Lessons Learned from the CISA Red Team Hack 

Dmitri’s fingers flew over the keyboard as he searched for a way into the network at Metropolitan Utilities, the biggest electricity provider in the tri-state area. Using a password he had retrieved from the dark web, he connected to an employee computer, then moved silently through the network, scanning for a machine with better privileges. Through it, he hoped to reach the systems controlling the power grid. He called over his shoulder, “Natalya, I need a little help. Would you build me a fake login webpage that matches theirs? If I send it to all the company’s staff, I might trick an administrator into handing over their username and password.”

His partner nodded and emailed a link to the entire IT department under the pretext that there was a failed login attempt that needed investigating. Jason, a junior-level administrator, took the bait. What followed was a chain of events culminating in the effective barring of all administrators from the power grid. 

 “Bingo,” said Dmitri under his breath.  

And at this point the exercise concluded. “Red team! Red team!” laughed Natalya as Dmitri contacted the blue team, a.k.a. the IT and cybersecurity department of Metropolitan Utilities.

Here is your problem . . . 

Three weeks before, the department had contracted Dmitri and Natalya’s cyber company to run a red team test on the network. Red teaming is a simulated cyberattack conducted by a group of ethical “white-hat” hackers. They use real-world attacker techniques to breach an organization and expose the gaps that would keep it from detecting and stopping a genuine intruder. In this case, the red team’s victory was the result of several basic security mistakes.

The US government has classified electrical, natural gas, water distribution and several other industries as “critical infrastructure”: infrastructure vital to the survival of the nation. Attacks on such industries can be particularly damaging. Recently, the United States Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment resembling the fictitious example above at the request of a real-world critical infrastructure organization. No details about this organization were disclosed beyond the type of infrastructure: a utility company.

The red team was able to breeze through the company’s computers at blinding speed. During the simulated attack the organization did actually discover the presence of the red team, but it lacked the layered protections we call “Defense in Depth” that would have allowed a prompter response. Instead, it relied on endpoint security software that had no visibility into network traffic, so the red team’s movement from machine to machine was hard to see. Furthermore, its staff lacked appropriate network-protection training, which should be provided to every employee in small, frequent bites.

The company had previously contracted with third-party providers for red team exercises, and its leaders had been made aware of these vulnerabilities. But leadership deprioritized fixing them, miscalculating both the likelihood that the weaknesses would be used against them one day and the potential impact if they were. Nothing had been done.

CISA had several key recommendations, which included regular software updates and clean-up of what is no longer needed, as well as the use of multi-factor authentication (MFA) and segmented networks. MFA just means requiring more than a password to log in. Authenticator apps like Duo and Microsoft Authenticator are designed for this; simpler but weaker methods, such as a code sent by text or email, also count. Segmented networks are fairly self-explanatory. Consider the way a house is partitioned with walls: a network engineer can do the same to your network using firewalls, switches and routers, or through firewall software installed on each computer (which is how your Cochise County Cyber Guys do it). The point is that a foothold on one employee’s computer should not be a foothold on the systems that run the grid.

Lastly, CISA recommended a shift from legacy system and network architecture to a modern Zero-Trust architecture. Zero-Trust, in the context of computers and networks, is something akin to home security. Every door is locked by default, and only close friends and family are let in, after being recognized at that door rather than waved through because they are already inside the house. This is called “Deny by Default, Allow by Exception.”
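To make “Deny by Default, Allow by Exception” concrete, here is a small policy check written as an added example for this column (it is not CISA’s code or any product’s); the resource names, groups and zones are made up to fit the Metropolitan Utilities story. A request reaches the grid control screen only if an explicit rule matches every attribute of the request: who is asking, whether their device is managed, how strong their second factor is, and which network segment they are coming from. Anything without a matching rule is refused, including a request from a real administrator whose stolen password is all the attacker has.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group memberships from the identity provider
    device_managed: bool     # does the device pass posture checks?
    mfa: str                 # strongest factor presented: none, sms, app, hardware
    zone: str                # where the request originates: internet, corp, ot
    resource: str


@dataclass(frozen=True)
class AllowRule:
    resource: str
    group: str
    min_mfa: str
    managed_only: bool
    zones: frozenset


MFA_STRENGTH = {"none": 0, "sms": 1, "app": 2, "hardware": 3}

# Hypothetical policy for the story's utility (constructed for this example):
# the grid control HMI is reachable only by SCADA admins on a managed device,
# with app-or-better MFA, from the OT segment. Email is looser. Anything not
# listed here is simply not reachable by anyone.
RULES = (
    AllowRule("grid-hmi", "scada-admins", "app", True, frozenset({"ot"})),
    AllowRule("email", "staff", "sms", False, frozenset({"corp", "internet"})),
)


def authorize(req: Request, rules=RULES) -> tuple[bool, str]:
    """Deny by default, allow by exception: a request succeeds only if some rule
    matches it on every attribute. There is no 'already inside' shortcut."""
    for r in rules:
        if r.resource != req.resource or r.group not in req.groups:
            continue
        if MFA_STRENGTH[req.mfa] < MFA_STRENGTH[r.min_mfa]:
            continue
        if r.managed_only and not req.device_managed:
            continue
        if req.zone not in r.zones:
            continue
        return True, f"allowed: {req.user} -> {req.resource} via rule for {r.group}"
    return False, f"denied: {req.user} -> {req.resource} (no matching allow rule)"


if __name__ == "__main__":
    admin = frozenset({"staff", "scada-admins"})
    # Jason's phished password alone, from the internet, on an unmanaged machine
    print(authorize(Request("jason", admin, False, "none", "internet", "grid-hmi")))
    # Jason at his managed OT workstation with an authenticator-app code
    print(authorize(Request("jason", admin, True, "app", "ot", "grid-hmi")))
```

Run against the story: Jason with his password alone is denied; the same Jason on a managed workstation in the OT segment with an app code is allowed; a resource nobody wrote a rule for is unreachable by everyone. A real deployment takes these attributes from the identity provider and the device-management system rather than from a dataclass, and a phishing page that relays codes in real time can still defeat app-based MFA, which is why the strongest tier here is hardware.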

If you’re a business owner and want to understand how to implement Zero-Trust in your organization, contact the Cyber Guys below. The threat is real, and it is growing. Fortunately, it is also preventable. In the case of Metropolitan Utilities, its first “attackers” had no malicious intent. Provided the blue team heeds Dmitri’s advice, they’ll be prepared in the event that a true black-hat team tries to take down the grid. Are our local utility companies up for the challenge? 

SS7 SMS Attacks, a Throwback to the Phreaking of the 70s 

This article will be hard for you to read. Not in the way all my other articles are hard to read. This one will be emotionally hard. And let me give you the call to action right now (in the government we call it the Bottom Line Up Front (BLUF)).  

The BLUF is this. You will need to do two things. First, log into all your bank accounts, other financial accounts, and your email accounts. Turn on multi-factor authentication and make sure you ARE NOT using SMS (text message) for delivery of the one-time passcode. Second, if you are in a relationship where you do not trust your partner, either reset your phone to factory settings or dispose of the phone and buy a new one. Then ensure they NEVER have access to your phone unlocked. Ever.

Now, the reason for all this. The technical parts that follow are necessarily grossly oversimplified. In 1975, the telecommunications industry developed a signaling protocol, in part to stop “phreaking.” Phreaking was a way to trick the telephone network into allowing long-distance calls for free by playing control tones down the voice line; the new protocol moved that control traffic onto a separate channel the caller could not reach. It was designed for a closed club of trusted phone companies, not to keep outsiders out, and it has never really been replaced. It still carries the signaling behind your cell phone’s calls and text messages. It’s called SS7. By abusing it, an attacker with access to the signaling network, access that researchers have repeatedly shown can be obtained through small or careless carriers, can intercept your phone connection from anywhere in the world and read your text messages and listen to your calls, without installing any malware. And you will never know.

So, if you use text messages (SMS) for that one-time passcode from your bank, all an attacker needs are your phone number, username, and password. They can render you penniless. Your financial accounts and your email accounts are probably the most important part of your digital life. Treat their logins with the utmost care.

That’s the first part. The second is this. If you are now, or have ever been, in an abusive or otherwise untrustworthy relationship, what follows might sound familiar. Bob (names have been changed for privacy) met Jane, the girl of his dreams. He thought it was cute when Jane insisted that they share their phone PIN codes. The cuteness ended there. Eventually Jane began to insist on more and more control over Bob’s life, without reciprocating. One day Bob found that all the contacts in his phone had been deleted. All the female contacts. And Jane had changed her PIN.

It’s just a PIN code, and you don’t have anything to hide, you think at first. But this sweet new addition to your life may have a dark side. This adorable partner could (with as little as $175) install spyware on your phone, or buy a phone for you with the spyware already installed. The spyware literally gives them access to everything, including both cameras and the microphone.

People make a huge fuss over the need to keep Social Security Numbers (SSN) private. But did you ever think the secrecy of your phone number would be more important than your SSN? When it comes to your phone number, in the words of Gandalf, “Keep it secret. Keep it safe.” Fortunately, unlike your SSN, you can get a new phone number. 

In addition to factory resetting the phone and setting up non-SMS MFA for your online accounts, you should SERIOUSLY consider using the Signal app for all your communications. Against the SS7 attack it helps by end-to-end encrypting voice and video calls and text messages, so an eavesdropper on the phone network sees only scrambled data. One caveat: Signal ties your account to your phone number and confirms it with an SMS code when you register, so turn on its Registration Lock PIN; otherwise someone who can intercept your texts could register your number on their own device.

There are many more details. I’m more than happy to chat about it if you want to email me. Just no phone calls.  

Six ways to harden your digital profile 

“Kevin” was very careful. He flossed daily, washed his hands often, wore deodorant, and never ate at McDonald’s. He always came to a complete stop, separated his recyclables, ate more veggies than meat, and turned off the lights when he left the room. He also used a credit card responsibly, always paying it off every month. He had another card he used rarely and paid off just as quickly so his debt-to-credit ratio would benefit his credit score.

One day Kevin’s 12-year-old clunker broke down for the last time. He needed a new car. The excitement was actually kind of cool. He researched the options and decided to go for sporty rather than practical this time. The test drive was thrilling. The smell of “new car” instead of “old tube socks filled with fries and candy” was a surprise. A welcome one. But right around the corner was another surprise. A very unwelcome one. Kevin’s credit score. Even though Kevin was ultra responsible in other areas of life, he was not used to checking his credit records regularly. He wasn’t even aware this was a thing. Someone had stolen his identity – and ruined it. 

I have bad news. There is a very high probability your personal information (not just your name and address) is on the dark web. Your social security number, your birth date, your address. Most of what an online criminal will need to steal your identity.  I mention this because 2.9 billion records were recently hacked from National Public Data consisting of these items.   

You’re probably so tired of hearing this. You might even think, “what’s the use?” While this news is dire, it is actually worse than you think. With the exposed personal data (like your SSN) combined with other information easily accessible on social media profiles, a criminal can build a detailed profile of a victim. Armed with that data, the criminal can convince your carrier to port your cell phone number to a phone they control, intercept the one-time code your bank sends by text, and wipe out your life savings. They can drain other investment accounts, open new lines of credit, purchase property on credit, etc. Anything you can do with your personal information, a criminal can do just as easily.

This will take some time, but not much: you can significantly strengthen your digital life in under two hours. While this is not intended to be a technical tutorial, and we cannot give legal advice here, you can do the following:

  1. Use a password manager like Bitwarden.
  2. Enable two-factor authentication on all your critical accounts (banking, investment, email, social media, cell phone provider), preferring an authenticator app over text-message codes.
  3. Create a free login and freeze your credit file at each of Experian, Equifax, and TransUnion.
  4. Use good credential hygiene, as we have always advocated here.
  5. Remember, if you get an email, text message or phone call asking you to unfreeze your credit and you didn’t initiate it, it’s probably a scam.
  6. If you receive a contact you did not initiate AND the person claims you are in trouble in any way AND it makes you feel anxious AT ALL, it’s probably a scam. Stop the communication and contact the purported organization using a known-good number.

Moving forward the world is going to be less trustworthy. You need to adopt a posture of zero trust. Be suspicious of everyone and everything. It could save you. 

The original article was posted to the Sierra Vista Herald and can be found here.

Locals At Risk Due to Data Breaches – How to Protect Yourselves 

A data breach first reported in 2021 could be affecting readers today. On the dark web, a hacker known as ShinyHunters has been attempting to sell the personal data of 73 million people who were customers of AT&T. After initially denying the data was theirs, AT&T confirmed that it appears to be from 2019 or earlier and affects approximately 7.6 million current AT&T account holders and 65.4 million former account holders. The data includes names, addresses and phone numbers and, for some, even Social Security numbers (SSNs) and birth dates. Additionally, the security passcodes for the 7.6 million current accounts were also leaked. If you were a DirecTV customer, your data may be included. The subscriber base at the end of 2019 was almost 202 million, so this appears to be a partial data dump.

At this point you may be thinking, “Big deal, that was five years ago. What use could that information be to hackers?” Good question. There is a treasure trove of data in it that hackers can use against you. First, hackers could get into your current account if your security passcode has not changed since then. AT&T is aware of this and is reaching out to those customers. Hackers can also use phishing and other social engineering techniques while claiming to be AT&T support. If you get an email or SMS text from someone claiming to be an AT&T representative, we recommend that you go “out of band” instead of replying or clicking the link: go to AT&T’s website that you know is valid and contact them through the methods provided there.

One of the biggest dangers of this breach is the stolen SSN and birth date information. Along with your name and address, that lets hackers apply for credit cards in your name and run up debt in your name. The same details answer the identity questions a bank’s customer support asks, so a hacker can pose as you and push through fraudulent transactions and transfers. Using your SSN, a hacker can pull your credit reports and then apply for a loan for themselves in your name. There’s more, but you get the point.

Vigilance is the best option. We recommend setting up multi-factor authentication on every account that offers it. Your bank and your credit cards definitely have this available. It is a little more work to access your account, but more than worth the effort. Most accounts use only a username and password for access. Multi-factor authentication adds a second method to verify that the user is authorized. This may come in the form of a code sent via email or text, or a code from an application like Duo or Microsoft Authenticator; the app is the stronger choice, because a code sent by text can be intercepted or redirected by someone who ports your phone number. Monitor your credit card and bank accounts regularly. Report suspicious activity right away. Consider using credit monitoring services.
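To show why an authenticator app is not exposed to the text-message problem described here (and in the SS7 column above), this added example, written for this page rather than taken from Duo, Microsoft or any bank, implements the open HOTP and TOTP algorithms (RFC 4226 and RFC 6238) those apps use. The code is computed on the phone and on the bank’s server from a shared seed and the clock; no code is ever sent over the carrier network, so there is nothing for an SS7 eavesdropper or a SIM-swapper to intercept. The values checked below are the published test vectors from the RFCs (seed “12345678901234567890”).

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate,
    and reduce modulo 10**digits. Nothing here ever travels over the phone network."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    to absorb clock drift, and compares in constant time to avoid timing leaks."""
    for k in range(-window, window + 1):
        expected = totp(secret, unix_time + k * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def enroll() -> tuple[bytes, str]:
    """Generate a fresh 160-bit seed and the base32 form an authenticator app
    reads from the enrollment QR code. The seed is the only secret; it is shared
    once, at enrollment, and never transmitted again."""
    seed = secrets.token_bytes(20)
    return seed, base64.b32encode(seed).decode("ascii")


if __name__ == "__main__":
    seed, b32 = enroll()
    now = int(time.time())
    code = totp(seed, now)
    print("seed (base32, as carried in the QR code):", b32)
    print("current code:", code, "verifies:", verify_totp(seed, code, now))
```

The server stores the seed per user (encrypted at rest) and rejects a code that has already been accepted for the same time step, so a shoulder-surfed code cannot be replayed. The drift window is a trade-off: one step either side is common; a wider window gives an attacker more valid codes per moment.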

Of course, good cyber hygiene with your passwords is always recommended. Do NOT reuse the same password on multiple sites; that makes it very simple for hackers to try a password stolen from one site on your other accounts. If your information was part of a breach, change your passwords. To see if your email address has been involved in a breach, visit https://haveibeenpwned.com and enter your email address. It returns a list of the breaches the account was involved in.
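The same site also lets you check whether a password itself appears in known breaches, and the way it does so is worth seeing because you never send the password or even its full hash. This added example (written for this column, not HIBP’s own client code) hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and matches the remaining 35 characters locally against the returned list. The online function uses the real endpoint; the offline stand-in and its match counts are constructed for illustration and are not HIBP data, apart from the first suffix, which is the real SHA-1 remainder of the string “password”.

```python
import hashlib
import urllib.request
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password and split into the 5-hex-char prefix that is sent and
    the 35-char suffix that never leaves this machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """The range endpoint returns lines of the form SUFFIX:COUNT, one per breached
    hash sharing the prefix. Padded responses also contain ':0' filler lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times this password has appeared in breaches (0 = not found).
    Only the prefix is handed to fetch_range; matching happens locally."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Live lookup. 'Add-Padding' asks the service to pad the reply so its size
    does not reveal how many matches the prefix bucket really holds."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "cyber-guys-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service. Counts are made up, not HIBP data;
# the second suffix is the genuine SHA-1 remainder of "password".
SAMPLE_RANGE_BODY = "\n".join([
    "1E2DE1A3A4D3B4E5F6A7B8C9D0E1F2A3B4C:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "1E5" + "0" * 32 + ":0",
]) + "\n"


def fetch_range_offline(prefix: str) -> str:
    """Stand-in that only knows the bucket for the prefix of 'password'."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple xK9!"):
        n = breach_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {n} time(s) in the constructed sample")
```

Swap `fetch_range_offline` for `fetch_range_online` to query the real service; a password manager that offers a breach check is doing exactly this on your behalf.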

If the AT&T hack is too old to concern you, Circle K was hacked in January of this year. Loyalty data and partial credit card information were revealed.

Don’t think that you are not a big enough target. Hackers go for the low-hanging fruit; if a target is too easy to pass up, they won’t pass it up. The old adage, “an ounce of prevention is worth a pound of cure,” rings very true in the cyber world.

You can view the original article from the Sierra Vista Herald here.