Ransomware has evolved into blackmail. We are all familiar with the concept of ransomware: critical operational data, which includes personal data, is encrypted by the attackers and so becomes inaccessible to the business. To get the data back (the decryption key is held by the attackers), the business has to pay a fee. The fees are significant; this article gives an insight, e.g. a recent case resulted in a fee of $350 000.
So the business gets its operational files back, and this is where the blackmail kicks in: the attackers then demand a second fee, of between $100 000 and $2 000 000, for the stolen copy of the data to be deleted, failing which they will make it public.
What is surprising, or maybe not, is that the victims are actually paying, especially those in private healthcare, who cannot afford the damage to their reputation should it get out that they have been hacked and sensitive data has been stolen. And they do not report the breach, as the law requires in the U.S., in Europe and in other countries globally.
If you are worried about this trend, and we all should be, then protect your data as it should be protected (GDPR Article 32 requires it). Get the experts in; they cost much less than a ransom demand will if the attackers get to you first. And it could be that it is not so difficult to fix; you may be surprised!
Edited: PrivSec has a free 'fireside chat' session on ransomware and what to do if it happens to you; you can book here.
I have been thinking more about the Sony Pictures story. It has been mentioned that it could be an insider job. What this means is that all information needs to be protected, not just at the organisation's boundary but between each individual identity.
Every business process in an organisation should be protected cryptographically, with a thread of traceability leading back to the originating source. Only the authorised parties to a digital interaction should have access to the information being moved around, or, for that matter, to information at rest. All email should also be encrypted, so that only the creator of the content and its recipients can read the messages and attachments. Creators of information should have absolute traceability over every one of their digital interactions that could form part of a business process.
But how to do this? You know how to eat an elephant? A small piece at a time, so you don't get indigestion. So the answer is to take one business process at a time, building piecemeal a watertight shield across an organisation's information assets, including its people.
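One small piece of that elephant, as an added example (not from the original post): a hash-chained process ledger in which every step is bound to the identity that performed it and to the step before it, so any record can be traced back to its originating source and an insider cannot silently rewrite someone else's step. It uses only the Python standard library. The identity keys and the invoice process are constructed, and HMAC tags stand in for the digital signatures a real deployment would use; that is an assumption worth noting, because an HMAC verified with a shared key gives integrity and traceability but not non-repudiation.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-identity keys. Assumption: in production these would be
# asymmetric signing keys held in an HSM/KMS, so a step cannot be repudiated.
IDENTITY_KEYS = {
    "alice@example.com": secrets.token_bytes(32),
    "bob@example.com": secrets.token_bytes(32),
}

GENESIS = "0" * 64
BODY_FIELDS = ("identity", "action", "payload", "prev")


def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON object (sorted keys, so it is reproducible)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def _tag(identity: str, body: dict) -> str:
    """Bind a record body to one identity's key."""
    return hmac.new(IDENTITY_KEYS[identity], _digest(body).encode(), hashlib.sha256).hexdigest()


def append_step(chain: list, identity: str, action: str, payload: dict) -> dict:
    """Add one step of a business process, bound to the actor and to the previous step."""
    body = {"identity": identity, "action": action, "payload": payload,
            "prev": chain[-1]["hash"] if chain else GENESIS}
    record = {**body, "tag": _tag(identity, body)}
    record["hash"] = _digest(record)
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return (True, None), or (False, index) for the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in BODY_FIELDS}
        key = IDENTITY_KEYS.get(rec["identity"])
        if body["prev"] != prev or key is None:
            return False, i
        expected = hmac.new(key, _digest(body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i  # content changed, or tagged with someone else's key
        if _digest({**body, "tag": rec["tag"]}) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def provenance(chain: list, index: int) -> list:
    """Follow the prev pointers from one record back to the originating source."""
    by_hash = {rec["hash"]: rec for rec in chain}
    trail, rec = [], chain[index]
    while rec is not None:
        trail.append((rec["identity"], rec["action"]))
        rec = by_hash.get(rec["prev"])
    return list(reversed(trail))


def insider_rewrite(chain: list, index: int, insider: str, new_payload: dict) -> list:
    """Simulate an insider replacing someone else's step with their own key.
    The record keeps the original identity, so the tag will not verify."""
    rewritten = [dict(rec) for rec in chain]
    body = {k: rewritten[index][k] for k in BODY_FIELDS}
    body["payload"] = new_payload
    rewritten[index] = {**body, "tag": _tag(insider, body)}
    rewritten[index]["hash"] = _digest(rewritten[index])
    return rewritten


if __name__ == "__main__":
    chain = []
    append_step(chain, "alice@example.com", "create_invoice", {"id": 17, "amount": 1200})
    append_step(chain, "bob@example.com", "approve_invoice", {"id": 17})
    print("genuine chain:", verify_chain(chain), provenance(chain, 1))
    forged = insider_rewrite(chain, 0, "bob@example.com", {"id": 17, "amount": 12000})
    print("after insider rewrite:", verify_chain(forged))
```

To cover the confidentiality half of the requirement (only the creator and the recipients can read the content), encrypt each payload to the recipients' keys before it is appended; the chain then carries the ciphertext and its tag, and verification still works without anyone decrypting.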
More than 2 million passwords have been stolen from popular web services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc. All the popular press are reporting on this (here is something in English and in Swedish).
What is interesting is Trustwave's analysis of the stolen passwords. Trustwave did a similar study over six years ago on passwords exposed from MySpace, and the comparison shows that nothing has changed; if anything, password complexity is even weaker now than it was in 2006. Users are choosing simplicity over complexity.
So what's so surprising? It is quite naive to assume that we will use complex passwords, especially across our social networking accounts. This is why we are increasingly accepting single sign-on via Facebook, LinkedIn, etc., to authenticate to other web services. The last Gartner conference on identity talked about needing to rework how we do identity, i.e. make it 'people-centric'; now where have I heard that one before 😉
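To see what such a composition analysis looks like, here is an added example (my own, not Trustwave's methodology or data): it buckets a list of passwords by character-class mix and length, undoing the usual letter-for-symbol substitutions before checking a top-list, so that "P@ssw0rd" is counted as the dictionary word it is. The sample and the top-list are constructed for the example; a real audit would load a full leaked-password list.

```python
import re
from collections import Counter

# Constructed sample, modelled on the kinds of entries such dumps contain
# (not the stolen data itself).
SAMPLE = [
    "123456", "password", "Password1", "qwerty", "Tr0ub4dor&3", "letmein",
    "iloveyou", "abc123", "Summer2013!", "1234", "correcthorsebatterystaple",
    "P@ssw0rd", "monkey", "111111", "admin", "Ab12",
]

# Small constructed top-list; replace with a full leaked-password list for a real audit.
COMMON = {"123456", "password", "qwerty", "letmein", "iloveyou", "abc123",
          "monkey", "111111", "admin", "12345678", "dragon"}

# Undo the usual substitutions (@->a, 0->o, $->s, !->i, 1->i, 3->e, 4->a)
# before the top-list lookup, so leet-speak variants are not counted as strong.
LEET = str.maketrans("@0$!134", "aosiiea")

CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}


def char_classes(pw: str) -> set:
    """Which of lower/upper/digit/symbol appear in the password."""
    return {name for name, pat in CLASSES.items() if re.search(pat, pw)}


def categorise(pw: str) -> str:
    """Bucket one password: common, single-class(-long), mixed-short or mixed-long."""
    lowered = pw.lower()
    if lowered in COMMON or lowered.translate(LEET) in COMMON:
        return "common"
    if len(char_classes(pw)) == 1:
        # A long single-class entry may be a passphrase; keep it distinguishable.
        return "single-class-long" if len(pw) >= 16 else "single-class"
    return "mixed-long" if len(pw) >= 8 else "mixed-short"


def summarise(passwords) -> dict:
    """Category counts and the share of passwords that are on the top-list."""
    counts = Counter(categorise(pw) for pw in passwords)
    return {
        "total": len(passwords),
        "categories": dict(counts),
        "share_common": counts["common"] / len(passwords) if passwords else 0.0,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE)
    for category, count in sorted(report["categories"].items()):
        print(f"{category:18} {count}")
    print(f"share on top-list: {report['share_common']:.1%}")
```

The composition buckets are a crude proxy: a long single-class passphrase is far harder to guess than an eight-character mix of four classes that is a dictionary word with substitutions, which is why the top-list check runs first and the long single-class entries are kept separate.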
I think this Bug Bounty Program is a great initiative. Apparently quite a few companies are doing this, i.e. paying white-hat hackers who report a security flaw.
Facebook has such a programme. However, when a researcher and white-hat hacker (Khalil Shreateh, from Palestine) reported a flaw to the FB security team, they responded that it was not a flaw. This was just a little bit annoying. He tried a couple of times to get them to understand, and then warned them that he would demonstrate the flaw.
The flaw allowed anyone, whether or not they were in your friends list, to post directly on your FB Wall. So Khalil posted a message on Mark Zuckerberg's Wall. Facebook refused to pay Khalil the bounty on the grounds that he had not followed protocol.
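The class of bug described above is a missing server-side authorisation check: the request is authenticated, but nobody checks the relationship between the actor and the wall being written to. The following is an added, hypothetical sketch (not Facebook's code) of a wall-posting service showing the vulnerable version beside the hardened one; the user names and the "who can post" setting are constructed for the example.

```python
class WallService:
    """Hypothetical wall/timeline service; user names and settings are constructed."""

    def __init__(self):
        self.friends = {}       # user -> set of friends
        self.walls = {}         # user -> list of (author, text)
        self.who_can_post = {}  # user -> "friends" or "only_me"

    def register(self, user: str, who_can_post: str = "friends") -> None:
        self.friends[user] = set()
        self.walls[user] = []
        self.who_can_post[user] = who_can_post

    def befriend(self, a: str, b: str) -> None:
        self.friends[a].add(b)
        self.friends[b].add(a)

    def post_unchecked(self, actor: str, target: str, text: str) -> None:
        """Vulnerable: the caller is authenticated as `actor`, but the
        actor-target relationship is never checked, so any user can write
        on any wall."""
        self.walls[target].append((actor, text))

    def can_post(self, actor: str, target: str) -> bool:
        """Authorisation decision made from the target's settings on the server,
        never from anything the client sends."""
        if actor == target:
            return True
        if self.who_can_post[target] == "only_me":
            return False
        return actor in self.friends[target]

    def post(self, actor: str, target: str, text: str) -> None:
        """Hardened: same write, gated by the relationship check."""
        if not self.can_post(actor, target):
            raise PermissionError(f"{actor} may not post on {target}'s wall")
        self.walls[target].append((actor, text))


if __name__ == "__main__":
    svc = WallService()
    svc.register("owner")
    svc.register("stranger")
    svc.post_unchecked("stranger", "owner", "hi")        # succeeds: the bug
    print("unchecked:", svc.walls["owner"])
    print("checked:", svc.can_post("stranger", "owner"))  # False
```

The test that would have caught this is the negative one: a user outside the friends list issuing the same request as a friend and expecting a refusal. Bounty triage that only reproduces the positive path (friends can post) will conclude "working as intended".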
Now this is old news, about a week old. What is new is that Marc Maiffret, the CTO of a company called BeyondTrust, decided that Khalil should be compensated for his service and created a crowd-sourced fund for the researcher, with a goal of $10,000, after which the amount will be deposited in Khalil's account. Maiffret also put $3,000 of his own into the fund. In less than 24 hours, 79 people had contributed nearly $9,000. Read more HERE.
More has been written on this hack by Dave Kearns (a known propeller-head in identity management) in his blog Virtual Quill. Read what he has to say if you are interested.
Bring Your Own Identity (BYOI) is on the bandwagon with BYOD (Bring Your Own Device). Wired journalist Mat Honan relays a sobering story of how his digital identity was stolen through trusting third-party identity providers.
Basically, the attackers were able to wipe his Mac and iPhone and take over his Twitter account to send tweets damaging to his reputation. He was using iCloud; the attackers got into his iCloud account because Apple accepted the last four digits of his credit card as a form of identity verification, and they obtained those four digits, which Amazon shows in the clear in the account, through a bit of social engineering. Now I bet you want to read the whole story? Read more here.
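The chain in that story is worth modelling explicitly, so here is an added example (not from the article): a small dependency check that, given what each provider hands out and what each accepts as proof of identity for account recovery, lists the factors one provider accepts but another will reveal, and computes how far an attacker starting from a few public facts can get. The provider table is a constructed, simplified version of the account above, and the attribute names are assumptions for illustration, not a description of any provider's current process.

```python
# Constructed model of account-recovery dependencies (simplified from the
# story above; attribute names are assumptions for illustration).
#   needs:  what the provider accepts as proof of identity for recovery
#   grants: what a successful recovery hands the attacker
PROVIDERS = {
    "Amazon":  {"needs": {"name", "email"},           "grants": {"card_last4"}},
    "iCloud":  {"needs": {"email", "card_last4"},     "grants": {"icloud_session"}},
    "Twitter": {"needs": {"icloud_session"},          "grants": {"twitter_session"}},
}


def cross_provider_factors(providers: dict) -> list:
    """(factor, revealed_by, accepted_by) for every recovery factor that one
    provider trusts but another will hand out. Each entry is a weak link."""
    findings = []
    for accepter, p in providers.items():
        for revealer, q in providers.items():
            if revealer != accepter:
                for factor in p["needs"] & q["grants"]:
                    findings.append((factor, revealer, accepter))
    return sorted(findings)


def attack_path(providers: dict, known) -> list:
    """Fixed-point closure: starting from `known` facts, which accounts fall,
    in order, when each recovery gives the attacker what the next one needs."""
    known = set(known)
    order = []
    progress = True
    while progress:
        progress = False
        for name, p in providers.items():
            if name not in order and p["needs"] <= known:
                order.append(name)
                known |= p["grants"]
                progress = True
    return order


def harden(providers: dict, provider: str, secret: str) -> dict:
    """Return a copy in which `provider` also requires `secret`, i.e. a factor
    that no other provider reveals (a second factor or a recovery code)."""
    fixed = {k: {"needs": set(v["needs"]), "grants": set(v["grants"])}
             for k, v in providers.items()}
    fixed[provider]["needs"].add(secret)
    return fixed


if __name__ == "__main__":
    public_facts = {"name", "email"}
    print("weak links:", cross_provider_factors(PROVIDERS))
    print("falls in order:", attack_path(PROVIDERS, public_facts))
    hardened = harden(PROVIDERS, "iCloud", "recovery_code")
    print("after hardening iCloud:", attack_path(hardened, public_facts))
```

The check is only as good as the table: the useful exercise is filling in every provider you rely on for recovery and what each one displays once you are logged in, then running the closure from the facts anyone can find about you.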