Supply Chain Security: Safeguarding Critical Infrastructure from Cyber Threats 

Imagine you invented a hypoallergenic egg. For one, you’d be a zillionaire. For another, you’d be the hero for everyone who loves lemon merengue pie but is allergic to eggs. Now imagine a psychopath who wanted to hurt your customers. All they need to do is insert regular eggs into one of your delivery trucks. Mayhem and disaster would be the result. 

In today’s interconnected world, supply chains form the backbone of the global barnyard. Supply chains enable the seamless flow of goods and services around the world. But the increased reliance on digital technologies and third-party suppliers means supply chains have become prime targets for cyber-attacks. This poses significant risks to critical infrastructure and services (like electrical distribution grids). As organizations struggle with the challenges of supply chain security, the importance of building resilience to cyber threats has never been more apparent. 

Supply chain vulnerabilities, particularly those stemming from third-party software and hardware suppliers, present many cybersecurity risks. These risks vary greatly. Malicious actors inject malware into supplier networks to compromise the integrity of software or hardware components. And don’t forget about the everyday users who inadvertently expose sensitive data to unauthorized users. The interconnected nature of supply chains amplifies the impact of these vulnerabilities. A break in one link of the supply chain can cascade through the entire chain. This disrupts operations and causes widespread damage. 

One of the key challenges in supply chain security is the lack of visibility and control over third-party suppliers. Many organizations rely on a complex network of suppliers, each with their own cybersecurity practices and vulnerabilities. This diversity makes it difficult to enforce consistent security standards across the supply chain, leaving organizations vulnerable to exploitation by cyber adversaries. Outsourcing critical functions to third-party providers further complicates the security landscape. Sometimes it’s necessary to allow external partners access to sensitive data and systems. 

To address these challenges, companies need to recognize and accept the need to strengthen the supply chain. They must take steps to fortify cybersecurity strategy. This will involve adopting a proactive default-deny zero-trust approach to access, rather than merely reacting to incidents after they occur. Key elements of a zero-trust supply chain include: 

  • Access control: Creating a policy of default-deny for applications, users, networks, and devices. 
  • Risk Assessment and Management: Conducting thorough risk assessments to identify vulnerabilities and dependencies within the supply chain, and implementing zero-trust-based risk management measures to mitigate potential threats. 
  • Vendor Management: Establishing robust vendor management processes to vet suppliers, monitor their security posture, and enforce compliance with cybersecurity zero-trust standards and best practices. 
  • Supply Chain Monitoring and Intelligence: Implementing continuous monitoring and threat intelligence capabilities to detect and respond to cyber threats in real-time, both within the organization and across the supply chain. 
  • Contingency Planning and Response: Developing contingency plans and response strategies to minimize the impact of supply chain disruptions, including alternative sourcing options and incident response protocols. 
  • Collaboration and Information Sharing: Engaging in collaborative efforts with industry partners, government agencies, and cybersecurity organizations to share threat intelligence and best practices for supply chain security. 

By investing in these proactive measures, organizations can strengthen their supply chain resilience and reduce the risks posed by cyber threats. In a time of escalating cyber-attacks and supply chain vulnerabilities, safeguarding critical infrastructure and services requires a coordinated effort to fortify the weakest links in the supply chain. 

Supply chain security is paramount in safeguarding critical infrastructure and services from cyber threats. As organizations navigate the complexities of global supply chains, building resilience to supply chain vulnerabilities becomes imperative. By adopting a proactive approach to supply chain security and implementing robust risk management practices, organizations can mitigate the risks posed by third-party suppliers and ensure the continuity of operations in an increasingly interconnected world. 

Locals At Risk Due to Data Breaches – How to Protect Yourselves 

A data breach that occurred in 2021 could be affecting readers today.  On the dark web, a hacker named ShinyHunters is attempting to sell personal data of 73 million people who were customers of AT&T.  After initially denying the data was theirs, AT&T confirmed that the data appears to be from 2019 and impacts approximately 7.6 million current AT&T account holders and 65.4 million former account holders.   The data includes names, address, phone numbers and for some, even social security numbers (SSN) and birth dates.   Additionally, the security pass codes for 7.6 million accounts were also leaked.   If you were a DirectTV customer, your data may be included.   The subscriber base at the end of 2019 was almost 202 million subscribers, so it appears to be a partial data dump. 

