Issue 46 | May 24, 2017

#DataInsecurity Digest: The WannaCry issue

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Is the WannaCry ransomware attack the “big one” that security experts have been warning about since information about the NSA’s cyber weapons were leaked? The massive ransomware attack, which many are pinning on North Korea, affected at least 75,000 computers in 99 countries and resulted in patients being turned away from hospitals and assembly lines shutting down. It remains to be seen if the reforms outlined in President Trump’s long-awaited cyber order will move the needle in terms of protecting consumers from similar attacks in the future. Congress isn’t sitting still however, as a bipartisan group of Congressmen have introduced legislation to get the NSA and other intelligence agencies to come clean about their stockpiles of zero-day vulnerabilities. Those calls for reform could get a big boost from Microsoft, which is using the WannaCry attack to reiterate its call for data security reform in the United States and elsewhere. Let’s just hope that whatever reforms come about, they make American consumers more secure than Trump properties’ leaky Wi-Fi networks.

And now, on to the clips!

—————–

WannaCry ransomware attack “unprecedented in scale.” At least 75,000 computers in 99 countries were hit by the WannaCry ransomware attack, which reportedly relied on Windows exploits originally identified in leaked documents from the National Security Agency (NSA). The impacts were widely felt in critical industry sectors across the globe. For example, automaker Renault’s assembly lines were shut down in France, National Health Service offices in the UK were forced to turn away patients, and more than 1,000 computers at the Russian Interior Ministry were affected. (Source: BBC News)

Despite initial reporting, old Windows XP installs were not primary target. While Microsoft did roll out a patch for its old Windows XP operating system in March to address the vulnerability that would later be exploited by the WannaCry attack, the obsolete OS was not the primary target, according to Kaspersky Labs. @phonesolder writes, “[a]ccording to data recently published by the security firm, an astonishing 98 percent of the affected devices were running some or the other version of Windows 7. On the other hand, less than one in a thousand were powered by Windows XP making it almost insignificant for the discussion.” (Source: TechPP)

Signs increasingly point to North Korea’s elite hacking group as WannaCry culprit. The reclusive regime has long trained elite cyberwarfare groups which often operate through other countries to maintain plausible deniability. While details remain sketchy, North Korea is increasingly viewed as the source of last week’s devastating WannaCry ransomware attacks. “Cyber security researchers have also said they have found technical evidence that could link North Korea with the global WannaCry “ransomware” cyber attack that infected more than 300,000 computers in 150 countries this month,” write @juminism and @pearswick. “The crux of the allegations against North Korea is its connection to a hacking group called Lazarus that is linked to last year’s $81 million cyber heist at the Bangladesh central bank and the 2014 attack on Sony’s Hollywood studio.” (Source: Reuters) 

Microsoft: “[A]ttack is a wake-up call for all of us.” Microsoft’s President and Chief Legal Officer Brad Smith was on the front lines of the company’s response to the WannaCry attack. While urging technical fixes, Smith was blunt about the need for government action. “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” wrote Smith. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.” (Source: Microsoft)

Congress responds to WannaCry with PATCH Act. In response to the unprecedented WannaCry ransomware attack, a bipartisan group of Congressmen introduced legislation that would require federal intelligence agencies to turn over their stockpile of zero-day vulnerabilities to an independent technical review board. The board would in turn determine if the vulnerabilities could be made public and fixed in order to improve overall cybersecurity. The Protecting Our Ability to Counter Hacking (PATCH) Act is sponsored by Sen. Brian Schatz (D-HI) and co-sponsored by Sen. Corey Gardner (R-CO), and Reps. Ted Lieu (D-CA), and Blake Farenthold (R-TX). (Source: ZDNet)

White House cyber order largely builds on Obama-era programs. The Trump Administration’s long-awaited cyber order is officially out, but it appears to offer little that wasn’t already in the pipeline under the Obama Administration. “My initial reaction to the order is, ‘this is great,'” former National Security Council Director for Cybersecurity Policy Ben Flatgard told Ars. “Trump just endorsed Barack Obama’s cybersecurity policy.” Flatgard was one of the principal authors of the Obama administration’s Cyber National Action Plan (CNAP), published in February of 2016. (Source: Ars Technica)

Three things to know about Ohlhausen and data security. Privacy and data security law-focused law firm Foaley Hoag offers their take on three things to expect from FTC Chairman Maureen Ohlhausen when it comes to data security at the Commission. “She agrees with the new cybersecurity executive order.” … “She’s not a fan of aggressive CIDs (civil investigative demands.)” … “The FTC’s definition of cyber injury might be shifting.” (Source: Foaley Hoag)

Mar-a-Lago an easy target for hackers. Wherever the President is is a tempting target for hackers of all stripes. Unfortunately for President Trump, the so-called “Winter White House” at Mar-a-Lago resort in Florida, as well as other favorite retreats are unusually insecure. “We parked a 17-foot motorboat in a lagoon about 800 feet from the back lawn of the Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club,” write @thejefflarson, @suryamattu, and @JuliaAngwin. “Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.” (Source: ProPublica) 

Breach du jour: Zomato. Restaurant app Zomato announced on May 18 that account information for approximately 17 millions users was compromised. The data that was disclosed included user IDs, names, usernames, email addresses, and hashed and salted passwords. The company claims it has been in touch with the hacker involved, who has promised to destroy the data and take down the dark web marketplace set up for the breached information. (Source: Zomato)

Breach du jour part deux: Brooks Brothers. High-end menswear retailer Brooks Brothers is the latest retailer to have its payments system breached. While exact numbers have not been announced, the retailer disclosed that the breach occurred over nearly a one-year period from April 2016 to March 2017 and compromised payment data, but not Social Security numbers or other personal information. (Source: Reuters)

—————–

Upcoming events

Today! May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts, and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

May 25, 2017 – Workshop on Technology and Consumer Protection (ConPro ’17) – San Jose, CA
At this year’s 38th IEEE Symposium on Security and Privacy, a Workshop on Technology and Consumer Protection (ConPro’17) will explore computer technology’s impact on consumers, with a special focus on privacy and ways in ”which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers.” ConPro’17 aims to bring together academic and industry researchers along with government officials.

National Consumers League
Published May 24, 2017