Welcome to Cyber Security Today. This is the Week In Review edition. From my studio in Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Terry Cutler of Montreal’s Cyology Labs will be here to discuss some of the interesting news of the past seven days. But first a roundup of what happened:
Employees of a company hired by the state of Pennsylvania to do COVID-19 contact tracing ignored privacy rules and compromised the health information of up to 72,000 people. They did it by sharing files online about people who may have been exposed to the virus. This is one of the items Terry and I will discuss.
Is your firm looking to get cyber insurance? If so, it had better be using multifactor authentication to protect logins from stolen passwords. That’s what a Canadian insurance broker told a webinar I covered this week. Tired of big losses from their cyber business, insurers are demanding more proof that clients have tough security procedures, including MFA, or they won’t get cyber coverage.
Hackers are actively trying to find ways of bypassing multifactor authentication. A report this week from Symantec is a reminder of that. It notes the group behind the hack of SolarWinds’ Orion update mechanism also found ways of bypassing two-factor authentication on victims, as did the attacks on Pulse Secure’s virtual private network appliances and on Microsoft Exchange servers. It’s been known for a while that text-based two-factor authentication services are vulnerable to attack. One way to reduce the risk of being exploited is to keep your software updated and to protect the multifactor authentication technology itself from being compromised.
More on bypassing multifactor authentication. Hackers always look for ways to compromise Microsoft products because they are commonly used around the world. Proofpoint this week reported on the latest tactic: Tricking users of Office 365 into downloading malicious Office apps. Apps can enhance Office or provide productivity. These attacks start with compromising a victim’s company’s cloud account. Then a senior employee is emailed a link to an app that seems to come from their organization’s app store. If they fall for the scam the app allows access to that employee’s email and other accounts, usually for fraud. Companies should forbid the installation of Office apps unless they are from a verified publisher. They can also restrict who within their organization is allowed to create an application.
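The two controls named above map to tenant-wide app consent settings. The following is an added example, not code from the podcast, Proofpoint or Microsoft; it assumes the apps in question are OAuth apps consented to through Azure AD, that the Microsoft Graph PowerShell SDK is installed, and that the caller holds a role allowed to edit the tenant authorization policy.

```powershell
# Added example: restrict app registration and user consent, then audit existing grants.
# Scopes: one to change the authorization policy, one to read service principals and grants.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Directory.Read.All"

# 1. Record the current defaults so the change can be reviewed or rolled back later.
$policy = Get-MgPolicyAuthorizationPolicy
$policy.DefaultUserRolePermissions | Format-List AllowedToCreateApps, PermissionGrantPoliciesAssigned

# 2. Stop ordinary users from registering applications, and let them consent only to
#    low-impact permissions requested by apps from verified publishers. Any other request
#    is routed to an administrator instead of being approved by the user.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps             = $false
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# 3. Audit what users have already consented to: list per-user delegated grants that
#    include mailbox permissions, since mailbox access is what these malicious apps ask for.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "Principal" -and $_.Scope -match "Mail\." } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App       = $sp.DisplayName
            Publisher = $sp.VerifiedPublisher.DisplayName   # empty when the publisher is unverified
            Scope     = $_.Scope
            UserId    = $_.PrincipalId
        }
    } | Format-Table -AutoSize
```

Grants listed in step 3 with an empty Publisher column are the ones to review first; step 2 only affects future consent prompts, not consents already given.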
Hundreds of millions of Dell computers and servers running Windows are at risk from a buggy driver the manufacturer has been distributing for the past 12 years. The driver is part of utilities that come with Dell devices. A fix for Windows 10 devices is available now and will be installed if your computer allows the Dell notification service. Users of computers with Windows 8 and earlier should immediately remove the driver using a security update. A fix for these machines will be available soon.
Millions of Android smartphones that use modem chips from Qualcomm have a severe vulnerability that could be used by hackers. The good news is that Qualcomm, Google and smartphone makers were warned of this several months ago. Security updates are available from manufacturers and Android. Install them when your device makes them available.
(The following is an edited transcript of my talk with Terry Cutler)
Howard: Terry, I want to start with the incident in Pennsylvania that I talked about at the top of the podcast. I thought it was disturbing. Tell us about it.
Terry: This story broke on a Pittsburgh television station. A company was hired by the state to trace people who may have had contact with somebody with COVID-19. It’s called contact tracing, and the problem is the employees weren’t safely storing personal data they collected. The information on individuals was stored inside a Google spreadsheet by employees and was being emailed to each other. But the problem was that these documents weren’t protected by passwords. So any employees of the contracted company actually pretty much had access to them. And, of course, it violates all kinds of rules that are governed by the state on how to secure and handle data. So the documents could be basically opened by anyone on the internet who knew or had access to the link and could find them. … Unfortunately, this is just another case about convenience.
Howard: One of the problems I saw is this involves a company hired by the state to do some work. State managers can’t directly oversee the work of these temporary workers. And the other thing of course is we’re in a pandemic and many people are working from home. And so even this company couldn’t have managers physically overseeing the work of employees to make sure that they were storing the documents and using the documents securely. How does a company solve that problem?
Terry: That’s really difficult. And here’s why: Obviously if all the employees were inside the corporate firewall there are ways to block Google apps and all these other places [for storing documents]. But when you work from home and you’re on your own home network you have no restrictions … And it also comes down to employee training, [but] because most of these folks just want to get this thing done as quickly as possible, no restrictions, and no limitations. Some folks don’t even understand what MFA [multifactor authentication] is, or don’t know how to enter their password into a secure and protected word document or PDF. So they just keep it as convenient and easy as possible for everybody. So cybersecurity takes a back seat. But the sharing of this personal information should have been a warning sign. Why didn’t anybody speak up and say, ‘Why are we sharing this valuable information with no protection on it?’ So that should have been flagged.
…I see this day in, day out where people want to work from home safely and securely. So they drag and drop a whole bunch of corporate documents into their Google Drive or their OneDrive to work from home. And then they start sharing it … It’s extremely difficult to block that because the administrators don’t necessarily have control over what the employee’s computer can do and can’t do, especially if they’re working from home. Maybe there’s a way that their VPN software can monitor all the traffic, [but] there might be ways around that. It really comes down to policies and procedures, and making sure your disaster recovery plans are in place in case of these accidental things happening.
Howard: One of the other things that I want to talk about is multi-factor authentication, because that was big in the news this week. At a conference I covered, an insurance broker said insurance firms are now demanding companies use multifactor authentication to protect their logins, or they won’t allow them to buy cyber insurance coverage. In fact, even if your firm already has cyber insurance coverage it will be cut if multi-factor authentication isn’t enabled. That’s quite a whip.
Terry: I understand them. Especially with the rise of ransomware. If you don’t have EDR (endpoint detection and remediation) they might not insure you either. The [data breach] costs are astronomical for these folks [insurers]. I see a lot of companies that have to have MFA installed, but only for a select group of people; not everybody has it. [But] there are ways now to bypass multifactor authentication.
Howard: And that’s one of the other things this week. Symantec issued a report on the various ways that attackers are trying to get around multi-factor and two-factor authentication. Even though multi-factor authentication is beneficial for an organization, you’re way better off having it than not.
Terry: But there are ways around that. I’ll give you a perfect example. It happened to a client about a month or two ago. He had two-factor authentication installed on his system. He got an email, a phishing attack, which asked him to sign into his email account. So he types in his username and password. And then all of a sudden he receives this [code for] two-step verification, and he types it in. What we didn’t know was the cybercriminals were monitoring [his email account]. The moment he typed in his username and password, they typed it immediately into his provider’s account, which made him receive the text message. And then he entered the TFA, which gave it to the cybercriminals. And they took over his account, and caused a business email compromise.
Howard: Symantec offered a number of pieces of advice to organizations to avoid really sophisticated multi-factor bypass attacks: Make sure you review and reduce the services and accounts that don’t require multifactor authentication. Keep up to date on patches for all of your software, and consider a threat model where multifactor authentication may be bypassed so you’re ready. The other thing is to use a zero-trust architecture in addition to multifactor authentication.
Terry: There was a problem with the Office 365 [attack mentioned in the news summary], where you receive a phishing email and it looks like it’s coming from your domain. But what happens is once you’ve signed in, you get a prompt that says, ‘We need to install this plugin.’ And it asks for access to read your inbox, indexing and searching … ‘Do you consent?’ And most people are gonna say, ‘Yeah, of course.’ But this is not an authorized application. It’s able to bypass your multi-factor authentication. Microsoft has suggested now you’ve got to be a verified partner in order to be able to send out these links, but the cybercriminals are already one step ahead, because now what they’re doing is they’re compromising accounts that are already legitimate customers, and then using them as a jumping point to attack another company.
Howard: So one of the defenses is denying the ability of your users to install applications unless the department approves.