At this point you may be thinking, “Big deal, that was 5 years ago. What use could that information be for hackers?”  Good question.  There is a treasure trove of data that hackers can use that may impact you.  First, hackers could have access to your current account if your security passcode has not changed since then.  AT&T is aware of this and are reaching out to these customers.  Hackers can use phishing and other social engineering techniques claiming to be AT&T support.  If you get an email or SMS text from someone claiming to be an AT&T representative, we recommend that you go “out of band” instead of replying or clicking the link.  Go to AT&T’s website that you know is valid. Contact them through the methods provided on their website.   

One of the biggest dangers of this breach was the stolen SSN and birth date information.  Along with your name and address, hackers can apply for credit cards in your name and run up debt in your name.   Hackers can use your SSN to access your bank accounts.  They could pose as you with the bank’s customer support performing fraudulent transactions and transferring funds.   Using your SSN, a hacker can access your credit reports and subsequently apply for a loan for themselves in your name.  There’s more, but you get the point. 

Vigilance is the optimal option.  We recommend setting up multi-factor authentication on all accounts that offer the option.  Your bank and your credit cards definitely have this available.  It is a little more work to access your account but more than worth the effort. Most accounts use a username and password for access.  Multi-factor authentication uses a second method to verify that the user is authorized.  This may come in the form of a code sent via email or text or using an application like DUO or Authenticator.  Monitor your credit card and bank accounts regularly.  Report suspicious activity right away.  Consider using credit monitoring services. 

Of course, good cyber hygiene with your passwords is always recommended.  Do NOT reuse the same password on multiple sites.  That makes it very simple for hackers to try that password on other accounts. If your information was part of a breach, change your passwords.  To see if your email address has been involved in a breach, visit this site, https://haveibeenpwned.com, and enter your email address.  This provides a list of breaches the account was involved.   

If the AT&T hack is too old to have you concerned, Circle K was hacked in January of this year.  Loyalty data and partial credit card information was revealed. 

Don’t think that you are not a big enough target.  Hackers go for the low hanging fruit. If it’s too easy to pass up, they will not.  The old adage, “an ounce of prevention is worth a pound of cure,” rings very true in the cyber world.   

Is the world headed towards Central Bank Digital Currency? 

The Bank for International Settlements (BIS), is the governing body for most of the world’s Central Banks, including the United States Federal Reserve Bank. The BIS plays a pivotal role in the global financial system and has been actively involved in discussions and research regarding Central Bank Digital Currencies (CBDCs). One of the potential applications of CBDCs, as highlighted by the BIS and other financial authorities, is to enhance the monitoring and regulation of financial transactions to combat illicit activities such as money laundering, terrorism financing, and tax evasion. Here’s how CBDCs could facilitate this: 

Digital Traceability: CBDCs inherently possess a digital footprint, allowing transactions to be recorded on a blockchain ledger (think of it like an accountant’s ledger book), which could be either centralized or distributed. This digital traceability means that unlike cash transactions, which are anonymous and untraceable, CBDC transactions can be monitored and audited by the issuing central bank and other regulatory authorities. This makes it more challenging for individuals or entities to engage in illicit financial activities. 

Enhanced Regulatory Oversight: With CBDCs, central banks and financial regulatory bodies could have real-time or near-real-time access to transaction data. This capability would significantly enhance regulatory oversight, making it easier to identify suspicious transactions as they occur and take swift action. Advanced analytics and AI algorithms could be employed to detect patterns indicative of money laundering or other forms of financial crime. 

Implementation of Compliance Checks: CBDC platforms can be designed to automatically enforce regulatory compliance. For instance, transactions exceeding certain thresholds can be programmed to require additional verification before they are processed. Similarly, transactions involving entities on watchlists or sanctions lists can be automatically flagged or blocked, ensuring compliance with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations. 

