This week I am spending a bit of time discussing the huge hack on SolarWinds Orion software and why we will be feeling the repercussions for years, and yes, it could have been prevented. Then we will talk a little bit more about election fallout and how this hack might have something to do with it. Then the FireEye hack and a new and improved (well, another variation of) ransomware, and more, so be sure to listen in.
For more tech tips, news, and updates, visit – CraigPeterson.com.
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] In case you didn’t hear, we have had a massive hack. We’re going to be talking about that and what it means to you. What it means to the federal government. What it means to organizations that are using SolarWinds. Oh my
Hi everybody. Craig Peterson here. Had a great discussion this week with Mr. Matt Gagnon Wednesday morning, as we usually do, and we’re going to continue that now. Let’s get into it in a little bit more depth.
You probably heard me pounding on that table and it was just unbelievable because the bottom line here is these particular hacks were effective because these supposedly “Professional Security People” did not follow the basics. They didn’t have the software configured according to the manufacturer of the software’s specifications.
So number one, read the directions.
Number two, they didn’t use the most basic of security controls that are out there.
You’ve got to watch these domains, capabilities, practices, processes. That’s what we are always talking about in the cybersecurity business. They were not monitoring outbound connections. They didn’t stop the call home stuff.
What I keep telling you guys, the easiest way to stop the spread of some of this nasty software is to use Cisco Umbrella. It’s just that simple. Cisco Umbrella for just regular people is free. How could you get better than that?
When you get into the business level, which you cannot buy on their website (you can buy some very good stuff from the Umbrella website, from Cisco), then you get a lot more features and fine-tuning and granularity and stuff.
If they had just been using Cisco Umbrella, that probably would have stopped the call home. That’s what it does. Okay.
These are professional organizations that got hit here. Professional organizations.
We do not allow willy-nilly outbound connections.
Some of these pieces of software pretend that they are a web browser and they just want to go to this website. If you’re allowing your employees on your network to go willy-nilly, wherever they want online, you got some problems.
If you’re just filtering, for instance, Oh, I’m not going to let them go to porn sites or something. Violence sites, or Netflix to watch TV movies all day long instead of working. That’s not good enough. That might help to keep them paying attention a little bit more to their work. I’ve found, frankly, much of the time they spend trying to figure out how to get around those filters. We catch people doing that all of the time. You have to talk to them and explain why the most dangerous parts of the internet, from a security standpoint, are the parts of the internet where you are going to have some of that nasty content that they might be looking for. Once they understand that, usually they wake up and smarten up, et cetera, et cetera. But if that’s all you’re filtering for.
How are you going to know that there is a piece of Chinese back door software on your network, that’s trying to get out? How are you going to know that there’s a Russian back door trying to get out? Or there is a hacker that’s in your network who is exfiltrating all of your data and then they’re going to hold your data. Not quite hostage to where it used to be, but they’re going to extort you and say, Hey, if you don’t pay up, we’re going to release all of this intellectual property to the internet.
The right way to do it is you only allow outbound connections to places they have to go for work.
We have a company, our client, just as an example, who is in the Department of Defense space. They are a subcontractor and they deal with parts for airplane engines, certain parts. As such, they have all kinds of federal regulations and those regulations mean that they can’t have data that gets stolen, that gets exfiltrated, right? That’s the whole idea. They’re supposed to be secure. So what do we do in a case like that?
The people that work there can only get to websites that are approved. The websites of their suppliers. The websites of their clients, and that is all. They cannot go anywhere else. Why? Because part of the problem here is what just happened this week.
What happened this week with this massive order? This has only happened five times before in all of history. We’ll talk about that, as well. What is this order? What happened is they tried to go out to some other websites.
Let’s say they got infected, and their computer had some nasty-ware on there that was trying to call home. Just do its ET thing, call home. It tries to get out of the network using what looks to be an innocent little web connection. It gets there normally. But if we block everything except the website that they absolutely have to go to, that software is not gonna be able to get out of their network, is it?
This is not rocket science. Yet we’ve got 18,000 organizations that look like they got hit in this massive cyber attack. Massive. There’s a company out there called SolarWinds. Now, SolarWinds we have used in the past. We stopped using them because of some of their practices. We just couldn’t, in good conscience use them. Knowing what they were doing and how they were doing it.
But SolarWinds has this network management software. They have sold it to government agencies, massive companies; 499 of the Fortune 500 companies use SolarWinds. They have this network management product called Orion. Apparently they, like any other good little software vendor, provided updates.
The updates between March and June 2020 apparently had a little extra payload.
Now, the way these actors, the bad guys, got this payload into SolarWinds software really shows that it was a nation-state.
Now of course the media is out there saying Russia, which is what they usually do. You’d think it was probably more likely to be China. But you know what, we’ll probably never know because these people were very sophisticated. They basically reverse engineered a one-way hash function called SHA-1, which you should not be using anymore. It was thought to be relatively safe. They combined that with another vulnerability in a web server and in some software that supports the web server and is supported by the web server and bam, they’re in.
SolarWinds sent out updates to their clients. Those updates went to government agencies, all but one Fortune 500 company, and over 22,000 managed services providers.
Now, we’re going to talk about MSPs some more, and we’ve talked about them in the past. This is a big deal. Most businesses don’t do the information technology function themselves. They might have somebody that’s in charge of it, but that person is the person who goes out and tries to find somebody to take care of the systems or do an audit or whatever it might be that they’re trying to do. That makes sense, I think. So that’s what they’re trying to do. But do they really know what they should do? What they shouldn’t do? What should be done? What shouldn’t be done? That’s a subject that we’ll take up a little bit later.
This compromised software was distributed as a software update to SolarWinds customers by SolarWinds. It turned out that their software had this payload in it that now allowed an as yet unknown bad guy to get into the networks.
Now there’s a statement that was filed with the Securities and Exchange Commission. I’m looking at it right now, by SolarWinds Corporation, and talking about the Orion products. They say that SolarWinds believes that the Orion products downloaded, implemented, or updated during the relevant period, starting in March this year, contained the vulnerability. Orion products downloaded, implemented before the relevant period and not updated did not contain the vulnerability. It goes on and on. It says SolarWinds values the privacy and security of its over 300,000 customers.
