{"id":23366,"date":"2022-05-27T18:56:46","date_gmt":"2022-05-27T22:56:46","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=485707"},"modified":"2022-05-31T12:00:02","modified_gmt":"2022-05-31T16:00:02","slug":"cyber-security-today-week-in-review-for-friday-may-27-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-may-27-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday May 27, 2022"},"content":{"rendered":"<p>Welcome to Cyber Security Today. From Toronto, this is the Week in Review for the week ending Friday May 27th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p>In a few minutes I\u2019ll be joined by Terry Cutler, head of Montreal\u2019s <a href=\"https:\/\/www.cyologylabs.com\/?r_done=1\" rel=\"noopener\">Cyology Labs<\/a>, to discuss some of the news from the past seven days. First, a roundup of highlights:<\/p>\n<p><strong>Once again<\/strong> ransomware was big in the news: <a href=\"https:\/\/www.advintel.io\/post\/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape\" rel=\"noopener\">Researchers said<\/a> that for various reasons the Conti gang has decided to shut down its brand and instead work through affiliated gangs. Terry and I will discuss whether infosec pros should care.<\/p>\n<p><strong>Meanwhile<\/strong> a <a href=\"https:\/\/cyberint.com\/blog\/research\/ransomhouse\/\" rel=\"noopener\">new extortion group called RansomHouse<\/a> has emerged. According to one news site, it claims the Saskatchewan Liquor and Gaming Authority was a victim in December.<\/p>\n<p><strong>The latest<\/strong> annual Verizon Data Breach Investigation Report <a href=\"https:\/\/www.itworldcanada.com\/article\/human-error-tops-causes-of-data-breaches-says-verizon-report\/485343\" rel=\"noopener\">was released<\/a>. 
The authoritative report, which analyzes information on cyber incidents and data breaches from a large number of cybersecurity companies, found ransomware incidents were up 13 per cent last year over 2020.<\/p>\n<p>It also found mistakes by employees, partners and others were responsible for 14 per cent of all data breaches in 2021.<\/p>\n<p><strong>Terry and I<\/strong> will also look at a report that hackers found a way to open accounts on social media and other sites in a victim\u2019s name with just their email address with the goal of stealing their personal information.<\/p>\n<p><strong>Clearview AI<\/strong>, which sells facial recognition software to police forces, has been under attack for a long time for copying billions of images of people off the internet to use for comparative purposes. It\u2019s facing new problems: <a href=\"https:\/\/ico.org.uk\/about-the-ico\/news-and-events\/news-and-blogs\/2022\/05\/ico-fines-facial-recognition-database-company-clearview-ai-inc\/\" rel=\"noopener\">The United Kingdom\u2019s privacy commissioner has fined<\/a> the company the equivalent of over $9 million for using people\u2019s faces without their consent. And it ordered Clearview to delete the images of UK residents from its databases. Clearview has also been fined by regulators in France, Italy and Australia. In Canada, <a href=\"https:\/\/www.itworldcanada.com\/article\/bc-firm-criticized-by-canadian-privacy-commissioners-in-facebook-cambridge-analytica-scandal\/424395\" rel=\"noopener\">Clearview is fighting an order<\/a> by privacy commissioners here to delete the images of Canadians in its databases.<\/p>\n<p><strong>Finally,<\/strong> there\u2019s more fallout from the Cambridge Analytica scandal. The now-defunct British firm acquired personal information about tens of millions of Facebook users from an app developer. 
The city of Washington, D.C., <a href=\"https:\/\/s3.documentcloud.org\/documents\/22033846\/202205-3.pdf\" rel=\"noopener\">launched a lawsuit<\/a> against Mark Zuckerberg, who heads Facebook\u2019s parent company Meta. It alleges Facebook\u2019s failure to tell users their personal information may be shared with third-party applications without their knowledge misled subscribers. <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2019\/07\/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook\" rel=\"noopener\">In 2015 Facebook was fined $5 billion<\/a> by the U.S. Federal Trade Commission over the incident.<\/p>\n<p><em>(The following transcript has been edited for clarity)<\/em><\/p>\n<p class=\"western\"><strong>Howard<\/strong>: Ransomware gangs often rebrand as law enforcement agencies crackdown on them. But this week came news that the Conti ransomware gang, known for attacking big companies and government departments, is retiring its brand to instead work closer with other gangs. What do you make of this news?<\/p>\n<p class=\"western\"><strong>Terry Cutler:<\/strong> We\u2019ve heard this before \u2014 a group retires, then they come out of retirement and they rebrand. I think what\u2019s happening here is that there\u2019s just way too much heat on them [Conti] and some of their members may be getting a little scared. Some are asking the group to like tone it down a little bit. That\u2019s why I think they\u2019re switching now to smaller groups. I think after they threatened the Costa Rican government that\u2019s where they\u2019d rather just work with other operators like Karakurt or BlackByte. Remember, it\u2019s the Conti brand that\u2019s shutting down. The actors are still there. They\u2019re just shutting things down like the negotiation site, the chat rooms, the messenger servers and the proxy servers. 
