{"id":25875,"date":"2022-07-22T15:12:46","date_gmt":"2022-07-22T19:12:46","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=493777"},"modified":"2022-07-26T13:00:34","modified_gmt":"2022-07-26T17:00:34","slug":"cyber-security-today-week-in-review-for-friday-july-22-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-july-22-2022\/","title":{"rendered":"Cyber Security Today, Week In Review For Friday, July 22, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. From Toronto, this is the Week in Review for the week ending Friday, July 22nd, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"3\">Terry Cutler of Montreal\u2019s <a href=\"https:\/\/www.cyologylabs.com\/?r_done=1\" rel=\"noopener\">Cyology Labs<\/a> will join me in a few minutes to discuss recent news in cybersecurity. But first a review of some of what happened in the last seven days:<\/p>\n<p data-ar-index=\"4\"><strong>The Canadian Anti-fraud Centre,<\/strong> which handles reports on all types of fraud, has been victimized by a phishing scam. Crooks are sending out emails purporting to be from the centre warning victims their personal data is being misused. The goal is to trick people into clicking on a link to find out more. While the sender\u2019s address spoofs the Anti-fraud Centre, the link in the email is a tip-off that it\u2019s a scam because it goes to an address called \u201cmountainbuffalo.\u201d Terry and I will discuss how organizations can protect themselves from such scams.<\/p>\n<p data-ar-index=\"5\">We\u2019ll also talk about the big Rogers internet outage earlier this month.<\/p>\n<p data-ar-index=\"6\"><strong>Developers of e-commerce platforms<\/strong> have again been warned to tighten security around their applications. This comes after researchers at Recorded Future discovered payment card skimming scripts have been inserted into three online ordering platforms used by over 300 restaurants in the U.S.<\/p>\n<p data-ar-index=\"7\"><a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors\" rel=\"noopener\"><strong>The U.S. 
has seized<\/strong><\/a> cryptocurrency accounts with about US$500,000 stemming from ransomware attacks. Some of the money included ransoms paid by healthcare providers in Kansas and Colorado. North Korean hackers are believed to have been behind the attacks. An FBI investigation into the incidents led to the discovery of the previously unseen Maui strain of ransomware.<\/p>\n<p data-ar-index=\"8\"><strong>Four new ransomware strains<\/strong> <a href=\"https:\/\/www.itworldcanada.com\/article\/four-new-ransomware-groups-to-be-aware-of\/493428\" rel=\"noopener\">were described this week<\/a>. One is called Luna. According to researchers at Kaspersky, it goes after Windows, Linux and VMware systems. The other three have been spotted by researchers at Cyble. They are called Omega, Lilith, and RedAlert, which, like Luna, can exploit Windows, Linux and VMware systems.<\/p>\n<p data-ar-index=\"9\"><strong>Linux vulnerabilities<\/strong> and poorly-secured cloud application configurations are being leveraged to expand a criminal botnet. <a href=\"https:\/\/www.sentinelone.com\/blog\/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts\/\" rel=\"noopener\">Researchers at SentinelOne said<\/a> the botnet run by the 8220 Gang has jumped to include 30,000 hosts. Those infected devices are chewing up power on corporate servers for running cryptomining applications.<\/p>\n<p data-ar-index=\"10\"><a href=\"https:\/\/thehackernews.com\/2022\/07\/cisco-releases-patches-for-critical.html\" rel=\"noopener\"><strong>Cisco Systems released<\/strong><\/a> security patches for a number of products, including its Nexus Dashboard for data centres and cloud network infrastructure, certain models of Cisco Small Business routers and the Cisco IoT Control Center.<\/p>\n<p data-ar-index=\"11\">Owners of Apple devices should make sure they have installed the latest security patches. This week the company issued updates for iOS, iPadOS, macOS, tvOS and watchOS. 
