Serious Ransomware: Colonial Pipeline

Last Friday, Colonial Pipeline, the operator of the largest petroleum pipeline between Texas and New Jersey, was struck with ransomware. Today, U.S. gasoline prices are the highest since 2016 and pumps are empty on the east coast; a direct consequence of the hack.

If you have followed my posts on ransomware and cybersecurity in general, you know that I rant on the dangerous condition of industrial cybersecurity in the U.S. Maybe Cassandras like me will get some attention now that disregard for cybersecurity has slugged the average taxpayer in the wallet.

When the Space Force was established, I didn’t sleep any sounder, but I know my nights will be better when U.S. cyber defense policies are as coherently and vigorously executed as our conventional defenses.

Colonial Pipeline

Colonial says they will be back in operation by the end of the week. We will see. The average ransomware recovery time is over 15 days, which predicts another week of disruption. Time to recover depends on a number of things. The size of the enterprise matters; the more complex and extended the system, the longer it takes to bring the system back. Recovery also depends on how prepared Colonial’s IT team is for a ransomware attack. I notice the Dow is dropping today, probably due to gas shortage jitters, which suggests that the smart guys on Wall Street are not confident of a quick recovery from Colonial.

Colonial is big and complex. It is not clear whether Colonial’s pipeline supervisory control and data acquisition (SCADA) was penetrated by the hack, but the pipeline was forced to shut down, which suggests the attack went beyond the usual accounting and HR systems.

Here in Whatcom County, we had some experience with a pipeline SCADA failure in 1999 when 200,000 gallons of gasoline flowed into Whatcom Creek and caught fire. A fisherman and two boys playing along the creek died. Property damage was at least $45 million. The direct cause was accidental damage to the pipe from excavation years earlier, but National Transportation Board investigation concluded that the spill could have been prevented if the SCADA had functioned properly. There were clues that the SCADA system had been hacked, but not enough evidence to be certain. (I discuss SCADA vulnerabilities in some detail in my book, Personal Cybersecurity.)

DarkSide

The FBI reports that the attack came from a Russian group called DarkSide. The group is not known to be directly affiliated with the Russian government, but the government turns a blind eye to DarkSide attacks on non-Russian interests. Effectively, DarkSide operates like a 18th century privateer on the high seas marauding foreign shipping with royal protection. The DarkSide group offers ransomware software for use by others. Who else may be involved has not been reported.

Who’s to blame?

Blaming Colonial for the breach may come easy. My personal experience with industrial cybersecurity is not good. Industries with high fences and tight physical security, like energy corporations, are often dismissive of cybersecurity threats, preferring to rely on their raw physical defenses. Colonial may be the exception, but I’m reminded of the recent SolarWinds hack that was the result of a totally avoidable bonehead password mistake. If something similar emerges, Colonial’s IT department will be roasted on a spit.

Nevertheless, I am sympathetic. Colonial Pipeline and many other ransomware victims are being attacked with the aid of a foreign government. Of course they bear some responsibility for their own security, but when a foreign government attacks, they should reasonably expect that government resources will lead the defense.

If a refinery were threatened by incoming ballistic missiles from North Korea, we would look to the Department of Defense to deflect the attack. We would see the missiles as an attack on our nation. Would anyone fault a corporation for building a refinery without an anti-missile defense system? They would be in trouble if they tried!

When the Space Force was established, I didn’t sleep any sounder, but I know my nights will be better when U.S. cyber defense policies are as coherently and vigorously executed as our conventional defenses. Today, responsibility for cyber defense is divided between the Department of Defense, Homeland Security, and other agencies, including the National Institute of Standards and Technology (NIST) in the Department of Commerce.

How we lose

This is the way to lose. Ransomware is just one manifestation of the ways in which nations are attacking on the cyber front. North Korea steals cash. China steals intellectual property on covid-19. Russia disrupts pipelines. These are existential threats. A disconnected defense is suicide by disorganization.

Detecting Bogus Email

I’ve noticed from the flood of complaints in the news, on social media, and talking to friends, that dangerous email is worse than ever. The pandemic has shifted the bad hackers into high gear. I can help stem the flood.

I don’t have a special talent, only a suspicious character and a bit of technical knowledge.