Reduction in Anonymity: While the reduction in anonymity might raise privacy concerns, from a regulatory perspective, it limits the ability of criminals to operate undetected within the financial system. CBDCs can be designed to strike a balance between privacy and transparency, ensuring that while individual privacy is respected, there is enough transparency to deter and detect illicit activities. 

Global Cooperation and Cross-Border Payments: CBDCs can also facilitate improved cooperation between countries on financial oversight. With CBDCs, cross-border payments can become more transparent and faster, reducing the time window that criminals must move illicit funds across jurisdictions. Enhanced data sharing and cooperation between central banks and international regulatory bodies could further strengthen global efforts to combat financial crime. 

It’s important to note that while CBDCs offer these potential benefits for combating illicit financial activities, the implementation of such systems must carefully consider privacy rights and data protection laws. The challenge lies in designing a CBDC system that maximizes the effectiveness of regulatory oversight and crime prevention without infringing on individual privacy and freedoms. 

On October 19, 2020, the BIS General Manager, Agustin Carstens, called for “a unified programmable ledger in a public-private partnership”. He was talking about CBDC. Think of it as Bitcoin (blockchain) but without the privacy blockchain currencies afford. Mr. Carstens further stated, “for example, we don’t know who’s using a $100 bill today, we don’t know who is using a 1000 peso bill today. A key difference with the CBDC is that the central bank will have absolute control on the rules and regulations that will determine the use of that expression of central bank liability and also we will have the technology to enforce that.”  

So, in essence, Mr. Carstens is talking about a bank account with digital money which can be programmed for specific use. For example, the entity which controls the digital $100 in a given bank account could put an expiration date on the money thus ensuring it will be spent by a specific date. Or it could be programmed so it can only be spent on food, or rent, or gasoline. This programmability is only limited by the imagination of the controlling entity. 

Whether this is a good thing or not is conjecture. Either the BIS will restrict itself to a reasonable amount of control over every digital dollar and allow citizens of each nation to continue private individual control of their own private earnings or they won’t. 

The Anatomy of a Social Engineering Attack

John Podesta, a key staffer for the Hillary Clinton presidential election campaign received an email, appearing to be from Google, warning him that someone had attempted to access his account and prompted him to change his password. John clicked on the link and entered his current username and password. Unfortunately for John, this was a phishing email and the link that he used to change his password was set up by the hackers to steal his credentials. The hacker used his credentials to download all his emails. These emails were later released to the public by WikiLeaks causing a bit of a stir.

Why are we so susceptible to falling for these attacks? There are six (6) principles that social engineers use to deceive us. The first is reciprocity. Reciprocity suggests that people feel obligated to reciprocate favors received by others. If you do something for me, I will be happy to do something for you. Many scams use a free gift or a prize to entice the victims to click their link or provide information.

Another method that social engineers use is social proof. This concept suggests that people are more likely to conform to the actions if they see others doing it. This works especially well in ambiguous or unfamiliar situations. A familiar tactic would be the website that says 57 people in your area have recently purchased this item.

Authority is a huge tactic that social engineers use, and the one employed above to get John to click on that link. Scammers often pretend to be people from the government or your IT department or one of your trusted vendors. Since they are in authority, you usually trust them and do what they suggest.

Commitment and consistency suggest that once individuals make a public commitment or take a small initial action, they are more likely to remain consistent with that commitment or action in the future. Some phishing scams ask recipients to confirm their email addresses for security purposes. Once they click the link, the victim feels commitment to engage in the sender. The scammer subsequently asks for more personal information or login credentials.

Social engineers use “likability and empathy” to build rapport and trust with their targets by establishing a sense of familiarity and likability. They may mirror the victim’s behaviors, interests, or communications styles.

The final principle to discuss is scarcity. The emotion being pushed here is the fear of missing out. This may look like those familiar statements “for a limited time only” or “while supplies last.” This encourages the target to act quickly out of emotion, rather than slowly, logically, and methodically considering what is being offered.

Let us look at some of the scams out there to see what they are using. The tax collector scam impersonates an IRS agent usually contacting by text or a prerecorded voicemail. They may send you a form to pay and may ask for gift cards or bitcoin in payment. The scammer uses “Authority” to intimidate people to do what they ask, sometimes threatening arrest or revocation of driver’s license. They also use commitment and consistency. Once they pull the victim into the trap, they are committed to continue the discussion. Some issues to note on this scam are the IRS will not ask for payment in Bitcoin or gift cards. They will not send forms via email – forms pulled from the website. The IRS cannot revoke your driver’s license.