I can’t believe that this would happen. So not only was SolarWinds caught up in this but so were many of their customers and you will find it interesting to know who some of their customers are because they have also been in the news lately for different reasons.
This is just fascinating. The biggest hack in recent history, and one, that’s going to have consequences for years, literally years.
Make sure you visit me online. Craig peterson.com.
We’ve established that there was a hack. We’ve established that the media thinks Russia did it and so do many security consultants. We’re not absolutely sure. We probably never will be.
What is this hack doing? How is SolarWinds tied into Dominion?
This hack has been absolutely scary as heck. One of the congressmen who got a briefing on Tuesday about what had been going on called this absolutely terrifying. Now that is a terrifying statement to make, and the accusations are that Russian government hackers are responsible for this.
Now we’ve seen since March this software by SolarWinds called Orion, which was in place in 18,000 organizations, was compromised. Once it was in the network, it gave bad guys access to that network. Coming out this week on Thursday, we found that the feds have, in fact, said that yes, we were affected by this. Now affected, what does that mean? Ultimately, the pros and cons to this.
The list of affected US government agencies and entities includes the Commerce Department, the Department of Homeland Security, the Pentagon, the Treasury Department, the US Postal Service, and the National Institutes of Health. Isn’t that amazing? Actually, it is Institutes, right?
This is a long list of suspected Russian hacks into the US as well as many of our allies and other nations out there. This is very scary to hear that because Russia has been using hackers, they have been using bots, and they have had other means to try and influence elections in the United States and elsewhere.
Before this latest election, we had the Democrats saying our election that elected President Trump was influenced, was hacked, by the Russians. And of course, as you know, after investigations for four years, they never really found that Trump was colluding with Russia.
I think the focus was absolutely wrong in those investigations. It should have been on what happened with our elections? How safe is our election software? How about the hardware? How about the mechanisms that are in place? The federal government does have guidelines for this election vote tabulating software and hardware. They have error rates that are allowed just like they have so many mouse parts that can be in peanut butter. They have error rates that are far lower than are being reported, right now. Oh, thousands of times more ballots were rejected than were allowed by law. But nothing is happening. Nothing happened.
They investigated one person, one man, basically President Trump. A number of other people were caught up in this investigation as they laid traps for people.
We did not do a major investigation into these systems. To me, that is absolutely inexcusable. Now we’re seeing some other evidence that is something that I think we should be paying some attention to and that ties right into this hack of SolarWinds.
As I mentioned, all but one, of the Fortune 500 companies use their software. 18,000 different organizations installed the version of SolarWinds Orion products that were in fact known to not just be vulnerable, but have built into them hacking tools, which is just astounding to me.
Are we going to look into this now? Because looking right on this, this is from the Gateway Pundit.com. They went to Dominion Voting’s website. You can go to the homepage. They probably removed it by now, but it was there when I had a quick look on their website.
This Emergency Directive 21-01. Very rare. It has only been issued five times in the last five years and is saying remove all of this. Yet Dominion Voting is apparently a customer of SolarWinds and Dominion Voting brags about how they use SolarWinds. That is scary, very scary to me. Let’s talk about what it does mean.
It does mean that our friends Dominion Voting, who have been accused of having terrible software, all the way through having major backdoors in their software. Our friends over at Dominion Voting could well have been completely compromised by that SolarWinds attack. Completely compromised.
We don’t know if they were but we do know that they were using it and they are the ones with our voting machines. This goes back to what I talked about last week, where I think there is only one solution to being able to be confident about votes.
Obviously, it’s too late now to deal with all of the potential voter fraud, software errors, hardware failures that have occurred in past elections. It really is too late based on the evidence I’ve seen, to quote Attorney General Barr. But how about the future? How about we do an investigation into these companies that are providing us with the hardware and software. Or better yet, my solution is we have ballots printed. Those ballots have serial numbers on them with a very good check sum. All we do with those ballots is we scan them on regular commercial, industrial scanners that keep pictures of those votes. So we have a hard copy that we can go to at any time of the votes. We can analyze them. We can compare it to the vote counts, et cetera. We take those pictures now and we run them through very inexpensive software.
Very inexpensive, under a thousand dollars to buy a license for some of the software. What that software does is it looks at the images that were taken by these scanners. And it goes ahead and tallies votes. If we use two or three different software packages, they should pretty much agree. Our error rate should be less than one in a hundred thousand or maybe even a million. Should be pretty darn low. Then we hand tabulate a few of these just to double-check, make sure everything is all right. We now have hard counts.
People add up the counts and as always, you have election observers from the two major parties and the minor parties they’re watching this whole process.
I am for absolute transparency here. I think all of those images of the votes should also be made available to anyone who wants to download them. This is the age of the internet. Why are we not making the images of the votes available for anyone who wants to look at them? Private individuals can tally the votes and come up with what should have happened, what the count should be.
You expect a little bit of variance, but absolute transparency. People add up those votes. It’s all audited. There are cameras running, webcams 24 seven watching the voting machines. Watching the election workers. Streaming to anyone who cares to look. Now we have absolute transparency. Now we can believe the vote.
That I think is the only way we can handle this.
We’re going to run through some checklists here about what gamers should be doing. If you’re giving a video game or one of these consoles to maybe some of your kids. I dunno. Maybe your husband, maybe they are kids. We’re all kids. What should they be looking for this year?
We are talking about this massive hack we’ve been talking about, and we’re going to get into some other stuff right now. I wanted to mention one more thing. When we were just talking about this major hack, may have been Russia, maybe China. Sometimes it’s really hard to tell who it is if these are good hackers, and these, by the way, were very good hackers.
SolarWinds I just can’t hold them a hundred percent responsible for this hack because part of the problem was people not reading directions, not doing just the very basic practices that are established in the industry for trying to keep things safe.
So keep that in mind as well. But it is a huge problem. It’s something we all have to pay a little bit of attention to.
I had a great question this week when I was on the radio, I was asked, Hey, please tell me that there are people in our government who are trying to do the same type of thing to other governments.
