A Chicken Tale – A Cyber Parable

A Cyber Parable:  Imagine you are a chicken rancher. Your chickens are free-range, no antibiotics, and (most importantly) hypoallergenic. So, people with egg allergies can use your eggs to make cookies and other goodies. If they ever inadvertently eat store-bought eggs, they would die. You can see the value in your eggs.

You Are At Risk:  But who would even want to harm your business? You are small. You only serve a small geographic area. Now imagine you have a very elite clientele. Because your eggs are so unique, your clientele consists of some very influential and powerful people. If a criminal wanted to target a powerful person, they wouldn’t have to do it directly. All they have to do is gain access to your hen houses and plant store-bought eggs, then wait for you to deliver them to your clients. It doesn’t even matter to the criminal if they hurt others as well; those would merely be collateral damage. As long as their target was affected, their mission is complete.

Supply-Side Attacks:  This is pretty much how supply-side software attacks happen. A legitimate software vendor with lackadaisical security on their software repository (the henhouse) gets infiltrated by a threat actor. A legitimate file (your precious eggs) gets infected with malware (store-bought eggs), then the threat actor simply waits for the vendor to ship out the infected file.

Does this happen? You bet it does. A few months ago, a huge software vendor named SolarWinds had this happen to them. It affected about 18,000 of their high value customers. 

Try This:  So now we find we can’t even trust the vendors to keep their software repositories (their hen houses) safe. But what can you do about it? Here’s what you can do. Before you install any new software or any update, you can upload the software to virustotal.com and have the file scanned for you at no cost. It’s not foolproof but will give you at least a small measure of assurance the file hasn’t been tampered with.

Some Cautionary Statements: There are two possible problems here. First, VirusTotal is a public website, so don’t upload any sensitive files. Second, VirusTotal will only report a file as malicious if: 1. VirusTotal has seen it before AND 2. The antivirus engines it uses to scan the file have verified the file is malicious. What this means to you is, if the good eggs were just switched out for bad eggs this morning, VirusTotal will not know it’s bad, and you will install malicious software. So, with this technique, your mileage may vary.

Other Options:   There are other options for your protection that we have discussed in other articles, like application whitelisting and ring-fencing, that can provide more protection.  Ask us or your local cyber team about it.

Time to Put a Light on the Shadows

Missile Controls: During the Cold War, there were hundreds of top-secret nuclear missile silos around the United States and allied countries.  An example of such a silo can be seen here in Arizona at the Titan Missile Museum.  Many of the silos are still in use today.  They are guarded by service members with extremely high-level security clearances, and the details of the location and security procedures, if exposed, could give the enemy the upper hand.

National Security Issue: Understanding the importance to national security, what if I told you that for the last seven years, details of operations of nuclear weapons in Europe have been on the internet, freely available to anyone through flashcard-learning applications?  Since 2013, flashcards on applications like Quizlet, Chegg, and Cram were created by service members at six European bases to help them memorize security protocols about US nuclear weapons and the bases.  Details included the location of the exact shelters and “hot” vaults that contain the nuclear weapons.  Camera positions, frequency of patrols, and unique identifiers for restricted area badges were part of the package.  In addition, secret duress words that signal when a guard is being threatened were exposed.

Security Breach: A journalist from Bellingcat looked up terms associated with nuclear weapons bases, like Weapons Storage and Security Systems (WS3), associated with air bases, and the flashcard apps showed up.  This was a huge security breach, and it went on for more than seven years! 

Shadow IT: This is a perfect example of the risks of Shadow Information Technology (Shadow IT).  Shadow IT is any technology that employees use without approval or support from their IT department. Examples of Shadow IT include using personal email, music streaming services, collaboration tools, and storage and sharing applications that have not been approved for use.

Circumventing the System: The flashcard-learning applications are cloud-based applications open to the public.  The service members did not have a similar technology to help them memorize all the protocols, so they went to the web and used a specific free tool that helped them learn much more efficiently.  The members created Shadow IT because the military did not provide a secure solution. Sometimes, Shadow IT reveals to management which tools are required to get the mission accomplished.  If leadership had acknowledged the requirement and created a secure solution, that sensitive information would have been kept secret.

Big Risks: Shadow IT is a security risk.  It is projected that one-third of successful cyber-attacks are on data located in Shadow IT resources.  That’s because, if the IT department does not know about it, they can’t secure it.  When left unchecked, businesses risk exposing proprietary data or customer data.  If exposed, that means loss in the marketplace, downtime, fines, or damage to reputation.

How to Avoid It: To protect your business, find out all the tools that are being used by your staff.  Provide amnesty to anyone using unauthorized apps. This provides insight into what is required for their tasks and gives you a chance to confer with your IT or cybersecurity professionals to determine a secure way forward.  Whitelisting application tools provides insight to management into what applications are used on the work network, and management can decide what is allowable.  There are no secrets when a whitelisting tool is used.  Shadow IT is exposed to the light.

Moral of the Story: Whether you are protecting nuclear warhead secrets, or your company’s process to beat the competition, Shadow IT can have a negative impact on your operations.  Discover what is out there and find a way to secure it. 

Catching Wild Pigs

How to Catch a Wild Pig: You catch wild pigs by finding a suitable place in the woods and putting corn on the ground. The pigs find it and begin to come every day to eat the free corn. When they are used to coming every day, you put a fence down on one side of the place where they gather. When they are comfortable with the fence, they begin to eat the corn again, and you put up another side of the fence. They become oblivious to that, and they start to eat again.

Continue until you have all four sides of the fence put up with a gate in the last side. The pigs, habitually coming to eat the free corn, enter through the gate to eat; you slam the gate on them and catch the whole herd. Suddenly the wild pigs have lost their freedom. They run around and around inside the fence, but they are caught.

It Happens to Us: Is this a ranching piece or the Cyber Tripwire?  There is a parallel between the wild pig parable and what is known as “cybersecurity fatigue.”   According to the National Institute of Standards & Technology, security fatigue is “a weariness or reluctance to deal with computer security.”  When asked to make more computer security decisions than they are able to manage, people tend to experience decision fatigue, which leads to security fatigue. Every day, people on their computers are being asked to make a multitude of cybersecurity decisions:  “What’s the password for this site?”  “Should I open this email?”   “Is it OK to click this link?”

Collaboration Tools: Due to the pandemic, more people are working remotely, leading to the skyrocketing usage of collaboration tools like Discord, Teams, and Slack.   Users who collaborate, share links, and send files rarely stop to ask whether the link is legitimate or whether the file has embedded malware.  (Was that a fence that just went up? Nothing to see here—it’s normal.)    We’ve been lulled into thinking that we can disregard security concerns for these collaboration tools.

Hackers Take Over: Recently Talos, Cisco’s cyber intelligence division, wrote an article about how hackers are using collaboration tools to evade organizational defenses.  The hackers improperly use the legitimate collaboration tool, which is not blocked, to distribute their malware. This happens because many of the security perimeter controls existing on email or web browsers are not in effect with these collaboration tools; thus, hackers prey upon employees’ cybersecurity fatigue. This fatigue works in the hackers’ favor because users are accustomed to passing information such as links and files through these chat tools thinking they are secure.  (What’s that fence doing there? It’s all normal—nothing to see here.)

Your Countermeasures: Organizations should take measures to combat this, like whitelisting applications and employing endpoint detection.  “Least privilege” should be employed, meaning regular users are not running as administrators.  Remember:  If you click on a malicious link as administrator, that malware now becomes the administrator of your system.  Micro-training, another option for better cybersecurity for your employees, consists of weekly three-minute videos sent via email to keep the protection of your business at the top of their minds.

Pay Attention: Be careful while using your organization’s collaboration tools.  Treat files and links in those tools just like you would in emails.  Stay alert.  That way, when you are happily eating your free corn in the field, and the next day there is a peculiar-looking fence, you’ll know it’s time to run!

The Stuffing Will Make You Sick

The Conflict: For years, my mother-in-law insisted on stuffing the turkey – with stuffing. She wanted the stuffing to get all the turkey deliciousness by absorbing the juices. I didn’t really like it because the stuffing was soggy, and we had to cook the bird longer. That meant dry breast meat.

The Solution: Now, our family is in charge of the Thanksgiving meal. We don’t stuff the turkey. We brine it. Then smoke it. The result? Juicy turkey breast, and crisp, fluffy stuffing. I win.

The Concern: The problem is with putting stuffing in the bird, you can end up with salmonella poisoning if you don’t get the center of the bird up to 160 degrees. That’s what the experts say, anyhow. I’ve never felt like it was worth the risk to test that hypothesis. So, I just kept my mouth shut and soaked the dry breast meat in salty gravy.

Credential Stuffing: There is another stuffing that will make you sick. It’s called “Credential Stuffing.” It works like this: You read a really captivating Cyber Tripwire article about passwords. You’re instructed to make them long. Thus, you create a portmanteau of the first name of every grandchild and their birth year. Then to make it really strong, you put an exclamation point at the end. NO ONE will ever guess that! You have your new favorite password.

Just One Password: Next, you proceed to change all of your passwords to that new, really strong one. Instagram, Facebook, Bank of America, Linkedin, Gmail… the list goes on. Every website you use regularly now has a really strong password—the same password.

The Opening: All it takes is for a threat actor to get the password database from one of those sites, and they will have your email address and password for every other site, especially your email account.

Textbook Scams: What they do next is textbook. They log into your email account and send spam emails to everyone in your address book, straight from your account! One of my clients received an email this week from the victim of an attack just like this.

The email read something like, “Hey, when you get a second, I have something important to talk about. Let me know your availability.” If the recipient replied, there was an immediate response. It read, “Thanks for getting back with me. My daughter was diagnosed with cancer. I’m hoping you can help out financially. Just send me some Google Play gift cards.” This was a classic gift card scam.

The Process: Gift card scams and their variations, such as the “Refund Scam” and the “Fake Tech Support Scam,” almost always involve gift cards. Here are a few characteristics to watch out for:

  1. Someone CALLS YOU on the phone promising an unexpected monetary award (refund or sweepstakes).
  2. Maybe you get a scary pop-up screen on your computer notifying you of several viruses detected. The screen has an 800 number prominently displayed (Remember: Emotion shuts down the logic center of your brain.).
  3. The person on the phone almost ALWAYS has a non-American accent (No prejudice here. Just fact.).
  4. The person on the phone, or the fake tech support person “accidentally” refunds you too much money.
  5. They need you to “help them get that overpayment back or they will lose their job” (Preying on your natural goodness.).
  6. They instruct you to buy several thousand dollars in gift cards.
  7. Or, they may instruct you to use Western Union to wire money.
  8. Or, they may instruct you to get physical cash from the bank and ship it via FedEx.

Notice the Signs: No matter what the person tells you, or what you see on the computer screen, these are tell-tale signs of fraud. If you find yourself in a situation like this, immediately hang up the phone and contact the cyber guys from CyberEye BEFORE any transactions take place.

Cyber Food Poisoning: Undercooked stuffing can make you sick. Credential stuffing leading to a gift card scam is no less annoying than food poisoning.

The Flight of the Auk

Adaptability: One of the fundamentals of survival is the ability to adapt quickly to a changing landscape.

In June 1844, the last Great Auk was killed, ironically, so it could nest permanently in a dusty museum.

Akin to the Dodo: The Great Auk was a helpless, hapless, flightless bird that bred in colonies on some rocky islands in the North Atlantic. You may never have heard of it. Perhaps, because the sly insult “strong as an Auk” doesn’t sting like “cunning as a Dodo”, and “Auk”, could be linguistically confused with “Ox”.

What Is It: The Great Auk is similar to a penguin: flightless and helpless. Why aren’t the penguins extinct, too? They live in Antarctica. People haven’t gone there in great numbers. The Auk, by contrast, lived on islands used by sailors as a pantry for restocking supplies, like bird meat. Antarctica isn’t somewhere people regularly frequent for the same purpose. It’s inconvenient, and inconvenience to humans may have saved the penguin.

Extinction: Whether Dodo, Great Auk, or Wooly Mammoth, the end was the same—extinction. Extinction due to a cataclysmic collision of unfortunate events. The animals had developed defenses ideal for the specific geographic ecosystem in which they lived.  Suddenly their bubbles popped. The conditions changed. Their serene world careened into the 19th century, and they lost. They lost because of an inability to adapt.

We Adapt: Humans are different. We don’t adapt to suit our environment. We adapt our environment to suit ourselves. This is our axiom. Now, whether this application of adaptation is a moral one, is not the purpose of this discussion.

Change to Survive: Situations and environments change. Those who most nimbly adapt will survive. The others will not. For a case study, look at Sears. They OWNED the mail-order business. Then came Jeff Bezos in his tiny garage selling books—over the internet. No threat there. Until it was one. It was too late for Sears. Sears SHOULD HAVE owned the online mail-order business. The same way they owned the magazine mail-order world. Like the Great Auk, they failed to recognize a threat. With their ineffective wings and clunky feet, Sears bumbled into the 21st century, failing to adapt quickly when the environment changed.

The Trouble of Inconvenience: For Sears to change its business model would have been inconvenient. People don’t like inconvenience. We develop a bubble of comfortable systems and familiar procedures. We actively reject anything that may disrupt the playful bubble of familiarity.

Hard for the Bad Guys: As defenders of our world, we can use this natural human aversion to personal inconvenience to our advantage. If we make it sufficiently inconvenient for a cyber-criminal to successfully attack us, it may demotivate them and cause them to seek a softer target.

Contact CyberEye – They Know: Unfortunately, this article doesn’t provide the space to list everything you can do to introduce inconvenience into your cyber defense plan. Feel free to contact the Cyber Guys from CyberEye for details.

Recognize the Threat: Both the 19th century Great Auk and the 20th century Great Sears didn’t recognize the threat early enough. At best, the Great Auk could have changed breeding sites to a less convenient location, decreasing the frequency of human interaction. Sears could have bought Amazon’s business model for a few thousand dollars and adapted to it.

Make Adjustments: In 2021, if your business survives the tragedy of COVID, the most likely cause for failure will be a lack of flexibility in your business processes. There is a cyclone of cyber-criminal activity on the near horizon. There are threats we’ve never even considered about to drop anchor just offshore.  Sadly, change is the axiom of the cyber-threat landscape.

The Saga of the Stolen Stingray

Protect It: I imagine one day I’ll own a 1970 Corvette Stingray. It will have its own garage. I’ll lock the garage doors when I’m not using it to make sure it’s safe. I’ll put an alarm on the building—to be sure. And I WON’T leave the keys in it!

Hijacked: A few months ago, my mother-in-law told me her email “broke.” For a few days, she hadn’t received any emails in her Outlook Client. So, I took a peek at her Cox webmail. I found a message stating the account was locked, due to suspicious activity. After a couple hours with tech support, we were able to get in. We found the account had been sending hundreds of spam emails every day. A criminal had hijacked her mail.

Recently I read a blog post in Dentaltown from a dentist victimized like this. His email account had become an unwitting offender. How did this happen to them? Will it happen to you? How can you prevent it?

Credential Stuffing: These email accounts fell victim to what we call a “credential stuffing attack.” It’s often performed by software known as “bots.” See, websites should be storing your username/password pairs (AKA “credentials”) in an encrypted database, but they often don’t. It’s like storing a 1970 Corvette Stingray in your garage (keys in the switch), and then leaving the door wide open. You’d never do that, but websites do—all the time!

Darkweb Dump: Criminals break into those websites and scoop out your credentials. Then, those same criminals dump your credentials on the darkweb. Other crooks snag these breached credentials from Amazon-like darkweb marketplaces. They then code their bots with lists of credentials, including yours. Finally, the bot logs into your email account.

Picture this:  You use your Gmail address as the username to log into scrapbook.com. Then, you use the same password for scrapbook.com that you use for your Gmail account. A criminal breaks into scrapbook.com. If the database isn’t encrypted (the doors were left open), the thieves steal your credentials. In essence, the criminal drove away in your beloved Stingray! It happened because you used the same key for every door you own: Your house, your Stingray garage, your business office, your mailbox…  You get my point? Worst of all, you left a copy of the key taped to the front door of your house, right in plain sight.
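The bot behaviour described here and in “The Stuffing Will Make You Sick” above leaves a recognisable footprint on the login side: one source trying many different usernames, each only once or twice, with most attempts failing. Below is an added illustration (not code from the original articles) of how a defender can spot that pattern in a login log; the log format, the IP addresses, the usernames, and the thresholds are all constructed for the example.

```python
"""Spot credential-stuffing bursts in a simple login log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed, constructed log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one stuffing source (many users, few tries each, one hit),
# one password-guessing source (one user, many tries), one normal user.
SAMPLE_LOG = """\
2021-03-04T10:00:01Z ip=203.0.113.7 user=u01@example.com result=FAIL
2021-03-04T10:00:02Z ip=203.0.113.7 user=u02@example.com result=FAIL
2021-03-04T10:00:03Z ip=203.0.113.7 user=u03@example.com result=FAIL
2021-03-04T10:00:04Z ip=203.0.113.7 user=grandma@example.com result=OK
2021-03-04T10:00:05Z ip=203.0.113.7 user=u05@example.com result=FAIL
2021-03-04T10:00:06Z ip=203.0.113.7 user=u06@example.com result=FAIL
2021-03-04T10:00:07Z ip=203.0.113.7 user=u07@example.com result=FAIL
2021-03-04T10:00:08Z ip=203.0.113.7 user=u08@example.com result=FAIL
2021-03-04T10:05:00Z ip=198.51.100.9 user=bob@example.com result=FAIL
2021-03-04T10:05:01Z ip=198.51.100.9 user=bob@example.com result=FAIL
2021-03-04T10:05:02Z ip=198.51.100.9 user=bob@example.com result=FAIL
2021-03-04T10:05:03Z ip=198.51.100.9 user=bob@example.com result=FAIL
2021-03-04T10:05:04Z ip=198.51.100.9 user=bob@example.com result=FAIL
2021-03-04T10:05:05Z ip=198.51.100.9 user=bob@example.com result=FAIL
2021-03-04T10:05:06Z ip=198.51.100.9 user=bob@example.com result=FAIL
2021-03-04T10:05:07Z ip=198.51.100.9 user=bob@example.com result=FAIL
2021-03-04T10:09:00Z ip=192.0.2.5 user=alice@example.com result=FAIL
2021-03-04T10:09:10Z ip=192.0.2.5 user=alice@example.com result=OK
2021-03-04T11:30:00Z ip=192.0.2.5 user=alice@example.com result=OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in OK


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group attempts by source address, skipping malformed lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def classify(stats, min_attempts=8, min_users=5, min_fail_ratio=0.7):
    """Label noisy sources: many distinct users = stuffing, one user = guessing."""
    verdicts = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.failures / s.attempts < min_fail_ratio:
            continue  # too little traffic, or mostly successful: leave it alone
        if len(s.users) >= min_users:
            verdicts[ip] = "credential_stuffing"
        elif len(s.users) == 1:
            verdicts[ip] = "password_guessing"
    return verdicts


def compromised_accounts(stats, verdicts):
    """Accounts that accepted a login from a source flagged as credential stuffing."""
    hits = set()
    for ip, verdict in verdicts.items():
        if verdict == "credential_stuffing":
            hits |= stats[ip].successes
    return sorted(hits)


if __name__ == "__main__":
    st = aggregate(SAMPLE_LOG.splitlines())
    vd = classify(st)
    print(vd)                              # which sources look automated
    print(compromised_accounts(st, vd))    # whose reused password just worked
```

The accounts returned by `compromised_accounts` are the ones whose password should be reset and checked for reuse on other sites; the thresholds are starting points and should be tuned to the normal login volume of the system being watched.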

Unique Passwords: We often recommend in these articles that you make sure to use unique passwords for the bucketload of websites you log into. Certain sites are more critical, for example, your email account, as well as your bank account and other accounts containing your financial information. Use a password manager like Bitwarden. If you use a long, unique passphrase instead of a short password, and you use a different passphrase for each site you visit, then you reduce the chance of becoming a credential stuffing victim.

Your BlueTooth Is Showing

Is Your Bluetooth On?: I’ll bet the Bluetooth on your phone is enabled right now. How you can tell: when you get in the car and it automatically switches to the hands-free option. This is how most people operate. It’s convenient.

What Is It?: So, what is Bluetooth? It’s like Wi-Fi but for short distances, and it’s built into nearly every smartphone. On an iPhone you use it to AirDrop files to your friends. It connects to your wireless earbuds so you can listen to Sgt. Pepper’s Lonely Hearts Club Band. It can also be used to steal files off your phone without your knowledge.

Snarfing: I’m referring to the attack tactic called Bluesnarfing. This attack exploits a weakness in some mobile phone Bluetooth implementations, and it provides unauthorized access to the personal information stored on your phone.

How It Works: Here’s the scenario. You are attending an event outdoors and properly observing the government-recommended social distance of six feet. Maybe you’re at the grocery store or one of the few remaining restaurants in town that still allow sit-down dining (like Dickies over by Food City). Someone sits six feet away from you. They then create a Bluetooth connection to your smartphone and capture the data stored on it. All without your notice or consent!

Exposure: Why is this important to you? This attack can expose your emails, contact lists, and text messages. Literally anything you store on your phone. Do you have a photo of your driver’s license or social security card in there? Anything else you don’t want to become public?

What Risks?: Maybe you think the risk isn’t very high. I mean, how important are you really? In a way, this is conceptually similar to ransomware attacks. Your data is held for ransom. If an attacker gets access to any sensitive data on your phone, they can simply email you anonymously and request a few Bitcoin to have the data deleted. In case you were wondering, at the time of this writing, Bitcoin traded for $11,345.96 per coin. So yes, it’s worth the effort for someone to steal your data.

Please Stop It: Now you may be wondering how you can stop this attack, or if it’s even worth it to try. I mean, are you really at risk? Mitigation is easy. Turn off the Bluetooth when you are in public places. It takes almost no effort on your part. As for risk: do you have sensitive data on your phone?

What Bugs You?: Now that I have your attention: Bluesnarfing isn’t the only thing that should terrify you. The really scary one is Bluebugging. Bluebugging allows an attacker to have COMPLETE control over your phone. If your phone is Bluebugged, an attacker can make and receive calls over your phone, AND eavesdrop on YOUR phone calls.

Opportunity: Some of this may have sounded like scenes from Mission Impossible, but Bluesnarfing and Bluebugging aren’t make-believe.  And you don’t need to be Ethan Hunt to become a target. As with Ransomware, sometimes all a cyber-criminal needs is an opportunity. Leaving your Bluetooth on all the time is convenient for sure. For both you AND the criminal.

Rise of the Cyber Lamb Chops

Sock Puppet Fame: In the 1950s, a ventriloquist named Shari Lewis put a sock on her hand and became famous. Lewis created the persona of a 6-year-old sheep, named “Lamb Chop,” that spoke the punch-line to her jokes. A sockpuppet helped her rise to fame with a very popular 1990s children’s program. Fame and fortune from a sock!

Cyber Sockpuppets: Social media today has thousands of sockpuppets. No, Lamb Chop hasn’t taken over. A sockpuppet is a phony online identity using “real” accounts for the purpose of deception. Originally, this term referred to people who responded to their own blog posts, or authors who applauded their own books, while criticizing their competition. Nowadays, sockpuppets are used for a wide range of objectives. They are used to shower praise on a person or organization or to antagonize them; they are used to manipulate public opinion, to circumvent restrictions and suspensions, or get others banned from web sites. For instance, Utah Senator Mitt Romney acknowledged operating a secret Twitter account, “Pierre Delecto,” in order to defend himself against criticism — his sockpuppet.

Impact: The impact of sockpuppets would be marginal, except for the fact that nation-states create armies of sockpuppet bots to divide people and dispense misinformation. A single operative may monitor hundreds of sockpuppets, and an organization may use hundreds or thousands of operatives. The bot may simply “re-tweet,” “like,” or “re-post” a divisive headline or comment. 

The Difference: While a human Twitter user may post a few times a day, a bot may tweet hundreds of times per day, all day, on a specific topic. One study by USC analyzed election-related tweets sent in September and October 2016 and found that 1 in 5 were sent by an automated sockpuppet. Some social media platforms have developed software to identify and block bots, so puppeteers have developed something called Cyborgs. These Cyborg accounts mix human subtleties with the 24/7 work ethic of a bot. These are much harder to identify.

U of A: Awareness of threats is a step in the right direction. Michelle Menninger, a student in the University of Arizona’s Cyber Operations program recently made this comment to me,

“Technology opens up an entire world to my kids that could easily destroy their innocence. Being in the Cyber program gives me the opportunity to speak openly with them about the dangers of technology and allows me to be in control of it, instead of letting technology control us.”

Nation States Involved: Nation-state actors use technology to attack the U.S. and spread misinformation in order to destabilize our republic. An article on Wired calls the Russian campaign of disinformation “Active Measures” (https://www.wired.com/story/a-guide-to-russias-high-tech-tool-box-for-subverting-us-democracy/). Their objective is to get Americans to argue about an issue – any issue, as long as it’s divisive. These sockpuppets may appear as someone trusted in your community to draw you into the fray and make you think there is an actual human behind an idea or a movement. They spread lies or half-lies, innuendos, and fake news. They are looking to degrade civil discussion of a given topic and inflame opposing views. For these actors, a divided America is much less of a threat than a united one. 

Be Alert: We are all susceptible to these propaganda campaigns on social media. With all the re-posting and re-tweeting, sometimes it is hard to find the origin of a comment. However, awareness that a sockpuppet army, whose intent is to manipulate public opinion, is out there may provide some protection from taking the bait.

So, the next time you are on social media responding to a post that got your blood boiling, keep in mind that you may be arguing with “Lamb Chop.”