The Great $50M African IP Address Heist

A top executive at the nonprofit entity responsible for doling out chunks of Internet addresses to businesses and other organizations in Africa has resigned his post following accusations that he secretly operated several companies which sold tens of millions of dollars worth of the increasingly scarce resource to online marketers. The allegations stemmed from a three-year investigation by a U.S.-based researcher whose findings shed light on a murky area of Internet governance that is all too often exploited by spammers and scammers alike.

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market. This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

Perhaps the most dogged chronicler of this trend is California-based freelance researcher Ron Guilmette, who since 2016 has been tracking several large swaths of IP address blocks set aside for use by African entities that somehow found their way into the hands of Internet marketing firms based in other continents.

Over the course of his investigation, Guilmette unearthed records showing many of these IP addresses were quietly commandeered from African businesses that are no longer in existence or that were years ago acquired by other firms. Guilmette estimates the current market value of the purloined IPs he’s documented in this case exceeds USD $50 million.

In collaboration with journalists based in South Africa, Guilmette discovered tens of thousands of these wayward IP addresses that appear to have been sold off by a handful of companies founded by the policy coordinator for The African Network Information Centre (AFRINIC), one of the world’s five regional Internet registries which handles IP address allocations for Africa and the Indian Ocean region.

That individual — Ernest Byaruhanga — was only the second person hired at AFRINIC back in 2004. Byaruhanga did not respond to requests for comment. However, he abruptly resigned from his position in October 2019 shortly after news of the IP address scheme was first detailed by Jan Vermeulen, a reporter for the South African tech news publication Mybroadband.co.za who assisted Guilmette in his research.

KrebsOnSecurity sought comment from AFRINIC’s new CEO Eddy Kayihura, who said the organization was aware of the allegations and is currently conducting an investigation into the matter.

“Since the investigation is ongoing, you will understand that we prefer to complete it before we make a public statement,” Kayihura said. “Mr. Byauhanga’s resignation letter did not mention specific reasons, though no one would be blamed to think the two events are related.”

Guilmette said the first clue he found suggesting someone at AFRINIC may have been involved came after he located records suggesting that official AFRINIC documents had been altered to change the ownership of IP address blocks once assigned to Infoplan (now Network and Information Technology Ltd), a South African company that was folded into the State IT Agency in 1998.

“This guy was shoveling IP addresses out the backdoor and selling them on the streets,” said Guilmette, who’s been posting evidence of his findings for years to public discussion lists on Internet governance. “To say that he had an evident conflict of interest would be a gross understatement.”

For example, documents obtained from the government of Uganda by Guilmette and others show Byaruhanga registered a private company called ipv4leasing after joining AFRINIC. Historic WHOIS records from domaintools.com [a former advertiser on this site] indicate Byaruhanga was the registrant of two domain names tied to this company — ipv4leasing.org and .net — back in 2013.

Guilmette and his journalist contacts in South Africa uncovered many instances of other companies tied to Byaruhanga and his immediate family members that appear to have been secretly selling AFRINIC IP address blocks to just about anyone willing to pay the asking price. But the activities of ipv4leasing are worth a closer look because they demonstrate how this type of shadowy commerce is critical to operations of spammers and scammers, who are constantly sullying swaths of IP addresses and seeking new ones to keep their operations afloat.

Historic AFRINIC record lookups show ipv4leasing.org tied to at least six sizable blocks of IP addresses that once belonged to a now defunct company from Cameroon called ITC that also did business as “Afriq*Access.”

In 2013, Anti-spam group Spamhaus.org began tracking floods of junk email originating from this block of IPs that once belonged to Afriq*Access. Spamhaus says it ultimately traced the domains advertised in those spam emails back to Adconion Direct, a U.S. based email marketing company that employs several executives who are now facing federal criminal charges for allegedly paying others to hijack large ranges of IP addresses used in wide-ranging spam campaigns.

Bill Woodcock is executive director of Packet Clearing House, a non-profit research institute dedicated to understanding and supporting Internet traffic exchange technology, policy, and economics. Woodcock said it’s not unheard of for employees at regional Internet registries (RIRs) to get caught selling off IP addresses as a side hustle, but that this case is by far the longest-running alleged scheme to date.