And you might’ve heard about what is it? I would call it a person hack, right? This is what is called in the industry a honeypot. You probably heard about US Representative Eric Swalwell. He is a California politician, which makes a lot of sense. He has been in office since 2013 and he is also on a very interesting committee.
When we are talking about Representative Swalwell, his committee assignment includes him being on the Select Committee on Intelligence. Okay. Ranking member of its Central Intelligence Agency subcommittee. He also retained his seat on the United States House Committee on Science, Space, and Technology, according to Wikipedia.
This is very scary because he fell for the oldest trick in the book. It also tells us just the lengths China will go to in order to hack our people, our country. Don’t worry, we’re going to tie all of this into our hackers. Okay.
He, as well as another politician from California. Yes indeed, a sitting US Senator, she had a driver, I think it was for about 20 years, who was a Chinese spy.
Eric Swalwell had this girlfriend and apparently this happened when he was just a mayor, before he had moved up to the House. Then, of course, moved into the intelligence committee. A lady who became his girlfriend was doing everything you might expect of a honeypot, a Chinese lady who was trying to get information out of him. I don’t know what information she got out of him. He had a lot of information.
Now, if this were to happen to a Republican, of course, just by default, the morals of a Republican would be, well, I really messed up. I’m sorry. I resign. At least resign from the intelligence committee, but I resign from Congress. That has happened before. Much different response. It’s just amazing to watch from a Democrat and Republican.
Nancy Pelosi should have removed him from his very sensitive government positions. This guy has demonstrated that he can’t keep his, well, you know what I mean, and is not reliable when it comes to secrets. Why hasn’t the FBI said, I don’t care what you say, Ms. Pelosi, we want this Congressman removed?
The big question is how did we find out about this? What ended up happening that brought us to the point where we realized that Eric Swalwell was a major security risk and was on the select intelligence committee? On oversight committees. Okay. It’s scary, isn’t it?
This ties into this whole hacking agenda. It looks like we might have been hacking, as well. I’d be shocked if we weren’t. We have teams, red teams, in every branch of government, basically, that hack. That’s what they do. They’re hacking in order to see what weaknesses we have. But this has been barely reported at all.
This also happened last week. A major leak of official records from the Chinese communist party. Many of these Chinese communist party higher-ups are living and working in other countries, including the United States, Australia, United Kingdom of course, and this list that’s been uncovered has about 2 million members of the Chinese communist party.
Now, remember these people have sworn an oath to do everything they can to protect and build up the communist party. Okay. This database lists names, party positions, dates of birth, national identification numbers, ethnicity, telephone numbers of these members.
Now. Australia Sky News on Sunday reported that the database quote “lifts the lid” on how the party operates under president and chairman Xi Jinping. The leak shows that the party branches are embedded in some of the world’s biggest companies and even inside government agencies. Communist party branches have been set up inside Western companies, allowing the infiltration of those companies by CCP members who if called on are answerable directly to the communist party. To the chairman, the president himself.
So apparently, along with the personal identifying details of almost 2 million communist party members, there are also details of 79,000 communist party branches. Many of them inside companies. Now there was some analysis done of this membership list; we’ve only had it for, what, about a week now, but the analysis that has been done so far has been interesting, because it has revealed that both Pfizer and AstraZeneca, both companies who have vaccines for this COVID virus, together employed 123 party loyalists.
There were more than 600 party members across 19 branches working at British banks HSBC and Standard Chartered.
In 2016, in addition, the Daily Mail’s reporting that firms with defense industry interests, like Airbus, Boeing, and Rolls Royce, employed hundreds of party members.
Now, what I found interesting is the response by the US media and the response by some of these companies. It’s been reported that some of these companies, when they were alerted to the Chinese party membership of some of their people, said “we’re not interested in the political parties that our employees belong to.”
Which is just shocking. We’re not talking about basic parties here. We’re talking about what effectively is an enemy of the United States and frankly, we’re also looking at this hack as a declaration of war by Russia, by China.
China’s done this before, too. In fact, we think they were behind another major hack you’ve heard of just a few years ago.
The PS five and Xbox series X apparently are almost impossible to get. Best Buy just can’t get restock. But assuming you got one, what are some of the tips that you need to know? If you are playing games or your kids or grandkids are.
Video games, I’ve never gotten into them, but it’s probably my generation. Back when I was a teenager, we had these text-based games that we would play sometimes. You’re sitting there on a teletype and you’re typing into this computer over a 110 baud modem. Oh, my gosh.
It was fun, so you were in a twisty maze of tunnels? I can’t remember the exact wording, and then you’d go left or right. And I never spent a whole lot of time on those things, because I basically considered it a waste of time. I’ve played like Mario Kart a couple of times when we got it for the kids, and that’s probably the extent of it. I’ve played with some of these video games that Apple has released now as part of their Arcade product. I am shocked at how good they are. How good the resolution is. And the movement of the phone itself can be read by the game. Your phone is your controller. So if you play games on these video devices or on a PC of some sort or even a Mac, you’re not too worried about availability because the software is easy, right? It doesn’t cost much to duplicate that software. Probably doesn’t even cost a penny nowadays for the guys to download the game to someone. Of course, there are other charges and stuff involved, but it’s just so easy to do.
So we’re going to have a lot of them this year. Many of the people who are playing these games are the younger millennial generation, the Z generation, and both of them really have issues when it comes to security.
I mentioned this before in talking with my youngest son, about two weeks ago, about security. He just didn’t seem to care. Now, we had given him a really good firewall router and a wifi system built into it. All kinds of processing that was going on. It was a Cisco device. Cisco firewall. It was analyzing everything coming into his network, everything going out from his network. It does a very good job of it. It had a limit of, I think, it was 250 megabits worth of data flowing through it. He said megabytes, and I’d have to look at the specs on it. Actually, I do think it’s 250 megabits, and that particular device was great.
