Lessons Learned from the CISA Red Team Hack 

Dmitri’s fingers flew over the keyboard as he searched for an access window to the network at Metropolitan Utilities, the biggest electricity provider in the tri-state area. Using a password he had retrieved from the dark web, he connected to an employee computer, then moved silently through the network, scanning for a computer with better privileges. Through this, he hoped to reach the systems controlling the power grid. He called over his shoulder, “Natalya, mne nuzhna nebol’shaya pomoshch’. Would you build me a fake login webpage that matches theirs? If I send it to all the company’s staff, I might trick an administrator into handing over their username and password.”

His partner nodded and emailed a link to the entire IT department under the pretext that there was a failed login attempt that needed investigating. Jason, a junior-level administrator, took the bait. What followed was a chain of events culminating in the effective barring of all administrators from the power grid. 

 “Bingo,” said Dmitri under his breath.  

And at this point the exercise concluded. “Krasnaya komanda! Krasnaya komanda!” (red team) laughed Natalya as Dmitri contacted the blue team, a.k.a. the IT and cybersecurity department of Metropolitan Utilities.

Here is your problem . . . 

Three weeks before, the department had contracted Dmitri and Natalya’s cyber company to run a red team test on the network. Red teaming is a simulated cyberattack conducted by a group of ethical “white-hat” hackers. They use real-world attacker techniques to breach an organization, identify the weaknesses that let them in, and show where its defenders failed to detect or stop them. In this case, the red team’s victory was the result of several basic security mistakes.

The US government has classified electrical, natural gas, water distribution and several other industries as “critical infrastructure”: infrastructure vital to the survival of the nation. Attacks on such industries can be particularly damaging. Recently, the United States Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment resembling the fictitious example above at the request of a real-world critical infrastructure organization. No details about this organization were disclosed except the type of infrastructure: a utility company.

The red team moved through the company’s computers at blinding speed. During the simulated attack, the organization did notice the red team, but it lacked the layered protections, what we call “Defense in Depth,” that would have allowed a prompter response. Instead, it relied on host-based endpoint security tools that had no visibility into network traffic, so it could not see the attacker moving from one machine to the next. Furthermore, its staff lacked appropriate network-protection training, which should be delivered to every employee in small, frequent bites.

The company had previously contracted third-party providers for red team exercises, and its leaders had been made aware of these vulnerabilities. But leadership deprioritized fixing them. They miscalculated both the likelihood that those weaknesses would one day be used against them and the impact if they were. Nothing had been done.

CISA had several key recommendations, which included regular software updates, clean-up of accounts and software that are no longer needed, multi-factor authentication (MFA) and segmented networks. MFA just means requiring more than a password to log in. Authenticator apps like Duo and Microsoft Authenticator are designed for this: the app computes a fresh code on the phone from a secret that never leaves it. Simpler and less secure methods exist, for instance receiving a text or email code, but a code that arrives by text or email can be phished right along with the password. Segmented networks are also fairly self-explanatory. Consider the way a house is partitioned with walls. A network engineer can do the same to your network using firewalls, switches and routers, or through software installed on each computer (which is how your Cochise County Cyber Guys do it). The point is that an attacker who lands on one employee’s computer should not be able to reach the systems that run the grid from it.
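What an authenticator app actually does is easy to show in code. The following is an added example written for this column, not code from CISA, Duo or Microsoft: a generator and a server-side verifier for time-based one-time passwords (TOTP, the RFC 6238 scheme those apps implement), using only Python’s standard library. The secret and the timestamps are constructed test values (the RFC’s own test key); the drift window, the replay rule and the function names are this example’s choices.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed test secret: the ASCII key from the RFC 6238 test vectors, not a real account's.
# A real authenticator app receives its secret (base32-encoded) from the QR code the service
# shows once at enrollment; after that the secret never leaves the phone.
TEST_SECRET = b"12345678901234567890"
TEST_SECRET_BASE32 = base64.b32encode(TEST_SECRET).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter: int = -1) -> Tuple[bool, int]:
    """Server-side check of a submitted code.

    Accepts the current window plus `window` neighbours on each side to tolerate clock drift.
    Returns (accepted, counter); the caller must store the accepted counter and pass it back as
    last_used_counter next time, so a code captured in transit or by a keylogger cannot be replayed.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_used_counter
    if at is None:
        at = int(time.time())
    current = at // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used_counter:
            continue                                   # that window is already spent
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


def secret_from_base32(enrolled: str) -> bytes:
    """Decode the base32 secret shown at enrollment (spaces and missing padding tolerated)."""
    s = enrolled.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit code is 94287082, so the 6-digit code is 287082.
    print("code at t=59:", totp(TEST_SECRET, at=59))
    accepted, used = verify_totp(TEST_SECRET, "287082", at=59)
    print("first use:", accepted, used)
    print("replay:", verify_totp(TEST_SECRET, "287082", at=59, last_used_counter=used))
```

The code is derived from a secret that stays on the phone and from the clock; nothing is emailed or texted, so there is no message for an attacker to intercept. The verifier also remembers the last counter it accepted, so a code that a keylogger captured is worthless once it has been used.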

Lastly, CISA recommended a shift from legacy system and network architecture to a modern Zero-Trust architecture. Zero-Trust, in the context of computers and networks, is something akin to home security. Doors are locked by default, and only close friends and family are allowed in, and they are recognized at the door every time rather than waved through because they are already inside the house. This is called “Deny by Default, Allow by Exception.”

If you’re a business owner and want to understand how to implement Zero-Trust in your organization, contact the Cyber Guys below. The threat is real, and it is growing. Fortunately, it is also preventable. In the case of Metropolitan Utilities, its first “attackers” had no malicious intent. Provided the blue team heeds Dmitri’s advice, they’ll be prepared in the event that a true black-hat team tries to take down the grid. Are our local utility companies up for the challenge? 

Bike welds, spray paint, and cybersecurity 

On the corner of Fort Lane and Gentile Street, beside an aging strip mall with a drugstore, a five-and-dime and a Safeway, was an empty lot—empty except for the yellow, knee-high grass typical of August summers in my hometown. The whole field smelled drier than a canvas sack of wheat; some days the heat of the sun by itself was enough to burn it up. And there, along the trail, my old Huffster soared, leaning and squeaking all the way, with dust flying from its deflated tires. 

My best friend Tracy and I had been stress-testing our pedal bikes. His was a sparkling red Schwinn with a white stripe down the side, chrome fenders and all; mine was a weary old street bike Santa had picked up at the five-and-dime. It had started as a blue-and-yellow Huffy road bike with a banana seat, and in 1984, vintage road bikes weren’t super cool. BMX bikes were cool. So my 1977 Huffy had been rattle-can painted flat white. It now sported an orange saddle seat from my brother’s discarded ten-speed. The tires were balding and weather cracked, not BMX dirt-track style—road style. It was a Franken-bike. And it had spent way too many frigid winters leaning against the side of our trailer house. 

The one thing my Franken-Huffy had going for it was its weight: not a lot of steel in my steed. It was a feather. (The Schwinn, in contrast, was a steel tank. It rode like a tank, and it jumped like . . . well, a tank. In that, and only that, Tracy was jealous of the Huffster.) But here amid the tall, drooping, grass and stifling August air, the glory days of my cracked-tire, rattle-can abomination came to a sudden end. 

Midway through the final jump of its dwindling life, the Huffster came unglued—not literally, but almost. The welds holding both tubes to the gooseneck released their grip, weakened by the cumulative stress of too many jumps and too much extreme weather. I landed on my feet in the dust, kicking up a cloud, which settled at last over the faded, white frame. Then I turned. The rusty handlebars, forks and front tire looked as they always had; the sad remains of the powertrain had collapsed. 

In 1984, the Huffster died. But the Internet was just emerging from its digital nursery. What Tracy and I could not have known then as we strolled sullenly from the yellow field (making a quick stop by the drugstore for a cold Coke) was just how the Internet would affect our world forty years later. Its users have been conditioned to think of computer and network security as the product of intentional design. Truth is, security’s an afterthought. It quite literally is not a requirement. The protections you think are baked into your shiny new laptop have actually been cobbled together and hastily bolted on, much like the structure of the Huffster. And the comfy reassurances and guarantees from its makers are little more than a superficial, flat-white veneer.

We advocate not just for a single coat of illusory security paint, but for many solid layers, as well as a healthy dose of foundational stability. It’s called Defense in Depth. It means you have several layers of protection. And maybe more importantly, you use a dedicated security company like Cybereye in addition to your regular IT company. 

Several of our stalwart readers here in Cochise County have informed us that the knowledge they’ve received through this column has helped them to avoid being scammed. I can’t tell you how thrilled I am for that. We are very grateful to the Sierra Vista Herald for allowing us space to rant about cyber crime. You, our beloved readers, can help us. If you’ve found valuable information here, tell your friends to get the paper so they can benefit, too. (Quality cyber training rarely comes at such a low expense, after all.) Help us reach out to local businesses. The Cyber Guys have a cybersecurity consulting business (also insanely affordable) based in Cochise County. Essentially, we provide preventative treatment for the cancer of ransomware, as well as other kinds of malicious ware. But we need your help spreading the word.

Computer security is what holds our digital world together . . . until it doesn’t. But my poor Huffster with its ruined tires and unsteady, cobbled structure had little more than a film of white paint for reinforcement, and even knowing this, I abused it without a second thought. Don’t fall into that same trap. 

QR Codes, Tattoos, and Quishing 

It was October 2011, and Tony, a 26-year-old web developer and gamer, scrolled through Google Images in search of tattoo inspiration as he made his way down the street to his apartment. He had just stood in line for four hours to get the new iPhone 4S, which had come out that very morning. He was excited about the eight-megapixel camera and the addition of a new personal assistant called Siri that responded to voice commands. All this he would have to try later; Tony loved few things more than pursuing the bleeding edge of technology, acquiring all the latest devices so that he could be among the first to use them. But one thing at a time, he thought. 

None of the tattoo ideas piqued his interest. Then suddenly it struck him: he could get a QR code of his website tattooed onto his forearm to show potential clients. At the time, QR code-scanning wasn’t a native feature in iPhone cameras (and wouldn’t be until 2017), but anyone with a scanning app could scan Tony’s forearm and see his website. It was an awesome sales tactic and a prime use of a technology that, while not exactly new, was on the rise in non-industrial settings. He generated the QR code and printed it for his tattoo artist, who meticulously inked his arm to match the printout exactly. 

Satisfied with its appearance, Tony showed the tattoo to his best friend, Joe. After Joe scanned Tony’s arm, he literally fell over laughing. The QR code tattoo hadn’t directed him to Tony’s website. Instead, it had shown him a YouTube video of a cat playing piano. 

A QR (Quick Response) code is a two-dimensional bar code that can be interpreted either horizontally or vertically and that contains encoded data. The codes were originally developed in 1994 to track products in a manufacturing plant but now have a wide range of uses, including marketing, making payments, connecting to Wi-Fi, accessing restaurant menus, providing directions, and many more. Generating QR codes is very easy, and there are free resources on the internet. I used www.qr-code-generator.com to generate the QR code for this article. 

Cyber hackers are also using QR codes, except they use them to fool users into downloading malicious code or giving up passwords. Using QR codes for a phishing attack is called “quishing.” Last summer, the cybersecurity company Sophos was targeted by a group of hackers. The hackers sent an email to all employees that appeared to be related to employee benefits and retirement plans. The email contained an Adobe PDF document that displayed a QR code. Once an employee scanned the code with a phone, they were taken to a fake Microsoft 365 login form. The moment the employee entered a username and password, the hackers had their company credentials.

Now, employees who’ve kept up to date on all our cybersecurity articles will understand what a phony link looks like and show caution. But when a QR code is scanned on a phone, the link is shown only briefly or not in full, which makes it harder to scrutinize. Hackers may also chain redirections so that the address you glimpse is not the page you end up on.
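One way to give a scanned link that scrutiny is to inspect it before opening it. The following is an added example, not code from Sophos or from this column’s own tooling: it follows a redirect chain one hop at a time without rendering anything, then flags the traits a practitioner looks for in each hop (a brand name in a look-alike host, a shortener, an “@” that hides the real host, a bare IP address, punycode). The shortener list, the expected login hosts, the brand words and the redirect chain are all constructed for the example; in practice the `head` function would send a HEAD request with redirects disabled and return the status and Location header.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed lists for this example; a real deployment maintains its own.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
BRAND_WORDS = ("microsoft", "office365", "okta", "google")


def inspect_url(url: str) -> List[str]:
    """Reasons a link decoded from a QR code deserves a second look (empty list = nothing found)."""
    warnings: List[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        warnings.append("plain http, no TLS")
    if not host:
        warnings.append("no host name")
        return warnings
    if parts.username is not None:                     # https://trusted.example@evil.example/
        warnings.append(f"text before '@' is not the host; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label, possible look-alike domain")
    if host in KNOWN_SHORTENERS:
        warnings.append("URL shortener, destination hidden")
    if host.count(".") >= 4:
        warnings.append("unusually deep subdomain chain")
    if host not in EXPECTED_LOGIN_HOSTS and any(w in host for w in BRAND_WORDS):
        warnings.append("brand name in the host, but not one of the expected login hosts")
    return warnings


HeadFn = Callable[[str], Tuple[int, Optional[str]]]


def resolve_redirects(url: str, head: HeadFn, max_hops: int = 10) -> List[str]:
    """Follow HTTP redirects without rendering anything. `head(url)` returns (status, Location)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        chain.append(location)
    raise RuntimeError("redirect chain too long (loop?)")


# Constructed redirect chain so the example runs offline.
CONSTRUCTED_HOPS: Dict[str, Tuple[int, Optional[str]]] = {
    "https://bit.ly/3xyz": (301, "https://short-redirect.example/go?id=7"),
    "https://short-redirect.example/go?id=7":
        (302, "https://login.microsoftonline.com.verify-account.example/"),
    "https://login.microsoftonline.com.verify-account.example/": (200, None),
}


def constructed_head(url: str) -> Tuple[int, Optional[str]]:
    return CONSTRUCTED_HOPS.get(url, (200, None))


if __name__ == "__main__":
    scanned = "https://bit.ly/3xyz"                    # what the QR decoder handed us
    for hop in resolve_redirects(scanned, constructed_head):
        print(hop, "->", inspect_url(hop) or "nothing flagged")
```

Note that the shortener hop looks innocent until you follow it; the real test is the last address in the chain, which here carries a Microsoft login hostname buried inside a domain that is not Microsoft’s.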

Sophos says they have observed an increasing number of quishing attempts over the past few months, and these attacks are growing more sophisticated. Andrew Brandt says, “Quishing documents now appear more polished than those we initially saw, with header and footer text customized to embed the name of the targeted individual (or at least . . . the username for their email account) and/or the targeted organization where they work inside the PDF.” 

Criminal organizations, perpetually fixed on business opportunity, now provide quishing services to the less talented hackers out there, and the technique is highly effective. To protect yourself, be wary of random QR codes from unknown sources. Be cautious of what turns up in your email inbox. Before you open a scanned link, read the whole address your phone shows; on a computer, Google Lens can decode the image so you can read the full link without opening it. Use your cybersecurity skills (courtesy of your favorite Cyber Guys) to alert yourself if something doesn’t seem right. Know your source before scanning.

It never pays to be inattentive, but luckily for Tony, his problem stemmed from a harmless typo he made when he generated his QR code. He went back to the studio the following afternoon to get the QR code to his actual website tattooed on his other forearm. Lesson learned. 

This Midnight Blizzard brings an avalanche of trouble 

The wind howled; the snow swirled. It had been like this all day. (Why had Karen left Phoenix again? … Never mind.) She knew she should have been home hours ago. Now it was well after dark, approaching midnight, and the streets hadn’t been plowed. Driving home would be dangerous. She sighed. More from habit than necessity, she opened the door to the car, sat, reached for her phone, and checked her email. 

“What? Again?”  

Karen was sick of receiving these cybersecurity training reminders from IT. They were obviously unaware that she had an important and fast-approaching deadline. If she missed it, she would lose her biggest account and Christmas bonus. Her children were counting on this bonus. They had planned a cruise during spring break. She didn’t have time to waste. 

On closer inspection, though, the email had nothing to do with training this time. Channeling all the security knowledge she had previously acquired through IT, Karen checked the sender address. 

“It’s good. It actually is from IT. It’s just for verification of my username and password. This one should be quick,” she thought. 

Oh no. Karen’s about to be the victim of a classic phishing-email-sender-verification oversight. And I’ll bet you’re thinking, “Tom, she checked the sender. She verified it really was from IT.” Yep. Most of our readers will notice from the start that Karen was astute. But it’s midnight. She’s tired and cupcake-drunk (ask me later), and she’s pushing up against a terrifying deadline. So, she did the only thing her amygdala would allow her to do: find the shortest path to safety. 

In this case, “safety” meant getting the annoying email out of the way so she could finish her report before the deadline. What she missed was context. IT never asks for a user to verify credentials in response to an email. Actually, she was instructed during on-boarding never to respond to an email requesting credential verification. The sender address was spoofed—a.k.a., faked. Yes, that’s a thing. 

The attack we’re scrutinizing this week is currently in use by a Russian attacker that Microsoft calls “Midnight Blizzard” (for real). The attack goes like this: thousands of emails are sent to users at various target companies. Attached to these emails is a file with “.rdp” at the end of the name. That is a Remote Desktop connection file, the same kind IT uses to reach a server. Open it, and your computer starts a Remote Desktop session to a server on the internet controlled by Midnight Blizzard, and the settings inside the file can hand that server your local drives, clipboard and other resources for as long as the session lasts.
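Because the danger is in the file’s own settings rather than in a link, an .rdp attachment can be checked mechanically before a user ever opens it. The following is an added example, written for this column and not code from Microsoft or from the campaign: it parses the standard name:type:value lines of a Remote Desktop connection file and flags the ones that point the session at an outside host or share the user’s drives, clipboard, devices or smart card with it. Both sample files are constructed, and the internal-domain suffix is an assumption; adapt it to your own network.

```python
from typing import Dict, List, Tuple

# Constructed sample, not a file from the campaign: the fields are the standard ones a Remote
# Desktop connection file uses, in the "name:type:value" form that mstsc.exe writes.
SUSPICIOUS_RDP = """\
full address:s:remote-support.example:3389
authentication level:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Outlook
"""

# Constructed benign file: the company's own jump host, with nothing shared back to it.
BENIGN_RDP = """\
full address:s:jump01.corp.local
drivestoredirect:s:
redirectclipboard:i:0
redirectsmartcards:i:0
"""

# Assumption for this example: the organisation's own hosts end with this suffix.
INTERNAL_SUFFIXES = (".corp.local",)


def parse_rdp(text: str) -> Dict[str, str]:
    """Turn 'name:type:value' lines into {name: value}; the type letter is dropped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        _type, _, value = rest.partition(":")        # value may itself contain ':' (host:port)
        settings[name.strip().lower()] = value.strip()
    return settings


def target_host(full_address: str) -> str:
    """Strip an optional :port; IPv6 targets are written as [addr]:port."""
    if full_address.startswith("["):
        return full_address[1:full_address.find("]")]
    return full_address.split(":")[0]


def triage_rdp(text: str) -> Tuple[str, List[str]]:
    """Return ('allow' | 'review' | 'block', findings) for an .rdp attachment."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = target_host(s.get("full address", ""))
    external = False
    if not host:
        findings.append("no target host")
    elif not host.lower().endswith(INTERNAL_SUFFIXES):
        external = True
        findings.append(f"connects to external host {host}")

    redirection: List[str] = []
    if s.get("drivestoredirect"):
        redirection.append("maps local drives to the remote machine")
    if s.get("devicestoredirect"):
        redirection.append("forwards local devices to the remote machine")
    if s.get("redirectclipboard") == "1":
        redirection.append("shares the clipboard with the remote machine")
    if s.get("redirectprinters") == "1":
        redirection.append("shares printers with the remote machine")
    if s.get("redirectsmartcards") == "1":
        redirection.append("forwards the smart card (sign-in credential) to the remote machine")
    findings.extend(redirection)

    if s.get("authentication level") == "0":
        findings.append("server certificate warnings suppressed")
    if s.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode: a remote program is shown as if it were a local window")

    if external and redirection:
        return "block", findings
    return ("review" if findings else "allow"), findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        verdict, why = triage_rdp(sample)
        print(f"{label}: {verdict}")
        for line in why:
            print("  -", line)
```

A mail gateway can run the same check on every .rdp attachment and quarantine the ones that both leave the network and redirect local resources; a user does not have to recognize the trick at midnight.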

Always remember, whether it’s the IT department asking for password verification, the IRS notifying you of an audit, or a Nigerian prince asking for a loan, the rule is the same: never respond to any communication asking you to verify anything. Never trust any information you receive in an email, phone call, or text. When in doubt, hang up the call, close the email or text, and make contact using a phone number you know is good. 

Even if Karen had chosen to remain in Phoenix, it would have served her to be wary of a blizzard. And it will serve you, too, whether in the blistering heat storms of Arizona or far beyond. 

Voting Village In Vegas: Gambling Or Voting? 

As you walk through the lobby of Caesars Palace, you marvel at the grand marble pillars and the sea of glittering chandeliers. You are floored by the opulence and glitz that surrounds you. The lobby bustles with tourists looking to win big, and their excitement fills the air. As you open the door to the conference room, though, the atmosphere does a complete 180. Computers, voting machines and e-polling devices fill the room wall to wall, with network and power cables snaked between them. Blinking lights pulse to a steady rhythm. You’ve just stepped into the DEF CON Voting Village.

White hat hackers (the good guys) travel here annually from around the world to hack into voting machines and report whatever vulnerabilities they find to vendors and authorities. This year, their convergence at Caesars Palace took place from the tenth of August to the twelfth. They’ve been meeting since 1993, figuring out how to hack anything from security systems to light bulbs to cars. They started hacking voting machines in 2017.

That first year, it took them two minutes to hack the system remotely and manipulate the votes. This year, one participant modified the touch-screen voting platform to show a video of Rick Astley’s “Never Gonna Give You Up”—just a fun little prank to demonstrate the system’s vulnerability. But beyond that, they found many real issues. For instance, they were able to use a USB drive to scramble the machines’ tallying capabilities. Though many more issues were found, they’ve been kept closely guarded so as not to fall into the hands of bad actors. 

The hacking team provided their results to the vendors. Unfortunately, none of the vulnerabilities they discovered will be fixed in time for the election. The vendors claim that there isn’t enough time, and that the process is much more complex than the tailoring and debugging of your monthly Microsoft updates. Many of the vulnerabilities DEF CON identified in their first Voting Villages were found again this year. Harri Hursti, Voting Village’s co-founder, said in an interview at the end of the event, “There’s so much basic stuff that should be happening and is not happening, so yes I’m worried about things not being fixed, but they haven’t been fixed for a long time, and I’m also angry about it.” 

Hursti seems concerned about the threat foreign adversaries pose to US elections. He noted that it took his team only two-and-a-half days to find and take advantage of the faults in the system. “If you don’t think this kind of place is running 24/7 in China, Russia, you’re kidding yourselves,” he said. I agree. Any organization with the resources and an incentive can easily hack this infrastructure.   

Jake Braun, another co-founder of the event, noted in a podcast in August that the E-poll books are especially easy to hack and are notorious for breaking often. This could cause serious delays. He recommends that polling stations print multiple copies of the voter registration lists for each district. 

In our column on voting machines this past spring, I noted that the calibration of the touchscreen affects how the voters’ input maps to different locations on the screen. If the calibration is incorrect, it could alter the voters’ choices. During early voting for the November election, there are reports that this has happened in both Tarrant County, TX and Shelby County, TN. The screen showed the proper vote, but the printed copy showed a vote for the unselected candidate. If you are using the touch screen device, check your printed ballot.

Although gambling might be the heart of Las Vegas, it should not be the heart of Election Day. Using this infrastructure to determine who governs our land is like pulling the handle of a slot machine in Caesars’ lobby.

NSA And Your Privacy, How To Hide In Plain Sight 

Lightning flashes, splitting the darkness and casting a brilliant, grey light upon the boxy concrete building. The sight evokes a feeling of dread. It’s funny. For all its striving, the government cannot seem to communicate any other feeling in its architectural designs. This site would benefit from a flower bed or a colorful flag . . . but razor wire? 

I’m referring to the euphemistically-named Utah Data Center in Bluffdale, Utah, once a plot of dry desert grass, now a sprawling federal compound comprising a total of twelve cooling towers and two chiller plants. Chilling is right. The Wall Street Journal calls it a “symbol of the spy agency’s surveillance prowess”.

Edward Snowden, National Security Agency (NSA) contractor turned snitch, pulled back the curtain at the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center (in case you’ve ever wondered whether Doublespeak exists outside the book 1984). Behind the curtain sits a wizard of data storage capacity some have estimated at zettabytes or even yottabytes, a.k.a. “tons and tons”. For perspective, 400 terabytes can store every book that has ever been written. A yottabyte is about two and a half billion times that, so at the high end of those estimates the wizardry could hold billions of copies of every book in the world.

But they aren’t actually storing books. They’re storing copies of every text message, every email, every phone call, and every web search any of us has made since 2013. And now that the Artificial Intelligence genie is out of its lamp, we know how easy it is for this “benevolent” spy agency to find anything they want. (Hang on a second, my tin foil hat is sliding off a little.) 

Now, I’m often told by passers-by, “The government doesn’t care about me. I’m a nobody.” That’s true. They don’t care about you. Until they do. In 1932, approximately 3.9 million “nobodies” were starved to death in Ukraine. According to an authoritative article on History.com, the reason was (partly) “to punish independence-minded Ukrainians who posed a threat to [Stalin’s] totalitarian authority”. 

Here in Cochise County, we have a lot (terabytes, maybe?) of independent-minded citizens—nobodies, if you will—posting messages to Facebook and Instagram, Snapping, Tweeting, DM-ing, emailing, chatting over the phone without reserve. We nobodies have a choice to make: we can either continue to have faith that our privacy protections are guaranteed, or we can hide. 

If you’d like to hide, then consider encrypting all your communications. Two excellent choices are the Signal app for texting and phone calls and Proton Mail for all your email communications. I use them, and I know a lot of brilliant people who do the same, not because we have anything illegal to hide, but because we believe our private communications should remain private. 

The NSA plays an important role in safeguarding our Republic. May they continue to do so. Like lightning in a storm, may they shed light on the darkness that threatens to swallow us.

Butch Cassidy, the Sundance Kid, and the Money Mules 

On a dry and pitch-dark night in early June of 1899, the tired old engineer of the Union Pacific Railroad train thought he saw a flicker up ahead. Since he was just outside of Wilcox, Wyoming, he assumed those two lanterns meant that the bridge ahead was washed out. He rolled the engine to a stop to find two masked men holding the lanterns. With the “Hole-in-the-Wall” gang, led by the famous duo of Butch Cassidy and the Sundance Kid, running loose in these parts, he knew this was trouble. Soon four more bandits joined the first two, and together they found the safe. When the security guard refused to open it, they laid dynamite and blew it open. The team of bandits made off with $50K in cash plus jewelry, gold, and diamonds.

Executing the heist was one thing, but getting away with it was another. Sundance handled the heist, and Butch handled the get-away. While Sundance’s team was busy cold-cocking engineers and blowing up safes, Butch was setting up a chain of horses to get the gang out of danger. They ran the horses until exhausted and picked up fresh horses, so they were far out of reach of any possible pursuing posse.  

Cybercrime today is a lot like the Wild West. The hackers are experts at executing the modern-day bank heist via the cyber realm. They skillfully slip into critical computers, crack passwords, and open up the victim’s bank account. Now how do they get the money out without being tracked? I’m glad that you asked. They use money mules. 

A money mule is someone who moves the money out of the victim’s account and wires it on to the hacker’s account. They are the middlemen of the operation. Many money mules have no idea that they are participating in a crime. They think they have a part-time job that pays well; sometimes they call themselves transfer agents. Money mule recruiters target people looking for part-time, remote employment, and the jobs usually involve little work other than receiving and forwarding bank transfers. They advertise just like any other recruiter. Initially the mules are given busywork, menial tasks for the first week, during which the criminals weed out the bad workers. If they are late to work or lazy, they are fired. A money mule must be reliable; an unreliable one could cost the organization a large amount of money.

On a given day the mule would watch the “company’s” message board for instructions. It would say something like: “Good morning. Our client, Acme Corp, is sending you some money today. Please visit your bank, withdraw this payment in cash, and then wire the funds in equal payments, minus your commission, to these three individuals in Eastern Europe.”  

Evil Corp, a Russian hacker group, used money mules in their operations and is in the news again. There have been multiple arrests in the United Kingdom, France and Spain. Some of those arrested were unwitting money mules. The United States Department of Justice worked with European authorities, as many of the Evil Corp victims were located in the United States.

Evil Corp’s leader, Maksim Yakubets, is still on the loose. Just like the Wild West, there is a bounty on his head: $5M. His father-in-law, Eduard Benderskiy, was recently named and sanctioned by Western authorities, who described him as a protector of the Evil Corp crime organization.

If you see a post on social media or an unexpected direct message with a promise of easy money by being a money transfer agent, you may want to reconsider that opportunity. It could land you in jail. If you are like Butch and Sundance, you could end up surrounded by the Bolivian army in South America. Don’t take the bait.  

Darkness Rising 

In the darkness the stranger dragged Frodo’s little frame banging each creaky stair along the way. After ducking through the narrow doorway he deposited his charge onto a scratchy straw mattress. “Are you afraid?” was the first thing the sweaty stranger uttered as his heavy boots thundered across the worn planks. His heart pounding in his throat, the only words Frodo could squeak out were, “A little”. As the looming figure swept hastily through the dank air dousing each candle with his filthy fingers, he scolded Frodo, “Not frightened enough! I know what hunts you.” 

The hunters from the Tolkien world of Middle Earth may have once been fiction. Then and there, it was a world of sinister forces bent on destroying most, and dominating the rest. Driven by a delusional Dark Lord, the seeping despair of Mordor seemed inevitable. Here and now, the veneer of fiction is worn precariously thin. Like butter scraped across too much bread. Sinister, dominating, and delusional forces are wreaking actual havoc. Frodo timidly lurks inside each of us as we naively peer through the computer monitor into the depths of Mordor itself.  

Before anyone in Middle Earth feared the rise of the Dark Lord Sauron, there was a shadow in the east. But too many were too busy being normal in the light to fear the abnormal darkness they couldn’t see. Like the people of Middle Earth, there is a darkness looming. Lurking. Creeping. No, Mordor is not the Dark Web. Mordor isn’t even distant. Mordor isn’t rising. It has risen. It is here. Mordor is your email. Or your favorite website. Mordor is a text message, or even a phone call from your son or daughter.  

You see, back in the 1900s when the internet was born, security wasn’t an afterthought. Nor was it a forethought. In the 1900s, when the internet was shiny like a new penny, people planted gardens and helped a stranger. Work was where you went. And home was where work didn’t dare go.

Now the new millennium has dawned. Work has invaded home. People don’t help strangers, or plant gardens. The internet has a patina. Or a mold. Or a fungus. Or a crust. And internet security is still mostly unthought. It’s sad that the millennial dawn did not bring the hope, or relief as promised. Dawn brought chaos. The Internet brought chaos.  

Since the internet was raised without rules or boundaries, like the Dark Lord Sauron, it is we who must change if we hope to defeat it. Our insistence that we can continue to do things the same way day after day is like carelessly giving a lift to a hitchhiker. Maybe it’s like thinking there will always be toilet paper at the store. Or that store-bought tomatoes are as good as those you used to grow in the back yard.  

At the end of Frodo’s story, the darkness of Mordor actually arrived at the shire. In the story of your world, you can’t really see the darkness. But the darkness can see you. In Frodo’s world, the antagonist was the aggressor. It’s usually the aggressor who has the upper hand. Oh, Frodo eventually won. But because he started too late there was a lot of pain between his home under the hill, the Mount called Doom, and back again. 

The Destruction of Tyre and the Security of Cloud Applications 

The island city of Tyre was a beautiful, powerful and strategic Phoenician trading city in the eastern Mediterranean. Its defenses were so strong that it survived a 13-year siege by the great Babylonian conqueror Nebuchadnezzar, beginning in 586 BC. The people were proud of how impenetrable they were. That is why, when Alexander the Great came along in 332 BC, they did not negotiate with him. So Alexander’s army razed Old Tyre, which stood on the mainland next to the island city. The army used the rubble of Old Tyre to build a causeway out to the island, where they laid siege to the city for seven months, after which they utterly destroyed the city and its people.

That story comes to mind when I hear businesses say they don’t need cybersecurity protection because their data is in the cloud. It is safe and sound, and no one can hack it because it is not on site. It’s hiding in the cloud. Here are three reasons why they are wrong: keyloggers, stealers and RATs.

A keylogger is malware designed to record the keystrokes made on a computer or mobile device. A keylogger captures everything you type, including emails, passwords, messages and search queries. This information is then sent to a third party.

On a typical morning for a cloud-centric business, an employee starts work by opening email. On an infected system, the keylogger has already captured the email password, so the attacker can read the mailbox to spy or use the account for financial gain. The attacker is also hoping that your multi-factor authentication code is sent to that compromised email account. Next the employee logs in to the business apps in the cloud. This could be a healthcare system, a logistics system or a financial system, whatever makes that business move forward. Perhaps an administrator pays an invoice, typing in bank account information or the username and password for the bank. Maybe they use a credit card to pay the invoice instead. That’s right! All that information is now in the hands of the hacker, thanks to the keylogger, and the cloud never had a chance to protect it, because the theft happened at the keyboard before the data ever left the office.

Stealer malware, or infostealer malware, targets user credentials, browser data, cryptocurrency wallets, and any other personal data on your device. Not only can it take the usernames and passwords saved in your browser, it can also pull credentials from certain applications and accounts that do not run in the browser. Some stealers have been able to access crypto wallets such as Phantom, Binance, Coinbase, and more. Stealers gather much the same information as keyloggers, but they don't have to wait for anyone to log in and start typing; they search the device for data that is already stored there.

A Remote Access Trojan (RAT) is malware that gives an attacker remote control over an infected computer or device. Once installed, it opens a command channel to the machine that the attacker can use at will. Sometimes they steal data. Other times they install additional malware or spyware. They can reconfigure the local firewall or shut down other security measures. RATs are usually delivered by phishing, often an email with a PDF attached; the PDF carries an action that launches an executable, which downloads and runs the RAT.
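The PDF-carried download described above can be triaged before anyone opens the attachment. The script below is an added example, not code from the column: it scans the raw bytes of a PDF for action keywords a legitimate invoice rarely needs (/OpenAction, /Launch, /JavaScript, and so on), decodes the #xx name escapes that malicious PDFs use to hide those keywords from naive string searches, and pulls out the file that any /Launch action would execute. The two PDFs embedded in it are constructed for the demonstration.

```python
import re
from collections import Counter

# Action and embedding keywords that a benign document rarely needs. Heuristic list, not exhaustive.
SUSPICIOUS_NAMES = {
    "/OpenAction": "runs an action as soon as the document is opened",
    "/AA": "additional actions triggered by page or form events",
    "/Launch": "launches an external program or file",
    "/JavaScript": "embedded JavaScript",
    "/JS": "embedded JavaScript (short form)",
    "/EmbeddedFile": "a file embedded inside the PDF",
    "/RichMedia": "embedded rich media (e.g. Flash)",
}

_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")      # one PDF name token
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")  # #xx escape inside a name


def _unescape_names(data: bytes) -> bytes:
    """PDF names may spell any character as #xx, so /#4Caunch is /Launch. Normalise before matching."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious name tokens in the raw file. Returns {} when none are present."""
    counts = Counter()
    for m in _NAME_RE.finditer(_unescape_names(data)):
        name = m.group(0).decode("latin-1")
        if name in SUSPICIOUS_NAMES:
            counts[name] += 1
    return dict(counts)


def launch_targets(data: bytes) -> list:
    """Return the /F operand (the file to execute) of each /Launch action written as a plain string."""
    norm = _unescape_names(data)
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"/Launch\b.*?/F\s*\(([^)]*)\)", norm, re.S)]


def is_suspicious(data: bytes) -> bool:
    return bool(scan_pdf_bytes(data))


# Constructed sample: a one-page PDF whose catalog runs a /Launch action on open.
# The action name is hex-escaped (/#4Caunch) the way evasive samples do it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /#4Caunch /F (cmd.exe) /P (/c payload.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        hits = scan_pdf_bytes(pdf)
        print(label, "suspicious" if hits else "clean", hits, launch_targets(pdf))
```

Two caveats for real use: objects packed into compressed object streams are invisible to a raw byte scan, so inflate the streams first or use a dedicated parser such as Didier Stevens' pdf-parser; and a hit is a reason to detonate the file in a sandbox, not proof of malice, since some legitimate forms do use JavaScript.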

What can you do about all this, you ask? First, do not fall for phishing and social engineering by email or text, and do not click a link from someone you don't know. Second, turn on multi-factor authentication everywhere you can, especially for anything that handles money, but also for social media, email, and business applications. Keeping your anti-virus up to date is a start, but signatures do not stop zero-day or brand-new malware. Monitor your accounts. If you run a business, you should have endpoint detection and response (EDR) installed on every computer. EDR is an agent that watches what is written to disk and what executes on the system, blocks unauthorized execution, and keeps a record that responders can use afterward. Talk to your local Cyber Guys for details.

Just because all your applications and systems are in the cloud doesn’t make you bulletproof.  Don’t be like Tyre and find out too late that Alexander is building a land bridge in the front yard.   

SS7 SMS Attacks, a Throwback to the Phreaking of the 70s 

This article will be hard for you to read. Not in the way all my other articles are hard to read. This one will be emotionally hard. And let me give you the call to action right now (in the government we call it the Bottom Line Up Front (BLUF)).  

The BLUF is this. You will need to do two things. First, log into all your bank and other financial accounts and your email accounts, turn on multi-factor authentication, and make sure you ARE NOT using SMS or text message to deliver the one-time passcode; an authenticator app is the usual alternative. Second, if you are in a relationship in which you do not trust your partner, either reset your phone to factory settings or dispose of it and buy a new one. Then ensure they NEVER have access to your phone unlocked. Ever.

Now, the reason for all this. The technical parts that follow are necessarily grossly oversimplified. In 1975 the telecommunications industry began developing a new signaling protocol, in part to end "phreaking", the trick of playing tones into the line so the network would grant free long-distance calls. That protocol, Signaling System 7 (SS7), fixed phreaking by moving call-setup signaling out of the voice channel, but it was built for a closed club of trusted carriers and has no authentication of its own. It has not really been updated, and it is still the backbone that routes every call and text message to your cell phone. Anyone with access to the SS7 network, and that access can be bought or leased, can redirect your calls and text messages from anywhere in the world without installing any malware on your phone. And you will never know.

So, if your bank sends that one-time passcode by text message (SMS), all an attacker with SS7 access needs are your phone number, username, and password. They can render you penniless. Your financial accounts and your email accounts are probably the most important part of your digital life. Treat their logins with the utmost care.

That's the first part. The second is this. If you are now, or have ever been, in an abusive or otherwise untrustworthy relationship, what follows might sound familiar. Bob (names have been changed for privacy) met Jane, the girl of his dreams. He thought it was cute when Jane insisted that they share their phone PIN codes. The cuteness ended there. Eventually Jane began to insist on more and more control over Bob's life, without reciprocating. Before long, Bob found that all the contacts in his phone had been deleted. All the female contacts. And Jane had changed her own PIN.

It's just a PIN code; you don't have anything to hide, is your initial thought. But this sweet new addition to your life may have a dark side. This adorable partner could, with as little as $175, install spyware on your phone, or buy you a phone with the spyware already installed. The spyware literally gives them access to everything, including both cameras and the microphone.

People make a huge fuss over the need to keep Social Security Numbers (SSN) private. But did you ever think the secrecy of your phone number would be more important than your SSN? When it comes to your phone number, in the words of Gandalf, “Keep it secret. Keep it safe.” Fortunately, unlike your SSN, you can get a new phone number. 

In addition to factory resetting the phone and setting up non-SMS-based MFA for your online accounts, you should SERIOUSLY consider using the Signal app for all your communications. Against SS7 interception it helps because voice and video calls and messages are end-to-end encrypted and carried over your data connection rather than the carrier's voice and SMS channels, so an eavesdropper on the signaling network gets nothing useful. It does not change what your bank sends by SMS, which is why the MFA change above still comes first.

There are many more details. I’m more than happy to chat about it if you want to email me. Just no phone calls.