I may be struck down for this hubris, but I’ve never been tricked by a bogus email, even though I’ve sent and received email almost from the day it was invented. I don’t have a special talent, only a suspicious character and a bit of technical knowledge. I’ve evolved some robust techniques for weeding out the bad emails.

I’m not talking about spam. Spam is unrequested commercial email, which is annoying, but not vicious. I’ll even admit that a few times, I’ve welcomed a spam message that brought me something new. The stuff I’m concerned with today is fraudulent and malicious email that is intended to do harm rather than legitimately sell a product or service you don’t want.

These emails are often called “phishing,” a term that is a little too cute for a farm boy who shoveled chicken droppings every Saturday morning until he left the farm for college.

Email is convenient. I remember when we had only a few choices for communicating: go to see the person, call them on the telephone, or send them a letter. Each method was useful, charming, and pestilential at times, sometimes all at once. I gripe about my overflowing email inbox but clicking away the chaff is a lark compared to a line up at my desk or a phone ringing constantly. Writing letters was, and still is, an art, but it’s called snail mail for a reason. As annoying as it can be, and handy as Slack and other messaging style services are, email is still a communications workhorse.

Mail, telephone, and in-person fraud, harassment, and other scatter-shot deviltry abounded long before email. The worst of us never tire of devising new mischief to soil other peoples’ lives, but the rest of us have developed instincts, habits, customs, and laws that civilize our lives and tamp down the shenanigans that plague us.

Here, I’ll explain how I keep up with the email crooks.

However, instincts, habits, customs, and laws have not kept up with electronic innovation. Here, I’ll explain how I keep up with the email crooks.

I have a series of steps I go through with email. I divide the process into three phases: suspicion, confirmation, and reaction.

Suspicion

Do I expect this email? Do I know the sender?

If it’s Tuesday and I always get an email from my friend Peter on Tuesday, I feel safe reading it. Actually, at least half of my inbox is expected email from known senders. Faking a phone call or handwritten letter is more difficult than faking an email because voices and handwriting are laden with familiar clues to identity, but faking an email from a friend, outside of spy fiction, is still extremely difficult. Trust your intuition, it’s more powerful than you may think. If something feels off, check it out.

However, intuition breaks down as relationships get more remote, especially in impersonal business email, but you have a great advantage: criminals are seldom as fastidious as legitimate email users. They’re in it for easy money and they usually don’t care about the impression they make or attracting return customers.

As a consequence, they don’t pay proofreaders and formatting professionals to ensure that their emails are perfect. Few businesses will send out emails with misspellings or sloppy formatting, but criminals often do. At best, they will copy an existing piece of legitimate email and make a few changes. If you spot misspellings, grammatical errors, misalignment of type, uneven borders, colors that are not quite right, be suspicious.

Why was this email sent? What’s its point? Does the sender want me to do something? Is there money
involved?

Always be suspicious of any transaction you did not initiate. People and businesses are like slugs. They almost always react to stimulus from their friends and customers, but they seldom reach out unless they have something new to sell to you. Whenever there is money involved, be certain you understand exactly what the transaction is and why you are engaged in it.

Confirmation

If suspicion has set off alarm bells, check it out.

Uniform resource identifiers

Every savvy computer user should know a little about the Uniform Resource Identifiers, or URLs. Although URI is technically correct, everyone calls them URLs (Uniform Resource Locators.) Computing and network engineers have been evolving and improving the concept for over thirty years. They are a formal way of unambiguously naming almost anything and a key to computer based communication.

We are all familiar with them, whether we realize it or not. We all know web addresses like https://example.com. And email addresses like mailto://marv@marvinwaschke.com . Librarians know ISBN (International Standard Book Numbers). Even telephone numbers are now examples of naming systems that follow the URL standard.

Well. That’s fine for engineers and librarians, but what about ordinary users? Why should they know about URLs? Because knowing what a legitimate URL looks like often makes a fraud stand out like a black eye.

In another post, I’ve detailed reading URLs. Check out how here.

Recent hacker tricks

Lately, I’ve noticed that hackers have gotten very fancy with the characters in their URLs. I could indulge in a technical discussion of fonts versus character sets at this point, but I will simply say, look carefully at the characters in URLs. If I see an accent, squiggle, superscript, or an extra curlicue anywhere, I assume I am under criminal attack. Legitimate URLs and text avoid this. Hackers love it.

