Secure With Celerity Episode 18
DAVID TAYLOR [00:00:58] Hi and welcome to Secure with Celerity, the show where we dissect the week’s top cyber security news stories. I’m your host David Taylor and welcome back, Founder and CEO of Cyber Risk Aware, Stephen Burke, hi to you Stephen.
STEPHEN BURKE [00:01:10] Hi, David. Nice to see you again. I hope you’re doing well.
DAVID TAYLOR [00:01:13] Yeah, very well. Thanks for coming on again. Appreciate getting your insights on some of the news stories. So let’s jump right in. So the first headline we’re gonna cover is Northumbria Uni campus is closed after a serious cyber attack. So this is a story from the back end of last month, in August. The university suffered a cyber attack and it’s unsure what happened exactly. But there are some rumours and people can speculate that it might be a ransomware attack, given that, you know, a lot of educational organisations such as unis are targets for ransomware, and it follows off the back of Blackboard, which is a US I.T. services company that was hit. They serve a lot of UK universities and colleges. So unfortunately, what tends to happen is that their Deputy Vice Chancellor, Peter Francis, told students on Monday that the cyber incident caused significant operational disruption and that work was under way to restore the I.T. systems as quickly as possible. But during the restoration, there was no access for students to the online portal Blackboard or any other university platforms. Like I said, no official details were given on what caused it, but they believe it was ransomware. I think going back to it, we may have covered it on another episode of this, but a Freedom of Information request reported that a third of UK universities had been hit by a ransomware attack in the last decade. Does that surprise you at all?
STEPHEN BURKE [00:02:50] No, not at all. And that same old ransomware keeps cropping up time and time again every single day. And unfortunately, universities, I think the context when we spoke about this the last time was around Coronavirus vaccine research and development, and that threat actors were potentially targeting these organisations to steal the data and obviously hold it to ransom and make money off the back of it. So does it surprise me that a particular university has been caught? No, not at all. I think when it comes down to cyber criminals targeting people, no matter what defences you have, it only takes one person to click on the link and ransomware will encrypt everything on that endpoint as well as the network. And ransomware has evolved now to no longer just encrypting and wanting a ransom; they are taking the data and looking to sell it and make money off the back of it. And so this university has been caught out. And it’s affected overseas students, who have had a tough time given that they haven’t been able to be on campus. And there’s been anxiety around exam results, and we won’t go into the debacle of the various algorithms that have gone into those results. And these students have been affected by that. But this just adds anxiety for folks. I feel for them more than anything, that they just can’t use the systems that their campus should be offering them.
DAVID TAYLOR [00:04:12] Yeah. Especially just thinking back to when I was in university, and I like to think I always downloaded the lecture slides beforehand. But if there’s anyone who is just relying on being online, you know, going on the portal and being able to download them, that’s not available. So if they want to do some last minute cramming, they can’t, and they’ll be screaming on that point. Do you think the unis are more susceptible to cyber attacks like this, given that they are very, very large, you know, maybe not against global companies, but we’re talking about tens of thousands of students plus faculty on top. Everyone’s got a login to the network.
STEPHEN BURKE [00:04:47] I think that given the different levels of people that are on that network, you’ve got students who are probably lacking in experience, maybe lacking understanding of the cyber threats that they may be facing. And you’ve also got the attitude that’s natural, “it’s only a virus”, which is stereotypical of younger generations. Now it’s just a virus. It just doesn’t hold any fear. And they want to access software very quickly. They just want instant access to tools to make their life easier. The digital identities, social media, all that good stuff. And so they are more likely to click on links, open attachments, look at free offers or discount vouchers, whatever that may be. So they’re more likely to click. So there’s a gap there in raising awareness for those students to be aware that they are going to be targeted. And I know in the last year or so, we as a company were involved in the Freedom of Information request around students being targeted around grants. So when they were going back to university, they were being targeted for the grant money that they were receiving. And they had lost a lot of money as a consequence of a scam around that. So we know historically that students can be targeted at the outset. But this doesn’t necessarily sound like a student-targeted attack. It’s more the institution itself. And to go back to maybe answering your question around my surprise around universities coming to this. Not really. Because when we have spoken to certain universities, security awareness of staff has always been at the forefront of their minds. But they have had limited budgets and they’ve had limited technical capability to implement not only security awareness training, but also technical defences that would secure the network both externally as well as internally. So it comes back to investment. And where does one prioritise what one should focus on?
