Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: Why we’re all getting an increasing number of unsolicited calls these days, what we know about the HSE attackers, and why you may need to check the T&C’s of your insurance policies.
This week’s action: If you don’t recognise the number, don’t answer the call.
1: What is going on with all these unknown callers?
We’ve all heard of phishing emails. This article explains why we also need to watch out for smishing (text messages designed to fool us) and vishing (live calls designed to fool us). As I mention in ‘1 action’ below, there is a growing problem of scam calls that appear to come from phone numbers of trusted organisations.
“The ultimate goal is to make money from you: either by stealing bank account or card information directly, or tricking you into handing over personal information and logins they can use to access these accounts.”
The advice includes: “Be wary of requests for your bank, personal or any other sensitive information over the phone; Exercise caution – don’t engage with any unsolicited callers, especially if they ask to confirm sensitive details; Never call back a number left via voicemail. Always contact the organization direct; Use multi-factor authentication (MFA) on all online accounts.”
I have written at least 100 words here before mentioning multi-factor authentication. This may be a new record. MFA makes it extremely difficult for the bad guys to take over your account. Use it wherever it is available.
2: What do we know about the HSE cybercriminals?
The recent attack on Ireland’s Health Service was the work of the Conti ransomware gang. This article by Palo Alto Networks summarises what we know about the gang. Putting aside their sales pitch at the end, it’s an easy read.
The author makes two important points:
- Firstly, “[their] primary means of infection appears to be through phishing scams, and attackers are constantly upping their game in this area. [..] we are seeing increasingly sophisticated attacks in which the threat actors have done plenty of homework on their intended victims. [..] These approaches are not particularly clever or sophisticated, but often they are effective.”
- And secondly, “Conti has not demonstrated any signs that it cares about its reputation with would-be victims.” Even after payment of a ransom, they do not always ensure the victim can restore their data and systems; they just disappear, leaving the victim to deal with the aftermath.
3: Insurers may not be ready to pay your cyber-related claim
“The Central Bank [of Ireland] has warned insurers that they may not be financially prepared for the costs of meeting claims stemming from the rapidly growing number of hacks and cyber-attacks [because insurers] have not assessed whether they might be exposed to so-called ‘silent’ cyber – where legacy policy wording fails to exclude cyber risks. [The CBI spokesperson] compared the situation to the business interruption claims made against insurers by business shut by the pandemic, which he said the industry had failed to anticipate.”
Don’t assume your business insurance policy will cover you for the cost of a cyber-attack. Unless it is explicitly mentioned in the policy wording, you may need to sue your insurer to clarify matters.
1: 8.4 billion:
According to Cyber News, there are 8.4 billion stolen passwords included in a text file that was recently released on the Dark Web. “Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over.” What to do? Firstly, Cyber News has a leaked password checker that you can use to see if your data is included: https://cybernews.com/password-leak-check/. Secondly, have I ever mentioned that multi-factor authentication is a significant security measure, as it means a breached password is no longer enough for the cyber attacker to get into your account?
2: 50,000:
The title of this NBC article is stark: “50,000 security disasters waiting to happen”. There are 50,000 different drinking water / treatment facilities in the US. This level of fragmentation makes it difficult for a cyber-attacker to launch a countrywide attack to poison the US population. However, it also makes it far easier to poison a large number of people. Most of the 50,000 facilities are run as non-profit organisations that do not have the resources or skills to manage the cybersecurity of their systems. “If you could imagine a community center run by two old guys who are plumbers, that’s your average water plant.” I doubt the situation in the US is unique.
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
1: Do not answer
In Ireland, there is a growing problem of scam calls that appear to be coming from Garda station phone numbers or the Department of Social Protection. The scammers are trying to fool people into revealing valuable personal data, such as their PPS number. If you receive a call from a Garda Station or a government department asking for personal information, hang up. If the Gardai need to speak to you, they know where to find you!
As a general rule, if you receive a call from an unknown number (even a local mobile number), don’t answer it. If it’s important, they will leave a voicemail or send you an email. [Pro tip: You can set up your mobile phone to divert unknown callers directly to voicemail. You can also block numbers that you know are not genuine callers.]