Usually they are installed automatically, but it doesn\u2019t hurt to check that\u2019s been done. It\u2019s more important than ever to be running patched devices after researchers at ESET discovered spyware called CloudMensis has been targeting Macs.<\/p>\n<p data-ar-index=\"12\"><i>(The following transcript has been edited for clarity. To hear the full discussion play the podcast)<\/i><\/p>\n<p data-ar-index=\"13\"><strong>Howard:<\/strong> Let\u2019s start with something that I didn\u2019t get a chance to discuss last week because I was off, <a href=\"https:\/\/www.itworldcanada.com\/article\/rogers-ceo-admits-outage-caused-by-maintenance-operation\/492031\" rel=\"noopener\">and that\u2019s the huge service outage suffered by Rogers subscribers two weeks ago<\/a> today. Almost its entire communications network \u2014 internet and cellular \u2014 went down for hours. That hit businesses, government departments and hospitals. Some people were unable to make 911 calls. It was an unprecedented event, and one that leaves the company open to complaints that it doesn\u2019t have resiliency. Rogers blamed the outage on a maintenance update by its programmers to its core network, which caused some of its routers to malfunction. Today Rogers will present a report to this country\u2019s telecom regulator, the Canadian Radio-television and Telecommunications Commission, on what happened and what it plans to do to prevent a recurrence. Hopefully a version that hasn\u2019t been too sanitized will be made public. There will also be Parliamentary hearings. Terry, what did you think when this happened? Defensible or inexcusable?<\/p>\n<h4 data-ar-index=\"14\"><a href=\"https:\/\/crtc.gc.ca\/eng\/archive\/2022\/lt220712.htm\" rel=\"noopener\">Related content: What the CRTC wants Rogers to explain<\/a><\/h4>\n<p data-ar-index=\"15\"><strong>Terry:<\/strong> We\u2019ve seen these types of malfunctions happen in the past with other vendors and suppliers. 
So when I saw this happening I thought an update had gone wrong or there was something wrong in the core switch. In my mind it came down to three things: Human error, a disgruntled employee or, worse, a cyber attack from Russia because of the new sanctions imposed by the Canadian government.<\/p>\n<p data-ar-index=\"16\"><strong>Howard:<\/strong> But Rogers says, no, it was a maintenance update, it was completely our fault. It wasn\u2019t an update from a third-party supplier. What struck me is network maintenance updates wouldn\u2019t be uncommon at any telecom carrier. So why would this one have had such a huge impact?<\/p>\n<p data-ar-index=\"17\"><strong>Terry:<\/strong> In my experience even doing updates on a computer or a switch can be a problem. If a switch was set in limbo, for example, if it was malfunctioning but still showed signs that it was perfectly fine, the moment you do an update it could malfunction. That\u2019s why IT guys are always sweating whenever they\u2019re doing a firmware update or something, because if it goes wrong it\u2019ll fry the device. We\u2019ve seen cases where we were doing updates to a hard drive\u2019s firmware and it wiped out the drives. In this case the core switch update went wrong and all the switches and all the [cell] towers lost communications \u2014 but they were still in an online state and still able to answer requests. But they weren\u2019t able to fulfill the request because the routes and services were missing. What was interesting is why would anybody want to do a major update on a Friday morning? That was the only part that really bothered me. 
If you\u2019re doing major plays like this at least do it on the weekend, or at one o\u2019clock in the morning when there\u2019s maybe less load.<\/p>\n<p data-ar-index=\"18\"><strong>Howard:<\/strong> And of course one would expect that Rogers\u2019 developers would have tested and retested again on a parallel network to make sure that there wouldn\u2019t be a problem.<\/p>\n<p data-ar-index=\"19\"><strong>Terry:<\/strong> That is a great comment. I always hear, \u2018We have a development network, a testing environment, and then we have the production network,\u2019 which is supposed to be identical. In over 20 years of IT it\u2019s extremely rare that I see a development environment be identical to production. There\u2019s always some minor change, one minor difference, and that minor difference could make all the difference in an outage.<\/p>\n<p data-ar-index=\"20\"><strong>Howard:<\/strong> What does this say about the ability of Rogers developers to write clean code?<\/p>\n<p data-ar-index=\"21\"><strong>Terry:<\/strong> I don\u2019t know if I would necessarily blame them, because you know they\u2019re all using industry-level technology like Cisco, Juniper, Ericsson and such. I think that maybe one of the routers was in a limbo state. Or one of the common problems that we see sometimes is what\u2019s called a unicode problem. That\u2019s where maybe a developer copied and pasted code from an HTML page into a text format and because it didn\u2019t convert properly there was a character that wasn\u2019t able to be interpreted properly, which could cause the whole update to fail.<\/p>\n<p data-ar-index=\"22\"><strong>Howard:<\/strong> One of the things the crisis showed was how unprepared Canadian organizations are. They\u2019re too trusting that one internet supplier will do for all their needs. They\u2019re really betting that supplier is not going to have a major outage. 