They’re no different than any other company when it comes to that, as in with limited time, people and money, what should I spend it on? But universities, they have sensitive information, intellectual property. But they also have, you know, a service to give to students. And there’s a lot of students in these universities. And if the university can’t function well, then everything grinds to a halt and it’s bad for the reputation of the organisation. I think there was another story a few months ago. I think it might have been a university in Derby where the heads of I.T. just lacked the experience to be in the role to do the job. They had just been put in to do it, because maybe they had, you know, helped out with technical issues sometimes. And so that lack of investment in the right people to take data protection, to take network security and information security seriously, that’s probably another area that they have to focus on as well. I think that case actually ended up going to government and then the institution was found to have maybe not given proper factual information around the people that were assigned to it, and post the investigation, that’s it, the institution was to do various things. And they didn’t do it.
DAVID TAYLOR [00:08:03] Going back to what you touched on, you know, as an organisation, having an attack like this stops them working, stops their business operations. And one bit in the story was that actually, as well as cancelling and having to reschedule exams, it’s actually stopped them being able to take calls about clearing, you know, when students maybe didn’t make the grade and are trying for courses. So this has actually stopped a lot of students going to university and stopped the university getting a lot of student fees. So, yeah, definitely a big disruption for the university. On to our next story of the week, which is almost like a movie plot when you really dig deep into it. This was the story of a Tesla employee and an alleged ransomware plot. So I’ll try and give you the nuts and bolts of the story. But this was the story of a 27 year old Russian man named Egor Igorevich Kriuchkov. Sorry about that, I annihilated that name. He was arrested by the FBI in Los Angeles after inviting a Tesla employee at the Gigafactory manufacturing facility located just outside Reno to plant malware into the system. So basically, the pair met in a bar and after many drinks the Russian, Kriuchkov, again, sorry, apologies, initially asked the employee if he would like to collaborate with a group that carries out special projects. And then they would pay him $500,000 to install the malware onto the Tesla network. The Tesla employee, being a good employee, then actually went off to Tesla and told them what happened. They got the FBI involved and then they added surveillance on some follow up meetings, and it’s quite crazy what came out of the surveillance.
And that was essentially that they’d bumped up the amount to $1 million, and they also have the Russian, Kriuchkov, saying that they could encrypt the malware so it could be traced back to this employee and hackers would distract the security staff with a DDoS attack on the Tesla servers. And they also claimed that they had another insider at a different company that had installed malware that hadn’t been caught for three and a half years. And on top of that, they also proposed framing it as over Tesla. But, yeah, luckily enough, it went with the Tesla employee telling them, they got the FBI involved, and they ended up arresting him. He’s gonna go away for quite a while, I would have thought. But yeah, sounds like a movie. Kind of shows the money behind these ransomware gangs and I guess the confidence, the cockiness of them all, that they’re straight up just going to offer people money to try and get an insider. Yeah. What are your thoughts on that, Stephen?