“It’s not unprecedented in the sense that there have been insider deals in the past done illicitly by employees of other RIRs,” he said. “But typically they’ve been one-off or short-lived before getting caught or fired.”

Anyone interested in a deeper dive on Guilmette’s years-long investigation — including the various IP address blocks in question — should check out MyBroadband’s detailed Dec. 4 story, How Internet Resources Worth R800 Million (USD $54M) Were Stolen and Sold on the Black Market.

Microsoft announces public preview of Microsoft Teams for Linux

Today, Microsoft announced a public preview of Microsoft Teams for Linux, the first Office 365 tool that’s available for the open-source operating system.

The hope is that by making it available for preview, the company can get feedback from the community and improve it before it becomes generally available. “Starting today, Microsoft Teams is available for Linux users in public preview, enabling high quality collaboration experiences for the open source community at work and in educational institutions,” the company wrote in the blog post announcing the release.

The goal here ultimately is to help get Teams into the hands of more customers by expanding the platforms it runs on. “Most of our customers have devices running on a variety of different platforms such as Windows 10, Linux and others. We are committed to supporting mixed environments across our cloud and productivity offerings, and with this announcement, we are pleased to extend the Teams experience to Linux users,” the company wrote in the blog post.

This announcement is significant for a couple of reasons. For starters, Microsoft has had a complicated history with Linux and open source, although in recent years, under Satya Nadella, it has embraced open source. This shows that Microsoft is willing to put its tools wherever customers need them, regardless of the platform or operating system.

Secondly, as it marks the first Office 365 app on Linux, if there is positive feedback, it could open the door for more apps on the platform down the road.

The announcement also comes against the backdrop of the company’s ongoing battles with Slack for enterprise collaboration platform users. In July, Microsoft announced 13 million daily active users on Teams. Meanwhile, Slack has 12 million DAUs. It’s worth noting that Slack has been available on Linux for almost two years.

Soci raises $12M to help big brands manage local marketing

According to CEO Afif Khoury, we’re in the middle of “the third wave of social” — a shift back to local interactions. And Khoury’s startup Soci (pronounced soh-shee) has raised $12 million in Series C funding to help companies navigate that shift.

Soci works with customers like Ace Hardware and Sport Clips to help them manage the online presence of hundreds or thousands of stores. It allows marketers to post content and share assets across all those pages, respond to reviews and comments, manage ad campaigns and provide guidance around how to stay on-brand.

It sounds like most of these interactions are happening on Facebook. Khoury told me that Soci integrates with “40 different APIs where businesses are having conversations with their customers,” but he added, “Facebook was and continues to be the most prominent conversation center.”

Khoury and CTO Alo Sarv founded Soci back in 2012. Khoury said they spent the first two years building the product, and have subsequently raised around $30 million in total funding.

“What we weren’t building was a point solution,” he said. “What we were building was a massive platform … It took us 18 months to two years to really build it in the way we thought was going to be meaningful for the marketplace.”

Soci has also incorporated artificial intelligence to power chatbots that Khoury said “take that engagement happening on social and move it downstream to a call or a sale or something relevant to the local business.”

The new round was led by Vertical Venture Partners, with participation from Grayhawk Capital and Ankona Capital. Khoury said the money will allow Soci to continue developing its AI technology and to build out its sales and marketing team.

“Ours is a very consultative sale,” he said. “It’s a complicated world that you’re living in, and we really want to partner and have a local presence with our customers.”

D-Wave partners with NEC to build hybrid HPC and quantum apps

D-Wave Systems announced a partnership with Japanese industrial giant NEC today to build what they call “hybrid apps and services” that work on a combination of NEC high-performance computers and D-Wave’s quantum systems.

The two companies also announced that NEC will be investing $10 million in D-Wave, which has raised $204 million prior to this, according to Crunchbase data.

D-Wave’s chief product officer and EVP of R&D, Alan Baratz, whom the company announced this week will be taking over as CEO effective January 1st, says the company has been able to do a lot of business in Japan, and the size of this deal could help push the technology further. “Our collaboration with global pioneer NEC is a major milestone in the pursuit of fully commercial quantum applications,” he said in a statement.

