Hacker Tracker | July in Review

Where are we in the world of cybersecurity? It’s easy to miss the cybersecurity threats and attacks happening right in our “backyard”. Our goal at PK Tech is to educate and offer proactive steps for cybersecurity safety. It’s important to be aware–without being afraid–of the cybersecurity threats that are real threats for your business. PK Tech aims to be a leading educator and support tool in the world of cybersecurity.

Check out our monthly “Hacker Tracker” for the latest in cybersecurity hacks, breaches and updates…

#1 – Twitter’s big hack bares broad dangers | 7.16.20

• Hackers took over the accounts of Joe Biden, Barack Obama, Elon Musk, Bill Gates and other notable figures to push a cryptocurrency scam.
• The cyber scam allowed the posting of a message luring people to deposit bitcoin in a specific account.
•  The real fallout came as business leaders, politicians and everyday users realized that their chosen network for real-time information is even more vulnerable to being hijacked than they thought.
• View the Source

#2 – College recruitment database leaking nearly 1 million students’ GPAs, SAT scores, IDs, and other personal data | 7.22.20 

• An unsecured Amazon S3 (Simple Storage Service) bucket, or database, containing nearly 1 million records of sensitive high school student academic information was recently discovered.
• Included in this unsecured bucket are GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more.
• High school students, being largely minors, are protected under various laws, while students in general have their academic records protected under the Family Educational Rights and Privacy Act (FERPA). This federal law, amongst other things, provides parents the “control over the disclosure of personally identifiable information from the education records.” When the student turns 18 or enters college, the rights transfer from the parents to the students. 
• Regardless, the parents or student chooses who to disclose the information to, and an unsecured database removes that choice and that control from them. 
• View the Source

#3 – Garmin is experiencing a company wide outage after apparent ransomware attack | 7.24.20

• After initial reports pointed to a ransomware attack (via ZDNet), Garmin has now publicly confirmed that it’s been hit by a cyber attack and that it’s working to bring its servers back online over the next few days.
• Garmin’s servers and factories have been shut down since July 23 and are only slowly starting to go online again. To deal with the issue, the company entered a maintenance mode for multiple days, which is why all of its services were offline for some time.
• Some customers lost access to older logs, but those will likely be available again once the company regains full control over its encrypted servers.
• View the Source

Lessons Learned From This Month’s Hacks

#1 Twitter

What was the root cause of Twitter’s massive hack of high profile accounts? Did they zipline in Mission Impossible-style and steal a floppy disc? No, it was a failure of internal staff falling for a coordinated social engineering attack. Your people are your most significant security threat. Most small businesses are one click from complete failure because they don’t take necessary security precautions that require a small investment that doesn’t return a visible result immediately. 

Lesson: assess your risks with a competent IT Company, and intentionally and incrementally add security measures and tie them to business goals. One goal might be: remain in business if an employee clicks on the wrong link. Let’s put a quality Endpoint Protection platform in with anti-ransomware capabilities. That’s the beginning of the journey, find a competent and evolving IT Company to guide you through it as the landscape changes.

#2 College recruitment database

This one appears to be an incompetent AWS Developer that set up cloud resources in AWS and didn’t understand what they were doing. Improperly and insecurely configured IT resources, such as leaving the default permissions on a solution, will eventually come to light. And in this case, it’s devastating to the organization.

Lesson: understand that using the public cloud opens you up to new attack vectors. AWS can be secure when set up with the right controls, just like anything in the public cloud. You, the client, needs to ask: what risks am I opening myself to by going with this solution? Was this developer the cheapest guy in town or a highly qualified organization with an intentional focus on setting things right and securely? If your organization is as large as the #2 example, you must use a third-party cybersecurity consulting firm to check their work for vulnerabilities routinely. 

It’s unlikely for small businesses ever to engage other IT Companies to check your primary IT Company’s work. Know that this may change in the future, as organizations are dropping like flies and filing insurance claims every day due to cybersecurity attacks. For now, small businesses must add “securing the business from cyber-threats” to the business plan and be intentional on incrementally getting better. 

#3 Garmin

Ouch. It’s early, but we’re guessing an employee clicked on the wrong link, and then the attack replicated throughout the infrastructure. It also could have been external-facing vulnerability that attackers exploited to gain access and replicate ransomware throughout the infrastructure. Either way, think about the optics of what happens after a ransomware attack on such a public-facing organization: 

• Attackers were able to be completely shut down their website/factories/apps via one hacking event. This is a confidence-shaking failure across the board. How and why would factories be internally linked to the infrastructure that has the maps on it? Segregate networks!
• From what we’ve read, they elected to pay $10 MILLION for the decryption keys. Three things come to mind: 1) Who do you think is on the receiving end of that payment? Hard to say, but many believe it’s funding terrorism. 2) By paying it, they are stimulating a booming sector that now has even more players attracted to it due to how effective it is. 3) This organization appears to drop the ball on proper IT security practices, solutions, risk assessments, etc.. It’s sad to read these headlines repeatedly; IT and IT Security are a part of your BUSINESS GOALS and not a COST TO BE MINIMIZED. Ten million toward prevention would still put them ahead, the lawsuits, reputation repair, stock value loss will follow Garmin around for years.

Lesson: if you’re a malicious actor, the lesson is crime pays, aim for large companies, and they’ll do the math and cut a check. This is ridiculous. 

If you’re a small business, the lesson is: it doesn’t matter how big or small you are, a specific type of company is being targeted, but typically only the big ones hit the news. What type of company? The ones who don’t take security seriously, aka, the majority of small businesses and even many large companies.

Do the following: add “securing the business from cyber-threats” to your next big brain strategy meetings and start budgeting for it. If you started a business in a war zone, you’d allocate money for your defenses. The second you plugged your company into the internet, you entered a war zone. The war is in your parking lot, and MOST small businesses don’t even lock their doors. Work with a competent IT Company and be intentional about security before you’re a casualty of war.