
SolarWinds Hack: What Vladimir Putin Wants Every Business To Ignore

Summary of the SolarWinds Hack

Russian state-backed hackers inserted a backdoor into a software update for SolarWinds Orion, a network-management product used across government agencies, Fortune 500 companies and many cloud providers; the same campaign also reached some victims through other vendors' software. Once installed, the backdoored update potentially gives Russia an all-access pass into the data of breached organizations and their customers.

Immediate Steps to Protect Your Network

I would recommend having a conversation with your IT provider or security team about the following items, as much for future attacks as for the SolarWinds hack:

  • After reading through this summary, take a deeper dive into this WSJ white-paper: The SolarWinds Hack – What Businesses Need to Know
  • For small businesses, it is important that you check with any cloud software providers to make sure they have resolved any problems with affected software.
  • Patch all instances of SolarWinds network management software and all network management, security and operational software in your environment.
  • Make sure your security team tracks the latest indicators of compromise and fixes for the Orion backdoor (named SUNBURST by the researchers who found it) and for the build-system implant that planted it (SUNSPOT).
  • Segment your network so that systems holding your most confidential data are isolated from less sensitive ones, and limit what management tools such as Orion can reach, since a compromised management server can see everything it monitors.
  • Review the permissions of every category of user, including the service accounts that management and security software run under, and remove any access that isn’t needed.
  • Make sure employees know the proper procedures for connecting remotely to your network. Verify that they aren’t using a free personal VPN to connect.
  • If you utilize Microsoft products, keep up to date with their Investigation Updates.
  • If there is a chance you have been affected, have a full security audit done of your network.

Details of the SolarWinds Hack

At the worst possible time, a contentious presidential transition and a global pandemic, dozens of federal agencies, among them the Departments of Defense, Treasury and Commerce, were breached by a cyber-espionage campaign attributed to the Russian foreign-intelligence service (SVR). The SVR is also linked to hacks on government agencies during the Obama Administration.

Senator Angus King said Putin “doesn’t have the resources to compete with us using conventional weapons, but he can hire about 8,000 hackers for the price of one jet fighter.”

In addition to the theft of internal communications, the operation exposed thousands of government and corporate networks to potential risk. The hackers got in through a malicious software update to a product from SolarWinds Inc., a U.S. network-management company: unsuspecting customers downloaded a corrupted version of the software with a hidden back door, which let the hackers work from “inside the house”. SolarWinds has more than 300,000 customers world-wide, including 425 of the U.S. Fortune 500, and has said that fewer than 18,000 of them installed the tainted update. Its customers include the Secret Service, the Defense Department, the Federal Reserve, Microsoft, Lockheed Martin Corp., PricewaterhouseCoopers LLP and the National Security Agency, though being a customer does not by itself mean an organization was breached. (Note: it has since emerged that SolarWinds was not the only software the attackers used to get in.)

A SolarWinds spokesperson said the company knew of a vulnerability related to updates of its Orion network-management software and that the hack was the result of a highly sophisticated, targeted and manual supply-chain attack by a nation state. The FireEye breach, which is how the campaign came to light, was part of the same operation: not a broad attack on many systems at once, but a stealthy, patiently conducted campaign that required “meticulous planning and manual interaction.”

SolarWinds Hack was a Supply Chain Attack

Supply-chain attacks reflect a trend in which attackers look for a weakness in a product or service that many companies share. Once the product is backdoored, the compromise rides the vendor’s own update channel into dozens or even hundreds of customer networks before anyone detects it, and because the update arrives signed by the vendor, the usual checks pass. Many companies have strengthened their own cyber-protections, but they do not scrutinize the software their suppliers deliver. That matters because corporations typically have dozens of software suppliers: in the banking industry the average number of direct software suppliers is 83, and in IT services it is 55.
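To make the supply-chain point concrete, here is an added example (not code from SolarWinds, FireEye or the original post) that models why a valid vendor signature proves nothing once the vendor’s build server is compromised, and the second check a customer can add. Everything in it is hypothetical: the “compiler” is a deterministic function of the source, the vendor signs with HMAC-SHA256 as a stand-in for a real asymmetric code-signing key, the sample “source” is constructed, and the customer is assumed to be able to rebuild the published source (or fetch a hash manifest) through a path the build server does not control.

```python
"""Added example: vendor signature alone vs. signature plus independent hash.

The compromised-server path models a build-system implant swapping the source
just before compilation; the release pipeline then signs the result as usual,
so the signature is valid even though the artifact is backdoored.
"""
import hashlib
import hmac

# Assumption: this key lives on the vendor's build/signing server. Whoever
# controls that server can sign anything with it.
VENDOR_SIGNING_KEY = b"hypothetical-vendor-signing-key"

# Constructed sample "source": what the vendor meant to ship, and the same
# source with a beacon call inserted by the implant.
CLEAN_SOURCE = b"class BusinessLayer { void Run() { DoWork(); } }"
BACKDOORED_SOURCE = b"class BusinessLayer { void Run() { DoWork(); Beacon(); } }"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compile_artifact(source: bytes) -> bytes:
    """Stand-in for a reproducible build: same source always gives the same bytes."""
    return b"ARTIFACT-v1\n" + source


def vendor_sign(artifact: bytes) -> str:
    """Signature issued by the vendor's release pipeline (HMAC as a stand-in)."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(vendor_sign(artifact), signature)


def build_on_clean_server(source: bytes):
    artifact = compile_artifact(source)
    return artifact, vendor_sign(artifact)


def build_on_compromised_server(source: bytes):
    # The implant ignores the intended source and compiles the backdoored copy,
    # then the pipeline signs it exactly as it would a clean build.
    artifact = compile_artifact(BACKDOORED_SOURCE)
    return artifact, vendor_sign(artifact)


def independent_expected_hash(source: bytes) -> str:
    """Customer-side second path: rebuild the published source yourself (or take
    the hash from a manifest fetched out of band), never from the update itself."""
    return sha256_hex(compile_artifact(source))


def verify_update(artifact: bytes, signature: str, expected_hash: str) -> dict:
    actual = sha256_hex(artifact)
    return {
        "vendor_signature_ok": signature_valid(artifact, signature),
        "matches_independent_hash": hmac.compare_digest(actual, expected_hash),
        "sha256": actual,
    }


def triage(artifact: bytes, signature: str, expected_hash: str) -> str:
    """Decision a customer's update gate would make."""
    result = verify_update(artifact, signature, expected_hash)
    if not result["vendor_signature_ok"]:
        return "reject: bad vendor signature"
    if not result["matches_independent_hash"]:
        return "reject: signed but does not match independent build"
    return "accept"


if __name__ == "__main__":
    expected = independent_expected_hash(CLEAN_SOURCE)
    for label, builder in (("clean build", build_on_clean_server),
                           ("compromised build", build_on_compromised_server)):
        artifact, sig = builder(CLEAN_SOURCE)
        print(f"{label}: {triage(artifact, sig, expected)}")
```

The clean build passes both checks; the compromised build passes the vendor-signature check and is caught only by the independent hash. In practice the second path is a reproducible build, a hash list obtained over a different channel, or a second build environment the release server cannot write to; if the only source of the “expected” hash is the same download, the check is theatre.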

To understand the severity and the national-security stakes of this breach, think of it as a 10 on a scale of one to 10. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to immediately disconnect or power down SolarWinds Orion products. Chris Krebs, the top cybersecurity official at the Department of Homeland Security until his recent firing by Trump, stressed that any Orion user should assume it has been compromised. Other investigators say that merely uninstalling SolarWinds will not remove the threat, because the attackers used the Orion foothold to establish their own persistent access (stolen credentials, forged authentication tokens and new accounts) that survives removal of the product, and that recovery will be an uphill battle unlike any we have seen. While the hackers may not have gained complete control of every victim, experts broadly agree that it will take years to know for certain which networks the Russians control and which they merely occupy, and to be assured that foreign control has been removed, because they may be watching the remediation from the inside.


John Sileo is a cybersecurity expert, privacy advocate, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Data Integrity Attacks: How Cybercriminals Manipulate Rather Than Steal Your Info


You’re rushed to the hospital after a serious car accident. Doing her job, the admitting physician verifies your blood type before giving you a life-saving transfusion. But no one knows that the hospital’s medical records have been hacked: not stolen, but changed. Your record now shows a blood type that, if transfused, would likely kill or seriously harm you. Welcome to the age of data manipulation.

Manipulating data is the latest trend in cybercrime, and it’s on the rise. The most recent study by Ponemon Institute and Accenture warned that attacking data integrity is the “next frontier.” To understand how we got to this point, we need to look at the evolution of cybercrime over the past two decades and the variety of outcomes attackers pursue.

An approximate cybercrime timeline

Early on, cybercriminals mostly attacked availability, using malware to launch Denial of Service attacks that keep legitimate users from reaching a network, information or devices. Their motivation was twofold: to test their hacking tools for larger campaigns and to disrupt the business operations of predetermined targets.

Next, hackers expanded their exploits to steal data out of large databases — such as the Equifax breach that compromised the personal information of 143 million Americans — and sell it for a profit on the dark web. The cybercriminals’ primary motivation was good old fashioned greed. 

Simultaneously, cybercrime expanded into espionage, using malware and other methods to obtain secret files from U.S. defense contractors, including plans for the F-35 jet from Lockheed Martin. 

Then came cyberextortion, like when Sony Pictures was hacked just before it released the anti–Kim Jong-un movie, “The Interview.” At the time, the FBI said North Korea was responsible for the attack, but five years later questions about the perpetrators and motives remain, which just goes to show how hard it is to identify cybercriminals. 

On the heels of cyberextortion came disinformation and influence campaigns, like those used with Brexit and the 2016 U.S. presidential election. 

The point of this brief history lesson is to demonstrate how quickly sinister actors migrate time-tested tools of crime (fraud, extortion, disinformation, etc.) into cyberspace.

Data manipulation is mostly unique to cyberspace

Old-fashioned alteration of checks, IDs and airplane tickets aside, data manipulation is a crime that grew exponentially in cyberspace. Admiral Michael Rogers, former head of U.S. Cyber Command and the NSA, said his worst-case attack scenario would involve data manipulation “on a massive scale.”

Despite Rogers’ warning, the U.S. government continues to drag its feet on combating cybercrime, including data manipulation, which is now being discovered only after the fact by security teams. And I’m expecting that data alteration attacks will quickly become one of the most pernicious and undetectable threats for nation-states and corporations around the world. 

To expand on my previous example, it’s no longer just your blood type at risk. It’s the blood type, address and information on the family members of every soldier, spy and diplomat serving the United States. The potential to inflict great harm is enormous.  

Cybercrime is like a virus altering your DNA

Data manipulation is unique among cybercrimes because it’s not about taking the information — it’s about altering the data. The information generally never leaves the owner’s servers, so the criminal raises no red flags that something is amiss. This makes it much harder to catch, and it can be much more destructive. Think maliciously altering flight plans with air traffic controllers, altering bank account balances, or appending your criminal record with fictitious arrests. 

Think of data manipulation as a virus that invades the body and alters its fundamental DNA. The damage is done quietly, and you may never know it happened.
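Because the altered data never leaves the owner’s servers, the detection has to live with the data. The following is an added example (not from the original post) of one way to do that: each record carries an HMAC-SHA256 seal computed under a key the database server never holds, and every legitimate write is appended to a hash-chained audit log, so a direct edit to a stored field (the blood type from the opening scenario, or a release date like the jail case below) is caught on read or by a periodic sweep. The key, the store class and the patient and inmate records are all constructed for this example; the assumption is that an attacker can edit the database directly but cannot read the sealing key.

```python
"""Added example: tamper-evident records via keyed seals plus a hash-chained audit log."""
import hashlib
import hmac
import json

# Assumption: held by the application tier or an HSM, never on the database host.
SEAL_KEY = b"hypothetical-sealing-key-held-outside-the-db"
GENESIS = "0" * 64


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so a seal does not depend on key order or spacing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> str:
    return hmac.new(SEAL_KEY, canonical(record), hashlib.sha256).hexdigest()


class TamperEvidentStore:
    """`rows` is what an attacker with database access can edit; the seals and
    the audit chain are what make those edits detectable."""

    def __init__(self):
        self.rows = {}       # record id -> record dict, including its seal
        self.audit = []      # hash-chained log of legitimate writes
        self._head = GENESIS

    def write(self, record_id: str, fields: dict) -> None:
        body = {"id": record_id, **fields}          # seal covers the id, so seals can't be moved between rows
        row = {**body, "seal": seal(body)}
        self.rows[record_id] = row
        entry = {"prev": self._head, "id": record_id, "seal": row["seal"]}
        entry_hash = hashlib.sha256(canonical(entry)).hexdigest()
        self.audit.append({**entry, "hash": entry_hash})
        self._head = entry_hash

    def read(self, record_id: str) -> dict:
        """Verify before trusting: refuse to return a record whose contents no
        longer match what was sealed."""
        row = dict(self.rows[record_id])
        stored = row.pop("seal", "")
        if not hmac.compare_digest(seal(row), stored):
            raise ValueError(f"integrity failure on record {record_id}")
        return row

    def verify_all(self) -> list:
        """Sweep for a periodic integrity job: ids whose seal no longer matches."""
        bad = []
        for rid in self.rows:
            try:
                self.read(rid)
            except ValueError:
                bad.append(rid)
        return bad

    def verify_audit_chain(self) -> bool:
        """Detects deleted, reordered or rewritten audit entries."""
        prev = GENESIS
        for e in self.audit:
            body = {"prev": e["prev"], "id": e["id"], "seal": e["seal"]}
            if e["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return prev == self._head

    def rows_match_audit(self) -> list:
        """Catches rows deleted or replaced behind the application's back: every id
        ever written must still exist, carrying the seal last recorded for it."""
        latest = {}
        for e in self.audit:
            latest[e["id"]] = e["seal"]
        return [rid for rid, s in latest.items()
                if rid not in self.rows or self.rows[rid].get("seal") != s]


def demo() -> list:
    store = TamperEvidentStore()
    store.write("patient-1001", {"name": "A. Example", "blood_type": "O-"})      # constructed
    store.write("inmate-77", {"name": "B. Example", "release_date": "2027-03-01"})  # constructed
    # Attacker with direct database access flips the blood type; without the key
    # the seal cannot be recomputed, so the next read or sweep flags the record.
    store.rows["patient-1001"]["blood_type"] = "AB+"
    return store.verify_all()


if __name__ == "__main__":
    print("tampered records:", demo())
```

Two caveats a practitioner should keep in mind. The seal only proves the record has not changed since the application last wrote it; a malicious change made through the application with valid credentials gets a valid seal, which is why the audit chain records who wrote what and when. And if the sealing key sits on the same host as the data, an attacker who owns that host can re-seal whatever they alter, so the key has to live somewhere the database compromise does not reach.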

The integrity of our data is at stake

In 2017, a Michigan man hacked the IT system of the Washtenaw County Jail and altered the release date of a friend who was serving a sentence there. The hacker used a social engineering campaign to trick workers at the jail into downloading malware onto their computers and was then able to access and change the data. Luckily, staff noticed something was amiss and used paper records to verify the sentence. But the scheme cost Washtenaw more than $230,000, and the criminal got access to the personal information of over 1,600 people.

Getting a friend out of jail is one creative use of data manipulation, but there are far more nefarious uses, such as altering operating procedures in nuclear facility instruction manuals, modifying software code in driverless vehicles, or changing the temperature threshold on refrigeration equipment or power turbines. And of course, with voter-registration systems already having been targeted, altering votes or voter eligibility.

The stock market is another place that’s ripe for data manipulation. As the Wall Street Journal reported last year, 85% of stock market trades happen “on autopilot — controlled by machines, models, or passive investing formulas.” Consequently, if the underlying data that feeds the algorithms is altered by hackers, it could create widespread chaos in the markets and ultimately destabilize the global economy.

The biggest threat may be to the healthcare industry, which has become a prime target in ransomware attacks, and where the effects of data manipulation can be deadly. To underscore this point, researchers in Israel created malware that can add realistic but fake malignant growths to CT or MRI scans before they’re reviewed by doctors or radiologists. Likewise, the malware can remove cancerous nodules or lesions from patients’ scans. 

In April, The Washington Post reported on the malware and revealed that a blind study conducted by researchers at Ben-Gurion University Cyber Security Research Center had devastating results. “In the case of scans with fabricated cancerous nodules, the radiologists diagnosed cancer 99 percent of the time. In cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.”

When it comes to cybercrime, the best defense is a good offense

Because the defense of data integrity is in its early stages, there is very little that organizations can do to defend against manipulation once the cybercriminals have cracked into critical databases. Few organizations possess the tools to accurately detect and eliminate data manipulation, and those tools are more than a year away. 

In the meantime, your solution is to keep criminals out of your data in the first place, using the tools that I talk about in every one of my presentations. When it comes to data integrity, prevention beats recovery every time.

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on data integrity, cybersecurity and tech/life balance.

Gadgets Attract Thieves at Starbucks – Privacy Project Episode #01

On this episode of Privacy Project, John confronts a coffee drinker about leaving their laptop totally alone as they talked outside on the phone at Starbucks.

America’s top Privacy & Identity Theft Speaker John Sileo has appeared on 60 Minutes, Anderson Cooper and Fox & Friends, and in front of audiences including the Department of Defense, Pfizer, Homeland Security and hundreds of corporations and associations of all sizes. His high-content, humorous, audience-interactive style delivers all of the expertise with lots of entertainment. Come ready to laugh and learn about this mission-critical, bottom-line enhancing topic.

John Sileo is an award-winning author and keynote speaker on the dark art of deception (identity theft, fraud training, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust.

Cybercrime on the Rise: Reported Losses over $550 million!

According to a new article in the Wall Street Journal, reported cybercrime rose 22.3% in 2009 over 2008. Identity thieves and white-collar criminals have taken to the internet and caused over $550 million in reported losses, and there were over 60,000 more cybercrime complaints in 2009 than the year before. Many experts say the plummeting economy is responsible for last year’s rise.

The article goes on to discuss the new and more technologically savvy way that criminals are stealing our information.

Criminals’ tactics also are changing, with a growing number of crimes involving malicious applications installed on mobile devices and embedded in news and celebrity gossip Web sites. In this type of crime, Web criminals are using search-engine optimization to allow fake Web sites to rise to the top of searches. When users click on the links or pop-ups, malware or key loggers infect their computers, usually with the intent of hijacking personal and financial information such as bank passwords and account information. Scam artists also are switching from email to social-networking sites to perpetrate “phishing” scams designed to steal sensitive information from victims.

Top scams now include nondelivery of ordered merchandise, fraudulent emails claiming to be from the FBI seeking personal and financial information, identity theft, credit-card fraud, online auction fraud, and job and investment scams. Online auction fraud, which was a top complaint in the past, has declined and losses have fallen as awareness and auction-site security protections have improved, officials said.

In order to minimize your risk, share as little personal and identifying information on the internet as possible. The less that is out there, the less there is to steal. Verify web addresses and don’t click on unknown links or advertisements that come through on email and other sites. If you are the least bit suspicious don’t enter financial information onto the site!

John Sileo became one of America’s leading Social Networking Speakers & sought after Identity Theft Experts after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Identity Theft Expert: Theft Runs Rampant as Economy Tumbles

At the Privacy Project, our success is your nightmare (unless you are my speaking agent).

Business at the Sileo Group and engagements as an identity theft speaker are up 400% compared with the same period last year. I am booked for exactly 4X as many identity theft prevention and privacy leadership speeches in the first quarter of 2009 as I was in 2008; and 2008 brought me more work than I could handle on my own. Some of this is due to an extensive contract with the Department of Defense, but not all of it.

I’m not sharing our success to blow my own horn, though admittedly, it is satisfying to finally share some good news with you after having lost so much to this crime.

I’m sharing because our success gave me cold sweats at 3am this morning.

Why? Because the strength of my business is inversely proportional to the safety of yours. My business is thriving because identity theft is thriving, and that is not my purpose for being in business. I am in the identity theft prevention business to put myself out of a job. When I say it keeps me awake at night, I’m being sincere. At 3am this morning, I spent several hours deciphering the underlying causes responsible for the exploding demand for identity theft speakers… even as the meetings and speaking business has suffered drastically at the hands of the spiraling economy. And then it came to me; I realized that the answer was contained in the question…