Friday News for May 4, 2018
U.K.’s High Court Gives the U.K. Gov 6 Months to Fix Law
Privacy in the U.K. is a bit of wishful thinking. Besides having the most public surveillance cameras in the world (Wikipedia says there is one camera for every 14 people in the country), the government has attempted to kill privacy in other ways. The courts struck down the now expired Data Retention and Investigatory Powers Act (DRIPA) but, until now, had not ruled on its replacement, affectionately known as the Snooper’s Charter. Now the U.K. High Court has said that law is incompatible with the EU Charter of Fundamental Rights. The government asked for a year to come up with a way around the ruling, possibly by passing a new law, possibly not. It is also suggesting that it only keeps data for serious crimes, by redefining “serious crime” as any offence for which a convicted person COULD be sentenced to six months in jail. That might include repeated jaywalking. The court said you have six months to fix the law, or the court will consider your inaction a serious crime. Meanwhile, more challenges to the Snooper’s Charter are being filed (Source: The Register).
Why Did Atlanta Spend $5M Instead of Paying $50k in Ransom?
Atlanta was hit by a ransomware attack last month that, technology wise, knocked the city pretty much back into the 1940s. The attackers asked for about $50,000 in ransom to unlock the files; the city chose not to pay and has reportedly spent $5M recovering from the attack so far. In fairness, the city likely did things after the attack that it should have done five years ago, but it is money that would not have been spent if it were not for the attack.
Fast forward to last week. The school district of Leominster, MA, northwest of Boston, was hit by a ransomware attack. While the details are sketchy, the district says it had no choice other than to pay the ransom. I guess this means that they didn’t have backups of systems, didn’t have a disaster recovery plan, didn’t have an incident response plan and didn’t have a business continuity plan. I wish this was unusual, but it is not. The population of Leominster is 41,000. Attackers are targeting municipalities and even states (the Colorado Department of Transportation was down for the count for at least a week or two after an attack) because they know that, compared to private industry, the public sector’s cyber security posture is even worse. Paula Deacon, the Leominster Schools Superintendent, said “we paid the ransom through a bitcoin system and are now awaiting to be fully restored”. They apparently paid the ransom last week and are still waiting. I have a bad feeling about this. Usually, if the files are going to be unlocked, it happens right away (Source: CBS Boston).
Google to Shut Down Google Link Shortener Goo.Gl
Unlike some of the Google services it has abandoned in the past, this one is being shut down gracefully, but the wind-down starts this month. Google says the shortener is used too much by scammers to hide malicious links. It also points users who still need a link shortener to its competitor Bitly. For users, this is just a reminder that clicking on any shortened link is a bit like playing Russian roulette: you have no idea whether the destination is malicious or not until you have already requested it. The practical check is to expand the link before visiting it, either through the shortener’s preview feature (both goo.gl and Bitly show the destination when you append a plus sign to the short URL) or by issuing a HEAD request that is not allowed to follow redirects (Source: Google Blog).
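The following is an added example, not code from the original post or from Google, of the “expand it before you click it” check described above. It walks a short link’s redirect chain with HEAD requests that never auto-follow (Python’s `http.client` does not follow redirects on its own), so the final destination is revealed without loading it, and then flags the cheap red flags a practitioner would eyeball: a raw-IP destination, an https-to-http downgrade, a non-web scheme, or an unusually long chain. The sample responses, hostnames and paths are constructed and hypothetical so the example runs offline; `live_head` is the real-network equivalent.

```python
"""Expand a shortened link without fetching its final page.

Added example (not from the original post). SAMPLE_RESPONSES is a
constructed, hypothetical redirect chain so the code runs offline;
swap in live_head to check a real link.
"""
import http.client
import ipaddress
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed sample chain (hypothetical): a short link that bounces through a
# second shortener (once via a relative Location header) and lands on a
# raw-IP host over plain HTTP. 198.51.100.0/24 is an RFC 5737 test range.
SAMPLE_RESPONSES = {
    "https://goo.gl/abc123": (301, "https://bit.ly/xyz789"),
    "https://bit.ly/xyz789": (302, "/r/2"),
    "https://bit.ly/r/2": (302, "http://198.51.100.23/login.php"),
    "http://198.51.100.23/login.php": (200, None),
}


def fake_head(url):
    """Offline stand-in for a HEAD request: returns (status, Location header)."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def live_head(url, timeout=5):
    """Real HEAD request that does not follow redirects."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        target = (p.path or "/") + ("?" + p.query if p.query else "")
        conn.request("HEAD", target, headers={"User-Agent": "link-expander"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, head=fake_head, max_hops=MAX_HOPS):
    """Return every URL in the chain, ending at the first non-redirect,
    a non-web scheme, a loop, or the hop limit."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(chain[-1], location)      # resolve relative Location headers
        chain.append(nxt)
        if urlparse(nxt).scheme not in ("http", "https"):
            return chain                        # e.g. javascript: or data:, never follow
        if nxt in seen:
            return chain                        # redirect loop
        seen.add(nxt)
    return chain


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(chain):
    """Red flags worth a second look before visiting the final URL."""
    flags = []
    first, last = urlparse(chain[0]), urlparse(chain[-1])
    if _is_ip(last.hostname or ""):
        flags.append("final host is a raw IP address")
    if first.scheme == "https" and last.scheme == "http":
        flags.append("chain downgrades from https to http")
    if last.scheme not in ("http", "https"):
        flags.append(f"non-web scheme: {last.scheme}")
    if len(chain) > 3:
        flags.append(f"{len(chain) - 1} redirects (a shortener normally needs one)")
    return flags


if __name__ == "__main__":
    chain = expand("https://goo.gl/abc123")
    print(" -> ".join(chain))
    for flag in assess(chain):
        print("FLAG:", flag)
```

Run it as-is to walk the constructed chain; for a real link call `expand(url, head=live_head)`. The chain is walked with HEAD, so the final page is never loaded, and a `Location` pointing at a non-web scheme is recorded but never followed.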
“Massive” Flaw in Schneider Electric SCADA Control Software Gives Hackers Full Control Over Critical Infrastructure
“Full control” is the hacker’s nirvana and the IT team’s worst nightmare. In this case, the software controls oil and gas production, water plants, manufacturing and similar facilities and, with full control, an attacker could do anything from shutting a plant down to, possibly, with enough motivation, blowing it up. There are caveats, but it is still scary. Given the FBI warning last month about state sponsored hacking of critical infrastructure, this is concerning. And I bet there are hundreds or thousands of Schneider installations that have not been and will not be patched (Source: Tech Republic).
Maybe Waiting to Deploy Patches Isn’t a Good Idea
Companies often wait a couple of weeks up to a month before deploying new patches. Patches sometimes break things, and waiting is a good way to make sure they break someone else’s system first, but that strategy has some flaws.
According to the SANS Institute, its honeypot server was hacked within hours of going live. SANS says attackers started going after the Oracle WebLogic bug immediately after it was announced on April 18th.
SANS says patch fast or plan to recover.
You wait at your own peril (Source: The Register).