The “pig butchering” scam uses “likability and empathy” to capture the victim’s trust and “commitment and consistency” once the victim is engaged. This scam usually starts with a wrong number text or a dating app. Once the scammer builds trust, they mention their success in Bitcoin and connection to an insider. This is the concept of “scarcity.” They share their fake website for trading with the victim.

When the victim uses the site, they watch their money grow and invest more money hence the name of the scam. They are fattening the victim up until they cut contact and take their money. Do not use any digital wallet that you have not thoroughly researched.

So, if you are approached via email, text, or phone slow down, take the emotion out, and determine if it is legitimate. If the proposal sounds too good to be true, identify what social engineering principles are being employed and why.

Original article can be found here.

Cybersecurity Risks in Achieving UN SDG 16.9 with Blockchain Technology

The United Nations (UN) Sustainable Development Goal (SDG) 16.9 aims to provide legal identity for all, including birth registration, by 2030. This ambitious target underscores the critical importance of identity in accessing a wide array of services and rights, from voting to healthcare. As we harness technology to realize this goal, blockchain emerges as a promising solution (1) for its ability to offer secure, decentralized, and tamper-proof ledgers. However, the integration of personally identifiable information (PII), personal health information (PHI), and other significant life events into a blockchain ledger brings to the forefront significant cyber risks that must be addressed.

Blockchain technology offers a revolutionary approach to managing digital identities, ensuring that every individual on the planet has a unique, unfalsifiable, and secure identity. By leveraging blockchain, we can create a system where all forms of PII and PHI are securely encrypted and stored, making them accessible only to authorized individuals and entities. This could dramatically reduce identity theft, fraud, and unauthorized access to personal information.

Using blockchain to manage sensitive data introduces complex cybersecurity challenges. While blockchain itself is highly secure due to its decentralized nature and cryptographic hash functions, the endpoints interacting with the blockchain, such as user devices and applications, remain vulnerable to hacking, phishing, and other forms of cyber-attacks. This vulnerability could lead to unauthorized access to the blockchain ledger, risking the exposure of sensitive personal information.

Second and maybe more importantly, blockchain data is permanent. It therefore presents a double-edged sword. Using blockchain to record EVERY event in your life ensures that once an event is recorded, it cannot be altered or deleted. This means it is an immutable history of an individual’s life events. This immutability raises concerns regarding the right to be forgotten. One may accurately suspect every individual has made choices they’d rather forget. This is not feasible with a blockchain-based digital ID. In Europe, the right to be forgotten is enshrined in data protection regulations like the General Data Protection Regulation (GDPR). Modifying or deleting personal data from a blockchain, once entered, is inherently difficult, if not impossible. This poses significant privacy concerns.

The concentration of vast amounts of PII and PHI in a single ledger, even if decentralized, creates a highly attractive target for cybercriminals. A breach could have far-reaching implications, potentially exposing the intimate details of individuals’ lives. While blockchain technology can significantly contribute to achieving SDG 16.9, ensuring the cybersecurity of such a system is paramount. And not to get overly controversial, errant governments could use the information in your personal life ledger to restrict access to important assets like your bank, or your job. This is already happening in China.

To mitigate these risks, a multifaceted approach is necessary. First, enhancing the security of endpoints through regular updates, robust encryption, and user education on cybersecurity practices is crucial. Second, implementing dynamic consent mechanisms where individuals have control over who accesses their information and for what purpose can help address privacy concerns. Additionally, exploring technological solutions, such as zero-knowledge proofs, can allow for the verification of information without revealing the information itself, further safeguarding privacy.

International cooperation and the development of global standards for blockchain security in the context of digital identities are essential. This would ensure a unified approach to tackling cyber risks, fostering trust in blockchain-based identity systems.