STEPHEN BURKE [00:11:02] Yeah, I totally agree. It does sound far fetched, like something from a movie, but actually it’s very useful for people to realise that this is what goes on and it goes on more than we think. Whether it be cyber criminals targeting money mules, who are people who are down on their luck and basically receiving an email that says, I’ll give you $500 and you go to various banks and withdraw cash out at various times. And that’s just, you know, cyber criminals targeting people who are down on their luck to make money. And when you’re down on your luck and you need money or you’re out of your job, and particularly in these times, you’re more likely to do it, and you’re not a criminal. You’re just somebody who’s hard up and you’re trying to put food on the table or whatever it is. So these pressures can happen. And if we go back to this story, where you’ve got supposedly they were friends going back a few years before and out of the blue he made contact via WhatsApp and tried to hook up. And they went to a few bars or restaurants before they eventually made this offer of 500,000, so it was obviously profiling and assessing this person and then making the offer. So when it comes to insider threats, which we would often talk about ourselves, you’ve got the accidental insider, you’ve got the compromised insider, but also a malicious insider. The malicious insider is potentially what could have happened here. So kudos to Tesla for the culture that they have cultivated where, A, staff are security aware, and B, they have told staff to maybe be aware of such attacks and, if so, what to do, which would be to report it to the authorities or to the company itself. And therefore, they can respond to it in kind. So that should be celebrated. It should be promoted to every other company in the world to say, you know, we need the help of our staff to protect the network. We’re technically not going to be able to stop everything from happening.
Therefore, we rely on you. Yes, as a responsibility and an obligation to do so, but it also should be a willingness to do so, based on the culture that we look after our staff, we’re one family. And you know, they’re obviously doing innovative things in Tesla, given the intellectual property that they’re operating on, and obviously the share price has gone through the roof recently. So there’s all sorts of information on that network that’s so valuable that, you know, I think it’s a good news story for the insider in reporting it. But it’s also a case study or a reference for other companies to say, look, our staff need to be aware of this. And how could one recreate a scenario like that? Maybe by running a tabletop exercise or something like that to showcase that this can happen. And it’s not fiction.
DAVID TAYLOR [00:13:47] Yes, definitely, that’s a really good point. Hopefully many companies will take hold of it and maybe, you know, pass it out and communicate out to the rest of the company that these things do happen and, you know, maybe get some more policies in place, so that people are aware that if it does happen, they know who to go to. Well, you know, really, really good story. Who knows? There’s definitely gonna be a movie in this or a similar plotline probably coming out, as you know cyber security is huge in the world now. And, you know, there’s already a few TV series about it. But I think more and more as time goes on, the new action films are going to be probably about people hacking. I think it always has been and some of…
STEPHEN BURKE [00:14:27] The sums of money involved, David. Like, they are talking about 4 to 6 million based on other instances of this ransomware attack. If you look at Garmin and Travelex, and what these companies’ poor unfortunate folks, you know, who do a great job security wise, just suffered an unfortunate incident. They had to pay to get back up online. So 4 to 6 million: if I’m paying an insider half a million or a million, you know, there’s still good profit margins to be made there. And hence why they’re cocky and they think they’re untouchable. You know, they think they’re anonymous and they can’t be traced. But there’s serious money involved in that. So it’s not gonna be the last time that we hear of stories like this. But it does go to show that if you focus on your staff and you invest, what, potentially 200 grand, a quarter of a million, in raising awareness across a company, you could save the company 6 million. There’s a major cost benefit analysis there, if you focus on that.
DAVID TAYLOR [00:15:28] Definitely. Right. Moving on to a slightly less Hollywood and exciting story, but the next headline is Slack users unwittingly phished with malicious payloads. The summary of this story is threat actors have been hosting malicious files on Slack, phishing Slack and actually non-Slack users. They found that since late June, the platform’s cloud storage domain, which is slack-files.com, has appeared on a public phishing platform with regularity, which has led researchers to surmise that Slack users and the referral URL domain, which is slack-redirect.net, are being used to dupe people with malicious payloads. So in a nutshell, hackers are putting malicious files up and hosting them on Slack and then using them in phishing campaigns to give a bit more legitimacy to them. And I guess people don’t second guess, you know, if you are a company that uses Slack and you’re used to getting a lot of files on it, you would be really busy. You get this email come through. Oh, yeah. It’s just like your old domain. We’re gonna click on it. Especially, I think, during COVID-19 and all working from home, a lot more people are using these collaborative platforms like Slack. So on other episodes of this, we’ve actually talked about Teams being used a lot, Zoom, a lot of phishing on there and quite extravagant measures that have been used, but I think it’s not the last time we see this. What’s your… I mean, you guys at Cyber Risk Aware, you do a lot of cyber training. You do a lot of phishing, don’t you?
