Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: Multi-factor authentication is not foolproof – We can still be fooled. Ransomware negotiation is a growing cottage industry. The EU and the US are hoping to share more information about cyber-attacks. One ransomware gang laundered $500 million before being captured. If you own one of 30 million Dell devices, you need to update it.
This week’s action: Even if you use multi-factor authentication, you still need to verify links, review third-party access to your important accounts, and verify your browser plugins.
1: Multi-Factor Authentication is not foolproof
While the use of multi-factor authentication makes it extremely difficult for an attacker to gain access to your account, it is not foolproof. It just requires the human to be fooled. This article discusses some of the tactics used by the bad guys to fool the human.
For example, in a ‘man-in-the-middle’ attack, they set up an exact replica of the legitimate website that will sit between you and the legitimate site. They then fool you into entering in your credentials (including the second-factor security code) into this replica site, which in turn immediately logs in to the legitimate site behind the scenes. Or they fool you into granting ‘OAuth’ access to your account to their seemingly legitimate third-party application – A common way for attackers to gain access to email accounts, with the access persisting even after you change your password. And finally, they gain access to everything you type into a browser when you are fooled into adding their plugin to your browser.
2: Do not pay the ransom. But, if you need to pay it, maybe you need a negotiator
If you suffer a ransomware attack, the authorities will tell you to never pay the ransom. For society, this is the correct response – Paying the ransom only encourages future attacks. But if it’s a choice between paying a ransom or closing your business because you have no alternative path to recovery, I can understand why you may not be immediately concerned about the future of society.
If you do need to pay, maybe you could use the services of a ransomware negotiator. This article discusses the emerging cottage industry, and how some have found themselves in this role almost by accident. For one negotiator, most requests for his assistance “were from those who could not afford costly attorneys or insurance policies to cover the digital setbacks”.
If you are thinking about making a payment, the FBI still advises you to tell law enforcement authorities as early as possible, as they may still be able to assist (e.g. to try to recover the payment after it is made). They also warn that making a payment to a US-sanctioned entity could result in the firm facing criminal charges. So, even in the depths of a ransomware attack, it is possible for you to make things even worse.
How to defend yourself? Look at the measures you can implement now to prevent an attack and to minimise the impact of one. If you don’t know where to start, my guide to the basics will get you started.
3: Sharing is caring
This article discusses emerging attempts within the EU to “push governments and businesses to exchange information [about cyber-attacks] on a “need to share”—rather than a “need to know”—basis”, so others can improve their defences. Alongside this development, the US has also committed to working “more closely with Brussels to counter a spate of ransomware attacks that have crippled critical infrastructure”. “By the end of 2022, the recommendation said, participants will be able to share technical data on threats through a virtual platform and mobilize “rapid reaction teams” of cybersecurity experts to respond to incidents.”
This is a positive development, but don’t think it will provide an army of experts to help you respond to and recover from an attack. Unless you run infrastructure of critical importance to the country, you’ll still be on your own.
1: 30 million:
30 million Dell devices, including business and consumer laptops, are affected by recently discovered security flaws in the BIOS software installed by Dell before each device leaves the factory. 30 million sounds like a lot. But after seeing the number of laptops shipped out of their assembly facility in my hometown of Limerick (before the shameful capitalists shut the place down and moved it to Poland), I’d say 30 million is probably a drop in the ocean. But still – If you have a Dell device, check if it is impacted and update it if necessary.
2: 500 million:
One cybercriminal gang (called Clop) laundered USD $500 million in ransomware payments before it was finally tracked down by law enforcement authorities in the Ukraine. Clop is described as only one of “several ransomware groups that hack into organizations”. Cha-ching.
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
1: Trust Nothing. Verify Everything.
Given the sneaky ways that criminals can find ways around your multi-factor authentication defences, your default behaviour online should be to trust nothing and verify everything.
1 – Always verify that links will bring you to the legitimate site that you expect. Or type the correct URL directly into your browser rather than clicking on links contained in an email.
2 – Regularly check what applications have been granted access to your important accounts (especially your email accounts) – It is sometimes called ‘OAuth access’. Search online for step-by-step guides specific to your environment (e.g. Here if you administer Office365 accounts.)
3 – Regularly check the plugins installed on your browser (and remove those you no longer use or trust).
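Step 1 above (verify that a link goes to the site you expect) can be checked mechanically. The following is an added example, not part of the original article: it compares the host a link really points to against a short list of sites you expect to log in to, and flags the common ways a replica site's address is made to look right. The host names, sample links and the function names `check_link` and `triage` are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the login sites this (hypothetical) user expects.
EXPECTED_HOSTS = {"login.bank.example", "mail.example"}

def check_link(url, expected_hosts=EXPECTED_HOSTS):
    """Return (ok, reason) for a link before it is followed."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username or parts.password:
        # Text before '@' is only a user name; the real host comes after it.
        return False, "text before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return False, "no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible lookalike characters)"
    if not host.isascii():
        return False, "non-ASCII host (possible lookalike characters)"
    if host not in expected_hosts:
        # Exact match only: 'login.bank.example.something.test' is a different site.
        return False, "unexpected host: " + host
    return True, "host matches " + host

def triage(urls):
    """Return only the links that should not be trusted, with the reason."""
    return [(u, reason) for u in urls
            for ok, reason in [check_link(u)] if not ok]

# Constructed sample links of the kind that arrive in an email.
SAMPLE_LINKS = [
    "https://login.bank.example/signin",
    "https://login.bank.example.secure-signin.test/signin",
    "https://login.bank.example@phish.test/signin",
    "http://login.bank.example/signin",
    "https://login.b\u0430nk.example/signin",   # Cyrillic 'a' in "bank"
    "https://login.xn--bnk-5cd.example/signin",  # constructed punycode label
]

if __name__ == "__main__":
    for url, reason in triage(SAMPLE_LINKS):
        print(f"DO NOT TRUST  {url!r}: {reason}")
```

Only the first sample link passes; the check is deliberately strict, so any site not on your own list is flagged rather than guessed at.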