Friday Five 10/15
Giving security keys to at-risk users, a summit to stop ransomware, and financial losses from cyberattacks pile up - catch up on the infosec news of the week with the Friday Five!
1. Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site by Lorenzo Franceschi-Bicchierai
A story to file under "You can't be serious." A report via VICE's Motherboard recaps news from St. Louis, where a reporter has drawn the ire of the state's Governor Mike Parson after merely clicking "view source" on a website. The reporter, Josh Renaud, did that on a website run by the state's Department of Elementary and Secondary Education and discovered a slew of unprotected social security numbers belonging to employees, teachers and administrators. Renaud's story is worth reading for some added context - the data, 100,000 SSNs in total, was removed on Tuesday after Renaud informed the department - but the real kicker came Thursday. That's when the Missouri Governor confusingly called Renaud a hacker and threatened criminal prosecution. It remains to be seen how this will play out, but it certainly isn’t a great look for the state; it wouldn’t be the first time a politician has misunderstood the term “hacking,” however.
2. A Telegram Bot Told Iranian Hackers When They Got a Hit by Brian Barrett
Much has been written about the problems with Telegram. It's had issues with its less than robust encryption but has also become a haven for COVID vaccine scams and antisemitism. It’s heavily trafficked by cybercriminals as well. We learned more about that this week in a WIRED story that pulled back the curtain on a hacking campaign carried out by the Iranian APT group APT35. The campaign relies on Telegram to notify the group when someone stumbles upon one of its phishing pages. Once a user lands on the page, details including their IP address, location, device, browser, and so on are shipped off to the group, information that can greatly help them glean more information on a potential victim. While it's not rocket science, the trick can certainly help the group better zero in on their target. As Ajax Bash, a researcher with Google, told WIRED: “This helps them better engage with the target via follow-up emails because they'll know the email reached the target, was opened, read, and link clicked.”
3. Tech giants encouraging adoption of hardware-based auth keys by Bradley Barth
This news is technically from last week but this report, via SC Media, came out Wednesday: A positive, feel-good story from Google that the company is working to supply 10,000 at-risk users - think human rights activists, journalists, political campaign workers and even elected officials - with physical security keys to help keep them from getting hacked. Anyone can buy Google's security keys - speaking from experience, the Titan ones are easy to use and helpful to users seeking an added layer of security. That Google is being proactive at distributing the keys for free makes for good press but it also helps to boost public awareness around key-based 2FA. We learned this summer just how low adoption rates of 2FA are. Twitter said in a transparency report in July that just a tiny fraction of its active users, 2.3%, had a form of two-factor authentication enabled between July and December last year. Google isn’t alone in trying to ring the 2FA bell; Amazon and Microsoft are pushing similar efforts. While it won't be fast, their moves take us one step further to a world where we're less reliant on passwords.
Google Titan Security Key image via Tony Webster's Flickr photostream, Creative Commons
4. More than 30 countries outline efforts to stop ransomware after White House virtual summit by Jonathan Greig
If you're looking for any major takeaways from this week's ransomware summit, led by the United States, you might be a little let down. The meeting sounds as if it was productive - 30+ countries attended - and they found common ground, agreeing that steps need to be taken to mitigate the growing threat. In a joint statement the countries said that ransomware is an "escalating global security threat with serious economic and security consequences" and that to help mitigate it, countries should collaborate further with law enforcement and implement policies to reflect the growing threat. One area the countries agreed needs their attention - and one that seems as if it can do the biggest damage - is disrupting ransomware groups' means of funding. "Taking action to disrupt the ransomware business model requires concerted efforts to address illicit finance risks posed by all value transfer systems, including virtual assets, the primary instrument criminals use for ransomware payments and subsequent money laundering."
5. Biz Interruption, Recovery Costs Drive Financial Losses From Cyber Attacks: Report by L.S. Howard
We've seen plenty of reports over the last year that recap just how much the COVID-19 pandemic has contributed to cyberattacks. The latest, via Allianz Global Corporate & Specialty (AGCS), looks at cyber-related claims over the past six years and shows a large spike last year, with many claims spilling over into 1H 2021. According to Allianz, it has received more than 500 cyber claims so far this year, among them 60 relating to ransomware. That's already equal to the total number of claims it received in 2019. Some further findings:
- The average total cost of recovery and downtime – on average 23 days – from a ransomware attack more than doubled over the past year, increasing from $761,106 to $1.85 million in 2021.
- Losses resulting from external incidents, such as distributed denial of service (DDoS) attacks and ransomware campaigns, account for the majority of the value of cyber claims (81%) analyzed by AGCS over the past six years.