Alerts, Best Practices, Hacks, Legal, News Bites

Security News bites for the Week Ending March 15, 2019

March 15, 2019 CyberCecurity Leave a comment

Jackson County Pays $400,000 in Ransomware

Following a ransomware attack on March 1st, 2019, Jackson County, Georgia decided to pay hackers a ransom of $400,000.

The county population is 67,000 according to Google. While hackers may not be explicitly targeting these small municipalities, they may be. After all, small municipalities likely have poor cybersecurity practices and are likely to be willing to pay exorbitant ransoms in order to restore public services.

After the attack, the county said that they decided to pay the ransom because they thought, given their shoddy security practices, it would take them months and cost them even more to rebuild their systems.

Who gets to pay the price of their poor security practices, unfortunately, are the county residents. The county budget for 2017 was about $40 million, so a $400k hit represents about one percent of the total annual county budget. There is no indication that the county had any insurance. In addition to the actual ransom, the county hired a consultant, had downtime and is in the process of recovering from the outage. Hopefully, the county will institute better security practices now that the horse is out of the barn, costing residents even more money.

This same ransomware, Ryuk, was used in the recent newspaper attacks, but other than delaying the printing of several newspapers like the NY Times by a few hours, the impact was minimal – likely due to better cybersecurity practices in the private sector than the public sector.

There are at least 10,000 municipalities across the country, the vast majority of them are small and with no cybersecurity expertise, so, to the hackers, this is a bit like shooting fish in a barrel — expect more attacks and millions in ransom paid. Source: Bleeping Computer.

Consider Security Basics

Journalists were able to waltz into an undersea fiber optic cable landing station in the UK because engineers forgot to close or lock the gate to the fiber hut.

For terrorists, that would be a wonderful way to destroy a very high speed Internet link.

As is often the case, even though there were surveillance cameras at the building, no one came to question the reporters as to why they were there.

So, locking the doors and monitoring the surveillance cameras might be a “basic” security measure. Source: The Register.

Google Now Allows You to Disable Insecure Two-Factor Authentication Methods

Two-factor authentication is a great way to improve security but nothing is perfect. There are many methods of two-factor authentication, including a phone call and a text message.

Now Google will allow Corporate G-Suite administrators to disable less secure two-factor methods if they choose to (a feature that Microsoft Office has had for a long time, so Google is playing a bit of catch-up).

If you want to force users to either use the Google Authenticator App or a Yubi Key as the only approved second factor, you can do that. MUCH – repeat MUCH – more secure. Source: Bleeping Computer.

App 63red Security Lacking; Developer Threatens Messenger

63red, an app that was developed by conservative news site 63Red Safe, is supposed to provide a directory of places that were safe to do things like wear your MAGA hat without being harassed.

Soon after it was released, a French security researcher discovered that the security of the app was less than perfect. Inside the code of the app the researcher found the developer’s email, password and username in plain text, Also, there was no security in the app’s API and other security issues.

Developers react differently to being told their app is not secure. In this case the developer reported there was no breach, no data changed, minor problem fixed. The first two statements are accurate but misleading. He called it a politically motivated attack.

The developer called the FBI on the researcher, claiming he hacked them, when in fact all he did was look at the source code and then use what was in the code to test the security. Theoretically, that could be considered exceeding your permissions under the Computer Fraud and Abuse Act, but there are specific exceptions for security research.

The app has now been removed from the app store, apparently due to security issues.

If you are going to fire back at a security researcher, you probably need to make sure that you are on solid ground. Sources: The Daily Beast and Ars Technica.