STEPHEN BURKE [00:17:09] Yep, absolutely, this is exactly what we do. We help companies simulate real world scenarios so that staff become aware of what this looks like. And what the cyber criminals are doing in this case is they’re not pushing a malicious attachment in an email. They’re pushing a link. And most email defences will look at the link and they’ll say, okay, what kind of link is it? Unless they have URL rewriting, which will rewrite it to be more secure, which many mid-sized companies won’t have deployed, and therefore the malicious payload, which will come in when clicked, won’t have been scanned. So that’s how they are getting folks on it: it looks like a Slack link, and again, people are more likely to click on the link. And because people are using Slack, they see Slack. That’s all they see. They don’t see, they don’t see the .net extension. They just see Slack. It’s a stereotypical test of people’s behaviour: we see what we want to see, we don’t take the extra few seconds to think before we click, and we’re so busy doing lots of different things. So that’s all that cybercriminals are preying on, is that click mentality, and if it looks similar to what I normally use, then it’s more likely that people will click on it. But again, email defences that maybe look at attachments, they would take away the attachment; by having a link here, they don’t have to worry about the attachment being blocked and all that good stuff from the cybercrime perspective. So that’s why they’re made to look like that. We’ve seen this before with the likes of OneDrive or Dropbox links and whatnot.
And again, the whole point is to circumvent the email defence control that would strip out the attachments. By having a link it’s less likely to be blocked and therefore it gets to the user, which reinforces the point that staff need to be made aware in an effective security awareness program, where the company says to them, we need your help to defend the network. We’re not going to block all malicious emails. Cyber criminals are targeting you to get to our systems and our data. We’re going to run realistic phishing simulations to help you understand what it looks like and what to do. Like what happened at Tesla: what to do if something happens, and they reported it. And that should be celebrated. And it’s super effective, given that, you know, you can’t block all these things from getting through. So that’s my feedback in relation to that.
DAVID TAYLOR [00:19:33] Yeah, I think, well, Celerity, we do simulated phishing as a service as well. And we actually do it in-house as well to our own employees. I think as well as educating people, it’s just keeping it front and centre that these e-mails do exist and they do happen. And I know we actually have some processes in our company that if it’s not a simulated phishing email but actually a phishing email, we have got to report it. And when it is reported, it gets communicated out to everyone that an email has come from this address, this email has come out, make sure you delete it and get rid of it. Just so it’s kind of front and center, because a lot of people in their busy day, especially if they’re coming from a domain that you’re used to clicking on, like Slack’s, you’re not gonna worry too much about it. So just for the viewers, to give them a bit of a visual on what an attack might look like, we’ve got some slides or some screenshots. So in this instance, it was somebody sending a phishing email. On the left hand side, we’ve got an email there. I think it went to accounts payable. Click on the link that links to a PDF and that has the Slack domain. And actually, if you hovered over it in the email, you’d actually see, yes, it’s a Slack domain as well. There’s nothing too sketchy there. And then they ask you to open or download that PDF, and just go to the next slide. This is when it starts to get a bit more phishing and devious, so it opens up and it says, right, you need to log in to Windows to be able to view it. First of all, that would probably prick my ears, because why am I opening up Windows to view a PDF? But anyhow. But yeah, there was a Microsoft login and we’ve got a bit of a close up on the URL, and that’s where it’s a fake one. So you’ve mentioned it before, the Dropbox and SharePoint, OneDrive, they are, I think, one of the biggest, most impersonated companies out there because everybody’s using Microsoft.
For those people using Windows, I think one good thing for people to remember is, you know, if you’re working on your work laptop and someone sends you something and you click on it and it’s asking you to sign into Windows, but you’ve already been using Word, you’ve been using PowerPoint. There’s, you know, just take a second and go, hang on. Do I need to… is this legit? Then that’s when you can go and look at your URL, like on the last slide, it clearly wasn’t a Slack URL to me. Things like that that people can do just to kind of, you know, take extra precaution: I should only be signing in when necessary.
