08/09/2020

Enterprise–Grade Malware

There’s a certain irony about how GPS company Garmin can tell me my maximum heartrate equation; however, it has no location information on its own data.

As someone who spends a good deal of time trying to think ahead for customers and imagine the worst, it can be difficult when customers don’t see things the way you do. In some ways this has been a sobering few weeks. The theory goes something like this: “I can’t put Multi–Factor on Bob because he is just too IT illiterate.”

The bottom line is that if Bob is IT illiterate he needs MFA more than anyone else, and if he can’t manage MFA there are probably a great many other things Bob can’t do. At this point you may have heard the words “Sack Bob!”. This, however, is not my plan as I simply cannot conceive of someone who cannot do MFA. If Bob managed to turn up for work with vaguely matching socks and shoes, then he can do MFA – there’s no question about it. Ultimately, there is no excuse for not using these tools to secure your identity and it is needed now more than ever. Much more. In the last few days it has become clear just how at risk people are.

Avoiding Big Problems with Basic IT Requirements

I almost wouldn’t mind if we were asking customers to solve Fermat’s last theorem, but all we are asking is that you have a good password (tested by a blacklist), a Nitec–approved policy so that some people don’t wheedle out of having a decent password and Multi–Factor Authentication so that when (not if) staff get duped into handing over their passwords the hacker still can’t get in. And if you think you can’t be duped you’re wrong. I can’t say it any plainer than that. You are so wrong.

I think also I see an element of the blasé. People have had a few scrapes with losing some data and it wasn’t the end of the world for all of them. Note the nuance here. It was still almost the end of the world for a few.

This is a very dangerous state of mind. The average hacker doesn’t understand what they have stumbled across, but that doesn’t mean all hackers are clueless, and as we shall see with a case in point this month some of the script kiddies of yesteryear have grown up and their tastes have changed. So, rather than getting off on being a pain or being seen as 1337 (or Leet) by their peers, they are much happier with cold hard (virtual) cash. And, like that new iPhone that can now see every hair of Auntie Gladys’s beard, their tools have got a bit better. They have looked at the tools from a few years ago and examined the areas of weakness that caused law enforcement to get the better of them and IT techs to best them in data recovery, and have consequently spent some time refining their methods and levels of devastation.

IT is a Business Necessity

As a timely aside, I come across customers on a semi–regular basis who see IT as something entirely distinct from their company.

I should clarify that “Nitec” is not indispensable, and I would like to think that were an atomic bomb to land in the Technology Park a few tears would be shed and the odd candle would be lit. But let’s face it, the world would move on and other IT providers would be found. That is a different thing, though, from saying that you could survive without your IT.

I had one customer in the last few weeks who cancelled their online backup contract. While I totally accept that times are tough and some segments have been hit very hard indeed, it did strike me as a little odd that the customer had singled out their online backup as the area to cut back on. At the risk of sounding terribly tone–deaf to people’s problems in the age of Covid–19, this is definitely not the time to be cutting back on protection. Quite the opposite. And the cold hard truth, even if we would rather not hear it, is that without IT systems most of us don’t really have a business. You may think you could continue to be an effective architect, lawyer or accountant in the modern age if all your electronic files disappeared. I’m sorry but I beg to differ, and I doubt your customers would be understanding. Even if you had hard copies, which are less and less by the day, you might struggle to survive if you need to recreate the data electronically to action it.

GarminGate

Anyway, apologies for the rant. Now for the meat and potatoes of today’s chat. Garmin, “WastedLocker” and an estimated $10M in ransom payment.

The highlights:

  1. Hackers got into Garmin’s network and spent a significant period watching it to find out how it operated, how the backups worked and how to take it out completely.
  2. Once ready, they encrypted a chunk of Garmin’s data and Garmin could not get it back. The data was lost on the 23rd July and on the 26th their systems were still down.
  3. Garmin, realising that they had been bested, agreed to pay the ransom, which was thought to be $10M. Once paid, the hackers released the decryption key and they got their data back on July 27th.


Considering the above, I beg you to engage with your account manager to get at least a baseline of security. Look in your Customer Portal and ask about the red bits. Some of these things are free, so you have literally no excuse. You need to be doing everything you can to keep people out of your stuff. Trust me, the shift from “blasé–ing it” to “bricking it” can happen quicker than the blink of an eye.