Circle back

Legitimate businesses have no problem confirming their enquiries. For example, if you get a question about your account with XYZ company, call their publicly listed number— not the one a hacker gives you— and ask for an explanation. You may be bounced from desk to desk and have to wait on hold, but eventually you will get an answer. Either a confirmation of a legitimate issue, or a statement that you can ignore the bogus email.

If XYZ is a company I would continue to deal with, the answer will be prompt, courteous, and helpful. If the process is difficult or the responses are impolite, I would look for an alternate for my future business. However, I always wade through to the end before accepting a hack. Personally, I will tolerate drek to deal with a situation, but I will take steps to avoid future drek.

Reaction

Two main routes can be used to report cybercrimes. I use both.

I am stubborn. I won’t knuckle under to cybercrime. When I am subjected to cyber assault, I report it and do my best to stop it. Frankly, with the state of cyber crime laws and enforcement, I don’t expect to see immediate results. I seldom anticipate that the criminal who assaulted me or my equipment will be punished, but I want to see cyber laws and enforcement strengthened. I hope international organizations will be formed or strengthened to punish or neutralize off-shore criminals. Nothing will change if crimes go unreported.

Two main routes can be used to report cybercrimes. I use both.

You can report crimes to law enforcement. I went into the details of reporting to local and federal law enforcement here. The Federal Trade Commission has a site for reporting identity theft and aids in recovery. They also have a site for reporting fraud.

Another way to report cybercrime is to report it to the organization that is affected. For example, if I received an email about Microsoft Office from m1crosoft.com (notice the “one” instead of an “i”), I would forward the message to phish@office365.microsoft.com . Many companies, especially tech-oriented companies, have facilities for reporting fraudulent emails. I use Google to find the proper procedure. American Express, as another example, requests fraudulent mail be forwarded to spoof@americanexpress.com.

Tedious, but worth it.

Our local, state, and federal governments and these companies all want to shut down the criminals. But they can’t unless we refuse to tolerate this form of crime and report it. Tedious, but worth it.

Two Factor Authentication

Two factor or multi-factor authentication makes computing more secure. You’ve probably seen it already and you will see more of it. I highly recommend it, with some caveats. I remain skeptical of biometric authentication. Facial, fingerprint, and retina recognition are all convenient, but they also have issues that are not ironed out yet. No matter how optimistic the sensor makers’ marketing, faces, prints, and retinas can’t be replaced when they are compromised, and there are reports of gruesome compromisations. Multi-factor authentication adds extra steps to authentication, but there is no question that additional factors increase security.

What is multi-factor authentication?

As the name suggests, multi-factor authentication requires the authenticity to be established in multiple ways. The user name and password authentication that has been used for decades uses a single piece of evidence to prove you are who you claim to be: knowledge of the correct password. Two-factor authentication adds another piece of evidence. The second piece of evidence could be a second password, but all passwords are vulnerable in the same ways, so it is better to use more than one kind of evidence.

Security specialists often talk about three types of evidence of authenticity: what you know, what you have, and what you are. A password is something you know that no one else does. A physical key is an object that only you have. Your fingerprints, your facial appearance, your retinal pattern, and your DNA are examples of something you are.

An example

Physical safes commonly use single factor authentication, sometimes multi-factor authentication. Most single factor safes have combination locks. To enter a single factor safe, you simply enter the correct sequence of numbers. If you write the sequence down, someone could find the paper; or someone could look over your shoulder and watch you dial the combination. Whoever finds the paper or watches you has access to the safe. Sneaking in is a challenge, but by no means impossible.

Bank vaults frequently have two combinations each known to a single bank officer. To open the vault, both officers must dial in their combination. One officer may be incautious or a fraudster, but the double combination prevents a single officer from getting in without a witness.

We have a safe in our home that requires both a combination and a key. I know the combination, but without the key, I can’t get in. If thieves were to successfully snatch the combination, they would still have to find the key. Often, even I can’t find the key, so they’ll have a job to get into our safe. In this way, our two-factor, key and combination safe is an annoyance, but more secure than a single-factor combination-only safe.

Multi-factor user authentication

Typical two-factor authentication uses a password and something else. One common method uses a text message sent to your phone containing a four to eight-character token. After correctly entering your password you must enter the token that is automatically sent to your phone when you enter the correct password. In other words, you must both know your password and have your phone to get into the account. Another variation is to email a token. In that case, you must both know your password and have access to your email account. These methods are harder for criminals to deal with than a simple password.

