacks are unsuccessful, as incendiary and unsupported claims about voter fraud, cheating and altered vote totals spread via social media.

America needs to start from the premise that one state’s (any state’s) insufficient protections against hacking in presidential elections affects us all. Companies like Fleetsmith already provide cybersecurity, from mobile device management to firewalls, to numerous businesses, protecting them from hacking; it’s time for the US government to follow in their footsteps and do the same for its own systems, or there will be detrimental impacts. Protecting government databases is critical and needs to be done yesterday. From Wrongo’s experience as a former provider of outsourced services to both state and federal governments, it is clear that the IT staff at many government agencies lack the expertise or budgets to harden the electoral system against attacks.

We have been discussing the hacking of the voter databases, not vote results. These databases have little to do with the actual vote tallies in a given election. But if the US developed one giant database that recorded everyone’s votes along with names, addresses, and SSNs, people’s identities could be stolen.

Unfortunately, that’s exactly what Trump’s Presidential Advisory Commission on Election Integrity plans to build. Nearly all states have said that they will not comply with the commission’s request for voter data. When the winners of one election cycle try to pick the rules, referees and judges for the next cycle, it’s clearly a system at risk of shutting out true democratic input.

The story of possible Russian hacking in our 2016 election, and the possible Trump family involvement in the Russian efforts diverts our attention from the real story, which is that cyber security in the US is a gaping vulnerability.

It threatens our security, our economy and our democracy.

We need a musical break. Over the weekend, there was a two-day rock concert at Dodger Stadium in Los Angeles called “Classic West”. Many old groups performed over the two days. Here, we focus on the Eagles, who played with the son of the late Eagle, Glenn Frey. His 23-year-old son Deacon Frey stood in for his legend of a father, in front of 50k fans, who accepted him as part of the family. It was a fitting tribute. The Eagles also added Vince Gill, who sang “Take It to the Limit” and “Lyin’ Eyes”. But here is Deacon Frey delivering an emotional moment on “Take It Easy”:

https://www.youtube.com/watch?v=ZQCFwL3uoPE

Those who read the Wrongologist in email can view the video here.