STEPHEN BURKE [00:21:59] I couldn’t say it any better. If you’re asked for any credentials, whether internal, on your corporate network or at home, whether it be to online banking or something that has your sensitive personal information on it, anything that asks you to log in or put in a two factor code, it should raise an instant “hang on a second. What’s going on here? Why am I being asked to do that?” Don’t just do it and hope for the best. It’s: why am I doing this? Does this make sense? This doesn’t normally work like that. It should be default not to do it, as opposed to click, rush, do this, and then go, you know, maybe I shouldn’t have done that. It doesn’t have to be that way. With Security Awareness Month coming up next month, this is timely for me to be thinking about this: simulation, security awareness, training courses and videos. And it all helps to build that network of human sensors, that human firewall that people talk about. But it’s so effective, cost effective. And it’s not like… one ransomware event could cost you millions, but it’s one person, one email. So it’s not to be sniffed at in terms of how effective it is in conjunction with the other technical defences that one should have. I’m not saying don’t have them, but they only go so far. And don’t assume because you have them you’re in a good place. Which is, I suppose, my finishing point on this: people inside an organisation, they feel it’s the job of IT security or IT to protect the network. It’s not their responsibility. I think that this has to change. It’s everybody’s responsibility. It’s a business risk. It’s not just an IT risk. And collectively, as the network of human sensors, we can all do our bit to protect the network and obviously report phishing emails. Don’t click. Think before you click. All that stuff all adds up to protecting it.
DAVID TAYLOR [00:23:54] Yes, some great points. We’ll move on to a final story. And that is that WordPress websites have been attacked via a File Manager plugin vulnerability. WordPress is huge, a lot of websites sit on it. This story is 700,000 WordPress websites. It’s thought the WordPress File Manager plugin has a critical vulnerability that’s actually been exploited by hackers. So what’s the plugin? Basically it’s a file manager. This is a tool to upload, archive, edit and delete any files or folders on a website’s back end. So pretty, pretty important stuff. So the hackers are now exploiting versions 6.8 and below of the File Manager. They’re using this to inject the websites with malicious code. And there’s actually another interesting turn in this story: the hackers have actually password protected the websites compromised using this, to stop other hacking groups from getting in. And basically, you know, that just kind of shows how good or how bad of a critical vulnerability this is, that it’s so hot that, you know, hackers are having to password protect it to stop other hackers getting in. I think it was Wordfence, which is a WordPress security firm, that said it had blocked over 450,000 exploit attempts in the last several days alone. So, yeah, definitely. Clearly a hot target for the hackers. But luckily, the makers of WordPress File Manager have issued an update, which is version 6.9. And that was on September the 1st. And that seems to resolve the issue. But I think there’s probably a lot of websites, a lot of people with the WordPress plugin, that probably haven’t got the update yet.
STEPHEN BURKE [00:25:43] Yeah, well, this brings up several things that we’ve talked about before, David, and one is patch management. It is such a low hanging fruit security item, security control that, let’s face it, you’re patching vulnerabilities. That’s what cyber criminals want to exploit, is exploit vulnerabilities to get a foothold onto a website in this case. Get at data that may be hosted, given it’s a file manager. There’s gonna be data on that website. What data is it? Should it be internal? Or maybe it’s publicly available information. Who knows? It could lead to reputational damage or could lead to a breach of GDPR or anything, depending on what data has been uploaded, depending on the company that’s using WordPress. WordPress. What can I say? Every year there’s something with WordPress, unfortunately, it’s so widely used. It’s great as a content management system, ease of deployment. But there are constant vulnerabilities always out there. Which leads to a lot of attacks. Which ties to a point around the commercialisation of cyber crime. You’ve got so many people providing different services: denial of service, ransomware as a service, phishing as a service. But then you’ve got these tools that are able to exploit websites that, you know, like we said to you, for $50 for one month, you could try and find out all the WordPress sites out there that are vulnerable to this plugin because they haven’t been patched. And guess what? You can now go on your merry way, David. And you don’t have to be a seasoned cyber criminal to do that. Which is why, if you can ring-fence it once you’re in, you’re in and no one else can get in. Well, then that’s ultimately what they’re trying to do, is they’re trying to safeguard their own money that they’re going to make out of this, subject, obviously, to what data they’re going to get at. But patch management front and center, it’s just this low hanging fruit for people.