While blockchain presents a promising though possibly troubling pathway towards achieving UN SDG 16.9, it is imperative to navigate the associated cyber risks with a strategic, multifaceted approach. In this way, we can cautiously use blockchain technology to provide secure and immutable digital identities for all (if a person chooses to participate, but that’s another argument for another article), thereby unlocking access to essential services. One could even speculate that tying essential life services to a digital ID might do more harm than good.

Original article can be found here.

(1) https://unite.un.org/sites/unite.un.org/files/emerging-tech-series-blockchain.pdf

Every Move You Make, Adware Is Watching You

How were the U.S. intelligence services able to track Vladimir Putin’s movement without a local spy, special satellites, or hacking? They simply bought advertising data for the country of Russia.   Although it did not track Putin’s phone, the data tracked his entourage’s phones.  The phones belonged to his drivers, security personnel, political aids and other support staff through advertising data.  

With the prevalence of smartphones, who needs a map anymore?  Our phones are GPS tracking devices capable of taking us anywhere in the country – just put the address into your map application and you have turn-by-turn instructions.   Your phone is constantly sending your exact location to your map app … as well as almost every other application running on your phone.   

There is a saying about free applications.  If it’s free, then you are the product.  It turns out selling your data, to include location, is a billion-dollar business called the advertising exchange.  Advertisers bid on the exchange for a block of data in a particular geographic area.   In 2020, for a few hundred thousand dollars a month, you could access the global feed of every phone on earth.  Here’s how it works.   Whether you have an iPhone or an Android phone, your device has been given an “anonymized” advertising ID. It’s a long string of numbers and letters and looks like gibberish.   The advertisers don’t know your name, but they do know your location.  That is helpful for them to serve up targeted ads for the local restaurants or stores.  Other data includes the specifications of your device, what other applications you may have loaded on your phone, and even your browsing habits.  

Even though your advertising ID is anonymized, it is relatively easy for anyone who buys the data to find out where you live, work, and shop.  They can find out who you know and how often you visit them and for how long. They know what your hobbies are whether they are running, target practice, knitting, homebrewing, hiking, or biking.   

The military uses of this technology are alarming.   One of the companies that was developing their tools for the intelligence community began with data in the U.S.  They tracked phones that were in McDill Airforce Base, FL.  This is the home of the US Special Operations Command units.  They watched the phones go to Canada, Turkey, and end up in a small town in Syria.  Without trying, they uncovered a forward operating base of the deployed Special Forces personnel in the anti-ISIS campaign.   

Some of these advertising data mining tools are being used in the United States by government agency, such as the DIA, FBI, US Customs and Border Protection, Immigration and Customs Enforcement, and the Secret Service.  They would use this data for finding border tunnels, tracking down unauthorized immigrants, and trying to solve domestic crimes. 

What apps can track you? Look at your privacy settings on your phone to find out.  

Apple Advertising – View Ad Targeting Information is on by default which opens a wide range of information for the advertisers to see. 

The biggest setting that provides advertisers your GPS location is “Location Services.” Without this, your map program will not work and many other apps that you may depend on, so it is not the greatest idea to turn this off altogether. However, you should review the apps that use it and decide for yourself what you want to share. Almost all my installed apps used to have access to my location – from weather and driving directions, to grocery stores, browsers, banking, and insurance. Set these as you see fit.  

Another area inside location services is called system services. Look at those options. Significant Locations tracks your every movement. Mine is off. I would also caution against the use of the “improve analytics” for any application and “product improvement” settings. They pull even more data from your phone. 

Be careful where you take your phone.  Every move you make, every step you take, Adware will be watching you.   

Original article can be found here.

EMP Effects on the Power Grid versus Cyber Attack

We live in a marvelous time where technological advancements have boundlessly expanded human capabilities and opportunities.  Unfortunately, we also live in a time where the specter of electromagnetic pulses (EMPs) looms as a stark reminder of our vulnerability. An EMP is a burst of electromagnetic radiation emanating from certain types of high energy explosions, such as a nuclear detonation in the atmosphere, or from a suddenly fluctuating magnetic field. The concept, while sounding like something straight out of a science fiction novel, carries significant implications for modern society. 