The company says it is one of the earliest deals between a quantum vendor and a multinational IT company with the size and scale of NEC. The deal involves three key elements. First of all, NEC and D-Wave will come together to develop hybrid services that combine NEC’s supercomputers and other classical systems with D-Wave’s quantum technology. The hope is that by combining the classical and quantum systems, they can create better performance for lower cost than you could get if you tried to do similar computing on a strictly classical system.

The two companies will also work together with NEC customers to build applications that will take advantage of this hybrid approach. Also, NEC will be an authorized reseller of D-Wave cloud services.

For NEC, which claims to have demonstrated the world’s first quantum bit device way back in 1999, it is about finding ways to keep advancing commercial quantum computing. “Quantum computing development is critical for the future of every industry tasked with solving today’s most complex problems. Hybrid applications and greater access to quantum systems is what will allow us to achieve truly commercial-grade quantum solutions,” Motoo Nishihara, executive vice president and CTO at NEC Corporation, said in a statement.

This deal should help move the companies toward that goal.

Accel and Index back Tines, as the cybersecurity startup adds another $11M to its Series A

It was just a couple of months ago that Tines, the cybersecurity automation startup, raised $4.1 million in Series A funding led by Blossom Capital, and now the Dublin-based company is disclosing an $11 million extension to the round.

This additional Series A funding is led by venture capital firm Accel, with participation from Index Ventures and previous backer Blossom Capital. The extra cash will be used to continue developing its cybersecurity automation platform and for further expansion into the U.S. and Europe.

Founded in February 2018 by ex-eBay, PayPal and DocuSign security engineer Eoin Hinchy, and subsequently joined by former eBay and DocuSign colleague Thomas Kinsella, Tines automates many of the repetitive manual tasks faced by security analysts so they can focus on other high-priority work. The pair had bootstrapped the company as recently as October.

“It was while I was at DocuSign that I felt there was a need for a platform like Tines,” explained Hinchy at the time of the initial Series A. “We had a team of really talented engineers in charge of incident response and forensics but they weren’t developers. I found they were doing the same tasks over and over again so I began looking for a platform to automate these repetitive tasks and didn’t find anything. Certainly nothing that did what we needed it to, so I came up with the idea to plug this gap in the market.”

To remedy this, Tines lets companies automate parts of their manual security processes with the help of six software “agents,” with each acting as a multipurpose building block. The idea is that, regardless of the process being automated, it only requires combinations of these six agent types configured in different ways to replicate a particular workflow.

In addition, the platform doesn’t rely on pre-built integrations to interact with external systems. Instead, Tines is able to plug in to any system that has an API. “This means integration with commercial, off-the-shelf products, or existing in-house tools is quick and simple, with most security teams automating stories (workflows) within the first 24 hours,” says the startup. Its software is also starting to find utility beyond cybersecurity processes, with several Tines customers using it in IT, DevOps, and HR.

“We heard that Eoin, a senior member of the security team at DocuSign (another Accel portfolio company), had recently left to start Tines, so we got in touch,” Accel’s Seth Pierrepont tells TechCrunch. “They were in the final stages of closing their Series A. However, we were so convinced by the founders, their product approach, and the market timing, that we asked them to extend the round”.

Pierrepont also points out that a unique aspect of the Dublin ecosystem is that many of the world’s largest tech companies have their European headquarters in the country (often attracted by relatively low corporation tax), “so it’s an incredibly rich talent pool despite being a relatively small city”.

Asked whether Accel views Tines as a cybersecurity automation company or a more general automation play that puts automation in the hands of non-technical employees for a multitude of possible use cases, Pierrepont says, given Hinchy and Kinsella’s backgrounds, the cybersecurity automation sector should be the primary focus for the company in the short term. However, longer term it is likely that Tines will be adopted across other functions as well.

“From our investment in Demisto (which was acquired by Palo Alto Networks earlier this year), we know the security automation or SOAR category (as Gartner defines it) very well,” he says. “Demisto pioneered the category and was definitively the market leader when it was acquired. However, we think the category is just getting started and that there is still a ton of whitespace for Tines to go after”.

Meanwhile, in less than a year, Tines says it has on-boarded 10 enterprise customers across a variety of industries, including Box, Auth0 and McKesson, with companies automating on average 100 thousand actions per day.

CISO Magazine Honors KrebsOnSecurity

CISO Magazine, a publication dedicated to covering issues near and dear to corporate chief information security officers everywhere, has graciously awarded this author the designation of “Cybersecurity Person of the Year” in its December 2019 issue.