That doesn\u2019t mean that the threat actors themselves are retiring.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> The research, which was done by a firm called Advanced Intel, argues that the recent and highly publicized attack on government departments in Costa Rica has been used as a smokescreen for Conti\u2019s strategy shift. In the past couple of weeks Conti has made us think that it\u2019s trying to overthrow the government, but it\u2019s really restructuring. What do you think?<\/p>\n<p class=\"western\"><strong>Terry:<\/strong> I think that\u2019s part of their great grand finale, to use this as a publicity stunt. This way they can perform their own death, and then maybe, a rebirth. We have to see what\u2019s going to happen. But I also heard that things were a little bit toxic, too, because the group pledged their allegiance to Russia and was in favor of the invasion of Ukraine. Maybe that didn\u2019t sit well with other members. That\u2019s why there was some leakage of some private gang chat messages and logs.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> That would appear true according to some interpretation. The leak was a bit of vindictiveness by someone regarding the Conti endorsement of the Russian invasion of Ukraine.<\/p>\n<p class=\"western\">So for those of you who are keeping score, this report says Conti will focus on supporting data-stealing groups such as <a href=\"https:\/\/www.accenture.com\/us-en\/blogs\/cyber-defense\/karakurt-threat-mitigation\" rel=\"noopener\">Karakurt<\/a>, BlackBasta and BlackByte, as well as ransomware groups called AlphaV\/BlackCat, Hive, Hello Kitty and <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-avoslocker\" rel=\"noopener\">AvosLocker<\/a>. 
So if I\u2019m a cyber security leader at a company, because Conti is doing this do I need to change my strategy in any way?<\/p>\n<p class=\"western\"><strong>Terry:<\/strong> First I\u2019d like to know who comes up with the names of these groups.<\/p>\n<p class=\"western\">Your defences really come down to visibility [on the network]. The goal here is to shrink your attack surface as much as possible. We know there\u2019s no silver bullet to stop a hacker, but you want to make it as difficult as possible for them to get in. A lot of companies right now don\u2019t have the right tools or the automation in place, or maybe not even working with the right outsourced partner. So I don\u2019t think they\u2019re going to fare well in a cyberattack, because there\u2019s so many ways for an attacker to get into your system. IT is dealing with phishing attacks, untrained users, stolen passwords, unpatched systems, they don\u2019t have EDR [endpoint detection and response software] in place, there\u2019s no network monitoring, no log management \u2026 The IT department has to deal with all these ways that attackers can get in. And on top of that IT people are not necessarily trained in cybersecurity or incident response and forensics. They need to team up with a cybersecurity expert or firm to keep an eye on their infrastructure.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> Listeners may recall that a year ago an international group of researchers and vendors called the <a href=\"https:\/\/www.itworldcanada.com\/article\/task-force-calls-for-international-action-against-ransomware\/446710\" rel=\"noopener\">Ransomware Task Force<\/a> issued a report, which in part called on governments to take more action to fight ransomware groups. <a href=\"https:\/\/securityandtechnology.org\/wp-content\/uploads\/2022\/05\/rtf-progress-report-may22-1.pdf\" rel=\"noopener\">Last Friday it issued a first-year report<\/a> looking back at what was accomplished. 
Admittedly fighting cybercriminals in the digital era is no small task, but most researchers, including the annual Verizon Data Breach Investigation report \u2014 which was released on Tuesday \u2014 agree that ransomware is only increasing. However, some governments and insurance agencies think it\u2019s slowing down or at least stabilizing. This lack of consensus is a challenge, the Ransomware Task Force authors say. Briefly, the Task Force believes that of its 48 recommendations there\u2019s been tangible progress on 12, such as promises by a number of governments to work together to fight ransomware. Here\u2019s an example: The U.S. said that it\u2019s about to convene a joint [inter-department] ransomware task force which was mandated under a recently passed federal law. My question to you is, are governments doing enough \u2014 and in particular is Canada doing enough to fight ransomware?<\/p>\n<p class=\"western\"><strong>Terry:<\/strong> Here\u2019s the biggest challenge. It\u2019s all around attribution \u2014 finding out where these people [threat actors] are, and as you know it\u2019s really difficult to find out who\u2019s behind these attacks because there\u2019s so many ways to hide their tracks. And the moment they\u2019ve uncovered one server there might be no logs on there, or if there are logs the guy\u2019s hidden another one. So eventually there\u2019s gonna be no logging. In some cases there\u2019s going to be human error \u2014 maybe the [victim\u2019s] backups weren\u2019t done properly and there\u2019s months of data missed. You\u2019re faced with the challenge of do we pay to get our data back or do we not pay it and lose our data? \u2026 That\u2019s a big challenge, especially with small businesses: If you don\u2019t pay that ransom and you don\u2019t have a proper backup, you\u2019re going to go out of business. But when organizations don\u2019t pay, attackers lose their main revenue stream. 