EMPs can disrupt or destroy electronic devices and systems, potentially crippling infrastructure, communication networks, and any technology reliant on electricity. The pulse works by inducing high voltage currents in electronics and electrical systems, overwhelming circuits and rendering them inoperative. The range and severity of an EMP’s effects can vary depending on the altitude and magnitude of the explosion. The higher the altitude of detonations the larger the land area affected. 

The threat of EMPs is certainly dramatic.  Experts consider the likelihood of such an attack on the United States to be low. The complexity of executing an EMP attack, together with the global ramifications of detonating nuclear weapons, places it firmly in the realm of extreme scenarios. However, it serves as a theoretical benchmark for understanding vulnerabilities within the national power grid. 

Contrastingly, a more plausible threat to the U.S. power grid comes from cyber-attacks and physical sabotage. Unlike the broad, indiscriminate impact of an EMP, targeted attacks on the power grid can be conducted by nation-state actors, terrorist groups, or even nefarious skilled individuals. These attacks can disrupt power supply, damage infrastructure, and incite chaos without the need for nuclear intervention. The barrier to entry is significantly lower.  

The power grid (a complex network of power plants, transmission lines, and distribution centers) is integral to the functioning of the country. Therefore, it is a tempting target for our adversaries. Cyber-attacks, in particular, have become increasingly sophisticated, with potential attackers exploiting vulnerabilities in software and hardware to gain control over systems, shut down operations, or even cause physical damage.  According to a report from the security firm, Armis, global attack attempts on utilities increased 200% in 2023 compared to 2022.   

Comparing an EMP scenario with the more likely threat of cyber-attacks or physical sabotage on the power grid highlights significant differences in preparedness and response. While the former requires hardening electronics and infrastructure against an overwhelming and indiscriminate force, the latter necessitates robust cybersecurity measures, physical security enhancements, and continuous monitoring of the grid’s health. Today the only truly viable solution to the cyber threat is called “Zero Trust.” 

Zero Trust is a security strategy where one of the main principles is that each request is verified even if it lies behind a corporate firewall. It’s like going to Costco. You need to show your membership card to get in and check out. Another principle is to limit user access to just those areas necessary to do their job.  And lastly, in a Zero Trust environment, the designers assume a breach and structure the network to limit the damage that an incident could cause.  

The U.S. government and utility companies have recognized these threats. The Executive Branch has decreed Zero Trust is the future. Such an initiative includes upgrading existing cyber defenses moving from a default-allow to default-deny; conducting regular vulnerability assessments; and participating in national grid security exercises. These efforts aim to mitigate the risks posed by targeted attacks, ensuring the resilience and reliability of the power grid. 

While the concept of an EMP attack captures the imagination with its catastrophic potential, the reality is that more mundane threats pose a greater risk to the U.S. power grid. Cyber-attacks and physical sabotage represent tangible, immediate challenges that require ongoing attention and resources to defend against. By understanding and implementing a Zero-Trust approach for these likely scenarios, the United States can ensure the stability and security of its power grid against the evolving landscape of threats in the digital age. 

Original article can be found here.

The Cyber Guys: Never Again – Stop Being Fooled by Email Spoofing 

Every two or three months I get the same email from my “boss.”  It goes something like this.  “Dan,  I need a favor and I need it done by the end of the day.  Can you please purchase six $100 Amazon gift cards for the company? It’s for an upcoming event to celebrate our employees.  Just email me the gift card numbers.  Please don’t let anyone know.  It’s a surprise. I’m super busy so don’t call, just reply to this email.”   Since I had a company credit card, I went online and made the purchase.   Wait…. Just kidding.   

What I really did was I checked the Display Name of the sender.  It was the name of my boss, but not the usual way he displayed it.  When I looked at the return email address, I noticed that it was not from a company address, but instead it came from a random Gmail account.  This is one type of email spoofing called “Display Name Spoofing.”  It is the easiest type of email spoofing.  The hacker went to the company website and got the name of the founder.   From there the hacker just updated his email display name to match.   