KrebsOnSecurity is grateful for the unexpected honor. But I can definitely think of quite a few people who are far more deserving of this title. In fact, if I’m eligible for any kind of recognition, perhaps “Bad News Harbinger of the Year” would be more apt.

As in years past, 2019 featured quite a few big breaches and more than a little public speaking. Almost without fail at each engagement multiple C-level folks will approach after my talk, hand me their business cards and say something like, “I hope you never have to use this, but if you do please call me first.”

I’ve taken that advice to heart, and now endeavor wherever possible to give a heads up to CISOs/CSOs about a breach before reaching out to the public relations folks. I fully realize that in many cases the person in that role will refer me to the PR department eventually or perhaps immediately.

But on balance, my experience so far is that an initial outreach to the top security person in the organization often results in that inquiry being taken far more seriously. And including this person in my initial outreach makes it much more likely that this individual ends up being on the phone when the company returns my call.

Too often, these conversations are led by the breached organization’s general counsel, which strikes me as an unnecessarily confrontational and strategically misguided approach. Especially if this is also their playbook for responding to random security researchers trying to let the company know about a dangerous security vulnerability, data breach or leak.

At least when there is a C-level security person on the phone when that call comes in I can be relatively sure I’m not going to get snowed on the technical details. While this may be a distant concern for the organization in the throes of responding to a data security incident, the truth is that the first report is usually what gets repeated in the media — whether or not it is wholly accurate or fair.

This year’s CISO Magazine awards also honor the contributions of Rik Ferguson, vice president security research at Trend Micro, and Troy Hunt, an expert on web security and author of the data breach search website Have I Been Pwned? More at cisomag.com.

Patch Tuesday, December 2019 Edition

Microsoft today released updates to plug three dozen security holes in its Windows operating system and other software. The patches include fixes for seven critical bugs — those that can be exploited by malware or miscreants to take control over a Windows system with no help from users — as well as another flaw in most versions of Windows that is already being exploited in active attacks.

By nearly all accounts, the chief bugaboo this month is CVE-2019-1458, a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to Recorded Future the exploit available for it is similar to CVE-2019-0859, a Windows flaw reported in April that was found being sold in underground markets.

CVE-2019-1458 is what’s known as a “privilege escalation” flaw, meaning an attacker would need to previously have compromised the system using another vulnerability. Handy in that respect is CVE-2019-1468, a similarly widespread critical issue in the Windows font library that could be exploited just by getting the user to visit a hacked or malicious Web site.

Chris Goettl, director of security at Ivanti, called attention to a curious patch advisory Microsoft released today for CVE-2019-1489, which is yet another weakness in the Windows Remote Desktop Protocol (RDP) client, a component of Windows which lets users view and manage their system from a remote computer. What’s curious about this advisory is that it applies only to Windows XP Service Pack 3, which is no longer receiving security updates.

“The Exploitability Assessment for Latest Software Release and Older Software Release is 0, which is usually the value reserved for a vulnerability that is known to be exploited, yet the Exploited value was currently set to ‘No’ as the bulletin was released today,” Goettl said. “If you look at the Zero Day from this month (CVE-2019-1458) the EA for Older Software Release is ‘0 – Exploitation Detected.’ An odd discrepancy on top of a CVE advisory for an outdated OS. It is very likely this is being exploited in the wild.”

Microsoft didn’t release a patch for this bug on XP, and its advisory on it is about as sparse as they come. But if you’re still depending on Windows XP for remote access, you likely have bigger security concerns. Microsoft has patched many critical RDP flaws in the past year. Even the FBI last year encouraged users to disable it unless needed, citing flawed encryption mechanisms in older versions and a lack of access controls which make RDP a frequent entry point for malware and ransomware.

Speaking of no-longer-supported Microsoft operating systems, Windows 7 and Windows Server 2008 will cease receiving security updates after the next decade’s first Patch Tuesday comes to pass on January 14, 2020. While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Windows 10 likes to install patches and sometimes feature updates all in one go and reboot your computer on its own schedule, but you don’t have to accept this default setting. Windows Central has a useful guide on how to disable or postpone automatic updates until you’re ready to install them. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

And as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may even chime in here with some helpful tips.