But Interac, which runs the network that Canadian businesses rely on for credit and debit card payments, didn\u2019t have the ability to switch to another network if the Rogers network went down. I suppose Interac might argue that over the years Rogers\u2019 network has been fine, but this incident also shows that Interac just wasn\u2019t prepared.<\/p>\n<p data-ar-index=\"23\"><strong>Terry:<\/strong> At the same time the Rogers network was still somewhat online. Phones could still connect to it, it just wasn\u2019t able to fulfill the request. But there was no failover.<\/p>\n<p data-ar-index=\"24\"><strong>Howard:<\/strong> As a result of this incident Interac quickly said it will add another network for failover. But even before this incident businesses could have subscribed to an internet failover service to protect themselves if they wanted to shell out for that. Again, that\u2019s a cost. But I think that many organizations just trust the major Canadian carrier that they\u2019re with is not going to have problems.<\/p>\n<p data-ar-index=\"25\"><strong>Terry:<\/strong> One of the carrier network designs now is a technique called all-in-one IP, where all of the core services run in one location. The security policies are running in there, the routes, and then you have all the cell towers on it. The perimeter talks to the backend. [In an outage] those towers are technically still online but behind the towers. They can\u2019t connect to the core service. That\u2019s why sometimes you could be traveling and still connect to a Rogers tower. But then after that it just dies, so it stays connected. That\u2019s why the failover didn\u2019t kick in. 
We\u2019ve seen that happen countless times in the server world where the server is online but the service is in limbo.<\/p>\n<p data-ar-index=\"26\"><strong>Howard:<\/strong> Here\u2019s another thing: Telecom carriers have been meeting under Canadian federal guidance for years to share best practices to make their networks more secure. For example, the <a href=\"https:\/\/www.ic.gc.ca\/eic\/site\/smt-gst.nsf\/eng\/h_sf10727.html\" rel=\"noopener\">Canadian Security Telecommunications Advisory Committee<\/a> was established in 2010. It includes a telecom resiliency working group. So resiliency is no secret in the telecom industry. It makes you wonder what they are doing when they\u2019re having their discussions and the representatives from the various telcos go back to their offices. I\u2019ve been asking Ottawa about the work of that group. And all I got back was a statement saying resiliency is a shared responsibility between the public and private sectors.<\/p>\n<p data-ar-index=\"27\"><strong>Terry:<\/strong> This sounds more like a best practices advisory committee: Here\u2019s a list of dos and don\u2019ts. But they don\u2019t have the specifics of Rogers\u2019 internal network. They might say okay, you need to add another billion routers to this network. But if those routers receive a bad update it won\u2019t make a difference. Some telecom sharing should be involved. For example, Rogers could work with Telus and Bell, but then you\u2019re opening up vulnerabilities. And then there\u2019s competition. If you share how your network will be better \u2014 or worse \u2014 than the competition, they could start stealing your customers. 