There were several things about the email that got my hacker spider senses tingling.  Did you catch them?  One of the most common social engineering tricks is to push a sense of urgency.  I need it by the end of the day.  Another giveaway was that it was a secret so if I believed it, I would not tell anyone.  Gift cards are a common tactic for scammers.  Did you notice how the hacker did not want me to validate by an alternate means of communication?  Don’t call.    For me, the biggest hint was the fact that I really don’t have a company credit card and could not have done what was asked.   

This time, they did not fool anyone, but understand they are putting out hundreds of these emails a day.  All they needed was for one to hit and it was a successful day at the office.  I’ve heard of other spoofs locally where they pretended to be the boss and asked the accountant to transfer large amounts of money to a partner to close a deal.  Don’t think that all hacks are from around the world.  In that case, they knew the boss had been traveling and was unavailable.  The key to avoid falling prey to that is to have a policy where any use of company money requires “out of band” verification.  If the request comes via email, the accountant must call the boss to get verbal verification.   

Diligence is key not to get duped by this scheme.   There have been cases where instead of a supervisor, the hacker pretended to be a vendor.  The hacker sent an invoice supposedly from the vendor but with a different account to send the funds.   I’ve heard of this happening several times in this little town.  Pay attention.  Call and ask about it, stating that you noticed the account information changed.   That would stop the scam in its tracks.   

Another technique for hackers to spoof email is to create fake display names and email addresses using Simple Mail Transfer Protocol (SMTP). SMTP is a protocol used for sending messages.  This is called “Legitimate Domain Spoofing.”  A third type of spoofing is called “Look-Alike Domain Spoofing.”  An example would be amaz0n.com (zero instead of o) or gooogle.com.  Hackers get real domains that can easily be mistaken for the legitimate company.  

There are several technical ways to spot spoofing which I’ll provide below.  Check to see if the Sender Policy Framework (SPF) passes the test.   The SPF checks to see if the sender’s address is associated with the email domain it was sent from. DomainKeys Identified Mail (DKIM) works to verify that the email has not been altered between the sender’s and recipient’s servers.  Businesses can also set up Domain-based Message Authentication, Reporting and Conformance (DMARC) for the email which lets the recipient know that the email is protected by SPF and DKIM. 

How to check SPF, DKIM, and DMARC status on Gmail: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Select “Show original.” 

    4. Check and see if the email is marked “pass” or “fail” for each section. 

How to check SPF, DKIM, and DMARC status on Outlook: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Hover over “View” and then select “View message details.” 

    4. Scroll through the details and view “Authentication-Results” to see if the email is marked “pass” or “fail” for each section. 

Now that you know the social engineering queues and you have the technical skills to verify the email, in the words of the 70s rock band, The Who, you “Won’t Get Fooled Again.”   

Original article written for the Sierra Vista Herald here.

The Cyber Guys: Critical Vulnerabilities in Voting Machines – Easy To Hack

J. Alex Halderman, a Computer Science professor at the University of Michigan, walks into a courtroom in Georgia. He borrowed a pen from the defense attorney and in under a minute he had broken into a Dominion voting machine where he could make the results anything that he wanted without a trace of his breach. 

Dr. Halderman was an expert witness that demonstrated just how vulnerable these voting machines are to tampering. He used a pen to hold down the power button on the voting machine. He waited 7 seconds until it came up in “safe” mode. From there he could open files and change the contents of files to include the results and audit files without a password.

Later Dr. Halderman showed how with just a $30 purchase on Amazon, he was able to create a technician card for the voting machines that gave him super user access. Once programmed, a hacker could make as many technician cards as needed and distribute across the voting area.

At this point you might be thinking, OK, but how many computer science professors are going to hack a voting machine? Well, it turns out in August of 2018 at a DEFCON hackathon conference, it took an 11-year-old boy 10 minutes to hack a simulated Florida state voting website and change the results of the election. There was not just one child, but 30 of the 50 children with age ranging from 8 to 16 were able to hack the simulated election website. 

Over the last 6 years there have been many lawsuits concerning the use of these machines all over the country. Not only in Georgia, but Pennsylvania, Michigan, Texas, Arizona, and more.

But it’s not just Dominion machines that have vulnerabilities. In the summer of 2020, students from the University of Pennsylvania conducted an audit of the ES&S voting system1. ES&S claims to be the world’s largest e-voting system vendor, supporting more than 67 million voter registrations with 97,000 touchscreen voting machines installed in 20 states, with optical ballot readers in 43 states. 

