June 8, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Danger, Will Robinson! Amazon is taking liberties with your Internet access
Today, June 8th: If you use Alexa, Echo, or many other Amazon devices, you will be automatically opted-in to their new Amazon Sidewalk:
The new wireless mesh service will share a small slice of your Internet bandwidth with neighboring Sidewalk-capable devices that don’t have connectivity. Sidewalk will also help your Amazon devices get a sliver of bandwidth from other Sidewalk users when you don’t have a connection.
The security and privacy implications of this are staggering, in particular since it's an opt-out service; many people (and many office networks!) will have no idea they are in this program.
Follow these steps to opt out:
So how exactly did Colonial Pipeline get ransomware?
Why, I’m glad you asked that! Because it is 100% positively a lesson in how to get hacked. Honestly. According to this article, three problems:
The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password [to] a virtual private network account…. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network ... The account’s password has since been discovered inside a batch of leaked passwords on the dark web. [emphasis added]
So, let’s break this down:
- Multi-Factor Authentication was not in use (otherwise having the password wouldn’t have been enough to get in)
- An account no longer in use was still active on the VPN and had access to network resources
- That account’s password was on the dark web and no one knew about it nor changed it. (I covered how to fix this problem in a previous newsletter.)
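All three of those problems are things you can check for yourself with an account export from your VPN or directory. Here is an added example (my illustration, not code from the article or from Colonial Pipeline) of a small audit script that flags enabled accounts with no MFA, accounts that are dormant, and accounts whose password hash appears in a leaked-password list. The account data and the "leaked" passwords are constructed for the example; the breach lookup mimics the SHA-1 prefix (k-anonymity) range query that Have I Been Pwned's Pwned Passwords service uses, but runs against a local dictionary so it works offline.

```python
"""Account-hygiene audit (added example, not from the newsletter).

Assumptions, all constructed for this example:
- accounts come from a VPN/directory export with username, enabled flag,
  MFA flag, last-login date and the SHA-1 of the password
- breach data is keyed like a Pwned Passwords range response:
  5-char SHA-1 prefix -> {remaining 35-char suffix: occurrence count}
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[date]   # None means the account never logged in
    password_sha1: str           # uppercase hex SHA-1, as the export provides it


def sha1_hex(password: str) -> str:
    """SHA-1 hex digest of a password, uppercase like Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "breach corpus": passwords we pretend turned up in a leak.
_LEAKED_PASSWORDS = ["Spring2020!", "Password1", "Summer2019"]
BREACH_RANGES: Dict[str, Dict[str, int]] = {}
for _pw in _LEAKED_PASSWORDS:
    _h = sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], {})[_h[5:]] = 42   # count is arbitrary here


def password_is_breached(password_sha1: str,
                         ranges: Dict[str, Dict[str, int]] = BREACH_RANGES) -> bool:
    """k-anonymity style lookup: only the 5-char prefix selects a range;
    the full hash is compared locally against the suffixes in that range."""
    prefix = password_sha1[:5].upper()
    suffix = password_sha1[5:].upper()
    return suffix in ranges.get(prefix, {})


def audit_accounts(accounts: List[Account], today: date, dormant_days: int = 90,
                   ranges: Dict[str, Dict[str, int]] = BREACH_RANGES) -> Dict[str, List[str]]:
    """Return {username: [findings]} for enabled accounts showing any of the
    three failure modes from the Colonial Pipeline breakdown. Disabled
    accounts are skipped, because a disabled account cannot be used to log in."""
    findings: Dict[str, List[str]] = {}
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        if not acct.mfa_enabled:
            issues.append("no_mfa")
        # Never-logged-in accounts count as dormant: nobody would notice misuse.
        if acct.last_login is None or acct.last_login < cutoff:
            issues.append("dormant")
        if password_is_breached(acct.password_sha1, ranges):
            issues.append("breached_password")
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample export.
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, True, date(2021, 6, 1), sha1_hex("Correct-Horse-2021")),
    Account("contractor_old", True, False, date(2020, 11, 15), sha1_hex("Spring2020!")),
    Account("asmith", True, False, date(2021, 5, 30), sha1_hex("Password1")),
    Account("retired_disabled", False, False, date(2019, 2, 1), sha1_hex("Summer2019")),
    Account("newhire", True, True, None, sha1_hex("Welcome-Aboard-99")),
]


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed export as of the newsletter date."""
    return audit_accounts(SAMPLE_ACCOUNTS, today=date(2021, 6, 8))


if __name__ == "__main__":
    for user, issues in run_sample().items():
        print(f"{user}: {', '.join(issues)}")
```

Run it and the contractor account lights up on all three counts, exactly the combination described in the article. In a real deployment you would feed it the export from your VPN appliance or identity provider and replace the local dictionary with a range query against a breach service, so that only the five-character prefix ever leaves your network.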
And did you hear that they paid $4.4 Million for the decryption tool?
Federal government getting serious about ransomware
Last week, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger released a memo urging organizations of all sizes to take basic steps to protect themselves against ransomware:
Among the steps Neuberger said companies should take are implementing multifactor authentication, bolstering security teams, regularly testing backups and updating patches, testing incident response plans and separating and limiting internet access to operational networks.
Pop Quiz: How many of those things have I written about in this newsletter? 😀
Also last week, it became known that the US Department of Justice plans to give ransomware investigations a priority similar to that of terrorism investigations.
Of course, the U.S. Treasury Department announced last fall that “Facilitating ransomware payments to sanctioned hackers may be illegal”, and in the past few weeks, numerous current and former federal officials have spoken publicly about the need for a ban on ransomware payments.
Are the insurance companies making things worse?
There’s been a lot of chatter lately about the explosive growth of ransomware – with attribution (by many) laid at the door of cyber insurance carriers who encourage customers to pay the ransom (and the insurance of course pays it for them) as the fastest means of ending the problem. One large insurance company in Europe recently announced that they would stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
Soooooo, what to do?
- Prevent: Patch all the things, think before you click
Guess what I plan to write about next week? See you then!
Talk to you again soon!
Security Awareness Training Goes Live Again!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Thankfully, live training is making a comeback! So wherever you and your employees may be, I can deliver a fun and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