It\u2019s a very fine line.<\/p>\n<p data-ar-index=\"28\"><strong>Howard:<\/strong> Rogers has acknowledged that <a href=\"https:\/\/mobilesyrup.com\/2022\/07\/15\/rogers-separate-wireless-wireline-traffic-prevent-outages\/\" rel=\"noopener\">it\u2019s now working on separating its wireless network from the internet network<\/a> so that one problem can\u2019t bring down both of them.<\/p>\n<p data-ar-index=\"29\">The other thing that bothers me about this incident is that some people in the media are discussing it with complaints about the lack of competition in telecommunications here. You have a major outage and somebody says that shows that there\u2019s a lack of competition. I don\u2019t see the connection between a lack of competition and what appears to be a major mistake made by someone or some group within a major carrier.<\/p>\n<p data-ar-index=\"30\"><strong>Terry:<\/strong> This problem can happen to any carrier, including Telus and Bell, because they\u2019re using the all-in-one IP network design. I think what\u2019s going to happen is you want to add more redundancy. More technology, more complexity and prices are going to go up, but people don\u2019t want to pay more. I agree Rogers should be segmenting off its network. But if that\u2019s going to add more complexity and customers have to log in to two separate systems \u2026 they might not like it.<\/p>\n<p data-ar-index=\"31\"><strong>Howard:<\/strong> We certainly will look forward to seeing the Rogers report that was sent to the CRTC. And I certainly expect sparks to fly at the Parliamentary hearings that will be coming up shortly.<\/p>\n<p data-ar-index=\"32\"><strong>Terry:<\/strong> I think human error is going to be blamed. 
But at the same time it\u2019s extremely difficult to avoid these types of errors because you can go through several checks and testing, but you never know what\u2019s going to happen when they hit the upload button.<\/p>\n<p class=\"western\" data-ar-index=\"33\"><strong>Howard:<\/strong> Moving on, I thought we should look at the recent report of the new <a href=\"https:\/\/www.itworldcanada.com\/article\/log4j-vulnerability-has-reached-endemic-proportions-says-report\/492741\" rel=\"noopener\">U.S. Cyber Safety Review Board into the Log4j2 crisis<\/a>. You may recall that crisis began with a discovery late last year of a vulnerability in this open source library that allows logs to be kept in applications. Many developers add this tool to their applications rather than creating a logging library themselves. The problem is that Log4j is so widespread it\u2019s hard to update. Not only that, some have been abandoned by their developers and so aren\u2019t being updated.<\/p>\n<p class=\"western\" data-ar-index=\"34\">Here\u2019s one of the report\u2019s key findings: \u201cThe Log4j event is not over. Log4j remains deeply embedded in systems. And even within the short period available for the review board\u2019s review community stakeholders have identified new compromises, new threat actors and new learnings. As a result we in IT industry have to remain vigilant against the risks associated with this vulnerability and apply best practices.\u201d Do you agree?<\/p>\n<p class=\"western\" data-ar-index=\"35\"><strong>Terry:<\/strong> I agree. If we just back up a bit, the review board is housed under the U.S. Department of Homeland Security, and it\u2019s loosely modeled on the National Transportation Safety Board, which investigates train derailments and plane crashes. But the Cyber Safety Board\u2019s information is a bit limited on how much companies or governments are disclosing threats. So the report showed big warnings that companies need to address. 
The biggest is they\u2019ve got to work closer together. But we\u2019ve been talking about this for 15 years. The board calls the Log4j2 vulnerability endemic, which means that this is going to be lingering around for the next 10, 15 years because there are so many intricacies between the logging capabilities and not proper patching. Maybe some new flaws will be found \u2026 So even though the Apache Software Foundation issued patches the biggest problem is around patch management.<\/p>\n<p class=\"western\" data-ar-index=\"36\"><strong>Howard:<\/strong> So first of all, you\u2019re behind the eight ball as an IT department if you don\u2019t have an inventory of all your corporate applications.<\/p>\n<p class=\"western\" data-ar-index=\"37\"><strong>Terry:<\/strong> Absolutely. A lot of companies may say \u2018We\u2019re not vulnerable,\u2019 but they may have wrong information. So inventory is going to be key here. A lot of companies don\u2019t realize that they have Log4j running because they\u2019ve never done an audit or an asset inventory.<\/p>\n<p class=\"western\" data-ar-index=\"38\"><strong>Howard:<\/strong> And it\u2019s not merely that you have to keep an inventory of your applications, you need to have an inventory of what\u2019s in the applications. This brings up a concept called a <a href=\"https:\/\/www.linuxfoundation.org\/tools\/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness\/\" rel=\"noopener\">software bill of goods<\/a>. This has long been proposed. It lists all the open source components that are inside an application. That will help IT departments know which applications have to be patched when vulnerabilities are found.<\/p>\n<p class=\"western\" data-ar-index=\"39\"><strong>Terry:<\/strong> But some of the issues we\u2019re going to find in the future \u2014 and we\u2019ve always had this problem \u2014 is when you start mass deploying the updates. 