Finally, once again there are no security updates for Adobe Flash Player this month (there is a non-security update available), but Adobe did release critical updates for Windows and macOS versions of its Acrobat and PDF Reader that fix more than 20 vulnerabilities in these products. Photoshop and ColdFusion 2018 also received security updates today. Links to advisories here.

Preparing for 2020: Trends in Cybercrime, Threats and Risks

As 2019 draws to a close, we take a look at how the year has panned out on the cyber front. What have been the main trends witnessed over the last 12 months, and what can we learn from them to prepare for 2020 and beyond?

image of 2020 cybercrime trends

Ransomware: The ‘Gift’ to Criminals That Keeps On Giving

The main threat in 2019 continued to be ransomware, a relatively simple attack which encrypts information on endpoints and servers and demands a ransom payment in exchange for releasing the hijacked data. A ransomware attack does not attempt to be stealthy; notification of its existence is part of the MO, and aside from locking files, ransomware does not (directly) cause other damage to the infected system. That said, it’s precisely the knock-on denial of service effects arising from crucial data being made unavailable that make the business case to pay or to not pay turn in the criminals favour.

From a technical point of view, this is a threat that should be quite simple to deal with, and reducing the number of organizations that continue to offer criminals an easy pay day while putting their own essential services at risk is something that should be top of the agenda for every CISO in 2020. If there is a proper backup strategy in place, all the organization has to do is erase affected workstations and recover from the most recent pre-infection snapshot or image. Even better, a trusted EDR solution is easily capable of preventing ransomware in the first place and rolling back infected devices in the second.

In practice, however, too many organizations are caught unprepared. Too many businesses have sprawling networks with poor visibility and a wide-range of legacy devices. Too many businesses are using outdated information systems; too many have insufficient awareness of the threat; too many do not backup regularly or update software frequently enough. The practicalities for some organizations are far from trivial and not to be underestimated, but the reality is that no matter how big the challenge, businesses that fail to get their networks in order and implement simple, best practices across their endpoints can expect to be severely affected by ransomware attacks.

Take, for example, the Baltimore Municipality, which experienced a ransomware attack in May 2019. The attack left the city offline for weeks, and the recovery was slow and expensive. The Baltimore Municipality estimates the cost of the financial attack to be $18.2 – the city’s Information Technology Office has spent $4.6 million on recovery efforts since the attack and expects to spend another $5.4 million by the end of the year. Another $8.2 million cost comes from potential lost or delayed revenue, such as money from property taxes, real estate fees and fines.

The 2019 Baltimore attack was the first in a wave of (sometimes coordinated) attacks on U.S. cities and towns throughout the remainder of the year. The most notable attack was against 22 Texas cities and agencies. In addition, the education sector has been hit hardest by criminals. Since the beginning of 2019, there have been hundreds of ransomware attacks against US public schools – more than the total number of all attacks on US entities in 2018. Some school districts have been disabled for months because of such attacks.

Ransomware attacks have more than doubled globally over the past 12 months, with the United States being the target of more than half of the world’s incidents. The situation has become so dire that ransomware is considered a threat to US national security and there are real fears that ransomware attacks could interfere with the upcoming U.S. elections, either through voting machines or voter data being targeted for encryption.

Ransomware Take Away for 2020: take yourself out of the firing line, get proper protection and implement a robust backup and contingency plan. This is not just Security 101, but Security 911. 2019 teaches us that those who fail to make the right, crucial call to get on top of their networks will be caught out.

APTs: Making Nation-State Attacks Great Again

Government-backed, advanced persistent threat actors have been particularly busy this year. The Chinese, Iranians and North Koreans have all been seen engaging in hacking activities during 2019, while the US government has itself made unofficial admissions of cyber attacks against Iranian facilities this year.

Notable attacks seen during 2019 were a widespread attack on the airplane maker Airbus, an attack on a host of financial entities that generated $3 billion in revenue for North Korea, and Iranian attacks on Saudi entities and companies. In addition, it turns out that the Chinese passenger plane C919 unveiled this year is almost entirely copied from a series of American and other manufacturers, suggesting that stolen IP played a big role in its development. The US Secretary of Defense recently said that China is committing the biggest IP theft in human history. Needless to say, most of the information was stolen through cyber measures.