Flaws in message-based authentication

These methods are good, as long as access to your email account or phone is secure. However, email is just another account to secure, which would be better done with multi-factor authentication. To do that, you would have to have another secure email account. At a certain point, the complexity becomes unbearable.

Cellphone issues

The cellphone method also has problems with phone numbers and SIM cards. Phone numbers are assigned to SIM cards. Usually, when you buy a new phone, the you move your SIM card and your phone number, contacts, and other information moves with you. However, the service providers can reassign phone numbers to a new SIM, say when your phone is lost or destroyed, or you get a new phone that is not compatible with your old SIM.

The ever considerate and conciliating providers can easily transfer your phone number to a new SIM. They hesitate to hassle a customer too much when numbers are reassigned and they do not press a requesting customer for too much identification and verification, which means that criminals with a handful of information can get your phone number transferred to their own phone. To make matters worse, cell carrier employees are not guaranteed to be honest: they might be bribed or they may be criminals themselves. As a result, criminals have found it fairly easy to get phone numbers reassigned without the owner’s consent.

Once your phone number has been transferred, the criminal can use it to gain access to your accounts, change passwords, run up bills, and drain your bank.

The cellular providers have not been forthcoming on how often this happens, but anecdotal evidence says the practice is on the rise. There are a few things to do to protect yourself. If your provider offers a PIN for changes to your account, take it. Most important, when your number changes, you will get a notification on your phone and it will no longer work. Call your provider as quick as you can when you get a notice. Criminals can wreak havoc in minutes with a stolen phone number.

A stronger method

A better alternative is to use another authentication factor that does not depend on sending a token to you. This can take several forms, but they all involve a small application that runs on a device in your possession that produces tokens. When the application is set up, your authenticator and the application exchange information that syncs the application with the authenticator. One method provides tokens that change with the date and time. If you can’t supply the unique time-based token from the app that corresponds to your account, access is denied. Another implementation relies on a private key held on the device. An elegant implementation places the token generator in a USB device similar to a thumb drive. Plug the “key” in, authenticate, and the USB device supplies the correct token. These methods do not rely on communication after the initial setup. Neither WiFi or a cellular connection to the key device is necessary.

I noted with approval in this article in the Washington Post, that the federal government will soon require two-factor authentication for administrators of all government web sites. The method chosen by the feds is better than relying upon calling or messaging the phone. They are using Google Authenticator, which runs on an Android or Apple phone.

These methods are more secure, but not all multi-factor sites accept tokens from all authenticator apps, so you may not be able to use your choice on all accounts.

There’s a podcast on Lawfare explaining Google’s approach to advanced security that is informative.

How Computers Work

I will be teaching a new class at the Ferndale Public Library on Saturday, September 22, 2-3pm. My grandson Christopher and I made ourselves available for an hour every two weeks to help people with their computing questions and problems last year, taking the summer off. We found out a lot about the kinds of difficulties folks have with computers.

As an engineer, I can’t work with anything unless I know how it works. Many people know how to use a computer, more or less, but they don’t know how it works—what’s happening inside those desktops, laptops, tablets, and phones. In the Saturday class, I’ll be talking about how it all works. When you understand how computers work, using them becomes easier for a lot of folks. Computers have tremendous power, and many limitations. Asking them to do things that are not possible or extremely difficult, causes frustration, and often, users don’t know what is easy and what is hard. In this class, I’ll try to lay the groundwork for understanding, rather than simply pushing the buttons on computers.

Putting the class together has been a challenge. I plan to explain digital computing in ways that I haven’t seen outside a few engineering classes. I hope the presentation will be clearer, easier to understand, and more revealing than anything I have read or seen for beginners. Christopher is a teenager who used computers from preschool, I wrote my first program in 1967. Between the two of us, we cover a lot of territory.

Christopher and I will also be back on every 1st and 3rd Wednesday at the Ferndale Public Library from 3p to 4p, starting Wednesday, September 5. Last year, we handled questions on email, setting up a Linux development environment, and folks who may have been hacked. We’re excited to see what will be bothering folks this year. We’re ready for anything… I hope.