You’re cruising the web. You have software on a machine that gets infected, trying to get out. It’ll shut it down, just as all of this. His roommate, who calls himself a gamer, didn’t like that at all. So he ordered a gigabit network coming in. It’s a gigabit over RF cable modem, which is crazy, because you’re not going to get it, and we had previously explained, Hey, listen. Your biggest problem is going to be latency turnaround. It’s not going to be the bandwidth. We showed him these statistics that our router had gathered that he never used more than 10 megabits worth of bandwidth, which is pretty normal.
I’ve read some studies on it and 10 megabits, 20 megabits. That’s the max that is used by these video games. He knew better, cause he’s in his twenties, and he’s a professional gamer, almost. Not that he makes money from it, but he’s a professional gamer and he has been talking in the gaming community.
So rule number one is they don’t need as much bandwidth as they think they need. What they need is a, basically a jitter-free line so that they can talk to their friends without any problems while they’re playing the games. They need a very quick turnaround, so the round trip time needs to be fast.
I brought up with my son, Hey, listen. You realize that he went out and upgraded the line and then ripped out, while you were gone, the firewall. He put in a better one that handles a gigabit and of course, yeah, no better. The wifi that he has in the house, that his friend purchased as his roommate, does not provide gigabit over the Wi-Fi. It just doesn’t happen. It can’t happen on any of this consumer stuff when you get right down to it and you look at it hard, right?
Many companies are lying to us. They publish these specs. They give all of this data and it is so misleading. I said, this is a problem now because you have security at the bottom of the pile when it comes to your network now. Anything that gets onto his machine is going to get onto yours. The firewall was actually on a zero-trust basis and would not allow his friend’s gaming computer to access his computer or anything else on the network that it wasn’t explicitly allowed to access. And do you know what he told me? He said he doesn’t care.
Now, I don’t know. So if this is your dad and you’ve been doing internet cybersecurity for 30 years, and you’re just getting carried away, that’s the type of thing that you get from an under-35-year-old son.
I’ve got kids that are actually that age too. There certainly is a difference, a major difference. I don’t know what it is, but the stats that I’ve seen in the studies I’ve read are showing that these younger millennials and generation Z, which this one of our kids is right on the cusp of, don’t care about cybersecurity. Part of the reason is that they just have given up. Now, I’ve been fighting it for over 30 years. I haven’t given up yet, but they have, it’s just a fact of life.
Just like you have to be on social media and you have to post these pictures of your wonderful life. It’s just crazy.
Here are seven tips, and I got these from Dark Reading, a great website, but obviously I’m going to comment on them in a much different way than Dark Reading’s approach to it.
But I really liked these points.
Number one, we’ve got to make sure our kids and ourselves understand that personal information needs to be kept personal. Now, I know every one of us in this country has had our data stolen. It’s guaranteed. It hasn’t all been stolen and it’s from a snapshot in time.
For instance, the Equifax hack. Yes, indeed. That’s pretty much everybody in this country, Canada, much of Europe’s personal information. Our salaries, our home addresses, our social security numbers. Everything was stolen, but that’s years ago. By the way, that was probably done by the Chinese communist party. Remember that they’re socialists. We talked about this last week. They steal stuff. That’s what they do because they just can’t compete. They don’t like competition. They want to sit on their hands for the most part. Now, China’s done some interesting things. With trying to combine the ability to have some free trade with the government-controlled economy, right?
They’re not just like we are. They’re not capitalists, they are not communist there. Never, ever, even with the Soviet Union and what happened in Venezuela and Cuba, have they actually achieved pure communism.
We don’t have pure capitalism here either. Don’t let them share personal information, make sure they realize that every little bit of information they share, they may be sharing with a hacker. Someone that’s going to break in. We had break-ins in our neighborhood. This was probably about five years ago. A bunch of break-ins bunch of stuff stolen. Our house at that time was never broken into. It turned out that it was a kid from the neighborhood whose family had moved out and he knew things about people in the neighborhood and when they worked and when they were taking vacations. So he came back in and he started stealing from the houses, he’d break into them and steal stuff. In some cases, apparently, kids had given him codes to be able to enter houses. It’s amazing.
It reminds us again of another best practice that should be exercised in business, and you need to exercise it in your home as well. That is, when someone leaves a job, what do you do? You shut down their accounts; do it all automatically. That’s the way it should work. You archive their data so they can’t get back in. Now we’ve seen instances where network people who had been doing network work at a business left and stole just tons of things, shut down networks, changed passwords, because that hadn’t happened.
And in this case, it’s a good idea to change the code on your door lock pretty frequently. Keep track of who has what code, right? Doesn’t that make sense to you? Then on top of that, with these fancier new ones where you can use Bluetooth, the cell phone, to program it.
So you just bring the phone close to the door and it automatically unlocks. It gets more complicated. It’s easy to set up, but we’ve got to make sure we erase them.
So number one, don’t share personal information. The next one, obvious as heck. We talk about it all the time, but take care of your home network. Don’t do what my son did, well, my son’s roommate did, and put in a cheap router. Make sure it’s secured using multi-factor authentication. Now there are some ways around some of this, so that’s why I recommend you do not use texting for multi-factor authentication. Use something like Duo or 1Password or LastPass or Google Authenticator. It’s really going to help.
Stay away from chats. Now, this is difficult because much of the social stuff that goes on with gaming is over chats that are built into these games. So just be careful when they’re in chats because it is used by these honeypots and others to get personal information. Kids don’t realize, Hey, listen, dad is a high up in this company and I probably shouldn’t be talking about that because honeypot to go after our kids, to get at us.
Avoid third-party stores and apps, turn off Universal Plug and Play (UPnP) if you still have it on your network, and beware of scams when playing online. So some good tips for the kids.
This latest declaration of war as it’s been called may be bad enough for government agencies and bigger companies, and 22,000 managed services providers. But man ransomware.
Then follow up to our last hour, DNI, the Director of National Intelligence Ratcliffe was supposed to have come out with a report as of yesterday about the elections and about foreign interference. Because of disagreement within the National Intelligence Community, it did not get released, at least not yet. It should be out fairly soon.