Unlike previous nation-state cyber attacks, these attacks are wide-ranging, affecting a variety of bodies, individuals and companies while striving to reach their final goal. In the process, many more entities that traditionally are not considered the targets of these sophisticated attackers are being hit. These include infrastructure companies and service providers. Undoubtedly, the changing threatscape will also require these entities to invest more in securing their information and infrastructure.

Clues to this could be seen in a new regulation by the US Department of Defense, the CMMC, which will apply to 300,000 sub-contractors this year to the organization’s major arms manufacturers and suppliers, requiring them to deploy appropriate safeguards as a condition for participation in tenders. Never ones to take half measures themselves, the Chinese government has come to the conclusion that it no longer trusts US tech, and has ordered all government and public institutions to remove US hardware and software and be 100% completely domestically-sourced by 2022.

APT Take Away for 2020: expect more of the same. As nations vie for strategic advantage in cyberspace, it looks increasingly like the battle will extend to securing and homogenizing the supply chain by the big players, with the smaller players likely having to pick their side.

IoT: Yet Even More ‘Stranger Things’ on Your Network

As the number of Internet of Things (IoT) devices invading enterprise networks continues its inexorable growth, both nation-state actors and criminal enterprises have this year naturally taken an interest in exploiting IoT devices.

Earlier this year, APT actor Fancy Bear, aka Strontium, attacked printers, video decoders and IP/VOIP phones to gain wider access to corporate networks. Meanwhile, copy-cat Mirai botnets continued to exploit unpatched devices susceptible to Eternalblue throughout 2019, with one security vendor reporting that virtually all attacks seen on their honeypots were automated scripts designed to attack at scale.

Increasing attention to the security of internet-connected appliances is, therefore, a necessity for every organization. It’s becoming ever-more difficult to avoid such things appearing on your network as manufacturers continue to add internet and ‘cloud’ capability to the most mundane of devices.

IoT Take Away for 2020: network visibility is going to be crucial. You cannot defend what you cannot see, and every blindspot is a potential soft access point into your wider network.

Breaches and Leaks: All Your Data Are Belong to Us!

Many of the “cyberattacks” we hear about are not attacks at all, but data breaches that are a result of malicious or negligent actions that expose sensitive information to the wider world. Digital data leakage has always existed, but as the amounts of data are growing exponentially and organizations are moving to cloud-based systems, data breaches are becoming more frequent and more severe.

Data breaches on frightening scales – like an entire nation – are the price of organizations becoming dependent on the cloud for storing information while at the same time lacking the knowledge, skill or will to implement secure cloud best practices.

For example, many organizations store their entire customer database on cloud services such as Amazon AWS or Microsoft Azure. These are robust platforms when used properly, but it’s also easy for clients to misconfigure firewalls, leave open permissions, use weak or recycled passwords or fail to secure other credentials.

Such basic failures have led to millions of sensitive records being exposed this year: medical records, financial information, personal information and more. As is so often the case, the technology is not at fault here. The challenge today is to develop the skills of the DevOps who operate these cloud environments to be aware of the dangers and to act intelligently.

As an example of what can happen when organizations fail this challenge, see the Canadian Bank of Nova Scotia developers who retained parts of the source code as well as passwords and credentials for sensitive systems on the open source storage system Github.

Breaches Take Away for 2020: do the right thing. There’s no shortage of best practices information on how to prevent and deal with data breaches, but research has shown that even some of the top consulting firms fail to take their own advice. Don’t be one of them.

Disinformation: Fake It Till You Make It, Politics’ New Normal

This year, we experienced a rise in a trend that affects our lives more deeply than just “cyber-hacking” – the increasing involvement of cyber attacks in politics. From Israel’s Prime Ministerial candidate’s mobile phone that was allegedly hacked by Iranians, through to Israeli offensive cyber companies whose products serve various regimes around the world for spying on political parties, to campaigns with political motivations by countries such as Russia and North Korea, and even ransomware campaigns featuring images of President Trump (or Hillary Clinton).

There is an understanding in the industry, as well as in the behavior of democratic states, that there will no longer be any “cyber-less” elections. The UK election in December 2019 has already witnessed several cyber incidents: DDoS attacks on one of the major parties, disinformation strategies by the other, and Russian-backed entities allegedly leaking information related to key election issues have all been seen.