That\u2019s why they\u2019re going to go after small and medium businesses, and critical infrastructure providers \u2026 That\u2019s why I think the focus now is going to be on helping organizations prepare and respond to these types of attacks.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> Also this week, researchers at Cyberint released a report on a new extortion group called RansomHouse. It specializes in stealing data and then holding it for ransom. So it doesn\u2019t bother with encrypting data. According to the Bleeping Computer news site, the Saskatchewan Liquor and Gaming Authority was one of its victims. <a href=\"https:\/\/www.saskatchewan.ca\/government\/news-and-media\/2021\/december\/28\/cyber-security-incident-at-slga\" rel=\"noopener\">In December the authority acknowledged<\/a> being hit by a cyber incident. That forced it to temporarily take IT systems offline. This is seemingly part of a new trend for threat groups to just forget about infecting a firm or government with ransomware \u2014 just steal the data and hold it for ransom.<\/p>\n<p class=\"western\"><strong>Terry:<\/strong> Again, it all comes down to no [network] visibility inside these organizations \u2026 There\u2019s a tactic that I tried a couple of years ago where you could do some advanced Google searches to see if customers\u2019 data leaked because they were misconfiguring their database backups. And it was actually copying the data to another server, but it was unlocked. So we would try and contact these customers and say, \u2018Your data is visible. How about we come in and do a cyber audit to help lock you down.\u2019 And we would be accused of being the hackers trying to extort them. That\u2019s why it\u2019s very difficult to try and help organizations take cyber security seriously.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> Companies shouldn\u2019t feel they\u2019re defenseless. 
They actually have quite a bit of control over their defenses.<\/p>\n<p class=\"western\"><strong>Terry:<\/strong> One of the things they need to do is a cybersecurity audit, especially if they haven\u2019t had a penetration test done in a long time \u2014 and a penetration test is essentially what hackers are doing. They\u2019re giving you a free penetration test \u2014 but if you fail you just lost your data. The difference with us on the ethical hacker side is that we\u2019re going to provide you a report that shows you all the vulnerabilities. And it\u2019s going to cost far less to get a proper audit done than having your data ransomed.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> The last story that I want to look at was an interesting report about crooks tricking people into getting social media and other accounts that they didn\u2019t know they had.<\/p>\n<p class=\"western\"><strong>Terry:<\/strong> Cybersecurity researchers were able to reveal that hackers can actually hijack your online accounts before you even register them. They did this by exploiting a flaw that\u2019s now been fixed in most popular websites like Instagram, Linkedin, WordPress, and Dropbox. It\u2019s called a pre-hijacking attack. The hacker needs to know your email address. They can find this out either by email correspondence or through data breaches. The attacker then creates an account on a vulnerable site. The site sends confirmation emails to you. The hope is you get annoyed by this email and confirm or create the account. If you do either, you use the password the attacker set up. If you ask for a password reset, the hacker sees that, too. The problem is there\u2019s a lack of strict verification of email registrations. The best way to deal with this is that once you\u2019ve registered your account immediately activate two-step verification.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> So this is another form of what\u2019s broadly called a social engineering attack. 
The crooks are betting that you\u2019re going to get tired of being pestered by a notification about an account you didn\u2019t know you had and so you\u2019ll ask for a password reset. But one way or another the crook still has access, so eventually they\u2019re going to start to get personal information about you. This is especially dangerous if what they do is they get hold of your Linkedin account. There\u2019s a number of techniques that the crooks can use so I\u2019ve simplified it. Isn\u2019t this a major failure of websites and their process management?<\/p>\n<p class=\"western\"><strong>Terry:<\/strong> It\u2019s a registration process. Sites want to make it as simple as possible for users to be on-boarded, because if it\u2019s complex either they won\u2019t subscribe or they\u2019re going to start emailing the support hotline. But it\u2019s up to sites and people to secure their accounts. Cybersecurity is everyone\u2019s responsibility. Multifactor authentication is one of the biggest keys to stopping these breaches and people are still not using it.<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-may-27-2022\/485707\">Cyber Security Today, Week in Review for Friday May 27, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion about the latest move by the Conti ransomware gang and more<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-may-27-2022\/485707\">Cyber Security Today, Week in Review for Friday May 27, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World 
Canada<\/a>.<\/p>\n","protected":false},"author":17,"featured_media":20668,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-23366","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=23366"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23366\/revisions"}],"predecessor-version":[{"id":23497,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23366\/revisions\/23497"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/20668"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=23366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=23366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=23366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}