The big talk and the disagreement between various people who are in the organization, one of those jobs-for-life things, right? The deep state, as President Trump has called it. Is that how much involvement did China really have? How much involvement did Russia have? I strongly suspect Russia had a lot of involvement here in hacking. In fact, even our voting machines, as we talked about in the last hour, because of the SolarWinds hack. How about China? They’re saying it looks like it could be a major influence and have had a big impact on the election, in a number of ways, but we’re not going to get into that right now.
Those big hacks have been very successful against larger companies; all but one of the Fortune 500 apparently was affected, and some 22,000 managed services providers countrywide use it. According to SolarWinds, about 18,000 businesses were using the affected, or infected, depending on how you want to look at this, but using the affected software. That’s a real big deal, frankly. How about you and me? What does it mean to us as business people, as home users, et cetera? I want you guys to understand this a little better, so I’m going to explain it, and I appreciate all the comments I’ve had about how much you guys appreciate me doing a little deeper dive into this, far deeper than most anyone else can. You get these guys on the radio that just talk about absolute fluff in technology. Mainly because they don’t know any better. I’ve just been doing this for too long.
One of these commentators, a lady who’s had her own radio show for years, just amuses me. I know she was a marketer for years before she got on the radio. Maybe that’s why she’s a lot more successful on the radio than I am, but I’m much more successful in tech than she is.
You, as a regular end-user, are probably not badly affected by this hack, this SolarWinds hack, and all of the subsequent hacks that happened. It’s probably not a huge deal for you because your home computers were not running this Orion software from SolarWinds, and you’re probably not using any of the other software that’s out there. I’m continually reminding everybody, and I’m covering this as well in my Windows Hardening Course, which is coming up soon.
When I was recording this week, it made me think about this a little bit. You and I, as home users, know better than to buy things like Norton and try and use them, or some of these other antivirus products, because in this day and age with Windows 10, not considering anything else in the network but just the computer itself, you are probably best off using Windows Defender and making sure your computer stays up to date.
You also know, if you want to spend a couple of bucks, there is some other good stuff out there that’s going to help, and one of those is Malwarebytes. In fact, I’m going to try and include a link to some of the Malwarebytes stuff this week. Malwarebytes is another good little piece of software to have, and you know how much I like Umbrella.
You’ll find that online, of course, at umbrella.com, and you can get the free version or the paid version. If you are a business, you need to talk to a reseller, like me, and have them set you up with the business version. Those three things are going to go a very long way.
Obviously, you need to lock down Windows and harden it. That’s why we’re doing this whole little course coming up here soon. If you are a business, now you might be in some trouble. I have been saying now for three, four years, as has the FBI, and I covered it in some of the FBI InfraGard webinars that I hosted: if you’re an MSP, if you’re a managed services provider or break-fix shop, in other words, if you take care of other people’s, and more particularly businesses’, computers, you are a major target. You have to pull up your socks.
Now, the Department of Defense, with this cybersecurity maturity thing that they’ve come out with, CMMC, has made it very obvious, because it specifically says it, that if you are a managed services provider, you have to meet the requirements that the Department of Defense is putting onto their customers or their suppliers. I think that makes a lot of sense.
If you are a managed services provider, you probably have pretty much, if not completely, full access to your customers’ computers and networks. So if you have a customer that deals with the Portsmouth Naval Shipyard, for instance, that is a Federal Government DoD facility, and if those DoD contractors that are out there on base have to meet certain requirements for cybersecurity, you would expect that you as a managed services provider have to meet those same requirements.
The answer is yes, absolutely you do. We’re talking about some serious policies and procedures, some serious hardware to help make sure everything’s working right, some serious monitoring of the hardware and the software and the alerts. It’s a lot of work.
We’ve talked about it before. Basically, if you have fewer than 200 people, you probably can’t afford it. There is no easy button when it comes to the NIST 800-171 or the CMMC standards. So you turn to one organization, that’s a managed security services provider, and you expect that they are going to be able to take care of you. I don’t think that’s unreasonable.
What should you be doing? How can you have these guys take care of you? The answer is almost none of them can. Now, they’ll say so. They’ll put a nice little logo up on their site and, oh my gosh, aren’t we just Mr. Wonderful, Mrs. Wonderful. In reality, many of these companies know the buzzwords. They know the key phrases, but they are not up to snuff when it comes to doing security, including their own security.
So they’ll go to other vendors. They go to distributors, try and get some help. This goes back to how I started out here, talking about these tech shows, where the host really knows very little about the actual technology. You want someone that understands. If you want a good meal, you’re going to go to one of these celebrity chefs. They know the business and they know the business from start to end. You’re not going to go to a fry cook from Wendy’s in order to get a great meal. Now, you might get a decent meal.
So the Department of Defense is now pushing all of these standards down to the MSSPs. This is why we are actually a Master Managed Security Services Provider. We provide security services through and for these Managed Services Providers. I think that just makes a whole lot of sense, but these companies have access to other businesses.
Computer networks have been under attack forever, and this now proves the point I’ve been trying to make for years, which is that the SolarWinds attack was directed at 22,000 companies that call themselves Managed Services Providers. Why? Because that’s where the money is. That’s where the access, the keys to the kingdom for so many companies and so many government agencies, is: these managed services providers.
Now, this is difficult because I promised this week to get something out about selecting a managed services provider. I have something. If you want a copy of it, make sure you email me at ME@craigpeterson.com, because I’ve got a little checklist that I put together. It’s one of these generic ones.
I’m not trying to say, “Hey, you’ve got to hire me.” You know how that goes, where they put out an RFP, a request for proposal, and there’s only one company in the whole world that could possibly meet all of those specific requirements: been in business for 30.6 years, is located within two miles of us, et cetera, et cetera. No, that’s not what this is. This is a real nice generic list that you can use to help evaluate anyone out there that is going to be helping you out with your security.
So whoever it was, the Russians most likely, knew what they were doing. So they got not only the 22,000 managed services providers in their sights, but they also got all of these government agencies, and all but one of the Fortune 500 are right there in their sights.
They are not stupid. This was a very difficult hack and they pulled it off. They would have continued to pull it off, frankly, for a very long time.