It might break some functionality somewhere and if you\u2019re the IT guy you don\u2019t know how these services are being used. Your job is to make sure the service is online but the moment you patch it, it could break a functionality. Next, your help desk is lighting up [with complaints] and you have no idea what just broke.<\/p>\n<p class=\"western\" data-ar-index=\"40\"><strong>Howard:<\/strong> And I think it all points to how imperative it is for developers to have secure code writing practices.<\/p>\n<p class=\"western\" data-ar-index=\"41\"><strong>Terry:<\/strong> But at the same time they\u2019re behind the eight ball, too, because upper management wants this release to come out ASAP even though it\u2019s not finished yet. They might roll it out half-baked because of the pressure. So unfortunately, when things are rushed vulnerabilities could be created.<\/p>\n<p class=\"western\" data-ar-index=\"42\"><strong>Howard:<\/strong> But rushing shouldn\u2019t be an excuse.<\/p>\n<p class=\"western\" data-ar-index=\"43\"><strong>Terry:<\/strong> I agree, but it\u2019s a problem.<\/p>\n<p class=\"western\" data-ar-index=\"44\"><strong>Howard:<\/strong> Another thing I want to look at today is a warning from the Canadian Anti-fraud Center that it\u2019s the victim of a phishing scam. As I said at the top of this podcast, someone has been sending out emails from a spoofed CAFC address to people claiming a fraud complaint in their personal information has been sent to the center. To see details the victim has to click on a link. That link is infected. The email looks convincing because it has a reference number and it\u2019s written in good English and in particular the sender\u2019s email looks legitimate, but there are clues that this email is fraud. One of them is that email link. Look closely and it doesn\u2019t go to the antifraud center. 
It goes to some internet address called \u201cmountainbuffalo.\u201d Sharp-eyed people shouldn\u2019t be fooled, but it struck me that the spoofing of the email address could fool a lot of people.<\/p>\n<p class=\"western\" data-ar-index=\"45\"><strong>Terry:<\/strong> This is classic phishing. We [penetration testers] use similar techniques when we phish employees at a company to make sure they\u2019re doing their awareness training properly. We can change the display name of the sender and make it look like it came from anybody \u2026 Users need to be suspicious of a sense of urgency in these emails suggesting you need to click on something. Instead you should be trained to just hover over links before you click on them. And maybe the English in the message might be broken. Those are ways to know if it\u2019s a phishing scam.<\/p>\n<p class=\"western\" data-ar-index=\"46\"><strong>Howard:<\/strong> How can organizations protect their brand from being spoofed like this?<\/p>\n<p class=\"western\" data-ar-index=\"47\"><strong>Terry:<\/strong> It\u2019s extremely difficult. I get this question all the time. \u2018How come spamming is still happening? Why don\u2019t you just shut these systems down?\u2019 It\u2019s because scammers will set up a system on a legitimate IP and start sending out spam emails as if it\u2019s like coming from the Antifraud Center. When there\u2019s enough complaints against that domain the internet provider will block that IP from ever working again. But then the scammers will just set up a new system with a new IP address and carry on. 
It\u2019s very very difficult to stop these scammers from spamming everybody.<\/p>\n<p data-ar-index=\"48\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-july-22-2022\/493777\">Cyber Security Today, Week in Review for Friday, July 22, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion on the huge Rogers internet outage, Log4<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-25875","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=25875"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25875\/revisions"}],"predecessor-version":[{"id":26025,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25875\/revisions\/26025"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=25875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=25875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.co
m\/staging\/wp-json\/wp\/v2\/tags?post=25875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}