The team reported numerous critical vulnerabilities existed in nearly every component of the ES&S system. They identified serious and undetectable attacks that could be carried out by poll-workers and even individual voters. What makes matters worse is that these attacks are not limited to the local machines. There are several attacks that propagate like a virus to the backend systems on the network affecting all the results of a precinct or an entire county. According to their report, virtually every mechanism for assuring the integrity of precinct results and backend systems can be circumvented. With these machines, they found that almost every major component of ES&S can be altered or replaced by other components with which it communicates. In other words, there are many ways to get to the back end to modify the results. 

The calibration of the touchscreen affects how the voters’ input maps to different locations on the screen. If the calibration is incorrect, it could alter the voters’ choices. For example I vote for Alice for the school board on the touch screen, but the machine selected the opponent, Bob. This happened in Pennsylvania in the 2023 Superior Court election. When a voter would select ‘yes’ or ‘no’ on their ballot for one of the candidates, the vote was recorded on the paper ballot and the machine for the other candidate.

Some countries like Argentina and the Philippines have recently banned the use of the machines due to their vulnerabilities. There is talk in different states around the country about doing the same. What should we do to ensure that each voter’s choice counts?

The original article was published in the Sierra Vista Herald here.

The Cyber Guys: Swatting customers, cyber hackers’ new extortion method

What you are about to read is fiction, but the scenario is feasible and, in a few months, may be likely.

Bob was sitting on the couch watching the Chiefs play the Bills. The Bills had just made a touchdown, bringing the score to Bills 17, Chiefs 10. Suddenly the front door burst open and a heavily armed group of people flowed into his home. In moments Bob was on the floor face down, arms behind him zip tied. Bob was under arrest.

Bob wasn’t guilty of a crime. He was the victim of a horrible extreme prank called “swatting.” Someone had accused Bob of posting extreme anti-government threats on social media. Bob’s social media account had been compromised, then filled with anti-government rants. Enough evidence to justify the temporary chaos you just witnessed.

Why was Bob targeted? Unfortunately, he was the client of a medical center that recently had fallen victim to a cyber-extortion group. The patient information was stolen (including Bob’s) and the threat group promised that if the ransom wasn’t paid, the threat group would make life a literal hell for the patients.

Because Bob had the bad habit of reusing his passwords it was trivial for the threat group to take over Bob’s social media account using his stolen credentials and make those false posts. Bob became the first of many to endure such humiliation.

The story is fictitious. But the threat is real. Swatting as a service is the latest tactic threat actors are using to coerce businesses into paying cyber ransom. You are truly just a pawn. Because cyberattack reports are so common today, we’ve become overwhelmed and desensitized to the implications of the threat. But now the implications are physical. Visits from actual police to your home. So far, the police visits have resulted in only momentary inconvenience for the victim and a waste of police resources. But it is conceivable this will escalate.

You are probably thinking, “There’s no way this could happen. Who would ever go to such an extent just to get money?”

The reason you think this is because you are not evil. But there are truly evil people who absolutely don’t care about the pain this causes innocent people. The effort it would take to conduct such a campaign as described above is very little on the part of the threat actor, especially in the age of artificial intelligence.

An AI bot can easily craft the content for social media posts at scale. The level of effort on the part of the human is then as little as copying and pasting the content into a compromised social media account.

But you can do something to make sure it isn’t you who suffers. First, if you don’t absolutely need social media, you can cancel your accounts. One principle of cybersecurity is “if you don’t need it, remove it.” If you do use your social media accounts, make sure you use a password manager like Bitwarden to create and securely store your passwords.

Lastly, you do have a right to ensure your data is secure. The tactic described above has been used against medical centers. Your protected health information is governed by the Health Information Portability Accountability Act. You have the right to ensure your medical provider is protecting you. Ask it to provide you with evidence it is doing more than the bare minimum. If it refuses to show you, then you may consider changing doctors.

I know this sounds extreme, but so is “swatting.”

Original article was featured in the Sierra Vista Herald and can be found here.