Tuesday, January 29, 2019

Dharma Ransomware Attack - Week 8


A ransomware attack is one of the most critical security breaches.  Here is some general information about ransomware.

•    It infects computers when a user clicks an unsafe link or downloads an unsafe program. These can arrive through e-mails, torrents, botnets, or other forms of transmission.
•    Ransomware can’t be removed even when the computer’s owner flashes the BIOS, wipes the drive, or attempts to return to a prior restore point.
•    Ransomware often locks down user files and a ransom demand is made, while a unique decryption key is created and stored on the hacker’s servers. “If the ransom is not paid in time, or if any attempt to alter the program directly is made, the decryption key is permanently deleted, rendering all encrypted files inaccessible. If the ransom is paid in time, the decryption key is transferred and the files will be decrypted” (Alvarez, 2019).


In December 2018, the Phobos ransomware exploited open or poorly secured remote desktop protocol (RDP) ports.  It snuck inside networks, encrypted files, and demanded a ransom paid in bitcoin for returning the files.  The ransomware, dubbed Phobos, is believed to have been created by the same group that created the Dharma ransomware.  “Phobos also contains elements of CrySiS ransomware — also related to Dharma — with anti-virus software detecting Phobos as CrySiS. The ransomware's file markers also differentiate it from Dharma. However, the attack methods and threat remain the same” (Palmer, 2019).  Given so many similarities in the way the attacks are carried out, researchers believed that Phobos ransomware was just a modification of Dharma ransomware.

The Dharma ransomware attack happened on September 3, 2018, about 3 months before the Phobos ransomware.  Dharma ransomware hit the Altus Baytown Hospital (ABH).  It snuck into the ABH network as malicious code and infected the hospital's systems.  The Dharma ransomware encrypted files and then demanded a ransom payment in return for access.  The files “included files containing patient information such as names, home addresses, dates of birth, social security numbers, driver license numbers, credit card information, phone numbers, and medical data” (Osborne, 2018).

The world will continue to deal with more data breaches and cyber attacks.  Therefore, it is a business’s responsibility to prepare for and protect itself against all possible security issues.  It would cost a business quite a bit of money and effort to build and maintain a strong security network.  If companies don’t have enough funds for security, they can go with the following options:

1.    Cloud solution: These are services that provide computing resources for a business.  They include everything from the applications to the data center, and the cloud’s security network is designed and secured by the best security experts.  The service is delivered mainly through the internet on a pay-for-use basis.

2.    Pay-as-you-go model: “One major benefit of the pay-as-you-go method is that there are no wasted resources, since users only pay for services procured, rather than provisioning for a certain amount of resources that may or may not be used. With traditional enterprise design, users architect data storage to handle the maximum workload. But with the public cloud, the pay-as-you-go method allows you to be charged only for what you store” (Rouse, 2015).


Reference:
Alvarez.  (2019).  Ransomware – What Is It and What Is Its Impact.  Retrieved from https://www.alvareztg.com/ransomware-what-is-it-and-what-is-its-impact/

Osborne, C.  (2018, Nov 19).  Texas hospital becomes victim of Dharma ransomware.  Retrieved from https://www.zdnet.com/article/texas-hospital-becomes-victim-of-ransomware-patient-data-potentially-leaked/

Palmer, D.  (2019, Jan 21).  New Phobos ransomware exploits weak security to hit targets around the world.  Retrieved from https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/

Rouse, M.  (2015).  Pay-as-you-go cloud computing (PAYG cloud computing).  Retrieved from https://searchstorage.techtarget.com/definition/pay-as-you-go-cloud-computing-PAYG-cloud-computing

Thursday, January 24, 2019

Recap for the first half of the Class - Week 7


For the last six weeks, I have had a chance to learn real practical lessons in cybersecurity.  In the first two weeks, I learned how to create the Threat Model Process.  In the next two weeks, I learned how to use the Threat Modeling tool.  In the last two weeks, I learned how to perform a system analysis for a case study.

For the Threat Model Process, I had no experience with this.  Working on creating the Threat Model Process, I had a chance to study, do research, read other classmates’ work, and get valuable feedback from the professors and classmates, which gave me a good understanding of the Threat Model Process.  Each enterprise has a different type of business, and each business requires different security controls.  I believe that if a company could come up with its own Threat Model Process, which could be reviewed by experienced security experts, then the company could use the Threat Model Process to verify all the threats, vulnerabilities, and risks within the organization, monitor them, and then mitigate them.  By having a good Threat Model Process and seriously practicing it, companies would be able to keep the number of security issues low.

The Threat Modeling Tool is the tool that is used to perform a systematic analysis of attack vectors.  Through the homework and exercises for the class, I was able to find and learn about many different Threat Modeling Tools, such as:

•    securiCAD by foreseeti – It “is a threat modeling and risk management tool that enables you, the user, to get a holistic understanding of your IT infrastructure, incorporating risks from both structural and technical vulnerabilities” (Kumar, 2013).
•    ThreatModeler – It is the tool that helps to “Identify, predict and define threats across the entire attack surface to make proactive security decisions and minimize overall risk” (Threat Modeler, 2019).
•    IriusRisk – “this tool helps create a threat model and derive security requirements in no time using a straightforward questionnaire based system” (Kumar, 2013).
•    SD Elements by Security Compass – It is “An Advanced Automation Platform that Builds Security, Compliance, and Policy into Applications” (SecurityCompass, 2019).
•    Microsoft Threat Modeling Tool 2016 – It is a free tool designed by Microsoft.  It is one of the best tools that can help any organization create its threat modeling process.

For the system analysis, I had not had any experience in performing a system analysis before.  I came from a software development background and I have done a lot of design documents for various projects.  However, system analysis was a new concept for me.  Through the assignments for the last two weeks, I had a chance to perform a system analysis for a case study.  It was a good learning lesson.  Along with reading the assignment, reviewing other classmates’ work, and especially the feedback from the professor, I now have a good understanding of how to perform a system analysis.  For example, when performing a system analysis for a company, I should identify all the current assets, processes, and policies within the current IT environment, and explain their function and the effects if something bad happens to them.  A system analysis should be succinct, and all the complicated technical terms must be translated into common business terms so that the readers, mostly executives, can understand it.

So far, I really enjoy this class.  It gives me deeper knowledge and practical exercises in threat/vulnerability analysis.  I am looking forward to the other half of this class to continue learning more about security and the different aspects of the cybersecurity field.

Reference:
Kumar, A.  (2013, Dec 7).  List of Threat Modeling Tools.  Retrieved from https://vitalflux.com/list-of-threat-modeling-tools/

Threat Modeler.  (2019).  An automated threat modeling solution that secures and scales the enterprise software development life cycle.  Retrieved from https://threatmodeler.com/

SecurityCompass.  (2019).  SD Elements.  Retrieved from https://www.securitycompass.com/sdelements/

Wednesday, January 16, 2019

Aadhaar - Biggest Data Breach in 2018 - Week 6


Data breaches are one of the security threats that will continue to grow in the future.  Hackers are trying to make money from the data that they steal.  This threat does not only hurt businesses; it also hurts customers and citizens.  The following was the biggest data breach that happened last year, 2018.

The Aadhaar data breach happened in India.  It hit the Indian database that keeps identifying and biometric information on more than 1.1 billion registered Indian citizens (Whittaker, 2018).  Citizens who register with the Indian government with their fingerprints and biometric data gain the benefit of opening bank accounts, buying a phone SIM card, enrolling in utilities, using basic government services, and receiving state aid or financial assistance.

According to ZDNet, hackers had “access to the Aadhaar database through an API, which the company relies on to check a customer's status and verify their identity” (Whittaker, 2018).  The API (Application Programming Interface) was not secure and had no access controls in place, which left a security hole that allowed hackers to retrieve private data on each Aadhaar holder.  “The affected endpoint used a hardcoded access token, which, when decoded, translates to ‘INDAADHAARSECURESTATUS,’ allowing anyone to query Aadhaar numbers against the database without any additional authentication” (Whittaker, 2018).

Another security issue with the API was that “the API didn't have any rate limiting in place, allowing an attacker to cycle through every permutation -- potentially trillions -- of Aadhaar numbers and obtain information each time a successful result is hit” (Whittaker, 2018).  This security hole allowed an attacker to send thousands of requests to the database each minute and collect the information.  Together, these flaws caused a massive data breach that impacted 1.1 billion people.
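To make the two weaknesses above concrete, here is an added example (my own illustration, not code from the article or from the Aadhaar system) that puts the weak pattern, a single hardcoded token with no throttling, beside a hardened lookup that uses per-client keys, a sliding-window rate limit, and a minimal response.  The record store, client IDs and API keys are constructed placeholders.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data for the demo: a fake 12-digit ID and a fake record (not real data).
RECORDS = {"123456789012": {"name": "Sample Person", "city": "Sample City"}}
# The hardcoded token quoted in the ZDNet article, used here only as the weak baseline.
STATIC_TOKEN = "INDAADHAARSECURESTATUS"


def vulnerable_lookup(token, uid):
    """Weak pattern: one shared token, no caller identity, no throttling, full record returned."""
    if token != STATIC_TOKEN:
        return None
    return RECORDS.get(uid)


class SlidingWindowLimiter:
    """Allow at most `limit` calls per caller within any `window` seconds (clock is injectable)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = defaultdict(deque)

    def allow(self, caller):
        now = self.clock()
        q = self.calls[caller]
        while q and now - q[0] >= self.window:  # forget timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class HardenedService:
    """Per-client API keys (hypothetical), constant-time comparison, throttling, minimal response."""

    def __init__(self, api_keys, limiter):
        self.api_keys = api_keys  # client id -> secret issued to that client
        self.limiter = limiter

    def lookup(self, client, key, uid):
        expected = self.api_keys.get(client)
        if expected is None or not hmac.compare_digest(expected, key):
            return {"status": "unauthorized"}
        if not self.limiter.allow(client):
            return {"status": "rate_limited"}
        # A status check only needs a yes/no answer; the PII never leaves the record store.
        return {"status": "ok", "registered": uid in RECORDS}


def simulate_burst(service, client, key, n):
    """Tally outcomes when one client fires n lookups in a row, the shape of an enumeration attempt."""
    counts = defaultdict(int)
    for i in range(n):
        counts[service.lookup(client, key, f"{i:012d}")["status"]] += 1
    return dict(counts)
```

With a limit of 10 calls per minute, a burst of 100 lookups from one client yields 10 answers and 90 refusals, and even the answers carry no name or address.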

Not only hackers, but anyone with some knowledge of and experience with the API could access the government’s database.  “The Tribune newspaper said its reporters were able to access names, email addresses, phone numbers, and postal codes by typing in 12-digit unique identification numbers of people in the government's database, after paying an individual about $8. For another $5, the newspaper said, the individual offered reporters software to print out unique identification cards, called Aadhaar cards, that can be used to access various government services including fuel subsidies and free school meals” (Doshi, 2018).

Regarding a data breach, each country and business might react and solve the problem differently.  I could tell that in the US, the government, businesses, and the private sector respond to data breaches very quickly and effectively.  In India, “the Indian authorities did nothing for weeks to fix the flaw” (Whittaker, 2018).  Why did the Indian government and authorities respond so slowly to the Aadhaar data breach?  Do you think it’s because the data breach happened to public property, not the private sector?

When it comes to public or private property, I often see people treat them differently.  People often use public property improperly, carelessly, and wastefully.  For example, I have seen people who work for a government office print thousands of pages for a project when the document was not yet finalized.  A person later reprinted the document when it got fixed.  Now, I am working for a small private company.  My manager, the owner of the company, even suggested that I not print any document if it can be shared through email.  Not only with printing: the company uses any office equipment or office supplies wisely.

Back to the Aadhaar data breach, I think this security breach happened because the property belongs to the public.  People often don’t pay special attention to public property.  The way people handle and maintain public property is often with less attention.  The Aadhaar data breach was a clear example.  “ZDNet spent more than a month trying to contact the Indian authorities -- including the Indian government's National Informatics Centre. Nobody responded to our repeated emails” (Whittaker, 2018).

Here I have a couple of questions that I would like to ask the readers.  Do you have friends or relatives who are currently working for the City or State office in the US?  Do you think they have a lot of work to do?  Do you think they spend their time wisely at work?  Do you think they use public property correctly?

Reference:
Doshi, V.  (2018, Jan 4).  A security breach in India has left a billion people at risk of identity theft.  Retrieved from https://www.washingtonpost.com/news/worldviews/wp/2018/01/04/a-security-breach-in-india-has-left-a-billion-people-at-risk-of-identity-theft/?noredirect=on&utm_term=.8209a3b1185d

Whittaker, Z.  (2018, Mar 23).  A new data leak hits Aadhaar, India's national ID database.  Retrieved from https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/

Tuesday, January 8, 2019

Spoofing Threat - Week 5

From the readings and lessons of the last couple of weeks, I had a chance to learn about the STRIDE model.  This model was developed by Microsoft to help security engineers understand and classify all possible threats.  Each letter of STRIDE represents one type of threat as follows:

S stands for Spoofing, which is an act of pretending to be something or someone you're not.

T stands for Tampering, which is an act of modifying something you're not supposed to modify.

R stands for Repudiation, which is an act of claiming you didn't do something.

I stands for Information Disclosure. It is the exposure of information to people who are not authorized to see it.

D stands for Denial of Service.  It is a type of attack that prevents valid users from accessing the system because the system is flooded and runs so low on resources that it can no longer tell valid users from invalid ones.

E stands for Escalation of privilege.  It is a threat in which a program or a person within the company does things they are not supposed to do.

In this particular post, I am going to talk about the first threat, which is the Spoofing threat.  As I have mentioned above, Spoofing is the threat of someone pretending to be something or someone they are not.  Most security systems rely on the identification and authentication of users.  How can the security system tell if a user is a valid user?  For example, when student A uses the login credentials of student B to log into the class website, the security system would not be able to identify the valid user.  I would say the security system would fail in this case.

We are living in the age of technology now, and this helps many businesses expand their businesses and services and increase their number of customers quickly and successfully.  For example, we see so many companies taking advantage of technology to offer online shopping.   Amazon is one of the most successful examples.  Almost every other big brand has also expanded its business and services online as well, such as BestBuy, Walmart, Target, Sears, and many universities too.  Twenty years ago, online classes might not have been available, but now they are common and help both students and professors learn and teach at their most convenient time.  Now, here is a different type of Spoofing threat that I would like to bring up and challenge all the universities with, including Bellevue University.

How are you going to know if the student who is taking an online class is really the one who does all the assignments, quizzes, and exams?  For example, a student can "hire" someone to do all the work for them, including the weekly postings, assignments, and tests.  When hiring someone to do the work, the student gives their login credentials to the person they hired so that person can log into the class website and perform all the work.   In this case, how are the school, the security system, and the professors able to identify whether the user is valid and authorized to log into the website and perform the work?

I bring this concern up and ask you, as a reader, a question.  Do you think this is a Spoofing threat?  If you think it is a Spoofing threat, then what do you think are the best ways to defend against it?  When I was thinking about this threat, I had two different thoughts.  First, an online class might not reflect the best quality and value of the students.  Second, the online program has some security holes.  With that, how do you think these security issues should be fixed?

Here is just one way to fix this security threat that I could think of.  Each week, a professor can schedule a 30-minute online face-to-face meeting with students through webcam to review/test the student.  I personally like the SYNC & Telephone meeting option that the Writing Center has.  This option allows students and the Writing Center staff to talk face to face about the papers.  Bellevue University should also make this option available for professors and students to meet online face to face and review the material.  The professors can use the SYNC & Telephone meeting option to test students on the lessons that they teach.  When doing the exams, students would also need to log into the SYNC & Telephone meeting to take the test with verification from the professor or any staff from the school.

Above is one specific Spoofing threat, which might be very different from the Spoofing threats of information technology. Do you think it is a Spoofing threat? It could be one threat that I am not sure the school and professors have ever thought about.  I hope this threat never happens, but if it does, how could the school handle it?

Reference:
Shostack, A.  Threat Modeling: Designing for Security (p. 10).  Wiley.  Kindle Edition.