So if you outsource your IT, which you have to do, because that’s the only easy way to get some real talent part-time, which is what most small businesses need. They don’t necessarily need full-time on their staff, but they need full-time attention, and you’ve got to pay attention.
Drop me an email. email@example.com. I’ll be sure to get it back to you.
Ransomware is no longer just the domain of basic hackers or even nation-states, like what we saw with this massive SolarWinds hack and the targeting of managed services providers. It is now changing ransomware in a big way.
What is behind the headlines, and really helping people to try and understand it a little bit better, is something I’ve always been told I’m good at and something I do enjoy doing. I guess that’s a good thing, right? For you guys as well as for me.
Ransomware has been evolving over the years. We’ve talked about it here on the show before, but the idea behind ransomware, for those people who aren’t familiar with it, has changed from really one idea to, now, two core ideas.
So the first idea is the one you may be familiar with, which is they get some malware on your computer, however it might be. They might be sending a phishing email, trying to trick you into clicking on something and then installing some software. It might be via a worm or a remote hack, right? It could be a little virus that gets in, but the idea behind ransomware is that it gets on your machine and then it phones home.
Some of this stuff is very fancy. You can go onto the dark web and you can find ransomware for cheap money. You can even buy ransomware as a service. So what you do is you send out the ransomware to email addresses, right? The ones you’ve bought or stolen or harvested from the internet. Another reason, by the way, you should never have your email addresses up on a website where it’s easy for software to grab them.
Ransomware as a service does everything. Some of these companies, my gosh, you pay them either a fixed fee or a fixed fee plus a percentage of your take, and they’ll run the whole gamut for you. They’ll provide tech support for people who get ransomware.
Here’s what will happen. That person clicked on that email. They installed that software that got the virus. There was a drive-by worm, whatever it might be, and in the background it now starts encrypting all of the major files. It looks for things like Word docs and Excel spreadsheets, et cetera, and it encrypts them all. It calls home first, nowadays, for instructions and tells the bad guys, “Hey, here’s the key I’m using to do the encryption.” It gets really fancy today. We’ll get into that one in a minute.
Then it pops up on your screen: “Hey, all your files are encrypted. You’ve got ransomware. Contact us.” It gives you an email address or something else to contact them with. It has a big takeaway. It says, “Hey, you’ve only got so many hours to contact us, or the ransom goes up and goes up,” to try and get you to move, and then you will pay via Bitcoin, almost always.
Which, by the way, has been driving up the value of Bitcoin, because people have been buying it in order to pay ransoms. So that’s what we’re used to.
The newer ransomware does things a little bit differently. It gets onto your machine in much the same way, but the next step that it takes once it’s on your machine is it starts looking at files and finding files, and usually it’ll wait, because what it’s doing at that point is pumping, poking a hole out of your network back to the main controller for the ransomware guys.
So it gets on your machine. It grabs the names of some of the files. It then connects back to home. It calls home. Once it’s called home, it sends the names of your files and then it sits there. Now, the ransomware guys are pretty busy, actually, because so many people fall for this stuff and haven’t done what they needed to do to keep the ransomware out. The ransomware guys, usually within a few days, will then remote control your computer and they’ll poke around, and they’ll find, “Oh wow, here’s client lists. Oh my gosh, personal information. I can sell that for as much as $20 a record.” That’s a lot of money, right? Especially for someone in Eastern Europe, which is where most of these things come from. Then what will happen is they will look around some more and they’ll start trying to spread laterally, east-west, inside your network. So now they’re inside your network and they say, “Oh my gosh, there’s 20, 30, 40, 50 machines in here.” It’ll try and infect these other machines using the same or different techniques, where it tries to spread like a worm or a little virus going around inside your network. And then it says, “Oh my gosh, this is a medical office. Oh my gosh, this is a Department of Defense manufacturer.” Oh, wow. Wow.
When they’ve got all of these records, all of this data, they might also find things like bank account numbers and transfer numbers, ACH accounts, all of this stuff. That’s what it’s looking for. Now, it’s doing all of this in the background. You don’t realize what’s happening. Your computers just work in a way at this point that is probably not even slow. Then the next step that they take is they decide, okay, what are we going to do? You know what? I think that we can extort money from this person if we pull these files. So they’ll grab a bunch of files. They don’t remove them from your computer. They just make a copy of them from the computer, from your file server or wherever they are in your network. It may be all of your files and may just be a few of them. Once they’re done with that, they will either encrypt everything and hold it for normal ransom, or not.
If they hold you for normal ransom, the same normal stuff applies. A little red screen comes up: “Oh, you’ve got ransomware. We can help you fix it. Contact us, give us a copy of this number.” Take a picture of the screen and then off you go buying Bitcoin and paying them off.
Remembering, because you listened to this show, that the Department of Justice may come after you if you pay the ransom, for supporting terrorists and terrorist demands, but that’s a separate issue.
Now you get your key to decrypt, and according to the FBI, about half of the time you’ll get all your files back.
Okay. So far that all sounds pretty normal, but the next part is what they’ve been doing more recently, which is: “Okay guys, thanks for paying that, by the way. We are a different company. We’re a different group of bad guys, and we have copies of some of your files, and unless you pay us, we’re going to release those files out on the internet,” the dark web, or maybe the regular web, put them up on a Pastebin or wherever they might want to put them.
Pastebin is a website that hosts these files, zip files, and other things with all kinds of information in them that is obviously sensitive, because why would you pay extortion otherwise? So that’s what they do.
Secondarily, they try and get you to pay them to not release your data. Okay? So in many cases you have paid twice: you paid once to decrypt the data, and you paid a second time in order to gain access to that data. Or, excuse me, just to stop other people from gaining access to your data.
Does that make sense to you guys? That’s what they’ve been doing.
Now we’ve got a new scale that these ransomware guys have. They are really catching up quickly with the nation-states that we’ve been talking about earlier. These are called advanced persistent threat groups. Just the regular gangs now have stepped it up.
You can get this show and many others via podcast. Just go to my website, CraigPeterson.com.
Ransomware has gone from being opportunistic over to the other side, where they may spend months or even years on a network at a business or a government. So we’re going to talk about the east-west spread of ransomware.