They think they’re doing patch management by turning on automatic updates on desktops and whatnot, but are they doing software? I would challenge every company: are you updating software on the network? It’s easier to do the operating systems, less so on the software, because you’re going to impact the business. And this is the point we brought up the last day, David. It was, how are you gonna get the buy in from the business to turn machines on and off, to reboot, in order for the patch to become effective? And with software it’s even more troublesome, because of the fear that maybe the piece of software may not come back on the way it should do if it’s on the server. But, you know, it has to be done. And software, unfortunately, is often left behind. WordPress is software. It’s on a server. It is a website as much as anything. And it can be patched, it should be patched. The patch has been available from the first. It should be a highly critical action item for most people to look at it and see, you know, they may not have it. Just because you have WordPress doesn’t mean you have this particular plugin itself. And so that should be something to look at. But by running a regular vulnerability assessment scan of your network, you should, you would find this.
DAVID TAYLOR [00:28:40] Definitely, I think this is maybe slightly different, given that it is the software. But when we had Josh here, who is our Lead Security Analyst in Celerity and who’s usually on here, we were talking about remote working yesterday and how patching is quite difficult and that sort of thing. And it’s very difficult, actually. He says it’s quite difficult at the best of times, but now a lot of people are working remotely, that just makes it even harder. Is that right?
STEPHEN BURKE [00:29:09] It’s about visibility. And we wrote an article about coming back to the office, asking the questions of staff to say, what equipment did you use? Did you use personal equipment? Did you use the equipment we gave you? That may have been less secure because of the rush to get it out there and we just never had the time to properly patch it and properly deploy it. But, you know, what accounts were you using? Did you give it to family members? Did you give your passwords to someone? Did they install software onto this device? That visibility is gone. There are so few companies, even companies that had, you know, managed service providers who are monitoring their corporate network, that have visibility of when people were working from home. And so that big gap has to be risk assessed before people come back into the office and those devices can be trusted to connect properly. Whether the data has gone outside of Europe, for example. And so, yes, it is difficult, but it’s not impossible. And yes, you can monitor endpoint devices. You’ve got solutions like network access control that ensure that there’s a common build standard, that if a device connects to the network, whether it be by the VPN or whatnot, the NAC solution can tell you when the system is out of whack with what the standard should be. As in, patch level should be this, operating system should be this. So there are ways and means to get around it. It just requires knowledge that those solutions exist. It does sometimes require investment to do it, given that work from home ain’t going to go away anytime soon. It sounds to me that this is going to be a core focus for people to be looking at: A, visibility of what people are doing; B, making them aware of social engineering and different attacks that may happen against people, but also what they should or shouldn’t do on those devices and systems and who to give access to.
But then just the devices themselves, with NAC on them, so that you maintain a level that, you know, you could stand up in front of anybody and say, look, we’re installing patches, we’re updating it, and we see the software is where it needs to be. What more could I have done? It becomes an industry wide issue as opposed to an individual company issue. And that’s somewhat of a better place to get to.
DAVID TAYLOR [00:31:23] Perfect. Well, I think that’s a great point for us to finish on. But yeah, I’d just like to thank you for coming on again. I really appreciate your advice and your expertise in this area, and hopefully we’ll get you on a live show in the future. For everyone else, thanks for watching Secure with Celerity. And we’ll catch you on the next update. See you then.
STEPHEN BURKE [00:31:44] Thanks, David.