With Deep Fakes and disinformation campaigns now being treated as genuine electoral tactics, there is even greater need to increase general awareness among the public about this threat to democracy as we move toward the US 2020 election season.

Disinformation Take Away for 2020: security mechanisms around influential political figures and political party apparatus must be tightened and more effort is needed to secure voting processes from tampering. On top of that, we all need to treat the 24/7 news cycle, designed to maximize instant likes, retweets and to hit that “gone viral” sweetspot, with a healthy degree of skepticism.

Summary

2019 was a clear continuation of the years that preceded it, but more intense — more attacks, more data breaches and greater damage throughout the world. Will 2020 bring any relief or will the threats keep escalating? The problems we’ve seen in 2019 aren’t going to “magic” themselves away, but nor are we helpless. The big takeaway from 2019 is that organizations and companies, governments and individuals must invest more in information security, education and prevention. Cybercrime is a solvable problem that no one needs to be a victim of.

But for those that continue to ignore the reality and refuse to accept the challenges of doing business in the modern, connected world, then 2020 will likely be bleaker than its predecessor, and not the other way around.

If you would like to see how SentinelOne can help your business meet those challenges and stay safe in 2020, contact us for more info or request a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

AWS is sick of waiting for your company to move to the cloud

AWS held its annual re:Invent customer conference last week in Las Vegas. Being Vegas, there was pageantry aplenty, of course, but this year’s model felt a bit different than in years past, lacking the onslaught of major announcements we are used to getting at this event.

Perhaps the pace of innovation could finally be slowing, but the company still had a few messages for attendees. For starters, AWS CEO Andy Jassy made it clear he’s tired of the slow pace of change inside the enterprise. In Jassy’s view, the time for incremental change is over, and it’s time to start moving to the cloud faster.

AWS also placed a couple of big bets this year in Vegas to help make that happen. The first involves AI and machine learning. The second, moving computing to the edge, closer to the business than the traditional cloud allows.

The question is what is driving these strategies? AWS had a clear head start in the cloud, and owns a third of the market, more than double its closest rival, Microsoft. The good news is that the market is still growing and will continue to do so for the foreseeable future. The bad news for AWS is that it can probably see Google and Microsoft beginning to resonate with more customers, and it’s looking for new ways to get a piece of the untapped part of the market to choose AWS.

Ransomware at Colorado IT Provider Affects 100+ Dental Offices

A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack this week that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.

Multiple sources affected say their IT provider, Englewood, Colo. based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service.

Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up.

The attack on CTS comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices.

Thomas Terronez, CEO of Iowa-based Medix Dental, said he’s heard from several affected practices that the attackers are demanding $700,000 in bitcoin from some of the larger victims to receive a key that can unlock files encrypted by the ransomware.

Others reported a ransom demand in the tens of thousands of dollars. In previous ransomware attacks, the assailants appear to have priced their ransom demands based on the number of workstation and/or server endpoints within the victim organization. According to CTS, its clients typically have anywhere from 10 to 100 workstations.

Terronez said he’s spoken with multiple practices that have been sidelined by the ransomware attack, and that some CTS clients had usable backups of their data available off-site, while others have been working with third party companies to independently negotiate and pay the ransom for their practice only.

Many of CTS’s customers took to posting about the attack on a private Facebook group for dentists, discussing steps they’ve taken or attempted to take to get their files back.

“I would recommend everyone reach out to their insurance provider,” said one dentist based in Denver. “I was told by CTS that I would have to pay the ransom to get my corrupted files back.”

“My experience has been very different,” said dental practitioner based in Las Vegas. “No help from my insurance. Still not working, great loss of income, patients are mad, staff even worse.”

Terronez said the dental industry in general has fairly atrocious security practices, and that relatively few offices are willing to spend what’s needed to fend off sophisticated attackers. He said it’s common to see servers that haven’t been patched for over a year, backups that haven’t run for a while, Windows Defender as only point of detection, non-segmented wireless networks, and the whole staff having administrator access to the computers — sometimes all using the same or simple passwords.

“A lot of these [practices] are forced into a price point on what they’re willing to spend,” said Terronez, whose company also offers IT services to dental providers. “The most important thing for these offices is how fast can you solve their problems, and not necessarily the security stuff behind the scenes until it really matters.”