We’ve had a major hack this week that has affected federal government agencies, all but one of the Fortune 500 agencies. It’s affected 22,000 of these managed services providers potentially; at least 18,000 organizations are confirmed as being affected by this.
We’re thinking it’s Russia, but who knows? You cannot really tell. In the last segment, we went through the major changes in ransomware over the years. As I mentioned in the intro, opportunism, that’s been the name of the game. They just send out a lot of feelers. They do a lot of scanning and they find somebody that is just vulnerable. That’s the bottom line. They want vulnerable businesses. Once they find a vulnerable business, they move to the next step. That next step, in the past, has been just encrypting everything so that you and I really have no way to respond to it.
It has gotten fancier. These advanced persistent threats are what the name implies. They’re an advanced attack method. They’re persistent. In other words, once they’re on a network or on a machine, they stay there, and there is a threat because these ransomware groups, such as DAPL, painter, and revival, have gotten onto the networks and have been very targeted at what networks they are trying to get onto.
They want networks of businesses, and these cyber-criminal hackers find vulnerabilities on the networks as they move around inside the network. That’s what east-west is: moving around inside, finding other vulnerabilities. They often spend months laying the groundwork to compromise the systems with ransomware before finally unleashing the attack and encrypting the network.
They’ve found that phase two, which was let’s get on the network, let’s find the valuable files, let’s hold them for ransom, just takes a long time. If they’ve stolen people’s credentials, if they’ve stolen Social Security numbers, bank account numbers, credit card numbers, et cetera, it takes a long time to sell them and get their money back. So they really aren’t trying to speed things up, frankly. Spending months on a network isn’t unheard of, and it’s become more and more common.
These threat groups will hide for even years before they are detected, if they’re detected at all. Their goal is surveillance of the network, finding all of the weaknesses and then stealing sensitive data, rather than just making money right off the bat with ransomware. These groups are making millions of dollars per attack. It’s become so effective that many businesses, if you look at their filings with the Securities and Exchange Commission, are buying Bitcoin in preparation for a ransom. Isn’t that something? In other words, they expect a ransom to happen, so they’re just buying Bitcoin so they have it to pay if it happens. Okay.
So there’s been this transition from being opportunistic into the types of threats we’ve seen from nation-states here for years. It is much more profitable for these bad guys to completely cover an organization with ransomware. Now, remember, that’s not necessarily the primary target, but it’s also a really good cover for them, because now you’re trying to deal with the ransomware threat.
So what do you do if you have ransomware? The best thing is don’t get it in the first place. We’ve gone over that quite a few times here on the show, but the basics: make sure you’re running Windows Defender; make sure that you are using Umbrella, so they have a hard time calling home.
Make sure you go on to the next stage as well. Maybe add Malwarebytes.
You also have to protect that network. I am a Cisco reseller and we have techs that are Fire Jumper certified. We know what happens. We can come in afterward and do cleanup. This, unfortunately, is how we pick up most of our customers. Or we can go in beforehand and help to protect you, because you want to stop them from getting in.
The regular email filters just aren’t enough. So we run it through just all kinds of tests. We had an email from one of our clients here just about a week ago saying, “Oh, I got this email. It seems to be phishing. How did that get through?” Yeah, we stopped a thousand of those types of emails and one snuck through. Nothing’s perfect.
We’ve got to remember that as well. So if it does get in, someone bringing in a thumb drive from home or using the VPN into the office that hasn’t been properly protected (most of them aren’t, by the way), whatever it is that gets in, what do you do then? Hopefully, you have a good backup. You’re probably going to have to wipe all of your machines. Depending on the threat involved, that might be pretty difficult, because they can get into different parts of the machine that you just can’t get them out of.
The next evolution of ransomware is that, as these groups gain more experience with these successful attacks, that time they’re taking from that initial compromise, which could be months or even years, will become much shorter, meaning there’s less time to potentially detect this suspicious activity before it’s too late.
We know from what Talos has been reporting, as well as others, that the compromise timeframe, where they poke around inside your network, is nowadays somewhere between three and five days. So you have a few days to catch them in your network.
Now, if you don’t notice them, well, it’s probably a little bit too late, but again, hopefully you have good backups.
Having good backups means, by the way, the three-two-one principle on backups. It means that you need to be testing them as well. Make sure you can restore your business from backup, and you might even want to do what we’ve done for our bigger clients, a multinational, where we had backup hardware there at their facilities. So if something were to happen, let’s say that there was a fire in the front part of their building where their main data center was, we could transfer all operations to the back part of the building, where we had our own servers sitting there that could take over at an instant’s notice. Then we also have servers in the cloud that have all of their data, in an attempt to keep them up to date in almost real time so they can stay in business. That’s what you need to do if you’re going to survive ransomware.
Now there are also normal things. Make sure you’re applying security patches to everything. Make sure you are using multiple network segments that cannot communicate with each other. So, for instance, your building control systems should be on a completely different network than your office workers’ computers, and those computers should be on a completely different network than the server. They should be going through a firewall to get to the server, and an internal one.
You should have multiple layers of firewalls. In this company I’m thinking of, this multinational, we have seven layers of firewalls that you have to pass through in some cases, depending on where you are. That helps keep them out. Okay.
The security patches you’ve got to do. You’ve got to patch all of your Internet of Things devices.
You cannot let people bring personal devices in. It just goes on and on.
These are the types of controls, the best practices that we need to have. All right.
You’ve probably heard of contact-tracing apps. Who knows what’s going to happen with that virus over the next year or two years, or what viruses might be coming after that. We’re going to talk about the safety of the apps themselves.
One of the big things that has been pushed in many parts of the world is contact tracing. Some states require us, if we go to a restaurant, to give our name, right? To give our phone number for contact. If someone who was at the restaurant calls up the restaurant and says, “Yeah, hey, I came down with COVID-19 symptoms,” then the restaurant’s supposed to call up everybody who was there at the restaurant. Now, how effective is that? I really don’t know.
