Serious Ransomware: Colonial Pipeline

Last Friday, Colonial Pipeline, the operator of the largest petroleum pipeline between Texas and New Jersey, was struck with ransomware. Today, U.S. gasoline prices are the highest since 2016 and pumps are empty on the east coast, a direct consequence of the hack.

If you have followed my posts on ransomware and cybersecurity in general, you know that I rant on the dangerous condition of industrial cybersecurity in the U.S. Maybe Cassandras like me will get some attention now that disregard for cybersecurity has slugged the average taxpayer in the wallet.

When the Space Force was established, I didn’t sleep any sounder, but I know my nights will be better when U.S. cyber defense policies are as coherently and vigorously executed as our conventional defenses.

Colonial Pipeline

Colonial says they will be back in operation by the end of the week. We will see. The average ransomware recovery time is over 15 days, which predicts another week of disruption. Time to recover depends on a number of things. The size of the enterprise matters; the more complex and extended the system, the longer it takes to bring the system back. Recovery also depends on how prepared Colonial’s IT team is for a ransomware attack. I notice the Dow is dropping today, probably due to gas shortage jitters, which suggests that the smart guys on Wall Street are not confident of a quick recovery by Colonial.

Colonial is big and complex. It is not clear whether Colonial’s pipeline supervisory control and data acquisition (SCADA) was penetrated by the hack, but the pipeline was forced to shut down, which suggests the attack went beyond the usual accounting and HR systems.

Here in Whatcom County, we had some experience with a pipeline SCADA failure in 1999 when 200,000 gallons of gasoline flowed into Whatcom Creek and caught fire. A fisherman and two boys playing along the creek died. Property damage was at least $45 million. The direct cause was accidental damage to the pipe from excavation years earlier, but National Transportation Board investigation concluded that the spill could have been prevented if the SCADA had functioned properly. There were clues that the SCADA system had been hacked, but not enough evidence to be certain. (I discuss SCADA vulnerabilities in some detail in my book, Personal Cybersecurity.)

DarkSide

The FBI reports that the attack came from a Russian group called DarkSide. The group is not known to be directly affiliated with the Russian government, but the government turns a blind eye to DarkSide attacks on non-Russian interests. Effectively, DarkSide operates like an 18th-century privateer on the high seas, marauding foreign shipping with royal protection. The DarkSide group offers ransomware software for use by others. Who else may be involved has not been reported.

Who’s to blame?

Blaming Colonial for the breach may come easy. My personal experience with industrial cybersecurity is not good. Industries with high fences and tight physical security, like energy corporations, are often dismissive of cybersecurity threats, preferring to rely on their raw physical defenses. Colonial may be the exception, but I’m reminded of the recent SolarWinds hack that was the result of a totally avoidable bonehead password mistake. If something similar emerges, Colonial’s IT department will be roasted on a spit.

Nevertheless, I am sympathetic. Colonial Pipeline and many other ransomware victims are being attacked with the aid of a foreign government. Of course they bear some responsibility for their own security, but when a foreign government attacks, they should reasonably expect that government resources will lead the defense.

If a refinery were threatened by incoming ballistic missiles from North Korea, we would look to the Department of Defense to deflect the attack. We would see the missiles as an attack on our nation. Would anyone fault a corporation for building a refinery without an anti-missile defense system? They would be in trouble if they tried!

Today, responsibility for cyber defense is divided between the Department of Defense, Homeland Security, and other agencies, including the National Institute of Standards and Technology (NIST) in the Department of Commerce.

How we lose

This is the way to lose. Ransomware is just one manifestation of the ways in which nations are attacking on the cyber front. North Korea steals cash. China steals intellectual property on COVID-19. Russia disrupts pipelines. These are existential threats. A disconnected defense is suicide by disorganization.

Home Network Setup: Smart Kitchen Crisis

You may call it a smart kitchen. I call it a home network setup disaster: four hackable Linux computers installed and configured by kitchen appliance designers who are, at best, inexperienced in computer security. And I am ashamed to admit I didn’t put them through a security audit before we chose them. We wanted a convenient and efficient kitchen; I knew full well that my security worries would not have a voice in any decision.


Last week, Rebecca and I went shopping for new kitchen appliances: a refrigerator, range, hood, and microwave. We are not much attracted by network-connected kitchen appliance features—I suppose we’re old-fashioned in our cooking habits—but the appliances we chose all have Wi-Fi.

We had no choice. Appliances that are not networked are scarce in 2020. You either accept that your kitchen will be networked, or you shop for used appliances. Since replacing one set of used appliances with another set of used appliances was not on our agenda, we have four Internet of Things (IoT) devices scheduled for delivery.

IoT device security

Now, I am forced to think seriously about securing the home network setup of our kitchen against cyber-attack. Forty years ago, when the industry began to hook computers together with TCP/IP and Ethernet, I would never have guessed that home kitchen security would become a topic in 2020.

Why am I worried? I am not as frantic as my well-known colleague, Bruce Schneier, who wrote a popular book about the Internet of Things called Click Here to Kill Everybody, but I share his concerns. Most IoT devices are full-fledged multi-purpose computers: as powerful, versatile, and hackable as the workstations of only a few years ago.

The computer in our new three-speed range hood is more powerful than the coveted Sun SPARC that sat on my desk at Boeing Computer Services in the 90s. The computer in that range hood is also subject to almost any hack reported in the news over the last decade. Ransomware has shown up on a coffeemaker, of all places.

IoT botnets

To top it off, some security professionals expect large IoT botnets will be used in attempts to disrupt the U.S. national election next month by scrambling voter registration or bringing down vote tallying software.

A botnet is a collection of compromised computers under the central control of a botmaster who orchestrates the hacked devices. Thus, botnets are huge covert supercomputers that execute crimes like sending out waves of spam or jamming websites with meaningless traffic. Before the IoT, criminal gangs grabbed control of personal computers and enrolled them in botnets by tricking users into fiddling with fake email or installing bogus doctored applications. It’s easier now.

IoT devices have simplified criminal botnet recruiting. Some of these devices are so poorly secured, criminals can scan the network for vulnerable targets, then take over using default accounts and pathetically weak default passwords. In this way, enormous IoT botnets can be formed quickly with automated scripts.

Users don’t notice that their IoT devices have been invaded because they seldom interact directly with the device. We might never notice that our sleek new smart refrigerator has become a robot thug at the beck and call of a foreign national in a dacha overlooking the Volga river.

The IoT is growing uncontrollably

Log on to your home network router and look at the list of connected devices. I imagine our list is longer than most because my home office is practically a development lab with an assortment of Windows 10 laptops and desktops and a Linux tower I use as a server. Both Rebecca and I have two smart phones each (one for phone calls, another without a cellular card for fun), and we also have several tablets distributed in various rooms. We also have smart TVs, Amazon Fire Sticks, and Alexas.

Every time I look at the router’s device list, it has grown longer. What used to be a cute two-line list of his and hers computers has become a configuration management database worthy of a fair-sized business. In the old days, I could glance at the list and know instantly that some bright neighbor kid was filching bandwidth. Now, puzzling it out is a job in itself. When our new appliances are installed, I imagine making sense of the network will get more difficult.

Home network setup crisis

Frankly, I’ve reached a home network management crisis. I no longer feel in control. I’m not sure I will know if I’ve been hacked.

This must change.

Fortunately for me, I’ve helped large enterprises manage their networks for a long time. My quiver has some razor sharp arrows. I can figure this out. No three-speed range hood will bring down our network.

I’ll keep you posted. In the meantime, basic computer hygiene will have to do. Check out the six rules. They go a long way toward keeping you safe.

Fall 2020: Ransomware Still Hurts

I was at cruising altitude over the mid-west the first and only time I watched ransomware bite a victim. I had tried not to listen as the lady sitting next to me placed a call using the old-style in-flight cell phone mounted on the bulkhead in front of us. I used to fight for those delightful 737 bulkhead seats with a few inches extra leg room. Later, she asked me if I knew what to do about the blue screen on her laptop. I would have told her not to make the call if she had asked me earlier. A full-screen message in fixedsys hardware font instructed her to call a 900 number to fix her laptop. She said she had been charged a hundred dollars for the call and she gave them her credit card number. Clearly exasperated, she still couldn’t use her laptop.

Oh boy, I thought. This person is in for trouble.

That must have been over twenty years ago. Ransomware attacks have become more frequent and vicious in 2020. IT departments are more familiar with ransomware and better at recovery, but the attacks are still nasty: the cost of each attack on U.S. businesses averaged over three-quarters of a million dollars. I suspect that figure is under-reported, because cyber-insurance often pays up on ransom demands, but insurers don’t like to reveal that they are easy targets. Despite the costs, close to 95% of victims get their data back. The majority restored their data from backups, but over a quarter paid the ransom. See the Sophos 2020 ransomware report.

Attacks on federal, state, and local government have increased, and voting places are subject to disruption through ransomware. There are hints that this increase is driven by cyberattacks from hostile countries, but there is also big money in hacking, so don’t discount greed as a motivation.

What Is Ransomware?

Ransomware is a malicious attack on a device that disables the device and extracts some form of payment from the device owner to return the device to normal. As hacks go, ransomware is a relatively simple way for unorganized hackers to extract money from computer networks. Unlike the case of the lady on the plane, hackers usually encrypt critical data and demand payment for decrypting it. Ransomware has encrypted hospital data files and caused at least one death. Payment is usually in the form of cryptocurrency, which is harder to trace than common credit card payments and cash transfers, but not impossible.

Ransomware’s starting point is usually social engineering in the form of a phishing expedition: email that tricks users into installing malicious code. The sudden transition to working from home this year has increased confusion at work, particularly around IT, which is a gift to hackers. Unfamiliar work equipment and routines have made tricking users into unwise clicks easier. Fake invoices and made-up court cases are favorite phishing tackle for luring in unsuspecting victims.

These days, who can resist a friend’s urging to click on a tear-jerking web site or a friendly IT guy asking for your password? Make sure the person asking is your friend, not a masquerading criminal, and be extremely cautious about giving out credentials like passwords. Make anyone who asks for them explain exactly why they need them, and don’t be shy about making phone calls for verification.

Good News for Individuals

I have not seen reports that ransomware attacks on individuals have increased, perhaps because hacking businesses, healthcare facilities, and government is more lucrative. IBM reports a shift toward deep-pocketed large corporations as targets, especially manufacturing, which is perceived as more sensitive to downtime.

Still, I haven’t heaved any sighs of relief: DIY ransomware kits are easy to buy and require little expertise to deploy, which encourages amateurs to try their hand at terrorizing their friends and neighbors, and the pandemic has made keeping your cool under attack more difficult.

Protect Yourself

Your most effective protection from infection is not to get infected. To protect yourself follow elementary computer hygiene:

Elementary Computer Hygiene
  • Beware of social engineering
  • Use strong passwords
  • Download and install with caution
  • Patch operating systems and applications
  • Avoid dodgy sites
  • Scan regularly for malware

For more explanation of elementary computer hygiene, see Six Rules for Online Security.

Windows Defender Anti-Ransomware

The Windows 10 anti-ransomware facility is excellent in theory, but can be annoying in practice.

Ransomware protection is buried in Settings under “Update and Security.” Choose “Windows Security” from the menu on the left, then click “Virus & threat protection.” A new window pops up. You may have to scroll down to see “Ransomware protection.” Click “Manage ransomware protection.” Turn the “Controlled folder access” switch on.

With “Controlled folder access” on, Windows 10 blocks unrecognized programs from accessing files in a set of critical directories (folders). In theory, this will prevent ransomware from touching your treasured data and documents. How well this will work in practice depends on how well your use of your computer corresponds to Microsoft’s notion of typical usage. If you install lots of applications and add folders for yourself outside the norm, you may have to change the lists of protected folders and permitted programs.

If your computing life is pure vanilla, or you continually adjust controlled folder access to match your usage of the system as that usage changes, this is excellent protection; exactly what a good IT department does to protect corporate assets. But if you don’t take the trouble to keep the system properly configured, it will drive you up a wall.
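The same settings can be driven from an elevated PowerShell prompt, which is the practical way to keep up with the protected-folder and permitted-program lists as your usage changes. This is an added example, not code from the original post; it uses the Defender cmdlets that ship with Windows 10, the folder and program paths are placeholders, and it starts in audit mode so you can see what would be blocked before turning enforcement on.

```powershell
# Added example (not from the original post): manage Windows 10
# Controlled folder access from PowerShell instead of the Settings app.
# Run from an elevated prompt; all folder/program paths are placeholders.

#Requires -RunAsAdministrator

# Step 1: audit mode. Nothing is blocked yet; Defender only logs what it
# WOULD have blocked, so programs and folders outside Microsoft's defaults
# show up before they can interrupt your work.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Step 2: protect the places where your own irreplaceable material lives,
# in addition to the default Documents/Pictures/Videos/Desktop set.
$myFolders = @(
    'D:\Projects',       # placeholder: source code, writing
    'D:\FamilyPhotos'    # placeholder: photos, videos, recordings
)
Add-MpPreference -ControlledFolderAccessProtectedFolders $myFolders

# Step 3: after a few days of normal use, review the audit trail.
# Event 1124 = access that audit mode would have blocked,
# event 1123 = access actually blocked once enforcement is on.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

# Each message names the program and the protected folder it touched;
# anything legitimate here is a candidate for the allowed-application list.
$events | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, Message | Format-List

# Step 4: permit a program you trust that appeared in the audit log
# (placeholder path; allow only specific executables, never whole folders).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Tools\MyBackup\backup.exe'

# Step 5: switch from auditing to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Step 6: confirm the resulting configuration.
# EnableControlledFolderAccess reports 0 = Disabled, 1 = Enabled, 2 = AuditMode.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Repeat steps 3 and 4 whenever a new application starts tripping the feature; the event log tells you exactly which program and folder were involved, so you are adjusting the lists from evidence rather than guesswork.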

I use Windows ransomware protection and like it. However, the fact is, an individual who follows basic computer hygiene is not likely to suffer a ransomware attack, and the effort of keeping this facility configured may not be worth the trouble. Protected folders decrease your risk, but not as much as basic hygiene.

When You Are Attacked

If you are invaded by ransomware, backups are your best assurance of successful recovery from an attack, but they must also be protected. Cloud storage, such as Dropbox, Microsoft OneDrive, or Google Drive, helps, but is not absolutely foolproof. Smart hackers encrypt your backup copies as well as your originals. This is why simply copying your files to another disk drive on your desktop is not adequate protection. Secured cloud backups are much safer. An external disk drive that you switch off or disconnect when not in use is not convenient, but ransomware can’t get to a disconnected or powered-down drive.

A vulnerable file contains anything that will cause you distress if lost. Oddly, if you bought the content, you probably don’t have to worry much about backing it up. You can almost always get a replacement copy, but material you created yourself, paid someone to create for you, or were given as a gift is often hard or impossible to recreate. Photos, videos, and sound recordings are in this category.

Don’t fall into the trap of blind faith in your backups. Your enemies are broken media and backup programs that don’t copy everything you value. Test them periodically. Make sure they are actually backing up your critical files. A business with valuable assets at stake should rehearse restoration. But they seldom do.

Phones, Tablets, and Apple

Personally, I don’t worry about ransomware on my phone because I don’t keep much data there. If I am ever hit with ransomware on my phone, I plan to do a hard factory reset, restore my contacts and stored photos from the cloud and go on my way. Whether you need to worry about ransomware attacks on your tablets depends on how you use them. I have two Microsoft Surface tablets that I use much like laptops. I protect them as if they were a laptop or a desktop.

I am not a heavy Apple user or an expert, but Apple devices have no special protection against ransomware, although the Apple “walled garden” enforces basic hygiene somewhat better than Windows, so they may be a bit less susceptible.

Final Word

Elementary computer hygiene is the secret to avoiding ransomware and a host of other computer problems. I never knew the outcome of the episode with the woman sitting next to me, but her first mistake was ignoring hygiene rule one: she was socially engineered into making that phone call.

Ransomware: You Don’t Have To Pay!

On Monday, 3/28/16, what appears to be a ransomware attack forced a hospital operating in Maryland and Washington, D.C. to shut down its network. Ransomware attacks on hospitals have been increasing. Attacks on individuals are also on the rise.

Ransomware is the most direct route from a victim’s wallet to a hacker’s pocket. The hacker infects a computer, tablet, or phone with malware that makes a threat and demands a ransom. Extortion. Pure, simple, and lucrative. Ransomware has extorted hundreds of millions of dollars from innocent victims during the last few years. Despite some notable busts, the number of assaults has increased each year for several years.

The Course of an Assault

An assault follows a predictable course. The initial infection comes from executing an attachment from a malicious phony email, or clicking a web site that is a drive-by infector. Then comes the threat and demand—the choke and puke, as it is called. The victim is ordered to pay, usually in bitcoins.

Threats

Sometimes the threat is idle. The victim might click on a dodgy site that promises salacious celebrity photos. Shortly thereafter a realistic image pops up that looks like it came from the FBI, the county prosecutor, or whoever. The pop-up accuses the victim of downloading something illegal. Send money and the charges will be dropped. Another variant pops up a message saying that the victim’s computer is infected with a deadly virus. Buy this expensive software to clean it up or suffer the consequences. In most cases, threats like these are entirely bogus. A good anti-virus scan will probably take care of the infection.

File Encryption Threats

There is another type of ransomware that is a more serious threat. These infections disable the victim’s computer by encrypting the victim’s files. The encryption is strong and nearly impossible to decrypt without the key, which the hackers will gladly supply, for a ransom, usually between three hundred and eight hundred dollars for an individual. Businesses are hit for larger ransoms.

These criminals are ruthless and heartless. Lately, hospitals have become a favored target, no doubt because the threat to patients ups the urgency. A hospital in the Los Angeles area recently paid out $17,000 to get their files back. Around a dozen other hospitals have been hit.

Solutions

This threat is so effective that, on at least one occasion, the FBI recommended paying the ransom, but you don’t have to fall victim to these file encryption attacks.

First, follow basic cyber hygiene. Don’t open email attachments unless you are absolutely certain the email is from a trusted source. Don’t visit dodgy web sites. Use an anti-virus and run scans regularly. Keep your system and anti-virus up to date. These steps will protect you from infection in most cases.

If your defenses don’t protect you, a good backup will still keep your data safe. What makes a good backup? It must be kept current, either by frequent runs or continuous backup. Most ransomware will encrypt any drive that is accessible to the infected computer, so your backup must not be connected directly. The easiest way to do this is with a reputable cloud backup service, not a cloud storage service. Cloud storage services, such as Dropbox or OneDrive, will not provide a full restore. They can help, but a regular backup is more likely to completely restore your system.

Using backups, Methodist Hospital in Kentucky was able to recover from a ransomware attack that put the hospital into an internal state of emergency for four days. They did not pay the demanded ransom.

In a Pig’s Eye

If you have a reliable backup, when the ransom demand appears, raise your right hand in a fist and shout out “in a pig’s eye,” completely reinstall your OS to get rid of the malware, restore your data files from your backup, and return to normal. You might not need to completely reinstall, but reinstalling is a sure way to remove all malware. You will have to update and patch the system. That will probably be automatic, but you should check.