It’s people. I would not want to give my information to people. I think we should just assume that we’re living in a world with viruses and we should take precautions. If I was in one of the groups that were very susceptible to the virus, I think I would take a lot more precautions, and frankly, isn’t that the way it should be? If you are susceptible, then maybe you should lock down. Not shut down, or lock down, everybody else.
We’ve never done anything quite this way before. You find Typhoid Mary, and she gets quarantined, not everybody else. That’s always the way we’ve done it. And it just makes a lot of sense.
One of the proposals that has come out, that they’re saying, “Hey, this is going to help us today and into the future,” is these contact tracing apps. I’m looking at an article right now that was over on Dark Reading saying that they tested nearly 100 contact tracing apps. Now, these are apps that are on your smartphone that might use Bluetooth for proximity detection to another phone. They might use some other technologies. I’ve seen some that actually start to squeal and make noise if you get close to somebody else that’s running one of these apps. So that, okay, I’m within the one-meter limit.
Of the nearly a hundred they tested, they found 40% had significant security issues, either using GPS locations or Bluetooth proximity detection in order to determine your potential exposure to somebody else. Now, these are mostly apps that are not using this new Apple and Google exposure notifications protocol. I found that kind of interesting. Apple has been very good at trying to preserve our privacy. In fact, there’s a huge fight already going on between Facebook and Apple. If you have the latest version of iOS, you can go into the App Store, look at an app, and I would challenge you to do that.
If you’ve got your phone right now, an iOS phone, and you’re up to date, open up the App Store and search for the Facebook app. Then once you’re on the Facebook app page, scroll down a little bit and it’ll have a section in there on security that goes on for pages and pages. Yeah, “More” button. Okay. Read more of what it is that Facebook is doing with your data. So Facebook’s pretty upset about that, saying this is going to hurt small businesses who need to micro-target, and they’re not wrong about that. Apple is saying, “Hey, we’re trying to preserve the privacy and security of people who use Apple equipment,” which I absolutely do agree with.
Well, a company known as Guardsquare, which is a mobile security firm, analyzed 75 contact tracing apps, 52 Android apps and 43 iOS apps, and found that 40% did not use the Apple Google protocol that Apple and Google worked together to come out with.
The bottom line here: what is going to be safe? How can we protect user privacy? This protocol is designed to protect it. Most of those applications used GPS system data to figure out your location and that of other people and linked it to phone numbers or, in some cases, passport identifiers.
Now, GPS can be fairly accurate, but if you want it really accurate, you have to add some other data that is transmitted by all major airports, because there’s a variance in the density of the atmosphere, which can vary depending on whether it’s raining, how much water is in the air, snow, and other things. They transmit variances that can be used in conjunction with GPS to get an actual, accurate location. Once you get into a building, or have you ever been inside a big city and found all of a sudden your GPS data is just terrible? Your automatic map stuff just isn’t working, right? Those big buildings are blocking the signals from some of the satellites that you are depending on. That’s what they have found with these apps. Many of them are trying to use GPS. They are gathering that and keeping the information and selling the information, which is a bad thing. It’s not terribly accurate. Okay.
So first off, don’t use these apps at all if you’re in one of the risk groups. You are also now relying on other people to have the same app, or the same protocol being used, in order for your app to do any good at all, because they are combining the data from everyone that’s self-reporting in an area to figure out if there’s potential exposure. If they’re not self-reporting, if they don’t have that same app, you’re not going to get any information.
So in June, Guardsquare looked at 17 different Android apps and found only one that fully encrypted and obfuscated data.
They have done a survey here in the last month and it has gotten a little bit better, but of those 95 apps, they found 32 Android apps and 25 iOS apps actually use the official API of the exposure notification system created by Apple and Google.
So, bottom line, don’t use these contact tracing apps. They’re not useful. They’re not useful if not enough people are using them. Then, to top it off, they are not encrypting the data and anonymizing the data.
FireEye, man, this is the company that found out about that SolarWinds breach that we spent the first hour talking about today. FireEye is a security research company. Part of what you should be doing, and are required to do, is to have red team, blue team exercises. What that means is you have people who are attacking your network, and then you have people who are defending the network. So you have a team of people whose goal is to break in and another team whose goal is to defend. You might remember I talked about a company that had been hired to do this. Where was it? Missouri or something. They tried to break into the courthouse that they had been hired to test. Then there was a dispute over turf and everything else, and these guys went to jail and they had to go to court. The whole thing was quite the mess. Okay.
That’s a red team, blue team type strategy. We don’t do physical incursions ourselves. It’s just a little bit too risky for us. It takes more people, more time, but we do the type of computer incursions, and FireEye has red team tools that are used to break in. That is a problem because FireEye was compromised as part of this SolarWinds hack. Their tools were stolen. These are the FireEye red team tools that are used by their security teams to break into businesses. This is the gift that’s going to keep on giving.
You might remember the NSA was broken into and their red team tools were stolen, the tools they use to monitor foreign governments and officials and hack into computers. Well, this is a real problem. Okay. Many of these red team tools that were stolen from FireEye have already been released to the community, and there’s even an open-source virtual machine called CommandoVM. Just absolutely unreal.
Apparently, none of the red team tools that were stolen by the attacker contain zero-day exploits, and they apply well-known methods to break in. In other words, if you had been patching your systems, taking care of it, unlike what happened with so many companies out there, right?
Home Depot, what happened to them? The TJX community of businesses, Equifax, on and on, who did not keep up with best practices or even patches. You might be okay. But if you are more of a security guy, like I am, they have released hundreds of countermeasures that you can use, including things like OpenIOC, YARA, Snort, ClamAV, all tools that we use here as well. There’s a whole FireEye GitHub repository. GitHub is where people can distribute software and things. It’s usually used by the open-source community, and they’ve got directions on what you can do and everything else. So I think FireEye has responded extremely well to this. It’s going to hurt their business, no doubt. It’s going to hurt a lot of other businesses, no doubt, but I really like what they have done and you can look it all up online.
If you want a little more information, just email me at ME@craigpeterson.com, and it might be time for me to put together a little course, or maybe a big course, on how to use these tools to test your own security as well as to defend your security.
That’s it for today. Thanks for joining me. Make sure you join me online as well. craigpeterson.com.